Financial Crime Risk Management

Due Diligence - FAQ

May not cover factors relevant to a particular situation or circumstance.


Frequently Asked Questions

Click Questions to see example responses, some of which include embedded links to reference sources.

Depending on the public profile of the individual or company of interest, the countries with which they have a nexus and other factors, it might be possible to identify information.  However, this will be heavily influenced by whether reliable information sources are available:

  • Adopting a general fishing approach to identify information sources can be useful, but to a limited extent.  It is often more effective (and better for cost-control) to undertake more directed or focused investigative research.
  • State controlled or regulated sources are relatively more reliable for factual content than, say, web-based blogs or chat-rooms. Gossip or misinformation may not provide useful intelligence without further research, to identify corroborative or supporting content. Gossip can be easy to identify, but establishing facts can be more time-consuming.
  • Instances occur when information might be expected to be found (or may previously have been identifiable) but, as a consequence of the right to be forgotten, information may not be available. In May 2014, the Court of Justice of the European Union (C-131/12, 13 May 2014) ruled that certain people can ask search engines to remove specific results for queries that include their name, where the person's privacy rights outweigh the interests in those results appearing.
  • Information might exist but be held subject to a confidential or restrictive requirement. Gaining access may only be possible with a Court Order, to compel a data controller to allow access to / release a copy of the information sought.

No. The nature and extent of due diligence to be undertaken is often a matter of risk-appetite:

  • Research findings might confirm only what is already known (or believed).  Or, they could result in the identification of previously unknown information, of direct and material relevance to a sensitive deal, transaction or relationship.
  • An insurer, regulator, investor or a significant stakeholder concerned about how an asset or investment portfolio is managed, might expect a reasonable level of due diligence to be completed in certain circumstances.  A failure to do so might be detrimental to that party's perception of how risk is identified and responded to.
  • It is possible to do too much.  Excessive due diligence without a clear/defensible rationale can offend potential employees or impact the completion timeline for a transaction.  A balance should be drawn which is risk-based and does not unnecessarily prevent legitimate activity from proceeding.

The approach to adopt requires consideration of where risk may exist, whether broad-based or tightly focused research is needed, the skills required to undertake the required due diligence, and prioritisation of the most important issues.

The short answer is 'No':

  • An effective due diligence assessment can help identify potential anomaly or red-flag, for a client's consideration of relevance to a relationship or a business transaction/activity.
  • It is similar to undertaking an annual health-check.  The most recent assessment may not have identified anything of concern.  However, this will not prevent a new/emerging health issue arising in the next 12 months, which might be linked to a previously unidentified hereditary condition.

Examples of third-party relationships, include:

  • A business arrangement between a principal and another party or entity, whether covered by contract or otherwise.
  • A business activity delivered by, or via, an outsourced service provider ('OSP') (e.g. OSP administering or delivering sales, financial or other activity). In certain circumstances, a reasonable due diligence exercise might involve sampling or dip-testing, to assess effectiveness of how a target principal ensures that OSPs' maintain operational integrity and do not expose the principal to bribery, false accounting or tax evasion risk, etc.
  • Business activity supported by outside consultants or (formal and informal) networking arrangements (e.g. do they involve commissions, incentives or practices which are incompatible with an acquiring principal's risk appetite?).
  • Subsidairies, branches and affiliates, or other arrangement (e.g. joint venture), where local practice may not involve the escalation or referral to the centre, of higher-risk relationships, funds-flow or local whistle-blowing reports.

The Bribery Act 2010 and the Criminal Finances Act 2017 - Both present senior management of a commercial organisation with the risk of criminal prosecution where an associated person is involved in criminality. A 'principal' covered by the legislation would need to ensure appropriate consideration of the risks presented by third parties, when considering the level and extent of due diligence required in, say, an M&A transaction.

The Modern Slavery Act 2015 - Every organisation carrying on a business in the UK with a total annual turnover of £36m or more is required to produce a slavery and human trafficking statement for each financial year of the organisation. The statement should identify steps taken by the organisation to ensure that slavery and human trafficking is not taking place in any of its supply chains, and in any part of its own business’. The statement should also aim to include information about due diligence processes in relation to slavery and human trafficking in its business and supply chains.

Not all third-party relationships present the same level or type of risk.  Some may present financial, regulatory, reputation or geographic risk, linked to how and where business is undertaken.

Criminal records are not generally available as public information:

  • For individuals applying for certain UK roles, such as, in healthcare or childcare, employers can apply for a Standard or Enhanced check via the Disclosure and Barring Service ('DBS') - A 'DBS check'.
  • An individual cannot request a Standard or Enhanced criminal record check on themself.  They can apply to Disclosure Scotland for a copy of their own criminal record in England, Scotland and Wales (known as a ‘Basic disclosure’™).

For more information - Click Here

It's a similar conundrum to the question 'How long is a piece of string?!  When researching a person who has only worked at one company, lived in one house and has never been appointed as a company director, s/he will take less time to research than, say, someone else who has worked at multiple companies, lived at several historic addresses and who is (or has been) a director of several companies.

Examples of other factors influencing the length of time required, include:

  1. How common is the name to be researched? In the UK someone with a relatively common name, such as David Smith, John Jones, or Tim Davies, will produce more false-positive name match hits for assessment in open-sources than, say, someone named Zaccharius Charlesworth. The impact of name commonality will be similar in other countries.
  2. Does the subject have (or use) one or more previous name(s), nickname(s), etc. 
  3. Some names have multiple derivations.  For example:
    1. Muhammad has alternative spellings of Moohammed, Mahmad, Mehmed, Mahamed, Mohamad, Mohamed, Mohammad, Mohammed, Muhamad, Muhamed, Muhamet, Muhammed, Muhammet, Mahammud, Mehmet, Mohd, Muh, Mahamid.
    2. Edward is similar to Edouard, Eduardo, Eddie, Ed, Edd, Ned, Ted, Woody, etc.
  4. The number and geographic locations of countries where research is to be undertaken. Some countries have easily accessible data sources, whereas others may not.
  5. The period of legacy research required (e.g. last 12 months, previous 5 years, or longer).
  6. Whether research scope is wholly focused on a named individual, or if related parties are also to be covered.
  7. The ability/authority under which information is requested.  A consenting individual would provide a written authority (e.g. as part of pre-employment screening).  However, in circumstances such as, research undertaken as part of a fraud investigation, this might involve obtaining a relevant court order, to gain access to relevant material.

In summary, many factors influence the time required to conduct research, applicable to individuals or companies:

  • It is unlikely every name derivation will be researched as part of standard due diligence, except where specifically required, as this will lead to a high volume of false-positive name-matches.
  • The level and quality of information available on individuals and companies (or other structures, such as Trusts, Foundations, etc.) varies by jurisdiction.
  • Where a Court order is needed as part of a fraud investigation, or other investigative due diligence, we would work with the client's legal advisors.

Common issues encountered include applicants who:

  • Are careless about CV accuracy or completeness.
  • Deliberately use broad timelines to obscure/change employment dates (e.g. to hide periods of inactivity, unemployment or undeclared employment).
  • Overstate personal skills, experience or qualifications’.

FCRM Ltd is registered with the Information Commissioner's Office ('ICO') - Registration Number: Z1273248. We process information as part of an Investigatory Services offering:

  • Under the Data Protection Act 2018 ('DPA'), processing covers any means by which personal data can be dealt with, including collection, use, storage, disclosure and amendment.
  • We will share personal information we process with the individual themself (e.g. in response to a subject access request) and/or with other organisations (e.g. EEA clients who commission research to be undertaken by us in the UK with the research subject's consent, or having a legitimate interest).
  • When sharing information we are required to comply with all aspects of the DPA.
  • Your personal data is not shared with unrelated third parties.

As noted in ICO Guidance Legitimate interests differs from other lawful bases as it is not centred around a particular purpose (e.g. performing a contract with the individual, complying with a legal obligation, protecting vital interests or carrying out a public task), and it is not processing that the individual has specifically agreed to (i.e. consent). Legitimate interests is more flexible and might in principle apply to any type of processing for any reasonable purpose.

For more on how we process personal data and our compliance with the Data Protection Act 2018 - See Privacy

The nature and types of source vary, depending on work scope.  They could include a blend, such as:

  • Client records (e.g. procurement to payment documentation when work scope includes reviewing or assessing supplier/vendor arrangements, etc.).
  • Open sources / public records (e.g. hosted by public body, such as, company registry, regulatory body, etc.).
  • A range of free-access or subscription-based data portals (e.g. third party news or research providers).
  • Candidate CVs.
  • Web-based research of credible open-source information.
  • Information identified via meetings / interviews.
  • Other....

See also 'Modular approach (examples) to meet client needs' on our Due Diligence site.

Unfortunately, the answer is 'No'.  This means that anti-money laundering customer due diligence processes for high-risk clients, such as PEPs, should include a higher degree of due diligence being exercised, when considering doing business with customers who live in:

  • High-risk countries; or
  • Unstable regions of the world known for the presence of corrupt practices.

As noted in UK Joint Money Laundering Steering Group ('Guidance'): "Firms must take adequate measures to establish the source of wealth and source of funds which are involved in the business relationship in order to allow the firm to satisfy itself that it does not handle the proceeds from corruption or other criminal activity. The measures firms should take to establish the PEP’s source of wealth and the source of funds will depend on the degree of high risk associated with the business relationship, and where the individual sits on the PEP continuum. Firms should verify the source of wealth and the source of funds on the basis of reliable and independent data, documents or information where the risk associated with the PEP relationship is particularly high."

JMLSG guidance also notes:"As part of its Enhanced Due Diligence measures, the firm should consider, on a risk sensitive basis, whether the information regarding source of wealth and source of funds should be evidenced...."

Some PEPs are willing to provide relevant evidence of their wealth, but others may be less forthcoming.  In the latter case, firms have to decide whether to on-board (or retain) such relationships involving PEPs, particularly if source of wealth lacks transparency.  It may be possible to build a documented profile of a PEP (or other high-risk customer), which provides or informs an objective basis for a firm's senior management to assess identifiable risk.

For more on our Due Diligence services - See Due Diligence Services