Every year, your Bar Association asks you to complete an AML/CFT self-assessment questionnaire. Risk mapping, beneficial owner identification, PEP screening, documentation of fund origins. The framework is serious, the obligations real, the controls announced.
But there is a structural limitation to this type of framework that most lawyers understand intuitively without necessarily articulating it: it relies almost entirely on what the client declares.
Self-certification as a blind spot
When a new client enters a relationship with your firm, you request documents. They provide them. You verify them against available registries. You tick the boxes. KYC is done.
The problem is that someone who wants to conceal something generally does it well. The documents are consistent. The declarations hold together. The surface profile is clean. And you have neither the time, the tools, nor the mandate to go beyond what the client has chosen to show you.
What the AML questionnaire asks you to verify - beneficial owner identity, source of funds, existence of ongoing proceedings - relies on declared information. What it cannot ask you to do is independently verify whether those declarations correspond to reality.
What open sources reveal that forms don't see
Independent verification through OSINT - open source intelligence - operates precisely in that space. Not to replace your KYC process, but to go where it stops.
In practice, this can mean: a declared beneficial owner whose cross-referencing with foreign registries reveals an undisclosed PEP exposure. A fund structure whose intermediate layers trace back to a FATF-monitored jurisdiction. A client presented as an entrepreneur whose BODACC search reveals three companies dissolved under similar conditions over the past five years.
None of this information is secret. It is all legally accessible. It simply does not surface in a process based on what the client declares.
The value of an independent audit trail
Beyond detection, there is a second issue that the AML questionnaire raises indirectly: the defensibility of your position if a matter is ever challenged.
Saying you verified is one thing. Showing how, with which sources, on which date, and what you found, is another. A structured, sourced and dated report produced by an independent analyst does not substitute for your legal obligation - it documents and reinforces it.
That is the difference between a compliance file that ticks boxes and a compliance file that genuinely protects the decision-maker if something surfaces later.
And for staff recruitment
Your Bar's questionnaire makes it clear: the duty of vigilance extends to recruitment candidates. A collaborator who brings their client base, a partner joining the firm - these are third parties whose profile, history and affiliations may create an exposure you had not anticipated.
Here too, independent verification goes beyond the CV and references: digital footprint, public positions, past affiliations, consistency of declared background with available sources.
What we do in practice
At YMV & Co., we conduct independent OSINT-based verification on clients, counterparties and recruitment candidates for law firms. The deliverable is a Go / No-Go / Monitor report, structured and sourced, designed to sit directly within your AML compliance file.
We operate alongside your process, not instead of it. Our role is to cover the layer that forms are not designed to reach.