Today's compliance professionals have abundant resources to make better decisions about their clients and supply chain partners faster and with greater confidence than ever before. However, accessing those resources online poses challenges: maintaining privacy, protecting computer networks from malware or intrusion, and just finding good sources among the plethora of paid and free services found online. Also, many compliance professionals are locked into a particular program or workflow, be it handed down by routine, mandated by management, or completely self-served, limiting the potential for expanding their knowledge base or confirming their conclusions. Here are five resources you may want to introduce to your open-source toolkit to enhance your security, shorten your search time, and improve your results if you are not currently using them in your due diligence workflow.
A hardware solution to protect your network
The most important thing to remember about conducting open-source investigations is that you cannot trust everything you find; this includes the data or the source, the server, and websites you might explore to gather information. One of the things I often recommend is to establish a "dirty machine" for open-source work to protect
The most important thing to remember about conducting open-source investigations is that you cannot trust everything you find.
your corporate or personal systems from potential malware lurking on dodgy websites you might want to visit in your quest for the real story. An inexpensive laptop or portable solution is my favorite answer. Find a machine running any operating system ("OS") that can give you a good and safe web-browsing experience, with a price point that won't make the accounting folks cringe should you have to bin it due to malware from a dodgy website. And be sure to keep the OS, browser, and any other programs you use updated to protect your machine to the greatest extent possible.
A private connection and a browser that forgets
The following two tools are a power couple: a private web browser and a virtual private network ("VPN"). During a recent class on open-source investigative techniques, a student raised an excellent point about the choice of browser to use while conducting deep-dive research into a subject, noting that their use of the DuckDuckGo1 web browser had several advantages over other solutions. As an early adopter of the plucky little product, I had to agree. Still, with private browsing functions available on most web browsers today, similar functionality is available for those more comfortable with their old favorites.
The browser only solves half of the privacy challenge, as you may need to mask your location and encrypt your traffic, especially if you are on a public network. A VPN hides your actual internet protocol ("IP") address, a numerical identifier that allows the server to know who is connected to it. Find a good service that provides several virtual servers in different locations, so you can visit sites from other cities or countries to prevent leaving a virtual breadcrumb trail back to your home network. And while free services may seem tempting, it is often true that you get what you pay for, especially since bandwidth is not free.
Three online surces to check a company fast
Since open-source research is often reliant on the data provided by a webpage, it's a good idea to start with the universal resource locator ("URL") of the company website or email. Is the new client using a free domain email for work? While small businesses may need to save money by using free webmail accounts or website builders, this might also be a red flag for someone hoping to make a quick deal while maintaining anonymity.
For companies with a unique URL, a quick look at the domain registration using a WhoIs search site like DomainTools2 will give you an idea as to how long the site has been registered. Although privacy services are commonplace, they can sometimes provide contacts or links to the company responsible for the registration. A company bragging about years of experience with a website established months ago might be a good candidate for a more in-depth search.
Sometimes, a quick web search can find a significant amount of detailed information about a company, including official commercial registration data. But when that fails, where should you start?
I recommend a trip to OpenCorporates.com, 3 a database containing registration data for over 200 million companies at the time of writing.
Described as being built on a "public benefit business model", OpenCorporates provides a free web-based search function where you can see registration details and corporate officer information, as well as potential connections to other organizations or persons.
You may also wish to go straight to the source, but where can you start to find online corporate registries? A visit to the Organized Crime and Corruption Research Project's Catalogue of Research Databases4 is a good start: the site provides a sortable list of corporate registrars, patent offices, and other regional or local registries for use in company research. The site maintains links to over 1,000 sources from 181 countries. Some online registries require a fee, but others can access or provide basic information free of charge.
Now, off to the races!
With your machine and browser sorted, your network protected, and a few sites to start searching, it's time to decide how to work this into your routine. Unless you have a small client list, it may be unrealistic to try and conduct deep-dive research on every client or every potential partner. Establishing a triage system based on what information you have, such as your company's history with the subject and what information you seem to lack, such as new addresses or unusual orders, can help you decide which ongoing relationships might require a fresh look. New clients may come in the door with an excellent pedigree, where a verification may only require a basic due-diligence search online. But consider a deep-dive on newer companies with a minimal web presence or who don't provide detailed information about their business.
Footnotes
2 https://whois.domaintools.com/
4 https://id.occrp.org/databases/
Originally Published by Export Compliance Manager
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
