Entity Verification is the bedrock for identifying who is in a third-party network and getting clarity on the associated risks. Entity Verification is also key to processes like customer and supplier onboarding, customer lifecycle management, perpetual KYC, fraud prevention, master data management, and much more.
Moody's conducted an original study into the topic of Entity Verification, with input from 350 risk and compliance professionals from 50 countries. A report containing all the findings from the study is available now for download.
Following the launch of our Entity Verification report, we hosted a panel discussion led by Johanna Konrad, Moody’s managing director for entity verification, and guests included:
Here we provide a digest of the panel’s discussion - sharing perspectives on Entity Verification with a sector lens; its importance in the field of third-party risk management and compliance, and what is needed in the process of Entity Verification for it to operate most successfully.
Johanna: What keeps you awake these days and what role does entity verification play in that?
Astrid: Entity verification is at the heart of what we do. It's not only a regulatory obligation, but it feeds into all our downstream controls in financial crime prevention. It’s what helps us do accurate customer risk assessments and monitoring. How are we going to detect suspicious activity if we don't understand what type of businesses we're dealing with?
Entity verification therefore isn’t a place to “cut corners”, but at the same time it is where a lot of manual effort is being spent. Anti-money laundering (AML) analysts may have to go from trade register to trade register, downloading PDFs, uploading PDFs, copy-pasting information. When is that manual effort valuable and worthwhile, and when is it not? We don’t want to skip entity verification, not at all, but there are opportunities to do things more efficiently.
In societies like the Nordics, where I’m based, there's a high degree of digitization already. So, for the past five years at Danske Bank, I've been wondering how we use good quality public registers to improve the know your customer (KYC) data we have and create more efficient processes for entity verification.
Johanna: That gives us a great overview of the priorities of Entity Verification for banks. Over to Gabriela from the corporate world. You're leading global vendor risk management at Cargill, which is a multinational food corporation, so we're talking about vendors here versus customers. Clearly, it's important to make sure you know who you're working with given that issues with vendors can have significant impacts on your operations. So, what is entity verification doing for you and how important is it in your daily work?
Gabriela: It’s a key aspect for our day-to-day life. Working for a multinational, dealing with suppliers, customers, shareholders and all interested parties, the reputational aspect has become so crucial. We can’t control reputational risk, if Entity Verification isn’t done correctly in the right places.
For us, knowing who we do business with and exactly where we do business; how different suppliers might be connected to each other and so on, is critical to identifying different types of risk. This is true from a financial, legal, ESG, regulatory, and reputational perspective. All aspects of risk become connected.
We need to have a strong basis of understanding and to us that begins with the Entity Verification process, which becomes the steppingstone to everything else.
Johanna: Olivier, you have spoken about the challenges around collecting, processing and making data available across systems. You also mentioned the fact that this may be easy, if you build Entity Verification from scratch, but it's obviously more complex when you work with legacy systems that have evolved over time.
What is your view on this challenge and what does Entity Verification do in that overall picture?
Olivier: Good data is absolutely key for our organization. We have to put data resilience and quality at the center of what we do. We also have to try to harness the power of clean and reliable data on every party we want to conduct business with.
Broadly speaking, the key focus for implementing tools for Entity Verification in a global organization is to answer a simple question - we need to know who we are doing business with.
We have to make sure we screen and monitor every entity without doubling or tripling work. For a global organization, you may have different systems of verification, but you don't want to miss anything. So, this is how we set the priorities when we start working on implementing a system for Entity Verification, because we may have multiple systems of verification already embedded in the organization across different markets, jurisdictions, businesses, products and services.
We have to think globally and approach the capacity to screen and monitor thousands, or even millions of counterparties and entities. This means we have to focus on our processes and think about the risks and prioritize the areas into which we want to implement the system. And we have to think about combining solutions to maximize risk coverage and get the fastest return.
A global organization will start with customer onboarding because every party who are new to a bank have to be properly screened and monitored, but you also want to have the best tools possible to gather the most reliable data to conduct investigations and report to your authorities.
You need to implement tools while assessing their compatibility with different systems you already have and working with the new system you want to implement. You want it to be as effective as possible, and as seamless as possible, while offering collaborators the capacity to reach and access the best data.
It’s important to think about efficient coupling of systems before substituting one system for another. This could mean operationally mapping different systems together, and to perform this art you have to rely on the experts in the field.
Johanna: Moody’s study into Entity Verification has indicated how important Entity Verification has become - can you confirm that’s your experience, and tell us a bit more about why you think that is the case? Gabriela, you have said Entity Verification is “coming out of the back office”, tell us more about that.
Gabriela: We have seen Entity Verification as part of our KYC process, as we're onboarding new clients or new suppliers. But now we are starting to see regulations from a sustainability and ESG perspective, and we're being made responsible not only for our own supply chains, but also for our extended supply chains.
So now, you don't just hear talk of Entity Verification from the people involved in the onboarding, but from commercial teams; ethics and compliance teams; and the board. Everyone wants to know who the person is that they are doing business with, and that’s going to continue to be the case.
We're seeing a lot of things happening in EMEA and North America in supply chains, news is now widely available and can become viral in seconds which means knowing exactly who we do business with is critical. It's no longer something we tick off, but it’s really something that's becoming embedded in every process.
Astrid: From a banking perspective, Entity Verification is already incredibly important. But a reflection on what you say, Gabriela, is a recognition that many places in an organization might be doing Entity Verification, and now we need to think about how we bring that together. How do we make sure data is reused; information is shared; that overall records are kept straight and there aren’t different views of a customer? That's something that's going to become a greater focus.
Olivier: We have said data is important, especially clean data, but for a global organization, we look across many different areas and business processes when we gather data. Ultimately, and especially when you have to report things like suspected financial crime to the authorities, you have to be as accurate and precise as possible, because you are reporting onto something that will bear consequences. The criticality of what you do relies on data.
You have been able to gather and verify data – if you implement systems to collect and pool data, check, monitor, and verify it, it is absolutely critical that your system operates to the highest standard, as you can’t risk reporting something that’s inaccurate. It's not a surprise that every organization is looking into Entity Verification – small and large – because it is important all organization.
Johanna: Obviously there are barriers to creating the perfect golden record or reaching data maturity. What are the key ones that stand out? Is it mainly data input quality, getting reliable data from authoritative sources, or is it a systems issue in terms of getting data from one part of an organization to another
Olivier: For larger corporations, it could be all these barriers at the same time. I prefer to say, “existing conditions” or “legacy systems” though, because they are not really “barriers”.
Every sensible manager and stakeholder are aware that we need to rely on accurate data to thrive and compete. However, you also need to actively comply with regulatory requirements, and this is a reality you must acknowledge.
Different levels of your organization have to define the best route to a successful implementation of Entity Verification, so this isn’t about barriers, it is about defining what the organization needs, and where.
If you want to deploy a verification system, while trying to make the best of multiple systems of data record, you have first to pool your data in a data lake or into a platform. Then you can think about moving to the holy grail of a unique system for verification. The last part, the difficult part probably, is then to adjust the systems without any loss and build trust in the new system before achieving a transformative move.
Gabriela: One thing to add is the importance of how you embed Entity Verification into a culture of day-to-day work. You can have the best platform, the best data, the best process set up, and if the culture is not there, you'll do a good job at cleansing, implementing, and putting it in place, but maintaining and making sure the records stay accurate will get lost unless everybody knows their step in the process, and their accountability in the process. Embedding that culture will make whatever you implement and whatever process you set continue to work over time.
Astrid: We have challenges as an industry with siloed data and coupled with Gabriela and Olivier's points about legacy and the importance of culture, I'm also a pragmatist. What are the highest value areas where we need to share data and have one view and do the technical integrations? And then how do we share this between people to solve the most pressing challenges?
Johanna: To continue that line of thought - Gabriela, you talked about keeping information up to date. Obviously at the time of onboarding, there is a collection exercise and typically quite good data is gathered, but then as relationships with customers or suppliers continue over the years, it is a challenge to make sure you keep that record up to date and get as close as possible to having a golden record.
Given our digitalized world and processes becoming more dynamic, is that significantly impacting Entity Verification - and the perpetual part of it - positively?
Astrid: There is recognition that it's a dynamic world and we need to keep our Entity Verification up to date. A lot of the work we do is pushing our processes to be more fit for digital and getting that digitized foundation of the customer record.
We think about: what are the key data elements that are important to constitute a customer record? What are the data sources available to us? How do we create the feed of information that's important to us, so we can get the foundation of entity verification in place efficiently?
Then there are two other elements to consider - not forgetting the risk-based approach - where is this dynamic update most pressing? Where is it most valuable? It's easy to say we want to keep all our customer records up to date all the time, but we need to invest in our priorities.
A third element I'm interested in is how we can intelligently detect risks associated with entities. Maybe looking beyond the data we have on an entity’s record and applying in-house monitoring or partnering with external data providers who have oversight of those entities. This should enable us to identify risk triggers and put investigators on the job to look at whether an entity is actually legit, when necessary, because it's not difficult to set up a “legitimate” company.
Gabriela: Going back to having it [Entity Verification] as a foundation - if we don't make sure we track this data and we don't have a good view for getting to a golden record, especially in a global environment, it becomes so much harder to detect all other risks.
Are there legal, sanctions, reputational or cyber risks or anything else associated? Are we looking at the right entity? Is this entity a valid one? As we've seen multiple times, creating a company legally in any country is not so hard. Making sure we do business with the right entities, that's where the challenges are. And having that view globally is even more challenging.
When we think about a golden record or creating one view, that's our biggest use case.
Johanna: We heard about the rise of AI in Moody’s Entity Verification study too, and people are starting to think about how they use AI to help them automate parts of Entity Verification or compliance processes.
AI is a broad term. It could be anything from data extraction from documents to AI supported analytics to something else we might see in the future, such as AI compliance agents. But what are your thoughts on the evolution of AI and machine learning, and are you already deploying any AI supported processes
Olivier: We know the topic can’t be left untouched because AI is everywhere. And in truth I think there are obvious touch points with AI and Entity Verification. We are talking about verification of data attached to entities operating with numerous other entities, so we want to know more about entities in our network, which means the counterparties of entities we’re connected with.
There needs to be a way to extend what we know and want to know if we want to be able to understand the bigger picture. Having a way to connect the dots is important to us and this is where machine learning can help. AI models are useful to reach another level of performance.
If we venture into AI, that will probably be more around AI recognition models rather than AI generation models, because we are looking at discriminating and verifying first and foremost, and this needs clean and reconciled data to achieve better recognition.
That said, we could use some form of generative AI to help fill in the missing pieces of a picture or point us to the right direction and find the data we are missing based on reverse pattern analysis. These things could be explored, attached to, or linked to an Entity Verification tool.
There will certainly be some work needed to reinforce the verification process with AI/machine learning models. But in my view, that will probably be used to start to decipher or approach data we cannot easily retrieve.
Astrid: My reflection is, I’m not surprised there hasn’t been such big adoption yet in our space [risk and compliance], because it is so heavily regulated. We might be risk-averse working in financial crime risk management, right? I think following the regulatory expectations and attitude towards AI application in our area is going to continue to be interesting.
Question: Acquiring reliable data for entity verification is definitely a challenge. Can the panel share their experience in this area or any recommendations for acquiring and leveraging reliable data internally or externally?
Gabriela: For me, in terms of efficiency and how we can verify the information we have, partnering with the right third parties has been crucial and finding a partner that understands the business, understands the industry, and that has a global footprint has been key to driving a process that gives value.
Verifying the entity is one thing, but understanding the footprint of that entity, which is also part of verification, is another. Are they owned by somebody that we shouldn't be doing business with? Who are they partnering with? We can only get these things through a trusted third party.
Astrid: In the Nordics, we have digitally available corporate registries that we use and can have integrations with. But sometimes that will only give you so much of the picture.
Of course, there are available data sources to help open-source investigations, but I think there will always be some manual investigation, particularly for larger and more international customers where we need skilled analysts to do the work. And sometimes you need to reach out to the customer and confirm what you've learned. There's no bulletproof answer.
Olivier: You have to rely on good processes first to access the data you need. So if you're talking about customers, for a global bank it’s all about process - you have to have robust processes to gather the data - and then we have multiple vendors to verify the data.
We want to verify, screen, monitor, and cross check. And because we are talking about Entity Verification, if you want to reach a greater level of performance, you need to unify the way you are verifying the data and cross checking it.
It starts with a process. Everybody in your organization must be trained to access and to understand what data they should gather and to follow the process, which has to be replicable across your organization. Then you can move legacy systems to something more platformed for verification that is unique to your organization.
Question: Can you share what questions you feel are most important for onboarding third parties to understand who you're doing business with? How can other practitioners best match findings to understand either financial or reputational risk within an entity?
Astrid: They are the core data elements of a customer, like name of company, unique identifier, the legal name - all the basic identification questions that need to be in place and that you need to verify accurately. There are questions that help you get a sense of what type of business they are in, and there might be available industry codes and so forth.
Sometimes you need to enrich this further and identify if there is a special requirement category with a higher risk relevant for financial crime for instance. So then you are asking either an analyst or the customer to engage a bit on the business to understand what type of business it might be.
Gabriela: A unique identifier is key to investigating in local bureaus and registries. These are things like: are they doing business with the government or are they related to governments? This is key because it raises a whole other set of questions. And the industry an entity belongs to is also key along with where you are doing business as it might raise another set of questions.
Astrid: Geographical footprint, which you brought up Gabriela, is key. What are the geographical risks associated with the entity? With all these broad considerations, entity verification becomes more complex than the simple act of comparing one record to another and seeing if they match.
Olivier: Again, this is about process. You have to understand what you need for risk assessment, because it will be different from field to field - corporate banking, private banking, marketing, financial crime – it’s all different. When you know what you need, then you can define your process and assess risk more exactly, as you don't want to miss anything.
Moody’s would like to thank our panel of experts, along with Context+, for supporting our study into Entity Verification.
If you have any questions about this paper or Moody’s solutions for Entity Verification, please get in touch with the team any time – we would love to hear from you.