How to Build a Company-Wide Due Diligence Policy From Scratch

Most companies screen inconsistently because they have no formal policy. Here's how to build one from scratch — covering who to screen, when, and what to do with the results.

I. The Risk Landscape: Why a Formal Policy Matters

Fragmented due diligence across business units creates blind spots that expose your company to sanctions violations, hidden beneficial owners, and inconsistent screening workflows. Without a unified policy, high-risk customers are handled differently by geography or department, and complex ownership structures obscure ultimate beneficial owners (UBOs).

The Regulatory Imperative

FATF Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) guidance establish baseline risk-based approaches for identifying and managing customer risk. OECD Due Diligence Guidance for Responsible Business Conduct embeds due diligence into enterprise risk management, aligning internal controls with international expectations.

Non-compliance triggers regulatory penalties, financial fines, and remedial costs. More critically, regulators increasingly expect defensible, documented decision-making—not ad-hoc judgment calls.

The Business Cost

Undetected Politically Exposed Person (PEP) status, sanctions exposure, or adverse-media signals lead to prohibited transactions and regulatory consent breaches. These failures erode partnerships, restrict access to banking and capital, and generate reputational damage that outlasts the initial penalty.

The hidden cost is operational: retroactive investigations, contract terminations, and emergency compliance fixes consume senior management time and divert resources from growth.

What Happens Without a Policy

  • Inconsistent risk posture: Sales teams in one region apply different standards than teams in another, creating regulatory gaps and internal confusion.
  • UBO blind spots: Multi-layered ownership structures obscure beneficial owners; without standardized mapping logic, you cannot verify who controls the entity.
  • Sanctions and PEP misses: Manual screening or fragmented databases allow high-risk counterparties to slip through, especially when names are transliterated or entities operate through intermediaries.
  • No audit trail: When a regulator asks why you onboarded a customer, you have no date-stamped rationale, no data provenance, and no defensible record of the decision.
  • Scaling bottleneck: Due-diligence volume grows with customer acquisition, but manual processes force you to hire proportionally—500 customers per analyst becomes 5,000 customers and 10 analysts.

A formal policy codifies who to screen, when to screen, and what to do with results. It replaces fragmented judgment with standardized triggers, escalation thresholds, and documentation standards that regulators recognize and auditors can verify.

The Policy-to-Execution Gap

A policy document on paper is inert. The real risk is that your COOs and compliance leads cannot execute the policy at scale without a technology layer to enforce scope, triggers, and escalation logic.

Diligard operationalizes your policy framework with AI-powered screening across UBOs, sanctions, PEPs, adverse media, and litigation history. Real-time risk scoring, auditable outputs, and coverage in 190+ countries deliver policy compliance in under 4 minutes per review—without adding headcount.

Your compliance team shifts from manual data gathering to risk-informed decision-making, with full regulatory defensibility and audit trails automatically generated.

The Seven Components of a Defensible Policy

A company-wide due diligence policy must codify who to screen, when to screen, and what to do with results—or it remains an inert document that cannot prevent risk. The following seven components transform policy into repeatable, auditable execution.

Scope Definition: Who & What to Screen

What to screen for: Ultimate Beneficial Owners (UBOs), sanctions designations (OFAC, UN, EU), Politically Exposed Persons (PEPs), adverse media, and litigation history. These are non-negotiable data points under FATF Customer Due Diligence (CDD) guidance and OECD Due Diligence Guidance for Responsible Business Conduct.

Who triggers screening: Customers, vendors, contractors, counterparties, and beneficial owners across all geographies and transaction types. Fragmented screening by business unit creates blind spots; policy must apply uniformly.

Jurisdictional harmonization: UBO thresholds vary—25% in most FATF-aligned jurisdictions, 20% in some EU states, 50% in others. Your policy must adopt a single global standard (typically 25%+ ownership or control) and flag jurisdiction-specific variances for local reporting compliance.

Screening Triggers: When to Act

Risk-based triggers: Transaction size, geography (high-risk or FATF grey-list jurisdictions), industry vertical (defense, extractives, finance), customer tenure, and ownership changes. FATF guidance mandates a risk-based approach; triggers must be explicit and measurable.

Escalation thresholds: Define when CDD escalates to Enhanced Due Diligence (EDD). Triggers include PEP status, sanctions exposure, adverse media involving financial crime or corruption, and complex or opaque ownership structures. Without clear thresholds, high-risk customers slip through on inconsistent judgment.

Ongoing monitoring cadence: Low-risk customers: annual re-screen. Medium-risk: semi-annual. High-risk: quarterly or event-driven (ownership change, new adverse media, regulatory action, transaction anomaly). Event-driven triggers must be automated via adverse-media feeds and corporate-change alerts.

Tool Selection & Data Integration

Data sources: Corporate filings, regulatory registries (Companies House, INPI, SEC), sanctions lists (OFAC, UN, EU), adverse-media feeds, and litigation databases. Coverage must span 190+ countries to avoid jurisdictional blind spots.

Data quality standards: Disparate sources produce inconsistent quality, language barriers, and outdated filings. Your policy must mandate reconciliation logic—cross-referencing ownership data from multiple registries, corroborating PEP status against sanctions lists, and flagging conflicts for manual review. AI-assisted reconciliation is essential at scale.

Automation vs. manual review: Define which screening outputs auto-approve (low-risk, no hits), which route for manual review (medium-confidence matches, fuzzy name hits), and which auto-escalate (high-confidence sanctions or PEP matches, severe adverse media). This prevents bottlenecks and ensures consistent application.

Escalation & Decision Matrices

Risk scoring logic: Composite risk ratings must combine UBO complexity, PEP status, sanctions hits, adverse-media severity, and jurisdiction risk. For example: PEP + high-risk jurisdiction = automatic EDD; adverse media + sanctions hit = hold pending senior approval.

Approval hierarchy: Low-risk customers: auto-approved by system. Medium-risk: reviewed and approved by compliance analyst within 2 business days. High-risk (EDD cases): escalated to compliance lead or legal counsel with documented rationale and sign-off. Without a hierarchy, approvals stall or bypass controls.

Rejection criteria: Clear rules for when to refuse or terminate a business relationship—confirmed sanctions match, credible adverse media of money laundering or corruption, inability to verify UBO after reasonable effort. Ambiguity in rejection criteria invites inconsistent risk tolerance across teams.

Documentation Standards & Auditability

Data provenance: Record the source, retrieval date, and version of every screening data point. If a regulator or auditor asks why you onboarded a customer, you must produce the exact data set reviewed, the date it was current, and the decision rationale.

Decision rationale: Document why a high-risk customer was approved or escalated. Example: “PEP status confirmed via [source]; adverse media reviewed and determined not credible; approved subject to annual re-screen.” Date-stamped evidence is non-negotiable for regulatory defense.

Retention policy: Specify how long records are kept—typically 5–7 years post-relationship termination, or longer if litigation holds apply. FATF and OECD guidance stress robust record-keeping as a core control.

Review & Refresh Cadence

Policy review frequency: Annual governance review to ensure alignment with regulatory changes (new sanctions regimes, updated FATF recommendations, jurisdiction-specific UBO rule changes) and business growth (new product lines, geographic expansion, M&A activity).

Data refresh triggers: Re-screen customers when ownership changes, new adverse media appears, regulatory status shifts, or the customer relocates to a higher-risk jurisdiction. Event-driven refreshes must be automated; manual calendar tracking fails at scale.

Audit trails: Maintain logs of all policy updates, screening rule changes, and compliance checks. Regulators will ask: “How did your policy evolve, and how did you ensure consistent application during transitions?”

Change Management at Scale

Headcount-free execution: Due-diligence volume grows with customer acquisition, vendor onboarding, and M&A activity. Without automation, headcount scales linearly—a compliance team handling 500 customers per analyst becomes a bottleneck at 5,000. Automation absorbs volume; your team shifts from data gathering to risk-informed decision-making.

Consistent application: Standardized workflows and decision rules ensure no business unit under-screens or creates ad-hoc exceptions. The policy applies uniformly across executive hires, investors, supply-chain partners, and legal counterparties. Inconsistency is a regulatory red flag and a litigation liability.

Diligard operationalizes these seven components with AI-powered screening across UBOs, sanctions, PEPs, adverse media, and litigation—delivering risk-scored, auditable reports in under 4 minutes. Your COOs and compliance leads define the policy; Diligard executes it at scale across 190+ countries without adding headcount.

Tool Selection & Data Integration

Your policy must specify which data sources will be queried, how data quality will be assured, and where automation ends and manual review begins. Without this, every screening becomes a negotiation.

Data Sources: What You Must Cover

Corporate filings and registries: Annual reports, shareholder registers, beneficial-ownership disclosures filed with corporate registries (Companies House, INPI, SEC). These are primary sources for UBO identification and ownership-chain validation.

Sanctions lists: OFAC (U.S. Office of Foreign Assets Control), UN Security Council Consolidated List, EU Consolidated Financial Sanctions List, and jurisdiction-specific lists (e.g., UK HM Treasury). Real-time screening against these lists is non-negotiable under FATF Customer Due Diligence guidance.

PEP databases: Politically Exposed Persons lists covering current and former government officials, heads of state-owned enterprises, and immediate family members. PEP status is a mandatory EDD trigger.

Adverse-media feeds: News archives, regulatory enforcement actions, criminal investigations, and civil litigation records. These detect reputational and legal risks that corporate filings and sanctions lists miss.

Litigation databases: Court filings, arbitration awards, and bankruptcy proceedings across multiple jurisdictions. Litigation history reveals patterns of financial distress, contractual disputes, and fraud allegations.

Data Quality Standards: Reconciliation Logic

Data retrieved from 190+ countries arrives in different languages, with inconsistent formatting, outdated timestamps, and conflicting information across sources. Your policy must mandate reconciliation rules.

Language barriers: Corporate filings in Arabic, Mandarin, or Cyrillic require translation and transliteration. Automated systems must normalize names and entities to avoid false negatives (missed matches) or false positives (spurious alerts).

Outdated information: A shareholder register filed 18 months ago may no longer reflect current ownership. Your policy should specify maximum data age (e.g., corporate filings must be <12 months old) and trigger re-verification if data is stale.

Conflicting records: When a regulatory filing lists one UBO and a press release names another, your system must flag the discrepancy for manual review. Document which source was prioritized and why.

Confidence scoring: Assign confidence levels to each data point (verified via official filing = high; inferred from third-party database = medium; based on media mention = low). This informs escalation decisions and audit defensibility.

Automation vs. Manual Review: Decision Points

A defensible policy draws clear lines between what the system auto-approves, what routes to a human analyst, and what triggers immediate escalation.

Auto-approved outcomes: Clean screening results with no sanctions hits, no adverse media, no PEP status, and verifiable UBO data from recent filings. Risk score below a defined threshold (e.g., <30 on a 0–100 scale). These customers proceed without manual intervention.

Manual review queue: Medium-confidence sanctions matches (fuzzy name similarity but no corroborating identifiers), low-severity adverse media (e.g., minor civil litigation), or ownership structures with one layer of complexity. Routed to a compliance analyst with a 2-business-day SLA.

Auto-escalated to EDD: High-confidence sanctions hits, PEP status, multiple adverse-media signals, or UBO chains spanning three or more jurisdictions. These require senior approval, enhanced documentation, and potentially external validation (e.g., independent investigator).

Integration Architecture: Policy-to-Execution Gap

A policy document that specifies “screen all vendors” is inert without a technology layer to enforce it. Your COOs and compliance leads need automated workflows that mirror the policy’s scope and triggers.

API-driven screening: Integrate due-diligence checks into onboarding workflows, procurement systems, and CRM platforms. When a new vendor is entered, the system auto-triggers screening and returns a risk score before the contract is signed.

Batch processing for existing relationships: Schedule periodic re-screening (annual, semi-annual, or quarterly based on risk tier) without manual calendar management. Automated alerts notify compliance when a customer moves from low-risk to medium or high.

Audit-trail automation: Every screening result is logged with data source, retrieval timestamp, risk score, and decision outcome. Your compliance team documents exceptions and escalations; the system handles routine record-keeping.

The Diligard Advantage: Speed, Scale, and Auditability

Diligard scans 500M+ global records—corporate filings, sanctions lists, PEP databases, adverse media, and litigation history—across 190+ countries in under 4 minutes. The platform applies reconciliation logic to normalize names, resolve language barriers, and flag conflicting data.

Risk scores are generated using policy-defined weights (e.g., sanctions hit = +50 points; PEP status = +30 points; adverse media = +20 points per incident). Outputs include confidence levels, data provenance, and escalation recommendations aligned with FATF CDD and EDD guidance.

For executive due diligence, M&A due diligence, and legal compliance intelligence, this speed and depth prevent bottlenecks while maintaining regulatory defensibility.

Common Pitfalls in Tool Selection

Over-reliance on single-source data: Sanctions-only screening misses adverse media and litigation; corporate-registry-only checks miss beneficial-ownership layers. A comprehensive policy requires multi-source coverage.

Ignoring data refresh cadence: Static databases become outdated within months. Your policy must specify how frequently data sources are updated (daily for sanctions lists; quarterly for corporate filings).

Lack of version control: When a customer was screened, which version of the OFAC list was used? Audit trails must capture data version and timestamp to defend decisions during regulatory review.

Manual data stitching: Analysts copying data from five different portals into a spreadsheet introduce error and delay. Integrated platforms (like Diligard) eliminate manual aggregation and ensure consistency.

Regulatory Anchors: What Standards Require

The OECD Due Diligence Guidance for Responsible Business Conduct embeds due diligence into enterprise risk management, requiring companies to identify, prevent, and mitigate adverse impacts in their business relationships. This means your data-integration architecture must support end-to-end traceability—from initial screening through ongoing monitoring and periodic re-verification.

FATF guidance emphasizes risk-based approaches: higher-risk customers demand enhanced data sources (e.g., investigative reports, cross-border asset searches) and more frequent updates. Your policy must specify when to escalate from standard corporate-registry checks to deeper intelligence layers.

Knowledge Nugget: Data Provenance is Non-Negotiable

Every screening result must record: data source, retrieval date, version of the database, and confidence level. Without this, you cannot defend a decision during a regulatory exam or litigation hold. Diligard auto-generates provenance logs; manual processes inevitably lose evidence.

Knowledge Nugget: False Positives Erode Trust

Aggressive screening that flags 40% false positives trains business teams to distrust compliance. They route around the system or pressure analysts to “just approve it.” Calibrate your matching thresholds and reconciliation rules to minimize noise while catching genuine risks.

Knowledge Nugget: Technology is the Scale Lever

Manual due diligence cannot scale beyond ~1,000 customers per analyst. If you plan to grow from 500 customers to 5,000, automation is not optional. The policy codifies the rules; the technology (Diligard) executes them at speed and scale, preventing headcount from becoming your bottleneck.

IV. Guardrails: Regulatory Anchors & Key Challenges

A defensible due diligence policy must respect three regulatory pillars: FATF Customer Due Diligence (CDD) and Enhanced Due Diligence (EDD) guidance, which establishes baseline risk-based screening and escalation thresholds for high-risk customers; OECD Due Diligence Guidance for Responsible Business Conduct, which embeds due diligence into enterprise risk management and value-chain accountability; and jurisdiction-specific UBO identification standards, which define control thresholds and beneficial-ownership disclosure rules across 190+ countries. Together, these frameworks mandate that your policy codifies who to screen, when to escalate from CDD to EDD, and how to document every decision with auditable provenance.

Regulatory Standards That Anchor the Policy

FATF CDD and EDD Guidance

FATF requires financial institutions and designated non-financial businesses to apply risk-based CDD to all customers: identity verification, beneficial-owner identification, and understanding the nature and purpose of the business relationship. When risk indicators are present—PEP status, sanctions exposure, high-risk jurisdiction, or adverse media—the policy must escalate to EDD: enhanced identity checks, senior management approval, and ongoing monitoring with documented rationale.

The policy must define explicit escalation triggers: PEP status (customer, director, or UBO), any sanctions hit (OFAC, UN, EU), domicile or substantial operations in FATF grey-list or non-cooperative countries, credible adverse media on financial crime or corruption, and ownership structures that obscure UBOs or involve shell entities across multiple jurisdictions.

Without codified triggers, high-risk customers are handled inconsistently—approved by one business unit, rejected by another—creating regulatory exposure and audit failures.

OECD Due Diligence Guidance for Responsible Business Conduct

OECD guidance integrates due diligence into enterprise governance, not just compliance. The policy must identify, prevent, and mitigate adverse impacts across the value chain—customers, vendors, counterparties, and ultimate beneficial owners. This requires a formal process: scope definition, risk assessment, mitigation actions, tracking, and public communication of due-diligence efforts.

For operations directors and compliance leads, this means the policy is not a static document. It must include review and refresh cadence—annual governance reviews to ensure alignment with regulatory changes, periodic re-screening of existing customers based on risk rating, and event-driven re-screens when ownership changes, new adverse media appears, or jurisdiction risk shifts.

Jurisdiction-Specific UBO Identification Standards

UBO thresholds differ by jurisdiction: 25%+ ownership in the EU and UK, 20% in some Gulf states, 50% in others. Control definitions also vary—some jurisdictions recognize voting rights, others consider board seats or day-to-day operational authority. Your policy must harmonize these into a single global standard (e.g., 25%+ ownership or control) and apply it uniformly, with jurisdiction flags for local reporting and enhanced scrutiny where thresholds are lower or definitions broader.

Without harmonization, your policy creates blind spots: a 30% shareholder flagged in one region is missed in another, and complex cross-border structures exploit inconsistencies to obscure beneficial ownership.

Key Challenges That Derail Implementation

1. Complex Ownership Structures

Multi-layered entities—holding companies, trusts, offshore vehicles—obscure ultimate beneficial owners. A target entity may be owned by Company A (60%), which is itself owned by Company B (40%), which is controlled by a trust with discretionary beneficiaries. Your policy must mandate layer-by-layer ownership tracing, corroboration across corporate filings and regulatory disclosures, and documentation of control mechanisms (voting rights, board appointments, trustee authority).

Diligard automates multi-layer ownership mapping across 190+ countries, flags discrepancies between sources, and consolidates UBO data into a single auditable report. Your compliance team reviews and approves; the system maintains the audit trail.

2. Data Quality Gaps

Corporate filings are often outdated, incomplete, or filed in local languages. Sanctions lists contain transliteration errors. Adverse-media feeds vary in credibility and timeliness. A defensible policy requires data quality standards: reconciliation logic to handle inconsistencies, confidence scoring to flag low-quality inputs, and provenance tracking so every data point is traceable to source and date of retrieval.

Without this, your compliance team spends hours manually cross-checking sources, or worse, approves customers based on incomplete or stale data—both operationally expensive and legally indefensible.

3. Jurisdictional Variance

A global policy must operate across differing UBO thresholds, sanctions regimes (OFAC vs. EU vs. UN), and PEP definitions (some jurisdictions include family members and close associates, others do not). Your policy must adopt a single process with country-level flags: apply the most stringent standard globally (e.g., 25% UBO threshold, family-member PEP coverage) and document jurisdictional nuances for local reporting.

Failure to harmonize creates inconsistent risk posture: a customer approved in one market is rejected in another for the same ownership structure, eroding trust in the policy and inviting workarounds.

4. High-Risk Customer Handling

Determining when to apply EDD without slowing business requires clear, traceable decision logic. Your policy must define a risk-scoring matrix: PEP status, sanctions exposure, adverse-media severity, jurisdiction risk, and ownership complexity combine into a composite score. Scores above the EDD threshold trigger manual investigation, enhanced documentation, and senior approval; scores below auto-approve or route for routine manual review.

Without this, high-risk customers are either waved through (creating regulatory exposure) or held indefinitely (creating business friction)—both outcomes stem from ambiguous escalation rules.

5. Documentation and Auditability

Every screening decision must have a date-stamped, sourced record: who made the decision, when, on what data, and why. FATF and OECD stress robust record-keeping to demonstrate that the policy was applied consistently and that high-risk approvals or rejections were reasoned, not arbitrary.

Manual processes inevitably lose evidence—emails are deleted, spreadsheets overwritten, rationale forgotten. Diligard auto-generates audit trails: data provenance, risk scores, decision logic, and approver sign-off are captured in real time and retained per your policy’s retention schedule.

6. Privacy and Cross-Border Data Handling

Collecting UBO data, adverse-media signals, and litigation history triggers data-privacy obligations—GDPR in the EU, POPIA in South Africa, local data-protection laws globally. Your policy must balance due-diligence needs with lawful data processing: documented legitimate interest or legal obligation, data minimization (collect only what is necessary), and secure cross-border transfer mechanisms (standard contractual clauses, adequacy decisions, or binding corporate rules).

Without this, your policy exposes the company to privacy fines and injunctions, or forces compliance teams to under-screen customers in high-privacy jurisdictions—neither outcome is acceptable.

7. Scaling Without Headcount

Manual due diligence cannot scale beyond ~1,000 customers per analyst. As your company grows to 5,000 or 50,000 customers, headcount grows proportionally—or the compliance team becomes a bottleneck, slowing onboarding and approvals.

A defensible policy must embed automation: standardized scope and triggers reduce decision ambiguity; automated data gathering eliminates manual database searches; risk scoring and escalation logic route customers to the appropriate tier (auto-approve, manual review, or hold/reject) without human touch for low-risk cases; and audit-trail automation captures every decision, freeing compliance teams to focus on edge cases and EDD investigations.

Diligard operationalizes the policy framework: AI-powered screening across UBOs, sanctions, PEPs, adverse media, and litigation history delivers risk-scored, auditable reports in under 4 minutes. Your compliance team defines the thresholds and approval rules; the system executes them at scale, maintaining a lean team as customer volume grows.

The Cost of Inaction

Legal Exposure

Misidentification of UBOs or failure to apply CDD/EDD triggers regulatory penalties, consent breaches, and sanctions violations. FATF and OECD emphasize governance and risk-based controls to mitigate this; a formal, auditable policy is your first line of defense in regulatory examinations and enforcement actions.

Financial Risk

Undetected sanctions, PEP status, or adverse-media signals lead to prohibited transactions, remedial investigations, and fines. The cost of a single missed sanctions hit can run into millions in penalties and remediation—far exceeding the cost of implementing a robust policy and technology layer.

Reputational Damage

Poor due diligence invites public scrutiny, erodes stakeholder trust, and impacts partnerships and access to banking or capital. OECD and sanctions literature underscore the reputational stakes of responsible conduct; a company known for weak due diligence faces higher costs of capital and reduced competitive positioning.

Operational Cost of Remediation

Failed or delayed risk flags necessitate expensive retroactive compliance fixes: re-screening thousands of existing customers, terminating high-risk relationships, and conducting internal investigations. This is mitigated by a formal policy with clear triggers and automated execution that catches risks before they become liabilities.

Tool Selection & Data Integration

Your policy cannot execute without a technology layer that enforces scope, triggers, and escalation at the volume and velocity of business growth. Manual research—whether via spreadsheet, database subscriptions, or outsourced analysts—collapses under scale.

Data Sources: Coverage Determines Policy Credibility

A defensible due diligence policy requires access to:

  • Corporate filings and registries: Annual reports, shareholder registers, and beneficial-ownership disclosures from 190+ jurisdictions to map UBO structures and validate control.
  • Sanctions lists: OFAC (U.S. Treasury), UN Security Council, EU consolidated lists, and country-specific designations updated in real time to catch prohibited persons and entities.
  • PEP databases: Politically Exposed Persons across government, military, and state-owned enterprises, with family and close-associate coverage to flag indirect exposure.
  • Adverse media feeds: News, court filings, and investigative reports covering fraud, corruption, money laundering, sanctions violations, and financial crime allegations.
  • Litigation databases: Civil and criminal case filings, judgments, and enforcement actions to identify legal risk patterns and enforcement exposure.

Per FATF Customer Due Diligence guidance, institutions must use reliable, independent sources. Incomplete or outdated data creates false negatives—clean reports on high-risk entities—that regulators classify as control failures.

Data Quality Standards: Reconciliation Logic Is Not Optional

Raw data from 190+ countries arrives in inconsistent formats, languages, and update frequencies. Your policy must define:

  • Source reconciliation: Cross-check ownership claims from corporate filings against regulatory disclosures and third-party registries to catch discrepancies or omissions.
  • Language normalization: Transliterate names, addresses, and entity types to handle non-Latin scripts and detect matching entities across languages.
  • Date stamping and versioning: Record when each data point was retrieved and from which source. Outdated data invalidates screening decisions and exposes the company to liability.
  • Confidence scoring: Flag data points with low confidence (e.g., inferred UBO from indirect ownership vs. verified via beneficial-ownership register) so analysts know which require manual confirmation.

Manual reconciliation of multi-jurisdiction data is a headcount trap. AI-powered normalization and entity-resolution logic is the only scalable path.

Automation vs. Manual Review: Decision Routing at Scale

Define which screening outcomes auto-approve, which escalate for manual review, and which auto-reject:

  • Auto-approve: Clean screening (no sanctions, PEP, or adverse-media hits; verified UBOs; low-risk jurisdiction; no litigation). These flow directly to onboarding or contracting without analyst touch.
  • Manual review queue: Medium-confidence flags (fuzzy sanctions match, PEP family member, minor adverse media, or complex ownership requiring validation). Route to compliance analysts with a 2-business-day SLA.
  • Auto-escalate to EDD: High-confidence risk signals (exact sanctions match, primary PEP status, credible adverse media on financial crime, or high-risk jurisdiction). Hold customer onboarding; escalate to senior compliance or legal for investigation and sign-off.
  • Auto-reject: Prohibited person or entity per sanctions list, or policy-defined red lines (e.g., terrorism financing allegations, active criminal indictment for fraud). No exceptions; customer relationship is terminated or refused.

Your policy codifies these rules. The technology platform executes them. Diligard automates data gathering, entity resolution, risk scoring, and routing—delivering a risk-assessed report in under 4 minutes with full audit trails. Your compliance team focuses on edge cases and EDD approvals, not on manual database searches.
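The routing tiers above and the scoring weights quoted earlier (sanctions hit +50, PEP +30, adverse media +20 per incident, auto-approve below 30, filings under 12 months old, UBO chains of three or more jurisdictions to EDD) assembled into one small policy engine, as an added example that is not Diligard's code. A confirmed sanctions match is treated as the auto-reject red line; the confidence scaling of weights, the jurisdiction weight of 15, the EDD score threshold of 40, the field names and the sample subjects are constructed assumptions, not values from the article.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List

# Weights and thresholds quoted in the article (points per hit, 0-100 scale).
WEIGHTS = {"sanctions": 50, "pep": 30, "adverse_media": 20}
AUTO_APPROVE_BELOW = 30
MAX_UBO_FILING_AGE_DAYS = 365       # corporate filings must be <12 months old
UBO_JURISDICTIONS_FOR_EDD = 3       # chains spanning 3+ jurisdictions -> EDD
# Constructed assumptions, not values given in the article:
CONFIDENCE_PERCENT = {"high": 100, "medium": 50, "low": 25}
HIGH_RISK_JURISDICTION_WEIGHT = 15
EDD_SCORE_AT_OR_ABOVE = 40

@dataclass(frozen=True)
class Hit:
    kind: str            # "sanctions" | "pep" | "adverse_media"
    confidence: str      # "high" | "medium" | "low"
    source: str          # list, registry or feed the hit came from
    source_version: str  # version of that source at retrieval time
    retrieved_on: date

@dataclass(frozen=True)
class Subject:
    name: str
    hits: List[Hit]
    high_risk_jurisdiction: bool
    ubo_jurisdictions: int   # distinct jurisdictions in the ownership chain
    ubo_filing_date: date    # newest beneficial-ownership filing on record

@dataclass
class Decision:
    route: str               # auto_approve | manual_review | edd | auto_reject
    score: int
    rationale: List[str] = field(default_factory=list)
    provenance: List[Dict[str, str]] = field(default_factory=list)

def risk_score(subject: Subject) -> int:
    """Composite score: weight scaled by confidence per hit, plus jurisdiction."""
    total = sum(WEIGHTS[h.kind] * CONFIDENCE_PERCENT[h.confidence] // 100
                for h in subject.hits)
    if subject.high_risk_jurisdiction:
        total += HIGH_RISK_JURISDICTION_WEIGHT
    return min(total, 100)

def route(subject: Subject, today: date) -> Decision:
    """Apply the routing rules in order of severity and record the rationale."""
    d = Decision(route="manual_review", score=risk_score(subject))
    d.provenance = [{"kind": h.kind, "confidence": h.confidence, "source": h.source,
                     "version": h.source_version, "retrieved_on": h.retrieved_on.isoformat()}
                    for h in subject.hits]  # provenance for every data point reviewed
    kinds = {h.kind for h in subject.hits}
    has = lambda k, c: any(h.kind == k and h.confidence == c for h in subject.hits)

    if has("sanctions", "high"):  # red line: refused, no exceptions
        d.route = "auto_reject"
        d.rationale.append("confirmed sanctions match")
        return d

    # Mandatory EDD triggers; any one of them escalates.
    if has("pep", "high"):
        d.rationale.append("PEP status confirmed")
    if "sanctions" in kinds and "adverse_media" in kinds:
        d.rationale.append("sanctions hit combined with adverse media")
    if subject.ubo_jurisdictions >= UBO_JURISDICTIONS_FOR_EDD:
        d.rationale.append(f"UBO chain spans {subject.ubo_jurisdictions} jurisdictions")
    if d.score >= EDD_SCORE_AT_OR_ABOVE:
        d.rationale.append(f"composite score {d.score} at or above EDD threshold")
    if d.rationale:
        d.route = "edd"
        return d

    stale = (today - subject.ubo_filing_date).days > MAX_UBO_FILING_AGE_DAYS
    if not subject.hits and not stale and not subject.high_risk_jurisdiction \
            and d.score < AUTO_APPROVE_BELOW:
        d.route = "auto_approve"
        d.rationale.append("clean screening on current data, score below threshold")
        return d

    # Everything else waits for an analyst: medium/low hits, stale data, jurisdiction.
    if stale:
        d.rationale.append("UBO filing older than 12 months; re-verify before approval")
    d.rationale += [f"{h.confidence}-confidence {h.kind} hit from {h.source}"
                    for h in subject.hits]
    return d

def screen_samples(today: date = date(2024, 6, 1)) -> Dict[str, Decision]:
    """Constructed sample subjects (not real entities) run through the policy."""
    fresh, stale = date(2024, 3, 1), date(2022, 1, 15)
    ofac = dict(source="OFAC SDN", source_version="2024-05-30", retrieved_on=today)
    media = Hit("adverse_media", "high", "adverse-media feed", "2024-05-31", today)
    samples = [
        Subject("Clean Vendor Ltd", [], False, 1, fresh),
        Subject("Fuzzy Match GmbH", [Hit("sanctions", "medium", **ofac)], False, 1, fresh),
        Subject("Minister Holdings", [Hit("pep", "high", "PEP DB", "2024-05", today)], True, 2, fresh),
        Subject("Listed Entity SA", [Hit("sanctions", "high", **ofac)], False, 1, fresh),
        Subject("Serial Litigant Inc", [media, media], False, 1, fresh),
        Subject("Old Filing LLC", [], False, 1, stale),
    ]
    return {s.name: route(s, today) for s in samples}
```

Each Decision carries the date-stamped provenance and rationale the documentation standards call for, so the same record answers "why was this customer approved" during an exam.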

Integration With Existing Workflows: CRM, Onboarding, Contract Systems

Due diligence must integrate with your onboarding and procurement workflows to prevent circumvention:

  • CRM triggers: Automatically screen new customers, vendors, or contractors when a record is created or updated in the CRM.
  • Onboarding gates: Block progression to contract signature or payment until due diligence is complete and approved.
  • Ongoing monitoring hooks: Schedule periodic re-screens and trigger event-driven re-screens (ownership change, adverse-media alert, jurisdiction risk upgrade) automatically.
  • Audit export: Generate compliance reports for internal audit, external examiners, or regulators with full data provenance and decision rationale.

Manual handoffs between systems create delays and gaps. API-driven integration ensures the policy is enforced in real time, at every decision point.

Technology Is the Scale Lever

Without automation, due diligence headcount scales linearly with customer or vendor volume. A compliance analyst manually screening 500 customers becomes a bottleneck at 5,000. With AI-powered screening across sanctions, UBOs, PEPs, adverse media, and litigation history, one analyst can oversee 2,000–3,000 reviews, focusing on high-value decisions rather than data gathering.

Your policy defines the rules. Diligard executes them across 190+ countries, with auditable outputs and real-time risk scoring. This is how you scale due diligence without scaling headcount—and how you make your policy executable, not just aspirational.