Information on company risk abounds; the challenge can be finding the right data for improved screenings via enhanced due diligence.

The Compliance Week 2019 Survey on Anti-Bribery & Corruption, conducted with Refinitiv, asked respondents what sources of data they use to identify or validate the level of third-party risk for each party of concern.

Among the 15 options for sources of data, the most frequently cited were public records (74 percent of respondents), international screening databases (68 percent), internet/social media searches (64 percent), adverse media (63 percent), and content on politically exposed persons (57 percent).

When initiating the enhanced due diligence process, a firm will also need to assess the available data and intelligence.

“Ultimately, with every third party that you’re screening, you’re often going to be using a questionnaire,” says Kevin Bogdanov, director of market development – risk, Americas, for Refinitiv’s third-party risk management business. “They want to do business with you, and so you send them a document they need to fill out. It will have information like: ‘How many employees do you have? What’s your annual turnover? Tell us about your business structures and processes.’ ”


“Then there’ll also be more kind of pointed stuff around child labor. Or, ‘Can you attest that you do not pay bribes to secure business?’ You’re relying on that information that is provided to you by that supplier and by that third party, agent, contractor, or whoever.”

“However, that’s obviously limited data. If I’m self-reporting risk—if I’m a third party—I may not tell you that I’m linked to a sanctioned entity. So the confluence between the data that is sourced from the third party and the data that is externally available, whether it’s a sanctions watch list or any other types of data, like adverse media and court filings and whatever else that is going to be, what do you use to assess the level of diligence that’s required—that confluence between both available self-sourced and independently verified data?”

Other upfront, factual determinations include parameters for what motivates additional financial diligence. Does the deal involve a high-risk jurisdiction? Are you working in Bulgaria or Uzbekistan or maybe parts of Asia, Africa, or the Middle East? Or, instead, are you doing a deal in New Zealand or Norway, “where it is obviously going to be a different thing,” Bogdanov says.

What is the volume? Is it a couple of containers, or shiploads? What is the monetary value? “Obviously, when you have very high volume and exposure, it’s going to necessitate due diligence more often than not,” says Bogdanov.


Is interpretation of public data sources a challenge when making the decision that enhanced due diligence is required? Can even usually unimpeachable public data sources be misleading or cry out for further scrutiny?

“I’ll give you a silly example,” Bogdanov says. “Sometimes, I myself am considered a Politically Exposed Person, albeit in the most benign way possible. My uncle is a police director in Bulgaria.”

“Not that it is particularly relevant,” he adds, “but it does make me a PEP, even if it is absurd that it would have any bearing on anything because I live in the U.S. and I’m not involved in anything that actually ties to police work. It is just a classic example of where, just because somebody is a PEP, it can be completely benign and completely irrelevant, or it could be highly relevant. It just depends, and more research is needed.”

Why might this data be relevant? It could be meaningful if you, for example, are dealing with a large multimillion-dollar project in a high-risk part of the world—Uzbekistan or someplace like that—and in order to get the deal across the line, you need local ministerial approvals and permits to build industry infrastructure in the local network. “All of a sudden, you are dealing with PEPs who have the ability to either accept or reject the project or bid,” Bogdanov says. “Now, that’s a very different situation.”

“What I would advise is that every organization needs to establish a risk-based approach from the onset—at the beginning of the process, before any of the screening and diligence even happens. This risk assessment will determine what types of risk matter most to them. Firms can then leverage all of the available data that they have to determine whether any of those criteria are met.”

Bogdanov also suggests that businesses “have a very narrow view of what their risk threshold is.”

For example, there are some really good available sources of data, like Transparency International, and others to talk about bribery and corruption risk, but there are ultimately 50-plus different risk indicators.

“You could look at a country, or a place of doing business, and sort of determine what their risk of violent crime is, their risk of child labor, of corruption, of money laundering, or extortion, of whatever,” he says. “There are all these different indicators out there and, if you have a far more nuanced view of what types of risks happened and at what level, you can create an automated risk threshold.”

“A lot of our Western customers crave really intuitive, but really advanced, kinds of programs where they automatically create a new due diligence report. They’re able to be scientific about it, and it takes the emotion out of it. We really advocate for a scientific, objective, automated, integrated threshold inside the programs, which is not that hard to do.”