Electronic Verification Systems: What They Can (and Can’t) Do

If you work in a law firm, chances are your inbox is full of messages from electronic verification providers telling you that you need their system, urgently. Some promise to transform your compliance. 

Others offer plug-and-play KYC. 

Most throw around acronyms like EV, PEP, KYB, and CDD as if they were interchangeable. Phew!

AML Acronym Definitions in Electronic Verification Systems

EV = Electronic Verification

PEP =  Politically Exposed Person

KYB =  Know Your Business

KYC = Know Your Client

CDD = Client Due Diligence

But before you rush to sign a contract with a EV provider, it’s worth stopping, and taking a breath. Because while electronic verification systems can absolutely support your AML program, they are not a silver bullet, and relying on them too heavily (or misunderstanding what they actually do) can leave you and your firm exposed.

Here’s my clear-headed look at what these systems can do well, and where they still need a human in the loop.

What Most Electronic Verification (EC) Systems CAN Do

Let’s start with the positives. When used well, electronic verification systems can:

Speed up ID checks

Most platforms allow you to verify an individual’s identity by scanning their passport and proof of address. Some go a step further and use biometric checks, matching the passport chip with a selfie to ensure the person really is who they say they are.

Access corporate registry data

For corporate clients, some systems automate the “KYB” (Know Your Business) process. They can automate retrieving company information, identifying beneficial owners, and in some cases, tracing multi-layered ownership structures automatically.

Screen for PEPs and sanctions

Screening for politically exposed persons (PEPs) and sanctioned individuals is vital, especially as the rules tighten. Most providers connect to commercial databases that flag potential matches.

Offer pre-configured risk assessments

Some systems help structure your client matter risk assessment (e.g. First AML). These tools guide users through questions and assign a risk rating, providing consistency and record-keeping.

These features save time, reduce admin, and help create a clear audit trail, particularly in large or high-volume firms.

What They CANNOT Do (At Least, Not Reliably)

Here’s the reality: despite the marketing and sales talk, there are some things no electronic system can do on its own.

Confirm that the person in front of you is REALLY your client

Many systems validate that the name and DOB you’ve input match real records. But that’s not the same as confirming that the person sitting across from you is the same person whose passport has been uploaded. If your system doesn’t include biometric verification or in-person ID confirmation, you could be signing off a forged identity.

Detect false positives (or false negatives) automatically

PEP and sanctions databases can throw up hundreds of matches for common names. Most of these will be false positives. You still need a person to:

• Check date of birth

• Compare photographs

• Eliminate irrelevant hits

Without human review, you could miss a genuine match, or delay a matter unnecessarily.

Make judgement calls on risk

An algorithm can’t tell you whether the structure of a deal “makes sense”. It can’t detect a red flag in the narrative of a transaction, or question why a client is using an unusual funder.

That’s the lawyer’s job.

Replace your policies and procedures

No system will work properly unless it’s embedded in a clear, firm-wide process. If lawyers don’t know when to use the system, or what to do with the results, it quickly becomes expensive shelf ware.

Real-World Pitfall: The Illusion of Compliance

In the UK, one firm integrated an electronic verification system assuming it was checking dates of birth as part of its standard identity verification. Three years later, they discovered that feature hadn’t been enabled.

Despite having “passed” hundreds of ID checks, the system hadn’t actually verified this key piece of information. It took an internal audit to reveal the gap.

If you'd like my team and I to do your INTERNAL AUDIT please get in touch.

So what’s the lesson here?

Always test your system before you roll it out. Try deliberately inputting wrong information and see what happens. 

You need to know what the system will catch, but more importantly what it won’t.

Questions to Ask a Provider Before You Buy

Are they up to date? Are sanctions lists and registries pulled from official sources?

Try unusual names, common names, and deliberate errors.

Do you get supporting documentation (e.g. original news article, photo, date of birth)?

You don’t want a one-size-fits-all system that can’t adapt to your policies.

Most systems struggle with trusts, which require human-led review. What support is built in?

Is there onboarding support? Will lawyers know how to interpret results?

In Conclusion - Choose the Tool That Fits Your Process

Too many law firms, in my experience, buy systems and then try to retrofit their processes around them. It should be the other way around.

Start by working out:

1. What your policy requires

2. What information you need

3. What evidence you want to retain

Then find a provider that helps you do that more efficiently.

And even then, don’t stop thinking. Use the system, but also Google your client. Review the file. Ask the awkward questions. No technology can replace good judgment and healthy scepticism.

Because when the regulator knocks, they won’t be auditing your tech. They’ll be auditing you.

Thanks for reading.