
When the External Due Diligence Report Becomes the Problem

  • Writer: Tomasz Kruk
  • Sep 28, 2025
  • 5 min read

Updated: Apr 16

For more than two decades, I have relied on external due diligence reports — a relationship best described as love and hate. Without naming names, here is what that experience has taught me about the three incompatible frameworks most organisations never realise they are choosing between.

A company rejects a perfectly legal counterparty...


A signed contract is frozen mid-execution...


A deal disappears quietly in a compliance queue...


None of these situations involve a sanctioned entity.


None of them involve missing data.


The failure is interpretation.


The problem no one is naming


External due diligence reports are not failing because they lack information. In fact, the opposite is true. They contain more data than ever before.


They fail because they make it too easy to confuse:


  • data with conclusions

  • proximity with prohibition

  • vendor terminology with legal meaning


This is not an occasional issue or a matter of user error. It is structural.


Across organisations, industries, and tools, the same pattern repeats: information that resembles risk is treated as risk itself.


The Interpretation Gap


The core failure can be reduced to a single observation:

Proximity to sanctions is presented—and read—as sanctions itself.

This is the Interpretation Gap.


It emerges when a vendor-defined category is treated as if it carried legal force, when a keyword is interpreted as evidence, or when a report is read as though it were a conclusion rather than an input.


Once that gap appears, the outcome is predictable: decisions are made confidently, but on the wrong basis.



Most organisations rely on a single due diligence provider and assume, almost by default, that it is the best tool for answering what look like simple questions.


They are not.


Each provider is built on a different philosophy, optimised for a different user, and designed to answer a different question. The outputs may look similar on the surface, but they are not interchangeable.


Provider A is designed for maximum data completeness. It aggregates large volumes of information—ownership structures, historical roles, associations, media—often with exceptional depth. However, that depth comes at a cost. The report does not prioritise what matters, and it does not distinguish clearly between a legal hard stop and a piece of historical or contextual information. The user is expected to make that distinction independently.


Provider B is optimised for screening accuracy. It excels at identifying where a name appears across sanctions lists, watchlists, and internal categories. However, its output is heavily keyword-driven and relies on internal taxonomy that resembles legal classification without actually being one. Outside a trained screening environment, the result often looks like analysis while functioning as structured data.


Provider C takes a different approach. It is designed to support decision-making by presenting a narrative and, in many cases, an explicit conclusion. This makes it more accessible and reduces the risk of misinterpretation. Its limitation is that it does not aim to provide the same depth of underlying data and should not be relied upon as a sole source in complex cases.

The consequence of these differences is straightforward:

No single provider answers all three critical questions—what data exists, where the name appears, and whether there is a real compliance issue.

Yet organisations routinely behave as if one report does all three.


A compliance officer moving between these tools is not simply reviewing data. They are translating between frameworks—often without realising it.


Sanctions: where decisions fail fastest


This is the area where the gap between presentation and legal reality becomes most dangerous.


The legal framework itself is clear. It distinguishes between three fundamentally different situations:


An entity is sanctioned


It appears on an official list such as OFAC, EU, UK, or UN. This creates a legal prohibition.


An entity is linked to a sanctioned party


There may be ownership or control exposure. This requires legal analysis and depends on thresholds and jurisdiction.


An entity is described using sanctions-related terminology in a report


Labels such as SCO, “implicit sanctions,” or similar categories are vendor-defined. They are signals for further review, not legal conclusions.


There is no such thing as “almost sanctioned.” You are either pregnant, or not.


However, in practice, the second and third categories are routinely treated as if they were the first. This is particularly evident in the way certain vendor labels are presented—visually and linguistically indistinguishable from confirmed designations.


The legal consequence of those labels is zero.


The operational consequence is often a blocked deal.


The cost of getting it wrong


These errors are not abstract. They translate directly into business impact.

Revenue is lost when lawful counterparties are rejected. Contracts are delayed or abandoned because of misinterpreted signals. Internal resources are consumed in resolving issues that do not exist. Commercial teams begin to see compliance not as a partner, but as an obstacle.


In each case, the data remains unchanged.


Only the interpretation differs.


Where good data turns into bad decisions


The same structural issue appears beyond sanctions, particularly in three areas.


Ownership data without legal context


Reports provide detailed ownership structures and percentages, but rarely explain the legal thresholds that determine their relevance. As a result, minority holdings are frequently treated as if they triggered sanctions rules, and the 50% test is applied incorrectly.


Adverse media without differentiation


Allegations, historical reporting, and confirmed enforcement actions are often presented together without distinction. Older, unresolved issues can appear as significant as current regulatory findings, creating a false sense of risk.


Associations without relevance


Entities are linked through broad and often historical relationships, with no indication of their strength or current significance. In the absence of context, these links are interpreted as evidence of exposure.


In all of these cases, the underlying data is accurate.


The absence of interpretation is what creates the error.


The governance failure


At the centre of the issue lies a governance problem that is rarely acknowledged.


These tools were designed to support decision-making. They are now being used as if they were decisions.


The complexity of their output obscures this shift. Responsibility for interpretation is effectively outsourced to systems that were never designed to carry it.


Under time pressure, ambiguity does not lead to deeper analysis. It leads to caution. And caution, when applied to misinterpreted data, produces outcomes that are indistinguishable from legal error.


The rule that fixes most of it


There is one principle that resolves a large proportion of these issues:

No vendor label constitutes a legal prohibition. Only an official designation does.

Everything else is input that requires interpretation.


What effective due diligence actually requires


A report is not a decision. It is the starting point of a process.


That process has four steps:


Data — what the report contains


Qualification — what is fact, inference, or gap


Legal classification — what the law actually requires


Decision — what action follows


When these steps are collapsed, the Interpretation Gap appears.


One non-negotiable control


There is a single step that should never be omitted:

Verify sanctions at the source.

Official lists—OFAC, EU, UK, SECO—are authoritative, current, and publicly available.

If this step has not been performed, the analysis is incomplete.

If every source fails, ask the management of the company you are checking. They may be transparent and helpful, and they may save you time and money.

Final point


External due diligence reports remain essential. They provide valuable data and are an integral part of any compliance framework.


But they are not conclusions.


They are inputs.


The organisations that understand this distinction make better decisions—faster, with greater confidence, and at lower cost.


Those that do not will continue to block the right deals for the wrong reasons.


Most compliance failures are not caused by missing risk. They are caused by treating data as conclusions.



Verify directly — official sources, no subscription required


US OFAC (SDN and non-SDN): sanctionssearch.ofac.treas.gov

EU Sanctions Map: sanctionsmap.eu/#/main

EU Full Consolidated List: webgate.ec.europa.eu/fsd/fsf

Switzerland SECO/SESAM:

UN Security Council: unscr.com/en/sanctions/1718



The full analytical paper — including the complete legal architecture of sanctions categories, provider-by-provider comparison across six failure modes, and the companion Toolkit with a hard-stop/false-positive checklist and plain-English abbreviation dictionary — is available to download below:


