FCPA Blog Daily News

Lindsay Columbo: How did due diligence become so complicated?

Over the past several years, concepts that once served as basic elements of an appropriate customer due diligence program and that had simple definitions have morphed into requirements that are completely decentralized and that vary based on factors such as geographical location, risk level, industry and business activity.

For example, under Bermuda’s due diligence requirements, a customer review should include both a sanctions screening and an internet search on the customer, as well as due diligence on other relevant parties including beneficiaries and controllers on the account.

In comparison, U.S. legal requirements issued by FinCEN specify that a customer review must include a sanctions screening against the OFAC list only.

Disparate due diligence requirements impact both industry professionals and compliance technology providers. The demand for specific due diligence measures based on a variety of factors and assessed risks has forced compliance teams to develop, and re-develop, processes that are able to address all legal requirements from a global perspective while also accounting for specific rules in jurisdictions with more stringent laws.

It is difficult for a compliance team to establish a practical process and procedure for due diligence when faced with constant changes to how we define and think about basic concepts like KYC and CIP. Effective implementation, training and communication of appropriate procedures to other non-compliance professionals also inherently become challenges when required procedures are continuously being re-defined due to regulatory developments and changes to internal processes.

Regulatory changes and inconsistencies in due diligence requirements have also greatly impacted compliance technology providers. Providers are forced to turn technology that was originally developed, designed and relied upon to assist companies in meeting high-level due diligence requirements under basic due diligence concepts into a solution that is incredibly sophisticated, robust and, most importantly, flexible. Only then do the providers stand a chance of meeting the demands generated by the waves of regulatory changes we have witnessed over the past several years.

Moreover, as due diligence requirements become more complex and decentralized across jurisdictions and subject matter areas, technology providers are faced with pressure to provide a “one-stop-shop” where customers can effectively cover and conduct all required due diligence in one place. While the concept sounds like a dream to compliance professionals, going down this path to meet a one-stop-shop demand can result in a provider spreading itself too thin or advertising services that truly do not fall within the provider’s expertise or capability.

On top of the pressure from customers to provide more robust platforms, providers face additional heat from regulators who have specifically promoted and encouraged customers to review and adopt new compliance technology to meet new or more robust legal requirements.

Under the AML regulations for the Isle of Man, for example, a relevant individual is required to assess and document the use of developing technologies for both old and new products, which include data and transaction screening systems and electronic verification of documentation. This sends a message to providers that they need to have technology that will satisfy and survive reviews and audits now required by customers under certain laws.

Further, both compliance professionals and technology providers are expected to put a program or system in place that can capture exactly what a given company or institution needs based on those specific laws that are applicable to the business while also ensuring effectiveness from both a productivity and cost perspective.

Fortunately, some countries are adopting consistent regulations to fit a global due diligence standard across certain compliance areas, such as AML. This could take due diligence requirements full circle and bring us back to simple concepts that can be understood and addressed regardless of jurisdiction or any other factor.


Lindsay Columbo, Esq. is a founder of eSpear LLC, a developer of due diligence and screening solutions, where she serves as the Global VP of Compliance & Support Services. She previously served as Associate Corporate Counsel, Global Ethics & Compliance for Brightstar Corp., a SoftBank company headquartered in Miami, Florida. She can be contacted here.

Reader Comments (1)

Do you also see a concern that heightened privacy regulation will conflict with increasing expectations for due diligence? Where specific diligence steps are required by law, as is the case in AML, there may be a different standard than where the diligence steps are appropriate, but discretionary. Do you think privacy regulators are attentive to these compliance program concerns? Regards, Joe Murphy
July 19, 2018 | Unregistered Commenter Joseph Murphy