As companies engage with counterparties – namely customers, vendors or other parts of their supply chain – it is essential that they understand the risk associated with doing business with all of those entities. That is difficult enough when the counterparties are nearby and really challenging when they are further afield.
At the heart of KYC (Know Your Customer – or KYV for vendors), is a check to see if your customer appears on a public watchlists or sanctions lists. The lists are published by organisations such as the UN and specific governments. The most well known publisher is the US Treasury’s Office of Foreign Assets Control or OFAC. Their sanctions list must be observed by all businesses operating in the US.
In a simpler world, that would be all there was to it, but the requirement is actually more complex. OFAC’s 50 Percent Rule states that “property and interests in property of entities directly or indirectly owned 50 percent or more in the aggregate by one or more blocked persons are considered blocked”. That is to say that sometimes counterparties may not appear on watchlists and sanctions lists but may be majority owned (individually, indirectly or in the aggregate) by sanctioned actors presenting a hidden risk.
We are delighted to announce that we are partnering with Kharon to close the gap. Kharon’s premium 50 Plus data adds another important dimension to the fight against financial crime and desire to protect against reputational risk.
Kharon conducts complex, multilingual investigations for entities that appear on the sanctions list – including their subsidiaries as far down as the ownership chain extends – as well as state owned enterprises in sanctioned jurisdictions. It includes thousands of entities and maritime vessels registered in more than 100 jurisdictions.
If you’d like to know more about how Kharon data can enhance your KYC process, please contact us for a demo.
In a global marketplace, third-party relationships are a crucial component of day-to-day business. However, while those relationships bring operational advantages they also pose an array of potentially significant risks. In order to address those risks and ensure compliance in an increasingly complex regulatory environment, organizations must think carefully about their approach to third party risk management (TPRM), implementing appropriate measures and controls to protect themselves against threats.
Accordingly, an organization’s third party risk management solution should be built on an understanding of best practice, and incorporate automated tools and technology to increase accuracy and efficiency.
What is Third Party Risk Management?
While most organizations develop a reliable understanding of the risks that they face directly, when they enter into relationships with third parties those risks may be more difficult to understand or predict. The complexity of third party compliance regulations exacerbates that risk, and requires organizations to carefully monitor the behavior of the third parties with which they do business, including examining their prior business relationships and historical actions.
Third party risks are diverse, reflecting factors such as business sector, internal policies and controls, and the level of regulatory oversight applied in a given jurisdiction. A third party may have connections to or involvement in criminal activities, may be subject to international sanctions, or may have inadequate cyber-security measures in place to protect customer data.
With those factors in mind, TPRM essentially involves the identification, mitigation, and reduction of the risks of doing business with third parties. An organization should seek to develop standardized policies and controls to facilitate TPRM, as part of a wider risk management solution that is calibrated to their operational environment.
The Risk Based Approach
TPRM requires organizations to collect and analyze vast amounts of data – a process which can be time consuming, costly, and adversely affect customer experiences during onboarding and throughout a relationship. In order to reduce the negative impact of risk management, most regulatory authorities require organizations to implement a risk-based compliance response.
The risk-based approach is required by regulatory compliance in jurisdictions around the world and is fundamental to the anti-money laundering guidelines set out by the Financial Action Task Force (FATF). Under the risk-based approach, organizations must adjust their compliance response based on an assessment of the specific risks that they face. Accordingly, following a risk assessment, an organization would deploy an enhanced compliance response for third-parties that present a higher risk, and a simplified response, for lower risk third parties.
The risk based approach enables organizations to economize the resources they deploy in response to third party risks, tailoring their response on a case-by-case basis rather than deploying comprehensive and costly compliance measures and controls for every third party relationship.
Third Party Risk Management Best Practices
To optimize your compliance solution, it is important to understand TPRM best practices:
Onboarding focus: Third party risk must be established prior to the beginning of a business relationship, which means conducting suitable screening and due diligence processes during the onboarding process. The due diligence process should capture a range of third party data, including names, addresses, company incorporation documents, beneficial ownership, industry certifications, and contractual obligations.
Risk priorities: The risk-based approach relies on organizations being able to efficiently determine the level of risk that specific third parties present. With that in mind, following a risk assessment, third party relationships should be grouped by their risk profile, with higher risk third parties prioritized over medium risk third parties, and so on. Organizations should develop a suitable internal policy to calculate and assign risk, based on industry benchmarks and other contextual data points.
Standardized processes: When different departments develop siloed risk management strategies, an organization’s collective third-party risk response may develop redundancies and inefficiencies, with frequent failures to share crucial data and insight. Accordingly, organizations should seek to standardize their third-party risk management strategy, setting out consistent, defined screening and due diligence procedures, and establishing a centralized repository of third-party risk data which all departments may access.
Ongoing monitoring: The level of risk posed by third parties will inevitably change over time. To manage changing risk levels, organizations should ensure that they perform ongoing risk monitoring procedures to maintain accurate risk profiles ideally, that monitoring should be conducted in real time, and involve suitable Know Your Customer (KYC) measures, such as due diligence processes, sanctions screening, and adverse media screening. TPRM solutions should also be tested for efficacy on an ongoing basis.
Adverse media: One of the best indicators of third party risk is involvement in adverse or negative news stories. Those stories might set out, for example, a third party’s financial difficulties, connections to criminal activity, or involvement in government investigations (amongst other types of risk) – all of which may be reported by news sources prior to any official confirmation. Accordingly, organizations should implement an adverse media screening solution capable of capturing data from traditional screen and print media sources, and from online sources.
TPRM Automation Solutions
Effective third party risk management requires the collection and analysis of vast amounts of data. To optimize that process, organizations should seek to leverage technology as part of their TPRM solution wherever possible.
Practically, this means implementing a suitable TPRM software solution that fits both the business and risk management needs of a given operating environment. Technology tools add automated speed, efficiency, and accuracy to risk assessment, monitoring, and screening processes, reducing reliance on ad-hoc data collection and the potential for costly human errors. The advantage of technology to TPRM is significant, and regulators around the world expect organizations to implement suitable software solutions in order to meet their compliance obligations. The US Office of Foreign Assets Control (OFAC), for example, now mandates “technology solutions” as part of TPRM where those solutions “address the organization’s risk profile and compliance needs”.
There is no one-size-fits-all approach to TPRM and, beyond its practical data handling benefits, automation enables organizations to purpose-build and calibrate their compliance solution to the specific business environments in which they operate. Automated TPRM solutions also allow firms to better apply the best practice principles outlined above, including the need to share important data between departments, to monitor adverse media channels, and to centralize and standardize the collective company response to third party risk.
TPRM Applications: Working in collaboration with Accenture and Royal Dutch Shell, Ripjar recently demonstrated the effectiveness of a TPRM solution powered by technology. Leveraging Accenture’s industry experience, Shell integrated Ripjar’s AI screening solution to enhance risk screening across its third party supply chain transactions. The technology is intended to deliver accuracy and efficiency benefits to Shell’s risk screening process and to reduce data-reporting errors by around 80% in comparison to legacy systems.
Accenture managing director Adam Markson emphasized the importance of tackling third party risk challenges, including criminal activity, cybersecurity, and fraud, as reasons for integrating Ripjar’s solution but also pointed out that the AI technology would add valuable data insights and “give management complete audit capabilities and accountability over the entire screening process.”
Want to learn how Ripjar can help with Third Party Risk Screening? Please get in touch.
The announcement of enhanced defense collaboration between the UK, US, and Australia underlines crucial global alignment in multiple areas.
There are many interesting elements to the new AUKUS pact between the United Kingdom, Australia, and the USA – from the way it was announced to the tenor of many of the reactions. There are a number of less talked-about points behind the headlines that are also worth looking at.
1. It’s not all about submarines
The coverage has focused on nuclear and diesel submarines from France and Australia. Given the geopolitics, the amazing hardware is a critical and fascinating component, but this is also about other types of confrontation.
Critically, cyber is a crucial element, recognising the threat the three nations and their allies face from cyber warfare, as well as the opportunities inherent in data and capability sharing. The joint statement says, “This is an historic opportunity for the three nations, with like-minded allies and partners, to protect shared values and promote security and prosperity in the Indo-Pacific region.”
A critical driver for the pact is the substantial defence spending from China in submarines and aircraft of their own. You can be sure that China’s investment in Cyber weapons is equally concerning.
Once the dust settles, we will see a commitment to collaboration coming from the highest level of allied governments with huge potential to disrupt adversarial cyber threats.
We know from our experiences with Ripjar’s Labyrinth platform how powerful technologies can make sense of large scale structured and unstructured data to understand threats. Data sharing and collaboration across jurisdictions will make AUKUS truly formidable, but will also provide some complex challenges. Extreme caution will be needed around data segmentation, classification and control.
2. Advanced technology is central
The AUKUS leaders are ambitious. The White House statement even talks about Quantum computing. While we will have to see if that part of their vision is fully realised, we can be sure that Artificial Intelligence and Machine Learning will be utilised like never before.
“In the last 5 years, the rule books have been torn up. As a result, immense compute power and complex machine learning algorithms are within reach of sophisticated individual hackers, never mind state-sponsored adversaries.”
It is essential to enlist the latest public and private sector technology to combat emerging threats. AUKUS provides a robust framework for Australian, UK and US agencies and their vendors to work together to build the formidable capabilities we need.
The commercial sector will have a significant role to play in the AUKUS developments. We have seen first-hand the importance of strong systems integration partners such as Accenture in delivering capability vision in a timely efficient manner.
3. AUKUS – more of the same?
Australia, the United Kingdom and the US already work together on aspects relating to cyber and intelligence. The Five Eyes alliance adds New Zealand and Canada to the other three nations and has been in existence since 1941. The English-speaking nations share intelligence to counter threats of different types.
The experiences of previous collaboration will be an important catalyst to future AUKUS collaboration. Aside from the English language, there are strong cultural and technological ties between teams in the different jurisdictions. It is no coincidence that Ripjar itself has experience in all three pact countries.
AUKUS truly is a historic pact, and we welcome every opportunity to support the work being done to bring security and stability to the region and the world.
I was reminded today that context can make a massive difference. In our lightning-fast ever-more-connected world that first appearances can be deceptive. That can lead to simple amusement – as it did today – but it can just as easily generate mistakes and confusion.
“What have you been up to?” came the amused messages from former colleagues, pointing out that I had earned an appearance in the news. I’d been mentioned in a publication called Punchline Gloucester – which apparently ranks as “Gloucestershire’s No.1 business to business publication and website”.
For any of you that don’t know the UK, Gloucestershire is a region of England that is home to my employer – Ripjar.
What was the reason for the concerned messages? Punchline had tagged me in a round-up of Gloucester headlines that led with the sad story of a local businessman in court over a manslaughter charge and followed up with a range of stories – from a shortage of bus drivers, an assault at a cider festival, and the closure of a Gap store.
Right beneath the story were two headshots – a man with an enigmatic smile. And me.
The power of context… What had I done? Was I OK? Which end of this manslaughter charge had I been part of? Had I drunk too much cider? Had I started driving buses?
On closer inspection, it all became clear. An editor or algorithm, or a mix of the two, had picked the two headshots and featured them on the post and tagged companies and people mentioned. Presumably doing so generates more clicks to the newspaper and helps to drive their advertising revenue.
Similar patterns happen all the time, in all sorts of different settings. Maybe there’s a similar roundup of political stories which includes both negative and positive coverage of politicians, or there can be stories about terrorism that discuss appalling criminal acts alongside the valiant efforts of politicians or agency staff to combat them.
In each case, it underlines both the power of the media and the risks associated with an unsophisticated reading of an article.
The lesson is important when it comes to gaining insights from unstructured data. Systems like Ripjar’s Labyrinth Screening must be careful to accurately parse the content of news articles to understand where there is a relationship between the individuals and crimes, or behavior mentioned. An unsophisticated approach might look at the post from Punchline Gloucester and conclude that I was connected to the manslaughter case or the assault, or it might look at an article on financial crime and associate the wrongdoing with a judge or lawyer involved in the case.
At Ripjar we use advanced Natural Language Processing (NLP) to automatically read and interpret each story, separating out the level of involvement. We have developed specific machine learning models in 18 different languages. Each model has been trained to successfully extract the relationships as a native reader would.
The result is that organisations looking at the media to calibrate counter-party risk get early and effective alerts with minimal false positives. Maybe even more importantly, non-related companies and people coincidentally mentioned in the news are not impacted.
Gabe Hopkins Chief Product Officer, Ripjar
If you want to find out more please get in touch to arrange a demo!
Minimise Risk and Maximise Efficiency with the Combination of Best-in-Class Media Data and Advanced Next Generation Screening Technology
Sweet and sour. Bread and butter. Gin and tonic. Some things just go better together.
After two years of working together, when it comes to next generation adverse media screening we’re confident that the perfect combination is Dow Jones data and Ripjar screening technology. There are a number of important reasons why the fusion brings a multiplier effect and ultimately a critical advantage to users.
In our modern connected world, there are simply huge quantities of data out there. Industry experience confirms that is the best all round source of media data. It includes a huge array of high quality structured and unstructured data including licensed news sources.
With data, coverage is all important. As a Chief Risk Officer, you want to do everything you can to ensure you’re not missing risks that could prove devastating to your business.
However, making sense of large volumes of data provides a real challenge.
Ripjar’s screening approach uses sophisticated Natural Language Processing (NLP) and Machine Learning to look in-depth at the content of each and every media article. The processing algorithms identify which people and companies are referred to in each article, and which risks each article refers to.
Working in 19 different languages, the technology has been fine tuned and tested with multiple Tier 1 banks operating across many demanding regulatory regimes.
And how often should you check your customers against the data? The answer is continuously.
Real-time monitoring is complex, but it is the only way to avoid the risks that are inherent with scheduled monitoring. As new media articles are received they are immediately screened and generate alerts.
Maintaining the highest standards of compliance is extremely challenging, but sophisticated businesses around the world are realising the power of media data to evaluate client, vendor and supply chain risk. Modern solutions, such as Ripjar Labyrinth Screening, provide the ability to precisely calibrate and understand risks in real-time.
Since Dow Jones and Ripjar have partnered to deliver Dow Jones Advanced Adverse Media Media Screening two years ago, it’s been great to see the power of strong collaboration. Together we are looking forward to many more years of partnership to redefine the state of the art of name and media screening.
