OSINT for Financial Investigation
Beneficial ownership, sanctions screening, asset tracing, and following money through public data.
Who this is for
Compliance officers, financial-crime investigators, KYC and AML analysts, forensic accountants, and investigative researchers working on asset tracing, beneficial ownership, and sanctions exposure. You are typically answering a question that will be filed — a due-diligence report, a suspicious-activity referral, a litigation exhibit — and the audience grades work on source provenance before it grades it on cleverness.
Start from the core methodology if you are new to OSINT; this guide assumes you know the four phases and covers the field-specific application.
Core techniques
Beneficial ownership tracing. Register by register, jurisdiction by jurisdiction, follow the equity chain until you hit natural persons or a dead end. Many jurisdictions now publish UBO registers; their coverage, thresholds, and accuracy vary. Expect to cross-check each step against at least one independent source: corporate filings, press coverage, litigation records, property records, or disclosures filed by the entity itself elsewhere.
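The chain-following step above can be made explicit in code. This is an added example, not part of the original guide: it assumes indirect stakes are calculated by multiplying fractions along each path and summing across paths (control-based tests are not modelled), uses the 25% threshold from the workflow example further down, and runs on constructed holdings with hypothetical names.

```python
from collections import defaultdict

# Constructed sample data; every name is hypothetical.
# Each row: (owner, owned entity, fraction of equity held).
HOLDINGS = [
    ("BVI Holdco Ltd", "Cyprus Target Ltd", 1.00),
    ("Person A", "BVI Holdco Ltd", 0.55),
    ("Person B", "BVI Holdco Ltd", 0.15),
    ("Nominee Co", "BVI Holdco Ltd", 0.30),
    ("Person B", "Nominee Co", 0.50),  # other 50% of Nominee Co: no filing found
]
NATURAL_PERSONS = {"Person A", "Person B"}
EPS = 1e-9  # tolerance for floating-point comparisons


def effective_ownership(target, holdings, persons):
    """Return (stake per natural person, untraced equity per entity)."""
    owners_of = defaultdict(list)
    for owner, owned, fraction in holdings:
        owners_of[owned].append((owner, fraction))
    stakes, untraced = defaultdict(float), defaultdict(float)

    def walk(entity, weight, path):
        if entity in persons:            # chain ends at a natural person
            stakes[entity] += weight
            return
        if entity in path:               # circular holding: record, do not loop
            untraced[entity] += weight
            return
        owners = owners_of.get(entity, [])
        declared = sum(fraction for _, fraction in owners)
        if declared < 1.0 - EPS:         # dead end: equity with no known owner
            untraced[entity] += weight * (1.0 - declared)
        for owner, fraction in owners:
            walk(owner, weight * fraction, path | {entity})

    walk(target, 1.0, frozenset())
    return dict(stakes), dict(untraced)


def ubos(target, holdings, persons, threshold=0.25):
    """Natural persons whose summed effective stake meets the threshold."""
    stakes, _ = effective_ownership(target, holdings, persons)
    return sorted(p for p, s in stakes.items() if s >= threshold - EPS)
```

In the sample, Person B holds 15% directly and 15% through Nominee Co, so neither path alone reaches the threshold but the summed stake does; the 15% of the target that runs into Nominee Co's unfiled half is returned as untraced so it can be stated in the report rather than silently dropped.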
Sanctions and PEP screening. OFAC, EU consolidated list, UK OFSI, UN Security Council, and jurisdiction-specific lists cover overlapping but non-identical populations. Screen against the current consolidated list at the date of the decision, and preserve a dated copy of the list in the evidence pack. A match is a hit, not a conclusion; investigate the candidate to confirm identity before treating the match as dispositive.
Corporate structure mapping. For any non-trivial entity, map parent, subsidiary, branch, and affiliate relationships explicitly. Use filings, disclosures, and specialist databases. Diagram the structure; unreadable ownership chains are almost always misunderstood.
Litigation and bankruptcy records. Court dockets, bankruptcy filings, and regulatory enforcement actions are primary, dated, adjudicated sources. They are often the highest-evidentiary-weight records available and should be retrieved directly rather than via press summaries.
Asset tracing in public data. Property records, vessel registries, aircraft registries, court judgements, tax-lien filings, and in some jurisdictions vehicle registrations. Cryptocurrency tracing is its own sub-discipline with its own tooling and pitfalls.
Network analysis. Entities and natural persons connected via directorships, shared addresses, shared phone numbers, shared email domains, or shared agents form patterns that are not visible one entity at a time. Use link-analysis tooling once the number of entities crosses what a spreadsheet can hold.
Essential tools
- Company registry searches — jurisdiction-specific access and retrieval.
- WHOIS and DNS lookup — registrant history and infrastructure ties that can corroborate corporate structure claims.
- Google dorking — targeted retrieval of regulatory filings and disclosures that are indexed but hard to browse.
- Wayback Machine — historical state of corporate websites, often revealing officer listings and addresses that current sites have removed.
- Maltego — link analysis across entities, persons, addresses, and identifiers.
- Metadata extraction — authorship and edit histories in filings and disclosures.
- The Subthesis legal document analysis tool for entity extraction across long filings, court records, and leaked databases.
- Specialist paid sources (OpenCorporates, Sayari, Orbis) for cross-jurisdictional corporate data; treat as necessary complements to primary registry retrieval, not replacements.
Legal and ethical considerations
Additional points specific to financial investigation:
- Enhanced due diligence records are discoverable. Write the file assuming a regulator, a court, or an internal audit will read it.
- Adverse-media findings require evidentiary weighting. Not every press hit is true; not every retraction is noticed. Grade adverse media against the primary-record standard the rest of the file uses.
- Tipping-off rules. In regulated AML workflows, informing a subject that they are being investigated may itself be an offence. OSINT methods that create a notification or access log against the subject can violate this constraint accidentally.
- Sanctions matches create obligations. A true-positive sanctions match often triggers reporting and freezing obligations with fixed deadlines. Plan the workflow so that a match surfaces within those deadlines, not weeks later.
Workflow example
A compliance team is onboarding a counterparty, a Cyprus holding company, for a significant transaction. The intelligence requirement becomes: "Identify ultimate beneficial owners of the Cyprus entity holding twenty-five percent or more as of the filing date; screen each natural person identified against consolidated sanctions and PEP lists; surface any adverse media relevant to the transaction."
Collection begins with the Cyprus registry and proceeds through the visible equity chain, archiving each filing and recording the registry's revision identifier. The chain terminates in a BVI entity whose UBO declaration names two natural persons. Each natural person is screened against OFAC, EU, and UK consolidated lists; one name matches a mid-tier PEP designation in a third jurisdiction. That match is corroborated via a second authoritative source to confirm identity — date of birth, nationality, and prior office held all align.
Analysis documents the chain as a diagram, cites every edge to a preserved filing, and grades the PEP match as confirmed. Adverse media is screened across primary news databases for the previous five years; two hits surface and are traced to primary documents where possible. One collapses under verification — a retraction had been issued — and is graded accordingly in the file.
The report cites every claim to a hashed artefact in the evidence pack. The PEP finding triggers the firm's enhanced-due-diligence procedure on its own track. The report explicitly states which claims it did not establish — specifically, whether the UBO declaration reflects current rather than historical holdings — and recommends a control to surface subsequent changes.
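One way to enforce the "every claim cites a hashed artefact" rule before a report is filed, as an added example that is not part of the original guide. The record layout, function names, and sample bytes are assumptions constructed for illustration; the pack is kept in memory here, where a real one would sit on write-once storage.

```python
import hashlib
from datetime import datetime, timezone


def add_artefact(pack, name, data, source, retrieved_at):
    """Store raw bytes under their SHA-256 digest and return the digest."""
    digest = hashlib.sha256(data).hexdigest()
    pack[digest] = {
        "name": name,
        "source": source,
        "retrieved_at": retrieved_at.isoformat(),  # dated copy, in UTC
        "data": data,
    }
    return digest


def audit(pack, claims):
    """List integrity and citation problems; an empty list means none found."""
    problems = []
    for digest, record in pack.items():
        # Re-hash the stored bytes: any change since collection shows up here.
        if hashlib.sha256(record["data"]).hexdigest() != digest:
            problems.append(("altered", record["name"]))
    for text, cited in claims:
        if not cited:
            problems.append(("uncited", text))
        for digest in cited:
            if digest not in pack:
                problems.append(("missing", text))
    return problems


def build_sample():
    """Constructed evidence pack and claims; all content is hypothetical."""
    pack = {}
    when = datetime(2024, 1, 15, 9, 30, tzinfo=timezone.utc)
    filing = add_artefact(pack, "registry_filing.pdf",
                          b"constructed filing bytes", "company registry", when)
    listing = add_artefact(pack, "consolidated_list.xml",
                           b"constructed list bytes", "list publisher", when)
    claims = [
        ("Person A holds 55% of BVI Holdco Ltd", [filing]),
        ("Person A screened against the list dated at decision", [listing]),
    ]
    return pack, claims
```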
A common trap in financial OSINT: accepting a UBO declaration as authoritative because it was filed. Declarations are self-reported in most jurisdictions. Cross-check against the equity chain, against prior filings, and against independent reporting wherever the stakes justify the cost.
Further reading
- Epstein Revealed investigation series for public-records-driven financial investigation applied to a high-profile subject.
- Financial OSINT: tracing money through public data for a longer walkthrough of the techniques above.
- Ethics and legal framework for cross-jurisdictional constraints.
- Subthesis legal document analysis tool for document-heavy compliance workflows.