Due Diligence Now Includes Digital Behaviour
The Rise of Social Media Screening in Compliance
CEO & Co-Founder, BA (Hons), QTS, FRSA — Hermes Digital
In 2018, a major UK financial institution withdrew a senior appointment after a pre-employment digital screening revealed a pattern of social media activity that was incompatible with the institution's regulatory obligations. The candidate's qualifications were impeccable. Their professional references were strong. Their financial and criminal background checks were clear. The digital screening identified what every other diligence process missed — because no other process was designed to look.
The incident was not an anomaly. It was an early indicator of a structural shift in how organisations assess risk associated with individuals. Due diligence — historically confined to financial records, criminal databases, directorship searches, and personal references — now includes digital behaviour. And the organisations that have not adapted their diligence processes to include this dimension are operating with a gap in their risk assessment that grows more consequential with every passing year.
The Compliance Rationale
The integration of digital behaviour into due diligence is not driven by curiosity. It is driven by compliance obligation.
UK employers, particularly those in regulated sectors, have a legal duty to assess the fitness and propriety of individuals in positions of influence. The Financial Conduct Authority's Senior Managers and Certification Regime requires firms to certify that individuals performing senior management functions are fit and proper — a determination that encompasses honesty, integrity, and reputation. The Prudential Regulation Authority applies equivalent standards.
These determinations cannot be made comprehensively without reference to digital behaviour. An individual's social media activity, public commentary, professional associations, and digital conduct provide evidence relevant to fitness and propriety that is unavailable through any other diligence channel. The regulator has not yet mandated digital screening explicitly, but the direction of regulatory expectation is clear: the firm that fails to identify a fitness issue that was discoverable through reasonable diligence will be held accountable for the omission.
Beyond financial services, the Equality Act 2010, the UK GDPR, and employment law create a framework in which an employer's failure to identify discriminatory, harassing, or otherwise problematic behaviour by a candidate — behaviour that was publicly available on social media — creates legal exposure. The defence that "we did not look" is increasingly untenable in a regulatory environment that expects organisations to exercise reasonable care in their appointment processes.
What Digital Screening Reveals
Digital screening identifies categories of risk that are invisible to traditional due diligence.
Behavioural patterns. A candidate's social media activity over time reveals patterns of behaviour — temperament, judgement, professional conduct — that a curated CV and a structured interview are designed to conceal. Aggressive or confrontational online interactions, discriminatory commentary, or evidence of poor professional judgement provide data points that are relevant to the appointment decision and unavailable through any other means.
Association risk. The professional and personal networks visible through digital platforms reveal associations that may create compliance, reputational, or operational risk. A candidate connected to individuals under regulatory investigation, associated with organisations on sanctions lists, or linked to entities with adverse reputational histories presents risks that emerge only through digital analysis.
Consistency of representation. Discrepancies between the information a candidate presents in their application and the information available in their digital footprint — different employment dates, omitted roles, exaggerated qualifications, undisclosed directorships — are identifiable through systematic digital screening and frequently invisible to traditional reference-based processes.
Historical conduct. Archived content — deleted social media posts recoverable through web archives, historical forum activity, cached professional profiles — reveals conduct that the candidate may have believed was no longer accessible. The digital record is more permanent than most individuals assume, and more discoverable than most diligence processes are designed to find.
The Methodology Question
The value of digital screening is a function of the methodology applied. Automated keyword-based screening — the approach employed by most bulk-processing services — identifies surface-level issues through algorithmic pattern matching. It flags profanity, identifies explicit content, and categorises posts by topic. It does not interpret context, assess judgement, or evaluate the significance of what it finds.
The limitations of automated screening are significant. Irony is indistinguishable from sincerity. Professional commentary on a sensitive topic is indistinguishable from personal endorsement. A post sharing a news article about extremism is flagged identically to a post endorsing extremism. The false positive rate of keyword-based screening degrades trust in the process and creates legal risk in the assessment.
Human-reviewed digital screening addresses these limitations by applying analytical judgement to the data that automated tools collect. The human analyst interprets context, distinguishes commentary from conduct, evaluates patterns rather than isolated incidents, and produces assessments that reflect the nuance the compliance decision requires.
The distinction matters legally as well as practically. The UK GDPR and the Data Protection Act 2018 require that decisions with significant consequences for individuals are not based solely on automated processing. Digital screening that informs employment or appointment decisions must incorporate meaningful human review to satisfy this requirement.
The Candidate's Position
The rise of digital screening in compliance creates obligations in both directions. Organisations have a duty to conduct reasonable diligence. Individuals have an interest in ensuring their digital footprint reflects the professional standing they wish to present.
The executive who has never audited their own digital footprint — who does not know what a comprehensive search of their name, their email addresses, their username history, and their platform activity would reveal — is operating with an exposure they have chosen not to measure. The exposure does not diminish through ignorance. It persists until it is discovered — by an employer, a regulator, a journalist, or an adversary.
A self-screening exercise — conducted before the external diligence process, by a service with the methodology to identify what an adversary or a compliance officer would find — converts an unknown vulnerability into a manageable one. The content that cannot be removed can be contextualised. The content that can be removed should be. The content that does not yet exist can be governed to ensure it does not create future exposure.
The choice is not whether your digital behaviour will be evaluated. It is whether you will evaluate it first.
Frequently Asked Questions
Why has digital behaviour become a standard component of due diligence and compliance?+
Digital behaviour is now integrated into due diligence because compliance obligations demand it. UK employers in regulated sectors have a legal duty to assess fitness and propriety under frameworks including the FCA Senior Managers and Certification Regime, which requires firms to certify individuals are fit and proper — a determination that encompasses honesty, integrity, and reputation. These determinations cannot be made comprehensively without reference to digital conduct, which provides evidence available through no other diligence channel. The defence that an organisation did not look is increasingly untenable.
What categories of risk does social media screening reveal that traditional background checks miss?+
Digital screening identifies four categories invisible to conventional due diligence: behavioural patterns (temperament, judgement, and professional conduct visible across social media activity over time); association risk (connections to individuals under regulatory investigation or linked to sanctioned entities); inconsistency of representation (discrepancies between CV information and the digital record, including undisclosed directorships or exaggerated qualifications); and historical conduct (archived and recoverable content that the candidate may believe is no longer accessible but remains discoverable through web archives and cached profiles).
Why is automated keyword-based screening insufficient for compliance-grade digital due diligence?+
Automated keyword screening identifies surface-level issues through pattern matching — flagging profanity, explicit content, or topic categories — but cannot interpret context or assess judgement. Irony is indistinguishable from sincerity; professional commentary on a sensitive topic is flagged identically to personal endorsement. The false positive rate degrades trust in the process and creates legal risk. Beyond methodology, UK GDPR and the Data Protection Act 2018 require that decisions with significant consequences for individuals are not based solely on automated processing — meaningful human review is a legal requirement, not merely a quality preference.
How should candidates and executives approach their own digital footprint before a due diligence process?+
An individual who has not audited their own digital footprint is operating with an exposure they have chosen not to measure, and that exposure persists until discovered by an employer, regulator, journalist, or adversary. A self-screening exercise conducted before the external diligence process — using the same methodology a compliance officer would apply — converts an unknown vulnerability into a manageable one. Content that can be removed should be; content that cannot can be contextualised; content that does not yet exist can be governed to prevent future exposure.
What legal framework governs social media screening in UK employment and compliance contexts?+
Several overlapping frameworks apply. The FCA's Senior Managers and Certification Regime requires fitness and propriety assessments for senior financial services individuals. The Equality Act 2010 creates exposure where an employer fails to identify discriminatory or harassing behaviour that was publicly available through social media. UK GDPR and the Data Protection Act 2018 require that significant decisions not be based solely on automated processing and mandate lawful basis for personal data processing. Digital and social media screening must be structured to satisfy all three frameworks simultaneously.