
What the Epstein Files Reveal About the Limits of Conventional Third-Party Due Diligence

Virna Di Palma, Head of Global Content, Ethixbase360, Guest Contributor

Some of the most damaging reputational exposures sit in relationships due diligence programs aren’t designed to capture.

Few criminal cases of the past decade have prompted as much institutional self-examination as the one surrounding Jeffrey Epstein. The crimes themselves, the lives he upended, and the prestigious institutions and individuals that stayed close long after his reputation was known have been examined at length. Less examined is what the case reveals about how reputational risk moves through an organization, and how traditional third-party due diligence frameworks need to adapt to keep up with it.

For years, as Epstein circulated among political, business, academic and cultural circles, he invested in companies, transacted with banks, donated to universities and cultivated relationships with senior executives, board members and major donors — even as his reputation was, by any reasonable standard, no secret. As Matt Kelly, editor and CEO of Radical Compliance, put it in a recent Ethixbase360 webinar on the topic, “The problem wasn’t that nobody knew. It was that people rationalized obvious red flags because the relationships involved powerful individuals.” Organizations were exposed primarily through their senior leaders’ relationships with Epstein, and through a failure to act on information they already had.

Risk lives in relationships, not just contracts

Most third-party risk programs are built around entities a company pays or is paid by: vendors, suppliers, distributors, agents, intermediaries. That framing is necessary, but it is also incomplete. Epstein, as Kelly has noted, “didn’t really work with companies per se; he worked or associated with the board directors, CEOs, and super-star employees at those companies in a personal capacity.” He advised Leon Black personally, not Apollo. He socialized with Larry Summers and Bill Gates, not Harvard or the Gates Foundation. The reputational damage, however, attached to the institutions anyway, exposing a gap that conventional due diligence isn’t equipped to address.

If a due diligence framework only covers entities a company contracts with, it will almost certainly miss a meaningful portion of the organization’s actual exposure. Reputational risk travels through advisors, board members, co-investors, donors, family offices, philanthropic affiliations and the personal network that surrounds senior leadership. Few of these ties will ever appear in a contract register. Many of them will eventually appear in a regulator’s letter, a journalist’s investigation, or a stakeholder’s complaint.

Mapping every social tie a senior executive has is neither legal nor reasonable. But the Epstein case underscores the importance of applying a risk-based approach to understanding where reputational exposure actually originates and of building it into the frameworks organizations already have.

Traditional onboarding due diligence is not enough

Initial screening typically focuses on known red flags such as sanctions exposure, adverse media, and regulatory history. But onboarding is ultimately a snapshot in time — an assessment of whether a business relationship appears acceptable at that moment. What it often fails to capture is how reputational risk can evolve over the life of the relationship. Connections that appeared unremarkable in 2010 were viewed very differently under the scrutiny of 2019, and differently again following the disclosures of 2025 and 2026.

Organizations are now being asked not only, “What did you know?” but also, “What should you have known?” and “What should you have continued to monitor?” Expectations around third-party oversight have evolved far beyond what many compliance programs were originally designed to address. As Dan Seltzer, partner at Frost LLP, observed during an Ethixbase360 webinar, “Due diligence is no longer a one-time exercise. Relationships evolve, and organizations need monitoring frameworks that can identify when the nature of a relationship — or the risk attached to it — has materially changed.”

That does not mean every negative media mention requires immediate action. But organizations should be able to demonstrate that they have ongoing monitoring processes in place, that potential concerns are assessed over time, and that decisions around continued engagement are documented and risk-based.

Beneficial ownership vs. influence

Regulatory expectations around beneficial ownership analysis continue to evolve. The OFAC 50% Rule is now widely viewed as the minimum standard for a credible compliance program, not the endpoint. The Epstein case, however, highlights the limitations of relying too heavily on formal ownership analysis alone.

Traditional beneficial ownership reviews are designed to map legal structures: who owns what percentage of which entity, who exercises control, and whether ownership thresholds trigger sanctions or regulatory concerns. While that analysis remains essential, the reputational risks that later become most damaging often follow influence and access rather than formal ownership. They emerge through informal networks, social affiliations, longstanding personal relationships, and other connections that are typically invisible to standard ownership mapping exercises.

A third party may appear low risk from a purely legal ownership perspective while still maintaining relationships or associations that create significant reputational exposure. In that sense, a program anchored only to formal ownership thresholds can appear comprehensive on paper while still overlooking meaningful reputational risk.

Compliance and risk leaders should therefore develop a broader, risk-based understanding of influence, affiliations, and evolving reputational exposure alongside traditional ownership analysis. The question is no longer simply “Who owns this entity?” but increasingly “Who is connected to it, how, and could those relationships materially alter the organization’s risk profile over time?”

Senior-level exposure: a governance gap

In several Epstein-related matters, scrutiny attached directly to executives and board members whose past relationships or current external affiliations became sources of reputational risk — and, by extension, organizational risk.

Almost every large organization has a formal due diligence framework for third parties. Far fewer have an equivalent, defensible framework for assessing the external affiliations and potential reputational exposures of their own senior leadership, or of the senior leadership connected to key counterparties. As a result, important questions often fall into a governance gray area: where within the risk and compliance architecture should these concerns sit? Who is responsible for evaluating them? Where, in an environment of heightened scrutiny and online amplification, is the line — if any — between legitimate privacy interests and organizational risk management?

Organizations are unlikely to solve this challenge through expansive surveillance or endless disclosure questionnaires. The more practical approach is to build clearer escalation and governance mechanisms around reputational risk. That includes: ensuring compliance functions can raise concerns involving senior leadership without fear of retaliation; establishing defined escalation paths to independent board members or audit committees; integrating reputational risk into conflict-of-interest and disclosure processes; and creating crisis response protocols before issues emerge publicly. The goal is not to monitor every personal relationship, but to ensure organizations can identify and respond consistently when relationships create material ethical or reputational concerns.

As Matt Kelly noted during the webinar, “If employees believe there’s a privileged class within the organization that the rules don’t apply to, your ethical culture is done.” The Epstein case is, at its core, a story about ordinary standards not being applied consistently to individuals perceived as too powerful or influential to scrutinize. That is fundamentally a governance and compliance culture problem before it becomes a due diligence one, and it cannot be solved through screening technology alone.

Building a defensible framework

No compliance program, however sophisticated, can eliminate reputational risk entirely. What organizations can build, however, are frameworks that demonstrate reasonable awareness, document key decisions, and explain why a given relationship was maintained or terminated at a given point in time.

Several principles support that kind of approach. The working definition of “third party” should extend beyond the contract register to include advisors, board affiliations, major donors, and the influential personal relationships of senior leaders — connections that often sit outside the procurement system but remain part of the organization’s exposure. Monitoring should be continuous and meaningfully calibrated, with clear thresholds for when a signal warrants escalation. Beneficial ownership analysis should be paired with a broader view of influence and network connections that ownership data alone cannot surface. And organizations should establish a defined, independent path for raising concerns involving senior leaders, designed in advance, not during a crisis.

Regulators, journalists, and stakeholders are increasingly asking organizations not only what happened, but what they did to identify and manage the risks around them. The organizations best positioned to respond are those that have already broadened how they think about reputational risk, recognizing that it can originate beyond the entities a company pays or is paid by, develop over the life of a relationship, and involve senior leadership as readily as third parties. The Epstein case underscores that point, and the responsibility for compliance and risk leaders is to act on it before the next set of disclosures arrives.

This article draws on a recent Ethixbase360 webinar, “Reputational Risk and Third-Party Exposure: Compliance Lessons from the Epstein Files,” featuring Dan Seltzer, partner at Frost LLP, and Matt Kelly, editor and CEO of Radical Compliance.

Further reading

Ethixbase360, “What the Epstein Case Reveals About Reputational Risk and Third-Party Due Diligence”, May 2026.

Matt Kelly, “Jeffrey Epstein and Third-Party Risk”, Radical Compliance, April 27, 2026.

Ethixbase360 webinar, “Reputational Risk and Third-Party Exposure: Compliance Lessons from the Epstein Files”, featuring Dan Seltzer (Frost LLP) and Matt Kelly (Radical Compliance), moderated by Virna Di Palma (Ethixbase360).