Compliance professionals might want to take note of a small but telling sanction that the Treasury Department recently imposed on a Virginia company — a case filled with important lessons about third-party due diligence and how to fulfill that task properly.

The Office of Foreign Assets Control (OFAC) imposed an $87,500 penalty on Cobham Holdings, an electronics company based in Virginia. Cobham’s offense? It had sent three shipments of goods to a Russian customer that was majority-owned by another Russian business blocked under U.S. sanctions law.

The transactions were done in 2014 and 2015 by one of Cobham’s subsidiaries, an operating unit called Metelics. Metelics had used Canadian and Russian distributors to send the goods to Almaz Antey Telecommunications Corp. Cobham didn’t discover those transactions until it was selling Metelics, and a potential buyer flagged those transactions as problematic.

Why is this so interesting to compliance officers? Because Metelics’ compliance function did try to perform due diligence on these transactions, and Almaz Antey Telecommunications was not on the U.S. sanctions list in 2015, but its parent company, Almaz-Antey, was on the list.

Metelics’ third-party screening service only searched for the full name, Almaz Antey Telecommunications, rather than any partial matches such as Almaz-Antey. That misconfiguration of third-party screening software ultimately cost Cobham $87,500.

Compliance officers have several lessons to consider here.

First, proper configuration of third-party due diligence screening matters. OFAC faulted Cobham because the company did not use due diligence techniques sophisticated enough to match the risk of working in high-risk markets like Russia. OFAC’s notice specifically said: “This case demonstrates the importance of companies operating in high-risk industries to implement effective, risk-based compliance measures, especially when engaging in transactions involving high-risk jurisdictions.”

Those effective measures include configuring screening software so that it casts a wide net. Cobham’s screening software ran an all-word match on “Almaz Antey Telecom,” even though Cobham had set the software to use fuzzy matching to detect partial names.

For whatever reason, the software misfired. The result was a sanctions violation that Cobham should have been able to prevent; hence the penalty.
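The false negative described above can be reproduced in a few lines. This is an added illustration, not the screening vendor's software or Cobham's configuration: the watchlist is constructed (only "Almaz-Antey" comes from the article), and the function names, noise-word list and 0.85 similarity threshold are assumptions.

```python
import re
from difflib import SequenceMatcher

# Constructed sample watchlist; only "Almaz-Antey" comes from the article.
WATCHLIST = ["Almaz-Antey", "Example Blocked Trading LLC", "Sample Sanctioned Shipping"]

# Legal-form words carrying no identifying value (assumed list, tune per program).
NOISE = {"corp", "corporation", "company", "llc", "ltd", "inc", "jsc"}


def tokens(name):
    """Lower-case, split on punctuation and spaces, drop legal-form words."""
    return [t for t in re.split(r"[^a-z0-9]+", name.lower()) if t and t not in NOISE]


def all_word_match(query, entry):
    """Strict mode: hit only if every word of the query appears in the entry."""
    q = set(tokens(query))
    return bool(q) and q <= set(tokens(entry))


def partial_match(query, entry, threshold=0.85):
    """Wide-net mode: hit if every word of the listed name has a close
    counterpart somewhere in the query, so extra words such as
    'Telecommunications' cannot hide a listed parent's name."""
    q, e = tokens(query), tokens(entry)
    if not q or not e:
        return False
    return all(
        any(SequenceMatcher(None, et, qt).ratio() >= threshold for qt in q)
        for et in e
    )


def screen(query, watchlist, matcher):
    """Return the watchlist entries that the chosen matcher flags for review."""
    return [entry for entry in watchlist if matcher(query, entry)]


if __name__ == "__main__":
    customer = "Almaz Antey Telecommunications Corp"
    print("all-word:", screen(customer, WATCHLIST, all_word_match))
    print("partial: ", screen(customer, WATCHLIST, partial_match))
```

The wide-net mode will also flag unrelated customers that happen to share a listed name's words; those hits are the false positives a reviewer is expected to clear.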

Second, remember what artificial intelligence around due diligence does. We have written before about how AI should typically work in due diligence: it reduces the number of false positives compliance officers should investigate, leaving them with a smaller number of true positives they must investigate.

Cobham’s misstep is the opposite scenario: it received a false negative, which led compliance officers at the firm to miss a truly suspicious transaction. In a roundabout way, this case is a good example of how technology and human skill should work together for an effective compliance program. Technology filters out the noise, to let human staff chase down the true signal.

Third, the rest of a compliance program still matters. Yes, Cobham had a due diligence failure. It also cooperated fully with OFAC after the compliance lapse; implemented new screening software that could identify partial matches like what Cobham had missed; and circulated a “lessons learned” bulletin to all its compliance personnel.

In other words, Cobham worked hard to rectify its error. The Justice and Treasury departments, the Securities and Exchange Commission, and other regulators have all made clear that as they weigh penalties for corporate misconduct, sincere efforts to improve compliance matter. Cobham faced a maximum possible penalty of $1.9 million for its offenses. It received an actual penalty of less than $88,000.

So will technology be a crucial part of effective due diligence in the future? Absolutely. So will training, resources, and good-faith efforts to fix mistakes. Businesses don’t need a detailed search to reach that conclusion any longer.