How to use OSINT for Supply Chain Due Diligence
By Blackdot Solutions
Why is Supply Chain Due Diligence important?
Effective Supply Chain Due Diligence is becoming more important than ever before.
Earlier this year, the German Supply Chain Due Diligence Act (Lieferkettensorgfaltspflichtengesetz) came into force. This act puts increased responsibility on companies to ensure there are no violations of human rights or environmental laws within their supply chain. Although it only directly applies to companies operating in Germany, it also has implications for companies in other jurisdictions: the introduction of this act has prompted discussions surrounding current supply chain measures more broadly. In fact, six months after the German legislation became active, the EU also voted to tighten its supply chain laws.
It’s clear that the increased attention on Supply Chain Due Diligence following Germany’s changes is having a tangible effect. Jurisdictions within the EU will soon have to introduce new measures, which will affect any companies linked to EU-based entities through the supply chain. This means that the time to review your Supply Chain Due Diligence strategy and its effectiveness is now.
Beyond the recent changes in legislation, companies have several other reasons to implement Supply Chain Due Diligence effectively. For example, taking measures to avoid reputational damage is a crucial part of a good brand protection strategy. Without effective Supply Chain Due Diligence, companies risk becoming associated with non-compliant, disreputable or even sanctioned entities. If these associations are made public, the company’s reputation could be at stake. Similarly, companies that fail to effectively assess the risk associated with third parties in the supply chain have an increased chance of exposure to corruption or financial damage, for example if a supplier turns out to be fraudulent or financially unstable.
What does effective Supply Chain Due Diligence look like?
It’s not always obvious how to implement Supply Chain Due Diligence effectively, and practising it can be challenging. For example, the large number of different entities involved in supply chains means it can be difficult to decide where to focus your resources. Some entities will be clearly identifiable as carrying an increased chance of risk and therefore warrant further investigation, but it’s also important to ensure risk is mitigated adequately for other, less obviously risky, supply chain entities.
In this article, we’ll demonstrate how Open Source Intelligence (OSINT) can help overcome these challenges. By allowing investigators to leverage live internet data and other public or licensable sources of information, OSINT provides valuable context and helps to identify risk more rapidly and accurately.
Read on to see an efficient OSINT-led Supply Chain Due Diligence investigation in action and learn more about how to overcome common OSINT challenges.
Mapping Corporate Networks
In this investigation, we’re onboarding a new partner in our supply chain. Aided by Blackdot’s OSINT solution, Videris, we’ll use live internet data to identify what, if any, risk it represents.
Establishing Known Intelligence
To begin the investigation, we’ll map out what we already know about the company. In our case, this is their name and the city they’re based in. Videris makes it easy for the user to input and visualise this information, alongside any further intelligence uncovered within the case.
So far, the company appears compliant as it is active, UK-based and registered on Companies House. However, further investigation is required to get a full picture of the risk it presents. Indeed, registration on Companies House is far from a guarantee of legitimacy, so it’s prudent to conduct a deeper search.
Leveraging Corporate Records
Corporate records are a valuable starting point when investigating a company, as they can reveal information such as associated addresses and shareholders. However, without the right technology, leveraging corporate records can be manual, time-consuming and prone to human error. Using an OSINT solution like Videris allows the user to access the information they need in just a few clicks, freeing up valuable time within the investigation.
With Videris, users have access to a range of quality corporate records providers such as Moody’s Orbis and Dun & Bradstreet within one single platform. This data can then be viewed and analysed in one interface, alongside other data types, such as live internet data, PEP and sanctions watchlists, and adverse media.
Having selected the sources we wish to consult, we can run a search on the company we’re looking into. With Videris’ search function, analysts can get to the information they need faster and in fewer steps. Not only does it allow them to search many data sources at once without switching platforms, but it also ranks results and highlights keywords based on information that’s already in the case. This means that analysts can bypass the challenges presented by search engine optimisation (SEO). Instead of trawling through pages of irrelevant results, they’ll see the most relevant information first.
Our search of corporate records has revealed that the company has a single direct shareholder named Luis Felipe Tilleria Limongi. We can now learn more about this person by conducting a search to see if there are any additional officer records matching this name.
By consulting corporate records, we’ve uncovered that Limongi has executive relationships with 26 different companies. Not all of these companies are still active, and they appear to be across multiple industries, including financial services, real estate, utilities and asset management. It’s easy to determine Limongi’s relationship to these companies using the visualisation chart: he appears to be majority shareholder for most of them.
Searching Adverse News
So far, our due diligence search on this potential supply chain partner has revealed that the sole shareholder of the company is also the majority shareholder of 26 other companies. Although this is not necessarily a red flag, it certainly brings up questions that prompt further investigation. For example, of the companies that are no longer active, why did they cease to do business? Furthermore, why or how has he been so heavily involved in so many different types of business?
One of the benefits of Videris is that it allows analysts to consult a wide range of sources and types of data. By using many sources of relevant data, analysts can achieve a more complete understanding of risk. If they instead restrict the investigation to a limited range of data types, they are more likely to miss a crucial piece of information and therefore fail to accurately assess the risk an entity represents.
Having extracted value from analysing corporate records, we’ll now consult adverse news to gain further information on Limongi.
Much like when we searched corporate records, the Videris search function allows us to search a range of sources at once and in one platform. It also gives us the ability to search on the surface web and deep web simultaneously, to ensure that we don’t miss any crucial information.
Our search across these sources has yielded 93 results.
Looking at these results, we can see the advantages of Videris’ search function in action. The highlighted yellow text draws the user’s attention to words that already appear in our investigation. This means it’s easier for the user to identify those results which are most likely to be relevant.
When conducting Supply Chain Due Diligence, analysts may find that relevant sources aren’t always written in the languages they speak. Without the right technology, translating search results into the right language takes up valuable time – and spotting risk within them takes even longer. However, Videris helps streamline our investigation here too, as it allows us to translate search results into another language and automatically flags risk with a single click.
To streamline the reviewing process even more, Videris uses natural language processing to sort the results into categories based on the type of risk they represent. These categories are easily viewed in the side bar or as a bubble chart, and the user can select the categories of most interest in order to filter the results further.
Investigating in a Secure Browser
After successfully filtering the search results, we can now look through the three that remain. Clicking on a result will open the webpage in Videris’ secure browser.
A key part of the Videris platform, this secure browser provides inbuilt security features that help the analyst to manage their digital footprint. These save the user time and make browsing the web a more secure and straightforward process.
By investigating the results of our adverse media search further, we can learn more about Limongi, the shareholder of our potential supply chain partner. It appears that he has previously been prosecuted for renting out properties using fake names and businesses. As a consequence, he and his associates were fined £79,000.
In other words, we’ve found clear risk associated with Limongi. This signals that onboarding Payment Collection Services Limited within our supply chain could have negative repercussions.
Reporting and Next Steps
At this point in the due diligence search, the analyst may decide that they have the intelligence they need to make an appropriate decision regarding the supply chain partner. If so, it’s now time for us to report on the investigation.
Using Videris, we’re able to easily create a report summarising the main findings of our due diligence investigation.
Most of our key intelligence is saved on the visualisation chart, where we’ve mapped out our potential supply chain partner’s corporate network. However, we can also save any pertinent websites as notes so they’re easy to refer back to.
For example, let’s create a note for the most important result of our adverse media search. Using the snipping tool, we can paste this article into Videris’ notes. The HTML steps will automatically be logged for audit purposes and we’ll be able to see an image summarising the key information.
Online data is constantly changing, so capturing web-based evidence in a timely manner is crucial. Usually, investigators have to do this manually. This is a lengthy, error-prone process that takes up valuable time and disrupts the flow of the investigation.
With Videris, however, investigators can streamline this process. As we saw above, when investigators use the snipping tool to capture evidence, website data such as the URL and HTML steps are automatically saved, meaning that they no longer have to do so manually. This automatic logging applies beyond the snipping tool, too. Whenever web-based data enters the case, Videris automatically captures sourcing and screenshots, saving the investigator time and reducing human error.
Generating a report is also simple within Videris. Report templates are customisable, meaning each company can display information in the way that works best for them. By default, case notes and visualisation charts can easily be exported either as a PDF or Word document.
Conducting Further Research
Alternatively, the analyst might wish to gain an even fuller picture of the risk this potential partner represents before presenting their report.
From here, we could investigate the other members of the rent-to-rent enterprise Limongi was part of in order to better understand his network and any potential exposure to it. We could also take a look at any publicly viewable social media content and connections or run a search on the dark web, depending on the information we wish to obtain.
These are far from the only avenues of further investigation available to us. Thanks to the range of sources it makes available to them, OSINT allows analysts to obtain a deep understanding of the risks associated with third parties. If analysts fail to make use of this breadth of available information, they risk missing important information which could reveal profound risks.
Using OSINT is crucial for companies that want to accurately and effectively identify risk in their supply chains. But the large volume and disparate nature of open source data (OSD) available means that simply using OSD alone isn’t enough to guarantee an efficient approach to investigations. Instead, companies should support their analysts with good OSINT technology to make sense of the available data and ensure Supply Chain Due Diligence can be as efficient as possible.
Supporting OSINT-led Supply Chain Due Diligence with Innovative Technology
At the start of the investigation, all we knew was that a company called Payment Collection Services Limited, registered in London, was under consideration as part of our supply chain. We’ve since been able to identify the ultimate owner of the company and investigate him. Using open source data through the Videris platform, we were able to uncover that there is risk associated with this officer and understand that onboarding the company as part of the supply chain might have negative repercussions.
Each stage of our Supply Chain Due Diligence search has been conducted using Videris, allowing us to unlock greater efficiency and reduce human error. For example, visualisation features have allowed us to easily understand complex networks and keep track of our case information. Additionally, automation and search ranking have given us access to the information we need faster.
Crucially, Videris has supported, not replaced, the analyst. It’s left them in full control of the investigation whilst allowing them to achieve greater efficiency and effectiveness.
Find out how Videris can transform your Supply Chain Due Diligence processes by booking a demo today.