No matter how perfectly crafted an organization’s policies, identifying when enhanced due diligence (EDD) is merited and how fine-tuned its procedures specifying how EDD will be conducted, workplace realities can impact who is undertaking the task and how backlogged their to-do list happens to be.
With the United Nations’ International Anti-Corruption Day on the horizon, we feature a two-part blog series on the critical issues around enhanced due diligence protocols.
Poor implementation of policies and procedures on enhanced due diligence (EDD) could mean that problematic high-risk customers, including politically exposed persons, are being on-boarded or, conversely, that too many viable yet seemingly high-risk prospects are being turned away.
As every organization strives to find its sweet spot in EDD screening, a timely reassessment of a business’s overall approach to the subject may be in order.
The pandemic and its aftermath have, after all, rattled every business. Boom times just 20 months ago may have come to a screeching halt, or businesses that just happen to be well-suited to a customer base compelled to remain at home may have flourished. Workers became distracted by the overall shutdown, home-schooling their kids and worrying about virus-stricken family members, quarantine, self-isolation, and every other stress that was triggered by our communal encounter with the COVID-19 pandemic.
Why update EDD protocols now?
What that means is even a well-run due diligence operation that worked well before the pandemic may be experiencing some kinks now. Workplace turnover or just absenteeism can mean that the experts who were undertaking diligence a year ago are overworked now, dealing with less experienced teams, or delegating tasks a bit more recklessly than they should.
Changes in the way business is conducted, in who a company’s suppliers and customers are, and in who is implementing an enhanced due diligence policy could mean (as one entity experienced in the not-too-distant past), that the person responsible for vetting and then overseeing the high-risk individual is the one who recommended the person and brought in their business in the first place. Consider it a best practice to make sure that the person monitoring the risk does not have a conflict of interest.
It’s worth remembering that not just low-level personnel can run afoul of EDD policies and procedures. In November 2020, an individual bearing the title of First Vice President and Bank Secrecy Act Officer had to pay a $10,000 penalty for mispresenting the status of the bank’s EDD reviews to bank management and the Federal Deposit Insurance Corporation (FDIC). This was an expensive error that also resulted in a large backlog and failure to timely file suspicious activity reports (SARs).
How to thwart problems
Given the change in circumstances, policies and procedures should be reappraised in light of the current business environment. These policies and procedures should be assessed with an eye toward something going wrong. For example, how might current protocols in your current conditions allow inappropriate behavior to take place, go undetected, or be ignored if someone did flag it?
Be realistic about the present-day necessity to perhaps do business with higher-risk entities than your organization might once have contemplated. The world has changed; supply chains have been disrupted, shortages may be frequent, and your business may just need to expand its risk appetite if it hopes to survive this very disruptive time. What that means is that your organization’s EDD protocols may need to be adapted to this new reality. This also means that more resources may be needed to be fully identify and understand the risk posed by certain entities and monitor of your organization’s relationship with them. Remember that even long-time customers and business partners have also experienced upheaval from the pandemic such that their own risk profiles may have changed as well. Will your organization’s EDD protocols be able to identify these potentially new risks?
Along with a protocol update, organizations likely need to revisit their training on due diligence, customer and third-party risk management, and risk monitoring. And there are several actions a business should do, such as blasting compliance messaging out to your workforce more often with reminders about red flags, how to convey concerns, what to look for, and what to do if an initial report is ignored. Further, ask for your employees’ help, and inspire them to follow up as needed.
Don’t assume that management, under its own pressure to perform right now, will always do the right thing. Make sure there are sufficient safeguards so that inappropriate behavior will be identified and corrected.
Admittedly, today’s current environment is a tough time to do business. It can become an even tougher one if a regulator or enforcement agency begins investigating your operation.
This is the second article in a two-part series. You can read the first part, The peril of poorly done enhanced due diligence here.