Since broad sanctions are adopted following Russia’s military aggression against Ukraine, we see an increase in requests for the assessment (screening) of (Russian) third parties. With such requests, clients frequently ask for some kind of automated solution, preferably one which can be integrated in their ERP. While their search for efficient solutions is understandable, when it comes to third party assessments, we have to explain that automated solutions do not work. This blogpost explains why automated solutions do not work and why brainpower (= human analysis) is required.
Simply said, there are two key reasons why automated solutions do not work for third party assessments. First is the lack of reliable sources containing unified comprehensive data on legal entities which would be required to perform meaningful automated screening. The second is that automation does not deal well with complexity.
Lack of unified comprehensive data
For an automated solution for worldwide third party assessments to work, it would need direct access to data for all legal entities in the world, including their current and previous ownership structure and key management. No such database (or federated access to multiple databases) exists.
This is primarily due to the fact that for many jurisdictions data on corporate ownership and management is often not (immediately) publicly accessible. For example data on the ownership of entities in many offshore jurisdictions or free-zones which is generally not publicly available, nor is data on the ownership of Delaware LLCs and of (most) Russian joint stock companies.
Even in the EU, where under the Fourth AML Directive UBO disclosure requirements are agreed which dictate that beneficial ownership of legal entities should be public, it is frequently not straightforward to obtain the relevant data. Also in cases where the data essentially is public, it may be contained in filed documents and therefore not automatically retrievable. Therefore, even for some of the most comprehensive databases with corporate data currently available, it is not possible to have all the data which is available included.
An experienced researcher on the other hand who dives into the data and history of the third party, can quickly access multiple databases, extract data from filed documents and collate all into what is actually needed for the screening. Also a researcher can – to a certain degree – frequently infer ownership from annual reports and other data sources, even when not publicly disclosed. That, however, requires access to multiple data sources and, above all, associative and deductive reasoning.
And once the ownership structure, beneficial owners and key controlling individuals are established, the problem of false positives pops up when checking them against for example sanction and warning lists. Different ways of transcribing names between different scripts (e.g. Cyrillic, Arabic, Mandarin, Latin) as well as a lack of uniqueness of names frequently result in dozens of ‘John Smiths’ listed for being sanctioned, related to a sanctioned entity, as a PEP, or as involved in criminal or other nefarious behaviour. Sifting through false positives again requires human review.
Third party screening becomes more challenging – and interesting – in complex situations where the lack of unified data isn’t the biggest issue. Let’s look at two examples of types of cases that frequently can be encountered.
The first example relates to a sanctions check we recently executed on a Russian entity. That sounds simple enough, however in this case the entity used to be indirectly ultimately owned by an oligarch until just after the Russian invasion of Crimea. The oligarch and his investment holding made it to the OFAC blocked list in 2016. So for obvious reasons the stake of the oligarch in the third party we were screening had since decreased to 49%.
An automated solution of course could detect the previous ownership, although this is not standard because of efficiency reasons in sanction checks usually only current ownership and control is considered. And even if the automated process did detect the previous ownership and flagged the file for human review, generally such review is aimed at checking whether the automated process made the right call based on the available data. That is however not sufficient.
The relevant question, which any experienced analyst would ask in this particular case, is who took the share previously owned by the blocked oligarch? Unsurprisingly, that was a novel investment firm, not on any sanctions list and with a squeaky clean track record. A review of their filed financial records however, raised questions on the source of their funds. No automated solution would be able to do that.
And strangely the new investment fund was owned and mangled by an individual who till recently had a very senior position at the previous majority shareholder. Formally perhaps all still OK, however again only human analysis will detect and understand the underlying risk.
The second example does not immediate relate to sanctions, however is common for a third party risk screening. This case revolves around the screening of an entity which the client was considering as a distributor in a certain jurisdiction. All data on registration, ownership and business operations was retrievable from various databases and did not show any direct red flags in terms of insolvency, sanctions, litigation, adverse media, etc., nor were there any inconsistencies between the available data which would raise concerns. This distributor would have passed any automated test with ease.
However, we were bugged by something, which we initially could not articulate. Only when we took a step back we realised that it was not about the data which was available, however about the lack of specific data. The distributor in question had no track record in the specific jurisdiction where it was supposed to start operating, it was even not clear whether owner / director spoke the local language. No currently existing automated situation would have identified this detail. Perhaps in a future, far away from now, there may be Artificial Intelligence (AI) systems which would be able to identify this detail, for now human analysis is needed.
Automation is not bad per se and can – if organised properly – make especially repetitive data collection and collation tasks much more efficient and as such augment the analysis. However, a proper third party assessment – whether conducted for sanction/export control compliance, or to detect and avoid financial or reputation risk – requires an actual understanding of the third party. In other words, it requires brainpower. Without brainpower the assessment becomes a checkbox exercise which may look nice on the compliance dashboard, but does not detect any of the underlying real risks.
(picture credits: https://www.pexels.com/@shvets-production/)