The 5th Pillar of AML Compliance – is there more data?

On May 11th, the four pillars of AML were joined by a 5th. The long-awaited legislation introduces the need to identify the beneficial ownership of legal entities as part of customer due diligence. As such, US financial institutions have introduced enhanced internal customer checks and additional measures to prevent criminals from using the financial system by proxy. Whilst the legislation aims to improve customer due diligence, underlying challenges remain.

These extra measures are conducted internally, leaving room for error that could prove costly to institutions. Rather than building relationships with external partners, financial institutions are becoming reliant on potentially incomplete internal databases and so are not evaluating the resulting report objectively. Know Your Customer (KYC) policies are only useful if the data used to action them is valid and representative.

The use of open source intelligence (OSINT) can provide additional insight and reassurance for AML checks to prevent these expensive mistakes from happening, ensuring that you’re getting the whole picture. No doubt, the implementation of the 5th pillar brings benefits and is a step forward for KYC, but the question still remains: What more can be done? Why are the additional insights of open source intelligence not being used?

AML checks have advanced, yes. But used in isolation they only provide a part of the story. The use of OSINT alongside traditional AML checks provides enriched information that can be used to identify beneficial ownership. In addition, OSINT allows the information to be validated and checked externally, eliminating the risk of internal checks missing ownership issues that might prove costly in the future.

The use of open sources can empower the 5th pillar by allowing external validation of ownership structures, providing much-needed reassurance. The 5th pillar is a step in the right direction for financial institutions, but the use of OSINT can strengthen it further.

-Reece Wickens

The cost of doing nothing

The National Crime Agency recently released its National Strategic Assessment of Serious and Organised Crime, which found that fraud continues to be the most common form of crime in the UK, with over 3.4 million incidents recorded in the last financial year. The 2017 Annual Fraud Indicator (AFI) estimated that fraud cost the UK economy over £190 billion per year, with the private sector losing an estimated £140 billion, the public sector £40.4 billion and the remaining £6.8 billion being lost by individuals.

Why is this still the case when we have an abundance of technology available? The innovative young tech leaders, and the enthusiasm the new generation has for combating crime, should be reducing these losses significantly, so why aren’t they?

Could it be that old institutions want to stay using “best practice models” or the “checklists” of old policies and procedures? Could it be that old institutions want to ensure they are doing just enough due diligence to make the regulator happy? So much information is online. To continue to only follow the bare minimum in due diligence checks is dangerous and costly.

Having worked in financial crime for many years, I thought that our searches were robust, vigorous, and comprehensive, but I was wrong. Just checking an internal database to make sure the bank account matches is not enough.

Take a customer who has been flagged for potential AML-related concerns. Normally, you’d do a bank check, check your internal high-risk monitoring database (or whatever database you have) and maybe Google their name. If the individual has prior convictions, there may even be some media online about them. This just affirms what you already know. Google only searches 4% of the internet – there’s so much more out there!

By leveraging the power of open source intelligence, you can build a much bigger picture of a person or a company.

But what if you looked at their online activity in a much more structured manner: their social media accounts, their home address, their general lifestyle? Using open sources means that the world’s information is at your fingertips, allowing you to delve deeper and see the whole picture. It allows you to learn new information.

The industry needs to do more to combat financial crime than just checking a database; it must realise that open source intelligence needs to be embraced and not feared.

-Suzanne Lynch


In an ironic twist of fate, Thursday’s “World Password Day” was marked with the news that the passwords for all Twitter users globally had the potential to be exposed after a glitch in the company’s encryption process.

Breaches of online accounts and the leaking of personal details are becoming an ever more present concern. In the case of Twitter, an internal bug was to blame; however, many breaches are the work of individuals with the intent to cause harm or create havoc. In documented cases in the past 6 years, not counting all those that are not yet announced, over 5 billion personal accounts have been victims of data breaches across platforms such as LinkedIn, Ashley Madison, MySpace, and Dropbox, amongst others. But what does a breach mean to me and should I care? The answer is a simple yes.

A breached account means that the email address, username and password all have the potential to be exposed. Additionally, it can also give someone access to personal information, private photos and message chains, and entirely opens up the possibility of identity theft. How are your friends and colleagues to know that the person sending them links to phishing sites or posting content from your account is not you? This can lead to serious reputation concerns that affect both personal and professional life.

Taking the necessary steps to reduce vulnerability online starts with password management, including regularly changing passwords, using random strings of characters and using a different password for each account. Nevertheless, password management is a chore. Everyone suffers the frustration of typing passwords over and over again as we struggle to remember whether this one has an exclamation mark or not. Because of this, we often take the easy way out with simple-to-remember passwords repeated across multiple accounts. However, if we stopped to really consider how much information a single password is protecting, our attitude towards them would not be so lax.
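The three habits above (random passwords, a different one per account, and rotation when a problem is found) can be checked mechanically. The following is an added illustration, not code from Neotas or from the original post: it audits a constructed account-to-password mapping for reuse and for weak passwords, then issues a fresh random password for every flagged account using the operating system's CSPRNG. The vault contents, the 80-bit threshold and the character-class entropy estimate are assumptions chosen for the example.

```python
import math
import secrets
import string
from collections import defaultdict

# Character pool used for generated passwords (letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample vault: account name -> password. Not real credentials.
SAMPLE_VAULT = {
    "email": "Summer2018!",
    "bank": "Summer2018!",          # reused across two accounts
    "social": "password",           # short, single character class
    "work-vpn": "x7#Pq9!mL2@vR4$kW8&n",
}


def generate_password(length: int = 20) -> str:
    """Build a random password from the CSPRNG-backed `secrets` module."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str) -> float:
    """Rough strength estimate: length * log2(pool), where the pool is inferred
    from the character classes present. This is an upper bound; it does not
    know that 'Summer2018!' is a dictionary word plus a year."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def audit(vault: dict, min_bits: float = 80.0) -> dict:
    """Report groups of accounts sharing a password and accounts whose
    password falls below the entropy threshold. Passwords themselves are
    never included in the report."""
    groups = defaultdict(list)
    for account, pw in vault.items():
        groups[pw].append(account)
    reused = sorted(sorted(accts) for accts in groups.values() if len(accts) > 1)
    weak = sorted(acct for acct, pw in vault.items() if entropy_bits(pw) < min_bits)
    return {"reused": reused, "weak": weak}


def remediate(vault: dict, min_bits: float = 80.0) -> dict:
    """Return a copy of the vault in which every flagged account gets a new,
    unique random password; unflagged accounts are left untouched."""
    report = audit(vault, min_bits)
    flagged = set(report["weak"]) | {a for group in report["reused"] for a in group}
    fixed = dict(vault)
    for account in sorted(flagged):
        fixed[account] = generate_password()
    return fixed


if __name__ == "__main__":
    print("before:", audit(SAMPLE_VAULT))
    print("after: ", audit(remediate(SAMPLE_VAULT)))
```

Run against the sample vault, the audit flags `bank` and `email` as sharing a password and lists `bank`, `email` and `social` as weak, while `work-vpn` passes; after remediation the audit report is empty. The entropy function deliberately over-estimates guessable passwords, which is why the threshold is set high; a real check would add a breached-password list lookup alongside it.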

Our analysts at Neotas regularly stumble upon breached accounts and passwords whether in screenings, SMR Fit and Proper checks or investment due diligence. Regardless of our research purpose, we work with all of our clients to provide recommendations and advice in order to ensure the safety of the individuals and to protect both the individual and organisation against any reputational damage or further data breach.

Schrödinger’s Personality Traits

In 1935, Erwin Schrödinger stated that a cat, placed in a sealed box with a jar of poison, is thought to be both alive and dead. Only once the box is opened does the scientist know whether they have a healthy living cat or a lifeless corpse.

Imagine each recruit to a firm carries with them a sealed box. Inside the box is not a cat, but a personality, including honesty, motivations and integrity. Only once the employee is hired and the firm has paid the significant search, legal and hiring costs is the box opened and the true state of the personality confirmed. Until the costs have been covered, it is a pure gamble as to what is inside the all-important box; even numerous interviews and criminal record checks cannot change this.  

This has long been the case in recruitment and due diligence. Now, however, open source investigative methods can scrutinise the contents of the previously unreadable box and prevent firms risking the honesty and integrity of their business with each new hire. 

Through one of our recent investigations we uncovered a potential recruit operating online under an alias to post racist, homophobic and sexist content across numerous platforms. However, because the individual had no criminal past or financial trouble, traditional due-diligence approved them as an acceptable employee. Having someone with such explicit views working in a modern work environment would have created untold damage both internally and to the company’s reputation externally. 

If you interviewed this person and talked amicably about their past and their ideas for the future you almost certainly would have branded them an upstanding ambassador for the company. The reality is, posting hateful commentary is the antithesis of integrity. Doing so under a false name is the antithesis of honesty. 

Conducting open source investigations removes uncertainty from the hiring process; it protects a firm’s reputation and leaves no chance of unintentionally failing to comply with regulations. If Erwin Schrödinger had been able to drill a hole in his proverbial cat’s box, he could have discovered the animal’s true state long before he went to the expense of removing the lid to find a dead feline.