OSINT - Open Source Intelligence - is a term that appears increasingly in conversations about compliance, due diligence and risk management. It is also frequently misunderstood. This article aims to clarify what it actually is, what it is not, and why it changes the nature of a verification.

What it is

OSINT consists of collecting, cross-referencing and analysing legally accessible information about a person, an entity or a situation. The word 'open' does not mean 'easy to find' - it means 'legally accessible to anyone who knows where to look'.

OSINT sources include: company registries across multiple countries, judicial and insolvency databases, national and regional press archives, professional and personal social media, international sanctions lists (OFAC, EU, UN, national treasury lists), public data leak databases, beneficial ownership registers, and consumer review and reporting platforms.

None of these sources is confidential. The value is created by structured cross-referencing using the right techniques - and knowing where to look when standard sources run out.

What it is not

OSINT is not surveillance. It does not involve tracking a person's movements, intercepting communications, accessing private data, or using infiltration techniques. Anything outside the perimeter of legally accessible sources is not OSINT - it is espionage, or the work of a private investigator.

OSINT is not mass surveillance. An OSINT verification concerns a specific target, within a defined framework, with a documented objective. It does not produce psychological profiles, does not listen to conversations, and does not track private activities.

Finally, OSINT is not a tool for harassment or investigation into private life. We do not work on matrimonial mandates, enquiries into private behaviour, or cases without a clear professional or commercial dimension.

What it finds

In practice, a well-conducted OSINT verification can surface: previous companies of a director dissolved under problematic conditions, a judicial history in one or more jurisdictions, exposure to international sanctions lists, affiliations with PEP actors or entities under regulatory monitoring, inconsistencies between declared background and available sources, reputational signals in the press or online platforms, presence of compromised data in leaked databases, and operational or structural links to entities that raise questions.

These elements are detected by no standard automated screening tool, because they correspond to no list match. They only appear in the structured cross-referencing of multiple sources, conducted by an analyst who understands the context and knows how to interpret what they find.

Why it changes the nature of a verification

A screening tool checks whether an entity or person appears on a list. OSINT checks who that entity or person actually is, beyond what they declare. That is not the same level of information, nor the same level of protection for the decision-maker relying on that verification.

A well-structured OSINT report does not just say 'nothing found' or 'alert'. It says: 'here is what we verified, here are the sources, here is what it reveals, and here is what we recommend'. It is a defensible document, not a ticked box.