OSINT 101

Financial crime compliance has been on a fast-track evolution this past month, with fresh guidance, reports and enforcement priorities reshaping how organisations assess risk and shore up controls. From the latest UK AML/CTF risk assessment to new corporate offence regimes and revamped ethics standards, here’s a concise roundup of must-know developments across four key pillars. 1. Anti-Money Laundering & Counter-Terrorist & Proliferation Financing The UK’s National ML/TF Risk Assessment 2025, published in late August by the National Crime Agency and HM Treasury, highlights how criminal cash flows, digital channels and proliferation financing are creating fresh vulnerabilities for firms. Link: https://www.nationalcrimeagency.gov.uk/national-risk-assessment-2025 Shortly after, the NCA and FCA jointly released their System Priorities 2025 framework, identifying nine equal-weight focus areas—from sanctions evasion to telecoms fraud—to help organisations align controls with highest-impact threats. Link: https://www.fca.org.uk/publication/system-priorities-2025.pdf Finally, the FATF’s June 2025 update to its Forty Recommendations and Interpretive Notes refines risk-based measures for financial inclusion and proliferation financing, ensuring mutual evaluations remain robust. Link: https://www.fatf-gafi.org/en/publications/Fatfrecommendations/Fatf-recommendations.html 2. Anti-Bribery & Corruption In early August, the C5 International Anti-Corruption Conference in London convened global experts to debate FCPA-style risks, the UK’s upcoming corporate failure-to-prevent fraud offence and evolving “adequate procedures” guidance. Details: https://www.c5-online.com/ac-london/ UK Finance’s blog “Hot Topics in Anti-Bribery and Corruption 2025” spotlighted three priority shifts: new anti-corruption leadership roles, reinvention of the ABC practitioner’s remit and private-sector enforcement drivers. Link: https://www.ukfinance.org.uk/news-and-insight/blog/hot-topics-in-anti-bribery-and-corruption-2025 Globally, Hogan Lovells’ Bribery & Corruption Outlook 2025 underscored how political change and AI-enabled compliance tools are set to reshape enforcement dynamics across the US, UK, EU, APAC and LATAM. Link: https://www.hoganlovells.com/en/news/2025-a-year-of-change-in-bribery-and-corruption-enforcement 3. Anti-Fraud On 18 August, the CPS and SFO issued updated joint guidance on the new “failure to prevent fraud” corporate offence, effective 1 September 2025. Large organisations now face unlimited fines unless they can demonstrate reasonable fraud-prevention procedures. Full guidance: https://www.cps.gov.uk/cps/news/organisations-must-prepare-now-new-fraud-prevention-law Meanwhile, the UK Finance Annual Fraud Report 2025 revealed total fraud losses topped £1.1 billion in 2024, with remote-purchase scams surging even as APP fraud eased. Link: https://www.ukfinance.org.uk/policy-and-guidance/reports-and-publications/annual-fraud-report-2025 Cross-industry analyses, such as Accountancy Age’s primer on preparing for ECCTA’s fraud-prevention measures, stress the need for integrated risk management and cross-department collaboration. Insight: https://www.accountancyage.com/2025/06/02/how-organisations-can-prepare-for-the-new-fraud-prevention-measures/ 4. Ethics & Codes of Conduct ICAEW’s 2025 update to the Code of Ethics — effective 1 July 2025 — introduces new provisions on technology risk, public-interest entity definitions and mindset expectations for accountants. Link: https://www.icaew.com/insights/viewpoints-on-the-news/2025/apr-2025/icaew-publishes-2025-update-to-code-of-ethics ICAS rolled out its 2025 Code of Ethics on 1 January 2025, incorporating international technology and confidentiality revisions and an expanded scope for listed-entity oversight. Link: https://www.icas.com/regulation-technical-resources/documents/icas-code-of-ethics-2025 Looking ahead, insolvency practitioners must prepare for the revised Insolvency Code of Ethics and Complaints Guidance, both coming into effect on 1 October 2025, further cementing ethical rigour in turnaround and restructuring. Link: https://insolvency-practitioners.org.uk/important-changes-coming-soon-revised-insolvency-code-of-ethics-and-igp-dealing-with-complaints-effective-1-october-2025 Staying abreast of these rapid-fire regulatory shifts is essential for future-proofing compliance programmes and demonstrating robust financial-crime defences. For detailed toolkits, practical checklists and world-class training and consulting, visit us at https://lessonslearned.co.uk and follow our LinkedIn page: https://www.linkedin.com/company/lessonslearned

If you are the busy owner of a firm which has to comply with the Anti-Money Laundering (AML) laws and regulations, hardly a day will go past without someone trying to sell you "digital onboarding". But what exactly is it? And can it (indeed, can anything) really be "quicker, easier, cheaper, better" without compromising on that old-fashioned quality of 'doing a job properly'? Some people reading this may associate digital onboarding exclusively with e.g. the use of mobile phone apps to dispense with the need for a physical passport check in the office, and/or with screening tools which will crawl the internet for sanctions, PEPs and adverse media "hits". But in reality, those are just one part of a bigger whole which, if done in totality, can save you hundreds or even thousands of man-hours per year, as well as protecting you against fines and penalties . So, as a guide for the uninitiated, we summarise below all the things that it's now possible to do with, and within, a digital onboarding platform. Remember that the big, game-changing difference is that the end-client is providing all their required information and documentation direct into one, single upload link which you send to them, and that from then on, all that data and documentation can be sent to any of your other systems, without need for human intervention. And we'll assume for the sake of argument that we are comparing this with a (non-digital) onboarding model whose primary mechanism is the sending, completion and return of PDF documents to and from clients via email, with subsequent extraction and onward use by staff members of the information contained in them. (NB A word of warning in advance: if some clients, for whatever reason, aren't comfortable, competent and/or enabled with technology, then you're still going to have to do it the old way – so don't ditch the old skills completely.) Basic data capture & validation Allows end-clients to input core information digitally, without the need for emails, meetings and phone calls. Highlights where information is missing or inconsistent and warns the client immediately (so that you don’t waste time chasing them after you discover it two weeks later.) Also saves the time of staff no longer engaged in re-keying data into practice management and accounting systems. Validation-based risk alerts Silently highlights the presence of static identified risks, e.g. businesses where cash or crypto is, unexpectedly, the main method of payment, or where the stated turnover is very high for the number of employees. How long would it take you to spot this? UBO Builder – ownership self-declaration Allows entity end-clients to create an organogram of their ownership structure and to make legally necessary declarations which can then be verified from public sources. AI-enabled business model and source of wealth enquiries Prompts end-clients to provide an appropriate level of detail on their business models and SoW. Reads answers and raises silent alerts where clients have failed to provide the requested level of detail, enabling human follow-up. Generally results in much higher quality levels in what is a major area of concern for regulators. AI-enabled automated risk alerts As above but raises silent alerts where it detects business activities with heightened financial crime risk – for example, connections to defence, precious metals, fine art, luxury goods and other high-risk sectors. Would all your staff spot such issues themselves? Remote ID&V (e-verify) UK Allows end-client to be legally identified and their address verified without the need for documentation, e.g. for electoral roll and other trusted government sources. Saves time on production and review of ID&V documentation, in a way which is acceptable to regulators and won’t result in negative inspection findings. Remote ID&V (mobile phone) Allows end-client legally to identify themselves through remote matching of a live video against an uploaded ID document such as a passport or driving licence. Saves time and trouble on office visits and photocopying of physical documents, in a way which is acceptable to regulators and won’t result in negative inspection findings. General document upload Allows end-client to upload soft copies of documents such as passports, driving licences and utility bills and save them to a centralized but client-specific location. Saves time and trouble on office visits and photocopying of physical documents and/or on staff having to detach email attachments and manually save them to the (correct) file. Automated screening (Sanctions/PEPs/Adverse Media) Conducts automated silent background checks against end-client during onboarding and alerts firm to Sanctions, PEP or Adverse Media risk. Saves time and removes human error from staff having to re-key names and details into separate search and screen software programmes. Source of Funds - Open Banking checks Conducts automated checks into end client’s bank account to verify stated sources of funds such as salaries, pensions and investment income. Reduces time taken by staff in the analysis of source of funds documentation. Automated risk assessment & scoring Automatically calculates a pre-final risk score based on end-client input of information during onboarding. Can be onboarder-supplemented for final risk rating. Injects consistency and discipline into the process and reduces the risk of the firm being adversely affected by poor staff understanding of risk assessment requirements. Digital signature of documents and notices Allows end-client digitally to acknowledge and sign required contractual and regulatory agreements, notices and terms & conditions. Saves time and trouble on staff having to detach email attachments and manually save them to the (correct) file. AI NLP Biz-model validation – Positive Screening Conducts automated silent ‘genuineness’ checks against entity end-clients to search for positive indicators that their business operations are genuine - e.g. by analysing their staff profiles, marketing/outreach and customer review activities against known genuine businesses of the same type. Saves time on staff having to conduct multiple manual web searches to obtain the same results (which many will not have the skill or experience to do anyway). AI-enabled document analysis Reads documents such as passports, utility bills and bank statements uploaded by end-clients to check that they are within date and are of the type stated. Saves time on staff review of documentation and reduces human error – e.g. failing to spot that documents are out of date. Companies House API - Active Directors auto-upload Auto-imports the names and details of current active directors of entities during onboarding and asks end-clients to confirm or change. Easier for clients to complete and saves time on manual research on the Companies House website. Companies House API – Persons of Significant Control auto-upload As above but for Persons of Significant Control. Onboarding pipeline tracker and management tool Allows you to keep track of how many new clients have either completed, or have yet to complete, onboarding (plus their relevant assigned fee-earners) and to intervene if things are going too slowly. Tim Parkman Managing Director, Lessons Learned Ltd

Friday 25 July 2025

When Boards Break—and How the Corporate Governance Code tries to pull them back

Friday 11 July 2025  The compliance landscape continues to shift as regulators implement new frameworks and businesses adapt. Below are the latest developments across four core areas of financial crime compliance. Anti-Money Laundering & Counter-Terrorist and Proliferation Financing The European Anti-Money Laundering Authority (AMLA) officially began operations on 1 July 2025, gaining direct and indirect supervisory powers over high-risk financial entities to harmonise AML/CFT standards across the EU. Denmark also introduced new requirements on the same date, mandating that operators providing gambling services across EU/EEA markets register in the Danish Gambling Authority’s Money Laundering Register to curb illicit transactions. 🔗 Read more: Clarity on the implementation timeline for a strengthened EU AML/CFT framework (Arendt) 🔗 Read more: Denmark updates anti-money laundering requirements (ReadWrite) 2. Anti-Fraud The Home Office published its latest update to the Independent Review of Disclosure and Fraud Offences on 3 July 2025, highlighting the need for enhanced whistleblowing mechanisms, public–private partnerships, and legislative reforms to tackle fraud, which now accounts for an estimated 43% of crime in England and Wales. Meanwhile in Indonesia, the Financial and Development Supervisory Agency (BPKP NTB) convened a focus group on 2 July to accelerate fraud risk assessment in regional governments, calling for stronger early-detection controls and a fraud-aware culture. 🔗 Read more: Independent Review of Disclosure and Fraud Offences: update July 2025 (GOV.UK) 🔗 Read more: BPKP NTB urges stronger local anti-fraud measures (ANTARA News) 3. Anti-Bribery & Corruption The latest “Anti-Bribery Compliance in 2025” report outlines significant global updates: an expanded scope covering both public- and private-sector bribery (including foreign bribery), tougher sanctions tied to global turnover, and new offences for evidence tampering and whistleblower retaliation. In the UK, anti-corruption priorities are heating up as the government appoints Tom Hayhoe as Covid Anti-Corruption Commissioner and Margaret Hodge as Anti-Corruption Champion, with a new national strategy expected to steer enforcement in the months ahead. 🔗 Read more: Anti-Bribery Compliance in 2025: Key Global Updates (JDSupra) 🔗 Read more: Hot Topics in Anti-Bribery and Corruption for 2025 (UK Finance) 4. Ethics & Codes of Conduct The ICAEW Code of Ethics 2025 took effect on 1 July, embedding new requirements around professional mindset, technology use, integrity in group audits, and non-compliance reporting (NOCLAR). Down under, the Strata Community Association Australasia launched a unified National Code of Ethics for strata managers and service providers in Australia and New Zealand, setting ten core principles and an Ethical Decision-Making Framework to raise industry standards. 🔗 Read more: Code of Ethics 2025: are you ready? (ICAEW) 🔗 Read more: SCA Unveils National Strata Ethics Code (Mirage News) Lessons Learned Ltd works with multilateral institutions, private sector corporations and NGOs to embed best practices in financial crime compliance and business ethics through leadership, governance, policies and training.

Friday 4 July 2025

Friday 27 June 2025

The Danish philosopher, Søren Kierkegaard, wrote that "Life is lived forwards, but understood backwards". By which he meant, I guess, that sometimes we have to make our own mistakes before we can hope to understand why we made them. If that's true, then it's cold comfort to investors now scrambling to try and get something back from Indian electric vehicle maker BlueSmart Mobility , but it's worth remembering that we've definitely been here before. It was back in 2008 that financial journalist Alex Dalmady stuck his neck out and did what so few had done before. Risking potential bankruptcy and ruin (or worse...) he publicly called Stanford International Bank (SIB) as a fraud before the ponzi scheme there had been discovered. And he did so using his 'Duck Theory' - as in 'If it looks like a duck, and it quacks like a duck, then it probably is a duck!' The Duck Theory had four main indicators which applied to SIB, and it's instructive to see now how they slot not only into more recent cases such as FTX but also into many of the other fraud “classics” of the last few decades: 👉 "It's too good to be true." - FTX, so youthful, was sponsoring major sporting events and venues costing hundreds of millions. Just as SIB and Sir Allen Stanford did with international cricket. 👉 "It can do what no-one else can do." - FTX was offering returns at significantly above-competitor rates. Just like Bernie Madoff and his ‘elite-only’ funds. 👉 "There are only a few people, or one person, overseeing everything." - FTX management - and financial management (in a complex business) - was tightly controlled with limited genuine external oversight. Just like Nick Leeson and Barings (remember them, Old-Timers?) all those years ago. 👉 "There are very few incentives for whistleblowers." - Well, are there ever? But with massive investment rounds, huge celebrity endorsements, stunning growth multiples and a Rockstar CEO, based and regulated in an easily-impressed offshore jurisdiction and pumping cash (real, fiat cash) into good causes, who wanted to analyse the actual chemical contents of such a punch bowl? Sub-prime mortgage/CDO scandal, anybody? Of course, (and as Kierkegaard may have known), the problem with these types of 'red flags' is that whilst they are commonly found in frauds which have occurred, in themselves they cannot accurately predict fraud because they are too widespread, i.e. they can be found in businesses and situations where fraud and cheating have never been discovered because they have never existed. As an example, I have waited for years for 'explosive revelations' about how the New Zealand All Blacks manage to score so many points in the final quarter of a game. But no, just a lot fitter and more determined it would seem than most teams that they play. At most, these red flags can help us by telling us where to look more closely. And it is there that we encounter the real problem in all this - that the most common fate of those who shine a light and report a problem is... To be ignored. Consider; there were warnings - in some cases multiple warnings over several years - of trouble afoot in Wirecard , Danske Bank , The sub-prime mortgage market, the Madoff Funds , Enron , WorldCom and many more. These warnings came from informed, educated, not-obviously-insane people, in many cases insiders with a deep knowledge of the industries and sectors concerned. Yet no meaningful action was taken. Why? The full chains of causation for each are unique, but in seeking to 'understand backwards' so that we can at least try to 'live forwards' in a more savvy and alert way, it's worth remembering some truths about human nature that I would go so far as to say are profound - i.e., inescapable. We are overly optimistic - 'Optimism bias' in humans is well established in the literature of psychology (e.g. see Optimism Bias ). Maybe it's nature's saving mechanism for our species which, uniquely, (so far as we can tell) is self-aware of its own mortality, but we sure do like to look on the bright side. It may happen to others, but it won't happen to us. At senior levels within organizations this can translate into an unwillingness to believe that the worst is possible. "Nothing to see here. Everything's going to be OK, trust me!" We don't like to receive bad news - or deliver it - 'Shoot the messenger' is an instinct as old as bad news itself. In a 2019 study series , a team from Harvard found that participants generally saw the person who delivered negative information as less likeable. And the more unexpected the bad news was, the more upset the participants were. It's not hard to see the application of this in corporate settings. "I really wish you hadn't told me that. Why do you always have to do this?" We seek out data which confirms what we already believe - And we ignore or explain-away data which contradicts it. Confirmation Bias is another apparently universal trait established in multiple experiments. In a world teeming with information, it's essential that we have mechanisms for shutting out 'non-essential' data. But where corporate malfeasance is a possibility, a capacity to pay special attention to information which doesn't fit with existing 'hunky-dory' assumptions is not only advantageous, it's essential.  We don't like being the 'odd-one-out' - The trait of 'conformity' is another one that's been well established ever since Solomon Asch conducted his 'stick-length' experiments which showed people's preparedness to answer simple questions incorrectly in order to 'fit in' with the group - despite the evidence of their own senses. "Why take the risk of appearing panicky and credulous in the face of dire warnings, when no-one else appears to be doing so?" And "How am I going to explain why we chose not to make an 80% investment return, when so many others did?"