TPRM Methodology – Comprehensive Guide to Third-Party Risk Management (TPRM)

Comprehensive Guide to Third-Party Risk Management (TPRM) Methodology – Learn how to effectively manage third-party risks in 2025 with our comprehensive guide on Third-Party Risk Management (TPRM), covering key components, best practices, and common challenges in TPRM Methodology.

The modern business ecosystem is deeply interconnected, with organisations increasingly depending on third-party vendors to optimise operations, reduce costs, and enhance service delivery. However, these relationships come with their risks. Third-Party Risk Management (TPRM) methodology is critical to mitigate potential threats, ensure compliance, and safeguard organisational assets. This guide explores the intricacies of the TPRM methodology, providing actionable insights for effective implementation.

What is Third-Party Risk Management (TPRM) Methodology?

TPRM methodology refers to a systematic approach to identifying, assessing, mitigating, and monitoring risks associated with engaging third-party vendors. These risks may stem from cybersecurity vulnerabilities, regulatory non-compliance, operational disruptions, or reputational harm. A robust TPRM methodology integrates these risk considerations into every stage of the vendor lifecycle.

 

Why is TPRM Essential?

Third-party risks are multifaceted and can arise at any stage of a business relationship. Common risk categories include:

  • Cybersecurity Risks: Vendors with inadequate security measures can become entry points for cyberattacks, compromising sensitive data.
  • Compliance Risks: Non-compliance with legal and regulatory requirements by vendors can expose organisations to fines and reputational damage.
  • Operational Risks: Vendor failures can disrupt supply chains, affect service delivery, and harm business operations.
  • Reputational Risks: Associations with unethical or irresponsible vendors can tarnish an organisation’s public image.

By implementing a robust TPRM methodology, organisations can minimise these risks while maintaining productive partnerships.

 

Key Components of Third-Party Risk Management (TPRM) Methodology

A robust TPRM methodology is essential for effectively managing the risks associated with third-party relationships. By adopting a systematic approach, organisations can not only safeguard their operations but also strengthen vendor relationships. Below, we delve deeper into the essential components of a well-designed TPRM methodology, ensuring a clear understanding of each element’s significance.

1. Vendor Identification and Classification

To manage third-party risks effectively, organisations must first establish a comprehensive view of their vendor ecosystem.

  • Create a Centralised Vendor Database
    A central repository of all third-party relationships is critical. This database should detail vendor information, including the services they provide, the systems they access, and the data they handle. Having this visibility ensures that no vendor falls outside the purview of the risk management framework.
  • Classify Vendors by Risk
    Not all vendors pose the same level of risk. Categorising vendors allows organisations to allocate resources proportionally. Examples include:

    • High-risk vendors: Vendors with access to sensitive data, critical systems, or those integral to operational continuity.
    • Low-risk vendors: Vendors providing non-critical services, such as office supplies, with minimal impact on the business.

This classification ensures targeted risk management and resource efficiency.

2. Risk Assessment and Due Diligence

Risk assessment forms the backbone of any TPRM methodology. It is vital to evaluate potential vulnerabilities associated with each third-party relationship.

  • Initial Risk Assessment
    Begin by assessing each vendor’s overall risk profile. This includes their:

    • Financial stability to ensure reliability and longevity.
    • Compliance history to identify any prior regulatory violations.
    • Security measures to understand their capability to protect sensitive data.
  • Enhanced Due Diligence
    For vendors categorised as high-risk, a more in-depth evaluation is necessary. This includes:

    • Cybersecurity Audits: Assess the vendor’s IT infrastructure, data protection practices, and incident response capabilities.
    • Regulatory Compliance Verification: Ensure vendors comply with industry-specific regulations, such as GDPR or FCA standards.
    • Reputation Analysis: Investigate public records, reviews, and other sources to identify potential reputational risks.

The goal is to make informed decisions about whether to engage or continue working with a vendor.

3. Risk Mitigation and Contractual Safeguards

Once risks are identified, the next step is to address and mitigate them through strategic measures and strong contractual agreements.

  • Mitigation Strategies
    • Limit Access: Restrict vendor access to only the data and systems necessary for their tasks.
    • Implement Controls: Require vendors to adopt your organisation’s security protocols, such as multi-factor authentication or encryption.
  • Robust Contracts
    Contracts are a vital tool in setting clear expectations and safeguarding against risks. Key provisions should include:

    • Data Protection Obligations: Specify how data should be handled, stored, and protected.
    • Service Level Agreements (SLAs): Define performance expectations and metrics to measure vendor effectiveness.
    • Audit and Termination Clauses: Allow for periodic audits and outline conditions under which the contract may be terminated.

Clear and enforceable contracts create accountability and reduce ambiguity in vendor relationships.

4. Ongoing Monitoring and Governance

Risk management does not end with onboarding. Continuous oversight is necessary to adapt to changing circumstances and maintain compliance.

  • Continuous Monitoring
    Utilise automated tools and technology to monitor vendor performance, detect anomalies, and identify emerging risks in real time.
  • Regular Reviews
    Schedule periodic evaluations to reassess vendor compliance with contractual obligations and evolving regulations. This ensures that the relationship remains aligned with organisational goals.
  • Vendor Governance Committees
    Establish a governance structure to oversee TPRM activities. These committees should include representatives from relevant departments, such as legal, IT, and procurement, ensuring a holistic approach to third-party risk management.

5. Incident Response and Contingency Planning

Despite the best preventive measures, incidents involving third parties can still occur. Preparedness is essential to minimise impact.

  • Incident Response Frameworks
    Develop clear procedures for managing third-party-related incidents, such as data breaches or service disruptions. These frameworks should include communication protocols, roles, and responsibilities to ensure a swift and effective response.
  • Business Continuity Plans
    Work closely with vendors to establish contingency plans that maintain service continuity during emergencies. Regularly test these plans through simulated scenarios to identify and address any gaps.

6. Offboarding and Exit Strategies

The end of a vendor relationship can pose risks if not managed carefully. A structured offboarding process is essential to protect organisational assets and data.

  • Controlled Offboarding
    Ensure a secure transition by:

    • Revoking vendor access to systems and data.
    • Retrieving or securely disposing of sensitive information handled by the vendor.
  • Lessons Learned
    Conduct a post-offboarding review to evaluate the relationship and identify areas for improvement in future engagements. This reflective process can uncover valuable insights to refine your TPRM methodology.

The components outlined above form the foundation of a comprehensive TPRM methodology. By systematically addressing each stage of the vendor lifecycle, organisations can effectively mitigate risks, enhance compliance, and build resilient partnerships. Adopting a proactive and structured approach to third-party risk management not only safeguards the organisation but also demonstrates a commitment to responsible and ethical business practices.

A well-executed TPRM methodology is no longer a luxury—it is a necessity in today’s complex and dynamic business landscape.

 

Best Practices for Implementing TPRM Methodology

  • Integrating TPRM with Enterprise Risk Management (ERM): Align TPRM with your organisation’s broader ERM framework to ensure consistency and comprehensive oversight.
  • Investing in Advanced Technologies: Adopt AI-driven tools that enable predictive analytics, risk scoring, and real-time monitoring of vendor activities. These technologies streamline risk identification and enhance decision-making.
  • Building a Culture of Risk Awareness: Foster a culture where employees and third-party vendors understand and prioritise risk management. Conduct regular training sessions to reinforce TPRM principles.
  • Staying Updated with Regulatory Changes: Maintain awareness of evolving regulatory landscapes and adjust TPRM methodologies to ensure compliance.
  • Establishing Clear Communication Channels: Transparent communication between your organisation and vendors promotes trust and ensures that all parties are aligned on risk management goals.

 

Challenges in TPRM Implementation

Despite its importance, implementing a robust TPRM methodology can be challenging:

  • Resource Constraints: Smaller organisations may struggle to allocate the necessary budget and personnel for comprehensive TPRM efforts.
  • Complex Vendor Networks: Managing risks across a diverse and extensive vendor base can be overwhelming.
  • Dynamic Risk Landscape: Rapidly evolving threats, such as cyberattacks, require constant vigilance and adaptability.

 

Actionable Insights for Effective Third-Party Risk Management (TPRM)

Implementing an effective Third-Party Risk Management (TPRM) programme requires a thoughtful and strategic approach. While the task may seem daunting, breaking it down into manageable steps and incorporating best practices ensures a smoother and more impactful process. Below are actionable insights that can help organisations implement TPRM effectively, ensuring risks are mitigated and relationships are managed efficiently.

1. Start Small but Scale Strategically

It is neither practical nor resource-efficient to launch a comprehensive TPRM programme covering all vendors simultaneously. Starting with high-risk vendors and scaling the programme gradually is a pragmatic approach that delivers immediate value.

  • Focus on High-Risk Vendors First:
    Begin by identifying vendors that have the highest potential to impact your organisation’s operations, data security, or compliance. High-risk vendors typically include those with access to critical systems or sensitive data. By addressing these relationships first, you can significantly reduce exposure to the most pressing risks.
  • Expand to Lower-Risk Vendors Over Time:
    Once a robust process is established for high-risk vendors, gradually include medium- and low-risk vendors in your TPRM programme. This phased approach allows for continuous learning and refinement of your processes without overwhelming your resources.
  • Iterative Process Improvement:
    Use insights gained from managing high-risk vendors to refine the methodology and tools before expanding. This ensures that the programme is scalable and adaptable to cover a wider range of vendor relationships effectively.

2. Engage Stakeholders Early

Third-party risk management is not the responsibility of a single department. It requires collaboration across various functions to ensure all aspects of risk are identified, assessed, and managed effectively.

  • Involve Cross-Functional Teams:
    Engage key stakeholders such as legal, IT, procurement, compliance, and operations early in the process. Each team brings unique insights and expertise:

    • Legal can ensure contracts include robust risk mitigation clauses.
    • IT can evaluate vendors’ cybersecurity measures.
    • Procurement can identify critical vendors and oversee contract negotiations.
  • Develop a Unified Framework:
    Collaboration ensures that the TPRM framework aligns with organisational objectives and regulatory requirements. A unified approach prevents silos and ensures risks are managed holistically.
  • Create a Communication Plan:
    Establish clear communication channels and regular updates for all stakeholders. This keeps everyone informed and engaged throughout the TPRM lifecycle, from vendor selection to ongoing monitoring.

3. Leverage External Expertise

Managing third-party risks internally can be challenging, especially for organisations with limited resources or expertise. Engaging external specialists can provide invaluable support and enhance the effectiveness of your TPRM programme.

  • Partner with Risk Management Firms:
    External firms specialising in TPRM can offer expertise in areas such as vendor assessments, compliance monitoring, and incident response planning. These firms often have access to advanced tools and databases that streamline risk identification and mitigation.
  • Access to Industry Best Practices:
    Risk management firms are well-versed in industry standards and regulations. Their expertise ensures that your TPRM practices remain compliant with evolving laws and align with best practices.
  • Customised Support:
    Many third-party risk management firms provide tailored solutions based on the specific needs of your organisation. This can include customised risk assessment frameworks, training for internal teams, or ongoing monitoring services.
  • Cost-Efficiency for Smaller Organisations:
    For smaller organisations, building an in-house TPRM capability can be cost-prohibitive. Leveraging external expertise offers a cost-effective alternative, providing access to high-quality risk management without the need for significant investment in internal resources.

Implementing These TPRM Insights in Practice

To effectively integrate these insights into your TPRM efforts, consider the following steps:

  1. Conduct a Risk Prioritisation Exercise: Identify and categorise vendors based on their risk profiles to determine where to focus initial efforts.
  2. Establish a Steering Committee: Form a cross-functional committee to oversee the development and implementation of the TPRM programme.
  3. Evaluate External Partners: Research and engage credible third-party risk management firms with proven track records in your industry.
  4. Pilot and Scale: Begin with a pilot programme for a subset of high-risk vendors, assess its success, and then expand the scope based on findings.
  5. Monitor and Refine: Continuously assess the effectiveness of your TPRM practices, incorporating feedback from stakeholders and leveraging insights from external partners.

 

Effective TPRM implementation requires a combination of strategic focus, cross-functional collaboration, and external expertise. By starting small, engaging stakeholders early, and leveraging the support of specialists, organisations can build a scalable and impactful TPRM programme. This approach not only safeguards the organisation against potential risks but also enhances vendor relationships and operational resilience. Adopting these actionable insights ensures that TPRM becomes an integral part of your organisation’s broader risk management strategy.

Third-party risk management (TPRM) is a critical discipline in today’s interconnected business landscape, addressing the challenges posed by external vendor relationships. By implementing a comprehensive third-party risk management framework, organisations can systematically identify, assess, and mitigate risks, ensuring business resilience and regulatory compliance. From creating robust third-party risk management policies to deploying effective third-party risk management software, a proactive approach safeguards against operational disruptions, data breaches, and reputational damage.

Integrated third-party risk management solutions are essential for streamlining processes across the third-party risk management lifecycle. Organisations can benefit from advanced third-party risk management platforms and tools that enable real-time monitoring, detailed risk assessments, and efficient vendor management. These tools enhance the effectiveness of third-party risk management programs and ensure alignment with industry best practices.

For businesses seeking to strengthen their third-party risk management process, the adoption of third-party risk management services from specialised vendors can provide expert insights and scalable support. Such services often include tailored risk assessments, policy development, and ongoing monitoring to address unique organisational needs. Careers in third-party risk management are also on the rise, as organisations recognise the importance of dedicated professionals to manage and mitigate vendor risks.

The adoption of comprehensive third-party risk management solutions, frameworks, and tools ensures that organisations remain resilient and secure in an era of increasing third-party dependencies. By prioritising integrated strategies and leveraging advanced platforms, businesses can successfully navigate the complexities of third-party relationships and position themselves for long-term success.

 

How can Neotas TPRM solutions help?

Neotas offers an innovative solution to businesses grappling with Third-Party Risk Management (TPRM). In an era of increasing outsourcing, TPRM has become pivotal, and Neotas recognises this need. Through our enhanced due diligence platform, businesses can efficiently track and evaluate vendors and contractors, ensuring adherence to security protocols in a cost-effective manner.

The Neotas platform automates the vendor onboarding process, streamlining the addition of new vendors with remarkable ease and speed.

Moreover, Neotas provides a customisable dashboard, enabling businesses to proactively identify and address emerging risks. By consolidating vital vendor information, Neotas facilitates the seamless integration of risk management into existing Customer Relationship Management (CRM) and Supply Chain Management (SCM) systems, ultimately helping businesses maximise profits while minimising risk exposure. 

If you’re curious about whether our third-party risk management solutions and services align with your organisation, don’t hesitate to schedule a call. We’re here to help you make informed decisions tailored to your needs. 

FAQs on TPRM Methodology

What is TPRM methodology?

TPRM methodology refers to the structured process of identifying, assessing, mitigating, and monitoring risks associated with third-party relationships. It aims to protect organisations from potential threats arising from third-party vendors, including cybersecurity risks, compliance issues, operational disruptions, and reputational damage. A well-designed methodology integrates risk management into the vendor lifecycle for comprehensive oversight.

Why is TPRM important in modern businesses?

TPRM is vital as organisations increasingly depend on third parties for critical functions. Without proper risk management, vendors can introduce vulnerabilities, including data breaches and regulatory non-compliance. TPRM helps organisations maintain operational resilience, protect sensitive data, and meet regulatory obligations while fostering trust with stakeholders and customers.

What are the key objectives of TPRM?

The objectives of TPRM include:

  • Safeguarding sensitive data and systems from third-party risks.
  • Ensuring compliance with regulatory standards.
  • Reducing operational disruptions caused by vendor failures.
  • Enhancing overall governance of third-party relationships.
  • Strengthening vendor accountability and fostering trust.

What are the five phases of third-party risk management?

The five phases of TPRM are:

  1. Identification: Cataloguing all third-party relationships.
  2. Assessment: Evaluating vendor risks through due diligence and risk profiling.
  3. Mitigation: Addressing risks with controls and contractual safeguards.
  4. Monitoring: Continuously overseeing vendor performance and compliance.
  5. Offboarding: Securely ending vendor relationships while safeguarding organisational assets.

What risks are addressed by TPRM methodology?

TPRM methodology addresses multiple risks, including:

  • Cybersecurity Risks: Data breaches and unauthorised access.
  • Compliance Risks: Non-adherence to legal and regulatory requirements.
  • Operational Risks: Vendor disruptions impacting business continuity.
  • Reputational Risks: Negative public perception due to vendor misconduct.

What is the TPRM lifecycle methodology?

The TPRM lifecycle methodology encompasses all stages of managing third-party relationships, including:

  1. Pre-engagement risk assessments.
  2. Contract negotiation and vendor onboarding.
  3. Continuous monitoring and risk reassessments.
  4. Incident management and remediation.
  5. Offboarding with secure termination processes.

Who is responsible for TPRM within an organisation?

Responsibility for TPRM typically falls on risk management, compliance, procurement, and IT departments. A cross-functional governance committee often oversees TPRM to ensure alignment across the organisation. Senior management plays a key role in setting policies, while operational teams execute the TPRM strategy.

What are TPRM policies and procedures?

TPRM policies and procedures outline an organisation’s approach to managing third-party risks. They include guidelines for vendor risk assessments, compliance requirements, incident response, contract terms, and continuous monitoring. These policies ensure consistency, compliance, and accountability across all vendor relationships.

What are the three P’s of total risk management?

The three P’s of total risk management are:

  • Processes: Establishing structured procedures for identifying and mitigating risks.
  • People: Assigning responsibilities and fostering a risk-aware culture.
  • Policies: Defining rules and frameworks to guide risk management efforts.

What is RCSA methodology in risk management?

RCSA (Risk Control Self-Assessment) is a methodology that allows organisations to identify and assess risks within their operations. It involves documenting risks, evaluating control effectiveness, and assigning ownership for remediation. In TPRM, RCSA is often applied to evaluate vendor-related risks systematically.

How does TPRM methodology support regulatory compliance?

TPRM methodology ensures compliance by embedding regulatory requirements into vendor assessments and monitoring processes. This includes verifying adherence to laws such as GDPR, FCA guidelines, and industry-specific standards. Effective TPRM reduces the risk of fines and reputational damage caused by vendor non-compliance.

What are the common challenges in implementing TPRM methodology?

Challenges include:

  • Managing risks across a large vendor ecosystem.
  • Limited resources for comprehensive risk assessments.
  • Vendor resistance to stringent security requirements.
  • Adapting to rapidly changing regulatory and technological landscapes.

Overcoming these requires strategic prioritisation, stakeholder collaboration, and the use of automated tools.

How does technology enhance TPRM methodology?

Technology improves TPRM by automating risk assessments, real-time monitoring, and compliance tracking. Tools like artificial intelligence (AI) and machine learning provide predictive analytics to detect emerging risks, while integrated platforms offer dashboards for streamlined vendor management and reporting.

What is the role of due diligence in TPRM?

Due diligence is a cornerstone of TPRM, involving detailed evaluations of vendor capabilities, compliance, and security measures. It ensures that vendors meet organisational standards before onboarding. For high-risk vendors, enhanced due diligence includes cybersecurity audits, financial reviews, and regulatory compliance checks.

How can organisations improve their TPRM methodology?

Organisations can enhance their TPRM methodology by:

  • Adopting advanced technologies for automation and analytics.
  • Regularly updating policies to reflect evolving risks and regulations.
  • Conducting continuous training for employees and vendors.
  • Engaging external experts for specialised assessments.
  • Integrating TPRM into their broader enterprise risk management strategy.

Third-Party Risk Management – Third-Party Risk Assessment Framework, TPRM Best practices, and Third-Party Due Diligence

Third-Party Risk Management (TPRM)

Third-party risk management is a fundamental aspect of modern business operations, aimed at identifying and mitigating risks associated with engaging third-party vendors, suppliers, contractors, and partners. As businesses increasingly rely on external entities to support various functions, TPRM plays a pivotal role in safeguarding against potential threats and vulnerabilities that could impact organisational resilience and reputation.

What is third-party risk management? 

TPRM encompasses a systematic approach to assessing, monitoring, and managing risks arising from third-party relationships. It involves conducting due diligence on third-party vendors to understand their capabilities, security measures, and adherence to regulatory requirements. By proactively addressing risks, organisations can mitigate the likelihood and severity of disruptions that may arise from third-party engagements.

The scope of TPRM extends beyond traditional buyer-seller relationships and encompasses a wide range of risks that could impact financial, legal, and operational aspects of an organisation. From cybersecurity challenges to disruptions in critical supply items, TPRM addresses multi-dimensional risks that may arise from third-party engagements.

In today’s complex business environment, third-party risks emerge in diverse forms, encompassing financial fragility, cybersecurity susceptibilities, geopolitical dynamics, and beyond. Third-Party Risk Management (TPRM) involves a comprehensive analysis of the risks arising from relationships with third-party providers. By conducting due diligence on the risks posed by third parties, organisations gain the foresight to plan for and mitigate these risks, averting potential escalation.

At its core, TPRM empowers organisations to take a proactive stance in managing third-party risks, rather than reacting to incidents as they occur.

By conducting thorough risk assessments, establishing robust contractual agreements, and implementing ongoing monitoring mechanisms, organisations can enhance their resilience and protect against potential disruptions.

TPRM is a critical component of effective risk management, allowing organisations to navigate the complexities of third-party relationships while safeguarding against potential threats. By adopting a comprehensive TPRM approach, organisations can enhance their ability to anticipate, assess, and mitigate risks, thereby fostering resilience and ensuring sustainable business operations in an increasingly interconnected world.

Why is third-party risk management important?

The reliance on third-party vendors and partners for outsourcing offers numerous benefits such as cost savings and access to specialised expertise, but it also introduces significant risks that can impact an organisation’s operations, reputation, and bottom line. Therefore, implementing a robust Third-Party Risk Management (TPRM) program is essential to mitigate these risks effectively.

1. Protection of Reputation and Customer Trust:

  • External Outages Affecting Areas Across the Supply Chain: Third-party disruptions can ripple through the entire supply chain, affecting upstream and downstream partners, suppliers, and customers.
  • Reputation is a valuable asset that can take years to build and seconds to destroy. Third-party incidents, such as service outages or data breaches, can tarnish an organisation’s reputation and erode customer trust. In an era where social media amplifies the impact of negative events, organisations must prioritise reputation management by implementing robust TPRM practices. By safeguarding against third-party risks, businesses can maintain customer confidence and preserve their brand integrity.
  • For instance, if a key supplier experiences production delays or supply chain interruptions due to unforeseen circumstances, it can lead to shortages, delays in product delivery, and increased costs for all parties involved.

In today’s interconnected business landscape, safeguarding reputation and nurturing customer trust are paramount imperatives for organisations. Third-party disruptions, such as service outages or data breaches, can tarnish an organisation’s reputation and erode customer trust. 

2. Regulatory Compliance Requirements:

  • Regulatory bodies worldwide are increasingly focused on third-party risk management as part of broader compliance frameworks: Failure to adequately manage third-party risks can result in compliance and regulatory violations, exposing organisations to legal penalties, fines, and reputational damage.
  • Regulatory bodies increasingly hold organisations accountable for the actions of their third-party vendors, necessitating robust oversight and governance to ensure compliance with applicable laws and regulations.
  • Organisations operating in regulated industries must adhere to stringent data protection, privacy, and security regulations, often requiring them to assess and mitigate risks associated with third-party relationships. Failure to comply with regulatory requirements can result in severe penalties, legal consequences, and reputational damage, highlighting the importance of robust TPRM programs.

3. Increasing Vulnerability to Disruptive Events:

  • Internal Outages and Lapses in Operational Capabilities: Dependence on third-party vendors for critical services or resources can lead to internal outages and operational disruptions if these vendors experience downtime or fail to deliver as expected. Disruptive events, ranging from natural disasters to cyberattacks, can have far-reaching consequences on business operations and supply chains. The interconnected nature of modern business ecosystems means that disruptions affecting third-party vendors can quickly cascade downstream, impacting multiple organisations. Without proper risk management measures in place, businesses are vulnerable to internal and external outages, leading to lapses in operational capabilities and supply chain vulnerabilities.
  • For example, if a cloud service provider experiences a service outage, it can result in disruptions to internal systems and applications hosted on their platform, impacting employee productivity and business continuity.

4. Heightened Cybersecurity Risks:

  • Vendor Outages That Might Expose the Organisation to Supply Chain Vulnerabilities: Changes in third-party operations, such as modifications to data gathering, storage, or security practices, can impact an organisation’s data management and security posture.
  • Cybersecurity incidents, including data breaches and ransomware attacks, pose significant threats to organisations of all sizes and industries. Third-party vendors often have access to sensitive data and systems, making them attractive targets for cybercriminals. A breach or security incident involving a third party can expose an organisation to financial losses, regulatory penalties, and reputational damage. Therefore, robust TPRM practices are crucial for assessing and mitigating cybersecurity risks associated with third-party relationships.
  • For example, if a cloud storage provider changes its data encryption protocols or data residency requirements without prior notification, it may lead to compliance issues and data security concerns for organisations relying on their services.

5. Operational Resilience Challenges:

  • External Outages Affecting Areas Across the Supply Chain: Dependence on a single or limited number of vendors for critical goods or services can expose organisations to supply chain vulnerabilities.
  • Third-party failures or outages can interrupt critical business processes, leading to productivity losses and customer dissatisfaction. Whether it’s a cloud service provider experiencing downtime or a logistics partner facing delivery problems, organisations must proactively manage third-party risks to ensure uninterrupted operations and customer satisfaction.
  • In the event of a vendor outage or disruption, organisations may struggle to find alternative suppliers quickly, leading to supply chain bottlenecks, delays, and potential revenue losses.

Prioritising TPRM is not just a best practice; it is a strategic imperative for modern businesses aiming to thrive amidst evolving threats and challenges.

 

KPMG International’s new research — which surveyed 1,263 senior TPRM professionals across six sectors and 16 countries, territories and jurisdictions worldwide — reveals that TPRM is a strategic priority for 85 percent of businesses, up from 77 percent before the outbreak of the pandemic.

Source: Third-Party Risk Management Outlook 2022

What’s the Difference Between a Third-Party and a Fourth-Party?

Understanding the distinction between third-party and fourth-party relationships is essential for effective supply chain management and risk mitigation strategies. By recognising the interconnectedness of these relationships and the potential ripple effects of disruptions, organisations can enhance their resilience and ensure business continuity across the supply chain.

| Aspect | Third-Party | Fourth-Party |
| --- | --- | --- |
| Definition | Engages directly with the organisation. | Indirectly connected to the organisation via third parties. |
| Examples | Suppliers, vendors, partners, contractors, etc. | Subcontractors, sub-suppliers, distributors, etc. |
| Contractual Agreement | Typically has contractual agreements. | May not have formal contracts with the organisation. |
| Visibility and Control | Often greater visibility and control due to contractual obligations. | Requires deeper supply chain insights and collaboration for management. |
| Risk Exposure | Directly managed by the organisation. | Poses indirect risks that necessitate proactive monitoring and management. |

 

Key Differences:

  • Direct vs. Indirect Relationship: Third parties engage directly with your organisation, whereas fourth parties are indirectly connected through your third-party relationships.
  • Contractual vs. Non-Contractual: Third-party relationships typically involve contractual agreements, while fourth-party relationships may not have formal contracts with your organisation.
  • Visibility and Control: Your organisation may have greater visibility and control over third-party activities due to contractual obligations, whereas managing fourth-party risks may require deeper supply chain insights and collaboration with your primary third-party vendors.
  • Risk Exposure: While third-party risks are directly managed by your organisation, fourth-party risks may pose indirect risks that require proactive monitoring and management to safeguard against potential disruptions or vulnerabilities in the supply chain.

Types of Third-Party Risks

When collaborating with third-party vendors, organisations are exposed to various types of risks that can impact their operations, reputation, and overall success. Here are the common types of risks introduced by third parties:

| Type of Risk | Description |
| --- | --- |
| Cybersecurity Risk | The risk of exposure or loss resulting from a cyberattack, security breach, or other security incidents initiated by a third party. It involves potential data breaches, theft, or manipulation of sensitive information. |
| Operational Risk | The risk of a third party causing disruption to the business operations. This could include service interruptions, delays in delivery, or failure to meet contractual obligations, affecting the organisation’s productivity and performance. |
| Legal, Regulatory, and Compliance Risk | The risk of a third party impacting an organisation’s compliance with local legislation, regulations, or agreements. This is particularly crucial for industries with stringent regulatory requirements, such as financial services, healthcare, and government sectors. |
| Reputational Risk | The risk of negative public opinion or damage to an organisation’s reputation due to the actions or failures of a third party. This could result from data breaches, ethical violations, or subpar service quality, eroding stakeholder trust and brand credibility. |
| Financial Risk | The risk that a third party’s actions or performance will have adverse financial implications for the organisation. This could involve financial losses, increased costs, or missed revenue opportunities due to issues with vendors’ financial stability or performance. |
| Strategic Risk | The risk that a third-party vendor fails to align with the organisation’s strategic objectives, hindering its ability to achieve business goals or pursue growth opportunities. This could involve mismatches in capabilities, culture, or long-term vision, impacting organisational success. |

 

Understanding and managing these risks is essential for organisations to protect their interests, ensure regulatory compliance, and maintain trust with stakeholders. Implementing robust third-party risk management practices, including due diligence, monitoring, and contingency planning, can help mitigate these risks and enhance organisational resilience in an increasingly interconnected business environment.

Third-party risk management lifecycle

The Third-Party Risk Management (TPRM) lifecycle serves as a structured framework for organisations to manage their relationships with external vendors effectively. Let’s delve into each phase of the TPRM lifecycle:

Phase 1: Third-Party Identification

  • Identify existing and potential third-party vendors through various means, such as consolidating vendor information from spreadsheets, integrating with existing technologies, or conducting assessments and interviews across different business departments.
  • Utilise self-service portals to gather preliminary information about new third parties, including the personal information involved, the business context, and the data types handled.

Phase 2: Evaluation and Selection

  • Evaluate vendors based on requests for proposals (RFPs) and select vendors that align with the organisation’s specific needs, objectives, and criteria.
  • Consider factors such as vendor capabilities, reputation, pricing, and compatibility with organisational goals during the selection process.

Phase 3: Risk Assessment

  • Conduct comprehensive vendor risk assessments to identify and evaluate potential risks associated with third-party relationships.
  • Utilise standardised frameworks and assessments, such as ISO standards, SIG Lite, NIST guidelines, or industry-specific standards like HITRUST, to assess vendor security posture and compliance.

Phase 4: Risk Mitigation

  • Prioritise and mitigate identified risks through appropriate risk treatment measures, such as implementing additional security controls, contractual obligations, or risk transfer mechanisms.
  • Monitor risks for any changes or events that may impact the organisation’s risk profile, such as data breaches, regulatory changes, or vendor mergers.

Phase 5: Contracting and Procurement

  • Review and negotiate vendor contracts to ensure alignment with TPRM objectives and requirements.
  • Include key provisions, clauses, and terms in contracts related to scope of services, pricing, termination clauses, data protection, compliance, and liability.

Phase 6: Reporting and Recordkeeping

  • Maintain detailed records of vendor engagements, assessments, contracts, and risk mitigation activities for audit and compliance purposes.
  • Utilise TPRM software or platforms to centralise and manage vendor-related data and generate reports on program performance, risk levels, and compliance status.

Phase 7: Ongoing Monitoring

  • Continuously monitor vendor performance, security posture, and compliance throughout the vendor lifecycle.
  • Stay vigilant for any changes or events that may impact vendor risks, such as regulatory updates, operational changes, or security incidents.

Phase 8: Vendor Offboarding

  • Develop a thorough offboarding process to safely and securely terminate vendor relationships when necessary.
  • Conduct internal and external assessments to confirm that all appropriate measures were taken during the offboarding process and maintain a detailed evidence trail for compliance purposes.

By following the TPRM lifecycle, organisations can systematically manage third-party risks, enhance vendor relationships, and safeguard their assets, reputation, and regulatory compliance. This structured approach enables proactive risk identification, assessment, mitigation, and ongoing monitoring to ensure resilience and security in an ever-evolving business environment.

Implementing a Third-Party Risk Management Program

Implementing a robust Third-Party Risk Management (TPRM) program is essential for organisations looking to mitigate risks associated with their external partnerships effectively. Here’s a step-by-step guide to developing and implementing a TPRM program:

Step 1: Analysis – Contract and SLA Requirements

  • Before onboarding any third party, conduct a thorough analysis to identify potential risks and assess the level of due diligence required.
  • Utilise security ratings or risk assessment tools to evaluate the external security posture of vendors and determine if they meet the organisation’s minimum accepted score.
  • Define a clear third-party risk appetite to accurately evaluate the potential impact of third-party risks on the organisation’s overall security posture.

Step 2: Engagement – Conduct Risk Assessments

  • Once a vendor’s security rating meets the organisation’s standards, engage with the vendor to obtain detailed insights into their security controls.
  • Request the vendor to complete a security questionnaire that provides comprehensive information on their security practices, policies, and procedures.

Step 3: Remediation – Develop Risk Mitigation Strategies

  • If the vendor exhibits unacceptable risks during the engagement process, prioritise remediation efforts to address identified security issues.
  • Implement a remediation plan in collaboration with the vendor, outlining specific actions required to mitigate risks and enhance security controls.
  • Utilise dedicated tools or platforms to track and manage remediation activities efficiently, minimising the risk of overlooking critical issues.

Step 4: Approval – Monitoring and Reporting Mechanisms

  • Following remediation efforts, assess the vendor’s readiness for onboarding based on the organisation’s risk tolerance, the criticality of the vendor, and compliance requirements.
  • Make an informed decision on whether to proceed with the vendor relationship or explore alternative options based on the effectiveness of remediation efforts and alignment with risk management objectives.

Step 5: Periodic Risk Assessments and Continuous Monitoring

  • Implement continuous monitoring mechanisms to track the security posture of onboarded vendors throughout the vendor lifecycle.
  • Regularly assess vendor performance, compliance with security requirements, and adherence to contractual obligations.
  • Utilise automated monitoring tools and processes to proactively identify and address emerging risks, ensuring ongoing security and compliance with organisational standards.

By following these steps, organisations can establish a structured and proactive approach to third-party risk management, effectively mitigating risks and enhancing the security of their external partnerships. A well-implemented TPRM program not only safeguards the organisation against potential threats but also fosters trust and resilience in its vendor relationships.


Once the decision to implement a TPRM program is made, the following questions lay the foundation for the program:

  • Should you engage a partner to assist with initiating and implementing the program?
  • How can you effectively address and manage the expectations of internal stakeholders?
  • Is there a clear assignment of responsibilities in the event of a data breach?
  • What specific criteria must third parties meet to establish business relationships?
  • Are external stakeholders adequately informed and capable of meeting compliance requirements?
  • What potential financial implications might arise from imposing these requirements on vendors?
  • How can the program be seamlessly integrated into existing vendor relationships?

Third-Party Risk Management Program Drivers

Establishing a robust Third-Party Risk Management (TPRM) program is imperative for organisations to effectively mitigate risks associated with their external vendor relationships. Various regulatory and compliance requirements serve as drivers for implementing TPRM programs, ensuring adherence to standards and safeguarding sensitive data. Here’s an in-depth exploration of the key drivers and stakeholders involved in TPRM programs:

Regulatory and Compliance Requirements:

  • TPRM programs are often mandated by regulatory bodies and compliance standards across different industries and geographies.
  • Regulations such as CMMC, EBA, FCA, FFIEC, HIPAA, NERC, NIST, NYDFS, and OCC outline specific guidelines for managing third-party risks.
  • Compliance with these requirements is essential for protecting sensitive data, ensuring customer privacy, and avoiding legal penalties.

Cybersecurity Risk:

  • The escalating threat landscape and the increasing frequency of cyberattacks underscore the importance of managing third-party cybersecurity risks.
  • TPRM programs help organisations identify and mitigate vulnerabilities in their vendor ecosystem, reducing the risk of data breaches and cyber incidents.

Competitive Advantages:

  • Implementing an effective TPRM program can provide organisations with a competitive edge by enhancing their security posture and resilience.
  • Demonstrating robust risk management practices to customers, partners, and stakeholders can enhance trust and credibility, leading to increased business opportunities.

Internal Efficiency Drivers:

  • Internal factors, such as the need for operational efficiency and streamlined procurement processes, drive the adoption of TPRM programs.
  • Efficient vendor management practices enable organisations to optimise resource allocation, reduce costs, and improve overall operational performance.

Financial and Operational Risk Management:

  • TPRM programs play a crucial role in managing internal financial and operational risks associated with vendor relationships.
  • By identifying and addressing risks proactively, organisations can mitigate potential disruptions, financial losses, and reputational damage.

Customer Requirements:

  • Customer expectations and contractual obligations often require organisations to implement robust TPRM measures.
  • Meeting customer demands for data security, compliance, and risk management demonstrates commitment to quality and enhances customer satisfaction.

Stakeholders Involvement:

  • Establishing a successful TPRM program requires collaboration and alignment among various internal and external stakeholders.
  • Internal stakeholders, including executives, board members, legal, compliance, IT, and procurement teams, play a crucial role in defining program objectives and implementing effective workflows.
  • External stakeholders, such as vendors, regulators, and customers, contribute to the development and implementation of TPRM policies and procedures.

 

Key Highlights for an effective Third-Party Risk Management Program:

Organisations must recognise the multifaceted drivers and stakeholders involved in TPRM programs to establish comprehensive risk management frameworks.

By addressing regulatory requirements, cybersecurity risks, competitive advantages, internal efficiency drivers, financial and operational risk management, and customer requirements, organisations can build resilient and trusted vendor relationships.

Collaboration and engagement with internal and external stakeholders are essential for the successful implementation and ongoing management of TPRM programs, ensuring alignment with organisational objectives and regulatory standards.

Key Focus Areas in Third-Party Risk Management (TPRM)

To effectively mitigate risk exposures within TPRM environments, it is essential to establish organisational standards and protocols across the following domains:

  1. Third-Party Risk Management Focus Areas:
    • Define requirements within contracts and service level agreements to address risk-related obligations comprehensively.
  2. Vendor Risk Analysis:
    • Evaluate the vendor risk profile in alignment with the risk profile of the engagement or service provided to gain a holistic understanding of potential risks.
  3. Reporting Mechanism:
    • Implement a dynamic reporting process driven by ongoing monitoring and risk assessment activities, allowing for prompt response to emerging events.
  4. Risk Assessment Approaches:
    • Employ a balanced approach by combining periodic risk assessments (self-reported) with continuous risk monitoring (externally reported) methodologies to ensure comprehensive risk identification.
  5. Technology Integration:
    • Utilise technology solutions to seamlessly integrate procurement, performance, and risk management functions onto a unified platform. This platform should provide stakeholders with real-time, updated information tailored to their specific requirements.

Third-Party Risk Management (TPRM) best practices

TPRM best practices depend on the type of business you are in, the macro and micro environment, and the third and fourth parties associated with your supply chain.

Here are a few best practices that are critical to consider while implementing a TPRM framework:

Comprehensive Risk Assessment:

Start by conducting a thorough assessment of third-party risks. This involves identifying all potential risks associated with your third-party relationships, such as financial instability, data security vulnerabilities, regulatory compliance issues, and more. Prioritise these risks based on their potential impact on your organisation and the likelihood of occurrence. This initial assessment lays the foundation for developing targeted risk mitigation strategies.

Segmenting vendors into tiers based on their risk and criticality is a fundamental aspect of an effective Third-Party Risk Management (TPRM) program. By categorising vendors into tiers, organisations can allocate resources and attention based on the level of risk posed by each vendor. Typically, companies classify vendors into three tiers:

  1. Tier 1: High Risk, High Criticality:
    • Tier 1 vendors are those that present the highest level of risk and are critical to the organisation’s operations. These vendors may have access to sensitive data, provide essential services, or have a significant impact on business continuity.
    • Due to the heightened risk associated with Tier 1 vendors, organisations prioritise them for thorough due diligence and assessment. This may involve conducting on-site assessments, rigorous evidence collection, and in-depth analysis of the vendor’s security practices.
  2. Tier 2: Medium Risk, Medium Criticality:
    • Tier 2 vendors pose a moderate level of risk and have a moderate impact on the organisation’s operations. While not as critical as Tier 1 vendors, they still require careful evaluation and monitoring.
    • Organisations allocate resources to assess and mitigate the risks associated with Tier 2 vendors, balancing the level of scrutiny with the potential impact on business operations.
  3. Tier 3: Low Risk, Low Criticality:
    • Tier 3 vendors present minimal risk and have a low impact on the organisation’s operations. These vendors typically provide non-critical services or have limited access to sensitive data.
    • While Tier 3 vendors may require less intensive oversight compared to Tier 1 and Tier 2 vendors, they still undergo basic due diligence to ensure compliance with relevant policies and regulations.

When determining vendor tiers, organisations consider various factors to assess inherent risk. These factors may include:

  • The nature of data shared with the vendor, including proprietary, personal, or sensitive information.
  • The geographical scope of the vendor’s services and any cross-border data transfers.
  • The vendor’s role in critical business functions and the potential impact of service disruptions.
  • The potential consequences of unauthorised disclosure, modification, or destruction of information.
  • Contractual value and the financial impact of vendor performance or failures.

By adopting a tiered approach to vendor management, organisations can streamline their TPRM processes, focusing resources where they are most needed to mitigate risks effectively and protect business continuity.

Third-Party Due Diligence and Vendor Selection:

Implement robust due diligence processes when selecting and onboarding third-party vendors. This includes evaluating their financial stability, reputation, cybersecurity measures, compliance with regulatory requirements, and adherence to industry standards. Assessing these factors helps ensure that you engage with trustworthy and reliable partners who align with your organisation’s values and objectives. Regularly review and update your vendor selection criteria to adapt to evolving risks and industry standards.

When devising a third-party risk management (TPRM) program, it’s essential to broaden your perspective beyond cybersecurity risks alone. While cybersecurity is undoubtedly a critical aspect, TPRM encompasses a wide range of risks that can significantly impact an organisation’s operations, reputation, and bottom line. By acknowledging and addressing these diverse risk factors, organisations can enhance the resilience and effectiveness of their TPRM initiatives.

Here’s a more detailed exploration of the various types of risks that should be considered within a comprehensive TPRM framework:

  • Reputational Risks: Reputational risks arise from negative perceptions or public relations incidents involving third parties. These incidents can damage an organisation’s brand reputation and erode customer trust.
  • Geographical Risks: Geographical risks pertain to the geographic locations in which third parties operate. Factors such as political instability, natural disasters, and regulatory differences across regions can impact the reliability and continuity of third-party services.
  • Geopolitical Risks: Geopolitical risks encompass the potential impact of geopolitical events, conflicts, or diplomatic tensions on third-party operations. Changes in international relations or trade policies can affect supply chains and business relationships.
  • Strategic Risks: Strategic risks involve threats to an organisation’s long-term objectives and competitive position resulting from third-party actions or decisions. These risks may include shifts in market dynamics, technological advancements, or competitive pressures.
  • Financial Risks: Financial risks relate to the financial stability and viability of third-party entities. These risks may include bankruptcy, insolvency, or financial mismanagement, which can disrupt supply chains and contractual obligations.
  • Operational Risks: Operational risks stem from failures or inefficiencies in third-party operations that impact service delivery or performance. This could include operational disruptions, service outages, or quality control issues.
  • Privacy Risk: Privacy risks involve the unauthorised access, use, or disclosure of sensitive data entrusted to third parties. Non-compliance with data protection regulations or inadequate data security measures can result in privacy breaches and legal consequences.
  • Compliance Risks: Compliance risks arise from third parties’ failure to adhere to relevant laws, regulations, or industry standards. Regulatory violations or non-compliance with contractual obligations can lead to legal penalties and reputational damage.
  • Ethical Risks: Ethical risks relate to ethical misconduct or unethical business practices by third parties. This may include corruption, fraud, labour violations, or environmental irresponsibility, which can tarnish an organisation’s ethical standing.
  • Business Continuity Risks: Business continuity risks involve disruptions to third-party operations that impede the continuity of an organisation’s business activities. These risks encompass factors such as supply chain interruptions, vendor dependency, and disaster recovery capabilities.
  • Performance Risks: Performance risks refer to third parties’ inability to meet agreed-upon service levels, performance metrics, or quality standards. Poor performance can lead to customer dissatisfaction, contract disputes, and financial losses.
  • Fourth-Party Risks: Fourth-party risks arise from the actions or vulnerabilities of subcontractors or downstream vendors associated with primary third-party relationships. These risks can complicate oversight and increase the complexity of risk management.
  • Credit Risks: Credit risks involve the potential financial losses resulting from third parties’ defaulting on payment obligations or failing to meet financial commitments outlined in contracts or agreements.
  • Environmental Risks: Environmental risks encompass the environmental impact of third-party activities, including pollution, resource depletion, or non-compliance with environmental regulations. Failure to address environmental risks can lead to regulatory fines, litigation, and reputational harm.

By acknowledging and addressing these diverse risk categories, organisations can develop a robust and resilient TPRM program that safeguards against a wide range of threats and vulnerabilities. It’s essential to adopt a holistic approach to risk management that integrates cybersecurity measures with broader risk mitigation strategies, thereby ensuring comprehensive protection for the organisation and its stakeholders.

Continuous Monitoring and Oversight:

Establish mechanisms for ongoing monitoring and oversight of third-party relationships throughout their lifecycle. This involves implementing regular assessments, audits, and performance reviews to evaluate vendor compliance with contractual obligations, service level agreements, and security protocols. Utilise technology solutions such as vendor risk management platforms to automate monitoring processes and streamline data collection and analysis. Additionally, foster clear communication channels with third-party vendors to address emerging issues promptly and collaboratively.

By adhering to these critical TPRM best practices, organisations can proactively identify, assess, and mitigate third-party risks, thereby safeguarding their operations, reputation, and bottom line.

Key Highlights of the TPRM best practices:

  1. Conduct thorough due diligence and continuous monitoring to ensure third-party accountability and risk mitigation.
  2. Enforce stringent access controls for third-party entities to safeguard sensitive data and resources.
  3. Utilise comprehensive risk intelligence to proactively identify and address potential threats posed by third-party relationships.
  4. Categorise relationships based on risk levels to allocate resources effectively and prioritise risk mitigation efforts.
  5. Foster collaboration with both internal and external auditors to enhance oversight and compliance with regulatory standards.
  6. Harness automation tools to streamline processes, increase efficiency, and strengthen the effectiveness of third-party risk management initiatives.

 

Role of Data and Technology in Third-Party Risk Management 

In today’s globalised business landscape, where external vendors are integral to operations across industries, the role of technology and data in Third-Party Risk Management (TPRM) is crucial. These TPRM tools and resources play a pivotal role in enabling organizations to navigate the complex and dynamic ecosystem of interconnected risks with greater precision, efficiency, and agility.

Leveraging advanced TPRM technological solutions and harnessing the power of data analytics are instrumental in enhancing the effectiveness and responsiveness of TPRM processes.

Some of the key ways in which technology and data contribute to TPRM include:

  • Data Aggregation and Integration: Technological solutions facilitate the aggregation and integration of data from diverse sources, including internal systems, external databases, and third-party platforms. This consolidated data repository provides organizations with a comprehensive view of their third-party relationships, enabling them to identify, assess, and monitor risks more effectively.
  • Risk Assessment and Scoring: Analytics-driven tools utilize data-driven algorithms to assess and score the risk associated with each third-party relationship. By analyzing factors such as financial stability, compliance history, and cybersecurity posture, organizations can quantify risk levels and prioritize mitigation efforts accordingly.
  • Continuous Monitoring and Surveillance: Technology enables real-time monitoring and surveillance of third-party activities and performance metrics. Automated monitoring tools can rapidly detect anomalies, deviations from established benchmarks, or emerging risks, allowing for prompt intervention and mitigation before they escalate into crises.
  • Predictive Analytics and Modelling: Through the application of predictive analytics and modelling techniques, organizations can anticipate potential risks and vulnerabilities in third-party relationships. By analyzing historical data and extrapolating future trends, businesses can proactively identify and mitigate emerging threats, enhancing their resilience and agility in the face of uncertainty.
  • Vendor Risk Assessment Platforms: Dedicated vendor risk assessment platforms provide tailored frameworks and templates for evaluating and managing third-party risks. These platforms streamline the assessment process, standardize risk evaluation criteria, and facilitate collaboration between internal stakeholders and third-party vendors.
  • Blockchain Technology for Supply Chain Transparency: Blockchain technology’s immutable and transparent record-keeping capabilities can be leveraged to enhance supply chain transparency and traceability, mitigating risks such as counterfeit products, supply chain disruptions, and ethical lapses in supplier practices.
  • AI-Powered Due Diligence: Artificial intelligence (AI) algorithms can analyze vast amounts of unstructured data, including news articles, social media posts, and regulatory filings, to assess the reputational and operational risks associated with third-party vendors. AI-powered due diligence tools augment traditional risk assessment methods, providing deeper insights and enhancing risk intelligence.
  • Incident Response and Crisis Management: Technology-enabled incident response platforms facilitate swift and coordinated responses to third-party incidents, such as data breaches or service outages. These platforms streamline communication, coordination, and remediation efforts, minimizing the impact on operations and preserving organizational resilience.

By embracing technological innovations and harnessing the power of data-driven insights, organizations can enhance their TPRM capabilities, proactively identify and mitigate third-party risks, and safeguard their reputations, financial stability, and long-term sustainability in an increasingly interconnected and dynamic business environment.

 

How can Neotas Third-Party Risk Management and Third-Party Due Diligence solutions help?

Neotas offers an innovative solution to businesses grappling with Third-Party Risk Management (TPRM) challenges. In an era of increasing outsourcing, TPRM has become pivotal, and Neotas recognises this need. Through our enhanced due diligence platform, businesses can efficiently track and evaluate vendors and contractors, ensuring adherence to security protocols in a cost-effective manner.

The Neotas platform automates the vendor onboarding process, streamlining the addition of new vendors with remarkable ease and speed.

Moreover, Neotas provides a customisable dashboard, enabling businesses to proactively identify and address emerging risks. By consolidating vital vendor information, Neotas facilitates the seamless integration of risk management into existing Customer Relationship Management (CRM) and Supply Chain Management (SCM) systems, ultimately helping businesses maximise profits while minimising risk exposure.

FAQs on Third-Party Risk Management (TPRM)

What is Third-Party Risk Assessment?

  • Third-Party Risk Assessment refers to the specific process of evaluating and quantifying the potential risks associated with engaging third-party vendors, suppliers, or partners.
  • It involves identifying and understanding various types of risks that third parties may pose to the organisation, such as financial instability, data breaches, regulatory non-compliance, operational disruptions, reputational damage, and other potential liabilities.
  • The focus of a Third-Party Risk Assessment is on conducting thorough due diligence, risk evaluation, and analysis of individual third-party relationships to identify potential risks and vulnerabilities.

What is a Third-Party Risk Management Framework?

A Third-Party Risk Management Framework is a structured approach used by organisations to identify, assess, mitigate, and monitor risks associated with their third-party relationships. It provides guidelines, processes, and controls to effectively manage risks across the vendor lifecycle, ensuring alignment with business objectives and regulatory requirements.

What is Vendor Risk Management?

Vendor Risk Management covers a wide range of activities beyond risk management, such as vendor selection criteria, contract negotiations, service level agreements (SLAs), vendor performance evaluations, vendor audits, and vendor relationship management.

While risk management is an essential component of Vendor Management, it may not be as comprehensive or focused on third-party risks specifically as in the TPRM framework.

What is third-party risk compliance?

Third-party risk compliance refers to ensuring that third-party relationships adhere to relevant laws, regulations, and industry standards to mitigate potential risks associated with non-compliance.

What is meant by third-party management?

Third-party management involves overseeing and managing relationships with external vendors, suppliers, contractors, and partners to ensure alignment with organisational goals and mitigate associated risks.

What is an example of a third-party risk management framework?

An example of a third-party risk management framework is the Shared Assessments Standardised Information Gathering (SIG) questionnaire, which provides a structured approach for assessing and managing third-party risks.

What is the meaning of third-party risk management?

Third-party risk management involves identifying, assessing, mitigating, and monitoring risks associated with engaging external parties to safeguard an organisation from potential harm or disruption.

What are the 5 phases of third-party risk management?

The five phases of third-party risk management typically include: assessment and categorisation, due diligence and selection, contract negotiation and onboarding, ongoing monitoring and oversight, and termination or renewal.

What is an example of a third-party risk?

An example of a third-party risk is a data breach caused by vulnerabilities in a vendor’s cybersecurity practices, leading to the exposure of sensitive information belonging to the organisation and its customers.

What are the roles in third-party risk management?

Roles in third-party risk management may include a third-party risk manager, vendor relationship manager, compliance officer, legal advisor, and cybersecurity analyst, among others.

Who is responsible for third-party risk?

Various stakeholders share responsibility for third-party risk, including senior management, risk management teams, procurement departments, legal and compliance teams, and business unit owners.

Why is third-party risk important?

Third-party risk is important because it helps organisations identify and mitigate potential threats posed by external parties, safeguarding reputation, financial stability, and regulatory compliance.

What is the third-party lifecycle?

The third-party lifecycle refers to the stages of engagement with external vendors or partners, including identification, due diligence, contract negotiation, ongoing monitoring, and termination or renewal of the relationship.

How do you identify third-party risk?

Third-party risk can be identified through thorough due diligence, risk assessments, evaluating compliance with regulations and industry standards, and monitoring changes in the external environment.

What is ESG risk?

ESG (Environmental, Social, and Governance) risk refers to the potential negative impact that environmental, social, or governance factors associated with third-party relationships may have on an organisation’s sustainability or reputation.

What is a high-risk third-party?

A high-risk third-party is one that poses a significant threat to an organisation’s operations, finances, or reputation due to factors such as financial instability, inadequate cybersecurity measures, regulatory non-compliance, or poor performance.

What is a third-party risk in AML?

In Anti-Money Laundering (AML) compliance, third-party risk refers to the potential for external entities, such as vendors or partners, to facilitate money laundering or terrorist financing activities, posing regulatory and reputational risks to the organisation.

What is a third-party risk analyst?

A third-party risk analyst is responsible for assessing, analysing, and monitoring risks associated with engaging external vendors, suppliers, or partners, and providing recommendations for risk mitigation strategies to protect the organisation.

Risk-based approach (RBA) – effective procedures to determine and manage AML & KYC risk in 2024

Implementing a Risk-Based Approach in AML and KYC: Strategies for Effective Risk Management. 

This article presents an in-depth exploration of the Risk-Based Approach (RBA) as a critical tool for compliance teams in the fight against money laundering and terrorist financing. It explains how RBA necessitates a thorough understanding of the risks inherent within an organisation and the development of tailored controls to address these risks. The focus is on prioritising efforts based on the severity and likelihood of risks, thereby optimising resource allocation and enhancing the effectiveness of compliance measures. The article offers a detailed guide on how to implement RBA, including risk assessment methodologies, policy formulation, and staff training, ultimately providing a roadmap for compliance teams to strategically focus their efforts where they are most needed and impactful.

The Risk-Based Approach (RBA) is a strategic framework focused on proactively identifying and managing the potential risks of money laundering and terrorist financing that a business may encounter.

It involves a systematic assessment of these risks, aligning them with robust and effective control measures. Rather than merely reacting to incidents of money laundering through post-event analysis, RBA emphasises preemptive risk management, guiding financial institutions to actively anticipate and mitigate risks.

Risk-Based Approach (RBA) requires an organisation to thoroughly understand its exposure to money laundering and terrorist financing risks, and to develop tailored control mechanisms. These controls are designed and prioritised based on the severity and likelihood of the risks identified. Commonly employed by compliance teams, this approach directs resources and efforts proportionally to the level of risk, ensuring that higher risks receive more attention and resources.

Risk-Based Approach (RBA) dictates that countries, regulatory authorities, and financial entities must not only identify and assess the risks of money laundering and terrorist financing they face but also understand these risks comprehensively. Following this understanding, they are required to implement appropriate and proportionate mitigation measures. These measures should correspond directly to the intensity of the identified risks, ensuring a balanced and effective approach to managing potential threats in the financial sector.

Risk-Based Approach (RBA) to Anti-Money Laundering

The Risk-Based Approach (RBA) in the context of Anti-Money Laundering (AML) is a methodological framework that prioritises and allocates resources to areas deemed higher risk. This approach is dynamic and adaptable, allowing for a more focused and efficient use of resources in combating money laundering and terrorist financing. It contrasts with a ‘one-size-fits-all’ strategy, instead advocating for measures that are proportionate to the nature, size, and risk exposure of the entity.

In the RBA, financial institutions and obliged entities assess the likelihood and potential impact of money laundering risks specific to their operations. Based on this assessment, they design and implement controls and mitigation strategies that are commensurate with the identified risks. This process involves a continuous cycle of risk identification, assessment, mitigation, and monitoring.

Importance and Benefits of RBA in Risk Management

  • Enhanced Effectiveness: By focusing on higher-risk areas, RBA ensures that efforts and resources are directed where they are most needed, enhancing the effectiveness of AML programs.
  • Cost-Efficiency: RBA avoids the wasteful allocation of resources to low-risk areas, allowing for more efficient use of funds and personnel.
  • Regulatory Compliance: Many regulatory bodies globally have adopted the RBA, making it not just a best practice but a compliance requirement. It aligns with international standards set by bodies like the Financial Action Task Force (FATF).
  • Flexibility and Adaptability: RBA allows organisations to quickly adapt to emerging threats or changes in the risk landscape, unlike more rigid, traditional models.
  • Informed Decision-Making: RBA fosters a deeper understanding of the specific risks faced by an entity, leading to more informed and effective decision-making in AML strategies.

 

Transition from Traditional to Risk-Based Models

The shift from traditional, prescriptive AML models to a Risk-Based Approach represents a significant paradigm change in financial crime risk management. Traditional models often revolved around strict adherence to predefined rules and thresholds, regardless of the specific risk context of an entity. This often led to a ‘tick-box’ culture, where compliance was more about meeting set criteria than effectively managing risks.

The transition to RBA requires a cultural and operational shift:

  1. Risk Assessment: Entities must conduct comprehensive risk assessments to understand their unique risk exposures.
  2. Policies and Procedures: Development of policies and procedures that are tailored to the risk profile, rather than generic.
  3. Training and Awareness: Staff need training not just in compliance procedures but in understanding and identifying risks.
  4. Technology and Data Analysis: Leveraging technology for better risk analysis and management.
  5. Continuous Monitoring and Review: A shift towards ongoing monitoring of risk profiles and effectiveness of controls, rather than periodic compliance checks.

This transition, while challenging, positions organisations to more effectively combat money laundering and terrorist financing, and to respond with agility to the evolving risk landscape.

 

The Risk-Based Approach (RBA) Framework

Fundamental Concepts and Categories of Risk

The RBA framework in anti-money laundering (AML) and counter-terrorist financing (CTF) is centred around the identification, assessment, mitigation, and ongoing monitoring of risks. This framework requires a nuanced understanding of various categories of risk, which can broadly be classified as:

  1. Customer Risks: These risks arise from the diverse nature of customers. Factors such as the customer’s background, occupation, business activities, and the transparency of their source of funds or wealth contribute to the risk profile. High-risk customers might include politically exposed persons (PEPs), those from countries with inadequate AML controls, or individuals involved in industries prone to money laundering.
  2. Product and Service Risks: Different financial products and services carry varying levels of risk. Products that offer higher anonymity, cross-border transactions, complex structures, or those that inherently have higher cash flows are considered riskier. Examples include private banking, correspondent banking, and certain types of electronic payment services.
  3. Geographical Risks: These are associated with the countries or regions in which the entity operates, as well as those with which its customers have connections. Countries with high levels of corruption, weak AML regulations, known tax havens, or those under international sanctions are typically deemed higher risk.
  4. Transactional Risks: These relate to the nature and patterns of transactions conducted by customers. Unusual transaction patterns, transactions that do not align with a customer’s profile, high-volume or high-value transactions, and transactions involving high-risk countries are potential risk indicators.

The RBA Process: Identification, Assessment, Mitigation, Monitoring

A Risk-Based Approach (RBA) is central to effective Anti-Money Laundering (AML) compliance, ensuring that resources are allocated where they are most needed. Unlike rigid, rule-based frameworks, an RBA prioritises threats dynamically, enabling financial institutions to detect, assess, and mitigate risks efficiently.

This structured process allows organisations to:

✔ Identify high-risk customers, transactions, and business relationships.
✔ Assess risks based on severity, impact, and likelihood.
✔ Implement proportionate controls tailored to the level of risk exposure.
✔ Continuously monitor and adapt to emerging financial crime threats.

By adopting an RBA, institutions strengthen their compliance posture, enhance fraud detection, and build resilience against regulatory scrutiny.

 

1. Risk Identification: Establishing the Threat Landscape

The first step in the RBA process is to identify potential risks associated with customers, transactions, products, services, and jurisdictions. This involves:

✔ Customer Risk Profiling – Categorising customers based on factors such as business activity, transaction behaviour, political exposure (PEPs), and geographic presence.
✔ Product & Service Risks – Assessing the inherent risk of financial products, such as anonymous transactions, high-value transfers, and cross-border payments.
✔ Geographic Risks – Evaluating exposure to high-risk jurisdictions with weak AML enforcement or a history of financial crime.
✔ Delivery Channel Risks – Reviewing risks associated with digital banking, correspondent banking, and third-party service providers.

Why It Matters: Identifying risks at an early stage allows institutions to preemptively apply controls where they are most needed.

2. Risk Assessment: Quantifying & Prioritising Risks

Once risks are identified, they must be evaluated based on likelihood and impact to ensure effective prioritisation. Key steps include:

✔ Risk Scoring & Categorisation – Assigning risk ratings (Low, Medium, High) based on quantitative models and qualitative assessments.
✔ Transaction Pattern Analysis – Identifying anomalies in frequency, volume, and destination of transactions to detect potential illicit activity.
✔ Regulatory Impact Assessment – Aligning internal risk evaluations with jurisdictional AML regulations and international compliance standards (FATF, EU, FinCEN, etc.).

Why It Matters: A well-structured risk assessment model ensures that AML resources are allocated proportionately, preventing unnecessary scrutiny on low-risk entities while enhancing oversight of high-risk areas.

 

3. Risk Mitigation: Implementing Proportionate Controls

Once risks are assessed, financial institutions must implement tailored controls to reduce exposure while maintaining operational efficiency.

✔ Enhanced Due Diligence (EDD) – Applied to high-risk customers and transactions, involving source of funds verification, transaction monitoring, and ongoing scrutiny.
✔ Simplified Due Diligence (SDD) – Used for low-risk clients, reducing unnecessary compliance burdens while maintaining basic AML checks.
✔ Transaction Monitoring & Alerting – Deploying AI-driven monitoring systems to detect suspicious activity in real time.
✔ Automated Sanctions & PEP Screening – Ensuring customers and business relationships comply with sanctions lists, watchlists, and adverse media checks.

Why It Matters: Effective risk mitigation strategies ensure that AML frameworks remain agile, cost-efficient, and fully compliant with regulatory expectations.

 

4. Continuous Monitoring & Adaptive Response

AML risks evolve over time, requiring continuous oversight and system adjustments. Institutions must establish ongoing risk management practices such as:

✔ Dynamic Risk Reassessment – Regularly updating customer risk profiles and business-wide risk assessments based on new data.
✔ Regulatory Compliance Audits – Conducting periodic AML audits to ensure policies align with the latest industry regulations.
✔ Machine Learning & AI Integration – Using predictive analytics to identify emerging money laundering trends before they escalate.
✔ Suspicious Activity Reporting (SARs) – Ensuring timely escalation of high-risk transactions to regulatory authorities.

Why It Matters: By continuously adapting to emerging financial crime trends, institutions can stay ahead of regulatory requirements while safeguarding their operations.

 

The Competitive Advantage of a Robust RBA

A well-implemented Risk-Based Approach delivers tangible benefits, including:

✔ Increased AML efficiency by focusing efforts where risk exposure is highest.
✔ Regulatory compliance alignment with FATF, EU AML directives, FinCEN, and other governing bodies.
✔ Enhanced fraud detection & prevention through data-driven risk monitoring.
✔ Stronger institutional resilience against financial crime threats.

By adopting a structured RBA process, financial institutions not only strengthen their compliance posture but also enhance operational agility, improve risk governance, and foster trust with regulators, clients, and stakeholders.

 

Practical Implementation: Essential Tools & Technologies

1. Technology in RBA: AI, Machine Learning, and Automation

✔ AI-Driven Risk Detection – Automates AML risk assessments with advanced pattern recognition.
✔ Machine Learning Models – Predictive analytics for fraud prevention and customer risk profiling.
✔ Automated Compliance Workflows – Reducing manual effort and enhancing regulatory reporting accuracy.

2. Risk Assessment & Compliance Tools

✔ AML Risk Matrix – Classifies risks based on likelihood and impact.
✔ Watchlist Screening & Adverse Media Checks – Identifies sanctioned entities, PEPs, and financial crime suspects.
✔ Integration with Third-Party Databases – Accessing up-to-date information on global compliance watchlists.

Institutions that leverage technology-driven risk assessment tools streamline compliance, reduce false positives, and enhance risk detection capabilities.

 

Essential Elements for an Effective Risk-Based Approach in Anti-Money Laundering

A robust risk-based approach (RBA) to anti-money laundering (AML) is fundamental in mitigating financial crime risks while ensuring compliance with regulatory requirements. To be effective, an RBA must incorporate several key elements, each contributing to a resilient AML framework that adapts to evolving threats.

 

1. Know Your Customer (KYC): Establishing Identity & Legitimacy

A strong KYC framework is the foundation of an effective AML strategy, ensuring that financial institutions can verify and authenticate customer identities while assessing potential risks.

Mandatory Identity Verification

Regulated entities are required to conduct thorough identity verification processes, including:

  • Collecting personal information such as full name, residential address, and date of birth.
  • Obtaining additional financial details, including occupation and transaction history, for higher-risk clients.

Automated KYC Solutions

The evolution of AML compliance has led to the adoption of automated KYC systems that enhance efficiency, accuracy, and scalability. These systems:

  • Enable rapid and seamless customer onboarding through AI-driven verification methods.
  • Use advanced techniques such as document authentication, biometric verification, video-based identification, phone validation, and address confirmation.
  • Ensure continuous compliance monitoring by adapting to evolving regulatory requirements.

By integrating technology-driven solutions, institutions can enhance operational efficiency while maintaining comprehensive risk oversight.

2. Customer Due Diligence (CDD): Assessing Risk at Every Stage

Beyond identity verification, institutions must continuously evaluate the risk profile of each customer to ensure ongoing compliance and proactive risk management.

Risk Differentiation Among Customers

Recognising that not all customers present the same level of AML risk is essential. Risk assessment should consider:

  • Customer type (e.g., individuals, corporations, financial institutions).
  • Transaction patterns and deviation from expected behaviours.
  • Business nature and geographical exposure to high-risk jurisdictions.

Adaptation of Due Diligence Levels

The degree of due diligence should be proportionate to the risk level identified:

  • Simplified Due Diligence (SDD): Applied to low-risk customers with limited AML exposure.
  • Standard Due Diligence (CDD): Routine verification and ongoing monitoring for general risk customers.
  • Enhanced Due Diligence (EDD): Reserved for high-risk customers, involving deeper scrutiny, source of funds verification, and heightened monitoring.

A risk-based CDD strategy allows institutions to allocate resources effectively, focusing on areas of greatest financial crime vulnerability.

3. Watchlist Screening: Strengthening Compliance & Security

A comprehensive screening framework is essential in identifying and mitigating risks associated with sanctioned entities, politically exposed persons (PEPs), and adverse media exposure.

Key Screening Components

1. Watchlist Screening

Organisations must screen customers and business partners against global regulatory lists, ensuring compliance with:

  • Sanctions Lists: Maintained by bodies such as OFAC (US), the EU, the UN, and HM Treasury (UK).
  • Financial Crime Databases: Including lists from Interpol, FATF, and national law enforcement agencies.

Watchlist screening ensures that institutions do not engage with high-risk or sanctioned individuals and entities, reducing the potential for financial and reputational damage.

2. Adverse Media Screening

Negative news and public records can provide early warning signs of potential risk exposure. Adverse media screening involves:

  • Identifying media reports that link individuals or businesses to financial misconduct, fraud, or corruption.
  • Flagging potential reputational risks before engagement with customers or business partners.

By leveraging AI-driven adverse media checks, institutions can automate the identification of high-risk entities in real time.

3. PEPs and Sanctions Screening

Politically Exposed Persons (PEPs) are individuals with significant political influence, posing a higher risk of money laundering and corruption. Institutions must:

  • Implement enhanced due diligence when engaging with PEPs and their associates.
  • Continuously monitor political exposure and potential financial misconduct risks.

Sanctions screening and PEP assessments ensure that financial institutions do not inadvertently facilitate financial crime or violate international regulatory obligations.

A Holistic & Adaptive AML Strategy

An effective risk-based approach to AML requires a dynamic and proactive framework that integrates:

✔ Technology-driven KYC for efficient identity verification and customer onboarding.
✔ Risk-based CDD to continuously assess and adapt due diligence measures.
✔ Comprehensive screening mechanisms to identify high-risk individuals, entities, and transactions.

By embedding these essential elements within their AML frameworks, financial institutions can:
🔹 Strengthen regulatory compliance.
🔹 Protect against financial and reputational damage.
🔹 Stay ahead of evolving money laundering threats.

Institutions that prioritise a robust risk-based approach will not only mitigate exposure but also enhance operational resilience in an increasingly complex financial landscape.

 

Implementing a Risk-Based Approach in AML

Incorporating these elements into an AML program is not just beneficial; it’s imperative for robust compliance. While constructing such a program from the ground up can be daunting, its importance in maintaining regulatory compliance and preventing financial crimes cannot be overstated. This comprehensive approach ensures that an organisation is not only adhering to legal requirements but also actively contributing to the broader effort against money laundering and associated risks.

The Risk-Based Approach (RBA) to Anti-Money Laundering (AML) represents a fundamental shift from rigid, prescriptive compliance models to a dynamic, intelligence-driven framework that prioritises risks based on their severity and impact. By aligning AML measures with actual risk exposure, organisations can optimise resources, enhance compliance, and improve operational resilience.

 

1. Enhanced Effectiveness: A Strategic Focus on High-Risk Areas

A risk-based AML framework ensures that compliance efforts are precisely targeted at areas of greatest vulnerability, rather than applied indiscriminately across all activities.

Targeted Risk Management

    • RBA enables financial institutions to identify, assess, and prioritise high-risk areas.
    • This ensures AML measures are proportionate to the threat level, strengthening defence mechanisms against financial crime.

Improved Risk Awareness

    • A well-structured RBA fosters a culture of vigilance, ensuring employees and compliance teams are acutely aware of AML risks.
    • By integrating real-time risk monitoring, organisations can proactively detect and prevent illicit financial activities.

Dynamic Adaptation to Emerging Threats

    • Financial crime tactics evolve rapidly; a rigid AML framework struggles to keep pace.
    • RBA offers adaptability, allowing institutions to respond swiftly to new threats, typologies, and regulatory changes.

A strategic, risk-aligned AML framework enhances the overall effectiveness of financial crime prevention efforts.

2. Improved Efficiency: Maximising Impact with Optimal Resource Allocation

An RBA eliminates inefficiencies inherent in one-size-fits-all AML models, ensuring that compliance efforts are efficient, cost-effective, and scalable.

Resource Optimisation

    • Institutions can direct resources towards high-risk areas, avoiding unnecessary expenditure on low-risk activities.
    • This risk-prioritised allocation improves both operational performance and regulatory compliance.

Streamlined Processes

    • Traditional AML models often impose blanket controls, leading to excessive bureaucracy and inefficiencies.
    • RBA fosters simplified, tailored controls, reducing administrative burdens while maintaining compliance integrity.

Data-Driven Decision Making

    • By integrating risk assessment tools, predictive analytics, and AI-driven monitoring, institutions can make informed, evidence-based decisions.
    • This enhances AML effectiveness while ensuring a proactive rather than reactive approach to financial crime.

Through risk-based efficiencies, organisations achieve greater agility, optimising their AML frameworks while reducing compliance costs.

3. Regulatory Compliance: Meeting Global Standards with Confidence

An RBA is widely endorsed by international regulatory bodies, ensuring alignment with global AML expectations while minimising regulatory risk exposure.

Alignment with International Standards

    • Regulatory bodies, including the Financial Action Task Force (FATF), European Union (EU), and national regulators, mandate a risk-based AML approach.
    • Adopting RBA ensures seamless compliance with these evolving global regulatory expectations.

Reduced Legal and Reputational Risks

    • A well-implemented RBA minimises exposure to financial penalties, sanctions, and legal proceedings arising from AML failures.
    • Proactive risk management enhances institutional credibility, safeguarding against reputational damage.

Enhanced Stakeholder Trust

    • A structured risk-based AML strategy reassures regulators, investors, partners, and customers of an organisation’s commitment to financial integrity.
    • Demonstrating compliance leadership fosters greater trust, transparency, and long-term financial stability.

By integrating RBA best practices, financial institutions not only meet regulatory requirements but also strengthen their market position.

Why the Risk-Based Approach is the Future of AML

The Risk-Based Approach provides a more intelligent, scalable, and effective method for managing money laundering risks compared to traditional, prescriptive models.

✔ Improves AML effectiveness by targeting high-risk activities with precision.
✔ Optimises resource allocation, ensuring compliance costs are justified by risk exposure.
✔ Strengthens regulatory alignment, reducing the risk of non-compliance penalties.
✔ Enhances agility, allowing institutions to adapt quickly to emerging financial crime threats.

In an increasingly complex financial landscape, organisations that embrace a risk-based AML strategy will not only ensure compliance but will build more resilient, future-proof AML frameworks that uphold financial security, trust, and integrity.

 

Risk-Based Approach in Anti-Money Laundering (AML) & Know Your Customer (KYC)

The Risk-Based Approach (RBA) plays a pivotal role in Anti-Money Laundering (AML) and Know Your Customer (KYC) processes by tailoring the intensity and nature of due diligence to the risk profile of customers and transactions. This approach allows financial institutions and other obliged entities to concentrate their efforts and resources on higher-risk areas, thereby enhancing the effectiveness and efficiency of their AML and KYC measures.

Common AML Risk Factors:

  1. Individual Risks:
    • Customer Profile: Risks vary based on the customer’s occupation, public status (e.g., Politically Exposed Persons – PEPs), financial background, and behaviour.
    • Customer History: Past incidents of non-compliance or suspicious activities increase risk levels.
  2. Geographic Risks:
    • Country Risk: Countries with weak AML regulations or high levels of corruption and political instability are considered higher risk.
    • Cross-Border Transactions: International transactions, especially with high-risk countries, are often subject to increased scrutiny.
  3. Channel Risks:
    • Delivery Channels: Non-face-to-face interactions and digital channels can elevate risk due to anonymity concerns.
    • Third-Party Relationships: Dependence on external parties for customer introduction or transactions can introduce additional risks.
  4. Transaction Risks:
    • Nature and Complexity: Unusual, complex, or unusually large transactions can be indicative of money laundering.
    • Transaction Patterns: Frequent or irregular transactions that don’t align with the customer’s profile can be suspicious.

RBA’s Role in Managing AML and KYC Risks:

  • Customised Due Diligence: RBA allows for more intensive due diligence for higher-risk customers while streamlining processes for lower-risk customers.
  • Continuous Monitoring: Ongoing monitoring of transactions and customer activity, adjusted based on their risk profile.
  • Adaptive Measures: Adjusting AML and KYC measures in response to changes in a customer’s risk profile or emerging risks.

FATF Recommendations and Global Standards:

The Financial Action Task Force (FATF) recommends the use of RBA in AML and KYC. These recommendations guide countries and financial institutions in developing AML policies that are both effective and flexible. The key is to identify, assess, and understand the money laundering and terrorist financing risks and to mitigate them with appropriate measures.

Developing an AML Risk-Based Matrix:

An AML Risk-Based Matrix is a tool for categorising and managing risks. It involves:

  1. Risk Categorisation: Identifying different risk categories (individual, geographic, channel, transaction).
  2. Risk Assessment: Evaluating the likelihood and impact of risks in each category.
  3. Risk Scoring: Assigning scores to risks based on their assessed severity and likelihood.
  4. Control Measures: Determining appropriate controls for different risk levels.
  5. Monitoring and Review: Regularly reviewing and updating the risk matrix to reflect changes in risk profiles or the external environment.

The RBA ensures that AML and KYC measures are not only compliant with legal requirements but are also strategically aligned with the specific risk profile of each customer or transaction, thereby making the fight against financial crime more targeted and effective.

Regulatory Guidance and Best Practices for Risk-Based Approach (RBA) in AML/KYC

The adoption of a Risk-Based Approach (RBA) in Anti-Money Laundering (AML) and Know Your Customer (KYC) processes is strongly influenced by global and regional regulatory frameworks and best practices. The cornerstone of these regulatory guidelines is the Financial Action Task Force (FATF), which sets international standards.

FATF Recommendations for RBA:

  1. Risk Assessment and Management: FATF recommends that countries and financial institutions identify, assess, and understand their money laundering and terrorist financing risks and take action to mitigate these risks.
  2. Customer Due Diligence: Enhanced due diligence for higher-risk customers and simplified measures for lower-risk scenarios.
  3. Record Keeping: Maintaining comprehensive records of risk assessments and mitigative actions.
  4. Reporting Suspicious Transactions: Reporting any unusual or suspicious transactions identified under the RBA.
  5. Ongoing Monitoring: Continuously monitoring the risk level and adjusting AML/KYC measures accordingly.

Sector-Specific Guidance:

  1. Banking: Enhanced due diligence for private banking, correspondent banking, and customers from high-risk countries. Emphasis on transaction monitoring and verifying the source of funds.
  2. Securities: Focus on identifying risks related to market manipulation and insider trading. Monitoring complex trading patterns and large transactions.
  3. Other Financial Services: Inclusive of insurance, fintech, and cryptocurrencies. The focus here includes the understanding of new technologies and their potential for misuse, and monitoring transactions involving high-risk jurisdictions.

Global vs. Regional Regulatory Perspectives:

  • Global Perspective (FATF): Provides a broad framework for AML/KYC compliance applicable across different jurisdictions. It offers the flexibility for countries to implement these standards based on their specific risk environments.

  • Regional and National Regulatory Bodies:

    • Financial Conduct Authority (FCA) – UK: Focuses on ensuring that financial markets operate fairly and transparently, with a strong emphasis on consumer protection and market integrity.
    • General Data Protection Regulation (GDPR) – EU: Although primarily focused on data protection, it has implications for AML/KYC, particularly in terms of customer data handling and sharing.
    • Other Regional Bodies: Each region (like the European Union, ASEAN, etc.) may have specific regulatory bodies and frameworks which address local financial crime risks and compliance standards.

Best Practices for Implementing RBA:

  • Customisation to Business Model: Tailoring the RBA to fit the specific business model and risk exposure of the institution.
  • Staff Training: Regular training for staff to recognise and effectively manage AML risks.
  • Technology Utilisation: Leveraging technology for efficient risk assessment and monitoring.
  • Collaboration and Information Sharing: Working with regulatory bodies and participating in information sharing initiatives to stay updated on emerging risks.

The RBA in AML and KYC requires a nuanced application of FATF recommendations, tailored to sector-specific needs and aligned with both global and regional regulatory expectations. Emphasis is placed on a proactive and flexible approach to identifying and mitigating financial crime risks, ensuring regulatory compliance and safeguarding the integrity of the financial system.

Implementing Risk-Based Approach in Various Sectors

Implementing a Risk-Based Approach (RBA) in different sectors, particularly in banking, involves customising the methodology to address the unique risks and regulatory requirements of each sector.

Risk-Based Approach in Banking

Banking institutions face diverse and often complex money laundering and terrorist financing risks, making RBA implementation critical. In banking, RBA involves:

  1. Customer Risk Profiling: Assessing the money laundering risk of customers based on factors like occupation, source of funds, transaction patterns, and geography.
  2. Transaction Monitoring: Continuously monitoring customer transactions to identify patterns that may indicate money laundering or terrorist financing.
  3. Product Risk Assessment: Evaluating the risks associated with different banking products and services, particularly those that offer higher levels of anonymity or are prone to misuse.
  4. Geographic Risk Analysis: Considering the risks associated with operating in or transacting with high-risk countries or regions.
  5. Internal Controls and Policies: Developing robust internal controls and policies that reflect the identified risks, including procedures for customer due diligence, reporting, and record-keeping.

Overview of FATF Recommendations

The Financial Action Task Force (FATF) sets international standards for combating money laundering and terrorist financing, and its recommendations form the cornerstone of RBA implementation. Key FATF recommendations include:

  1. Risk Assessment: Countries and financial institutions should conduct a comprehensive risk assessment to understand their exposure to money laundering and terrorist financing risks.
  2. Mitigation Measures: Implement measures to mitigate identified risks proportionate to their severity.
  3. Supervisory and Regulatory Systems: Establish effective systems to monitor and ensure compliance with AML/CFT measures.
  4. Transparency and Cooperation: Enhance transparency and promote international cooperation to combat money laundering and terrorist financing.

Risk-Based Approach Implementation Guidance for Banks and Supervisors

  • For Banks:

    • Risk Assessment Process: Develop and maintain a risk assessment process that is regularly updated to reflect changing risk landscapes.
    • Customer Due Diligence (CDD): Implement enhanced due diligence for high-risk customers and simplified measures for lower-risk groups.
    • Employee Training: Ensure regular training for employees to understand and apply RBA in their roles effectively.
    • Reporting and Compliance: Establish a culture of compliance with clear reporting lines and procedures for suspicious activity reporting.
  • For Supervisors:

    • Regulatory Framework: Create a regulatory framework that supports and enforces the implementation of RBA in banks.
    • Guidance and Resources: Provide banks with guidance, resources, and training on effectively implementing RBA.
    • Oversight and Monitoring: Regularly monitor banks to ensure compliance and provide feedback on their RBA processes.
    • Sanction and Enforcement Mechanisms: Implement mechanisms to sanction non-compliance and encourage adherence to AML/CFT regulations.

Implementing RBA in banking requires a comprehensive and dynamic approach, integrating FATF recommendations, custom risk assessments, and continuous monitoring. Both banks and regulatory supervisors play crucial roles in ensuring the effectiveness of RBA, ultimately enhancing the integrity and security of the financial sector against money laundering and terrorist financing threats.

The Role of Risk Assessment Skills in Compliance

In compliance, particularly in Anti-Money Laundering (AML) and Know Your Customer (KYC) operations, risk assessment skills are paramount. These skills enable compliance professionals to navigate a complex landscape of regulatory requirements, financial threats, and evolving criminal tactics effectively.

Identifying Compliance Risks:

  • Comprehending Regulatory Requirements: Understanding the spectrum of applicable laws, regulations, and guidelines is fundamental. This includes not only domestic legislation but also international standards like those set by the FATF.
  • Industry-Specific Risks: Each industry, whether banking, insurance, or securities, has unique risk profiles. Proficiency in identifying these sector-specific risks is essential.
  • Emerging Threats: Staying abreast of emerging risks, such as new forms of financial fraud or changes in money laundering techniques, is critical.

Implementing Controls:

  • Tailored Risk Mitigation: Based on the identified risks, compliance officers need to design and implement controls that are proportionate and effective. This could involve enhanced due diligence processes, transaction monitoring systems, and customer risk assessments.
  • Adapting to Risk Dynamics: As risks evolve, controls must be reassessed and adapted. This requires ongoing monitoring and a dynamic approach to risk management.
  • Training and Awareness: Ensuring that all staff, not just those in compliance roles, are trained and aware of compliance risks and the controls in place to mitigate them.

Managing Policy Changes:

  • Regulatory Updates: Compliance professionals must adapt policies in response to changes in legislation and regulatory guidance. This includes updating procedures, systems, and training programmes.
  • Internal Policy Review: Regularly reviewing and updating internal policies to ensure they remain effective and aligned with both the external regulatory environment and internal business changes.
  • Stakeholder Engagement: Effectively communicating policy changes to all relevant stakeholders, including management, employees, and, where appropriate, customers.

Reporting and Accountability:

  • Compliance Reporting: Regular reporting on compliance matters to senior management, regulators, and other stakeholders. This includes reporting on the effectiveness of controls and any breaches or suspicious activities.
  • Audit and Review: Facilitating or conducting audits and reviews to assess the effectiveness of compliance policies and controls.
  • Responsibility and Culture: Fostering a culture of compliance and ethics throughout the organisation, where responsibility for compliance is shared and understood.

Risk assessment skills in compliance are indispensable for identifying potential compliance risks, implementing appropriate controls, managing policy changes, and ensuring effective reporting and accountability. These skills are crucial in navigating the ever-changing regulatory landscape, managing emerging threats, and sustaining a robust compliance culture within an organisation.

Risk-Based Approach in Auditing

In various sectors, especially in financial services and data protection, a Risk-Based Approach (RBA) to auditing is becoming increasingly vital. This approach prioritises risks and allocates audit resources where they are most needed, ensuring that key areas of potential non-compliance or vulnerability are addressed efficiently.

  1. Financial Sector and FCA’s Risk-Based Approach:
    • The Financial Conduct Authority (FCA) in the UK advocates for an RBA in auditing, focusing on the areas with the highest risk of non-compliance or financial crime.
    • Audits in the financial sector under this approach assess risks related to market abuse, financial crime, customer protection, and integrity of financial reporting.
    • The FCA’s RBA aims to identify emerging risks, ensuring that financial institutions maintain high compliance standards and respond effectively to changes in the regulatory landscape.
  2. Data Protection and GDPR’s Application of RBA:
    • The General Data Protection Regulation (GDPR) emphasises the importance of risk assessment in protecting personal data.
    • Audits under GDPR involve evaluating the risks associated with data processing activities, particularly concerning personal data breaches and misuse.
    • The focus is on ensuring that organisations implement adequate technical and organisational measures to safeguard personal data, proportionate to the level of risk.
  3. Internal Audit and Risk-Based Auditing:
    • Risk-based auditing in an internal audit context involves prioritising audit work towards the areas that represent the greatest risk to an organisation’s objectives.
    • This approach ensures that audit resources are efficiently used by focusing on the most critical controls and processes.
    • Internal audits under this methodology aid in identifying weaknesses in risk management practices and in suggesting improvements.
  4. Customer Due Diligence and KYC Procedures:
    • In customer due diligence (CDD) and Know Your Customer (KYC) procedures, RBA plays a critical role in identifying the risk level of each customer.
    • Audits in this area assess the adequacy of CDD and KYC procedures in identifying, assessing, and managing customer-related risks.
    • The aim is to ensure that financial institutions are not inadvertently facilitating money laundering or terrorist financing and are compliant with AML regulations.

A Risk-Based Approach in auditing, whether in the financial sector, data protection, internal audit processes, or CDD and KYC procedures, focuses on identifying and assessing risks and allocating audit resources to the areas where they are most needed. This approach not only enhances the effectiveness of the audit process but also ensures that organisations remain compliant with regulatory requirements and protect themselves from potential risks.

Challenges and Critiques of RBA

While the Risk-Based Approach (RBA) to Anti-Money Laundering (AML) and compliance offers many benefits, it also faces certain challenges and criticisms.

  • Limitations and Criticisms of the RBA:

    • Complexity in Risk Assessment: Accurately identifying and assessing risks can be complex and resource-intensive. There’s a risk of either underestimating or overestimating threats.
    • Dependence on Quality Data: RBA’s effectiveness hinges on the availability of high-quality, relevant data. Poor data quality can lead to inaccurate risk assessments.
    • Subjectivity: Decisions about risk levels can be subjective and vary significantly between assessors.
    • Balancing Act: Ensuring a balance between being too risk-averse, which can stifle business, and being too lenient, which can expose the organisation to vulnerabilities.
  • Addressing the Challenges of Implementing RBA:

    • Investment in Technology and Training: Adopting advanced technologies like AI and ML, and training staff in risk assessment and compliance are critical.
    • Standardisation of Risk Assessments: Developing standard procedures and methodologies can help reduce subjectivity and inconsistency in risk assessments.
    • Regular Reviews and Updates: Continuously updating risk assessments and control mechanisms in response to new threats and changes in the regulatory environment.
  • Future Outlook and Evolving Landscape of RBA:

    • Technology Integration: Continuous integration of newer technologies for more efficient and accurate risk management.
    • Global Regulatory Alignment: Further alignment and harmonisation of global regulatory standards can enhance the effectiveness of RBA across borders.
    • Focus on Emerging Risks: Increased attention to emerging risks, such as those associated with cryptocurrencies and fintech innovations.


Why the Risk-Based Approach is Essential for AML Compliance

Financial institutions that adopt an advanced Risk-Based Approach will:

✔ Enhance AML effectiveness by focusing compliance efforts on high-risk activities.
✔ Reduce false positives & optimise compliance budgets.
✔ Ensure global regulatory alignment with FATF, FCA, EU, & FinCEN directives.
✔ Future-proof AML frameworks against evolving financial crime threats.

🔹 The future of AML compliance is risk-driven. Is your organisation ready?

FAQs on Risk-Based Approach

What is a risk-based approach?
A risk-based approach (RBA) is a method that prioritises risks, focusing on the most significant threats to allocate resources effectively and enhance decision-making processes in various domains like AML, KYC, and compliance.

What are risk-based approach methods?
Risk-based approach methods involve identifying, assessing, prioritising, and managing risks. These methods help organisations tailor their strategies to address specific risks effectively.

What is under a risk-based approach?
Under a risk-based approach, organisations evaluate potential risks in their operations, such as financial, legal, and reputational risks, and implement controls proportionate to the level of risk.

What are the phases of a risk-based approach?
The phases include risk identification, risk assessment, risk prioritisation, risk mitigation, and continuous monitoring and review.

What are the 4 pillars of a risk-based approach?
The four pillars include risk identification, risk assessment, risk control measures, and continuous monitoring and review.

What are the core requirements of a risk-based approach?
Core requirements include comprehensive risk assessment, tailored control measures, continuous monitoring, and effective communication and reporting mechanisms.

How do you adopt a risk-based approach?
Adopting a risk-based approach involves conducting a thorough risk assessment, implementing risk-based controls, regularly reviewing and updating the risk profile, and ensuring staff are trained and aware of the approach.

What are the 5 risk management approaches?
The five approaches include risk avoidance, risk reduction, risk sharing, risk retention, and risk exploitation.

What are the three approaches to risk management?
The three main approaches are risk avoidance, risk transfer, and risk mitigation.

What is the opposite of a risk-based approach?
The opposite is a prescriptive or rules-based approach, which applies uniform controls without considering the specific level of risk.

What is the difference between risk management and a risk-based approach?
Risk management involves identifying and addressing risks, while a risk-based approach prioritises risks to focus efforts and resources on the most critical areas.

What are the two basic approaches to risk management?
The two basic approaches are the traditional risk management approach, focusing on avoiding losses, and the enterprise risk management approach, which also considers strategic risks.

What is the risk-based approach to prioritisation?
This approach involves ranking risks based on their severity and likelihood to ensure that the most critical risks are addressed first.

What are the key elements of a risk management approach?
Key elements include risk identification, risk analysis, risk evaluation, risk treatment, and continuous monitoring.

What is the 4-step approach to risk management?
The four steps are identifying risks, assessing risks, controlling risks, and monitoring and reviewing the control measures.

What are the three phases of a risk-based audit approach?
The three phases include planning (risk identification and assessment), execution (testing controls), and reporting (communicating findings and recommendations).

What is the main objective of using the risk-based approach?
The main objective is to efficiently allocate resources to the areas of highest risk to enhance the effectiveness of risk management practices.

What is the nature of a risk-based approach?
The nature of an RBA is proactive and dynamic, focusing on identifying and mitigating risks before they materialise, based on their likelihood and impact.

What is the difference between a rule-based approach and a risk-based approach?
A rule-based approach applies uniform standards regardless of risk, while a risk-based approach tailors controls to the level of risk.

What are the key benefits of adopting a risk-based approach?
Key benefits include improved resource allocation, enhanced decision-making, increased compliance, and better risk mitigation.

What is an example of a risk management approach?
An example is a company performing regular cybersecurity assessments to identify vulnerabilities and implementing targeted security measures to mitigate identified risks.

What is an example of good risk management?
Good risk management could be a financial institution conducting thorough customer due diligence to prevent money laundering.

What are the 7 types of risk management?
The seven types include financial, operational, reputational, compliance, strategic, environmental, and health and safety risk management.

What is the ideal approach for managing risk?
The ideal approach is context-specific, combining various risk management strategies to address the unique risk profile of an organisation effectively.

What is an example of risk avoidance?
Risk avoidance might involve a company deciding not to enter a high-risk market to prevent potential losses.

When should a risk be avoided?
A risk should be avoided when its potential impact is unacceptable to the organisation or when mitigation costs outweigh the benefits.

 

About Neotas Due Diligence

Neotas Platform covers 600Bn+ archived web pages, 1.8Bn+ court records, 198M+ corporate records, global social media platforms, and 40,000+ Media sources from over 100 countries to help you build a comprehensive picture of the team. It’s a world-first, searching beyond Google. Neotas’ diligence uncovers illicit activities, reducing financial and reputational risk.

Leveraging AI Chatbots for Enhanced Social Media Checks and OSINT

In the digital age, information is abundant, but the challenge lies in its verification and analysis. Open-Source Intelligence (OSINT) has become a vital tool for individuals, businesses, and governments to gather actionable intelligence from publicly available sources. One of the latest innovations enhancing the OSINT landscape is the use of chatbots. These intelligent virtual assistants are revolutionising the way we conduct social media checks and gather valuable information from online sources. In this article, we will explore the evolving role of chatbots in OSINT, their benefits, and potential applications. 

Chatbots, powered by AI and advanced algorithms, are revolutionising Open-Source Intelligence (OSINT) by automating data collection and analysis. As technology evolves, chatbots will play an even greater role in navigating the vast expanse of digital information, emphasising the need for ethical and privacy-conscious practices.  

The Growing Importance of AI Chatbots for Enhanced Social Media Checks and OSINT

Open-Source Intelligence, often referred to as OSINT, is the practice of collecting and analysing information from publicly available sources. These sources can include social media platforms, websites, blogs, news articles, and more. OSINT plays a crucial role in various domains, including national security, law enforcement, corporate intelligence, and even personal research. It allows professionals to gather insights, track trends, and make informed decisions. 

However, as the digital landscape continues to expand, the sheer volume of information available online can be overwhelming. This is where chatbots come into play, streamlining the process of gathering and analysing OSINT data. 

Chatbots necessarily utilise advanced technologies such as AI, Machine Learning and Computer Vision within their proprietary algorithms. Appropriate security techniques must be applied to ensure that these interactions are not subject to algorithmic bias, conscious or otherwise.

The Role of Chatbots in OSINT 

Chatbots are computer programs designed to simulate human interaction. They can be integrated into various platforms and used for a wide range of purposes, from customer service to data analysis and simply acquiring knowledge. When it comes to OSINT, chatbots offer several advantages: 

  • Automation: Chatbots can automate the process of gathering information from social media platforms and other online sources. They can monitor specific keywords, profiles, or websites 24/7, ensuring that no relevant information is missed. 
  • Real-time Alerts: Chatbots can provide real-time alerts for specific events or mentions. For example, they can notify law enforcement agencies about potential threats or businesses about brand activities. 
  • Data Extraction: Chatbots can extract data from websites and social media profiles, making it easier to analyse and organise information. This can save investigators valuable time. 
  • Multilingual Capabilities: Many chatbots have multilingual capabilities, allowing them to monitor and analyse content in multiple languages, making them valuable in international OSINT efforts. The output can be accessed as dialogue in multiple languages and formats. 
  • Natural Language Processing (NLP): Advanced chatbots equipped with NLP can understand and interpret text data more accurately, making them better at semantic analysis together with identifying sentiment, intent, and context.

Applications of Chatbots in OSINT 

  • Threat Intelligence: Chatbots can monitor social media and online forums for discussions related to security threats, helping security agencies stay ahead of potential dangers. 
  • Brand Reputation Management: Businesses can use chatbots to track mentions of their brand online and respond to customer feedback and inquiries promptly. 
  • Investigative Journalism: Journalists can utilise chatbots to sift through vast amounts of data, uncovering leads for stories and conducting research more efficiently. 
  • Competitive Analysis: Companies can employ chatbots to gather information about their competitors, such as product releases, customer feedback, and marketing strategies. 
  • Personnel Vetting: In the hiring process, chatbots can assist in vetting potential candidates by checking their online presence for red flags or inconsistencies. 
  • Disaster Response: During natural disasters or emergencies, chatbots can help authorities monitor social media for critical information, such as requests for assistance or reports of incidents.

Challenges and Considerations 

While chatbots offer significant advantages in OSINT, there are challenges and considerations to keep in mind: 

  • Ethics and Privacy: Chatbots must adhere to ethical guidelines and privacy laws when collecting and handling personal information from public sources. 
  • Data Accuracy: The accuracy of OSINT data gathered by chatbots depends on the quality of the algorithms and the sources they monitor. False positives and misinformation can still be a challenge. 
  • Contextual Understanding: Despite advances in NLP, chatbots may struggle with understanding context, sarcasm, and nuance in online conversations. 
  • Data Overload: The sheer volume of data collected by chatbots can be overwhelming. Effective data filtering and analysis tools are essential. 
  • Evolving Technology: The field of chatbot development is continually evolving. Staying up-to-date with the latest advancements is crucial to harness their full potential. 
  • Skills Training: The use of chatbots will require training and education in order to use them effectively, appropriately and in an unbiased manner.

Conclusion 

The integration of chatbots into the realm of OSINT is a significant step forward in the quest for reliable and actionable intelligence from online sources, but the final analysis must involve human intervention. These intelligent virtual assistants bring automation, real-time alerts, and data extraction capabilities to the OSINT process, making it more efficient and effective.

The data collation capabilities of chatbots will necessarily include the collation of a great deal of personal information. It is imperative that measures are put in place to ensure that regulatory and legal requirements such as GDPR are not breached. 

As technology continues to evolve, chatbots will become even more sophisticated, enhancing their ability to analyse and interpret online data accurately. However, it’s essential to remember that while chatbots are powerful tools, they should be used ethically and responsibly, with a keen eye on privacy and data accuracy. 

In a world where information is king, chatbots are emerging as valuable allies in the ongoing pursuit of knowledge and insight, helping individuals, businesses, and governments navigate the vast seas of data that the digital age has bestowed upon us.

OSINT background checks harness the wealth of information available on the internet to provide insights that aid in making informed decisions.

 

Manage Business Risk with OSINT.

Neotas is an Enhanced Due Diligence Platform that leverages AI to join the dots between Corporate Records, Adverse Media and Open Source Intelligence (OSINT). Get in touch with Neotas and we would be happy to help you with OSINT-related queries and provide more information on how to carry out these checks in a safe and compliant manner.

Schedule a Call or Book a Demo of Neotas Enhanced Due Diligence Platform.

 


The Perils of AI-Based Social Media Checks Without Human Intervention


As artificial intelligence (AI) continues to advance, its integration into various aspects of our lives becomes increasingly apparent. One area that has created considerable interest is the use of AI-based social media checks. While these AI-based systems may promise enhanced security, efficiency, and decision-making, they also come with potential dangers that affect our privacy, personal freedom, and employment prospects. In this article, we explore why human intervention in the process is crucial to strike a balance between AI-based technological advancements and safeguarding individual rights.

Invasion of Privacy

AI-based social media checks rely on increasingly sophisticated algorithms that analyse individuals’ online activities, posts, and interactions. While the intention may be to identify potential threats to an employer (or to other parties, such as an investor), the process can involve the collection of sensitive personal data, albeit with consent. Information must be gathered in a fair and responsible manner, without invading an individual’s privacy.

To protect innocent individuals from being unjustly identified as potentially poor employees because of false positives or misinterpretations of their online behaviour, we cannot leave this to technology alone. Governments around the world continue to introduce incremental safeguarding legislation to protect against this. Otherwise, the use of AI-based technology alone may cause unwarranted damage to an individual’s professional reputation and employment prospects.

The optimal use of AI will ensure that every check is assessed by a trained analyst and also QA checked by a suitably experienced person. Not only does this adhere to legislation, it also gives confidence to employers using the service.

Amplification of Biases

AI algorithms are trained on large datasets and may inadvertently highlight information that the algorithm has been designed to discover but which does not present a problem to an employer. As a result, these biases can be amplified when AI-based social media checks are used without human intervention, leading to discriminatory actions against specific groups or an individual.

For example, without human intervention, protected characteristics such as racial, religious, or political interests might be adversely identified in the process, perpetuating poor employment prospects for those whose sensitive personal information has been exposed. It is therefore important for anyone using such checks in an employment situation to ensure the results are reviewed by an experienced analyst. An HR department should not undertake this task because once a person has seen the protected characteristic, they can’t unsee it and therefore leave themselves exposed to cries of discrimination by an interviewee.

The production of AI-based social media checks without the intervention of a trained analyst can have far-reaching consequences for an individual’s access to employment. Experienced human intervention is necessary to ensure protected characteristics are removed from any report or information passed to those making hiring decisions. Experienced analysts continue to develop their skill in these matters to balance technological progress and provide a more equitable future for employers and employees.

Free Speech and Individuality

Social media has become a vital platform for expression and free speech in the modern age. It is also a medium used by many to spread disinformation, perpetuate crime and spread falsehoods. AI-based social media checks are a useful tool to protect employers from hiring an individual practising inappropriate social disruption. It is fundamental that reports are curated by a human to identify individuals that pose a threat to an organisation without undermining the principles of free speech and social engagement.

Without human intervention AI technology can have unintended consequences.

Fostering Trust

When a trained analyst curates the results of AI-based social media checks, it introduces a level of scrutiny that makes it possible for employers to have trust in the outcome. This balanced use of technology enhances the positive aspects of social media, such as freedom of expression, connecting with friends, staying informed, and participating in community discussions, without the dangers of machine-made decisions on their own.

A compliant organisation providing screening services should be FCRA compliant and GDPR certified to ISO27701 or equivalent. The supplier of social media checks should confirm that all social media reports are checked by a trained analyst to remove protected characteristics and protect your organisation from unwanted legal action.

 


As we move forward in an increasingly interconnected world, it is essential to strike a balance between leveraging the speed and efficiency benefits of AI and safeguarding individual rights.

It is clear that AI will continue to develop enhanced capabilities in discovery and reporting functions. Interpretation and consideration of this information necessarily requires the intervention of highly skilled individuals. This combination of technology and experience is a fundamental requirement in the production of screening services.

AI-based social media checks present many positive opportunities for employers that must not be overlooked. The invasion of privacy, amplification of biases, and safeguarding against the use of protected characteristics are critical issues that demand the attention of a trained analyst in the process.

For a technologically responsible future, the blend of technology and experience is a fundamental requirement in the production of screening services.

How can Neotas Social Media Screening help?

Neotas’ Social Media Screening goes beyond the surface, delving deep into a candidate’s or employee’s digital footprint to provide comprehensive insights. By harnessing the latest OSINT technology and expert analysis, Neotas can uncover valuable information that traditional background checks might miss, ensuring a more holistic evaluation of individuals.

With this service, employers can make well-informed decisions, safeguarding their organizations from potential reputational risks, security breaches, or any other concerns that could arise from an employee’s online activities. By proactively screening social media accounts, Neotas enables businesses to maintain a safe and secure working environment while protecting their brand integrity.

 

Schedule a call today! We highlight behavioural risks identified across social media profiles and the wider internet. This supplements the background screening process. Learn more about how we can help you conduct social media screening and background checks in a safe and compliant manner.


Social Media checks and background screening for Teachers and school staff

Social Media checks for Teachers


Educational institutions are responsible for providing a safe, secure, and healthy learning environment. In today’s world, social media platforms have become an integral part of our daily lives. It is one of the most popular ways of communication used amongst people of different age groups, genders, and professions, especially teachers. 

Teachers, as much as anyone else, use social media platforms like Facebook, Twitter, LinkedIn, and Instagram to connect with their peers, colleagues, and students. However, in recent years, there has been a growing concern about teachers’ social media activities and how they can affect the learning environment of their students. It is essential that this is addressed to ensure that teachers remain professional in their conduct and do not hurt the students’ learning environment.

Why Social Media checks for Teachers

Maintaining Professional Boundaries 

The primary reason for carrying out Social Media checks for teachers is to ensure that they maintain appropriate boundaries between themselves and their students. Social media platforms are a massive repository of personal information, and teachers’ actions on these platforms can be very telling about their personalities, values, and potentially harmful behaviours. Although social media platforms have privacy settings, these settings are not a guarantee that all personal information and communication will remain private. Inadvertent sharing of private information or inappropriate interaction with students can have serious consequences. 

Reputational Integrity 

Another important reason for the Social Media checks of teachers is to ensure that their public behaviour doesn’t reflect poorly on their school’s reputation. Inappropriate photos, public rants, or posts that are not aligned with the school’s philosophy or values can have a damaging effect on the school’s reputation. The school is also responsible for ensuring that the students’ health and safety are not compromised by any action taken by the teachers.  


Appropriate Communication 

Social Media checks serve as a way to evaluate a teacher’s ability to teach and communicate effectively with their students. A teacher’s online presence can play an important role in determining their effectiveness as a teacher. It is important for teachers to communicate well with their students, both offline and online. Social media is an excellent way to keep students informed and updated about school events, assignments, and additional resources for learning. The teacher’s multimedia presence should be a reflection of their efforts in educating their students. 

Appropriate Behaviour 

Furthermore, social media checks ensure that teachers are not involved in any inappropriate behaviour or engaging in any activities that would compromise their ability to perform their duties. Instances of alcohol use, drug use, or gambling could point to problematic past behaviours that might negatively affect the teacher-student interaction, thus compromising the learning environment or student safety. It is crucial to perform these checks to ensure that only appropriate role models are teaching the students.

Prevention of Extremism 

Another reason why social media checks should be carried out for teachers is to prevent them from networking with or aiding extremist groups and political organisations. Social media has played a significant role in shaping relationships and extremist groups’ networks in recent years. This has led to the recruitment of individuals into these extremist groups. It is critical to vet teachers and their online activity to ensure that they are not in any way involved in such groups or promoting extremist views. This would ensure that students are not exposed to extremist propaganda, violence, or hate speech. 

Privacy and Safety 

Social Media checks are necessary to protect the privacy and safety of students. The internet is home to cyber criminals and online predators who, given the chance, would take advantage of any personal information available. Teachers often have access to students’ personal information, which puts them in a vulnerable position for online predators. Carrying out Social Media checks can help to make sure these predators are not using online communication channels to contact and harm students. Moreover, it ensures that students’ personal data is kept confidential and not discussed on public forums. 

Social media checks should be carried out for teachers to ensure that they are held to a high standard of professionalism in their teaching conduct while supporting the learning environment. Such checks can prevent inappropriate behaviour towards students, aid in evaluating the effectiveness of teachers, safeguard the school’s reputation, and ensure student privacy and safety. 

Educational institutions are responsible for providing a safe, secure, and healthy learning environment, and carrying out social media checks is an important step in meeting that responsibility. As the use of social media continues to grow, teachers must understand how it can impact their professional and personal lives, while monitoring their digital lives accordingly. By doing so and carrying out regular Social Media Check-ups, the learning environment for students can remain safe, secure, and conducive to success. 

 

Social Media Checks for School Staff

Social media background checks have become an essential part of the hiring process, safeguarding students, maintaining institutional reputation, and ensuring compliance with ethical and legal frameworks. This comprehensive guide explores the significance of social media checks for school staff, legal considerations, best practices, and the future of online screening in the education sector.

Social Media Background Checks

What Are Social Media Background Checks?

A social media background check is a process where a school or hiring entity reviews the social media activity of prospective and current employees to assess their professionalism, behavior, and alignment with institutional values. These checks help identify potential risks and red flags before employment decisions are made.


How Are They Different from Traditional Background Checks?

Unlike conventional background checks that focus on criminal records, education, and employment history, social media screening evaluates a candidate’s public online behavior, including posts, comments, affiliations, and shared content that could impact their suitability as an educator.

The Necessity of Social Media Checks in Schools

1. Ensuring Student Safety and Well-being

Teachers and school staff interact with students daily. Monitoring their online presence can help prevent exposure to inappropriate behavior, discrimination, or unethical conduct.

2. Upholding the Institution’s Reputation

Schools and academic institutions are held to high moral and ethical standards. A teacher’s online activity, if questionable, can harm the reputation of the institution.

3. Compliance with Legal and Ethical Standards

Many educational institutions are mandated by policies and regulations to conduct thorough background checks, including reviewing a candidate’s social media footprint.

 

Implementing Social Media Screening: Methods and Best Practices

Manual vs. Automated Screening

  • Manual Screening: Reviewing social media profiles manually provides detailed insights but can be time-consuming and prone to bias.
  • Automated Screening: AI-based tools analyze vast amounts of online data efficiently, offering objective and fast results.

Key Platforms to Monitor

  1. Facebook – Posts, group affiliations, comments
  2. Twitter/X – Tweets, retweets, public interactions
  3. Instagram – Visual content, captions, stories
  4. LinkedIn – Professional conduct, networking behavior
  5. TikTok – Trends, challenges, and potential inappropriate content

Identifying Red Flags

  • Inappropriate Content – Hate speech, explicit images, or illegal activities
  • Breaches of Confidentiality – Sharing student data or sensitive school information
  • Affiliations with Extremist Groups – Content that reflects intolerance or criminal activities
  • Unprofessional Behavior – Excessive profanity, negative remarks about previous employers, or inappropriate interactions with students

 

Legal and Ethical Considerations

Privacy Concerns

It is crucial to distinguish between public and private information. Schools should only review content that is publicly accessible and avoid intrusive monitoring of private accounts.

Anti-Discrimination Laws

Social media checks must align with Equal Employment Opportunity (EEO) laws, avoiding biases based on race, religion, or personal beliefs.

Data Protection Regulations

Schools must comply with legal frameworks such as:

  • GDPR (General Data Protection Regulation) – Governing data privacy laws in the EU
  • FERPA (Family Educational Rights and Privacy Act) – U.S. law protecting student data privacy
  • State-Specific Regulations – Different U.S. states have laws regulating employer social media access

 

Developing a Social Media Policy for School Staff

Components of an Effective Policy

  • Clearly Defined Acceptable Online Behavior
  • Guidelines on Privacy Settings and Professionalism
  • Policies on Engaging with Students Online

Training and Awareness

  • Regular workshops on digital footprints
  • Informing staff about potential risks and best practices

Enforcement and Consequences

  • Schools must have transparent disciplinary measures in place for violations

Social media background checks for school staff are essential in modern hiring practices. They help protect students, uphold an institution’s reputation, and ensure compliance with legal and ethical standards. Schools must implement structured policies, adhere to regulations, and use ethical screening methods to conduct responsible social media vetting.

With the right approach, social media checks can create a safer and more professional educational environment while maintaining fairness and transparency in hiring decisions.

 

The Role of Third-Party Screening Services

Benefits of Outsourcing

  • Expertise in social media analytics
  • Objectivity in the screening process
  • Time-saving for school administrators

Selecting a Reputable Service Provider

  • Compliance with privacy laws
  • Use of ethical screening practices

 


 

Neotas Social Media Background Checks and Social Media Screening

At Neotas, we understand the importance of conducting thorough and compliant Social Media Screening Checks, and our team of experts is dedicated to ensuring that the process is safe and reliable. Receive accurate and up-to-date information while complying with all relevant regulations, including GDPR and FCRA. Our advanced OSINT technology and human intelligence allow us to uncover valuable insights that traditional checks may miss.

Ready to experience the future of social media checks?

 


Developing an Effective Third Party Risk Management Framework

Third Party Risk Management Framework


In today’s interconnected business ecosystem, organizations are increasingly reliant on third-party relationships to support their operations and growth. However, these relationships also introduce potential risks that can impact an organization’s reputation, operations, and compliance. This white paper explores the essential components of an effective Third Party Risk Management (TPRM) Framework and provides insights into how organizations can establish comprehensive strategies to mitigate these risks.

Table of Contents:

  1. Introduction
    • The Rise of Third-Party Dependencies
    • Importance of Third Party Risk Management
  2. Understanding Third Party Risk
    • Types of Third Party Risks
    • Impact of Third Party Risks on Organizations
  3. Key Components of a TPRM Framework
    • Governance and Ownership
    • Risk Assessment and Classification
    • Due Diligence and Vendor Selection
    • Contractual Agreements
    • Ongoing Monitoring and Reporting
    • Incident Response and Remediation
  4. Developing a TPRM Framework
    • Defining Risk Appetite and Tolerance
    • Establishing Policies and Procedures
    • Assigning Responsibility and Accountability
    • Integrating TPRM with Business Processes
  5. Risk Assessment and Classification
    • Identifying Critical Third Parties
    • Assessing Risk Factors: Compliance, Financial, Operational, Reputational, and Security
  6. Due Diligence and Vendor Selection
    • Criteria for Vendor Evaluation
    • Conducting Background Checks
    • Assessing Financial Stability and Legal Compliance
  7. Contractual Agreements
    • Key Elements of Third Party Agreements
    • Including Risk Mitigation Clauses
    • Defining Data Protection and Security Requirements
  8. Ongoing Monitoring and Reporting
    • Implementing Regular Audits and Assessments
    • Tracking Changes in Third Party Operations
    • Creating Comprehensive Reporting Mechanisms
  9. Incident Response and Remediation
    • Developing a Response Plan for Third Party Failures
    • Ensuring Business Continuity and Minimizing Disruption
    • Remediating Issues and Reevaluating Relationships
  10. Integration of TPRM into Organizational Culture
    • Educating Employees about TPRM
    • Creating Awareness of Third Party Risks
  11. Conclusion
    • Benefits of an Effective TPRM Framework
    • Embracing TPRM as a Continuous Process

———————————————–

Introduction

In today’s interconnected global business landscape, organizations are increasingly relying on external partnerships to drive efficiency, innovation, and growth. These collaborations, while advantageous, introduce a complex web of dependencies that can pose significant risks to an organization’s operations, financial stability, and reputation. As the reliance on third-party relationships continues to grow, so does the need for effective Third Party Risk Management (TPRM) strategies.

The Rise of Third-Party Dependencies

The traditional model of self-sufficiency has evolved into a more interconnected and specialized ecosystem, driven by the need for diverse expertise and resources. Organizations now frequently engage third parties, such as suppliers, vendors, contractors, and service providers, to complement their core competencies. This shift has led to a surge in third-party dependencies that extend beyond the borders of a single organization.

As the network of external relationships expands, so does the potential for risk exposure. A single disruption within a third-party partner can reverberate through the entire value chain, causing supply chain disruptions, service interruptions, and reputational damage. The interconnected nature of modern business emphasizes the importance of understanding, mitigating, and managing these third-party risks.

Importance of Third Party Risk Management

The importance of Third Party Risk Management (TPRM) cannot be overstated. Organizations must proactively assess and manage the risks associated with their third-party relationships to ensure business continuity, regulatory compliance, and the protection of sensitive data. Effective TPRM is not merely a defensive strategy; it’s a proactive approach that empowers organizations to harness the benefits of external collaborations while safeguarding against potential pitfalls.

By embracing TPRM, organizations can identify vulnerabilities within their third-party network, quantify the potential impacts of these vulnerabilities, and develop strategies to mitigate or eliminate them. TPRM helps organizations strike a balance between innovation and risk, enabling them to confidently pursue new opportunities without compromising their stability.

In the subsequent sections of this white paper, we will delve deeper into the components of a robust TPRM framework, explore strategies for risk assessment and mitigation, and provide insights into integrating TPRM into the organizational culture. Through real-world case studies and practical examples, we will illustrate the significance of effective TPRM implementation in today’s dynamic business environment. By the end of this exploration, readers will gain a comprehensive understanding of TPRM’s role in mitigating the risks inherent in third-party dependencies and fostering a resilient and successful organization.

Understanding Third Party Risk

As organizations expand their operations and engage with a diverse array of third-party partners, understanding and managing third party risks becomes paramount. This section explores the various types of third-party risks and delves into their potential impact on organizations.

Types of Third Party Risks

  1. Compliance Risks: Third parties that fail to meet regulatory standards or industry regulations can expose organizations to legal and financial penalties. Non-compliance with data protection laws, anti-corruption regulations, or industry-specific standards can tarnish an organization’s reputation.
  2. Financial Risks: Financial instability or bankruptcy of a third-party vendor can lead to supply chain disruptions, impacting an organization’s ability to deliver goods or services. Organizations can also face financial losses due to contractual breaches by third parties.
  3. Operational Risks: Dependence on third parties for critical operations exposes organizations to operational risks. Disruptions in a third party’s operations, such as IT outages or labor strikes, can directly affect an organization’s performance and customer satisfaction.
  4. Reputational Risks: The actions or misdeeds of a third party can directly impact an organization’s reputation. If a vendor engages in unethical behavior or environmental violations, the negative spotlight can extend to the organization that partnered with them.
  5. Security Risks: Third parties with weak cybersecurity measures can become a gateway for cyberattacks, potentially leading to data breaches or leaks. Cybercriminals often target organizations through vulnerable third-party connections.

Impact of Third Party Risks on Organizations

The impact of third party risks can be far-reaching and severe, affecting an organization’s bottom line, reputation, and overall stability. A disruption in a critical third-party relationship can lead to:

  • Delayed product launches and reduced competitiveness.
  • Decreased customer trust and loyalty due to failures in service delivery.
  • Financial losses resulting from supply chain disruptions or contractual disputes.
  • Legal liabilities stemming from non-compliance with laws and regulations.
  • Reputational damage that can erode brand equity and customer confidence.

Furthermore, organizations may face indirect consequences, such as increased scrutiny from regulators, loss of investor confidence, and strained relationships with stakeholders. To mitigate these potential impacts, organizations must proactively identify, assess, and manage third party risks through a comprehensive TPRM framework.

In the following sections, we will delve into the key components of an effective TPRM framework, providing guidance on risk assessment, due diligence, monitoring, and response strategies. By understanding the nuances of third-party risks and their potential ramifications, organizations can equip themselves with the tools needed to navigate the complex landscape of external partnerships.


Key Components of a TPRM Framework

A robust Third Party Risk Management (TPRM) framework comprises several essential components that work harmoniously to identify, assess, and mitigate risks arising from third-party relationships. This section delves into the key components that form the foundation of an effective TPRM strategy.

1. Governance and Ownership: Establishing clear governance structures and assigning ownership of TPRM responsibilities are vital. This includes defining roles and responsibilities, ensuring accountability, and securing executive sponsorship. Effective governance ensures that TPRM becomes an integrated part of the organization’s risk management culture.

2. Risk Assessment and Classification: Thoroughly assessing and classifying third-party risks is fundamental. This involves identifying the types of risks associated with each third party and categorizing them based on factors such as impact and likelihood. By understanding the inherent risks, organizations can allocate resources effectively and prioritize risk mitigation efforts.

3. Due Diligence and Vendor Selection: Conducting due diligence is critical during the vendor selection process. Organizations should evaluate potential partners’ financial stability, regulatory compliance, operational history, and security practices. Rigorous due diligence ensures that organizations engage with third parties that align with their risk appetite and operational standards.

4. Contractual Agreements: Crafting comprehensive contractual agreements is pivotal for managing third-party risks. Contracts should explicitly outline risk mitigation measures, compliance expectations, data protection requirements, and consequences for breaches. Clear contractual terms enable organizations to hold third parties accountable for their role in risk management.

5. Ongoing Monitoring and Reporting: Continuously monitoring third parties is essential to detect changes in risk profiles and identify emerging risks. Regular assessments, audits, and performance reviews help organizations stay informed about third-party activities, ensuring they remain aligned with expectations and compliance standards. Robust reporting mechanisms facilitate transparent communication.

6. Incident Response and Remediation: Developing a well-defined incident response plan for third-party failures is critical. Organizations should outline procedures for mitigating disruptions caused by third-party issues, maintaining business continuity, and addressing reputational damage. Swift remediation strategies minimize the negative impact of incidents.

 

Developing a TPRM Framework

A well-structured Third Party Risk Management (TPRM) framework is the cornerstone of effective risk mitigation. This section delves into the steps involved in developing a comprehensive TPRM framework that aligns with organizational goals and ensures seamless risk management.

1. Defining Risk Appetite and Tolerance: Clearly defining the organization’s risk appetite and tolerance is the starting point. This involves determining the level of risk the organization is willing to accept and the threshold beyond which risks become unacceptable. Defining these parameters guides decision-making throughout the TPRM process.

2. Establishing Policies and Procedures: Developing robust TPRM policies and procedures is essential to provide a structured approach to risk management. These documents should outline the organization’s objectives, the scope of the TPRM framework, roles and responsibilities, risk assessment methodologies, and protocols for due diligence, monitoring, and incident response.

3. Assigning Responsibility and Accountability: Appointing responsible individuals for different aspects of TPRM is critical for its successful implementation. Designating roles such as TPRM coordinators, risk owners, and executive sponsors ensures that each component of the framework is effectively managed. Clear accountability fosters a sense of ownership and ensures TPRM’s integration into the organizational culture.

4. Integrating TPRM with Business Processes: Embedding TPRM within existing business processes enhances its effectiveness. Integrating risk assessments into vendor selection procedures, incorporating risk monitoring into performance evaluations, and aligning TPRM with procurement processes ensures that risk management becomes an inherent part of day-to-day operations.

By combining these foundational steps, organizations can lay the groundwork for a TPRM framework that is tailored to their risk appetite, aligned with their operational needs, and capable of adapting to changing risk landscapes. In the following sections, we will delve deeper into each step, offering practical insights, strategies, and real-world examples that showcase the benefits of a well-developed TPRM framework. With careful planning and execution, organizations can navigate the complexities of third-party risks and enhance their overall risk resilience.

 

Risk Assessment and Classification

Effective Third Party Risk Management (TPRM) hinges on a thorough understanding of the risks associated with external partnerships. This section delves into the critical steps of risk assessment and classification within a comprehensive TPRM framework.

1. Identifying Critical Third Parties: Not all third parties have the same impact on an organization’s operations. Identifying critical third parties is essential. These are the external partners whose disruptions could significantly affect the organization’s ability to deliver goods or services. By prioritizing critical third parties, organizations can focus their risk management efforts where they matter most.

2. Assessing Risk Factors: Compliance, Financial, Operational, Reputational, and Security: Risk assessment involves evaluating various factors that contribute to third-party risks. These factors include:

  • Compliance Risk: Assessing the extent to which third parties adhere to legal and regulatory requirements.
  • Financial Risk: Evaluating the financial stability of third parties to ensure they can fulfill contractual obligations.
  • Operational Risk: Analyzing third parties’ operational practices and stability to identify potential disruptions.
  • Reputational Risk: Gauging the third party’s reputation and ethical practices, as it can impact the organization’s brand image.
  • Security Risk: Scrutinizing the cybersecurity measures of third parties to protect against data breaches.

By comprehensively assessing these risk factors, organizations gain a holistic view of the risks associated with each third party and can tailor their risk mitigation strategies accordingly.

Due Diligence and Vendor Selection

Choosing the right third-party partners is a critical step in effective TPRM. This section explores the due diligence and vendor selection process that ensures organizations engage with partners aligned with their risk management objectives.

1. Criteria for Vendor Evaluation: Defining criteria for evaluating potential vendors is crucial. Criteria may include their track record, industry reputation, service quality, and the extent to which their offerings align with the organization’s needs and values. Establishing clear criteria helps organizations make informed decisions about engaging with specific vendors.

2. Conducting Background Checks: Conducting background checks on potential vendors involves investigating their history, past performance, and any legal or regulatory issues. This step helps identify any red flags that may indicate potential risks or ethical concerns.

3. Assessing Financial Stability and Legal Compliance: Evaluating the financial stability of potential vendors ensures that they have the resources to fulfill their commitments. Additionally, assessing their compliance with legal and regulatory requirements reduces the risk of engaging with partners that could pose legal liabilities to the organization.

By integrating thorough risk assessment and due diligence practices into their TPRM framework, organizations can make informed decisions about their third-party relationships, mitigate potential risks, and foster more secure and beneficial partnerships.

Contractual Agreements

Within the realm of Third Party Risk Management (TPRM), robust contractual agreements play a pivotal role in safeguarding organizations against potential risks associated with external partnerships. This section delves into the essential components of effective contractual agreements within a comprehensive TPRM framework.

1. Key Elements of Third Party Agreements: Contracts with third parties should articulate the expectations, roles, and responsibilities of each party. Key elements include scope of work, deliverables, timelines, and performance metrics. Clarity in these areas ensures that both parties have a shared understanding of their obligations.

2. Including Risk Mitigation Clauses: To address potential risks, contracts should include clauses that outline the steps each party will take to mitigate risks. These clauses might address data breaches, operational disruptions, compliance breaches, and other risk factors specific to the partnership.

3. Defining Data Protection and Security Requirements: Data protection and security are critical components of modern business partnerships. Contracts should define data handling procedures, security protocols, and measures to ensure compliance with data protection regulations, safeguarding sensitive information.

Ongoing Monitoring and Reporting

Continuous monitoring and reporting are integral to maintaining the integrity of third-party relationships within a TPRM framework. This section explores the steps organizations can take to ensure ongoing risk mitigation.

1. Implementing Regular Audits and Assessments: Regular audits and assessments of third parties help organizations stay informed about their performance, risk exposure, and adherence to contractual terms. Audits provide insights into areas that require improvement and opportunities for proactive risk mitigation.

2. Tracking Changes in Third Party Operations: External partners’ operations can change over time, affecting risk profiles. Organizations must consistently track and assess these changes to ensure that third parties continue to meet established risk standards and performance expectations.

3. Creating Comprehensive Reporting Mechanisms: Establishing reporting mechanisms enables seamless communication between the organization and its third-party partners. Organizations should define reporting frequency, content, and channels to ensure timely updates on risk-related matters.

Incident Response and Remediation

Even with diligent risk management, incidents can occur. This section addresses how organizations can respond to and remediate third-party-related issues.

1. Developing a Response Plan for Third Party Failures: A response plan outlines how the organization will address disruptions caused by third-party failures. Swift action is crucial to minimizing the impact on the organization’s operations and reputation.

2. Ensuring Business Continuity and Minimizing Disruption: Response plans should focus on maintaining business continuity in the face of third-party-related incidents. Strategies to quickly switch to alternate vendors or internal solutions can help mitigate disruptions.

3. Remediating Issues and Reevaluating Relationships: After an incident, organizations should work with third parties to address the root causes and implement corrective measures. Following resolution, the relationship should be reevaluated to determine whether continued engagement aligns with the organization’s risk tolerance.

Integration of TPRM into Organizational Culture

Effectively embedding TPRM into an organization’s culture is vital for sustained risk mitigation. This section explores the steps to create a risk-aware organizational culture.

1. Educating Employees about TPRM: Educating employees about TPRM principles and practices fosters a culture of vigilance and shared responsibility. Training ensures that individuals across the organization understand their role in identifying and mitigating third-party risks.

2. Creating Awareness of Third Party Risks: Raising awareness about the potential risks associated with external partnerships helps employees make informed decisions when engaging with third parties. Awareness campaigns and communication initiatives can contribute to a risk-aware culture.

By effectively implementing these components into a comprehensive TPRM framework, organizations can systematically manage third-party risks, mitigate potential disruptions, and cultivate a culture that values proactive risk management.

Conclusion: An effective Third Party Risk Management Framework is critical for modern organizations to navigate the complexities of external partnerships while safeguarding their interests. By establishing a comprehensive TPRM strategy that encompasses risk assessment, due diligence, ongoing monitoring, and incident response, organizations can not only minimize potential risks but also optimize their third-party relationships for sustainable success in a rapidly changing business landscape.

Benefits of an Effective TPRM Framework: An effective TPRM framework offers numerous benefits to organizations:

  • Business Continuity: A well-managed TPRM framework ensures operational continuity even in the face of disruptions caused by third-party failures.
  • Regulatory Compliance: TPRM ensures that third-party partnerships adhere to legal and regulatory requirements, shielding organizations from legal liabilities.
  • Reputation Protection: By mitigating risks associated with external partners, organizations safeguard their reputation and brand image.
  • Enhanced Decision-Making: Informed decisions about third-party engagements reduce potential negative impacts, fostering strategic growth.
  • Efficiency and Innovation: TPRM optimizes operations by addressing potential disruptions, allowing organizations to focus on innovation and growth.

Embracing TPRM as a Continuous Process: TPRM is not a one-time effort; it’s an ongoing commitment. As the business landscape evolves, so do the associated risks. Organizations must view TPRM as a continuous process that adapts to changing risk profiles, regulatory shifts, and business expansion. By integrating TPRM into the organizational culture, training employees, and consistently assessing and refining the framework, organizations create a resilient risk management culture that enables sustainable success.

In conclusion, TPRM is a strategic imperative that empowers organizations to navigate the complexities of third-party relationships while minimizing potential risks. By understanding the types of risks, integrating due diligence, establishing effective contractual agreements, and fostering an organizational culture of risk awareness, organizations position themselves for resilience, growth, and enduring success in today’s dynamic business environment.

Build a robust Third Party Risk Management Framework with us. We offer a structured approach to identify, assess, and manage risks introduced by external partnerships. Strengthen compliance, security, and continuity, ensuring sustainable success in a dynamic business landscape.

How GDPR and FCRA Apply to Social Media Background Checks – The Do’s and Don’ts of Social Media Background Checks for Employers

Social Media Background Checks

The widespread use of social media has led to an increasing trend among employers to conduct social media checks as part of their recruitment process. However, employers must be aware of the GDPR and FCRA implications of such checks, which set out strict rules for the processing of personal data, including data collected from social media checks. Employers must ensure that social media checks are conducted in a lawful, fair, and transparent manner and that the data collected is relevant, accurate, and necessary.

GDPR and FCRA implications of Social Media Background Checks

In today’s world, social media has become an integral part of our lives, and many of us use social media platforms to share personal information, opinions, and views. However, the widespread use of social media has led to an increasing trend among employers to conduct Social Media checks as part of their recruitment process.

While Social Media checks can help employers gather information about a candidate’s character, qualifications, and work history, it is essential to be aware of the General Data Protection Regulation (GDPR) and the Fair Credit Reporting Act (FCRA) implications of such checks. The GDPR and FCRA set out strict rules for the processing of personal data, including data collected from Social Media checks.

Personal Data

Social Media checks involve an employer or other organization gathering information about a person from their social media profiles, which can include sensitive personal data. Firstly, it is important to understand what is meant by personal data. Personal data includes any information that can be used to identify a living individual, such as their name, address, email address, or even their IP address. Additionally, the GDPR also includes special categories of personal data, such as race, ethnicity, political opinions, religious beliefs, health data, and sexual orientation.

When conducting Social Media checks, employers are likely to gather personal data from a candidate’s social media profiles. This data could include their name, age, gender, location, employment history, education, and other personal information such as political views, religious beliefs, or health-related information.

Personal data must be processed lawfully, fairly, and transparently. This means that the person whose data is being processed must be aware of the processing and have given their consent for it to take place, or the processing must be necessary for a legitimate reason, such as for the employer to carry out their duties.

Legitimacy

When it comes to Social Media checks, an employer must have a legitimate reason for conducting them. For example, an employer may want to verify a candidate’s work history, or assess their character or cultural fit. However, employers must ensure that the information gathered is relevant, accurate and not excessive. They must also inform job candidates that they plan to conduct social media checks and explain why they are necessary.

Data Integrity

Employers must process personal data in a manner that ensures appropriate security, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures. Ensuring your supplier is accredited to standards such as ISO 27001 and ISO 27701 provides a good level of confidence.

Employers must keep personal data secure, keep it only for as long as necessary, and not use it for any purposes other than those for which it was collected. This means that employers cannot use Social Media checks to discriminate against candidates based on their race, gender, age, sexual orientation, or any other protected characteristic.

 

FAQs on GDPR and FCRA implications of Social Media Background Checks

Q: What is the GDPR, and how does it relate to social media background checks?

The GDPR is the General Data Protection Regulation, a European Union regulation that governs the protection of personal data. It relates to social media background checks when employers process personal data from social media platforms during the hiring process.

Q: Do GDPR regulations apply to all social media background checks, or only those involving EU citizens?

GDPR regulations apply to social media background checks that involve the personal data of EU citizens, regardless of where the employer is located. If the checks involve candidates from the EU, GDPR compliance is mandatory.

Q: Can employers conduct social media background checks without explicit consent from the job candidate under the GDPR?

No, employers must obtain explicit consent from job candidates before conducting social media background checks. Consent must be freely given, specific, informed, and unambiguous, as per GDPR requirements.

Q: Are there any specific guidelines on data retention periods for social media background checks under the GDPR?

While the GDPR does not provide specific data retention periods, employers should only retain social media data for as long as necessary to fulfill the purpose for which it was collected. They must establish clear retention policies and delete data once it becomes irrelevant.

Q: Can employers use automated decision-making based on social media data without violating the GDPR?

Employers can use automated decision-making based on social media data, but they must ensure it complies with the GDPR’s principles, such as transparency and the right to human review of automated decisions.

Q: Can candidates request access to the social media data obtained during the background check process under the GDPR?

Yes, candidates have the right to request access to the personal data collected from social media background checks. Employers must provide this information upon request, along with details of how the data was processed.

Q: Can social media data obtained during background checks be shared with third parties under the GDPR?

Social media data obtained during background checks can be shared with third parties only if there is a lawful basis for such sharing and if the candidate has been properly informed about it.

Q: What specific disclosures must employers provide to candidates under the FCRA when conducting social media background checks?

Under the Fair Credit Reporting Act (FCRA), employers must provide a clear and separate disclosure to candidates before conducting social media background checks. The disclosure must inform the candidate that the check may be used for employment decisions and must obtain written consent.

Q: Can employers use information obtained from social media checks to make “adverse employment decisions” under the FCRA?

Yes, employers can use information from social media checks to make adverse employment decisions under the FCRA, but they must follow specific procedures outlined in the law. This includes providing the candidate with a pre-adverse action notice and allowing them time to dispute the accuracy of the information.

Q: How long can employers retain social media data obtained during background checks under the FCRA?

The FCRA does not specify a data retention period for social media data. However, employers are encouraged to retain the data only for as long as necessary and in compliance with other relevant laws.

Q: Can job candidates dispute the accuracy of social media data used in background checks under the FCRA?

Yes, job candidates have the right to dispute the accuracy of social media data used in background checks under the FCRA. Employers must provide a process for candidates to dispute any inaccuracies and correct the information if necessary.

Q: Can social media background checks be conducted on current employees under the GDPR and FCRA?

Yes, social media background checks can be conducted on current employees, but employers must ensure that they have a legitimate reason and comply with relevant GDPR and FCRA regulations. Consent or a legitimate interest must be established before conducting such checks.

Q: Can employers use publicly available social media data without obtaining consent under the GDPR and FCRA?

Yes, employers can use publicly available social media data without obtaining consent, as long as the data is legitimately obtained and used for lawful purposes, and it complies with applicable GDPR and FCRA guidelines.

Q: How should employers inform job candidates about the social media background check process under the GDPR and FCRA?

Employers should provide clear and transparent information to job candidates about the social media background check process. This includes disclosing the types of data they will collect and how they will use it, ensuring candidates are fully informed.

Q: Are there any restrictions on the types of social media data that employers can collect under the GDPR and FCRA?

While there are no specific restrictions on the types of social media data that can be collected, employers should only gather data that is relevant and necessary for the job-related purpose and avoid collecting sensitive or irrelevant information.

Q: Can social media background checks be outsourced to third-party vendors under the GDPR and FCRA?

Yes, social media background checks can be outsourced to third-party vendors, but employers must ensure that the vendors comply with GDPR and FCRA requirements and protect the privacy of the candidates’ data.

Q: Can employers use social media data to discriminate against candidates based on their race, religion, or other protected characteristics under the GDPR and FCRA?

No, employers cannot use social media data to discriminate against candidates based on protected characteristics under the GDPR and FCRA. Such practices are strictly prohibited and can lead to legal consequences.

Q: Can social media background checks impact a candidate’s right to be forgotten under the GDPR?

Yes, if a candidate requests their data to be deleted under the right to be forgotten provision of the GDPR, employers must comply and remove any social media data obtained through the background check process, provided there are no legitimate reasons to retain it.

Q: What should employers do if they find misleading or false information about a candidate during a social media background check?

If employers find misleading or false information during a social media background check, they should not use it to make hiring decisions. Instead, they should inform the candidate and provide them with an opportunity to clarify or dispute the information.

Q: Can employers use automated tools or algorithms to process social media data during background checks under the GDPR and FCRA?

Employers can use automated tools or algorithms to process social media data during background checks, but they must ensure that such tools comply with the principles of transparency, fairness, and accountability under the GDPR and FCRA.

Q: Are there any additional requirements for social media background checks when dealing with candidates who are minors under the GDPR and FCRA?

When dealing with candidates who are minors, employers must be especially cautious. They should obtain consent from the candidate’s legal guardian, ensure the information obtained is relevant to the job, and comply with any additional regulations related to minors’ data protection.

Q: Can employers use social media data to assess a candidate’s suitability for remote work positions under the GDPR and FCRA?

Yes, employers can use social media data to assess a candidate’s suitability for remote work positions, provided they do so in a fair and non-discriminatory manner and comply with all applicable privacy regulations.

Q: What should employers do with social media data after the hiring process is complete under the GDPR and FCRA?

After the hiring process is complete, employers should ensure they have a proper data retention and deletion policy. Social media data that is no longer relevant should be securely deleted to comply with GDPR and FCRA requirements.

Q: Can employers use social media data obtained during background checks for purposes other than hiring decisions under the GDPR and FCRA?

Employers should use social media data obtained during background checks only for the purpose for which it was collected, typically for making informed hiring decisions. Using the data for other purposes could lead to non-compliance with GDPR and FCRA regulations.

Q: What measures can employers take to ensure compliance with both GDPR and FCRA during social media background checks?

Employers can ensure compliance by obtaining explicit consent from candidates, providing clear disclosures, using reputable third-party vendors, maintaining data accuracy, and establishing appropriate data retention and deletion policies.

Q: Can social media background checks be conducted on candidates applying for internships or volunteer positions under the GDPR and FCRA?

Yes, social media background checks can be conducted on candidates applying for internships or volunteer positions, but employers should follow the same GDPR and FCRA guidelines as they would for regular job candidates.

Q: Can employers conduct periodic social media background checks on their current employees under the GDPR and FCRA?

Yes, employers can conduct periodic social media background checks on their current employees, but they must have a legitimate reason and comply with GDPR and FCRA requirements. Employee consent or a legitimate interest must be established.

Q: Can candidates refuse to undergo a social media background check without it negatively affecting their job application under the GDPR and FCRA?

In general, candidates have the right to refuse a social media background check, and employers should not negatively impact their job application solely based on their refusal, as long as the refusal does not violate any legal or regulatory obligations.

 

Neotas Social Media Background Checks and Social Media Screening

At Neotas, we understand the importance of conducting thorough and compliant Social Media Screening Checks, and our team of experts is dedicated to ensuring that the process is safe and reliable. Receive accurate and up-to-date information while complying with all relevant regulations, including GDPR and FCRA. Our advanced OSINT technology and human intelligence allow us to uncover valuable insights that traditional checks may miss.

 

Schedule a call today! We highlight behavioural risks identified across social media profiles and the wider internet, supplementing the background screening process. Learn more about how we can help you conduct social media screening and background checks in a safe and compliant manner.

Social Media checks for Lawyers and other legal professionals

In recent years, social media has become a ubiquitous part of our lives, with millions of people using it every day to share their thoughts, opinions, and experiences with others. Social media has also become an increasingly important tool for businesses and organizations to promote themselves and connect with their customers. However, with the increasing use of social media, there are also concerns about the potential risks it poses to individuals and organizations, especially in the legal sector. 

Trust 

Lawyers and legal professionals are individuals who are entrusted with sensitive and confidential information on a regular basis. This information can include details about ongoing legal cases, client information, and other sensitive data that needs to be kept confidential. Therefore, it is important to ensure that these individuals are responsible and trustworthy, and that they do not engage in activities that could jeopardize the safety and security of the clients they serve. 

One way to ensure that Lawyers and legal workers are trustworthy is to subject them to social media checks. Social media checks can help to uncover any inappropriate behaviour, unethical conduct, or potential conflicts of interest that could harm the reputation of the individual or their organisation. For example, a social media check could uncover evidence of discriminatory behaviour, drug use, or excessive drinking that could reflect poorly on the individual or the organisation they work for. 

Client Confidentiality 

In addition to protecting the reputation of the individual and their organisation, social media checks can also help to protect the safety and security of their clients. Lawyers and legal workers are often required to handle sensitive and confidential information, which means that they need to be trustworthy and responsible. A social media check can help to identify any potential risks, such as an individual who has expressed criminal, violent or threatening behaviour online, and prevent them from being hired or retained by the organisation. 

Standards of Ethical Behaviour 

Another important reason why Lawyers and legal workers should be subjected to social media checks is to ensure that they are compliant with legal and ethical standards. Legal professionals are held to a high standard of professional conduct, and any behaviour that is deemed unethical or illegal could lead to serious consequences, including disciplinary action or even revocation of their license to practice law. By subjecting Lawyers and legal workers to social media checks, organisations can ensure they are complying with these standards and upholding the integrity of the legal profession. 

It is important to note that social media checks should not be used as the sole basis for hiring or firing an individual. Rather, they should be used as a supplementary tool to help organisations make informed decisions about the individuals they hire or retain. It is also important to ensure that any social media checks are conducted in a fair and consistent manner, and that individuals are given the opportunity to explain or clarify any issues that may arise. 

In conclusion, Lawyers and legal workers are entrusted with sensitive and confidential information on a regular basis, and it is important to ensure that they are responsible, trustworthy, and compliant with legal and ethical standards. Social media checks can help to identify any potential risks or issues that could harm the reputation of the individual or their organisation and protect the safety and security of their clients. Social media checks are a valuable tool to help organisations make informed decisions about the individuals they hire or retain.

Neotas Social Media checks for Lawyers and other legal professionals

Neotas’ Social Media Screening goes beyond the surface, delving deep into a candidate’s or employee’s digital footprint to provide comprehensive insights. By harnessing the latest OSINT technology and expert analysis, Neotas can uncover valuable information that traditional background checks might miss, ensuring a more holistic evaluation of individuals.

With this service, employers can make well-informed decisions, safeguarding their organizations from potential reputational risks, security breaches, or any other concerns that could arise from an employee’s online activities. By proactively screening social media accounts, Neotas enables businesses to maintain a safe and secure working environment while protecting their brand integrity.

 


Social media checks for doctors and healthcare specialists


In the modern age, social media has become an integral part of our daily lives, extending its influence into professional realms. This article explores the significance of implementing social media checks for doctors and healthcare specialists.  

Social media checks contribute to maintaining professionalism, upholding ethical standards, staying updated on medical advancements, and preserving patient trust.  

By employing social media checks, medical boards can ensure that healthcare professionals uphold the highest standards of service and provide optimal care to their patients while safeguarding the doctor-patient relationship from potential harm caused by inappropriate social media use. 

Implementing social media checks for doctors and healthcare specialists in the modern age is crucial to ensuring professionalism, ethics, medical knowledge and patient trust, and to safeguarding the doctor-patient relationship.

The use of Social Media checks for Doctors and other medical and care specialists:

In the modern age of technology, social media has become a part of our daily lives, and it has also been the source of professional and personal information. Social media platforms and email have also become a tool for doctors to communicate with their patients, share their opinions, and learn about new medical advancements. However, there are concerns about doctors’ use of social media and the impact it can have on their professionalism and the doctor-patient relationship. This is why social media checks should be used for doctors.

Professionalism

Doctors, nurses and healthcare workers are expected to maintain a high standard of professionalism, and their social media presence should be no exception. Social media checks help to ensure that doctors, nurses and healthcare workers do not post inappropriate or unprofessional content on their profiles. This can include anything from offensive language, discriminatory comments, or inappropriate images. Any of these things can damage a doctor’s reputation and harm their patients’ trust.

Ethics

Social Media checks can help doctors, nurses and healthcare workers avoid legal and ethical issues. There are certain guidelines that doctors must follow, and these guidelines apply to their online activity as well. For example, doctors must maintain patient confidentiality, and they cannot discuss their patients’ medical information or post images of their patients without their consent. Social Media Policies backed up by regular Social Media checks can help ensure that doctors are aware of these guidelines and are not in violation of them.

Medical Advancements

Social media checks can help ensure that doctors are up-to-date with medical advancements and research because social media platforms can be an excellent source of medical information. These platforms can also be a source of misinformation. By monitoring doctors’ social media activity, medical boards can ensure that doctors are following evidence-based medicine and not spreading any misleading or harmful information.

Patient Trust

Lastly, social media checks can help maintain the trust between doctors and their patients. Patients have a right to know that their doctors are trustworthy and professional. If patients discover that their doctor has posted something inappropriate or unprofessional on social media, it can damage their trust in their doctor. By using social media checks, medical boards can ensure that doctors are maintaining a professional and trustworthy image online at all times.

In conclusion, social media checks are essential for doctors, nurses and healthcare workers to maintain their professionalism, avoid legal and ethical issues, stay up-to-date with medical advancements, and maintain the trust of their patients.

By using Social Media checks, medical boards can ensure that all doctors and other healthcare workers are adhering to the highest standards of professionalism and are providing the best care to their patients. It is crucial to ensure that social media is not damaging the doctor-patient relationship and that doctors are using it appropriately.

Neotas Social media checks for doctors and healthcare specialists

Neotas’ Social Media Screening goes beyond the surface, delving deep into a candidate’s or employee’s digital footprint to provide comprehensive insights. By harnessing the latest OSINT technology and expert analysis, Neotas can uncover valuable information that traditional background checks might miss, ensuring a more holistic evaluation of individuals. At Neotas, we understand the importance of conducting thorough and compliant Social Media Screening Checks, and our team of experts is dedicated to ensuring that the process is safe and reliable. Receive accurate and up-to-date information while complying with all relevant regulations, including GDPR and FCRA. Our advanced OSINT technology and human intelligence allow us to uncover valuable insights that traditional checks may miss.

With this service, employers can make well-informed decisions, safeguarding their organizations from potential reputational risks, security breaches, or any other concerns that could arise from an employee’s online activities. By proactively screening social media accounts, Neotas enables businesses to maintain a safe and secure working environment while protecting their brand integrity.

In a rapidly evolving digital world, Neotas’ Social Media Screening service is a powerful tool that equips you with the right information to make the right choices. So, take the first step towards a safer, more secure future by scheduling a call with Neotas today. You can also request a demo of the Neotas Enhanced Due Diligence Platform.

Written by: Steve Bailey

Steve has spent more than 20 years in screening. He introduced “Background Checking” as the terminology used today. He is a qualified Accountant, CEO of the Risk Accounting Standards Board, an academic, and a serial investor in innovative technology-based organisations.


Importance of using Social Media checks for Police Officers


This article covers the importance of social media checks for police officers, ensuring public safety, preventing misconduct, and building trust. By promoting transparency and professionalism, social media checks foster a stronger relationship between law enforcement and the community they serve.   

Introduction:

The demand for social media checks for police officers is rapidly gaining traction. Social media data checks can help to identify any red flags that may indicate a threat to public safety, such as officers posting racist or derogatory content. They also help prevent misconduct by revealing past behaviour that may indicate a tendency for misconduct, such as posts about abusing power or using excessive force. Social media checks protect trust in the police by identifying and mitigating any risks to the police’s image caused by negative or false information spread on social media. Social media checks also strengthen officers’ transparency, accountability, and professionalism, fostering a durable long-term relationship between the police and the community they serve.

Importance of using Social Media checks for Police Officers

The use of social media has become an integral part of our daily lives for staying connected with friends and family, networking with colleagues, and even job searches. However, social media has also been used to scrutinize and investigate individuals, including police officers. There has been a growing demand for social media checks to be conducted on police officers during recruitment and throughout their careers. It is important to ask why.

Ensures Public Safety 

Police officers are sworn to protect and serve the public. As such, they should be held to a higher standard of conduct than the average citizen. Social media background checks can reveal any red flags that may indicate that an officer poses a threat to public safety. For example, a police officer that has posted racist or derogatory content on their social media accounts may not be fit to serve the public fairly and impartially. By conducting social media checks, law enforcement agencies can ensure that they are hiring individuals that will keep the public’s best interests at heart. 

Prevents Misconduct 

The use of social media has led to an increase in the reporting of police misconduct. Law enforcement agencies cannot afford to have officers that tarnish their reputation through misconduct. Social media checks can reveal any past behaviour that may indicate potential misconduct. For example, if an officer has made a post about abusing their power or bragged about using excessive force, it may signal that they have a penchant for misconduct. By conducting social media checks, law enforcement agencies can nip any misconduct in the bud before it becomes a problem. 

Protects Trust in the Police 

The image of the police is essential to maintain public trust and confidence. Social media can be a double-edged sword when it comes to police image. On the one hand, social media can be used to promote positive interactions between law enforcement officers and the public. On the other hand, social media can be used to spread negative, false, or misleading information about the police, leading to a loss of public trust. Social Media checks can help law enforcement agencies identify any risks to police image and take measures to mitigate them. 

Ensures Compliance with Policies 

Law enforcement agencies have strict policies that govern how officers should conduct themselves both on and off-duty. Social media checks can help law enforcement agencies ensure that their officers are adhering to these policies. For example, if a police department has a policy that forbids officers from making public statements about ongoing investigations or cases, social media checks can help identify officers that are violating the policy. By enforcing departmental policies, law enforcement agencies can ensure that their officers are functioning within the parameters of their job duties. 

Helps Identify Issues with Mental Health and Wellness 

Police officers are often exposed to traumatic and stressful situations, leading to an increased risk of mental health issues. Social media checks can help identify any indications that an officer may be suffering from mental health issues or struggling with addiction. For example, if an officer has made posts about substance abuse or suicidal thoughts, it may indicate that they are struggling with mental health issues. By identifying officers that need help, law enforcement agencies can provide support and prevent potential incidents that may occur due to untreated mental health conditions. 

In conclusion, Social Media checks should be carried out on police officers to ensure that they are fit to serve the public fairly and impartially. Social media checks can reveal any red flags that may indicate that an officer poses a threat to public safety, is prone to misconduct, or is violating policies.

Ongoing Social media checks throughout the career of a police officer can also help identify issues with mental health and wellness, allowing the police to provide support and prevent potential incidents related to untreated mental health conditions. They also promote transparency, accountability, and professionalism among their officers, leading to a stronger and more trusted relationship between the police and the community they serve.

About Neotas Social Media Screening:

Neotas’ Social Media Screening goes beyond the surface, delving deep into a candidate’s or employee’s digital footprint to provide comprehensive insights. By harnessing the latest OSINT technology and expert analysis, Neotas can uncover valuable information that traditional background checks might miss, ensuring a more holistic evaluation of individuals.

With this service, employers can make well-informed decisions, safeguarding their organizations from potential reputational risks, security breaches, or any other concerns that could arise from an employee’s online activities. By proactively screening social media accounts, Neotas enables businesses to maintain a safe and secure working environment while protecting their brand integrity.

 


Social Media Screening Checks for Education Industry To Aid Safeguarding – Social Media Checks for School Staff


The Department for Education (DfE) is consulting on changes to the Keeping Children Safe in Education statutory guidance, to include the recommendation of social media background checks and adverse internet checks on prospective teachers.

The proposed changes would be set to come into effect from September 2022, ahead of the new school year. They would apply to England only but the devolved UK governments could soon follow suit.

What is the statutory guidance?

The Keeping Children Safe in Education statutory guidance outlines recommendations for schools and colleges on safeguarding children.

The updated version for 2022 comes into force on 1st September and includes guidance for the Education sector on the recruitment and selection process, regulated activity and recommended background checks. 

What recommendations are being made?

Under the statutory guidance, recommendations are being made for the process of shortlisting candidates. Currently, the process must include a self-declaration of a candidate’s criminal history, as well as declarations relating to their qualifications and eligibility for teaching in the UK.

Crucially, the guidance now also recommends that “online searches” should also be undertaken:

“[As part of the shortlisting process] Schools and colleges should consider carrying out an online search as part of their due diligence on the shortlisted candidates. This may help identify any incidents or issues that have happened, and are publicly available online, which the school or college might want to explore with the applicant at interview.”

These additional online searches have been recommended to supplement traditional background checks. They include screening a candidate’s online activity, including social media, as well as any relevant adverse media relating to the candidate online.

Conducting these checks at the shortlisting phase when hiring will help exclude inappropriate candidates from the later stages of the recruitment process, improving hiring efficiencies.


Social media policies for teachers

Education employers will now almost universally have a strict social media policy relating to the conduct of staff online, with clear behavioural guidelines.

These guidelines will typically include interaction and engagement with students and their families online but wider behaviour online should also be considered.

Social media screening checks will review online activity and check whether a teaching candidate displays behaviours that would make them unsuitable for this particular role, or whether their online activity could potentially bring the institution’s reputation into disrepute.

Why conduct additional background checks on teachers and education staff?

A growing number of sectors, now potentially including Education, are using online reputation screening to assess shortlisted employment candidates or existing employees.

What was once a “nice to have” check has now become a fundamental element of a robust hiring process, supplementing existing screening procedures. 

Increasingly, this type of screening is being adopted by industries whose employees are responsible for handling the vulnerable, such as teachers, as an added measure of risk management. 

Over thousands of social media background checks, we have proven their effectiveness at identifying potential behavioural risks, which would have gone unnoticed by traditional screening methods.

Here are examples of the types of “red flags”, or risks, which are typically uncovered in these types of online searches:

  • Extreme views and opinions
  • Hate and discriminatory behaviour
  • Inappropriate or undesirable content
  • Illegal activities
  • Addiction and substance abuse
  • Violent content
  • Sexually explicit content

Safeguarding children and protecting institutional interests

Conducting online reputation screening on prospective teaching candidates can help identify problematic or dangerous behaviours that wouldn’t be included in a CV or typically exhibited in an interview.

These checks help screen the attitude, as well as the aptitude of a hiring candidate. Additionally, the school, university or teaching facility can protect themselves, students and staff from the wider impact of employing a “bad apple”, including:

  • Avoiding the time and monetary cost of a bad hire
  • Protecting the children from a loss of productivity
  • Safeguarding against reputational loss to the institution, as any negative act of an employee in the media could be associated with the employer
  • Maintaining a positive workplace culture within the faculty, as a bad employee can negatively impact the whole team and be detrimental to the overall culture

Recent examples

In our 2021 Employment Screening Annual Report, we revealed that up to 16% of cases displayed at least one high-risk behaviour in their online activity. As these behaviours would generally go unnoticed using traditional background checks, this could be the difference between safeguarding children and exposing them to a potentially dangerous individual.

In July 2022, a teacher in the US was fired and investigated by the police after he was found to have been trying to meet up with a minor. While a person is under investigation or faces allegations, their criminal record remains untarnished, meaning this behaviour would not appear in traditional background checks.

Another US school teacher was previously fired following her sharing a series of racist messages online. A teacher in the UK was recently also removed from her post, following an investigation that cited her damaging comments online about students and her employers.

Why you should use third-party specialists

As experts in online reputation screening, we welcome the potential introduction of these checks to the Education industry. They are already a crucial element of the hiring process for thousands of businesses in the UK and will certainly enable more proficient, effective, data-driven safeguarding procedures when screening potential teaching roles or education support staff.

Social media background checks should always be conducted by third party specialists like Neotas. Checks conducted internally could lead to accusations of bias or breaches of GDPR, which could have costly consequences in the future.

To find out more about social media and online searches, schedule a call with our team today.

 

FAQs for Social Media Checks for Education Industry:

  1. What are social media checks for the education industry? Social media checks in the education industry involve reviewing an individual’s online presence on social media platforms to gather information about their behavior, character, interests, and suitability for admission or employment in educational institutions.

  2. Why do educational institutions perform social media checks on potential students or employees? Educational institutions conduct social media checks to gain additional insights into an individual’s background, values, and behavior. It helps them assess whether the person aligns with the institution’s values, exhibits appropriate behavior, and presents no concerns that might affect the learning environment or the institution’s reputation.

  3. What information do educational institutions typically look for during social media checks? During social media checks, educational institutions may look for posts, photos, or comments that provide insights into an individual’s character, professionalism, judgment, discriminatory behavior, involvement in illegal activities, or any content that may raise concerns about their suitability for admission or employment.

  4. Are social media checks legal in the education industry? The legality of social media checks may vary depending on the jurisdiction and local regulations. It is important for educational institutions to comply with applicable privacy laws and guidelines while conducting these checks to ensure they respect individuals’ rights and maintain compliance with relevant regulations.

  5. Can social media checks impact a student’s chances of admission or employment in the education industry? Yes, social media checks can have an impact on an individual’s chances of admission or employment in the education industry. If the information discovered during the check raises concerns or reflects negatively on the person’s character, it may influence the institution’s decision-making process.

  6. How can individuals protect their privacy during social media checks? To protect their privacy during social media checks, individuals can review and adjust their privacy settings on social media platforms to control who can view their posts and information. It is also advisable to think twice before posting or sharing content that could be considered inappropriate or potentially damaging to their reputation.

  7. Are there any specific social media platforms that educational institutions focus on during their checks? Educational institutions typically focus on popular social media platforms such as Facebook, Twitter, Instagram, LinkedIn, and sometimes even review blogs or personal websites. The platforms chosen may vary depending on the institution’s policies and the relevance of the platform to the individual’s admission or employment application.

  8. How far back do social media checks typically go? The timeframe for social media checks can vary. Some institutions may review a few months’ worth of posts, while others might go back several years. The extent of the check often depends on the institution’s policies and the importance of the position or program for which the check is being conducted.

  9. Can educational institutions use social media checks to monitor current students or employees? Educational institutions may have policies in place that allow them to monitor the social media activity of current students or employees, particularly if there are concerns related to inappropriate behavior, violations of policies, or potential threats to the institution’s reputation. However, this practice should be done in accordance with applicable privacy laws and guidelines.

  10. Are there any guidelines or regulations governing social media checks in the education industry? Guidelines and regulations governing social media checks in the education industry can vary by jurisdiction and country. It is advisable for educational institutions to consult legal professionals and adhere to relevant privacy laws, such as data protection acts or regulations, when conducting social media checks to ensure compliance and protect individuals’ privacy rights.

Social media background checks for Education Industry:

Social Media Checks for the Education Industry: In an increasingly digital world, the online presence of educational institutions and professionals matters more than ever. Explore the importance of comprehensive social media checks to ensure a positive reputation, safeguard students, and maintain trust. Discover how monitoring and managing online profiles can bolster recruitment efforts, enhance credibility, and mitigate potential risks. Stay ahead in the competitive landscape of the education sector by implementing effective social media strategies and best practices. Join us as we delve into this critical aspect of modern education management.

Have more questions about social media checks and social media screening services?

Schedule a call with our team today.

Neotas Social Media Background Checks and Social Media Screening

At Neotas, we understand the importance of conducting thorough and compliant Social Media Screening Checks, and our team of experts is dedicated to ensuring that the process is safe and reliable. Receive accurate and up-to-date information while complying with all relevant regulations, including GDPR and FCRA. Our advanced OSINT technology and human intelligence allow us to uncover valuable insights that traditional checks may miss.

 


Overcoming Enhanced Due Diligence Challenges on High Risk Customers


By Michael Harris MCMI, Head of Financial Crime Risk, Neotas

There is growing concern that disinformation and so-called “reputation laundering” campaigns could be used by high-risk customers to illegitimately pass enhanced due diligence checks.

Additionally, such campaigns could undermine the introduction of sanctions on high-risk individuals, as well as impede financial crime compliance teams in their assessment of customer risk.

Disinformation Campaigns

Disinformation campaigns typically seek to positively distort the reputation of a high-risk individual seeking to hide an unsavoury past.

They are orchestrated by PR firms, lawyers and accountants, who disseminate and build complex networks of false information, making it difficult for banks and other institutions to track the origins of the individual’s success or their sources of wealth.

The rebranding of a high-risk customer’s reputation can be so successful that without a sufficiently diligent approach, they are able to pass enhanced due diligence checks.

Customer Due Diligence (CDD) Complications

When initial risk assessment findings show that a potential client is a wealthy individual then this usually leads to a need for enhanced due diligence. If the customer is a politically exposed person (PEP) or from a higher risk jurisdiction known for corruption then the need for more stringent checks intensifies. 

In recent times, important parts of customer due diligence (CDD) onboarding checks have been made more difficult than ever. 

Banks conducting Sources of Wealth (SOW) and adverse media checks must continually battle against recent trends which have made this type of due diligence work even more challenging:

  1. Data Privacy Laws such as GDPR have complicated matters – particularly ‘the right to be forgotten’, whereby an individual has the right to request information about them held on file be removed, where there is no longer a legitimate use.

    This can even extend to information about them on the internet which has been indexed by one of the search engines, which they can request to be removed based on the provider’s removal criteria.

  2. Image and business re-engineering – sometimes referred to as “reputation laundering”. The reengineering of public personas to legitimise a high-risk individual’s business affairs. Reputations are “washed” clean, with any negative media buried under a barrage of manufactured positivity.


Follow The Money

In the due diligence community there is a phrase which basically says, ‘check how the person made their first million’. In other words, what are the origins of the current wealth portfolio?

Money laundering techniques for the layering of dirty money from corruption, trafficking, organised crime or any other illegal activity are renowned for disguising the original sources of money through a myriad of schemes. 

A common tool is to create very complex corporate structures (with the help of a complicit lawyer) through which money can be transferred from company to company, making the trail practically unauditable (with the help of a complicit accountant). Use of trusts, offshore and shell companies, nominee shareholders and directors (proxies) are all tools of the trade.

This is how so many oligarchs and other Ultra HNWIs (High Net Worth Individuals) can easily buy high-end property and other luxury assets, as conducting due diligence on companies set up for this purpose where no beneficial owner can be found is very difficult.

In response, the UK Government, in its economic crime bill, announced the creation of a Register of Beneficial Owners of Overseas Entities, in theory compelling the UBO (Ultimate Beneficial Owner) to be found and registered.

Manufacture The Reputation

Once it is extremely difficult to link the current wealth portfolio and assets with any original corruption, the oligarch/UHNWI can set about “buying a seat at the table”.

Typically, this involves investment into western cultural and entertainment industries including universities, the arts and sport, influencing governments and manufacturing a positive reputation (with the help of PR agencies and image consultants).

A major criticism of the recent purchase of Newcastle United Football Club by the Saudi Arabian Public Investment Fund is their very close association with the Saudi state. Critics have labelled the move an act of “sportswashing”, where a sporting institution will be used to help clean up the reputation of an owner or investor.

Enhanced Due Diligence for High Risk Customers – Recent Cases

An interesting recent case in point is how Russian-born oligarch Alisher Usmanov is attempting to get himself and his two sisters removed from the EU sanctions list.

Usmanov, who has a personal wealth of $20bn, made his money from metal and mining operations and has previously faced allegations of sportswashing due to his associations with Premier League football clubs Arsenal and Everton.

Following his placement on EU sanctions lists in March, a statement from Usmanov claimed that ownership of their assets is fully transparent and legitimate, while the Credit Suisse data that the EU’s case is built on is “fake and incorrect”.

Documents relating to his application to be taken off the sanctions list have not been made public. His history is a classic case of image and business reengineering over a period of many years.

New Guidance For Overcoming “Fake News” In EDD

The Wolfsberg Group recently issued new guidance on adverse media screening, which can help guide banks and financial institutions in managing high risk customers.

The guide gives detailed advice on carrying out negative news screening (adverse media) for financial institutions, highlighting the pitfalls and dangers of the sources of information used for these checks, as well as advice on how to check their legitimacy.

They call out the problem of “disinformation” or false/fake news and insist that only by carefully evaluating the sources can this be mitigated.


Using Open Source Intelligence

Given the level of complexity used in the schemes to launder money and manufacture reputations, appropriate levels of due diligence should be aided by advanced technology.

Open source intelligence tools like the Neotas Platform will build a complete picture of a high-risk individual and can help in identifying sources of wealth, analysing the legitimacy of news sources and mapping out a complete network picture.

Investigations using the Neotas Platform are not limited by time or international jurisdictions, and can be processed in multiple languages – enabling a more thorough analysis of a high-risk individual with a globalised background.

Although reputations may have been reengineered, not every track will have been covered. There will be a remaining footprint out there tying the individual to their sources and origins of wealth and original associates, a footprint that can only be uncovered using enhanced technology. 

As the analyst starts digging, the truth will start to emerge.

To find out more about the Neotas Platform, Customer Due Diligence or open source intelligence, schedule a call with our team here.

At Neotas, we remain committed to excellence in Enhanced Due Diligence. Let’s continue to drive excellence in due diligence.

Thank you for your continued support and engagement with Neotas. Should you have any questions or require further information, please do not hesitate to reach out.

 

About Neotas Enhanced Due Diligence

Neotas Platform covers 600Bn+ archived web pages, 1.8Bn+ court records, 198M+ corporate records, global social media platforms, and 40,000+ Media sources from over 100 countries to help you build a comprehensive picture of the team. It’s a world-first, searching beyond Google. Neotas’ diligence uncovers illicit activities, reducing financial and reputational risk.


How OSINT Can Help Challenger Banks Create More Robust AML Controls


FCA Warns Challenger Banks Over AML Compliance Shortcomings

In the latest reproach from the FCA to anti-money-laundering regulated firms across the financial services industry, Challenger Banks were criticised for failing to implement robust AML controls in line with money-laundering regulations. This is hot on the heels of a similar reprimand in 2021 when the FCA wrote to all UK retail banks in a ‘Dear CEO’ letter highlighting a wide range of compliance shortcomings including AML controls.

AML Regulations were last reinforced in 2020, when the requirements of the 5th Money Laundering directive were implemented, with the most recent updates particularly targeting digital financial services organisations, including the cryptocurrency sector.

Challenger Banks Facing New AML Challenges

In the most recent National Risk Assessment of money laundering and terrorist financing 2020, the entire retail banking sector remains ‘high-risk’ for fraud and money laundering. The NCA specifically stated “criminals may be attracted to the fast on-boarding process that Challenger Banks advertise, particularly when setting up money mule networks”.

The review exposed a core difficulty that has accompanied the rise of Challenger Banks, where the need for rapid customer growth has led to inadequate compliance procedures for many organisations.

The findings included weak customer risk assessment, insufficient enhanced due diligence practices and a lack of alignment with AML procedures.

Implementing a Risk-Based Approach

As with all financial crime compliance controls, the Risk-Based Approach (RBA) is key to the entire process. Implementing a proper risk assessment procedure by carefully assessing any financial crime risks with both new and existing customers is essential. 

In practice this means that firms must obtain all the information needed on both prospective and actual customers’ activities, business operations, the industries they are involved in, geographies and the services they require. Well documented policies and procedures are vital and full training of compliance teams in their application is essential.


In an increasingly digital and fast-moving customer environment, all financial services organisations including Challenger Banks need to digitally transform their KYC processes. 

Many organisations still rely heavily on manual and outdated AML systems particularly in the area of enhanced due diligence. Reliance on search engines and disparate data sets with analysts spending disproportionate amounts of time looking for the possible ‘needle in the haystack’ still characterises the typical approach to EDD. It is both an inefficient and ineffective approach.

The FCA itself recognises and supports the value of Open Source Intelligence (OSINT) in risk management and that a data-led approach is vital. This means using advanced analytical techniques such as machine learning and natural language processing to obtain actionable risk intelligence swiftly and accurately, to help manage financial crime risk.

With increasing penalties, fines and even criminal prosecution, Challenger Banks need to quickly implement controls and processes that not only fully meet their AML regulatory obligations, but are also effective at quickly identifying and dealing with suspicious activity.

Using The Right Tools

Using the Neotas technology, Challenger Banks are able to conduct more in-depth investigations and enhanced due diligence checks on higher risk customers swiftly and efficiently. What’s more, as the bank grows, the solution is scalable and future proof.

The best approach to enhanced due diligence should include carrying out searches of the entire internet, including social media and the dark web in real time, without being drowned in irrelevant results. Findings should be connected and analysed alongside established data sources such as PEPs, Sanctions, Adverse Media and Corporate to help remove blind spots from the process. Reliance on traditional, curated data sets and search engines will lead to critical risk information being missed.

Many firms are already discovering that OSINT for AML is transforming customer due diligence and adoption of the technology is increasing all the time. 


The FCA has asked all firms in the sector to review their approach to identifying and dealing with the financial crime risks they are exposed to and ensure they are fit for purpose. They have also requested that firms be prepared to report on their progress in developing the AML control frameworks as part of their compliance monitoring programme.

OSINT can be a key tool as firms review their processes. Managing higher risk customer relationships with enhanced due diligence and investigating suspicious activity in Challenger Banks can be fully met using Neotas’ advanced Platform. 

Improvements in speed and accuracy of these processes of up to 60% are frequently cited by customers while maintaining regulatory compliance. This is vital to ensuring that the customer experience remains seamless and to preserving the competitive edge that Challenger Banks have carved out in the market.

OSINT for Challenger Bank AML Controls:

In the fast-evolving landscape of financial services, challenger banks are revolutionizing the industry with innovative approaches. However, as they disrupt traditional banking, they also face unique challenges, including the need for robust Anti-Money Laundering (AML) controls. Open Source Intelligence (OSINT) can be a game-changer in this regard. This article explores how challenger banks can leverage OSINT to fortify their AML strategies. By harnessing the power of publicly available information, they can enhance customer due diligence, monitor transactions effectively, and identify potential risks. Discover how OSINT empowers these agile financial institutions to stay compliant, secure, and competitive in the market.

To discuss your AML needs, schedule a call with our team here. To request a demo of our Platform, please head here.

Michael Harris
Head of Financial Crime Risk

 


Environmental, social and governance (ESG) and The Power Of Open-Source Intelligence (OSINT)


“We frequently seek opportunities to enhance ESG within our investment processes. We felt that OSINT-based analysis was the natural next step for our ESG programme.” – Coller Capital

Neotas Partners With Coller Capital

Neotas are delighted to be chosen service providers of Coller Capital, to provide enhanced ESG due diligence on their investments, integrating OSINT into their ESG risk management framework. 

In their latest ESG Report, Coller Capital highlighted the power of OSINT in providing valuable insight beyond what is typically self-reported. This is critical at the initial investment stage and ongoing monitoring of the portfolio, to identify any red flags which need to be addressed throughout the funds’ lifecycle.

“This data provides new and original insights into non-financial risks. The inclusion of non-financial risk analysis has enabled better decision-making.” – Coller Capital

Who Are Coller Capital?

Founded in 1990, Coller Capital is one of the world’s leading investors in the secondary market for private assets, whose individual investments can be up to $1 billion or more. In January 2021 the firm closed Coller International Partners VIII, with committed capital (including co-investment vehicles) of just over $9 billion and backing from over 200 of the world’s leading institutional investors. In February 2022 the firm closed Coller Credit Opportunities I, with committed capital (including co-investment vehicles) of $1.45 billion and backing from over 30 institutional investors.

Regarded as a market leader for responsible investment, Coller Capital formed its ESG Committee in 2011, joined the first cohort of the Carbon Disclosure Project (CDP) and became carbon neutral as a firm in 2019. They are a founding signatory of the Initiative Climat International as well as a founding signatory of ILPA’s Diversity in Action (DIA) initiative.

Coller Capital have also retained their A+ rating from the PRI across the board since 2018.

 

ESG Report 2021

Within their ESG Report 2021, Coller Capital highlights the important role held by the industry in engendering greater innovation and collaboration in ESG.

As a secondary private capital investor, Coller Capital is well positioned to influence the General Partners (GPs) into whose funds they invest on ESG.

For their latest ESG report, Coller Capital gathered responses from 95 GPs representing 525 private equity funds, on their ESG approach and adoption of ESG practices.

Findings showed 86% of GP respondents are initiating measures to improve ESG performance within their portfolio companies. The proportion of GPs planning to increase their emphasis on ESG during the holding period also continues to grow, with 88% of respondents looking to increase their focus on ESG throughout their operational management. 73% of respondents will focus on ESG during due diligence and / or when preparing for exit.

“Neotas searches go deeper than traditional due diligence checks by ‘spidering out’ across the entire internet and their proprietary AI technology helps them analyse vast quantities of data at speed.” – Coller Capital

 

Value of Enhanced ESG Screening

Early screening remains the most frequent stage at which a GP declined an investment for ESG reasons. Almost half of respondents within Coller Capital’s ESG report were found to have declined an opportunity on ESG grounds at the initial stage of the investment process, rather than after due diligence or at the Investment Committee stage. 

This only serves to highlight the importance of engaging OSINT investigations as early as possible. 

Further, only 32% of GPs reported ESG-related adverse events at their portfolio companies in the last 12 months and, after cases of litigation, adverse publicity and negative media were the most common events.

Is there more to uncover, before it’s too late?

“In revisiting and refining our process over time we have enhanced our approach to ESG screening, and our analysis and outputs” – Coller Capital

 

OSINT for ESG Risk Analysis

Did you know that search engines only capture 4-6% of available data online? 

Applying the science of OSINT honed over multi-year R&D, Neotas’ AI-powered Platform can rapidly analyse all publicly available data online across the entire breadth of the internet.

OSINT techniques overcome many of the shortcomings of traditional ESG assessments, which rely on self-reporting, experience a time lag, and only capture data at a point in time. The Neotas Platform and ongoing monitoring tool deliver analysis on a more real-time basis, rapidly processing vast quantities of live data to deliver meaningful insights for more robust, holistic decision-making.

Deep-dive investigations can be applied to both individuals or organisations and are not limited by international jurisdictions. The Platform processes data in over 200 languages and pulls from the following sources:

[Chart: data sources used by the Platform]

Example red flags that would otherwise have gone undiscovered using traditional methods include:

  • The illegal use of animals and animal parts (e.g. rare and protected species)
  • Deforestation (e.g. illegal logging or logging in sensitive areas)
  • Financial crime (e.g. fraud, money laundering)
  • Unethical or unsafe work practices (e.g. modern slavery and human trafficking or other human rights abuses)


 

Tackling ‘Greenwashing’

“The time when firms could get away with a veneer of ESG is over.” Adam Black, Head of ESG & Sustainability at Coller Capital

Increasingly, regulators are turning attention to the claims of private market participants around sustainable investing, with a higher degree of scrutiny and emphasis on evidence. 

Neotas OSINT investigations can tackle accusations of ‘greenwashing’ by delivering ESG risk signals and reporting that is 100% fully auditable, documented and recorded at every step of the way.

Through greater emphasis on non-financial risk data and the use of OSINT techniques, Neotas are pleased to be long-term partners with Coller Capital to support their pioneering commitment to ESG. 


Make sure you’re ahead of the curve – schedule a call with a member of our team to enhance your ESG risk management framework today.


ESG and The Power Of Open-Source Intelligence (OSINT):

ESG (Environmental, Social, and Governance) considerations are increasingly crucial for businesses striving for sustainability and responsible practices. This article delves into the transformative power of Open-Source Intelligence (OSINT) in the realm of ESG. Discover how OSINT data sources enable organizations to gather real-time information on ESG-related factors, such as carbon emissions, social impact, and governance practices. By harnessing the wealth of publicly available data, companies can make informed ESG decisions, track progress, and communicate transparently with stakeholders. Explore the synergy between ESG and OSINT, paving the way for more sustainable and socially responsible business practices.


Enhance Your ESG Due Diligence for Resilient Growth

Investing in ESG isn’t just about compliance—it’s about driving long-term value, building resilience, and aligning with the future of responsible business. With Neotas’ ESG Due Diligence, you gain deeper insights, mitigate risks, and ensure your investments are aligned with sustainable growth.

Empower your decision-making process today and lead the way in shaping a more sustainable and responsible future.

Ready to transform your ESG strategy? Let’s start the journey together.

For more information on how Neotas can support your ESG strategy, visit www.neotas.com or contact us at info@neotas.com. Connect with us on LinkedIn to stay updated on the latest industry insights and updates.


Suisse Secrets Leaks Exposes EDD Shortcomings


It is a sign of the times when the largest political grouping in Europe threatens to designate Switzerland a high-risk jurisdiction for financial trading.

A spokesperson for the European People’s Party said information in this week’s data leak (nicknamed the ‘Suisse Secrets’) showed “massive shortcomings of Swiss banks when it comes to the prevention of money laundering”. 

The data revealed details from more than 18,000 accounts, ranging over 70 years from the 1940s to the 2010s. 

The leak claims that Credit Suisse reportedly held $8 billion in assets for a client list that included known criminals, corrupt politicians and individuals with proven associations to torture and drug trafficking.

Credit Suisse now faces widespread pressures including massive debt problems, regular reviews by the US Inland Revenue Service and legal cases in criminal court.

The mounting issues faced by the bank prove that it pays in the long-term to know your customer, and that Credit Suisse have been neglecting their due diligence responsibilities.

 

Credit Suisse Response

In response, Credit Suisse “strongly rejects” the “allegations and insinuations” about the business practices exposed by the Suisse Secrets leak, claiming that 90% of accounts implicated are closed today.

In a separate event, Switzerland’s Federal Criminal Court heard this week about events at the bank between 2004 and 2008. Credit Suisse became the first major Swiss bank ever to face criminal charges in the country and the trial is due to continue for the next three weeks.

The court heard that executives were aware of “serious concerns” about members of the Bulgarian mafia depositing “suitcases of cash”, but chose to continue with business as normal despite knowledge of criminality and gang-land assassinations.

 

A Swiss History

Allegations of Swiss bankers purposefully committing illegal acts for high-net-worth clients were also famously exposed during the 2008 trial of UBS wealth manager Bradley Birkenfeld.

Those days are changing and the regulators are now consistently issuing fines for companies that are found not to be carrying out “adequate” background checks.

In 2021, the FCA fined Credit Suisse £147.2 million for due diligence failings in relation to loans for the government of Mozambique.

In the case, the FCA found that Credit Suisse “should have appreciated the unacceptable risk of bribery” due to information that was open to executives.

 

Recent Example

A recent investigation into an individual for AML purposes highlighted the need for thorough KYC screening. The individual had already passed traditional checks with no major concerns and no risks associated with their name.

Our enhanced due diligence investigation uncovered a string of aliases associated with the individual. Further analysis of the aliases identified a long history of criminal activity, including associations with money laundering and a host of other financial crimes.

 

Evolving Risks of Suisse Secrets Leaks

As risk exposure continues to evolve, the regulators now require stronger protection against potential indicators of fraud. Enhanced screening using open source intelligence is now strongly recommended and will soon become the standard for due diligence.

For banks like Credit Suisse, embracing open source enhanced due diligence checks can help identify high-risk behaviours and drastically improve KYC efficiencies. Neotas’ advanced technology can even boost AML detection rates by up to 400%.

Our technology rapidly interrogates the largest traditional databases in the world, as well as 100% of public online data. Incorporating real time online data, we provide a more complete picture of customer risk and cover the blind spots in existing CDD practices/processes. 

If the information is out there and isn’t considered as part of EDD processes, it will be hard to build a defensible position to the regulators should a financial institution be investigated. 

As the recent Dear CEO letter by the FCA indicated – financial institutions are now expected to do more, or face the consequences. Isn’t it time that you protected yourself from the regulators?

If you want to discuss due diligence or risk management, our team are here to help. Get in touch or schedule a call here.

Neotas Due Diligence 2021 Annual Report


Risks hidden in plain sight

“2021 was another unprecedented year for Neotas. In spite of the circumstances, we enjoyed our most productive year to date and I couldn’t be prouder of the way our team overcame the challenges we faced together.” – Ian Howard, Director

We are delighted to share our Due Diligence Annual Report for 2021, featuring insights and case studies from many thousands of enhanced due diligence investigations conducted over the past 12 months.

While the exact results of each investigation remain strictly confidential, we present an overview of our findings, including the types of ‘behaviours’ most often uncovered and some of the interesting cases we have reviewed along the way.

What We Found


Fundamentally, Neotas investigations uncover risks that are not found as part of traditional compliance checks. Put simply, we gather and analyse more data, from more diverse sources than anyone else.

In addition to the usual data sources, our investigations help identify specific non-financial risk data and behavioural risks associated with personnel, reputational vulnerabilities and much more. 

A red flag defined by Neotas is a high-risk behaviour we have identified, as it relates to an individual or an enterprise. Throughout 2021, more than 9% of cases we reported back to our clients displayed at least one high-risk behaviour.  

Interestingly, these red flags generally go undiscovered when conducting procedural compliance, but can hugely influence business decisions. Once reported, these cases are almost always investigated further and more deeply.

Red Flag Breakdown


Neotas have pre-built search queries (lines of investigative enquiry) that identify common high-risk behaviours, or we can customise and configure the queries to suit the industry or organisation. 

Typically, these searches seek to identify illegal behaviour, reputational risks, noteworthy or concerning ‘links’ within personal/corporate networks.

Examples of the risks included in these searches:

  • Directorship Undisclosed/Of Concern
  • Adverse Media
  • PEP/Sanction Lists
  • Inappropriate or Undesirable Behaviour
  • Regulatory Actions/Notices
  • Employment Inconsistencies
  • Court Records
  • Inappropriate/Undesirable Content
  • Others
  • Employee/Client Reviews
  • Sexually Explicit Content
  • Recommended for further research

In 2021, the most common red flag uncovered was present in over 20% of cases where a high-risk behaviour was found.

Inconsistencies in employment records were also one of the most common issues found. These types of inconsistencies can cause major reputational scandals, such as the former Yahoo CEO who was found to have fabricated elements of his CV.

Links to inappropriate or undesirable content were also amongst the most common issues uncovered, and have been shown to pose major reputational threats.


Interesting Cases


All Neotas searches are fully GDPR compliant and we continue to ensure that ‘protected characteristics’ remain protected. Here are some anonymised examples of some of the most noteworthy cases from the past year:

  • An investigation into a high-risk individual uncovered an abusive past and suspicious activity for this crypto-trader.
  • Network analysis into an individual and associated entities revealed suspected links to money laundering and terrorist financing.
  • A string of aliases did little to hide the past of a fraudster with connections to schemes that sought to launder billions.


Why conduct enhanced due diligence searches?

The challenges of Covid restrictions in 2021 exposed many organisations to new vulnerabilities and sharply increased the typical (ongoing) threats. 

The risk landscape has increased dramatically and the value we add is being strongly felt by our clients. We work in partnership to assist our clients, sharing their increased volume of work and helping them be more effective in reducing the amount of time (and hassle) spent on cases.  

With 9% of cases exhibiting high-risk behaviour, it’s clear that critical information is being missed by traditional compliance methods. Our advanced technology harnesses open source intelligence to deliver risk reporting without the blind spots and in a fraction of the time. 

While procedural due diligence checks rely on databases that are limited by their very nature, Neotas’ ‘live’ searches incorporate 100% of online sources to help massively reduce risk exposure.

By using an investigative, technology driven approach we are able to efficiently aggregate and analyse vast quantities of publicly available online data, then connect the dots between disjointed legacy databases – delivering a new depth of insight to compliance and risk reporting.

Groundbreaking techniques and technologies combined in 2021 to deliver ongoing risk monitoring that eliminates false positives, helping risk managers focus resources efficiently and mitigate exposure to new and future vulnerabilities.

Schedule a call with our team today, to find out how enhanced due diligence checks can lower your business risks in 2022.


Neotas Employment Screening 2021 Annual Report


Reflections on 2021

“Employers in 2021 were forced to adapt and overcome a host of challenges that were multiplied due to the pandemic. 

In an increasingly ‘connected’ world, adopting new technologies and techniques like our social media screening services proved vital, leading to actual improvements in hiring decisions.” – Ian Howard, Director

The Neotas Employment Screening 2021 Annual Report includes insights and data from the thousands of employment screening checks we conducted that year.

While all searches continue to operate under the strictest data protection guidelines, the Employment Screening 2021 Annual Report gives an overview of our findings. The report includes a selection of noteworthy anonymised cases and insights into the types of behaviours most commonly uncovered in our searches.

What We Found

16% of employment screening cases in 2021 returned a high-risk behaviour, with 84% confirming the suitability of the candidate

Traditional employment screening checks are generally procedural and heavily reliant on databases. The primary concern of these checks tends to be based around aptitude and proven criminal history, with less emphasis on attitude or personal suitability for the company. 

Our enhanced employment screening searches reduce the blind spots left by traditional checks by broadening and deepening the search into the suitability of an employee. We do this for new hires as well as for the ongoing monitoring of existing key personnel.

An astonishing 16% of searches in 2021 returned at least one red flag, signalling that a high-risk behaviour was identified which directly related to the individual. 

Our clients constantly tell us that these red flags do influence their hiring and staff retention decisions.

Although the primary function of our searches is to identify negative or high-risk behaviours relating to an individual, that is far from the full picture. Another function is to identify positive behavioural attributes that may prove beneficial to a hiring decision or to the employee in question. These are shown as green flags.

84% of cases in 2021 confirmed the suitability of the candidate, many of which included evidence of positive attitudes and behaviours concerning the individuals in question. 

Red Flag Breakdown


Neotas conduct pre-built search queries (investigative lines of enquiry) that identify common high-risk behaviours. We also customise and configure the ‘risk identifiers’ and searches to suit the industry or organisation. 

Typically, these searches seek to identify illegal behaviour, reputational risks, inconsistencies in personal details and much more.

Examples of the risks included in these searches are:

  • Inappropriate / Undesirable Content
  • Sexually Explicit Content
  • Employment Inconsistencies
  • Hate & Discriminatory Behaviour
  • Extremism
  • Violent Content
  • Illegal Activities
  • Substance Abuse
  • Educational Inconsistencies
  • Others

Over the past 12 months, the most common red flag uncovered was present in over 45% of cases where a high-risk behaviour was found.

Evidence of hate, discriminatory behaviour or extremism was also one of the most common red flags throughout 2021, alongside links to violent content.

Our searches uncovered evidence of illegal activities in 12% of red flag cases – these behaviours would not be found by a traditional DBS check, had there not been a prior conviction.


Interesting Cases


All Neotas searches are fully GDPR compliant and we ensure that ‘protected characteristics’ remain protected. Here are some anonymised examples of some of the most noteworthy cases from the past year:

  • A senior candidate being onboarded for a role handling confidential data was found to have a history of data leaks in their previous employment.
  • We were able to confirm the suitability of a candidate for a management position, also finding evidence of recent charitable and volunteering work.
  • An executive candidate being considered by a major organisation had links to a number of potential reputational risks, including a history of publicly sharing explicit content.


Why use enhanced social media screening?

More than 16% of cases in 2021 returned at least one red flag, constituting a high-risk behaviour associated with an individual that would not have been picked up by traditional database-reliant checks.

The potential impact of making a bad hire, or of not effectively managing company culture is substantial – though by embracing enhanced screening technologies, firms can avoid these costly mistakes.

In an increasingly remote working environment, those making hiring decisions can no longer rely on face-to-face meetings to help evaluate individuals, therefore additional information and insights are vital.

The experience of many thousands of cases has enabled Neotas to develop a powerful Online Reputation Screening capability in the form of a managed service and a ‘Pay-As-You-Go’ model.

We have proven that organisations adopting the latest and most innovative of Neotas’s services, ongoing risk monitoring for existing employees, do reduce bad hires.

By establishing Ongoing Monitoring as part of the hiring process we have helped many companies protect against such damage and loss. The upside is greater ‘peace of mind’ and a more positive culture amongst employees.


Using Open Source Intelligence To Battle Fin Crime


Open source intelligence (OSINT) is beginning to take on a more important role as financial firms move towards greater digitisation. The advent of tools harnessing advanced technology, as well as the global pandemic, has opened the door for many to make changes in their fight against financial crime (fin crime).

The FCA previously made their expectations clear for increased vigilance while the pandemic continues, with opportunists taking advantage of the ongoing uncertainty.

As a result, the ACFE have reported that more than 80% of organisations have already implemented one or more changes to their anti-fraud programs in response to the pandemic. 

These include operational shifts, fraud prevention training and expanding risk mitigation processes to include third party tools – such as open source due diligence. 

But what role can open source intelligence play in this fight against fin crime? In short – a huge one.

Understanding open source intelligence

For many firms, the pandemic has brought a long overdue opportunity to review risk assessment; for the unlucky, their hand has been forced.

Interest in open source due diligence has steadily grown over the past decade, while more and more organisations realise the impact it can have on risk management.

The regulators have also begun to see the importance of this type of intelligence and are now also imploring firms to do more. The recent Dear CEO letter distributed by the FCA to the heads of businesses operating in Trade Finance stated clearly that not enough is being done.

For many, the hesitation to adopt the technology can be due to legacy practices or relationships, internal objections, or a misunderstanding about the practicalities of the searches themselves. There is a misconception that the investigation of the data is somehow invasive or illicit, when in fact nothing could be further from the truth.

Open source data is entirely public information that is stored online, while open source intelligence is the actionable data points that experts like Neotas and our analysts use to deliver our comprehensive reports.

The sheer volume of information that can be accessed online can make it seem daunting or difficult to parse, which is why thorough, accurate analysis using artificial intelligence and machine learning is needed to identify relevant, actionable risk data only.

Using OSINT to fight financial crime

Open source intelligence can play a pivotal role in preventing or detecting financial crime.

When harnessed correctly, tools can be used to gather intelligence about the behaviour, reputation and online activities of individuals or organisations, then evaluate them based on specific risk indicators relating to financial crime.

AML

While regulatory compliance guidelines continue to evolve, what it means to truly know your customer is also changing. Open source intelligence platforms like the Neotas Platform allow you to establish clear network analysis charts to help identify connections between individuals and organisations from within disjointed databases.

Using natural language processing (NLP), the right open source intelligence tools can also process data in hundreds of languages, no matter the jurisdiction – eliminating international blind spots from compliance.

With 42% of fraudsters shown to be living beyond their means, one of the key roles that open source intelligence checks can play is in identifying wealth mismatch as a behavioural risk.

Internal Threat

The Fraudscape 2021 report highlighted internal threat as the core issue to be aware of this year. 

The huge increase in remote working has become an instant threat for many organisations who have been forced to adapt to the landscape of the pandemic. The hasty adoption of home working practices has at times left vulnerabilities to breaches of sensitive information. Thorough, ongoing analysis of employees’ online behaviours can help determine personnel risk when considering insider threats.

Vast Data Sources

Put simply – ignoring open source intelligence is choosing to willfully ignore a huge percentage of potential fincrime risk data. 

General online searches only access 4-6% of available online data, which is why internal searches without considering open source intelligence will never be sufficient for knowing your customer.

Using traditionally curated databases can serve valuable purposes from a compliance and risk point of view, however even the largest databases are limited in comparison to online sources.

Science Focus previously reported that the “Big Four” tech companies alone (Facebook, Google, Amazon, Microsoft) store over 1,200 petabytes of data, that’s excluding all other online sources. Comparatively, LexisNexis’ dataset is considered vast and includes 6 petabytes of data.

Open source intelligence searches also interrogate deep and dark web sources, which aren’t typically included in an analyst’s risk evaluation process.

Greater Efficiencies

In our own cases, Neotas have raised the financial crime detection rate by 400% over the industry standard (1%). These greater efficiencies can play a crucial role in improving overall detection of financial crime.

Not only will improved detection act as a deterrent, but the quicker and more efficiently the cases are handled, the more cases investigators will be able to manage.

Previously, analysts were forced to complete a huge checklist of actions across a number of different platforms. They would need to remember where and how to do each check, as well as the regulations and limitations of each platform. This incredibly time-consuming process is one of the key inefficiencies of the role, but has been necessary until now.

Tools like the Neotas Platform internalise that process into one configurable dashboard, combining internal and external data feeds in one place. Searches across a huge selection of channels are conducted, analysed and evidenced in one place, leading to far greater efficiencies and accountability. 

Recent Case Studies

In a recent case for a European venture capital firm, we uncovered a history of fraudulent activity associated with an individual who had changed their name. 

Although the name change itself didn’t constitute illegal activity, our enhanced due diligence checks revealed a number of areas of concern including hidden links to fraudulent businesses, as well as undisclosed directorships. These insights would go on to influence the investment decision for our client.


In another recent case for Channel Capital, network analysis of a European company and its Director also uncovered related parties and entities of concern.

Our report unveiled suspicious transactions between the subject company and another European entity. The transactions had seemingly been made in an attempt to inflate the books of the subject company, as a way to appeal to investors. 

Following the insights delivered within our enhanced checks, Channel reported the suspicious behaviour to the authorities and halted the deal.

While traditional checks had not uncovered any suspicious activity in these cases, both outcomes were changed for our clients by introducing open source intelligence checks into the financial crime prevention process.

Future of Fin Crime Prevention

The ACFE has reported that the use of artificial intelligence in fraud prevention is expected to triple over the next three years, as firms continue to adopt new tech. Although this increased adoption is a positive step, those who evolve quicker will drastically reduce their exposure to risk in these cases.

The potential impact that open source intelligence can have on financial crime detection and prevention is plain to see. While the sheer scale of the open source data available can seem daunting, it’s crucial that it forms a central part of risk management processes over the coming years. 

Financial institutions should continue to adapt to include open source intelligence checks into their risk assessment procedures, to help ensure an effective defense against opportunists and fraudsters.

Regulations continue to evolve and are likely to require even more data points in the future. Harnessing open source data now can not only ensure compliance but potentially protect from costly mistakes.


 

About Neotas Due Diligence

Neotas Platform covers 600Bn+ archived web pages, 1.8Bn+ court records, 198M+ corporate records, global social media platforms, and 40,000+ Media sources from over 100 countries to help you build a comprehensive picture of the team. It’s a world-first, searching beyond Google. Neotas’ diligence uncovers illicit activities, reducing financial and reputational risk.


Manage Financial Crime Compliance and Business Risk with OSINT.

Neotas is an Enhanced Due Diligence Platform that leverages AI to join the dots between Corporate Records, Adverse Media and Open Source Intelligence (OSINT).


Private Equity Risk: What You Don’t Know Can Hurt You


That stupid saying “What you don’t know can’t hurt you” is ridiculous. What you don’t know can kill you. If you don’t know that tractor trailer trucks hurt when hitting you, then you can play in the middle of the interstate with no fear – but that doesn’t mean you won’t get killed. — Dave Ramsey

According to McKinsey’s 2021 Private Markets Annual Review, private equity has outperformed other asset classes and experienced less volatility than any year since 2008. 

The review suggests that more institutions and wealthy individuals are turning to private equity (PE) to supplement and bolster the returns of their traditional investment portfolios as the markets remain largely unpredictable. 

Increased levels of activity can lead to a host of new challenges and private equity risks, as the appetite for dealmaking forces a sense of urgency – meaning that due diligence can at times be overlooked or under-executed. 

 

New Challenges for PE Investment Firms

Deloitte predicts that global PE assets will reach $5.8 trillion by 2025, significantly above the $4.5 trillion at the end of 2019. The significant increases in PE funds inevitably create new pressures on those responsible for investing the new capital and greater risk for their investors. Here are some of the reasons why:

Demand for rapid deployment of funds
According to MarketWatch, the top 25 private-equity firms had $509.8 billion in uninvested cash at the end of the 2nd quarter of 2021. Some claim they have more money than potential investments. 

With “excess” funds and a demand for deals, firms are diversifying into new industries and geographies with limited experience.

Increased competition
The number of private equity firms raising investor funds and seeking investments has increased on average about 7% each year since 2013, with an estimated 9,000 globally in 2021. The number of completed investments has been stable since 2015, while investment totals have increased. 

While demand for high-return investments has grown with the new investment totals, the supply of potential investments capable of delivering such high rates has remained stable. 

The PE firms compete for the desirable opportunities, driving up valuations and increasing risk. Simply stated, too much money is chasing too few deals.

Reduced client management responsibility
The open checkbooks of PE firms encourage excessive risk and over-spending by client companies. Iana Dimitrova, CEO of FinTech start-up OpenPayd, has warned, “Investors are increasingly writing higher and higher checks. Frankly, I see that as detrimental to the long-term sustainability of our industry because businesses are not focused on generating value, they’re focused on burning and deploying cash.”

Increased risk data
For firms willing to embrace enhanced investment due diligence, there is a new level of insight into risk data available. The reputation of a firm and its senior management has never been more critical. Firms don’t want to invest in businesses or individuals with bad reputations or troubled pasts. 

Emphasis on ESG goals
PE firms and their investors are increasingly conscious of a prospective investment’s environmental, social, and governance goals. Elias Koronis, a partner at Hermes GPE, suggests that sustainability is now as big a factor as other risk data; “The big mindset shift is that now ESG risk is as important and as central to a company as any other type of financial risk, such as leverage risk”.


Limited analytical resources & experience
The experience and expertise necessary to analyse potential PE investment opportunities typically takes years to acquire. 

Analysis of the character and backgrounds of client company management is especially critical and adding capable, experienced staff amidst current market conditions is increasingly difficult. As the workload grows for analysts and PE decision-makers, shortcuts in due diligence are inevitable.

 

The Importance of Due Diligence

Private equity investment is considered high risk in normal economic periods. The existing market conditions escalate the risk for investors and justify continuous emphasis on investment and reputational risk management.

Client Management Team Importance

Few investors dispute the importance of the management team in the success of a business. Private equity firms understand that the value of a company is not a “good idea,” but management’s ability to transform the idea into reality. 

No matter how revolutionary the concept, the management team’s performance is critical to success.

Of the many factors that affect the investment decision, management due diligence – evaluating the quality and skill of management – is the most difficult due to its intangible nature. 

Inexperienced analysts fail to recognise that search engines index only a small portion of available online information (4% to 6%), consequently omitting masses of data that could provide valuable insight about a company or its executive reputations, work histories, values, and abilities.

Under competitive pressures to quickly determine whether an investment is warranted, private equity analysts are tempted to minimise reputational risk in their due diligence, especially when a cursory search confirms their subconscious biases. 

An open-source internet search – enhanced by machine learning and natural language processing – provides independent, unbiased information about the attitude and aptitude of individuals and firms, ensuring they comply with regulatory guidelines and identify potential conduct or financial crime risks.

PE Analysts Limitations

Private equity analysts are especially adept at reviewing quantitative financial and industry data necessary to confirm or modify prospective investments’ pro forma statements, valuations, and cap tables. 

Unfortunately, they rarely have the search and database query skills and experience required to complete enhanced due diligence (for risk & compliance), investment (or management) due diligence, or specific functions, including ESG.

Their lack of experience can cause them to overlook indications of questionable actions – allegations of discrimination and abusive behaviour, data leaks, fraudulent behaviour, and corruption – by the potential investment candidate or its founders.

 

 

Private Equity Risk

Private equity investments offer substantial opportunities for growth and returns, but they are not without risks. Investors in private equity face various types of risk, including market risk, liquidity risk, and operational risk. Market risk stems from economic fluctuations and the potential for underperformance of portfolio companies. Liquidity risk arises because private equity investments are typically illiquid and require a longer investment horizon. Operational risk pertains to issues within the portfolio companies, such as mismanagement or operational challenges. Successfully navigating these risks requires thorough due diligence, diversification, and a long-term investment perspective to capitalize on the potential rewards of private equity.

Time To Know More (private equity risk)

In this hyper-competitive PE period following the pandemic, private equity risk is exceptionally high. The combination of increased client expectations and higher investment amounts forces PE firms to identify, analyse and confirm investment decisions on tighter deadlines and in a saturated market.

Simultaneously, the global increase of social activism exposes companies to new risks – with sustainability and culture at the heart of reputational vulnerabilities. 

While no strategy is failsafe, a thorough and complete due diligence process, including reputation and management, can help lower overall investment risk while relieving pressure on internal resources.


Using Open Source Intelligence To Enhance Online Reputation Management


While reputations can be built, sometimes crafted, over many years, they can be tarnished in an instant. The value of a reputation should not be underestimated and it’s imperative that brands use all of the tools at their disposal to protect and bolster their reputation.

Deloitte have previously determined that up to 75% of a company’s value can be considered intangible. This translates to three quarters of a business’ overall value being vulnerable to reputational damage.

Employing the right technology as part of online reputation management can help brands proactively protect their reputations, mitigating risks and solidifying market perception.

The Evolution Of Risks

In a global economy, risks are more varied in size, location and damage potential than ever before. The online world presents limitless opportunities and risks for brands who are now expected to be available and vigilant 24/7. 

These are just some of the types of reputational risks to brands that can be found online:

Consumer & Worker Voice 

The internet has granted previously unheard consumers a platform to share feedback, evaluation and criticism. 

Consistently negative consumer feedback will undoubtedly reflect poorly on a brand. Monitoring and evaluating consumer feedback can serve as a reflection, at least in part, of the “voice” of a company’s customer base.  

Company workers have been granted a similar platform through online review sites such as Glassdoor. Similarly to consumer voice, public employee feedback can act as a barometer for company performance and culture, and will certainly influence the public perception of a brand if a negative news cycle begins to build.

 

Internal Threats

Internal business threats can come in a host of forms, including confidentiality breaches and personnel misconduct.

Reviewing a management team’s online footprint can help highlight potential risks including damaging behaviours and misconduct – all of which can negatively impact the reputation and value of the target company in the present and future if left unchecked.  


In a previous case we discovered damning allegations of sexism and derogatory behaviour from staff towards their company’s CEO. Upon reviewing the report, our client decided not to continue with the deal – a decision that was reaffirmed when the CEO of the target company hit the press a year later.  

International Risks

Brands that operate internationally need to be aware of the risks that can come with global supply chains, where they may have limited control but could still be vulnerable to reputational damage.

For those brands operating internationally, threats to reputation should also be monitored and considered in different languages. While many online tools claim to give oversight of online and global brand threats, not using a multilingual approach can lead to unnecessary exposure to threats. 

Social Media, Brand Ambassadors & Brand Values

As has been made very public over recent years, social media has the potential to come back to haunt the reputations of high profile businesses and personnel.

It can reflect poorly on a brand to be associated with individuals who are not seen to represent their values and culture. Australian rugby player Israel Folau lost a number of his endorsement deals after a series of homophobic social media posts, with sponsors announcing that Folau’s views “are not aligned” with their own values. 

While in Folau’s case, the brands were forced to be reactive, proactive screening can help lower the risks of brand damage.

We wrote previously of the impact of sport and social media, with England cricketer Ollie Robinson now irrevocably linked to a damaging news cycle surrounding racism and historic social media posts.

Had Robinson’s profile been screened ahead of his selection for England, or in fact ahead of his first professional contract, his employers would have been aware of the posts and could have taken proactive steps towards rehabilitation or punishment for the player, while avoiding a future scandal altogether.

A Recent Example: Driving Ambassador

In a recent case working with a major advertising agency, we conducted open source background checks on a selection of potential ambassadors for an upcoming campaign for an automotive brand.

We conducted searches on a number of high profile names, checking traditional risk behaviours, as well as thematic references focusing on vehicles, driving and similar related themes.

Amongst the findings were behavioural red flags that may have been reputationally challenging for the automotive brand. For one subject, we uncovered a previous driving related conviction that had escaped public attention to date, while another had previously shared derogatory content towards drivers on social media.

Selecting either individual as an ambassador for a global campaign could have caused serious reputational damage for the brand, had they not been fully vetted.

Limited By Online Tools

Although many brands already employ online reputation management tools, many online tools rely on manual searches, or are only able to focus on specific keywords. The limitations of these processes are plain to see, with a restricted view of potential risks. 

Traditional online searches are limited by the data sources that they are able to canvass. General internet searches only cover 4-6% of available online data, meaning that online brand management tools only access a small portion of potential risk data.

Using open source intelligence, thereby accessing 100% of available online brand risks, broadens the risk management strategy to include social media, all online activity, adverse media checks and more.

By broadening searches to include thematic or industry-specific terms, like driving or vehicles in the example above, we are able to paint a more complete picture of brand risk no matter the industry. 

Lastly, by using tools such as Neotas’ AI powered Platform, we can process risks in over 200 languages, granting even stronger protection for international businesses.

Easy To Lose, Tough To Win Back

Countless examples prove how difficult it can be for brands, businesses and personnel to win back reputations once they’ve been damaged.

Market perception and reputation are perhaps the single most significant external factor in influencing a brand’s overall value. A positive, strong reputation can create value for shareholders, while also improving confidence and trust in the brand for the public and for customers.

Introducing a proactive approach to online reputation management, including the introduction of open source background checks and brand reputation management checks can help limit exposure to potentially damaging threats.

About Using Open Source Intelligence To Enhance Online Reputation Management

Leveraging Open Source Intelligence (OSINT) to Enhance Online Reputation Management (ORM) is an invaluable strategy in today’s digital landscape. OSINT empowers individuals, businesses, and brands to proactively monitor and manage their online image. By analyzing publicly available data from diverse online sources, including social media, news outlets, forums, and blogs, ORM professionals can swiftly identify and respond to mentions, both positive and negative. OSINT also provides insights into emerging trends, competitor perceptions, and crisis management. This proactive approach not only safeguards a reputation but also enables businesses to adapt, grow, and maintain a positive online presence in an era where perception carries significant weight.


The Pandora Papers have changed the world of due diligence forever


The Pandora Papers leak – the latest in a series of off-shore data leaks in the past seven years – has exposed nearly 12 million financial documents to the public eye.

As with previous leaks, this public scandal damages the reputations of those involved and raises larger questions about trust, risk and the world of due diligence.

Business that was once hidden behind complex corporate structures has now been brought to light. With it comes millions, possibly billions of intriguing data points for financial investigators, lawyers and police officers to pore over.

Panama, Paradise, Pandora

The Pandora Papers leak is the latest significant data drop from the International Consortium of Investigative Journalists. Previous leaks including the Panama and Paradise Papers, as well as smaller leaks, shed light on the shady dealings taking place in “complex off-shore structures”.

One of the many side-effects of the previous off-shore data-leaks – especially the highly publicised Panama Papers in 2016 – was that it revealed fresh evidence of hidden assets.

In 2015, two ex-wives won a US Supreme Court battle to challenge their settlements after the court found their ex-husbands had misled the courts and failed to disclose property that had been revealed in the leak. This is just one example of how undisclosed assets can impact the legal course of action.

Another, possibly more significant side effect was that they also revealed how many “complex” business structures were, after thorough investigation, discovered to be better described as money-laundering schemes.

Nothing to see here – so far

So far, there have been no allegations of financial wrong-doing in the Pandora Papers. This was also the case following the publication of the Panama Papers.

Fast forward four years however, and the Cologne public prosecutor’s office issued international arrest warrants in 2020 for the partners of law firm Mossack and Fonseca.

In 2016, the firm had responded to journalists saying they followed “both the letter and spirit of the law”. And just as then, so it is now.

No allegations of criminality have been made to date and the off-shore services providers implicated in the Pandora Papers have, so far, claimed to have operated fully within the law, as was the case in 2016.

Alcogal, Asiaciti Trust and Fidelity were all named in the latest leak.

Alcogal has claimed no criminal wrongdoing, stating its due diligence policies “follow the standards set by the laws in the jurisdictions in which it operates”.

Asiaciti Trust said its offices had “passed third-party audits for anti-money laundering and counter-financing of terrorism”. Fidelity said it conducted “relevant due diligence” on all its clients.

All three remain under intense scrutiny from regulators, watchdogs and the public eye.

The times are changing

The new Anti-Money Laundering Act (AMLA) in the USA may change all that. It specifically prohibits politically exposed persons (PEPs) from falsifying the source and ownership of funds & assets, and allows US law enforcers to subpoena bank records from foreign financial institutions.

Under Section 6403 of the Corporate Transparency Act, all corporations, LLCs and banks will be required to submit beneficial ownership information to the newly formed Financial Crimes Enforcement Network (FinCEN) at the US Treasury. It also revises Customer Due Diligence Requirements for Financial Institutions.

The times are changing. Where once the Treasury was unable to enforce AML laws, US law enforcers will now be more aggressive in checking a company’s due diligence and KYC policies. Isn’t it time to minimise your risk?

Regulators across the financial industry are already regularly reinforcing the idea that firms need to do more. Just doing the minimum required due diligence will no longer be appropriate when risk data is available but not being considered.

Adopting tech-driven, enhanced due diligence practices that connect the dots between disjointed database searches and open-source data can help minimise those risks.

The Pandora Papers have changed the world of due diligence forever

The Pandora Papers have ushered in a seismic shift in the realm of due diligence. This massive leak of financial documents, unveiling the offshore holdings of the world’s elite, has brought unparalleled transparency and accountability to the forefront of global conversations. As governments and institutions grapple with the revelations, the implications for financial investigations, compliance, and anti-money laundering efforts are profound. The Pandora Papers serve as a catalyst for redefining how due diligence is conducted, emphasizing the importance of unearthing hidden assets and ensuring ethical financial practices. This watershed moment in investigative journalism is reshaping the future of financial scrutiny and governance.

If you want to discuss due diligence or risk management, our team are here to help. Feel free to get in touch or schedule a call here.

Dear Trade Finance Firms – The FCA Wants You To Do More

The recent Dear CEO letter shared by the FCA & PRA has sent a stern warning to businesses operating in trade finance – more needs to be done.

The letter was addressed directly to the CEOs of firms carrying out trade finance business and has caught the full attention of the industry due to its direct nature. It outlines a clear need for change and marks a shift in tone from the traditionally sanitised messages of “advice” or guidance, instead laying out staunch requests for businesses to improve their oversight of their current position.

After a number of significant, high-profile losses within the commodity trading industry in recent years, trade finance and credit risk analysis have rarely been in the spotlight so often.

The position of the FCA & PRA is made clear from the start: their hands have been forced to respond after overwhelming recent evidence pointed to insufficient due diligence.

“Our recent assessments of individual firms have highlighted several significant issues relating to both credit risk analysis and financial crime controls. These issues have exposed firms to unnecessary risks that are material in both a conduct and prudential context.”

In response to this, they are demanding more from firms when it comes to risk assessment, counterparty analysis and transaction monitoring.

 

Reacting to an uncertain market

The letter addresses the uncertainty of the market and the prolonged, increased opportunities for fraud and non-compliance. They make clear that the existing framework adopted by many firms is not fit for purpose, especially in this changeable market. 

A post-pandemic wave of financial crime has been threatened for some time, with KPMG forecasting that a tsunami of fraud was en route in 2021 and beyond. While the warnings have been public and plain to see, it’s surprising that firms aren’t already embracing additional risk management considering the uncertainty we all currently face.

The letter highlights the “focus and assessment of financial crime risk factors” as just one of the insufficiencies commonly displayed in recent assessments. Others include poorly evidenced decision making, notably when it comes to residual risk. 

 

The Right Tool For The Job

There is a warning of how failing to properly address risks can lead to exposure to financial crime, to non-compliance, to suspicious activity and to the consequences that may come as a result.

The expectation continues to be that some deals inherently require a greater degree of diligence than others, on both sides of the transaction. It is the duty of the transacting firms to comply with the expected levels of diligence required. 

Amongst the tools suggested in the letter, there is an explicit directive to consider where enhanced due diligence and non-financial risk evaluation should be required. Many of the “red flags” listed in the letter, including money laundering, adverse media and more, are typically discovered as part of open source EDD, like we provide at Neotas.

We wrote previously of how non-financial risk identification could be the difference maker when it comes to credit risk and the same principles apply across the industry.

As counterparty networks become ever-more complex, the importance of full network analysis is highlighted in the letter with a clear directive that all parties related to a transaction should be appropriately considered. 

Network analysis remains at the core of many of our investigations, particularly for clients working in trade finance. In these cases the front-facing counterparty often displays little to be concerned about, only to find risks hidden within their network. 

Discoveries of networks including undisclosed PEPs, directors and relationships are common – a recent case also uncovered terrorist financing linked to a seemingly “clean” subject. Without diving into the network of the counterparty, you cannot fully understand the risks.

 

An Example: Network Analysis Uncovers Fraudulent Activity

A recent case of enhanced due diligence for Channel Capital uncovered a host of suspicious behaviours associated with the network of a subject in a European company.

While reviewing the company and its director, full network analysis uncovered evidence linking the subject to a number of bankrupted companies.

Uncovering the details of the bankrupted businesses allowed us to discover suspicious payments made between the European company and the newly discovered entities. These payments were being made in an effort to manipulate the subject company’s books in order to appeal to investors.

The insights uncovered informed the decision making of Channel, who eventually halted the deal and alerted the authorities to the fraudulent payments.


Not-knowing is not good enough

While not knowing or being unaware of non-compliance has never been a defensible argument, the tone from the regulators in the letter is stark:

“This letter has reiterated our expectations of firms when undertaking trade finance activity.”

The message could not be clearer and should come as a stern warning. Our discussions with clients often center around the idea that “if the information is out there, wouldn’t you want to know about it?”. The message from the FCA and PRA seems to have shifted to a more definitive:

“If the information is out there, you should know about it”.

 

Supplementing Existing Guidance

“The expectations set out in this letter are not exhaustive and should be considered alongside relevant rules and guidance such as Joint Money Laundering Steering Group guidance, the PRA Rulebook and the FCA’s Financial Crime Guide.”

While it’s made clear that the new recommendations aren’t exhaustive, the instruction here is to apply additional scrutiny to transactions, particularly when there is a need for a deeper dive.

Firms have been instructed to be reactive and responsible for the deals they are a part of, evidencing transparent, informed decision-making along the way. 

A gauntlet has been laid down by the regulators in no uncertain terms. Firms should continue to apply traditional due diligence while embracing new technologies, such as EDD, to help protect all parties and maintain compliance. It will be interesting to see who rises to the challenge.

Trade Finance Firms :

Trade finance firms are essential entities in global commerce, serving as financial intermediaries that facilitate international trade transactions. They offer a spectrum of services and instruments vital for businesses engaging in cross-border trade. These services encompass letters of credit, supply chain financing, export and import financing, trade credit insurance, and documentary collections. Trade finance firms also specialize in compliance, risk management, and trade advisory services, helping clients navigate complex regulations and manage trade-related risks effectively. Their expertise and support enable businesses to optimize cash flow, mitigate risks, and ensure the smooth flow of goods and services across borders, fostering economic growth and international business expansion.

How Social Media Due Diligence Can Improve Investment Decisions

When assessing non-financial risk data as part of M&A due diligence, traditional checks currently pay little attention to investigating the online footprint of a target company. An organisation’s online activity, and indeed the online activity of its management teams, can provide valuable insight into reputation, culture, management personas and more.  

With post-pandemic financial data difficult to trust, non-financial risks are likely to become increasingly significant as private equity and investment firms seek additional data points to supplement decision making.

Social media due diligence tools can be used to interrogate vast quantities of public online data, helping to identify potential business or personnel risks within the target company. 

 

What social media due diligence tools can uncover 

Contained within online public data is a wealth of previously untapped resources relating to both risk and opportunity. By combining natural language processing, AI and expert human analysis, risks can be identified that would not be uncovered using traditional due diligence processes.

When harnessed properly, this data can be used to provide a new dimension of analysis into non-financial risks and goes beyond the depth of insight provided by typical brand sentiment analysis. 

 

Consumer Voice

Public perception can have a significant impact on the overall reputational health of an organisation, with online reviews granting consumers a previously unheard tool to provide feedback, evaluation and criticism.  

Consistently poor consumer feedback of a product or service could be considered a red flag in terms of company reputation, and possibly even operational flexibility if the organisation has shown no willingness to improve over time.  

Monitoring and evaluating consumer feedback can serve as a reflection, at least in part, of the “voice” of a company’s customer base.  

 

Worker Voice

Similarly to consumer voice, public employee feedback can act as a barometer for company performance and culture.   

While websites such as Glassdoor have paved the way for employees to review workplaces, by interrogating all public online data we can uncover a multitude of potential risks hidden from traditional feedback platforms.

 

Management Review

Social media due diligence checks should also be used to help build a more complete picture of the character and attitude of management teams ahead of any deal. 

Reviewing a management team’s online footprint can help highlight potential risks including damaging behaviours and misconduct – all of which can negatively impact the reputation and value of the target company in the present and future if left unchecked.  

One previous example includes damning allegations of sexism and derogatory behaviour from staff towards their company’s CEO. Upon reviewing the report, our client decided not to continue with the deal – a decision that was reaffirmed when the CEO of the target company hit the press a year later. 

 

The impact of public online reputation on businesses and value 

Significant behavioural issues of staff should also be treated particularly seriously given the damaging impact that “cancel culture” can have on an organisation’s value.

In what is now a renewed age of social activism, amplified by movements like Black Lives Matter and Me Too, it’s imperative that a potential buyer pays attention to what’s being said about a target company on social media. 

The mass withdrawal of support for a person or company due to their public or online behaviour, whether labelled “cancel culture” or not, will have clear implications for the reputation and value of a business. If left unchecked, the reputational impact of this type of activism can also spread beyond the subject entity, proving damaging to investors and parent companies.

 

Understanding all of the risks 

When harnessed correctly, social media due diligence can clearly uncover pertinent information to aid traditional checks. The vast quantities of associated data, combined with the need for objectivity, mean that the right third party tools should always be used.

Neotas’ proprietary open source due diligence tools combined with extensive experience can be used to provide deeper insights to help inform investment decisions. Our checks process 100% of publicly available data in over 200 languages, leaving no stone unturned when investigating relevant investment risks. 

It is crucial that appropriate care and context is given to risks uncovered during social media due diligence checks, especially considering the natural negativity bias of online reviews. Neotas reports provide zero false positives, enabling resources to be committed to reviewing real risks only. 

For global acquisitions and investment activities, particular care should be taken when considering international data privacy legislation and as such, an ISO-certified third party provider like Neotas should always be used.  

Social Media Due Diligence :

Social media due diligence is a crucial process employed by individuals, companies, and institutions to assess the online presence and activities of individuals or entities. It involves investigating social media profiles, content, and interactions to gather insights on reputation, character, and potential risks. This diligence is particularly vital in various contexts, including hiring decisions, partnerships, mergers and acquisitions, and security assessments. By scrutinizing social media channels, stakeholders can uncover red flags, verify claims, and make informed decisions while navigating the digital landscape’s complexities. Social media due diligence has become indispensable in today’s interconnected world, ensuring prudence and risk mitigation.

Get in touch with our team today to discuss supplementing your investment due diligence with social media and online checks.

Why Management Due Diligence (MDD) Could Be The Key Ahead Of Private Equity Boom

New analysis from KPMG has revealed that Private Equity Investment has soared to its highest levels in over five years. The investment boom represents a significant jump when compared to the same period in 2020, as the impact of the pandemic began to take its toll. 

While the market continues to steady and confidence in a full bounce-back rises, the uncertainty of the global health crisis means that major challenges could continue to lie ahead.

KPMG reported that the momentum that began to pick up pace in Q4 of 2020 was fuelled by pent-up demand that had started to be released. Although the appetite for deal-making is clearly growing, with increased activity comes the need for increased scrutiny – particularly during this era of uncertainty. 

The potential for future challenges caused by restrictions, global downturns or even other viral threats means we must embrace all available risk-data to help improve decision-making.

Moving Past Traditional Due Diligence

With so much at stake, it absolutely pays to know more in today’s ever-changing landscape. Traditional due diligence procedures may tick all of the legal and regulatory boxes for the time being, but we believe it’s time to go beyond these practices and supplement them with additional data streams.

Ensuring that a comprehensive management due diligence strategy is in place before an investment or deal takes place will help lower risks.

MDD ensures individuals are scrutinised independently and forensically, lowering the risk from dealing with new associates. It helps assure investors that accountable individuals are competent enough to deliver success and growth without harming the reputation of their enterprise.  Ensuring that social media activity is analysed, for instance, can provide insights into management team behaviours and attitudes that would otherwise not be uncovered through traditional due diligence methods.

In a digital era, a data-led approach that considers all risk angles is critical and management due diligence using open source data should contribute to that risk-evaluation.

These methods go beyond what is uncovered as part of traditional due diligence – evaluating the attitude and aptitude of individuals and firms, ensuring they comply with regulatory guidelines as well as identifying potential conduct or financial crime risks.

Risks uncovered have included allegations of discrimination and abusive behaviour, data leaks, fraudulent behaviour and corruption, to name but a few. While these potential red flags remain operationally relevant, they would not be uncovered using traditional due diligence methods.

Know exactly who you’re working with

It’s often said that people are the biggest asset of any business and it’s essential to consider “people risk” ahead of any deal or acquisition. Effective management due diligence removes subjective and unintentional bias from your decisions, providing vital third-party validation so you can proceed confidently, with no stone left unturned. 

Any possible absence of face-to-face due diligence, whether through travel restrictions or remote operations, has made it more difficult to evaluate attitude and aptitude. Analysis of online behaviour not only provides an additional layer of depth to traditional due diligence but also enables a higher level of inspection when operating remotely.

An Example: Recent Case Involving Abusive CEO

A recent case of management due diligence uncovered insights into a CEO that were not captured during traditional due diligence checks. 

While reviewing the management team of an investee company, particular focus was directed towards the CEO after allegations of potentially damaging behaviours began to appear. 

Our reports highlighted a number of negative employee reviews, allegations of “explosive and abusive” behaviour and a troubling history of discriminatory, aggressive behaviour on social media towards colleagues and other users.

The insights uncovered as part of the enhanced open source checks fed into the decision-making process for our client, raising questions and concerns about the suitability of the client. None of these behaviours were identified as part of their traditional checks. 

Proactive Protection – Identify Risks Before They Become Problems

Proactively identifying irregularities, risks or potentially damaging behaviours amongst management teams can help manage future challenges and protect ongoing interests once a deal is made.

Indeed, risks that may be hazardous to long-term company value, productivity or culture can be addressed early by harnessing the correct data. Potential reputational crises associated with people risk can also be proactively identified, managed and mitigated with enough warning time and a clear enough picture of the risks.

Whilst our reports can, and often do, influence investment decision-making, our position continues to be to identify the risks and leave future decisions up to our clients. Even when the information doesn’t drastically impact the end decision, the overwhelmingly positive feedback we receive from clients centres around a new and cost-effective level of insight that would otherwise not have been uncovered.

Completed 100 MDD cases for Catalysis

Harnessing Public Data Could Be Key Decision Dealbreaker or Dealmaker

Neotas searches harness 100% of publicly available data to grant our clients a new layer of insight into pre-investment risk. We dig deeper and faster into people, entities and networks – analysing them against a set of core risk indicators including abusive behaviour, fraudulent activity, multiple aliases and more. 

In a hyper-competitive marketplace that is now seemingly riding a wave of pent-up demand for deals, asset managers have a responsibility to consider all risk data as part of their due diligence processes. 

The potential impact of not considering the data, from both a regulatory and a reputational point of view, is stark. Regulators now regard OSINT as best practice when discussing enhanced due diligence processes. With the information on risk out there and readily available, it may be hard to build a competent defence in the case of future allegations of non-compliance or in a crisis management situation.

Management Due Diligence :

Management due diligence is a strategic evaluation process undertaken by investors, acquirers, or organizations to assess the leadership team and their capabilities within a company. It involves a thorough examination of executives, their track records, leadership styles, and overall competence. The aim is to gauge whether the management team aligns with the company’s goals, culture, and the intended investment strategy. This diligence helps mitigate risks associated with leadership transitions, ensures effective decision-making, and enhances the potential for successful investments or mergers. Management due diligence is an essential component of informed business decisions, contributing to long-term success and sustainable growth.

We are here to lower risk from investment, acquisitions and purchases, enabling you to build teams you can trust whilst protecting your reputation robustly. Schedule a call with our team today to discuss your investments, management due diligence or any other open source intelligence needs.

An Investigation Into England Euro 2020 Abuse Using Open Source Intelligence

Following the targeted racist attacks towards members of the England football team after the final of Euro 2020, Neotas have conducted an investigation into the online abuse.

After Twitter had publicly shared the results of their “proactive” action taken following the final, we focused on Twitter and analysed whether their clean-up effort had been sufficient in identifying and punishing the harmful behaviour.

 

A Momentous Occasion Marred

The 2020 EURO UEFA European football championships, commonly referred to as EURO 2020, were held from 11th June 2021 to 11th July 2021 across various locations in Europe.

The Final match was played on 11th July 2021 at Wembley Stadium, London between England and Italy. Italy won the tournament, beating England 3-2 in a penalty shoot out following a 1-1 draw after extra time.

For England, 5 players took the penalties; Harry Kane and Harry Maguire were successful in scoring. However, Marcus Rashford, Jadon Sancho and Bukayo Saka missed their spot kicks, resulting in Italy winning the championship.   

In a game that was marred by multiple incidents of fan violence and unruliness in the build-up to and during the match, the tone was lowered further when racial abuse was aimed at the three players who missed their penalties.

Such was the escalation of the story, members of the Royal Family, UK Prime Minister Boris Johnson and other government agencies weighed in to condemn the attacks, demanding that action was taken to punish the offenders. 

The Metropolitan Police opened an investigation into the offensive and racist social media posts that has since seen 11 people charged. The social media platforms themselves continue to claim to have responded in the strongest way possible, with Twitter removing more than 1,000 tweets initially and permanently suspending multiple accounts.

Twitter has since claimed to have removed approximately 1,600 Tweets, accounting for around 90% of abuse. Our investigation immediately discovered an additional 70 that were deemed abusive, racist or threatening in some way.

 

Platform Responses

Previous meetings with the major football associations of England had resulted in Facebook essentially leaving the onus on the players and clubs to protect themselves, rather than the platform proactively protecting its users. The platform has since made changes that have been deemed insufficient by players and associations thus far. 

While Twitter is just one of a number of major platforms to have been used to facilitate the abuse, it has shouldered much of the attention so far and has shared the most robust and open responses to date. Twitter published this update on the 10th August, following continued public discourse about the online abuse:

“Following the appalling abuse targeting members of the England team on the night of the Final, our automated tools, which had been in place throughout Euro 2020, kicked in immediately to identify and remove 1622 Tweets during the Final and in the 24 hours that followed. 

While our automated tools are now able to detect a majority of the abusive Tweets we remove, we also continue to take action from reports. New vectors of abuse are ever-emerging, which means our system is having to adapt on an ongoing basis. Therefore, to supplement our efforts, trusted partners are able to report any further Tweets directly to our front-line enforcement teams. In total, over 90% of the Tweets we removed for abuse over this period were detected proactively.”

Twitter’s own analysis into the violating accounts is ongoing, but their initial findings concluded:

  • The UK was – by far – the largest country of origin for the abusive Tweets removed on the night of the Final and in the days that followed
  • That ID verification would have been unlikely to prevent the abuse from happening – as the accounts we suspended themselves were not anonymous
  • Only 2% of the Tweets we removed following the Final generated more than 1000 Impressions

The update from Twitter has helped continue the conversation relating to the abuse faced by the England players at Euro 2020, as well as the more general issue of online abuse. 

Twitter have announced the trial rollout of the following actions to help curb the racist interactions on their platform:

  • A new feature that temporarily autoblocks accounts using harmful language
  • Reply prompts, which encourage users to revise their replies to Tweets when it looks like the language they use could be harmful

What isn’t clear is how these tools include evaluation of visual media such as images, videos and emojis – something which was prevalent and consistent amongst our limited searches.

Infographic showing Neotas' research into online abuse of England players - 83% of abusers were from the UK

Our Insights – Focus On Twitter

Our data analysts are experts in identifying behavioural risks hidden in online data. This can, and often does, include aggressive, discriminatory and abusive behaviour linked to social media profiles. The activity can be active (posted or shared by the subject in question) or passive (linked to, shared or associated with the subject in question).

The data we search is called open source intelligence (OSINT) and is 100% publicly available; however, only experts like Neotas have the skillset to interrogate it fully and provide adequate context.

Following Twitter’s announcement that they had removed 90% of abuse within a few days of the final, we conducted a limited search and uncovered more than 40 profiles still active on Twitter. Those accounts had shared approximately 70 tweets containing discriminatory abuse directed towards the England team. This was following the initial response from Twitter and after the police had opened their investigation.

Of the abusive accounts uncovered in our findings, 83% of them were based in the UK – a figure that correlates directly with Twitter’s declaration that the vast majority of attacks were from UK accounts.

Infographic showing Neotas' research into online abuse of England players - 95% of the abusers were still active on Twitter

More than 90% of the abusive tweets we discovered were sent after the initial “clean up” from Twitter. While the recent update suggests that the platform is continuing to investigate, our findings suggest that 95% of the accounts we discovered remain active with the vast majority of them still containing the offensive content.

While there was a lot of general criticism and aggression directed towards the England team following their crushing defeat, here is a breakdown of the abuse faced by the three players who missed their penalties:

Racism was the most common theme amongst the responses found, with a large number of accounts including visual content such as images, videos and emojis to emphasise their aggression. Marcus Rashford, who was the overwhelming target of the responses we found, also faced repeated attacks over his charitable work and philanthropy.

Infographic showing Neotas' research into online abuse of England players - Marcus Rashford was the most attacked player, followed by Bukayo Saka and then Jadon Sancho

In line with Twitter’s announcement, a large number of the assailants were easily discoverable. Using OSINT, we were able to fully identify at least 6 real people behind the attacks, with information including their real names, contact details, addresses and places of work. With further investigation, we are confident that we would be able to discover more.

The results uncovered as part of our research represent just a small section of the total online activity following the final and are just the tip of the iceberg when it comes to our data interrogation capabilities. While for this exercise we focused primarily on Twitter, there are undoubtedly similar cases across other platforms including Facebook and Instagram. OSINT can easily be harnessed to interrogate all online activity, including social media channels.


Repeatable Cycle – What Action To Take

The attacks and vitriol directed at the England football team at Euro 2020 were just the latest in a seemingly never-ending cycle faced by sports stars and by the wider online community.

Debates continue as to whether using ID to set up social media accounts is the way to tackle this endemic problem, but what’s clear is that many of these users can already be tracked. Our Director Ian Howard wrote previously of the need to embrace technology to fight the issue, arguing for the use of open source intelligence (OSINT) to help detect, verify and punish those caught being abusive on the platforms. 

It is important to note that almost all of the accounts identified by Neotas and by Twitter were traceable, while many are still active and just 11 have been charged to date. 

In real terms this means that many of those who sent out vile, abusive messages following the final returned to work the following day without employers knowing about their true character.

Businesses have a duty to protect their employees from risk and should use all available methods to help monitor and safeguard their staff’s wellbeing. 

The use of employment screening tools like social media screening can help identify high-risk behaviours and will lower the risks of abusive behaviour within the workplace. These tools can and should be used to screen prospective hires, particularly those in senior roles, as well as current employees. 

England social media abuse :

Addressing social media abuse in England: Examining the prevalence, consequences, and ongoing efforts to combat online harassment and promote a safer digital landscape

To find out more about social media screening or to discuss our findings, please schedule a call with our team here.

How Non-Financial Risk Indicators Can Improve Credit Risk Due Diligence 

“Credit risk is more than just financial models. There’s a whole series of non-financial data points that can be used to help make those decisions better.” – Ian Howard, Neotas 

Managing and mitigating post pandemic risk 

For financial institutions, managing and mitigating risk has become an increasingly difficult task following the implications of the COVID-19 pandemic. Ongoing uncertainty has made forecasters’ and risk managers’ jobs more difficult than ever and new due diligence methods are being adopted constantly to help evaluate risks more clearly. 

Credit risk in particular has faced distinct challenges and implications through the crisis – with a lack of pertinent data on crisis conditions, changes in credit worthiness and a “large wave of non-performing exposures” needing to be addressed. 

To help manage the risk for lenders, new approaches must be adopted that are fit for purpose in a changing landscape. Enhanced credit risk due diligence procedures should be adopted to dig deeper into non-financial risk indicators surrounding companies and entities. 

A business’ resilience to post-pandemic fallout will vary depending on the organisation, its processes and, crucially, the people within the business. Institutions looking to mitigate risks in an uncertain landscape should be embracing all of the financial and non-financial data points at their disposal to help improve decision making. 

 

How is credit risk currently being assessed? 

The rapid, ever-changing nature of the pandemic has led to many financial institutions adapting quicker than they ever have before. By looking through a different lens and utilising readily available data such as non-financial data points, you can better predict the performance of entities. 

Traditional borrower credit risk is usually evaluated by considering the financial position of the borrower, market position, industry specific characteristics and, finally, the quality of the management. 

What was once a structured, well-established credit risk assessment has now been turned on its head. 

The ECB’s recent assessment of credit risk procedures found that not all financial institutions have sufficiently strengthened their credit risk management to combat the expected increased risk. 

Although many institutions have adapted their credit risk due diligence processes, those who aren’t embracing a data-led approach, including non-financial data points, are left evaluating credit risk with limited visibility and an uncertain path ahead of them. 

 

The Credit Risk Implications of the Coronavirus Pandemic  

We cannot rely on outdated financial reporting 

With the dawn of the pandemic, many conventional sources of typical credit risk data became obsolete overnight. Where previously a high degree of importance would have been placed on financial reporting, even with the typical 6-12 month lag, the relevance of those figures decreased rapidly as markets crashed and industries were rocked. 

While many industries were halted by the pandemic, some prospered. What’s true in all cases though is that none have experienced a typical trading period through that time. As a result, the robust, quantitative financial data that normally forms the cornerstone of credit risk due diligence becomes significantly less reliable. 

So how then do we evaluate the parties in question? While some form of reporting delay may feel inevitable, it is time to engage with alternative solutions to help bolster risk-modelling. By considering non-financial data points such as customer reviews, worker voices and more, we are able to build a more complete picture of the current performance of the company. 

We are beginning to see an emergence of a reliance on qualitative non-financial factors, to counter the shortage of concrete financial data: 

“Banks have long relied on qualitative factors, which they seek to use as objectively as possible, to counter the shortage of more concrete financial data. These banks now also explore publicly available data as a means of cross-checking and validating qualitative information.” – McKinsey, 2021 

 

Using non-financial data for better risk modelling 

At present, public online data is a largely untapped resource when it comes to credit risk due diligence. Open source intelligence can deliver a significantly greater level of understanding of who you’re doing business with and the potential risks associated with them. 

Our own enhanced due diligence checks enable our clients to evaluate financial and non-financial risk data. The non-financial data points considered as part of our credit risk due diligence service would include: 

  • Management due diligence 
  • Public customer reviews 
  • Worker voice assessments 
  • Adverse media 
  • Public reputation 

With so much uncertainty currently surrounding quantitative financial data, the benefits of additional data sources are clear – including behavioural factors. Placing greater emphasis on the C & A in the CAMPARI model – Character and Ability – can help improve decision making by considering wider risk factors than purely financial factors.  

While character and skillset alone are not enough to ensure the credit worthiness of a business, when combined with other assessment factors, they can prove to be valuable resources for evaluating the resilience of a business in challenging circumstances. 

 

Pandemic Uncertainty Leads To Forecasting Difficulties 

Traditional credit risk analysis includes evaluating backward looking actuals and forward looking forecasts. In present conditions, that task is more difficult than ever. 

While many have predicted continued economic contractions in global GDP, the true fallout of the downturn may be felt for years to come. Although recovery is expected, the expectation is for it to be slow.

The rate of recovery will differ by region, by industry and by organisation. While some have seen profits boom over the last 18 months, many others have faced sustained challenges. The importance of those elements must be considered as part of the risk analysis, where a sector-based approach will not be sufficient and more tailored considerations should be made.  

For those dealing internationally, the picture complicates further. With many global economies in different stages of recovery or suppression, relying solely on outdated financial data or recovery forecasts would be unwise. 

 

Time To Adopt Data-led Approach Is Now 

With most firms seeking every available opportunity to gain a competitive advantage when it comes to investing or lending, the adoption of a more data-led credit risk approach was inevitable. 

While the pandemic may have accelerated the process for some institutions, the advantages of adopting these additional tools are clear. Going beyond traditional processes and considering all available risks enables quicker, more informed decisions – while having greater understanding of those you’re working with also comes with a host of clear benefits. 

Our proprietary technology is able to process vast quantities of data that are left unindexed by traditional credit risk sources. By diving deeper into analysing public data, our clients are able to make better informed, lower risk and ultimately more profitable decisions. 

We are also able to offer our clients the benefits of our Ongoing Monitoring service. Perfect for fast-moving markets, this service uses our AI-driven technology to consistently evaluate and identify emerging risks and threat opportunities. Clients are able to monitor ongoing risks, without false positives. 

To discuss how open source intelligence can help your credit risk due diligence or risk management practices, please schedule a call with our team here. 

The impact of social media on sport – how to avoid a crisis 


Social media and sport are inextricably linked. The globalised, commercial nature of professional sport means it now relies on social media to bring its products to new audiences and to communicate sponsored messages to fans. The relationship between the two is not always without disruption though. 

While online platforms have grown rapidly over the last 10-15 years, the impact of social media on sport has opened up possibilities for both opportunity and risk.  

On one side of the sometimes-troubled relationship, there are the negative effects of social media on sports. In particular, the endemic issue of fan abuse towards professional athletes. Our Director Ian Howard wrote previously of the growing problem – arguing for the use of open source intelligence (OSINT) to help detect, verify and punish those caught being abusive on the platforms. 

On another side are more positive effects of social media on sport – such as commercial opportunity. Social media and digital presence play an increasingly significant role in determining player, or even organisational value. More than ever, that value is determined by both sporting ability and global marketability. So what happens to that value when said player, athlete or club is embroiled in a damaging social media scandal? 

 

History Repeating Itself 

Scandals, or reputational crises, as a result of social media have become relatively commonplace in sport.  

Premier League strikers Andre Gray and Jarrod Bowen are two recent cases. Both players apologised for their actions and while their respective clubs condemned the behaviour – they are often rendered guilty by association. As these types of incidents have no clear end-point, they are often prolonged and the guilty parties can be forced to carry it with them for years – as has Gray.

Despite the regular occurrence of these incidents, sport continues to fall victim to social media fuelled crises. 

Before May 2021, many who recognised Ollie Robinson’s name knew him simply as a talented cricketer. Now, Robinson is embroiled in a reputation scandal. A selection of abusive tweets made nearly a decade ago surfaced shortly before Robinson was due to make his England debut. 

Now both Ollie Robinson and the England and Wales Cricket Board find themselves fighting a crisis management fire, a crisis that could so easily have been avoided.  

 

Social Media – Weaponised Threat 

One potentially alarming idea now is the prospect of a weaponised attack using historic social media posts, such as Ollie Robinson’s, to derail a sports team. While it may be hard to quantify the impact the scandal had on the England cricket team, when it unfolded, little public conversation was focused on the actual cricket being played. 

Shortly after the Robinson story reached its peak in terms of news coverage, another emerged of an as yet unnamed player having shared damaging social media posts in their past. Although the reason for the timing of the leaks is unknown, it’s difficult not to establish a link between the two.

While many in sport have a win-at-all-costs attitude, the idea of weaponising these crises is a distressing one. When the stakes are as high as they are in professional sport, not properly addressing all of the risks in front of you can have a seriously damaging impact on staff wellbeing, financial performance and public reputations. 

How To Mitigate Risks – Use The Right Tools

Effective employee screening, using social media background checks, would have helped mitigate the risks of social media in all of the cases mentioned above.  

Social media screening uses open source intelligence to assess a person’s digital footprint against employment related risks only. It can be used to screen potential and existing employees, helping avoid damaging hiring decisions or future reputational damage. 

In the case of Ollie Robinson, the checks would have identified the tweets in question, as well as any other high-risk behaviours, using our natural language processing. Those insights would have been handed over to the ECB, who could then make an informed decision for how to move forward. In this scenario, the ECB would also have been prepared to deal with any future events based on the incident. This is proactive crisis management. 

These tools are used consistently in corporate recruitment to help employers, recruitment teams and HR personnel understand the risks more fully before making hiring decisions. They can also be used to help monitor and maintain culture within teams, identifying potentially dangerous behaviours within an organisation or team. 

For sports teams, whose position is so public-facing, regular screening of employees’ (including players’) social media profiles can help minimise risks.

 

Proactive Protection Against Threats 

When it’s so easy to prevent this kind of crisis, it’s hard to see why organisations wouldn’t learn from the mistakes of the past. Governing bodies, sporting clubs or any organisation with outward facing, high profile representatives should be embracing this technology and using it proactively to protect their reputations from future risks.

Due to their public persona, athletes are not always considered as regular employees but in this case they should be treated as such. Players and individuals may be the biggest assets for any team but they could also be the biggest weakness.  

Social media screening from Neotas is the perfect solution to this issue. It has a rapid turnaround time and is cost effective, especially when weighed against the damaging implications of an ongoing reputational scandal. 

The checks are GDPR compliant, use only public data and are regulated by third party associations like AFODD. Our technology processes data in over 200 languages so is perfectly placed to screen international employees like players, managers or staff. 

While the use of social media screening grows in corporate recruitment, sport, for now, is lagging behind in not vetting their employees as fully as they could. Such is the impact of social media on sport that reputations and financial value continue to be damaged in crises that could have been sidestepped. 

Whether competing for the World Cup, The Ashes or the Champions League, social media screening checks should be one of the first, most powerful tools in your risk management armoury.

If you want to discuss social media screening or risk management, our team are here to help. Feel free to get in touch or schedule a call here. 


How Social Media Screening Benefits Our Clients – Guest Blog by Vero Screening


How Has Social Media Screening Benefited Our Client Base?

In a world that requires ever-increasing online due diligence, we are seeing clients’ screening requirements constantly evolve. As of 2019, and after much supplier comparison, we partnered with Neotas to provide our social media background checks.

The Need for Social Media Screening

On average, a quick Google search only shows you 4-6% of all data available on the internet. As the digital age progresses, HR Managers are seeking more information about who they are hiring, to paint a fuller picture of a potential employee, and whether they will suit their company culture.

Now more than ever, there’s an increasing focus on how a bad hire could potentially harm a business’ reputation. Tools such as social media screening can help lower the risks involved with a bad hire.

We recently conducted a Social Media Screening Webinar in collaboration with Neotas where 46% of attending professionals revealed they had an experience of an employee with a negative online profile.  The results show the importance of pre-employment enhanced screening, with attitude and behaviour not always considered highly enough in the hiring process.

The Uptake

The interest from our clients has been clear and has been growing steadily in the first quarter of 2021. Clients undertaking these checks fell within Financial Services, Legal, Tech and Consultancy sectors, where regulation is stringent. Each month we’ve seen new clients sign up.

The Results

Upon conducting these searches for our clients, themes of negative findings fell within:

  • Inappropriate/undesirable content
  • Sexually explicit content
  • Hate and discriminatory behaviour
  • Violent content
  • Extreme views/opinions
  • Undisclosed directorship

As well as highlighting risk categories from prospective and current employees, Neotas social media screening reports also revealed positive indicators, such as an individual’s charitable work and volunteering roles.

The Outcome

For our clients, these findings can make or break the decision to bring a new hire into the team, or raise new information about a current team member.

Three per cent of red flags raised by Neotas’ social media screening resulted in businesses withdrawing offers from candidates due to concerns about their online behaviour. Although a small percentage, it highlights the reassurance that these searches can provide and enabled these firms to avoid disruption to their workforce in the form of a dangerous or difficult employee.

More Information

To see how Social Media Screening can benefit your hiring process, get in touch – intouch@veroscreening.com or find out more: Social Media Search & Screening Services | Vero Screening

 


Neotas Social Media Background Checks and Social Media Screening

At Neotas, we understand the importance of conducting thorough and compliant Social Media Screening Checks, and our team of experts is dedicated to ensuring that the process is safe and reliable. Receive accurate and up-to-date information while complying with all relevant regulations, including GDPR and FCRA. Our advanced OSINT technology and human intelligence allow us to uncover valuable insights that traditional checks may miss.

We highlight behavioural risks identified across social media profiles and the wider internet. Neotas supplements the background screening process. Learn more about how we can help you conduct social media screening and background checks in a safe and compliant manner.


Taking a future-proof approach to supply chain risk management


Increased Risk

Change and uncertainty are breeding grounds for risk and the timing of Brexit alongside the global pandemic has seen the opportunity for risk to increase significantly.

The risk management lifecycle is familiar to many of us:

  • Risk identification
  • Risk assessment
  • Risk mitigation

But what about when the risks, and the dangers and implications associated with them, evolve? What about when well established procedures and risk management protocols are turned on their head by unprecedented global events?

KPMG predicted a “tsunami of fraud” in 2021 as the financial world catches up with the implications of the coronavirus pandemic. Our reports have signalled an increase in fraudulent activity so far this year and it shows no signs of slowing down yet.

Locking down a globalised world has brought with it intense challenges for risk management. Global supply chains have come under immense pressure as they deal with changing localised restrictions, the societal impact of the health crisis and the need for many businesses to adapt to survive.

So how do we solve the problem of increased risk? With uncertainty looking here to stay, the solution may be to supplement your supply chain risk management practices with a more agile approach.

Why Have We Seen Supply Chain Risk Increase?

Through both the pandemic and the changing regulations of Brexit, businesses have been forced to adapt in almost every way. Supply chains have been rocked by unforeseen vulnerabilities, often left exposed by the new pressures we have found ourselves under.

The globalised nature of many multi-tier supply chains has seen these challenges exacerbated from the top down. A single product could now have hundreds or even thousands of suppliers contributing to its delivery, with risk increasing at every stage. 

Travel restrictions have contributed to increased risk. Supply chain risk management becomes an even more difficult task when face-to-face assessments are limited and we become reliant on remote reporting and approval systems.

The typical lag in reporting and the uncertainty of the past 18 months means that it can also be difficult to trust financial data on the surface. Without further inspection, how can you trust that a supplier’s most recent statements are sound, when the pre-pandemic period may no longer be applicable and the during-pandemic period was so unprecedented?

Lastly, social media also has a part to play in reputational risk. Managing reputational damage can play a significant role in the overall health of a business and while financial data can lag, social media’s impact can be swiftly felt and unforgiving. Reputations can be tarnished by association so while it may not be your fault directly – it can still be your problem.

“You can insure against the failure of a customer, but how would you deal with the failure of a key supplier?” – Deloitte

Supply Chain ESG Risk

With an increased focus on ESG, comes greater scrutiny for the supply chain. The general public has never been more interested in knowing where their products came from, who made them and what impact their production had on the environment. The wrong decision could be catastrophic for industry.

In a modern multi-tier supply chain, the firm at the top of the chain remains at least partly responsible for the sustainability and societal impact of the suppliers at the bottom – at least in the eyes of the public. The larger the chain, the more difficult it can become to identify risks – particularly when subcontractors are introduced and when the only method of reporting is remote self-reporting.

We recently discussed the increased risks that ESG-specific investing can face, including reputational issues and corporate greenwashing, with FinTech expert Brendan Bradley.

Restrictions Highlight Self-Reporting Shortcomings

The self-reporting model has always relied on honesty and integrity from companies but with increased pressure brought by the pandemic, businesses have been forced to adapt. Are firms likely to divulge information that could harm their reputations? Brendan Bradley thinks possibly not: 

“Are firms likely to divulge information that could harm their reputations? I think there’s a grey area there with respect to what they will report and how much that’s actually being fully audited. If these assessments are being reduced to box-ticking and that’s never audited, you’re reliant on complete honesty from organisations whose number one interest will always be self-preservation.”

While self-reporting models were previously audited and punctuated by announced and unannounced site visits, travel restrictions have rendered those a thing of the past. As such, an independent, data driven, flexible auditing solution is required to help lower risks.

An ideal reporting model would no longer rely on self-reporting alone to assess the risks and credibility of a supplier and would also report data closer to real-time. 

Time To Stay Compliant

The disruptions to supply chains have brought with them increased risk of non-compliance. The need to improvise and adapt brought by the pandemic has led to increased likelihood of non-compliance amongst suppliers, as chains came under pressure to continue operating under heavy restrictions.

Personnel Today recently reported on a huge surge in umbrella companies being used to abuse the UK tax system, with suppliers taking advantage of reduced taxation loopholes. The potential impact for associated companies includes regulatory action, as well as the reputational damage of non-compliance within your supply chain.

An independent audit of suppliers, building a clear risk profile using public data, can help highlight any issues in transparency and ensure the chain remains compliant.

Identifying The Weak Link

“Your supply chain is only as strong as its weakest link” – Deloitte

While tried and trusted supply chain risk management procedures continue to be effective, now more than ever it’s crucial to be agile in our response to risk. It’s critical that businesses can establish a clear risk profile for each of their suppliers, highlighting vulnerabilities and assessing a wide range of financial and non-financial factors.

Are your supply chain screening procedures up to date? Are they robust enough to identify modern risks including cyber risk, risks associated with the pandemic or modern slavery?

Identify the risk factors most appropriate to your business. Design a risk model that will allow you to identify which suppliers are the most important and which are the most vulnerable. It’s about making sure you have the tools, expertise and techniques to gain a high level of understanding of your key suppliers.

Using Open Source Intelligence To Lower Supply Chain Risk

The role that open source intelligence (OSINT) can play in reducing supply chain risk is clear. Using OSINT we can monitor risks much closer to real-time, highlighting potentially damaging events or actions that occur outside of the regular reporting period. 

Through OSINT, we are able to map supplier networks and analyse non-financial risks including those linked to adverse media, customer feedback, ESG and more. Adopting an enhanced, AI-driven model to supplement existing checks allows for deeper insights to inform your supply chain risk management strategy. 

Technology like Neotas’ proprietary advanced machine learning technology is capable of processing vast quantities of relevant risk data, lowering the reliance on the self-reporting model. Our enhanced risk & compliance solutions aren’t limited by global jurisdictions and harness natural language processing to analyse data in over 200 languages.

The time to adapt traditional supply chain risk management practices is now. Using OSINT powered EDD, businesses can harness publicly available data to help lower supply risks. Get in touch with our team today to discuss your supply chain risk management practices and how we can lower your risks.


ESG Investing & Due Diligence – Q&A with Brendan Bradley


The topic of ESG continues to gather momentum as one of the defining trends of this decade. But why has the term seen such a surge in interest and are current reporting systems robust enough to report on evolving ESG issues? How can enhanced due diligence be used to improve ESG reporting? We’ve caught up with FinTech expert Brendan Bradley, author of ESG Investing for Dummies, to discuss all that and more.

How would you define ESG?

ESG has generally become synonymous with socially responsible investment. However, ESG should be seen as more of a risk management framework for evaluating companies and not as a standalone investment strategy. ESG measures the sustainability and societal impact of an investment in a company. ESG fundamentals are part of an assessment process to apply non-financial factors to a manager’s analysis in identifying material risks and growth opportunities.

What made you want to write the book?

There is a lot of hype around ESG which invariably means that people start using acronyms and making statements off the back of the last thing that they have read. I was as guilty as anybody else. I had co-authored FinTech for Dummies to help bridge the gap in education and decided that I could do that for myself and then help others by writing ESG Investing for Dummies.

Why do you think ESG as a topic has seen a huge surge in interest?

With growing action from governments, companies, and investors to consider environmental and societal impacts, it seems inevitable that ESG considerations will be included in all of our investment decisions at some point in the future. As the world is changing, there is a greater requirement to understand what risks or opportunities a company faces from ESG issues that may determine its long-term prospects. The COVID-19 pandemic has highlighted the need to consider these factors even further, hence the recent surge in investments in this space. Even within this century, the context in which businesses operate has changed radically.

What’s driving the increased interest in ESG investing – social conscience or a fear of reputational damage?

Both! Some firms are genuinely trying to be better corporate citizens as in the long run it is good for their business as well as making them more sustainable but all companies are mindful of what the reputational damage does to their bottom line and share price so that will also be in the back of their minds.

How prevalent is corporate greenwashing? 

Today greenwashing appears to have become more prevalent, but it is difficult to prove given the lack of a common definition for what constitutes good corporate behaviour. One example of greenwashing could be companies claiming their products are from recycled materials or have energy-saving benefits, while the flip side is regulators calling out asset managers on their use of marketing that represents their products or activities as positively ‘green’ when they are not. Companies are responding but perhaps not always in a manner that is genuinely aligned with improved corporate performance on social or environmental issues.

The other aspect out there at the moment is “Corona-washing”, which is linked to activities following the pandemic. From a similar perspective, companies are claiming that they’re doing certain things to inflate their reputation when perhaps they’re stretching the truth a little.  

How important is it to develop an ESG policy?

The expectations of investors and other stakeholders regarding corporate conduct are changing and becoming more demanding. Deciding whether companies really ‘walk the walk’ entails in-depth knowledge of corporate culture, environmental impacts, labour relations, management quality, supply chain practices, and risk profile. Analysts are scrutinizing a company’s ESG claims in the same way they have traditionally viewed a company’s financial statement fundamentals. Companies and fund managers are aware of the premiums they can extract if their products or services are considered to be green or sustainable so having an ESG policy seems to be critical.

How does ESG create value for organisations?

Given that companies with high ESG ratings exhibit a lower cost of capital, less volatile earnings, and lower market risk than companies with low ESG ratings, sustainability should be our new standard for investing. For years analysts have considered good governance as a key trait for successful companies – manage your own house properly and there is more likelihood that you will do the right things as a company. Similarly, in more recent times, companies that have proactively reduced emissions and are environmentally aware are invariably incorporating the new trends of renewable energy or sustainable production and consumption, which today’s consumers are actively considering. And the pandemic has shown which companies are living up to their social responsibilities – whether that is with respect to their employees, customers, suppliers and community.

Is ESG investing currently in a bubble that’s likely to burst any time soon? 

The genie is out of the bottle – I think that ESG performance benefitted from the BigTech surge last year – many ESG indices have the FAANG stocks and Tesla in their components so if they experience a drop in share prices ESG performance will do likewise? But I don’t see the Assets under Management going anywhere other than North.

What’s the future for ESG investing?

Given that companies with high ESG ratings exhibit a lower cost of capital, less volatile earnings, and lower market risk than companies with low ESG ratings, sustainability could be the new standard for investing. To enable a further change in allocation and strategy, asset owners may still need greater confidence in investors’ ability to correctly price potential longer-term risks and opportunities. Market participants, as well as regulators and policy makers, are seeking common terminology and standards to be able to identify specific ESG factors.

Are there any dangers with becoming too focused on ESG?

In the same way that there is an ongoing discussion around the pendulum swinging from growth stocks to value stocks, you shouldn’t invest in a stock just because it fits into a given bucket. Similarly, there will be companies that have a high ESG rating for various reasons but that is just one element of the fundamentals of the company – don’t get blinded by the fact that it is a “good” company and ignore the traditional analysis, they may be greenwashing.

What are the increased risks that come with ESG investing?

In some cases there will be an over-reliance on external ESG ratings for a company as part of the investment analysis when there are major differences in rating dependent on the provider’s methodology. While such differences exist they may be misleading. Some firms may have inflated values because they have received a given rating which may be unjustified (if this is disproven their share price may drop swiftly). In addition, the general wall of money behind ESG investing may lead to inflated valuations for given firms.

Are the current ESG evaluation systems robust or clear enough to deliver what they promise? 

There does tend to be somewhat of a lagged effect to ESG reporting, so therefore you don’t really necessarily always have real time indicators. It can also be quite a scattered reporting system, with some elements delivered to places like the Global Reporting Initiative, others to different agencies and so on. 

The analysis itself can also be difficult to quantify. The environmental ratings have been out there a bit longer and have their own reporting requirements, so that is probably getting easier to understand. The governance side is something that everyone would have looked at anyway for a relatively long period of time, though governance analysis can also come down to a subjective opinion. I think the big piece with ESG at the moment is much more the Social factor and that becomes a lot more difficult to quantify or apply a rating. 

What kind of changes can you see happening to ESG assessment and regulation?

Potentially having a centralised system to order and standardise the approach where everybody agrees as to what should be reported, that could be a way forward. Though some things will remain difficult to assess using existing technology and will still suffer from the lagged effect without being monitored in real-time. 

There is definitely a case for more consistent evaluation in the future, in the form of real-time analysis or annual assessments. We could well see a move towards a more broad, consistent ESG reporting basis where companies, particularly supply chains for larger organisations or those in sensitive industries are monitored more closely with a kind of ongoing analysis. Annual or regular industry wide evaluations may also be commonplace in the future where firms are required to complete assessments. 

Can Open Source Intelligence help the ESG decision-making process? 

As ESG data is generally lagged, open source intelligence could definitely help if indicators can be compiled on a more real time basis, potentially using NLP services like Neotas. I’ve heard it said previously that there’s not sufficient data out there. I would actually argue sometimes there’s actually too much data that’s washing around, but how material is the data that’s being used and how often is it being reported?

Do you feel the issue could be with self-reporting? 

There are definite issues with self-reporting. Are firms likely to divulge information that could harm their reputations? I think there’s a grey area there with respect to what they will report and how much that’s actually being fully audited. If these assessments are being reduced to box-ticking and that’s never audited, you’re reliant on complete honesty from organisations whose number one interest will always be self-preservation.

Issues around ESG often aren’t black and white. Sometimes they’re more subjective. Is it harder to quantify the analysis because of that? 

It can be subjective and that makes it difficult to rate. It’s easy to suggest a system like credit ratings but with credit ratings we have a balance sheet, income and debt figures to compare it to. What we’re assessing with ESG has previously been more difficult to quantify and that’s where technology can help. Using tools like open source intelligence, identifying clear risk indicators and monitoring consistently to highlight any issues can help solve this issue. 

How would you describe best practice for ESG when it comes to due diligence? 

Driving further standardisation around the process and ensuring that companies are reporting material information rather than reporting a lot of irrelevant information to many different providers is key. Best practice should probably include:

  • Evaluation of a business’s material ESG risks, liabilities and opportunities
  • Benchmark ESG policies, practices and performance against industry peers and sector best practice
  • Consideration of compliance with local regulations and international treaties
  • Understanding of the elements driving a company’s ESG performance and how they could affect its brand value, relationships, reputation, and trust.
  • Evaluate potential liabilities to determine effect on costs and cash flow

If you would like to discuss ESG, corporate governance or any sustainability checks with our team, please schedule a call here. Find out more about lowering your investment risks using open source intelligence here.

Brendan’s new book ESG Investing for Dummies is available to order digitally or in paperback now.



Why Corporate Background Checks Could Be The Key To Building Company Culture


Armstrong Wolfe Conduct & Culture Summit

In April this year, Armstrong Wolfe held their Conduct & Culture Summit, inviting senior executives from global organisations to discuss and learn about conduct and culture. The summit featured a host of senior figures from international firms, industry experts, academic leaders and more. 

The core message of the three day event was how to build, sustain and nurture a prosperous culture within an organisation, while navigating the everyday challenges of running a business. With panels discussing leadership, threat management and governance issues, the event was undoubtedly a valuable learning experience for those in leadership roles. 

But what is culture? Why is it important for businesses? Let’s take a look.

How do you define culture?

We define culture as the way things get done on a day-to-day basis. It’s the heart of the business, the connection of the employees to the work and to their team members, it’s the management structure and much more.

It would be easy to dismiss it as an intangible, especially in industries that are so reliant on data to make decisions. This couldn’t be further from the truth. While it may be difficult to measure emotion, staff satisfaction has clear and direct links to productivity, profitability and overall firm performance.

Why is culture important?

A study by LSE found a strong link between positive employee emotion and firm performance. Higher levels of employee satisfaction typically meant more productivity, meaning a higher overall performance for the firm and thus greater profits. 

A similar report by the Harvard Business School describes the impact a positive and effective culture can have when measuring performance across an industry. The report suggests that having an effective culture can account for up to half the differential in performance between competing organisations. Staff wellbeing is a competitive edge.


 

Understanding People Is The Key – Putting Behavioural Science To Work

At the Conduct & Culture Summit, David Lean, Chair of the Association of Online Due Diligence (AFODD), joined David Grosse of HSBC, Helen Hughes-Green of Standard Chartered Bank and Pierre Pourquery of EY UK Capital Markets to form a panel of experts. The panel was hosted by Armstrong Wolfe’s Maurice Evlyn-Bufton, who posed the question: “can behavioural science deliver on its promises?”

One of the core takeaways, perhaps, was the importance of elevating character alongside competence: valuing a person’s behaviour and attitude alongside their skillset and aptitude.

They asked – how can we learn from behavioural science to create thriving, positive cultures within our organisations? Are these practices being considered enough or is there still more to do?

There is certainly a case for applying these theories to business practices like recruitment, onboarding and on-going monitoring of workplace culture.

What is crucial when analysing behaviour is helping people avoid making assumptions based on a limited amount of information, such as a CV, skills-based questioning, or the small number of interactions you may have had with a candidate to date. The important question to ask is: does that information say anything about this person’s behaviour, or is it purely skills assessment or box-ticking?

Quote From David Lean, Chair Of The Association Of Online Due Diligence.

 

Building and Protecting Culture

Building, managing and maintaining a positive atmosphere is a delicate balance. While superficial staff benefits may foster short term positivity, long term solutions are needed to ensure productivity is high and staff turnover is low.

When it comes to your people, if you want to establish a proper culture you have to understand what makes people tick, then build around it.

Proactive management of this situation can come in many forms. Two of the most effective ways to nurture this position are:

  • Recruitment and onboarding – effective screening of a candidate’s character as well as their competencies to ensure that they are a) fit for the role and b) fit for your organisation and existing team members
  • Reviewing existing personnel and practices – regular, critical reviewing of current culture and leaders to ensure that a positive atmosphere is being developed and teams are at their most productive

Proactively addressing these issues and avoiding poor decision making are critical in nurturing this situation.

Proactive Culture Management – Recruiting People, Not CVs

There is no substitute for effective screening when it comes to recruitment and hiring the right people.

When you follow typical hiring practices, you may go to an agency, receive and review a shortlist, interview, run traditional corporate background checks, then you’ve narrowed it down. 

On paper this person has the experience you were looking for, the skills to thrive in the role and looks like they have all the attributes to succeed. What you may not know is that they have an explosive temper, spend every evening sharing explicit content on the internet, or boast about doing drugs on the weekend. The person is not the CV and cannot be found in traditional background checks.

Existing teams and structures should also be considered in hiring decisions. Having invested time and resources into building a comfortable culture, the wrong new hire could be like a grenade to that space. 

The impact of making a bad hiring decision isn’t restricted to just the costs associated with the recruitment, hiring and eventual removal of that individual. Loss of productivity, lack of leadership and staff turnover could all contribute significantly to financial and cultural damage within the organisation.

Enhanced screening of candidates including social media and online reputation screening will help inform decision makers with real world data. While we have established it’s difficult to quantify emotion, online data can now be used to interpret more of a person’s character by assessing it against real-world risk indicators: violence, anger, explicit content, discriminatory behaviour and more. 

“Why is it that in existing corporate background checks, we only ever check new hires for the sort of behaviours that affect work? We don’t check for the sort of behaviours that affect culture and most industries don’t screen their existing staff.” – David Lean, Chair, AFODD

Proactive Culture Management – Internal Review

Consistent review of existing staff and practices is another tool to use to help build strong corporate culture. While making the wrong new hire could impact teams negatively, it’s important to consider internal risks as well.

If staff turnover is high, then look for the consistent piece of the puzzle. Is the leader of a team still there while their juniors are regularly leaving? LSE found employee satisfaction to have a substantial positive correlation with customer loyalty and a substantial negative correlation with staff turnover. It’s easy to screen new staff, but it is not always considered that the issue could be coming from within.

For industries regulated by the FCA, Senior Managers undergo scrutiny as part of the SMCR Fit & Proper Test. The annual test assesses whether senior managers are fit for their role and can include a review of their honesty and integrity.

Strong Company Culture Means Positive Staff And Higher Productivity.

 

The Bottom Line – Using Resources Properly

Annually, firms spend millions to encourage workplace culture, often overhauling every few years to realign to company beliefs or correct the damage of a bad decision. What if that money could be saved? What if we could stop the rot from the inside out?

Using what we can learn from behavioural science could play a crucial role in halting this cycle. Understanding people and their suitability, not just skills and competencies will help inform good decision making. 

For recruitment, effective screening using all of the data available will lower the risks of a bad hire and the negative repercussions that come with it. In this case, the potential momentum that is lost for internal teams is just as significant as the person who comes in and destroys it. The bad egg will be removed eventually but it’s hard then to build a sense of calm and unity in a team that may have faced significant disruption.

When it comes to screening internal teams, it’s easy to see how this principle could be extended to other industries beyond financial services. Firms regularly reviewing senior management are more likely to spot opportunities to optimise organisational structures and minimise threats before they are damaging.

If you would like to discuss online reputation screening, corporate background checks or senior management screening with our team, please schedule a call here

Neotas Social Media Background Checks

With Neotas, you get a holistic view, uncovering hidden risks, and ensuring compliance. We navigate cultural nuances and evolving trends, providing you with invaluable insights.

Our cutting-edge AI-based Social Media Checks and Social Media Screening solutions, backed by human expertise, ensure comprehensive and accurate screening with zero false positives.


COVID-19 Impact Leads To Increased Fraud Risk


What Impact Has Coronavirus Had On Enhanced Due Diligence?

In what’s been a year like no other, we have seen the significance of the impact of the COVID-19 pandemic on all aspects of the business world. 

Many traditional business practices have been completely overhauled as global restrictions introduced huge limitations on travel, face-to-face meetings and office based working.

With uncertainty, comes risk. As organisations have been forced to adapt and evolve with the changing environment, the opportunity for risk becomes even greater.

There’s never been a more crucial time for having the full picture in front of you than right now.

 

Impact of COVID-19 on Due Diligence

The unprecedented nature of the last year means that it can’t be considered a typical year for most institutions. While some industries may recover quickly, others will face a longer road back to normality. As a result, the impact of “the new normal” on a business may need to be adopted as part of reasonable due diligence processes.

Making matters more tricky is the inability to offer in-person visits or assessments due to social distancing restrictions. With more checks being completed virtually, firms are now considering all of the tools at their disposal to get a full understanding ahead of a deal.

In a recent guide to the changing nature of the due diligence process during COVID, Deloitte shared a number of useful tips to look out for:

  • It is important to remember confidentiality issues: Due Diligence processes are sensitive and require confidential data handling
  • Engage and access the right people: Information that arrives quickly and in good quality is essential

Here, Deloitte highlight the importance of using third party due diligence providers to ensure confidentiality and quality of information. While the landscape keeps changing, cutting corners will only increase the risk of foul play.

KPMG predict a significant wave of covid fraud cases following the pandemic

Global Uncertainty Sees COVID Fraud Risks Soar

The disruption and uncertainty of a global pandemic is a potential breeding ground for fraudulent activity. The ongoing unpredictability of the situation makes it harder to spot unusual activity as businesses are forced to improvise.

KPMG’s Fraud Barometer signalled that although the overall figure for reported and tried fraud cases dropped in 2020, there is a “tsunami of fraud” on the way for 2021. This all comes as the court systems attempt to catch up with the backlog of cases.

Opportunistic attackers have taken advantage of the uncertainty, particularly of the dedicated coronavirus support on offer to businesses. 

In December 2020, figures published showed that over £45m in “bounceback” loans had been granted to businesses by the lenders, underwritten by the UK government. Early conservative estimates suggest at least 1% of these loans were taken out fraudulently. With repayments due to begin from April 2021, the true figure will be revealed soon.

PwC have reported a spike in false positives for financial institutions, as their software learns to deal with the changing circumstances. Even compliance systems with machine learning capabilities are struggling to adjust to what would appear to them to be unusual behaviour. This makes filtering out the real red flags even more difficult.

Organisations are under increasing pressure to make decisions first and ask questions later, as they evolve with the changing landscape. It’s easy for business practices like supplier controls to be bypassed and important due diligence questions missed. 

 

Internal COVID Fraud Risk On the Rise

Over the past year, we have provided thousands of open source background screening checks as part of our enhanced due diligence services. While every case is different, and confidential, we have noticed data trends suggesting activity such as internal fraud is on the rise.

A recent case of operational due diligence uncovered fraudulent activities with two parties trading internally to inflate their books. Our deep web network analysis uncovered links between the companies including shared directors. Trading was taking place in a perceived effort to inflate their books as a way to appeal to potential investors.

With the true financial impact of the pandemic still being felt worldwide, businesses are seemingly turning to illegitimate practices in order to stay viable. 

Fraudulent behaviour continues to thrive during COVID with our due diligence data suggesting there are two clear trends:

  • Existing fraudsters continue to operate, with opportunistic attackers looking to exploit the current uncertainty
  • Traditionally sound companies are being forced to improvise – sometimes resulting in fraudulent behaviour

 

Post-COVID Risk Management

So how can businesses manage the ongoing increased risks in a post-COVID world?

It’s fair to expect some changes to business practice to be interim, while others will be around in the longer term. Ensuring staff are aware of the heightened risk is a start, with clear education about the different opportunities for fraud or non-compliant behaviour.

Adapting risk assessments to reflect “the new normal” and to adopt some of the virtual tools that have likely been introduced is another important step.

But what about detection? What can be done to identify risk?

The key is to ensure businesses are using ALL of the assets that are available to them. 

KPMG have highlighted the need to adapt due diligence processes to the changing landscape. They flagged the importance of using publicly available information sources as part of their recently shared Differentiated Diligence document. The report suggests supplementing existing due diligence practices with new technologies to reduce risks. Social media is suggested as one of the key differentiators for effective due diligence post-COVID. 

In a world where you can’t meet people face to face, tools that help uncover the history, behaviour and attitudes of the people you’re dealing with become more crucial.

Our enhanced due diligence services combine machine learning, AI and human analysis to eliminate false positives. Using only publicly available data, we’re able to paint a full picture of the “people risk” of any deal.

Arrange a call with our team today to discuss your business’ changing needs due to COVID.

The Truth About Social Media Screening and GDPR


One of the most common questions we get asked is how our searches comply with GDPR. In particular, there are always questions around privacy, data protection and social media screening. Our searches are fully compliant and are always updated to reflect any changes in regulations – but questions are always asked once social media is added to the checking process.

Here are some common questions we get asked:

  • Do you need consent under GDPR to run these checks? 
  • Are social media checks common practice?
  • Can the candidate see their report?
  • While I need to manage risk / comply with regulations, I don’t want to be intrusive…

Here’s a breakdown of current regulations, the risks of running checks internally and tips on how to stay compliant.

International Social Media Screening

Social media screening as part of background checking has existed in some form since the platforms began and recent studies suggest their deployment is only going to increase.

The US government introduced a new visa procedure in 2019 which demands foreign visitors applying for working visas to disclose their social media accounts on their applications. They see social media as a reliable and valuable way to review a person’s behaviours and attitudes, beyond just database or box-checking exercises.

The US has so far been at the forefront of driving social media background screening to become commonplace for high risk roles. Recently, the armed forces screened their troops ahead of the presidential inauguration and the Washington police chief is suggesting they do the same for their officers.

With the use of social media screening growing, the need for a consistent, regulated approach is obvious.

What are the data protection laws when it comes to social media?

Data protection laws are different all around the world, so the complexities change depending on the jurisdiction. The EU, for example, takes data protection very seriously and in 2018 brought in the GDPR.

We’re all familiar with the basic ins and outs of the GDPR by now and the hefty fines that can be given out for breaking these rules.

Specifically relating to social media, the GDPR states that employers should notify candidates before viewing their social media accounts unless they have a lawful basis for processing data – such as consent or legitimate interests. It goes on to state that employers should only take into account data that is relevant to the role.

Article 29 of the GDPR (5.1)

As a third party background screening provider, at Neotas we have “legitimate interest” to perform these checks for business purposes, as requested by our clients. Our reports only include role-related risks and our policies are consistently updated to reflect changes in legislation.

Many data protection authorities have supplemented the GDPR guidance with additional advice in relation to social media screening. This can include:

  • Screening to be conducted as late as possible in the recruitment process (to avoid the opportunities for human bias)
  • Candidates should be made aware of any screening that will take place and how it will be conducted
  • Only accessing publicly available information
  • Screening levels being proportionate to the seniority of the role

The overall guidance here is clear:

  • Only review relevant, role-related data
  • Ensure that protected characteristics remain protected
  • Only process data if you have a lawful basis for doing so

 

Guide to social media screening - always use a third party background screening provider

Guide to social media screening - don't run social media background checks internally

The Risks of Internal Social Media Screening

The risks that come with carrying out social media background checks in-house are significant. By combing through a candidate’s social media accounts, protected characteristics (such as race, sexuality, political stance) are unintentionally revealed to internal staff. 

Whether intentional or not, it’s both illegal and unethical to make hiring decisions based on these characteristics. Internal staff are left exposed to potential accusations of unconscious or discriminatory bias, accusations that could prove costly in any legal proceedings. It would be difficult to legally argue that discriminatory bias hadn’t taken place if staff were exposed to personal data for potential new hires.

Using Third Party Background Screening Providers

Using a third party background screening provider is the best way to avoid these risks and the financial or reputational damage that can come with them.

While they may mean well, internal staff are less likely to be trained in data handling and may be less aware of the stringent GDPR practices that must be followed.

Third party providers like Neotas are externally audited, regulated by industry standards and often hold external certification to process sensitive data. At Neotas, we are:

Alongside the technical certifications, third party background screening providers are completely objective. Providers like Neotas have zero hidden agendas and we only ever present relevant, role-related risks in our reports. Our role is to demonstrate that the candidate meets the level of honesty and integrity expected of their new position.

Lastly, the technology used is cutting edge, capable of processing data at hugely efficient speeds. Our AI and machine learning technology processes vast quantities of data, highlighting potential risks before context is applied by objective human analysis. This way, protected characteristics remain protected and candidates need not worry about their new employer seeing old holiday photos.

You can find out more about pre employment social media screening, or online reputation screening here. Alternatively you can build a no-obligation quote using our brand new pricing tool.


Social Media Background Checks – Do’s & Don’ts for Employers


Neotas Social Media Background Checks and Social Media Screening

At Neotas, we understand the importance of conducting thorough and compliant Social Media Screening Checks, and our team of experts is dedicated to ensuring that the process is safe and reliable. Receive accurate and up-to-date information while complying with all relevant regulations, including GDPR and FCRA. Our advanced OSINT technology and human intelligence allow us to uncover valuable insights that traditional checks may miss.

 


What Did We Find In 2020?


Risks hidden in plain sight 

2020 proved to be a truly remarkable year globally, with all industries feeling the impact and repercussions of the pandemic. Throughout the year, we provided thousands of objective background check services, from pre employment background screening through to a host of third party due diligence services.  

While the exact results of course remain strictly confidential, here’s a sneak peek into some of the data trends and highlights from an unprecedented year.

 

What is included in a background search? 

First of all, let’s establish what’s included in our searches. Our background check services scour the web for an individual or organisation’s full digital footprint, from surface level through to the deep web. 

Standard background checks like DBS checks can be limited to just checking databases, while we go a step further and leave no stone unturned. For HR & Recruitment purposes our pre-employment background checks can look into employment and education histories, criminal activities and social media screening. 

A Neotas third party due diligence search often includes all of the above, plus checking against international PEP & sanction lists, investigating business networks and a host of anti-fraud checks.  

Whether it’s cross referencing employment data with digital records, or assessing international networks or criminal links, there’s no time or jurisdiction limit on our searches. 

 

How are we able to search for this? 

Our enhanced due diligence methods combine proprietary AI technology with machine learning and expert human analysis. We’re able to identify business risks that wouldn’t appear in other searches. 

Simply put – we process more data, from more sources than traditional searches.   

Neotas found up to 30% of background check cases displayed medium-high risk behaviours in 2020

 So what did we find in 2020? 

To be brief – a lot.  

Nearly a third of cases through 2020 uncovered medium-high risk behaviours, warranting further investigation. So what types of behaviours do these include? 

  • 3-5% display red flags
    Red flags highlight high-risk behaviour for serious indiscretions such as inappropriate or sexually explicit content, substance abuse, violence, racism, PEPs or previous sanctions.

 

  • 20-25% display amber flags
    Amber flags refer to medium-risk behaviour that may be inappropriate but needs further investigation, such as employment or education inconsistencies, adverse media or undisclosed directorships.

 

  • 70-77% display green flags 
    Green flags return no obvious indiscretions. These cases are verified and the suitability of the candidate or deal is confirmed. 

 

The Top 5 red flag behaviours found by Neotas in 2020 include violent conduct, discriminatory behaviour and adverse media

What is Red Flag Behaviour? 

Up to 5% of cases displayed what is determined as a serious, or red flag, risk. Neotas searches all publicly available data from financial & tax records to social media accounts. As a result, red flags can vary from serious undisclosed financial conduct to consistent patterns of discriminatory behaviour. 

Our recommendation would always be to investigate these behaviours further and likely take action to lower the risk of financial or reputational damage. 

Download the full report to reveal the most common red flag behaviours. 

Headline cases found in Neotas' background checks in 2020 include a fraudulent CEO, racist COO and criminal Founder

Headline Cases 

We would never reveal exact case details, and all of our reports are held to the highest data protection standards. These are some anonymised examples of the most serious types of case discovered in 2020:

  • A founder CEO who boasted about having defrauded his public sector client and threatened exiting staff with violence 
  • A COO who needed to be removed for consistent racist and misogynistic abuse of staff  
  • A founder who rewarded their salespeople for dirty tricks against clients by sharing cocaine 

 

What is Amber Flag Behaviour? 

Up to 25% of cases displayed consistent behaviours that could pose potential risks to businesses or individuals. While not all of the behaviours flagged here lead to further action or qualify as red flags, our human analysts apply context to the findings and highlight those that warrant further investigation. 

Although amber flags may not appear as serious as red flags, they still pose serious potential risks. The most commonly flagged behaviours include employment inconsistencies, links to explicit content and undisclosed directorships – all of which come with the potential to escalate into a costly or damaging situation.

 

2020 Insights & 2021 Predictions

While global restrictions remain in place and business interactions become more digitised, effective verification and vetting processes have never been more critical. With due diligence requirements also continuing to change year-on-year, it’s crucial to stay ahead of the curve and use all of the resources available.

Vero Screening recently published their predictions for employment screening trends in 2021. They predict that social media background checks in particular will become a critical part of the screening process as the workplace becomes less familiar amidst the ongoing restrictions.

In 2020, nearly a quarter of cases reviewed highlighted a potentially serious business risk, so the need for thorough checks is clear. Third party due diligence and employment background checks lower risks by being both objective and comprehensive. Only with this added security can a business move forward with an investment or potential new hire with confidence and peace of mind.

We would love to chat to you about your enhanced due diligence, investment risk management or social media screening needs. Please feel free to schedule a call here. Alternatively, you can build a no-obligation quote using our pricing tool here.

 


OSINT Background Check – What Makes An Expert Background Check from Neotas Different?


We are experts in background screening, from pre-employment online reputation checks to online due diligence for financial institutions. But background checks are nothing new, right?

We know that there are lots of companies providing different types of background checks out there, so why are ours different? Here’s why…

What is covered in a standard background check?

Everyone in recruitment for high-risk roles has to run standardised background checks and regulators require due diligence for financial services organisations. But what are these standardised checks and are there any weaknesses?

Typical background screening can include any number of elements, including criminal (DBS check) and credit checks, references, qualifications and employment history, PEP & sanction list checks and media database searches. The issue with traditional background checks is that they’re limited by their very nature.

References, qualifications and employment history are all easily falsified while many of these checks, while effective, simply tell you whether a company or individual appears on a database or not. It’s a straightforward exercise that isn’t always robust or complex enough for properly identifying risk.

A DBS check, for example, is limited to show only crimes committed and convicted in the UK. What about international crime or migration? How much does it tell us about a person’s personal behaviours? What if there are non-convicted crimes from their past that could pose future reputational risks?

Then there are the issues around manual, in-house checks. These are often time consuming and resource draining, and they run the risk of bias. Exposing internal staff to bias, or accusations of it, could be seriously damaging to any organisation.

Read more: 5 Industries that should be doing more than a DBS check

So what do Neotas do differently?

As experts in background screening, we produce reports that are completely objective and all-encompassing. Best of all, they are supercharged by incredibly advanced technology. We use OSINT (Open Source Intelligence) to go beyond our competitors and the services listed above, into data that isn’t covered in standardised checks. We paint a complete picture.

The Neotas methodology leverages open source intelligence by combining proprietary algorithms, machine learning, natural language processing, and human input to investigate individuals and entities in core risk areas.

Open source data isn’t exclusive to Neotas. It’s publicly available and everyone has access to it – but only experienced industry specialists like us have the skillset and technology to unlock it fully.

Best of all? We’re able to guarantee results at a fraction of the cost and in a much faster timeframe than traditional risk consultancies.

“Our results continually show that we are providing more information than any other screening system out there” Ian Howard, Founder, Neotas

Do enhanced checks replace standard background screening?

We don’t replace existing checks, we supplement them and enhance the results. The traditional checks listed above all have their strengths and many remain legal requirements for certain roles or regulations.

By supplementing standardised checks with OSINT, we uncover 100% of publicly available data, from surface level (search) through to the deep and dark web. In contrast, typical online or desktop search facilities can only account for 4-6% of available information. 

This process enables Neotas to accurately report on the character, behaviour, networks and risks associated with the subjects it investigates and highlight critical information that is not identified by the traditional desktop tools. Using OSINT provides a richer, more complete profile of real people – not just database results.

Figure: Iceberg image showing that only 4-6 percent of data is hosted on the surface web, with the rest stored in the deep and dark web.
Figure: Iceberg image showing data included in OSINT web searches, including the deep and dark web.

Are Neotas background checks compliant with all regulations?

Our searches and results are all completely in the public domain. All searches and results are fully compliant with GDPR and all other regulatory requirements. That’s guaranteed. So what are the expectations for the regulators?

The regulators, including the FCA, expect any information in the public domain to be used in risk-based decisions. In these cases, lack of knowledge would be hard to defend when the data is so readily available.

Organisations such as Thomson Reuters and LexisNexis collate adverse media data from sources like news websites, online search and sanction lists. Our definition of “media” takes that one step further. 

We collate information from the full digital footprint of a business or individual, including social media. This advanced definition of media is crucial and continues to evolve all the time. With new mediums constantly developing, it’s critical that background screening stays relevant this way and continually adapts to include new channels.

Read more: https://www.neotas.com/pre-employment-checks-what-should-you-be-doing-in-2021/

Is social media screening ethical? Do background check results stay private?

Privacy matters at Neotas. Our reports ensure that protected characteristics stay protected. As a third party, we will objectively review a lot of information, but only the incidents flagged as risk indicators will be reviewed. We only include relevant data in the report.

Our role will only ever be to demonstrate that a candidate or business meets the level of honesty and integrity expected, then highlight any points of concern. 

“… using Neotas allows us to cover potential risks more thoroughly at lower cost to our clients.” Mike Hicks, Founder, Catalysis Advisory

What is shown on a background check report from Neotas?

Our reports are clear, concise and always supported by clear evidence. We identify risk indicators using a traffic light system. “Red flag” behaviours indicate serious risk, “amber flags” show potential risk that may warrant further investigation. A “green flag” shows minimal risk and confirms the suitability of the candidate or investment.

In all cases, the crucial element for a Neotas search is the context we provide. In due diligence cases, our report provides detailed evidence and an audit trail – including source, screenshot and relevance. We assist clients by providing a framework to help with their decision making processes, ensuring that AI powers the search but our clients make the final risk decision.

For HR and Recruitment, context is equally important. Our HR and Recruitment reports highlight clear risk indicators like abusive or discriminatory language, violence or undisclosed criminal behaviour. We search only for role-related risks and behaviour patterns; reports do not display personal, sensitive information or content.

Figure: Online background check that uses advanced technology including machine learning, artificial intelligence and expert human analysis.
Figure: Online reputation screening from Neotas supplements traditional background checks and reference checks with social media screening.

How is a Neotas search more advanced than standard background checks?

Our signature blend of AI, machine learning and human analysis means we can process data at a hugely efficient rate while producing the highest quality search results. This technology drives all of our searches and is one of the main reasons why we’re able to provide high-end checks both faster and in a more cost efficient way than our competitors.

Although Neotas searches are powered by advanced technology, human analysis remains critical to what we do. Qualitative analysis of reports ensures all results are fully contextualised and that only clear risk indicators are included.

Can Neotas provide international background checks?

Harnessing this advanced technology makes it possible to interrogate unindexed and unstructured information across global data sets and languages, with zero false positives and on an unlimited timeline. 

Using in-house skills and machine translation tools, our searches are able to process data in over 200 languages. We provide enhanced due diligence across global jurisdictions, removing the limitations of traditional criminal or background checks that may only investigate localised or regional databases.

In practice, this technology enables us to identify international aliases, networks and financial data in a rapid turnaround time.

What bodies regulate Neotas background searches?

As a member of AFODD, we guarantee to provide results that have been obtained entirely within the law through access to publicly held information. The rigorous membership criteria ensures that services are held to the highest standards, providing confidence to organisations who want to use internet searches for pre-employment, due diligence or KYC purposes.

Figure: Neotas are a member of AFODD, are GDPR compliant and have ISO 27001 certification for data handling.

Alongside AFODD, we hold ISO 27001 and POSS (Personnel Online Screening Standard) certification. ISO 27001 is the highest international standard for managing information security. POSS guarantees that our DD searches are carried out by qualified experts, with consent, and fully in line with UK data protection laws. 

How will these background searches protect your staff and reputation?

Accusations of bias, whether conscious or unconscious, can be damaging to any organisation or individual. The real risk comes when these checks are conducted internally. Internal checks leave compliance personnel and recruitment managers exposed to accusations of bias when reviewing potentially sensitive data.

Legally, it’s hard to prove an organisation didn’t use the information seen by an employee to inform any decision. That is, in the event of a claim, it may be assumed that if you accessed information, you used it to inform your decision. Outsourcing removes this possibility. Neotas are able to process vast amounts of data objectively, only presenting the relevant, risk-based results.

Do you only background check suspicious profiles?

Up to 25% of our cases in 2020 identified at least an “amber flag” within the report, with up to 5% displaying more serious “red flag” behaviours. With a quarter of cases needing further investigation, deeper analytical insight is clearly critical for safeguarding businesses and improving decision making.

Equally important is that 75-80% of cases return “green flags” – confirming the suitability of a candidate or investment. This confirmation can act as a final seal of approval on a potential investment or hiring decision and comes with a guarantee of zero false positives.

Figure: OSINT background check process.

Here’s the Difference

We have the benefit of being experts in background screening and, ultimately, our role is to bridge the gap between the information that’s available and the information that’s leveraged for risk-based decision making. The data itself is useless without the tools, insight and deep industry expertise to analyse and contextualise it. That’s where Neotas make the difference and that’s what sets us apart.

We harness proprietary advanced technology to provide insights that are high quality and hyper-accurate, all while keeping costs low. We guarantee to lower risks and improve decision making, that’s the real difference. 

OSINT Background Check

An OSINT (Open Source Intelligence) background check is a comprehensive investigation process that utilizes publicly available information from various online sources to gather insights and details about an individual, organization, or entity. OSINT background checks are commonly employed by businesses, government agencies, law enforcement, and individuals to obtain information for purposes such as due diligence, risk assessment, employment screening, and security measures.

Through OSINT background checks, a wide range of digital platforms, social media networks, news articles, public records, and online databases are analyzed to compile a comprehensive profile. This profile can encompass personal details, professional history, affiliations, relationships, online behavior, and any relevant public information.

The process involves systematic data collection, analysis, and synthesis of information from diverse online sources. This data is then evaluated and verified to create a comprehensive overview that aids in making informed decisions or assessments.

OSINT background checks offer several advantages:

  • Cost-Effective: OSINT relies on publicly accessible data, reducing the need for extensive financial resources.
  • Efficiency: With the vast amount of information available online, OSINT background checks provide a swift and efficient means of gathering insights.
  • Non-Intrusive: Since the information is publicly accessible, OSINT background checks do not involve intrusion into private spaces.
  • Holistic View: OSINT amalgamates information from diverse sources, allowing for a more comprehensive and well-rounded understanding.

However, OSINT background checks also have limitations:

  • Limited Accuracy: Information obtained may not always be accurate or up-to-date.
  • Privacy Concerns: Depending solely on public information may inadvertently intrude on an individual’s privacy.
  • Data Interpretation: The process requires skilled analysts to accurately interpret and synthesize data.

While they offer an efficient and cost-effective means of gathering intelligence, careful consideration of accuracy, privacy, and data interpretation is essential. OSINT background checks harness the wealth of information available on the internet to provide insights that aid in making informed decisions.

 

Manage Business Risk with OSINT.

Neotas is an Enhanced Due Diligence Platform that leverages AI to join the dots between Corporate Records, Adverse Media and Open Source Intelligence (OSINT).


International Fraud Awareness Week – What can we do to help stop fraud?


“Fraud and deceit are anxious for your money. Be informed and prudent”.

– John A. Widtsoe

 

International Fraud Awareness Week

Neotas have joined the global effort to minimise the impact of fraud by being a supporter of International Fraud Awareness Week (IFAW). IFAW, or Fraud Week, is celebrating its 20th anniversary this year and is organised annually by the ACFE, the world’s largest anti-fraud organisation. 

Throughout the week, supporting organisations and individuals share resources and engage in conversation online, in an effort to proactively fight fraud and help safeguard businesses from this growing problem.

 

Rise in Fraud Cases

In their 2020 Report to the Nations, the ACFE compiled data from 125 countries to help explore the costs, schemes, victims and perpetrators of fraud. Alarmingly, amongst their findings they discovered that companies lose an estimated 5% of their revenue annually due to fraud. 

A recent BBC investigation also highlighted how fraudsters had hijacked the government’s Bounce Back loan scheme, resulting in potential taxpayer losses of up to £26bn through fraud, organised crime or default.

Figure: Fraud awareness infographic showing a thief stealing a password from a laptop, with the statistic "85% of fraudsters displayed red flag behaviours while committing their crimes".
Figure: Fraud awareness infographic showing a suited man sat on a pile of gold, with the statistic "42% of fraudsters were shown to be living beyond their means".
Figure: Fraud awareness infographic showing a suited man being arrested, with the statistic "Just 12% of fraudsters are caught and charged".

*The ACFE, Behavioral Red Flags of Fraud, 2020

Anti-Fraud Measures

The ACFE’s Report to the Nations (2020) found that just 12% of fraudsters are being caught and convicted. As a result, it’s important to identify robust, future-proof tools for trying to safeguard businesses and individuals from the risk of fraud.

Alongside internal measures like employee training and procedure updates, effective background screening can play a crucial role, whether it’s pre or post employment, or as part of due diligence checks. This is where the power of OSINT comes in.

 

Enhancing Existing Searches

Search engines reveal just 4-6% of available data, while traditional background checks like DBS or credit checks are limited by their very nature: they only identify whether a subject appears on a set of specific databases. Our OSINT specialists are able to scour 100% of open source data in over 200 languages, leaving no stone unturned.

Using a combination of machine learning, AI and human analysts, Neotas are able to identify “red flags” for fraudulent behaviour within a matter of days – potentially saving individuals or organisations from the risks and harmful nature of fraud.

Through Enhanced Due Diligence, we recently uncovered a subject who had hidden a past conviction for fraud worth over $50m. Having changed their name and moved to the UK, they had escaped traditional customer due diligence but by supplementing these checks with OSINT, we found a network littered with criminal ties, bribery and corruption. Only through these insights were we able to help protect our client and their business.

Working alongside traditional checks, these enhanced methods guarantee to paint a full picture and lower the opportunity for fraudsters to take advantage. Get in touch with our experts if you would like to know more.

_______________________________________________________________________________

Our team of experts have continued to educate themselves on the latest anti-fraud measures, including taking part in seminars throughout the week and competing against each other with the Fraud Week trivia quiz.

 

Fraud Week Trivia

To support Fraud Week, we posted daily trivia questions through social media using the official hashtag #FraudWeek:

  • 89% of responders answered correctly that 5% of revenue is lost annually to fraudulent behaviour
  • Two-thirds of responders knew that 54% of organisations don’t recover any financial losses when falling victim to fraud
  • Nearly 75% of responders believed that strengthening internal controls would reduce a fraudster’s opportunity to commit fraud
  • Just 27% of responders knew that 39% of fraud is detected through tips, with the remaining answers all opting for lower percentages
  • When it comes to identifying fraudulent behaviour, a quarter of responders felt that missing funds was the key indicator, while the remaining majority believed it to be a combination of missing funds, lack of policies & procedures and missing documentation

Based on the results, responders overwhelmingly recognised the financial impact of fraud. The results were more varied when it came to identifying fraudulent behaviours and the ways to prevent them moving forward. What is clear is the need for the continued development of future-proof anti-fraud measures like training and robust, technology-driven background screening.

We’d like to say a big thanks to everyone who took part.

For more resources and more information on Fraud Week, you can head here


Pre-employment Checks, What Should You be Doing in 2021?


“83% of hiring individuals have found candidate discrepancies on both CVs and job applications”.

Hire Right, 2020

 

With Covid-19 still prominent and our country facing a looming recession, businesses are facing unprecedented times. As we near 2021, it’s more important than ever that, for those companies lucky enough to be hiring, only the best candidates reach the final stages of application.

Until now, pre-employment checks have been carried out by dedicated in-house HR teams whose aim is to maintain engagement with the future employee throughout the process. Whilst this is a great way to be on first-name terms with an individual by the time they are hired, it can also be a time consuming process for an already stretched department. This can also sometimes lead to missing red flags that pop up throughout the pre-employment check process and lead to an unfavourable hire.  

 


 

A review completed in 2018 here at Neotas concluded that 80% of the HR decision-makers we spoke to had admitted that they had employed an unfavourable candidate when carrying out the entire employment process in-house. What’s more, the individual hired had ended up costing the company the equivalent of 23x their salary. This was calculated from a number of factors, including how high up the individual was within the company, how long they were employed, and any paid training that was undertaken to further their development.

Not only can such individuals cause a monetary loss to the company, but they can also damage a firm’s reputation. It is a difficult loss to calculate, but in such a digital age any potential employee is able to search online for honest workplace reviews of any firm. Potential employees can see discontent within these reviews and decide against applying. Current employees can also see these reviews, which runs the risk of losing good members of the team who develop negative feelings, distance themselves from the organisation and seek employment elsewhere. Essentially, the potential damage to a company’s profile could have been avoided by finding out more about the employee beforehand, a task which can be time-consuming for a small, in-house team.

Another unfortunate outcome of hiring an undesirable candidate can be a reduction in productivity within the established team when faced with the introduction, and prolonged stay, of an unsuitable teammate. This diminishes workforce morale overall and leads to more long-term damage at an unknowable cost.

 

How can individuals escape detection with a pre-employment check?

Although we may know as individuals that lying on an application form or in an interview is something we ourselves would never do, that’s not to say that many, many people don’t embellish on their applications. Even submissions from candidates that, upon first look seem glowing, can unfortunately be misleading and in many cases lead to a bad hire. In fact, leaning towards a candidate on gut instinct alone can increase the risk of a bad hire by up to a huge 50%.

Individuals can ‘improve’ many areas of their work and personal history during the application process to pass pre-employment checks. They make these amendments for a number of reasons, and such amendments are unfortunately not an uncommon occurrence today in the UK.

 

Qualifications

One of the biggest embellishments on CVs today is the alteration of qualifications or grades. This can range from ‘bumping up’ results to match the job specification, all the way to a complete fabrication of a degree. A notable example from 2012 is Yahoo CEO Scott Thompson, who claimed to have a Computer Science Degree from Stonehill College, a college which did not include this particular degree in its course list at the time Thompson would have studied there.

In the digital age we are in, potential candidates can now look to ‘purchase’ their qualifications online. Several online outlets offer the record of a physical degree, without the individual having to take part in an actual course. 

 

Work History

Another area which can be discreetly altered is the employment dates from previous roles. Candidates who may have had temporary roles or taken a career break early on can sometimes think that this may reflect badly on their work history and chances for future employment, especially if a minimum number of years is required for a role. Candidates can also inflate their previous salary, with a job title to match, to give a better impression to a potential employer. Traditional in-house techniques can sometimes get to the bottom of these fraudulent claims. However, by utilising an external pre-employment checks service, such as our Social Media Screening, we can dig even further to get you a full overview of the candidate, for example by checking social accounts for previously listed jobs and showing the resulting discrepancies before you complete the employment process.

 

Right To Work

Applicants can also agree that they have a right to work in the UK, when this may not be the case, leading to a penalty of up to £20,000 for the hiring company.   

 

Criminal Convictions

Often, simple driving offences can be left undeclared during the pre-employment process due to the individual being concerned it would eliminate them from the application process. When this eventually comes to light it can then affect the individual’s chances regardless due to their dishonesty at the time of interview. 

 

References

References can easily be falsified should the potential employee wish to avoid a new company contacting an individual with whom they may have had a difficult relationship. An individual will then list friends or family members as references underneath their previous job history instead. However, it can be hard to investigate this thoroughly with a small HR team.

 

Personal Affiliations

When submitting a CV and cover letter, an individual discusses their work history and qualifications, describing how they apply to the job specification. For many individuals these are 100% truthfully written and in turn the potential employee may seem like the perfect person to hire. However, perhaps one of the most difficult things to glean about a potential employee is not within this document. This important element is how they will conduct themselves during their time with the company, both during business hours and outside of work as a company representative. Even thorough business-related pre-employment checks can give little indication of a potential employee’s outside affiliations.

Knowledge of an individual’s online footprint can be hugely advantageous. This can give a thorough understanding of whether the person has engaged in online content that can be described as racist, sexist, homophobic or listed as terrorist activity. An outside-led enquiry can also investigate circumstances which may be questionable should they be going for a position within financial services. For example, several trips to blacklisted countries listed on their social profiles within a matter of months could be something the company wanted to investigate, but didn’t have the information initially in order to discuss.  

A recent case study we conducted for a client involved carrying out a social media screening on an individual who had passed through both traditional background checks and two interviews. After we completed the screening, the potential candidate was identified as being involved in football related violence and specifically involved in an attack on police officers. The individual was not only actively involved in and promoting sexist, homophobic and racist content and personally attacking other individuals online, he also mentioned several class A drugs in his social media interactions. As a result, the person in question was removed from the application process and reported to Crimestoppers. The outcome could have been completely different had the HR team not contacted Neotas for the Social Media Screening.

“A thorough report was provided with areas of concern and interest that we wouldn’t have found otherwise” – Partner, Executive Search Firm

 

What can you do to avoid an unsuitable hire in 2021?

A study in 2020 showed that over 63% of the applicants checked had lied on their CV. This included 23% in relation to qualifications and 37% editing their previous workplace details. Whilst this can be looked at by an internal HR team through pre-employment checks, the ability to uncover a potential candidate’s personal history outside of their employment is still beyond reach using traditional methods. Even a person who passes the standard background checks can be hiding information that could be potentially damaging to the reputation of a business, the results of which can affect a company of any size. Even CRB checks can only show UK crimes. They do not include instances for which the individual may not have been convicted, and they do not cover behaviour that a hiring company will find goes against their ethos.

This potentially damaging gap in the application process can be avoided simply by giving the hiring team a full picture of the individual in question. Neotas are experts in Social Media Screenings and offer a complete overview of a prospective candidate based on their online presence. The screening looks at individual candidates objectively and offers a summary of information which could affect your company should you choose to hire the individual. The screening is completely objective, removing the possibility of an unconscious bias and lets you make a completely informed decision during your pre-employment checks. It is due to this that we do not recommend conducting these searches yourself and instead outsource to a third party, as this research may lead to an unconscious bias being held by an individual based on lifestyle choices outside of work time.

“Many companies and HR professionals we speak to can’t believe that some of the stories we uncover are real. However, our checks are uncovering highly concerning factors on a daily basis. Sure, it’s only in a relatively small number of cases, but the risk is still severe enough to make it a real concern for anyone hiring in the next 12 months.” – Vipul Mishra, Neotas CEO 

 

We understand it can be difficult to justify the cost of bringing in an outside resource to senior members of a board. However, put plainly, the real question is whether they can afford 4-23x the salary of the individual they are hiring.

Neotas can help you avoid monetary loss, reputation damage and a potential drop in team morale simply by carrying out social media and online reputation screening.

Get in touch today and be ready to recruit with confidence in 2021. 

5 Industries that Should be Doing More than a DBS Check

A Disclosure and Barring Service (DBS) check is a common way for employers to assess the background of a potential employee. Many jobs ask that employees undertake a DBS check to ensure they have a clean criminal record and will not be putting people that they work with at risk.

Industries in which employees are dealing with vulnerable people, and particularly children, however, should arguably be doing more than just a DBS check. These roles can involve positions of power and authority, and when working with vulnerable people, potential employees need to be properly vetted. While a DBS check is a good initial assessment, for certain industries it simply isn’t enough to know that an appropriate person is being hired.

What does a DBS check include?

A DBS check, formerly and still often known as a CRB check, is a check of someone’s criminal record, including any convictions and cautions. There are currently four different types of DBS checks, depending on the level required by the employer:

Basic DBS check

A basic DBS check will show unspent convictions and conditional cautions on the applicant’s criminal record. If you are an individual applying for your own CRB check, this is the only one you can obtain.

Standard DBS check

Most companies that require a CRB check will opt for a standard check, unless the applicant is working with vulnerable people. A standard DBS check reveals spent as well as unspent convictions, and any cautions, reprimands, or final warnings on an applicant’s criminal record.

Enhanced DBS check

This check covers all the same information as a standard DBS check, but the Disclosure and Barring Service will also contact local police for any information or encounters with the applicant they might deem appropriate to disclose.

Enhanced DBS check with barred lists

The fourth and most comprehensive check covers everything in an enhanced check plus will reveal if the candidate is on a list of people barred from working in a particular role.

 

What doesn’t a DBS check include?

  1. All DBS checks are only valid for the country in which they are taken out. If the applicant has ever lived overseas and been convicted of a crime in that country, it will not show on a UK criminal record. Each country has their own system for running criminal background checks, and the employer would need to follow the proper channels within each overseas country to run a check on an applicant who lived there. Of course, if an applicant doesn’t mention living overseas, any convictions held in another country would never be known.

  2. Another drawback of a CRB check is that it only covers convictions, not accused crimes. Many crimes, particularly sexual assaults, go unprosecuted. Some studies show that the prosecution rate of rape accusations is as low as 2% and sexual offences as low as 4% in England and Wales. Many of these assaults go unreported, and can be very hard to prosecute, resulting in such low figures. Someone accused but not convicted of a sexual assault will not have this show up on their criminal record or DBS check.

  3. Most activity on social media is not included in a DBS check. While social media is a personal part of an employee’s life, there can be occasion for it to be reported to the police, particularly in the case of online hate speech rhetoric, which can result in a criminal record charge. Much online activity flies under the radar, however, and is still something to be properly considered for someone’s background check.

  4. A DBS check has no expiration date and is true at the time it is carried out. However, any activity post-assessment will not be included, so it’s usually requested anew for each job application. 

 

Which industries should go further?

A DBS check is of course a good idea for many professions, particularly those that deal with young and vulnerable people. But some of these industries should be doing more than even an enhanced DBS check. The five industries below are examples of jobs in which employees are in direct contact with vulnerable people, along with the potential dangers a DBS check wouldn’t protect against.

Taxi and minicab companies

Taxi and minicab companies are private firms whose employees have intimate access to their customers, as well as access behind a wheel. As a result, it is imperative to ensure not only that they are hiring competent drivers, but people with a clean criminal background with no prior inappropriate behaviour that could jeopardise the safety of the passengers. A taxi driver working for a private firm or company such as Uber or Ola should be properly vetted before customers get in a car with them. Many taxis may also be transporting people who are under the influence after a late night, making them particularly vulnerable. 

Currently, not all UK taxi companies require an enhanced check for applicants, as it can depend on the council laws. Uber has famously been under attack for the 3,000 allegations of sexual assault made by passengers in 2018, as well as incidents of crashes by drivers, some of which have been fatal. Could this have turned out differently?

An enhanced DBS check will reveal any convicted crimes or warnings, but there is other inappropriate behaviour that doesn’t fall under the definition of a crime that should render someone ineligible for the role. Their Twitter feed may be filled with pornographic content, or they may be writing sexually explicit and inappropriate comments to women online. Neither of these actions is illegal or even banned from social media sites, but either should deem someone ineligible to drive women and children around. They may also have a history of posting drag racing videos online and doing tricks in their car, which is certainly not the behaviour anyone looks for in a taxi driver.

Teaching and education

Anyone who works in a school where there are children and vulnerable young adults must undergo an enhanced DBS check for obvious reasons. This includes teachers, teaching assistants, and volunteer positions. 

Child safety is of the highest priority in a school, and checking the background of an applicant is important. However, as mentioned above, just because there are no convictions against a candidate does not mean there were no charges or situations. A more in-depth check into someone’s history could reveal crimes that were unable to be charged. These are particularly relevant if they involve children, sexual assault, Class A drugs, or violence. With the extremely low conviction rate for many of these crimes, DBS checks are not infallible.

Teaching applicants should also have a usual online presence in the world of social media. There have been many cases in the news of teachers getting into trouble for some of the posts online visible to the world; being overtly sexual, intoxicated, or political. Any online vitriol directed towards children should be paid particular notice, as it could indicate something more sinister.

Teachers are not encouraged to get involved in a romantic relationship with parents of the children, although it is not illegal. It’s possible a person may have left their previous teaching role due to that very reason, but would not disclose it, and would not turn up on a DBS check. Teachers and parents being involved in a romantic relationship can unfairly help or hinder a child’s progress in school, and create an uncomfortable environment. 

Social care

Social care is a very broad industry that can include taking care of young people, adults, the elderly, and people with a variety of disabilities. In such cases, making sure an applicant has a clean background check is vital for them to provide the right duty of care without putting patients at risk. An enhanced CRB check is required for jobs within the social care spectrum.

Things that could put this duty of care at risk beyond a DBS check could include a family history that indicates disruption within the family. A person applying for a social care role who does not have major access to their children, for example, does not bode well. Any applicant that has a history of making jokes about disabled people is completely inappropriate. The applicant may also have undisclosed crimes that they were accused of, yet never charged for. Any history of animal abuse or neglect, such as a pet that was taken away, is also an indicator that the person is not suitable for the job.

Creches and childcare facilities

Anyone looking after children outside of the education system is required to have an enhanced DBS check. Childcare can include creches, nurseries, nanny positions, playgroup leaders, and childminding, and all involve children under the age of 16, usually without the parents’ presence. 

Looking after children is one of the most trusted positions of power, and those applying may have prior activities that make them unsuitable. A recently overturned law means that any minor youth offences, cautions, reprimands, and warnings need not be disclosed on a criminal background check. The controversial decision means that those with petty crimes in their youth are no longer discriminated against for future jobs, but could also mean that crimes relevant to a childcare position are overlooked.

Online activity, previous childcare positions and the reason for leaving, as well as family history, are all good indicators of a potential employee’s suitability to the role. An applicant may have spent time abroad teaching English as a Second Language, in which case a further background check would need to be undertaken.

Security services

Security services can cover everything from security guards at supermarkets and clubs, to bank security, university campus security, as well as protecting high ranking figures of authority. The job of a security guard or officer is to protect a person or property from damage, theft, fire, or other threats, enforce laws, and keep watch on anything suspicious or unusual. 

Security guards often interact with members of the public and therefore need to have a good demeanour and approachable air. They should be able to deal with situations swiftly and calmly in the case of something getting out of hand. Sometimes physical force or detainment is necessary when there is criminal activity suspected.

Because of the physical nature of a security guard’s job, a key thing to look out for is often a history of violence or violent behaviour. While this may not show up on a DBS check, the applicant may have an uncharged accusation, a family dispute, aggressive online behaviour, or a history of threatening people. This behaviour might be missing from their background check, but be a well-known trait of theirs. If they are often sharing videos containing violence or fighting online, this could be an indication that the aspect of the job they are looking for is the physical one. An overly aggressive person is not suitable for a job as a security guard, and could be a liability for the company.

These are just a few of the positions that should be doing more than a DBS check. This can apply to a number of jobs that work with children or vulnerable people, who are the most at risk. DBS checks are not foolproof, and do not cover a person’s background as extensively as they should within certain roles. 

Request a basic DBS check

Apply for a basic criminal record check to understand an individual’s unspent convictions and conditional cautions. Ideal for roles involving minimal contact with vulnerable groups.

Check someone’s criminal record as an employer

FAQs on DBS Checks:

What is a DBS check?

A DBS (Disclosure and Barring Service) check is a process that helps employers make informed decisions about hiring by providing information about a person’s criminal record. It involves searching an individual’s criminal history to ensure they are suitable for certain roles, particularly those involving work with vulnerable groups.

How long do DBS checks take?

The processing time for a DBS check can vary. On average, a standard check may take around 2 to 4 weeks. However, this timeframe can be affected by factors such as the level of check (standard, enhanced), the accuracy of the information provided, and the current workload of the DBS.

How long does an enhanced DBS check take?

Similar to standard checks, the processing time for an enhanced DBS check can vary. On average, it may take around 2 to 4 weeks. However, factors like the completeness of information and the current workload of the DBS can influence this timeframe.

Can I apply for a DBS check online?

Yes, you can apply for a DBS check online. The online application process provides a convenient and efficient way to submit the necessary information and receive the results electronically.

What is an enhanced DBS check?

An enhanced DBS check is a thorough background check that includes information about an individual’s criminal record, as well as any additional information deemed relevant by the police or other authorities. It is typically required for positions involving significant responsibility or work with vulnerable individuals.

Can I perform an enhanced DBS check online?

Yes, you can apply for an enhanced DBS check online. The online application process allows for the submission of relevant information, making it a convenient option for many individuals and organizations.

How does an enhanced DBS check differ from a standard one?

An enhanced DBS check provides more comprehensive information compared to a standard check. It includes details about an individual’s criminal history, as well as any additional information considered relevant. This level of check is typically required for roles involving higher responsibility or work with vulnerable groups, whereas a standard check provides basic criminal record information.

What is checked with a DBS check?

A DBS (Disclosure and Barring Service) check involves a comprehensive search of an individual’s criminal record history. This includes any convictions, cautions, reprimands, and warnings held on the Police National Computer. Additionally, an enhanced DBS check may include relevant information from local police forces and other authorized bodies, such as details of ongoing investigations or any other pertinent information that may impact the individual’s suitability for the role.

How far back does a DBS check go?

A DBS check provides a comprehensive overview of an individual’s criminal record history, including both spent and unspent convictions, cautions, reprimands, and warnings. The timeframe covered by the check is unlimited, meaning it can potentially reveal relevant offenses from any point in the applicant’s past, regardless of how long ago they occurred.

Can I do a DBS check on myself?

Yes, individuals can apply for a basic DBS check on themselves. This type of check provides a snapshot of an individual’s unspent convictions and conditional cautions held on the Police National Computer. However, for roles involving work with children or vulnerable adults, an enhanced DBS check is typically required, which necessitates the involvement of an employer or an authorized organization.

What do you need to pass a DBS check?

To successfully pass a DBS check, individuals must not have any relevant criminal convictions or cautions that would deem them unsuitable for the role they are applying for. The decision to proceed with an applicant’s employment is ultimately at the discretion of the employer, who will assess the DBS check results in the context of the specific job requirements and responsibilities.

What will fail a DBS check?

A DBS check may be failed if an individual has certain criminal convictions or cautions that are deemed incompatible with the role they are applying for. The nature and severity of the offenses, as well as the potential risks associated with the job, will be considered by the employer. Additionally, providing false or incomplete information during the DBS application process can also result in a failed check.

Does your criminal record clear after 7 years in the UK?

No, criminal records in the UK do not automatically clear after a specific period of time, such as 7 years. Once an individual has a criminal conviction or caution on their record, it remains there indefinitely unless specific circumstances apply, such as receiving a pardon or the conviction being overturned on appeal.

How long do crimes stay on DBS?

Criminal convictions and cautions remain on an individual’s DBS record indefinitely, regardless of the time that has elapsed since the offense occurred. This information is retained to ensure employers have access to a comprehensive overview of an applicant’s criminal history when making hiring decisions, particularly for roles involving work with vulnerable groups.

Do arrests show up on DBS?

Arrests, by themselves, do not typically show up on a DBS check. However, if an arrest led to a conviction or caution, those offenses will be included in the DBS record. Additionally, for enhanced DBS checks, relevant information from local police forces may be disclosed, which could include details about arrests or ongoing investigations, even if they did not result in a conviction.

What convictions are not protected?

In the context of DBS checks, certain convictions are not subject to filtering or protection rules, meaning they will always be disclosed on a DBS certificate. These include offenses related to violence, sexual offenses, safeguarding offenses, and any offenses committed against children or vulnerable adults. Employers may consider these unprotected convictions as relevant when assessing an applicant’s suitability for a role.

What offences are never filtered from DBS?

Certain offenses are considered so serious that they are never filtered or removed from DBS certificates, regardless of the time that has elapsed since the conviction. These offenses include, but are not limited to, murder, manslaughter, rape, sexual offenses involving children, kidnapping, and offenses related to terrorism. These convictions will always be disclosed to employers, as they are deemed highly relevant to safeguarding and public protection considerations.

How much does a DBS check cost?

The cost of a DBS check can vary depending on the level of check required and the organization conducting the check. As of January 2023, the Disclosure and Barring Service charges £23 for a basic DBS check and £40 for an enhanced DBS check. Additionally, some organizations may charge an additional administration fee to cover their operational costs.

How much does a basic DBS check cost?

As of January 2023, the Disclosure and Barring Service charges £23 for a basic DBS check. This type of check reveals any unspent convictions and conditional cautions held on the Police National Computer. It is important to note that some organizations may charge an additional administration fee on top of the DBS fee.

Can I start work before the DBS check is completed?

In some cases, employers may allow individuals to start work before their DBS check is completed, provided that appropriate risk assessments and safeguarding measures are in place. However, this decision is at the discretion of the employer and is typically dependent on the nature of the role and the level of risk involved. For positions involving work with vulnerable groups, it is generally recommended to have the DBS check completed before starting employment.

Can a job offer be withdrawn due to a DBS check?

Yes, a job offer can be withdrawn or rescinded if the results of a DBS check reveal information that the employer deems incompatible with the role or raises concerns about the applicant’s suitability. Employers have the right to make informed decisions based on the information obtained through the DBS check, taking into account the specific requirements and responsibilities of the position.

Can my employer see my DBS online?

No, employers cannot directly access an individual’s DBS check results online. The Disclosure and Barring Service provides the DBS certificate to the applicant, who must then share the results with their employer. Employers can, however, track the progress of the DBS application through an online system, but they do not have direct access to the results.

Does a DBS expire after 3 years?

No, DBS certificates do not have an expiration date. Once issued, a DBS certificate remains valid unless there is a change in the individual’s criminal record. However, some organizations may have policies that require employees or volunteers to renew their DBS checks periodically, typically every 3 years, to ensure they have the most up-to-date information about an individual’s criminal history.

What convictions are never spent?

In the UK, there are certain convictions that are never considered “spent” under the Rehabilitation of Offenders Act. These include serious offenses such as murder, manslaughter, rape, and offenses related to terrorism. Convictions that are never spent will always be disclosed on a DBS certificate, regardless of the time that has elapsed since the offense occurred.

 

Neotas Social Media Check and Social Media Screening

At Neotas, we understand the importance of conducting thorough and compliant Social Media Screening Checks, and our team of experts is dedicated to ensuring that the process is safe and reliable. Receive accurate and up-to-date information while complying with all relevant regulations, including GDPR and FCRA. Our advanced OSINT technology and human intelligence allow us to uncover valuable insights that traditional checks may miss.

 

Schedule a call today!

We highlight behavioural risks identified across social media profiles and the wider internet. This supplements the background screening process. Learn more about how we can help you conduct social media screening and background checks in a safe and compliant manner.

Related Content on Social Media Screening, Background Checks, and Social Media Background Check

Using OSINT For Good to Support Environmental Investigation Agency

Neotas are proud to use OSINT for good (#OSINTForGood) to support and assist Environmental Investigation Agency (EIA) in their efforts to investigate environmental crime.

The recent report published by EIA highlights the threat to Asia’s leopard population from illegal killings to meet the demand for their body parts. A number of Chinese pharmaceutical companies named in the report list leopard bone as an ingredient in their medical products.

“The illegal killing of leopards for their body parts in Asia is driving the species towards extinction. They have already disappeared from Laos, Vietnam and Singapore and are on the brink of extinction in several other countries. Demand for their bones, primarily from Chinese consumers, is one of the drivers of the trade. Leopard bone is used in similar ways to tiger bone, steeped in rice wine to produce health tonics and used in other traditional medicines.” – EIA, Bitter Pill To Swallow, March 2020

Our team of in-house experts used OSINT technology to map out the international links between potential actors involved in the trade. The EIA’s research aims to highlight the leopard’s rapid decline and the need to revisit certain trade regulations in place.

We’re proud to have been able to support EIA and will continue to spread their message and assist their work against this issue. The support comes as part of an ongoing mission for Neotas to join the worldwide community using #OSINTForGood, which also includes taking part in a global competition to help uncover missing persons information.

You can access the full EIA report here.

Locating Missing People: A Crowdsourced and Global Use of OSINT

Over the Easter weekend a team of Neotas Analysts participated in the Tracelabs Global Missing Persons Capture The Flag competition. The aim of the competition is to use Open Source Intelligence (OSINT) to help locate missing people around the world. Information identified ranges from social media profiles to deep web documents and dark web databases, with more points scored depending on the relevance of the information. At the end of the 6 hours, the information is collated and sent to law enforcement to assist with their search.

With the competition hosted in Canada, the Neotas team worked from 11pm to 5am using a spectrum of investigative OSINT techniques to locate information relating to 15 different missing people. Each person was unique, with their own online presence, relationships, hobbies and story. One case led to social media profiles under a completely different name, whilst forum posts displaying personal and sensitive information were uncovered for another individual. In some cases, significant individuals were identified, including people with whom one individual had started talking online a few days before going missing. Previous addresses and vehicles were submitted, as well as information posted by strangers relating to the day the person was last seen. All of this information is useful to law enforcement in building possible leads.

At the end of the 6 hours, and after 168 submissions deemed beneficial to law enforcement, the team finished the competition in 7th place. The top 10 finish is an incredible result in only our second global OSINT competition, and is an improvement on the 12th place finish in our debut. Other teams to feature in the top 50 included Cyber Security specialists, experienced hackers, leading private investigators and law enforcement officers. Each of the 177 teams used their skills to do OSINT For Good and have contributed to a very important cause.

A huge thank you to Tracelabs and all the volunteers for running such a successful event. Neotas will definitely be back next time, aiming for another top 10 finish and crucially another chance to assist law enforcement in bringing people home safely.

Statistics showing the sources of data that Neotas' team pulled from during their OSINT investigations for the competition

 

Avoid the cost of a bad hire with online reputation screening – Do’s and Don’ts of Online Reputation Screening

Online reputation screening has become an essential component of the hiring process. It helps employers gain a comprehensive understanding of potential hires beyond what is presented in resumes and interviews. Using the full breadth and power of online reputation screening, we help companies make the right hire and open a healthy dialogue with employees about their behaviour online.

What is online reputation screening?

Online reputation screening is a pre-employment background check that scans a candidate’s full digital footprint, including social media background screening. Using publicly available data, we conduct OSINT-powered background checks to reveal the true character and behaviours of a prospective hire beyond a CV or traditional database checks.

Do’s and Don’ts of Online Reputation Screening

Do’s

  1. Apply Social Media Policy Equitably: Implement your organisation’s social media policy consistently for both new hires and current employees. Allow new hires the opportunity for coaching and the chance to delete old posts that may not reflect their current behaviour or attitudes. This approach promotes fairness and gives candidates a chance to align with your company’s values.
  2. Use Accredited Third-Party Providers: Engage an accredited third-party provider that adheres to relevant screening standards, such as POSS from AFODD. These providers are equipped to conduct thorough and unbiased checks, ensuring that the process is professional and compliant with legal standards.
  3. Include Positive Flags: When conducting online reputation screening, it is crucial to consider both positive and negative indicators. A balanced view helps in recognising a candidate’s strengths and achievements alongside any potential risks.
  4. Consistent and Structured Screening: Conduct online reputation screening as part of a consistent and structured background screening programme. Avoid ad hoc screenings; ensure that every candidate undergoes the same level of scrutiny to maintain fairness and consistency in your hiring process.
  5. Inform and Obtain Consent from Candidates: Always inform candidates that open-source checks will be part of the screening process and obtain their explicit consent. Transparency in your screening practices fosters trust and ensures candidates are aware of what to expect.
  6. Focus on Employment-Related Risks: Prioritise identifying employment-related risks, such as violent behaviour, sexism, hate speech, and discriminatory behaviour. These factors can significantly impact workplace safety and culture, making them critical to assess during the screening process.

Don’ts

  1. Avoid Internal Social Media Checks: Do not conduct social media checks internally. This practice can introduce discriminatory bias and violate privacy standards. Internal checks are prone to subjectivity and can inadvertently lead to unfair hiring decisions.
  2. Don’t Focus Solely on Negatives: Avoid concentrating exclusively on negative findings during the screening process. A balanced view that includes positive attributes and achievements provides a more comprehensive understanding of the candidate.
  3. Don’t Lose Context: Maintain context when reviewing potential business risks related to employment. Understand the broader circumstances surrounding any flagged behaviour to avoid misinterpretation and ensure a fair assessment.
  4. Don’t Rely on Candidates to Direct the Search: Candidates may have multiple aliases online, and relying on them to direct where to look can lead to incomplete or biased information. Use thorough and systematic search methods to uncover all relevant information.
  5. Exclude Protected Characteristics: Ensure that any reports generated from the screening process do not include protected characteristics such as race, religion, gender, sexual orientation, or age. This practice is essential to prevent discrimination and uphold ethical standards in hiring.

Implementing these do’s and don’ts will help you navigate the complexities of online reputation screening effectively, ensuring a fair, legal, and comprehensive evaluation of potential hires.

Ensuring your organisation follows the rules above could lower your employment risks and help you avoid the cost of a bad hire.

We are an accredited provider of online reputation screening and adhere to the POSS standards as laid out by AFODD. We help organisations recruit with confidence and avoid bad hires by flagging employment-related business risks.

 

Schedule a call with our team today to discuss your social media screening needs, or build a no-obligation estimate using our pricing tool.

Social Media Background Checks Do’s & Don’ts for Employers


Neotas Social Media Background Checks and Social Media Screening

At Neotas, we understand the importance of conducting thorough and compliant Social Media Screening Checks, and our team of experts is dedicated to ensuring that the process is safe and reliable. Receive accurate and up-to-date information while complying with all relevant regulations, including GDPR and FCRA. Our advanced OSINT technology and human intelligence allow us to uncover valuable insights that traditional checks may miss.

Schedule a call today!
We highlight behavioural risks identified across social media profiles and the wider internet. Neotas supplements the background screening process. Learn more about how we can help you conduct social media screening and background checks in a safe and compliant manner.

OSINT Due Diligence: the new litmus test for investors

Private equity firms and investors are increasingly placing focus on management due diligence and the importance of understanding people, cultural fit and capability. Due diligence that harnesses open source intelligence (OSINT Due Diligence) unlocks more meaningful insights into teams and companies, informing business decisions and protecting the financial health and reputation of investors.

Private equity dealmaking is soaring to its highest level since the lead-up to the financial crisis, as companies chase investment opportunities for a record amount of $2.5tn. With so much at stake, it absolutely pays to know more in today’s digital era.

“Perceptions have been shifting slowly across the private equity investor world so that understanding management isn’t confined just to looking at top team personalities. Instead, managing risk and increasing value is seen to rest on harnessing all available data to inform business decisions, covering top executives, team effectiveness, organisational structures and processes, people capacity and capability in target/investee companies.”
Dr. Mike Hicks, Catalysis Advisory

People are the key to the success of any deal, with the long-term strategy and direction of the firm steered and shaped by management teams. Insights into the true behaviour, character and networks of those sitting at the helm of investee firms often sit in the public domain on the Internet.

For instance, in the case of the abusive CEO, we uncovered numerous behavioural red flags via open sources available for all to see. By flagging this to the private equity firm before the deal, we mitigated the reputational risk and equipped our client with insights that would otherwise have been missed.

Private equity firms use our OSINT-powered due diligence to know who they’re dealing with, helping lower the risks. Protect and improve the reputation and financial health of your firm. Schedule a call with our team today to discuss OSINT due diligence, or build a no-obligation estimate using our pricing tool.

Manchester City on guard after Pep Guardiola’s emails hacked

Last week, it was reported that a man is being questioned by Greater Manchester Police for his alleged involvement in hacking Manchester City manager Pep Guardiola’s emails. A contractor employed by the club through an IT firm two years ago, he has claimed that the hack was “the easiest thing I’ve ever had to do”.

The IT worker claimed to have accessed Guardiola’s account from his mobile and downloaded personal emails, confidential transfer exchanges and his entire contacts book. He also allegedly tried to sell the emails for £100,000. Manchester City had terminated the services of the consultant and the company he was contracted to two years ago, but the story is breaking now.

Insider risk is real. We have previously uncovered insider fraud at a financial services firm, with a rogue IT worker attempting to sell client data on the dark web. Our findings were reported to Greater Manchester Police. Whilst we don’t know all the details of this rogue IT worker, the case brings to light the importance of employee screening that harnesses online due diligence.

Oftentimes we find potential risks relating to employees through their online behaviour. The likelihood is that if the rogue IT worker is bragging in real life, his behaviour will be mimicked online, perhaps even through multiple aliases. Online reputation screening would have potentially flagged this behaviour sooner.

We hope that this doesn’t happen again and that it has triggered proactive measures by Manchester City and the IT firm to use online reputation screening. If so, it should be carried out to the Personnel Online Screening Standard (POSS) as laid out by the Association for Online Due Diligence (AFODD).

Get in touch today to strengthen your employee screening processes and protect your firm’s reputation.

Regulators now require OSINT – what next for AML and CDD?

The regulators have called for the use of open source internet and social media checks (OSINT) in anti-money laundering (AML), enhanced customer due diligence (CDD) and conduct surveillance measures. So, if the regulators require OSINT – what are financial institutions doing to meet these regulatory guidelines?

The European Banking Authority states that enhanced due diligence (EDD) measures include “carrying out open source or adverse media searches” [EBA, p.2]. By using OSINT, banks can build a more complete customer profile, including the source of the customer’s wealth and information on any associations the customer may have in different jurisdictions.

OSINT can also bridge the gap when dealing with PEPs and high-risk customers. The FCA’s Financial Crime Guide points to “using, where available… open source internet checks to supplement commercially available databases” [FCA, p. 186]. OSINT analyses all publicly available information on the Internet and should be used to complement existing processes. This is no mean feat for in-house teams, which is where technology helps.

Our unique blend of OSINT, machine learning and natural language processing enables us to dig deeper and faster into people, entities and networks. Coupled with advanced analytics and deep industry expertise, we provide zero false positives and complete customer profiles.

The use of OSINT stretches beyond customers. In the US, FINRA has highlighted its use in conduct surveillance and monitoring employees: “Monitoring traders, registered representatives, employees…structured data and unstructured data…social media profiles and other communications” [FINRA]. Here, OSINT and social media screening can pinpoint people risk faster, for instance by uncovering aliases and cached data, helping to protect firms in the digital era.

Financial institutions use our open source enhanced due diligence to strengthen their compliance programmes. Make sure you have a defensible position back to the regulator.

Schedule a call with our team today to discuss OSINT due diligence, or build a no-obligation estimate using our pricing tool.

Locating Missing People: A Crowdsourced and Global Use of OSINT

At the beginning of February, Neotas Analysts took part in a global competition in which they contributed to active global missing persons investigations. They joined a community of 140 teams of OSINT practitioners from around the world, ranging from law enforcement officers to threat intelligence analysts and information security bounty hunters, in a Capture-the-Flag event organised by TraceLabs.

With the competition hosted in Canada, snacks and energy drinks were at the ready for a 6-hour nocturnal challenge as the team set out to gather intelligence on 7 live missing persons cases from Canada, USA and Australia. Points were scored for any information which could lead to the location of the missing person, including social media profiles, IP addresses, activity on the dark web, recent friends and associates, unique identifiers, and geolocation of activity.

The event was a fantastic way of harnessing both the skills and curiosity of experts in the field in a concerted effort to support law enforcement teams often lacking in resources. Over 6 hours, hundreds of participants submitted pieces of intelligence which could be collated and passed on to law enforcement to aid in their investigations.

Finishing in 12th place out of 140, we are thrilled to have contributed to the collection of valuable intelligence, and finishing so high up on a leaderboard full of OSINT specialists from around the world was an added bonus. Our team made over 120 of the event’s 5000+ submissions, a record total for such an event and a significant achievement for a volunteer-run challenge.

We are proud to see yet another application of #OSINTForGood and its community growing so quickly. Thank you to TraceLabs for putting on a very worthwhile and successful event, we will see you at the next one!

Social media screening in the spotlight after government controversy

Social media background screening is again in the spotlight after the latest controversy involving a UK government official. The UK Government is once again under scrutiny for its hiring and vetting process, following the “reprehensible” and “racist” comments online of Downing Street adviser Andrew Sabisky.

Online reputation screening and social media background checks remain absent from the official public sector hiring guidelines. As a result, high-profile, avoidable controversies such as this continue to crop up. With the likelihood being that there are still unsavoury comments out there in the public domain, waiting to be found, surely it’s time for governments to introduce social media screening to their background check policies?

Mr. Sabisky, who has since resigned as the PM’s top aide, recently prompted fury with his views on eugenics, race and women. In 2014, he wrote that to stop unplanned pregnancies from creating a “permanent underclass”, there should be legal enforcement of contraception. His comments online also suggested that black Americans had lower IQs than white Americans.

Ian Lavery, the chairman of the Labour Party, wrote in a letter to the PM, “there are unanswered questions about how someone with such abhorrent views was ever considered for employment in the first place.” The spotlight is now focused on the Government, with its recruitment and vetting processes very much in question. Business minister Kwasi Kwarteng has also stated that the Government’s hiring process should be “looked at”.

It is no surprise that when unsavoury comments are discovered online, the reputational damage and public outcry can be huge. As we’ve stated before, a proactive attitude towards online reputation screening could have mitigated risk from the outset and informed the hiring process.

Our message to any employer would be that if it’s out there for all to see, wouldn’t you want to see it first? We just hope the Government seriously considers online reputation screening, following the footsteps of the Federal Government in the US.

Online reputation screening should be provided by independently accredited providers, such as those accredited by the Association For Online Due Diligence (AFODD), to ensure it is conducted in a legal and compliant manner. Only employment-related business risks should be flagged, such as terrorism, violent content, and hate and discriminatory behaviour. Online reputation screening helps firms to recruit with confidence and gives employers the opportunity to open up a healthy dialogue with employees about their behaviour online.

If you would like to know more about social media screening, please feel free to schedule a call with our team here. Alternatively, you can build a no-obligation quote using our pricing tool here.

Guide for SRA-regulated firms: Offensive Communications Online

As our online and offline personas increasingly converge, the spotlight is being shone on law firms and the online behaviour of their members. The SRA has recently updated its guidance, warning “the same ethical obligations of professional conduct apply in an online environment”. We take a look at what this means in practice and how law firms can ensure compliance today.

What online behaviour is offensive?

The SRA has experienced a significant increase in the number of complaints concerning inappropriate communications, including the use of social media inside and outside of practice. The regulator expects professionals to “behave in a way that demonstrates integrity and maintains the trust the public places in you and in the provision of legal services”. Examples of the type of behaviour they have investigated (and referred to the SDT) include hate and discriminatory behaviour, the use of derogatory language, sexually explicit comments and abusive comments directed towards other firms or clients. The list goes on.

Who is at risk?

Managers of firms hold the responsibility to ensure that their members do not cross these lines. SRA-regulated firms “must take all reasonable steps to ensure that the firm complies with [our] regulatory arrangements”, including “identifying, monitoring and managing all material risks to the business”.

If a member of your firm sends or posts an inappropriate or offensive communication, it not only puts you at risk under the SRA Principles, but it also has the potential to cause significant reputational and financial damage, for example if clients react by withdrawing their business or are deterred from instructing your firm. In some circumstances, you could also be liable for your employee’s actions if the communication amounts to victimising or harassing a third party.

How can you ensure compliance and mitigate risk now?

1. Put a social media policy in place

There is no one-size-fits-all approach here. You should ensure you have a policy that feels in line with company culture as well as ensuring compliance and best practice. Also, consider the nature and size of your firm to determine whether you need to put further systems or controls in place.

2. Only identify business-related risks

Only posts that fall within agreed risk categories should be captured and reported on, which would typically include issues such as racism, sexism, illegal activity, or anything that could bring the firm into disrepute. With a robust approach to checks, new hires, promotions and scheduled reviews can all be screened quickly, and any risks will be highlighted without the process becoming intrusive.

3. Make use of technology and trusted third parties

Here technology can help. Don’t spend significant time internally trying to monitor, as you will not be efficient or compliant and will undoubtedly review content that you don’t want or need to see. A trusted third party will save you time, ensure you only see business-relevant information and deliver an auditable, robust process that will meet the Regulator’s expectations.

4. Beware of online pseudonyms

As the SRA points out, “anonymity is not guaranteed; material which you post under a pseudonym may still be traced back to you”. The technology goes far beyond a simple name check and we routinely identify multiple online aliases tied to one individual. Having a very corporate account on Twitter, for example, and a second “angry” account under a different username does not mean that the rules won’t apply.

As the regulator and the press increasingly pick up on conduct issues, social media best practice and online reputation screening become critical in mitigating the risk for firms.

If you’d like to know more about how to quickly implement a compliant and cost-effective approach to help protect your firm and its members, please give us a call on 0208 090 2622.

Bad hires: Don’t become another victim!

Preventing Bad Hires: Strategies for Effective Talent Acquisition. Explore how to avoid costly hiring mistakes and build a high-performing team with our insightful guide.

We all know that bad hires can have detrimental effects on your business. The cost is significantly higher than just their salary, as the negative impact on reputation or team morale can be challenging, to say the least. A high turnover of staff creates instability within a business and can affect its day-to-day functioning, slowing everything down. In short, smart hiring decisions will always be a critical challenge for any business.

So, should we do more when screening new hires?

We now live in a digital age and there is more information about all of us than there has ever been, but some processes have not evolved to capitalise on this. Employee references and database checks only show a part of the picture. There is a wealth of open source data on an individual, from social media to wider media sources, that can reveal more about a person. By utilising open source data and technology you can uncover an individual’s “online footprint” and gain an understanding of how they choose to engage with the world. While most people that we screen at Neotas meet the requirements of any employer’s robust social media policy, there is an important percentage that falls dramatically short.

In the past few months we have seen racism, sexism, graphic content and illegal activity, to name just a few of the categories we include. While the final decision to hire always falls to the prospective employer, some of these candidates clearly showed behaviour that could be genuinely damaging to the prospective team. Yet almost all of this information is missed by the more traditional background screening process. What may be more surprising is that bad behaviour appears at all levels of seniority, from the second Twitter account a CEO used to make highly political and vitriolic statements, to senior managers caught on video for football hooliganism, to more junior hires that are perhaps “angry online” but would benefit from some coaching on how our online and real-world personal brands are now closer than ever.

It’s time to know more about the cultural fit of your candidates BEFORE they join, and the technology, speed and cost of these checks make that more practical than ever before. Don’t be the last one to see information that is freely available for your customers, colleagues or competitors to view online. Make sure you Know More when it matters.

If you want to know more about compliant, easy to implement social media checks or deeper dive reputational checks, including how social media checks can enhance your due diligence process, please give us a call on 0208 0902 622.

The Campaign Crisis: MPs and their Mishaps

Managing The Campaign Crisis: Strategies for Effective Crisis Communication and Resolution. Learn how to navigate and overcome campaign-related challenges with our expert insights and guidance.

As election day looms, we look back at what has been a tumultuous campaign for MP candidates from all parties. As is becoming the norm in British politics, online blunders and revelations have once again ended several political careers. In a previous blog post we highlighted the mistakes made by Change UK, but here we explore how political parties have failed to grasp the importance of online due diligence and social media checks. 

The SNP dropped a candidate over anti-Semitic posts shared on Facebook, whilst offensive tweets from a prospective Lib Dem MP were deemed to have brought the party “into disrepute”. Having formed in January, the Brexit Party found themselves in a scramble to produce hundreds of MP candidates to stand across the United Kingdom. In this rush to field candidates, any semblance of due diligence went out of the window.

Stoke North candidate, Daniel Rudd, was dropped after the emergence of homophobic and racist tweets from his personal account. In a bizarre attempted show of support for animal rights, he also suggested conducting pharmaceutical testing on ‘Remainers’ instead. He has since deleted his Twitter profile. 

Brighton Kemptown candidate, Dr Graham Cushway, came under fire for his past involvement in a ‘Nazi vampire’ themed heavy metal band. A simple Google search of his name will lead you to articles from 2012 describing his acrimonious departure from the band. Once the connection is made, you can find the candidate (under his stage name of Graham Lord Pyre) sporting the SS Totenkopf insignia on his Gestapo-style costume in photos on the band’s website. 

Candidate Jill Hughes also faced increasing scrutiny for the disparity between claims on her social media profiles and her actual accomplishments and accolades. For example, she listed herself as the ‘CEO’ of Money Magnet on her LinkedIn since November 2017 but only registered the company on 10 October this year.  

These were avoidable slip-ups, as adverse content was there for anyone to find. Political parties and candidates face greater scrutiny in the press, and the lack of due diligence conducted led to a great deal of wasted time and money. We have highlighted the need for online reputation screening to help build a complete picture of job candidates, but this should be no different for political candidates.