Brandolini’s law and third party risk screening

I was researching the background of a shareholder in a UK entity this week, trying to establish the legitimacy and reputation of that shareholder and screening for red flags. When, after some initial obstacles, I was finally able to fully identify the person, I tumbled into a deep rabbit hole of half-truths. Then it suddenly struck me: Brandolini’s Law also applies to third party risk screenings. Let me explain.

Brandolini’s Law

In 2014 a software developer, Alberto Brandolini, known under the Twitter handle @ziobrando, formulated the bullshit asymmetry principle for the first time:

The principle, since then also known as Brandolini’s law, has been applied mainly in the context of online disinformation. For example, it takes only little effort to edit a video and then to claim that it is a real recording of an event – very recently seen for example in relation to the disaster in Beirut – however it can take quite significant work to debunk such false claims.

Now, surely there can be a technical debate whether the principle holds true in all situations. Nonetheless, when the truth is only slightly altered, it takes considerable effort to recognise it and explain why it is not the actual truth. Of course to an experienced eye it is clear that something is not right and experts may say that very good falsifications hardly exist. However, proving that a falsehood is indeed false always takes an enormous amount of effort.

Third party risk screening

So I believe that the bullshit asymmetry principle also applies to third party (risk) screenings. These screenings are generally defined as an attempt to understand (or quantify) the risk associated with a new vendor, client, subcontractor or partner with whom your organisation wants to get into business. Sometimes third party (risk) assessments are a regulatory requirement, like for example under the UK Bribery Act. Increasingly, however, organisations choose as best practice to check their vendors and other business relationships preemptively to avoid (reputation) risks.

Mostly third party screenings largely or solely focus on verifying the truthfulness of (company) registration data and screening of individuals and entities against watch lists and regulatory data. In case the entity is, for example, not registered at all or if derogatory information is found, the researcher can draw relatively straightforward conclusions based on such so-called ‘hard red flags’. I wrote earlier that such a focus on hard red flags is not sufficient.

A screening becomes more challenging when no immediate hard red flags exist. Obviously in most cases that means that there is nothing wrong; most vendors and clients are after all just trying to make an honest living. And when there is little (verifiable) data available on the third party, the analyst already has to work harder. However, the really interesting and laborious cases are those where individuals try to keep up appearances by providing just enough information to find the obvious ‘confirmations’ of their status. Let’s look at the example that triggered this blog post.

The Russian shareholder

Imagine a UK entity with two shareholders, one of which is a Russian female, and some recent Companies House registration data on one entity is all we had to start from. That also means that no full date of birth was available (only month and year) and that the ‘address’ provided for the shareholder was, as so often, a registered office address. Lastly, the Russian shareholder only provided her first and last name without a patronymic, which makes it nearly impossible to positively identify an individual in Russia.

Fortunately, after some searching, data on a previously registered entity and an obsolete company website with an address in Russia led us to a dissolved Russian entity. Through a combination of the data, we had now established the identity, including patronymic and full date of birth, of the Russian shareholder. But that was where the trouble started. We identified a CV on the company website which matched the LinkedIn profile and it was possible to ‘verify’ multiple pieces of the puzzle. Also the data we could find on the other shareholder nicely matched their partly shared history, including actual company registrations. For the inexperienced eye the information on this Russian shareholder increasingly looked consistent and legit. But still….

A feeling that something is not quite right is difficult to explain, so I try to stick to the actual observations. We noticed (to name just a few):

  • inconsistent use of the company name, with ‘XYZ Services’ on the website while the registration was ‘XYZ Global services’ and previously ‘XYZ European Services’ and again another transliteration into Cyrillic;
  • inconsistent use of personal names: different spellings and different use of middle names;
  • inconsistent use of type of legal entity: the same entity was a Limited by registration, but was alternately indicated as an LLP or an LLC on the website and LinkedIn;
  • use of very generic company names for previous employers without naming an exact location: so impossible to verify but also impossible to disprove immediately;
  • inconsistencies between education and subsequent roles on the CV;
  • abundant use of ‘registered office’ addresses: so no real address to further pivot on;
  • annual accounts either not filed, or when filed the data in the accounts was implausible.

All these could be ‘unfortunate’ or ‘honest’ mistakes. However, in combination, such ‘mistakes’ reveal a pattern of deliberate disinformation and we want to protect our clients against falling for it.
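The first three observations in the list (company name, personal name and legal form varying between sources) can be tabulated mechanically before the manual work starts. The sketch below is an added example, not the author's tooling; the source labels, the sample records and the personal name in them are constructed placeholders, and the legal-form list is an assumed minimal one.

```python
import re
from collections import defaultdict

# Assumed, minimal mapping of legal-form tokens to a canonical label.
LEGAL_FORMS = {"ltd": "Limited", "limited": "Limited", "llp": "LLP", "llc": "LLC"}

def normalise(text):
    """Lower-case, drop punctuation and collapse whitespace."""
    return " ".join(re.sub(r"[^\w\s]", " ", text.lower()).split())

def split_company(raw):
    """Split a stated company name into (core name, canonical legal form or None)."""
    tokens = normalise(raw).split()
    form = None
    while tokens and tokens[-1] in LEGAL_FORMS:
        form = LEGAL_FORMS[tokens.pop()]
    return " ".join(tokens), form

def soft_red_flags(records):
    """Group each attribute's variants by source; keep attributes with more than one variant."""
    seen = {"company_name": defaultdict(set), "legal_form": defaultdict(set),
            "person_name": defaultdict(set)}
    for rec in records:
        core, form = split_company(rec["company"])
        seen["company_name"][core].add(rec["source"])
        if form:
            seen["legal_form"][form].add(rec["source"])
        seen["person_name"][normalise(rec["person"])].add(rec["source"])
    return {attr: {variant: sorted(sources) for variant, sources in variants.items()}
            for attr, variants in seen.items() if len(variants) > 1}

# Constructed sample records (placeholder names, not data from the case).
RECORDS = [
    {"source": "registry", "company": "XYZ Global Services Limited", "person": "Anna Ivanova"},
    {"source": "website", "company": "XYZ Services LLP", "person": "Anna S. Ivanova"},
    {"source": "linkedin", "company": "XYZ Services LLC", "person": "Anna Ivanowa"},
]

if __name__ == "__main__":
    for attr, variants in soft_red_flags(RECORDS).items():
        print(attr)
        for variant, sources in variants.items():
            print(f"  {variant!r}: {', '.join(sources)}")
```

The output is a list of variants per attribute with the sources that use each one; deciding whether a variant is an honest mistake or part of a pattern remains the analyst's job.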

Nonetheless, when reporting all these inconsistencies it takes a lot of text to disprove the nonsense. The subject has a first-mover advantage and has the benefit of the doubt, so the burden of proof is upon the analyst. It takes 15 minutes to create a fictitious LinkedIn profile and another hour to create a matching website, but disproving that fairy tale with evidence may take several hours. In this case it felt like being back in the criminal investigation department again in the Amsterdam police where I started my career; every Mickey-Mouse story a suspect told us, no matter how implausible, needed to be fact-checked.

Conclusion

My conclusion is that Brandolini’s Law also applies to third party risk assessments. It is easy to create a (little) lie but takes considerable effort to disprove that lie and properly write it down (and explain to the client why it took that amount of time).