‘OSINT’ — the Due Diligence Resource You Can’t Afford to Ignore

Compliance officers know that they don’t need more data to strengthen their compliance programs; they need better data, along with the right analytical tools to translate that data into actionable insights you can use to manage customer risk.

Open-source intelligence — “OSINT” — is that data. And compliance technology has now evolved to the point that if you don’t incorporate OSINT into your AML compliance program, you won’t be meeting regulators’ expectations for effective, customer risk assessment.

‍

Why is OSINT so helpful? 

Well, consider what OSINT is: information about a person or business that comes from some publicly available source, such as…

• Websites, blogs, and online media that might mention or be written by your customer.
• Government databases such as corporate registries, court and criminal records.
• Open data projects such as databases run by the International Monetary Fund or the Financial Action Task Force or the International Consortium of Investigative Journalists.
• Geospatial data such as Google Earth or other satellite imagery. (In case you want to see just how big a customer’s yacht or villa actually is.) 

One can easily see the compliance benefits such data brings. OSINT is typically free, timely, and virtually inexhaustible. It can help to corroborate a customer’s identity, give a more complete understanding of his or her business history, or uncover ownership structures and relationships that don’t show up at onboarding. It provides color and detail on a customer or account holder that routine AML data — the information that your customer supplies in standard onboarding forms — can’t match. 

For example, say you are a bank that financed a luxury automobile to a customer — and six months later, that luxury vehicle went missing. Open-source intelligence, such as arrest records or local news articles, might help the lender discover that the customer had previously been indicted in connection with a high-end home break-in ring or insurance fraud. Such intelligence, however, is only useful before you extend financing to the customer, not once the car (and presumably the customer) are long gone.

‍

Regulators Are Expecting OSINT

We can also see the need for OSINT in enforcement actions from various AML regulators. In February 2024, the U.S. Office of the Comptroller of the Currency fined City National Bank $65 million for poor internal controls and AML procedures; among many other requirements, OCC ordered City National to implement new customer due diligence procedures “to collect, maintain, and update all information necessary to establish an accurate customer risk profile and facilitate ongoing monitoring to identify and report suspicious activity.” A bank can’t succeed at that without OSINT.

Further abroad, in 2023 Australian financial regulators sanctioned one of that country’s largest casino operators for lacking “appropriate procedures to ensure higher risk customers were subjected to extra scrutiny.” The regulator, Austrac, fined the casino operator, Crown Resorts and Crown Perth, to pay the equivalent of $300 million. Again, OSINT is crucial to achieve the sort of customer risk analysis regulators want to see. 

In short, weaving OSINT in your analysis brings a customer’s risk profile into sharp relief, so you can handle their transactions with proper care. That’s precisely the insight and actionable intelligence that regulators want to see as a “reasonable measure” to assess risk from customer due diligence programs.

On the other hand, when you ignore OSINT, you default to relying on whatever standard data you collect from all customers as part of their onboarding due diligence. Simply seeing a drivers licence, credit score, or pay slip are often not good indicators of risk. That is decidedly not the risk-based approach to customer due diligence that regulators have been emphasizing for years. 

‍

What are the challenges to using OSINT? 

So if OSINT is so great, why aren’t more teams using it?

First, there is a lot of it; just consider the endless ocean of social media data alone. If your compliance team uses manual processes to search and capture it all, they’ll quickly be overwhelmed. It’s also likely that they will fail to find some crucial detail, or log it in the wrong format, or otherwise fail to make the connections that bring a customer’s true risk to the surface. (That’s certainly true of humans, and even of rudimentary data analytics tools that just follow risk rules designed by humans: they aren’t intelligent enough to detect subtle but telling patterns.)

Second, OSINT often comes as unstructured data. Matching some pieces of unstructured data to the structured data you collect from a customer such as their name, DOB, and addresses, can be a difficult and very manual task. (On the other hand, this is a task tailor-made for artificial intelligence; the more data you feed it, the better it gets.)

Third, OSINT can sometimes be unreliable. People lie on social media; databases can cite the wrong person with a similar-sounding name as the actual person you want; satellite data might mislabel which yacht is in which berth. AML programs need to cross-reference OSINT in multiple ways (both with other OSINT you gather and the data you obtain from your customer directly) to be sure that what you find is accurate and reliable. With an endless amount of data, vetting becomes a challenge.

Taken together, these risks of OSINT mean that as a practical matter, you can’t reap the benefits of such intelligence while using simple manual processor, rules-based risk rating tools for customer due diligence. There’s simply too much data to gather, validate, and analyze. Your AML compliance program must embrace automated and intelligent due diligence processes, with a trusted partner that can gather and validate OSINT alongside you. 

‍

How the right provider can help

The right screening partner won’t just screen your customers against the latest watch lists. It will also pull all the OSINT it can find from credible sources (and a good partner will find a lot) and then use artificial intelligence and automation technology to refine that OSINT down to the correct, relevant intelligence about your customer. 

Put another way, the right screening provider will consolidate data that is both structured (from customer onboarding forms) and unstructured (from OSINT) to resolve a customer’s true identity — and his or her true risk profile — in seconds. 

Your team, in turn, can use that insight to understand real risks, faster and you can make better decisions at onboarding or resolve a case quickly and accurately. 

OSINT can be an invaluable source of information about your customers — and more urgently, at a practical level, it’s an indispensable part of your compliance program because you really can’t risk not using it. You just need the right technology and screening partners to unlock it, and consequently unlock the full potential of your AML compliance program.