Webinar: 5 Sanction Screening Mistakes That Can Cost You Big Time
Transcript for “5 Sanction Screening Mistakes That Can Cost You Big Time”
Giovanni Gallo: Hello everybody and welcome to Five Sanction Screening Mistakes That Can Cost You Big Time. Presented to you by ComplianceLine, I’m your host Giovanni Gallo. As we get into this, let’s go over some quick logistics here. So please ask questions in the comment section on the sidebar, on your webinar screen. We’d love this to be interactive and we’re here to serve you. So we really want to find out what’s important to you. If there’s something that we cover that you’d like more information on or that maybe that we don’t cover and you’d like us to talk about, then we’d love to do that for you.
We will send this recording around at the end of the presentation. To all registrants, please share that, again, we’re trying to help and if this can be helpful to someone else on your team or someone else in our community, let’s do that. And you will receive a certificate of participation. And just because we love being helpful, we’re going to send you a nice infographic about these five mistakes that we go over and three bonus ones in there just ’cause we love you.
So I’m your host Giovanni Gallo. I’m co-CEO of ComplianceLine. We offer the industry’s best case management issue intake and hotline services. We do exclusion screening and licensed checking. And in addition to our whistleblower hotline solutions, we also provide current era modern e-learning and compliance training for people who don’t want their employees to be bored to death from bad training. So let’s get into it.
So as we talk about sanction screening, if the data were clear and the standards were precise, it would be hard enough. You still have monthly checks to do. You have hundreds or tens of thousands of employees to check. And there are a bunch of, you know, hundreds of lists and a bunch of different agencies that you need to monitor. But we all know that the data are not clear and the standards are not precise. So what does that leave us with? You know that data matching and decision challenges can cause you to take more time to do this than you’d like, they can cause you to really miss some important risks within your organization and they can ultimately make this a harder and more risky venture than you set out to conduct.
So names have a lot of variations and they’re not always recorded in a consistent format. So you can have middle names and initials and maiden names and things like that. The exclusion databases, the agencies that you’re checking with, they have different standards of what information they report. You don’t always have date of birth or you don’t always have the date of the sanction in the same format and things like that. That can make it hard. These agencies, they give you guidance but they don’t give you direct instructions on how to assess a match. So it’s left up to you to have a good amount of discretion and to make sure that you are checking the right information and comparing the right fields and ultimately making a prudent decision on whether you have a risk and whether an employee or a volunteer or someone else needs to be separated from your organization.
Ultimately, there are multiple ways to determine and rule out a match even within a single database. And then when you have dozens or hundreds of databases and different standards across those, it makes things really hard for you. So what we’re gonna try to do today is go through some things that are gonna help you avoid some of these mistakes, hopefully have a clearer process and ultimately find the risks in your organization and clear those out.
So the first one we’re gonna talk about is searching too many lists. Contrary to what some believe, having more information isn’t better, especially if that information is not relevant to likely risks for you. The other one is an over-reliance on public databases. If you think that you have all the information and you make decisions when you really could have clearer information, you may miss some risks and either fire someone unnecessarily or let somebody remain in your organization when you shouldn’t have. The third one is gonna be focusing on type two errors. Now, this can be a problem because if your whole system is built around these type two errors, then we believe that the biggest risks are in type one errors. That’s where you have a false negative and you don’t think somebody is an exclusion candidate or a match and you let them remain in your organization. Type two errors can obscure some of the most important risks in your organization.
The fourth is ignoring the Death Master File. So this social security number, Death Master File really has a wealth of information and really precise information that can help you identify bad actors that you may not be able to find out any other way. And then the last one is mishandling your interactions with employees. That can cost you extra time. It can lead to lawsuits, and can also harm your culture if you don’t handle them properly. So we’ll talk about all these things and see if we can help you out.
So the first one we’re gonna talk about is searching too many lists. So what you’re gonna deal with here is if you indiscriminately search every list available, then there are a bunch of things that can go wrong. One thing is you’re gonna be spending too much effort on the wrong focus. We all have a lot to do within the compliance function and working on unnecessary things is it flows into or sucks attention away from other things.
Another is that you’re gonna burn out your team. Someone who’s continually doing work that never results in a positive forward momentum, in this case of finding a risk and clearing it out, can really demoralize your team and just put too much stress and strain on them. And ultimately it’s probably wasting your budget, not just the man hours or employee time that’s spent on it, but also if your vendor is charging you for a bunch of lists that you don’t need, then you’re gonna be at risk of not hitting your ROI. So doing all of this extra unnecessary work isn’t just a waste of your team’s effort and budget, but it might lead you to focus on work that obscures the most damaging risks within your organization without providing any meaningful risk reduction.
So what we advise everyone to do is to take this intelligent, balanced and contextualized look at which lists are going to hit that sweet spot of having a high potential of identifying a sanction party that is putting your company at risk versus the amount of work that it takes. And like I said earlier, some people may have the sense that the more work you do or the more things that you can check, the better. But I think that as we become more mature and seasoned not only sanction screeners but ethics experts and compliance professionals, we realize that there is way too much data out in the world for us to actually check it all.
What we need to become experts at is identifying the areas that have the most risk and taking a prudent and balanced approach to checking the right things. Spending our time looking in the right amount of depth into the areas where we’re gonna have the most likelihood of finding a risk. And then having a scaled approach to how we manage risks that are less likely.
So one example of this is if you’re a very local medical provider and you only recruit from your town and you don’t have any insurance contracts or physicians or anything like that across state lines and you end up searching sanction lists in every single state, in states where you’ve never recruited anybody from, where you don’t have any patients from and things like that, you might end up searching a name and getting hundreds of results back that you need to review that are from a state or from an agency that has no relevance to you. So if there are vendors out there that like to just push that, “Hey, we have hundreds of databases and there are thousands of things that we’re gonna give you access to,” really what they can do is just give you amount of work that is unnecessary and we believe that a good vendor, a good partner or just a good advisor within your team should help you get to that right balance of what is my level of risk exposure and what is the level of work that’s going to manage the risks that I have by searching the right databases. What I want you to remember is more databases does not mean better. The right number and the right set of databases are gonna give you that right balance of I’m checking all the areas where I’m likely to have risks and I’m not creating a bunch of unnecessary work for my team.
So the second one for us to go over is an over-reliance on public databases. This is something that if someone’s new to the sanction screening game or if, you know, you have a vendor that just kind of does this as a side business and just thinks that it’s easy cause you can download databases, you’re really gonna miss out on some really important information. What people don’t realize sometimes is that your view into your sanction data is too limited if you’re just relying on a fully automated search. If all of your searches are done against downloaded data from these different agencies, what you may not realize is that it’s insufficient for the thorough sanction screening you need to protect your organization and your patients. Well, what we’ve realized because we’ve been doing sanction screening longer than anybody else in the industry, we were the first to market with a product for this because we had some big clients who saw this regulation coming up and asked them to help with it because we had been so helpful with some other things, there are a lot of agencies that have information that they don’t list publicly that you can’t download and automate, but you can find out by interacting with them directly. With some of those, it’s an online request form or it’s an email or it’s actually, imagine this, picking up the phone and calling them and asking for information.
But a proper sanction screening process should acquire, consider and analyze information available at agencies. But that is not available in the publicly-posted databases. And an example of that might be that an agency might have social security data for the sanctioned individual and they’re not gonna put that on their website and let people download it. But you can contact them and say, “Hey, I’m searching for Chris Jones and his social security ends in four, five, six, seven. Can you check this against this specific sanction and tell me if that sanctioned individual has the same social security number?” Well, that’s great information for you to have because you may not be able to rule it out. And you may be sitting there saying, “Hey, this might be the same Chris Jones,” you know, in the sanction as my employee and you can’t definitively say it’s not. If you or your vendor or your team know to contact the agency, then you can call them up, check that. And they might say, “Oh no, this sanctioned individual, Christopher Jones, has a different social security number.” They’re probably not gonna tell you what it is, but they can tell you no, it’s not that one. And then you can move on, you can clear off your list, the Chris Jones who works for you.
You have confidence that at least for that sanction they are not causing a problem. And then you can move on to the next one instead of having to do an investigation or just making a guess with unclear information.
So these sanctioning agencies, they have powerful, non-public insight and clarity. And usually this comes up at this crucial stage in your sanction screening process that you can only clear out by interacting with them. This is, you’ve, you know, compiled your list, you’ve picked your databases, you’ve done your automated, you know, scalable IAT-based search. And you’ve cleared out everything that you can based on the information, you know, publicly. But by contacting them they can help you rule out an exclusion and avoid having this an unnecessary uncomfortable conversation with an employee where you say, “Hey, “Dr. Chris Jones, you know, I really think you got sanctioned.” And then Chris says, no, “That was definitely not me,” etc. In addition to that, in saving that interaction, it can give you much needed information before engaging a lengthy investigation so you can act quickly with assurance and remove a disqualified physician.
So that was risk number two. Wanna make sure that you remember not to completely rely on the data that you can download from a database, what you really want to do is make sure that at some point in your sanction screening process when needed, someone has the knowledge and the bandwidth and the ability to follow-up directly with agencies and get some of this information that you can make good decision with.
So we’re gonna go to number three here and that is focusing on type two errors. The mistake that you can make is that some vendors brag a lot and push a lot about how their system avoids type two errors. And we’re gonna get real sciency and technical with you guys here, but we’re gonna talk about an issue that is pretty simple when we put it into normal language. So what you don’t wanna do is focus too much on type two errors. So you can see here type one errors are false negatives. That means that you’re unaware that an employee has been matched. You see a match of Dr. Chris Jones and Dr. Christopher Jones and you say, “Oh, negative match. You know, my employee is not a problem,” and you move on. That’s a type one error. You have a negative match but it’s false. What you should have realized is that those are the same person and you need to get this physician out of your system before you, you know, put patients at risk and your reimbursement at risk. Those type one errors are what really your vendor and your team should be looking out for. Because if you rule out a match and you say that, “Oh no, Dr. Chris Jones is fine. You know, he was never sanctioned,” and he actually was, that’s a type one error and that’s a big risk.
So let’s talk about what type two errors are. And if you pay attention, you’ll see a bunch of people in, you know, the vendor marketplace saying how they’re so good at managing type two errors. For our team, it’s a little confusing to us because it doesn’t seem like the smartest thing to be talking about. And what it might be is just…it’s something that’s easier to talk about and easier to build an automated, you know, low effort algorithm on. Type two errors are false positives. So that’s where you know, you have, you know, Christina Jackson and, you know, Dr. Jackson works for you and you go and check a sanction for, you know, Christina Jones Jackson, and you think that that’s a positive, but you think it’s a positive match and you go have…you go look into it more or you go have a discussion with Dr. Jackson and it’s actually a false positive. So that means that you have a positive match or you think you have a positive match, but you are wrong about it. So the error there as you go and talk to the employee and the employee says, “No, that’s definitely not me. Never happened. Here’s some proof or documentation or let’s look into it more.”
So those type one or false negatives end up posing a much greater risk to patients, to your reimbursement, to your reputation and to fines. And because of that greater risk, type one errors should be prioritized as a point of excellence in your exclusion screening process. So whether you outsource this to a vendor, whether you just have some software that you buy and then your team does the work or you do what we call full service and you have a vendor provide a full end-to-end solution, you should be making sure that your system and your processes are built around identifying and ruling out type one errors mostly. If someone is talking way too much about type two errors, then you…or talking about avoiding false positives, then you wanna watch out for that. So as you build your process, you wanna make sure that you screen, identify and potentially view all the likely false negative matches. That’s where your risk is.
Carefully identify your true positive matches and remove those entities so they stop putting your patients at risk. Definitely where you can avoid it, type two errors are errors and you should be looking out for them in any good system is gonna do that. But if all someone’s talking about is type two errors, then they’re missing the point that those false negatives are the ones where you’re gonna let someone stay in your organization, you’re gonna assume that they’re fine, when in reality they’ve been sanctioned and you may be a month or a year away from a regulator finding out, clawing back your reimbursement and putting the safety of your patients at risk with that person or that entity there. So for risk number three, I want you to remember that false negatives are the biggest thing that you wanna look out for. You don’t wanna be ignoring a match and thinking that it’s negative and be wrong about it.
So let’s get into number four. So number four is ignoring the Death Master File. So in case you didn’t know, the federal government makes available this social security Death Master File. And what is really great about that is that the social security number is one of the best pieces of data that we have in order to clearly identify a listed or sanctioned individual with someone who’s on your roster. It’s like a unique identifier number. You know, people can share the same birth date and they can share the exact same name even, but they can’t share the same social security number. So when you can compare against that, it’s one of, if not the best way to identify a match. And what the social security Death Master File is, is a list from the federal government of all the deceased people and their social security numbers.
So what this allows you to look out for is if somebody’s on your roster, one of your employees, physicians, volunteers, etc. is using a social security number that’s on this Death Master list, not only was this Death Master list search helped you identify that, but not having this could lead to a bunch of false information and you missing or ruling out a bunch of sanctions.
So you might have an employee who has submitted a fraudulent social security number and they could be caring for your patients, which is very concerning, obviously. And by searching this, you can find that out. And, you know, something that we’d like to point out to people here is that it’s not just about finding these…finding someone who may be committing social security fraud, maybe they’re falsifying their identity or somehow they’ve obtained a deceased person’s social security number. But if you keep…if you’re not checking this list and you keep making decisions based on someone’s falsified social security number, you might be making a bunch of decisions that you think are really clear answers. Because like we started talking about here, that social security number is kind of treated as the gold standard unique identifier for an employee because it’s so unique and you know, only one issue per person and it’s never duplicated.
If you’re running off a falsified social security number, you might be doing some of the things we talked about earlier, contacting an agency and saying, “Hey you know, here’s one of my employees, here’s his social security number.” And they say, “Oh, that doesn’t match this sanctioned individual.” Well, we generally, you know, in the sanction screening space and you know, anybody who is doing background checks and things like that very heavily rely when we can make a comparison, we rely on that social security number. So if you’re not checking this, you could be making a bunch of decisions that you think are really clear and direct on false information, which can put you at a lot of risk and obviously put your organization and your team at risk.
And ultimately, this is one of those things that we really started at the beginning of our webinar today talking about, about how there’s a lot of potential confusion in this process. And there is not really clear guidance from agencies on what you have to do to stay compliant. You just need to make sure that you don’t fall into noncompliance. And having these falsified social security numbers in your roster can put you there into some hot water.
So what we’ve seen is, you know, maybe five years ago in you know, 2015, 2017 this was kind of a nice to have for a lot of people. And this is going through this cycle where it’s moving through kind of the people and the organizations who have the most exacting compliant standards have already adopted this. And the social security Death Master is quickly becoming a standard best practice that more and more people are asking for and realizing the value of it to clean up their list and identify any bad actors in their employee, volunteer and physician list.
So we’re moving along here. So number five here is mishandled interactions. So this one, we wanna look at what happens when you find a sanction that you’re concerned about and then you need to follow-up with an employee and either have them confirm or deny it or have them separate from your organization. So when you’re matching data is concerning enough that you’re pretty convinced that you needed an additional check even though you don’t know for sure, even sometimes when it seems pretty likely that an employee has sanctioned, it has been sanctioned, you’re frequently gonna engage that employee or physician in a discussion where you share your discovery of the sanction with them, where you say, we’ve identified the sanction, it seems like it matches you and you give them a chance to answer that.
So the biggest errors that people make on these interactions are to not have these interactions at all. So think about that. If you just terminate an employee, anytime you see something questionable or anytime even you’re convinced based on, you know, you think that the state matches and birth date is close enough and the name is close enough, if you just terminate them when you see something questionable, then that’s bad. Or if you just never have that gray area discussion when you’re not sure, then you’re likely making some errors. And you should consider whether this is an area where you can drive some continuous improvement in your overall compliance organization and especially within your sanction screening process.
So when damaging individuals remain employed or even worse when hardworking, honest physicians are separated due to mistakes of your team, then that can cause a lot of problems. So what we recommend for everybody is it’s a best practice to implement a waiver process where once you’ve done all you can, you’ve done some of the things that we’ve talked about, pick the right databases, you’ve gone through and search them. You’ve compared the information that you have available to you. You’ve done the extra step of checking the social security Death Master and even checking with the agencies. Once you’ve gotten to that point and the comparable information that you have on your public list and through direct contact with the sanctioning agency, you should have that discussion with an employee, give them a chance to add any new information to the process and potentially give them the option to sign a waiver that states that, you know, despite some of this information matching up that that’s not them. And that should be one of the final steps, if not the final step in your process. And you should also make sure that those interactions, you’re treating your employees with respect, you’re, you know, kind of giving them the consideration, the time to answer it. And, you know, maybe most importantly, keeping an audit of those conversations and those waivers so that if there’s ever a mistake made, you can go to a regulator or an auditor and say, here are all of the steps that we follow. We follow them consistently. Here’s a record of all of the waivers that we’ve gotten and things like that.
So as we wrap up here, we’d love to take any questions that you have and so please put those in the chat and we wanna go over a little bit what you should expect from your vendor. So we think that as you’re looking for a vendor in the space, again we’ve seen this market mature over the past 10 years or so where people start off usually saying, “Hey, the data is publicly available and, you know, how hard can it be? We’re just gonna search it.” Maybe they advanced to, “We’re gonna download some software or we’re going to buy a license and we’ll do the searches themselves.” As this becomes bigger and more risky and more complex, people are increasing looking to vendors like ComplianceLine’s SanctionCheck team to take this work off their plate to shield them from this risk and ultimately to provide a full end-to-end solution, which we call full service. That’s gonna do everything from starting your initial search of your list through that waiver process.
So you should demand that you get a complete and robust process including direct agency follow-up and employee attestations. Those should all be part of the process. You should be expecting robust technology and automation with the configuration that’s sufficient to fit your team, your budget and your risk tolerance. If you have friends across the compliance space, you know that different organizations look at things differently. You might be in different lines of business or operate in different states and your solution should really be configured to meet the risk tolerance and the budget that you have, not just kind of fitting you into a box and someone telling you that, yeah, of course everyone should do this.
Your vendor should provide clear advice and they should be facilitating your exclusion choices based on your risk exposure and your tolerance. We also think that a good partner is going to educate you and collaborate with you on how to handle data gaps and unclear comparisons. There’s a bunch of fuzzy matches and confusing standards across, you know, these dozens or hundreds of lists. And your vendor should be a partner with you to help you make good decisions there. Vendor should also be updating you on changes and improvements that can reduce your work and improve your risk coverage. You should be seeing continuous improvement come out of that vendor in their software, in their knowledge, in their responsiveness to regulations. And a partner should flexibly enable your team to collaborate, report and share responsibility across departments in geography. Whether that’s data and analytics or access for different users or segmentation of data, these are all things that as we work in a cross functional, complex environment where compliance is touching everything across the organization your vendor should make that easier for you and not put you into more silos.
Your vendor should always be available and responsive to answer questions, advise on challenges, and help your team make decisions. And finally, we think that the way to test all of these things and to really see if you have a good partner is find out if they actually care. You care about your team, the people you work with, right? You care about your employees, the people you’re protecting. We believe that a vendor, just because they sign a contract with you should not be off the hook to care about your mission and care about your people. So you can see that in how responsive they are, how thoughtful they are in giving answers, their willingness to say yes when you need something, even if you hadn’t anticipated it before. Those are the types of things that separate a vendor from someone who just sells you a contract and then waits for you to enforce it. And we believe that the work that ethics experts are doing in this day and age is important enough that every vendor should be on your team and help you move your mission and your projects forward.
So this has been a presentation from ComplianceLine. Our solution SanctionCheck is the most trusted end-to-end sanction screening solution in the industry. We have the fastest turnaround time, the most responsive service, the lowest error rate, and we get perfect solutions that perfectly fit your organization. We’re so confident in that and we have so much experience in this that we back all of our work with a $5 million ActionCheck guarantee. And that’s just one other way that we help you stay safe, that we help you relax about having this process completely done and that we show our dedication to caring as much about you and your team as you do.
So I really appreciate everyone joining today. This has been a presentation by ComplianceLine on the Five Sanction Screening Mistakes That Could Cost You Big. I’m Giovanni Gallo. It’s been a pleasure sharing some time with you today and I just want you to know that the SanctionCheck team is here to help you, whether you’re a client or not. And we hope that while you’ve honored us by sharing some of your time with us today, that this has been something that has made you smarter, that has made you better at your job and made you more effective.
Thank you.