Xapien newsletter — October 2024

Welcome to Xapien's monthly newsletter featuring articles and insights from the team. 🗞️


  • Bruno explains why compliance teams should “Know Your Firm” in the same way you'd “Know Your Customer”. Understand its risk appetite and the priority level of AML compliance. The firm-wide risk assessment required by the SRA is useful for understanding how your firm operates and identifying key risks. This approach helps in building a tailored programme to manage those risks and address unique issues.
  • That initial assessment of knowing your firm will lead to a collaborative effort with other teams, enabling you to communicate the importance of AML compliance—not only as a regulatory requirement but as an influence on other areas. For instance, client due diligence can provide valuable context for Partners to help understand a client’s background and interests to identify cross-selling opportunities. It also helps bridge the gap between departments that often operate in silos. When presented this way, AML compliance gains more traction. 
  • Centralising compliance processes is beneficial, yet firms should remain flexible to accommodate local nuances. By having people in each location instead of entirely centralised, each office has a person on the ground to communicate with. These individuals can become experts in local laws and the requirements of the relevant bars and law societies.


  • The Section 7 offence under the UK Bribery Act mandates having adequate procedures in place to catch corruption against corporates. While it has long been considered inadequate to rely on manual processes, not using AI will now be similarly seen as inadequate. AI will enable—and perhaps force—companies to rethink what constitutes adequate procedures to refine their risk-based approach.
  • Most existing tools haven’t kept pace with the explosion of data, especially unstructured data from open sources such as news media and blogs. Databases contain pre-collected, static information, making capturing emerging risks impossible. In contrast, open-source research democratises access to contextual information on a third party in real-time. This is essential for gaining a genuine understanding of the risks surrounding a third party.
  • There’s a growing understanding of the importance of a risk-based approach to third-party due diligence as part of adequate procedures. However, compliance teams can’t apply risk-based measures without knowing a third party’s risk level from the outset. AI now enables a triage process in which third parties can be assessed upfront, screened on databases and set in a broader context using open-source information in minutes, providing a holistic and nuanced view of an individual or entity’s risk.


  • Dartmouth College recognised the need for clearer guidelines on reputational risk following a close call with a donor. Its pressing challenge was large philanthropic and capital gifts—especially amounts of $10 million or more. Often, the focus wasn't solely on identifying potential red flags that might disqualify a gift. Rather, they wanted to be aware of any broader concerns so they wouldn't be caught off guard if reputational risks surfaced later on. 
  • Some front-line officers expressed concerns that this added scrutiny might delay processes or lead to uncomfortable situations if unfavourable information was found. However, senior leadership and the advancement team recognised the importance of this initiative. As a result, due diligence is now done on board appointees, advisors, and honorary degree recipients.
  • The research team is considering lowering the due diligence threshold from $10 million to something more manageable now that they've cleared their backlog. This has only been possible through Xapien, which allows them to conduct due diligence before the front-line officers start gift conversations.


The challenges with taking a risk-based approach to AML

  • Relying solely on AML databases to build a risk profile offers a limited perspective. This narrow view fails to capture broader, nuanced risks associated with clients, leading to either over-scrutiny or under-scrutiny, which misaligns with a risk-based approach and can create regulatory vulnerabilities.
  • With AML databases covering only a fraction of global individuals, just because a client isn't on a list doesn't mean they aren't risky. To enrich AML screening data, compliance teams must supplement database checks with open-source research to uncover potential risky associations or illicit ties not flagged by traditional AML screening.
  • Traditional manual research can’t scale as client volume grows and compliance teams find themselves spread thin as a result. This undermines the risk-based approach, as higher-risk clients might not receive the focused assessment needed to identify significant risks.

Keep reading here.


Our guide to donor due diligence with Tufts University

  • A strong due diligence policy is essential for managing risk effectively. Tufts realised the importance of this when an external review pointed out the need for greater transparency about donations made to the institution. 
  • Defining your university's risk tolerance is crucial, especially for high-value donations. Setting clear thresholds for in-depth due diligence ensures that higher-risk cases are thoroughly vetted. Many institutions, including Tufts, use financial benchmarks to trigger due diligence. 
  • Internal classifications ensure that higher risks, such as those associated with high-value donations or specific industries, are thoroughly vetted.
  • To set up a strong due diligence program, it’s crucial to secure a budget and support from senior leadership. Having senior leaders on board is key: it shows the program’s importance and helps ensure everyone follows it.

Keep reading here.


How AI can streamline supply chain due diligence

  • Interconnected supply chains make it challenging for corporations to track risks associated with third parties across different languages and jurisdictions. This is exacerbated by the evolving risk landscape. In addition to traditional risks like financial crime, companies now face threats such as human rights abuses, forced labour, and environmental harm. 
  • Governments are taking stronger action to address corporate supply chain risks. New regulations are emerging globally to hold companies accountable for the practices of their third parties. Take the Corporate Sustainability Due Diligence EU directive as an example, which came into effect on 25 July 2024 and will become applicable to companies in stages starting from 26 July 2027.
  • AI is streamlining third-party due diligence by quickly distilling relevant information from millions of online results. While a human would take an unimaginable amount of time to sift through articles, AI can generate a due diligence report in about 15 minutes. It cross-references against sanctions and watchlists and identifies risks related to financial crime, ESG issues, and reputational damage.

Keep reading here.


👋 Thanks for reading this month.

