An introduction to third party screening processes

Posted on by

Paul Curwell, CPP, CFE, CISSP

7 minutes

What is screening and why is it important?

Screening is a term applied in the governance, risk and compliance field which equates to one or more database checks. In a screening process, the name of a business, organisation or individual is queried in a database to identify potential matches.

white jigsaw puzzle illustration
Photo by Pixabay on Pexels.com

Where a match is identified, the screening process should include a confirmation step to determine how reliable the match is prior to determining next steps. Screening is used in a range of functions, including:

Many risk and compliance laws and international standards have a reasonable expectation that screening will be performed by business and government as part of routine business operations or as part of customer service delivery. Vendor screening is also an essential part of vendor due diligence and is a foundational element of any supplier integrity framework.

Building your supplier integrity framework

Overview of the screening process

Any screening process comprises two stages – screening design and screening delivery – with a total of five steps in the process, as follows:

Stage 1 – Screening Design

  • Determine screening context and objectives: Confirm what you need to achieve by screening. This could be an obligation under legislation, standards, or policies.
  • Agree screening parameters: Determine what you are going to search (sources), when (at what point in a process or relationship), how frequently (e.g. once on commencement of relationship annually ), who will perform the work and where the results will be stored.

Stage 2 – Screening Delivery

  • Perform name-based screening: Query the relevant database for a name manually or automatically, ensuring all steps and results are documented.
  • Qualify potential matches and escalate matters of concern: Have a mechanism to perform further view (investigation) of likely matches
  • Perform Quality Assurance (QA) to validate search parameters, providing assurance that your proceses achieve their intended objectives.

Keeping detailed and accurate records of what you search for, when, where, and what results were achieved is essential in any compliance or due diligence process. You never know when you may be required to produce these records as part of your legal defence, when seeking external investment, or a similar activity.

It is also essential to keep records of how and why you designed the screening process, any inherent risks in the screening process and how these are mitigated.

Screening processes employing ‘name matching’ algorithms are inherently risky

If you are unfamilar with text analytics or computer science, you could be forgiven for thinking every search you do in a database is the same, but this is not correct. Broadly speaking, there are two main types of screening query:

  • Exact Name Matching: This search setting queries the exact phrase you have entered against the database (some systems may also be case sensitive). If there is a typo or names are back to front, no match will be returned giving a erroneous result.
  • Fuzzy Name Matching: Fuzzy matching is used to compare to search strings which may be similar but are not identical based on critieria determine either by the user (when performing the search) or by the algorithm.
google search engine on macbook pro
Photo by Pixabay on Pexels.com

Common problems encountered when designing your screening process (Stage 1 above) include:

  • Spelling errors
  • Truncated words
  • Names containing multiple languages (e.g. Arabic + English)
  • Names that have been incorrectly translated to English (either in a database record or in the search parameter)
  • Dealing with initials and titles / honorifics
  • Words that are out of order (e.g. surname -> first name or first name -> surname)
  • Spaces and hyphens
  • Nicknames or unofficial names

When performing screening for compliance purposes, it is common to determine how your screening procesess (including selected search parameters) complies with your organisation’s policy, legislative obligations, or risk appetite. It is also important to understand your data, both in the database and the material you are using to search. If your data quality is poor, you can have the best process in the world but you will still miss something. In a compliance or reputation context, improperly performing screening can have serious financial and legal consequences.

What should businesses screen for?

Precisely what a business screens its vendors for will vary depending on regulatory obligations, internal policy settings and risk appetite. In some cases, the cost of performing the screening may outweigh the risk. Examples of what is commonly employed as part of a screening process include:

Screening is only the first step in any supplier due diligence or third party risk management. Remember that not everything is in a database, and may require an audit or use of investigative techniques for detection. Show and Shadow Factories are one such example.

What is Show and Shadow Manufacturing?

There are a plethora of screening solutions on the market, particularly for vendors. Some screening solutions are aggregators meaning they offer access to multiple different databases (e.g. financial viability plus adverse media) within the same interface. Many aggregators also offer proprietary reporting and case management tools, as well as continuous monitoring and alerting functionality at a variety of price points.

What about emerging markets where there is no data?

Screening tools are powered by databases, so the quality of the output reflects the data quality inputs. I have previously worked with clients to test the accuracy, coverage and reliability of paid proprietary databases against known results to determine whether the information holdings of paid databases are as accurate as they claim.

Unfortunately, the results of these comparisons haven’t always been great, particularly when it comes to data quality in emerging markets. Here are three things to consider in this scenario:

  • Consider the type of record and what the regulatory obligations are for updating that record in the given jurisdiction. A country which provides 3 months for company secretaries to register a change of director is not going to show up in a database just because the company has made a press announcement
  • Understand whether the database vendor collects the records themselves, or if they are an agregator (or worse, an aggregator of aggregators). The closer your provider is to the primary source the greater the likely the record will be accurate and timely
  • Remember that errors can be made in declarations or when transposing information unless the country uses data validation tools. Some errors can be intentional, such as where a front company provides fictitious director details

When designing your screening process, it pays to understand what you are doing and why, and confirm this meets your requirements and acceptance criteria.

Further Reading

DISCLAIMER: All information presented on ForewarnedBlog is intended for general information purposes only. The content of ForewarnedBlog should not be considered legal or any other form of advice or opinion on any specific facts or circumstances. Readers should consult their own advisers experts or lawyers on any specific questions they may have. Any reliance placed upon ForewarnedBlog is strictly at the reader’s own risk. The views expressed by the authors are entirely their own and do not represent the views of, nor are they endorsed by, their respective employers. Refer here for full disclaimer.