Felipe Victolla Silveira

Using Third Parties to Automate Our Due Diligence

Felipe Victolla Silveira
Contributors: Henriette van Ingen

For the past year, we've been improving our due diligence procedures. Performing all of the necessary checks is complex work, and there’s a lot of it. For this reason, we'll be using trusted third-party expertise and automation in two key areas: sanctions screening and the validation of identification documents. This article explains what we’re doing and how it will affect you.

Sanctions Compliance

The challenge

A priority over the past year has been to review and update our sanctions screening process. This work has gone very well and we are confident in terms of our sanctions compliance. However, it has had a significant impact on our workload.

Sanctions screening involves more than just looking for matches between the company names of our 20,000 members and the EU sanctions list. We need to check individual people too. This includes everyone on a member’s board, as well as any other companies or people with shares in that member’s company. We also need to run these checks for an additional 20,000 End Users with Provider Independent (PI) assignments. If any of these parties are found to be subject to EU sanctions, we cannot approve any additional resource or transfer requests, or allow them to open memberships.

For this reason, sanctions checks are triggered whenever we receive a new membership, assignment, allocation or transfer request (including End User requests). That’s a lot of checks! Aside from the scale of the task, this also requires specialised skills and data, which is further complicated by the fact that we serve a wide region with many legal and administrative differences. And since sanctions lists are updated frequently, performing these checks manually would be time-consuming and we would still run the risk of mistakes. We are therefore automating this process, which is where the help from third parties comes in.

Who are we working with?

There are two companies here. Altares Dun & Bradstreet maintains a registry solution (IndueD) that has public due diligence-related information about companies. Our automated checks will use this to confirm things like a company’s address or the name of its director. The information from Altares Dun & Bradstreet’s registry is then checked against another registry, run by Dow Jones, which lists all sanctioned persons and entities around the world. For every sanctioned entity, Dow Jones conducts research to find any related companies and individuals and links them in its database.

How will this affect you?

For the overwhelming majority of members and End Users, these are automated checks against external databases that will run behind the scenes; you will not notice any difference. However, inevitably we will encounter cases where a member is not in Altares Dun & Bradstreet’s registry and we will flag that there is a gap. In most instances, they will find the relevant information (chamber of commerce records, address, contact details, etc.) and update their registry themselves. Where they are unable to do so, Altares Dun & Bradstreet will contact members directly. If needed, we might supply them with contact information for this purpose, after first getting permission from the member or End User to do so.

A key word here is voluntary. In all cases, we would notify the member or End User in advance that Altares Dun & Bradstreet would like to contact them as part of our sanctions screening. Members are under no obligation to accept Dun & Bradstreet’s call or grant us permission to share their contact information.

It is also important to highlight that while we will be using Altares Dun & Bradstreet’s data for our sanctions screening process, they would not only be collecting information on our behalf. This information will be added to this third-party registry and can be used by other customers of Altares Dun & Bradstreet in the future. Members will therefore need to ask themselves if they want to share this information.

However, while we will take care to explain that members can opt-out if they wish, we also have a hard requirement in terms of our due diligence and sanctions screening obligations. If Altares Dun & Bradstreet cannot verify a company’s information, we might not be able to either, and we cannot approve requests without first performing these checks. That being said, we can explore alternative options with any members who decide to opt-out.

Identification Document Validation

The challenge

A separate but related issue is with the validation of ID documents as part of our due diligence requirements. Until now, we have been using a third party to manually verify and authenticate ID documents that look suspicious – which we continue to see a lot of. Of course, using a well-known celebrity for your passport photo is easy to spot, but other examples can be very sophisticated and require specialist analysis.

With due diligence becoming a bigger part of our workload, our preference is to automate as much of this validation work as we can and apply it consistently across the board by checking all IDs. We also need to ensure high standards of security, and getting this right is especially important due to the personal nature of these documents and our responsibilities in the context of GDPR.

Who are we working with?

Our search has led us to a company called iDenfy, which is a specialised provider in automated ID validation and remote identification services. iDenfy uses AI and biometric technologies that provide both an improvement in quality and overall efficiency.

How will this affect you?

In the near future, whenever someone needs to provide a copy of their ID, they will upload it directly to iDenfy instead of us, using a secure link we send in an email. Once iDenfy have completed their validation, they will send us the relevant information we need to keep on record.

Using iDenfy will ensure consistent, high-quality validations of ID documents and the automation will save a great deal of time and work on our side. This will also help us to maximise our GDPR compliance. While we remain ‘data controller’, Idenfy will ensure the secure handling of all sensitive and personal data, and will delete all IDs within 14 days of being submitted. iDenfy is based in the EU (Lithuania) and is therefore also subject to GDPR requirements.

Work is currently underway to integrate our external request processes with iDenfy’s systems. We plan for this to go live on 23 September.


You may also like

View more

About the author

I am the Chief Operations Officer of the RIPE NCC, responsible for the registry, member-related services and software development, including the RIPE Database, LIR Portal, and RPKI. I have joined the RIPE NCC in 2012 as a Software Engineer, and since then have worked in different roles across the organisation. I have a MSc in Computer Science.

Comments 0