The Hidden Wiring Behind Your Clients — And Why Most Law Firms Can’t See It | Sysero

Beneficial ownership, investigative ontologies, and the AI-powered audit trail that’s quietly reshaping legal compliance.

Here’s a scenario that plays out in law firms every week.

New client comes in. Corporate entity, reasonable pedigree, wants you to handle an acquisition. Your conflicts team runs the name through the system. Clean. PEP and sanctions screen comes back clear. Engagement letter goes out. Everyone gets on with their day.

Six months later, a partner across the corridor discovers that the individual who ultimately controls your new client also happens to be the majority shareholder of a company you’re currently suing on behalf of another client. Nobody spotted it because the connection was buried three layers deep in a chain of holding companies, and your conflicts system only checks names — not ownership structures.

That’s not a hypothetical. It’s a structural blind spot, and almost every firm has it.

Your conflicts check has a depth problem

Traditional conflicts checking is essentially sophisticated text matching. Does this name, or something close to it, appear in our matter database? It’s good at catching the obvious — you’ve acted for this company before, or someone with this name appeared on a previous matter.

But it has no concept of who stands behind the name.

UK companies declare persons of significant control at Companies House. That’s useful — until you realise that Company A’s PSC is Company B, whose PSC is Company C, whose shares are held by a trust in Guernsey that happens to be administered by someone your firm has been advising for a decade. That chain is sitting right there in public data. Nobody’s looking at it because, until recently, traversing it programmatically was a pain.

That’s changing fast.

Following the thread

The approach that’s gaining traction involves recursively walking the Companies House API. You start with a target company and pull its directors, PSCs, shareholders, and subsidiaries. Then you do the same for each of those entities. And again. And again — until you’ve mapped the full ownership tree.

Now do that for every entity in your existing client portfolio.

What you end up with is a graph — a web of connections between people and companies. Drop that into a graph database and suddenly the question “does anything in this new client’s ownership chain overlap with anything in our existing book?” becomes a query that runs in milliseconds.

The clever bit is the entity resolution layer that sits in between. “J. Thornton” on one filing might be “James Robert Thornton” on another. Same person? The software cross-references dates of birth, addresses, and filing identifiers to work it out. It’s the kind of matching that would take a human analyst hours per entity — and there might be dozens of entities in a single ownership chain.
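The traversal and overlap check described above, as an added example that is not Sysero's code or part of the original article. It runs over a constructed in-memory table in place of live registry calls and assumes entity resolution has already mapped each party to one stable name; every company and person name is invented.

```python
from collections import deque

# Constructed sample data standing in for registry responses: each entity
# maps to the parties declared as controlling it. All names are invented.
CONTROLLERS = {
    "NewClient Ltd": ["Holdco B Ltd"],
    "Holdco B Ltd": ["Holdco C Ltd"],
    "Holdco C Ltd": ["Guernsey Trust", "Holdco B Ltd"],  # circular holding
    "Guernsey Trust": ["Jane Example"],
    "Opponent Ltd": ["Jane Example"],
    "Unrelated Ltd": ["Sam Placeholder"],
}

def ownership_paths(root, controllers, max_depth=10):
    """Breadth-first walk up the control chain from `root`.

    Returns {entity: path from root} so every hit can be explained.
    The membership check stops circular holdings looping forever and
    max_depth bounds the work on very deep structures.
    """
    paths = {root: [root]}
    queue = deque([root])
    while queue:
        current = queue.popleft()
        if len(paths[current]) > max_depth:
            continue
        for parent in controllers.get(current, []):
            if parent not in paths:
                paths[parent] = paths[current] + [parent]
                queue.append(parent)
    return paths

def find_overlaps(new_client, existing_book, controllers):
    """List entities shared by the new client's chain and the existing book."""
    new_paths = ownership_paths(new_client, controllers)
    hits = []
    for party in existing_book:
        for entity, path in ownership_paths(party, controllers).items():
            if entity in new_paths:
                hits.append({"shared": entity,
                             "via_new_client": new_paths[entity],
                             "via_existing": path})
    return hits

if __name__ == "__main__":
    book = ["Opponent Ltd", "Unrelated Ltd"]
    for hit in find_overlaps("NewClient Ltd", book, CONTROLLERS):
        print(hit)
```

A name-only conflicts check on "NewClient Ltd" finds nothing here; the overlap only appears four hops up the chain, and the returned paths show how each side reaches the shared controller.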

The ontology that investigative journalists built

Here’s where things get genuinely fascinating.

The data model underpinning the most promising approaches to this problem didn’t come from a compliance vendor or a Big Four consultancy. It came from investigative journalists.

FollowTheMoney is an open-source ontology originally developed by the Organized Crime and Corruption Reporting Project (OCCRP) for Aleph, their cross-border investigative platform. It was built by people who spend their careers tracing money through shell companies, mapping political influence networks, and connecting the dots between seemingly unrelated entities across jurisdictions. The same people who helped break stories from the Panama Papers to the Troika Laundromat.

What makes FtM elegant is how it models relationships. In most databases, you’d store a person and a company as records and draw a line between them. FtM treats the relationship itself as a first-class entity. An Ownership isn’t just an arrow connecting two nodes — it’s an object with its own properties: start date, percentage of shares, source of the data. A Directorship captures not just who directs what, but when they were appointed, when they left, and what role they held. Every relationship carries its own provenance.

This matters enormously for compliance. When you’re trying to explain to a regulator why a particular connection is or isn’t a problem, the metadata around the relationship is as important as the relationship itself. “This person owns 51% of that company” tells you something very different from “this person owned 3% of that company for six months in 2019.”

The FtM schema covers the full landscape of entities you encounter in ownership chain analysis: Person, Company, LegalEntity, Organization, Ownership, Directorship, Membership, Family, Associate — even Sanction and Debt. Each entity type defines its own properties, and entities reference each other through typed links, creating a rich graph that captures not just who is connected to whom, but how, when, and according to what source.

The ecosystem built around it is equally impressive. Entity matching — the ability to ask “does this person appear in that dataset?” with fuzzy, transliteration-aware name comparison. Data normalisation — cleaning up the messy, inconsistent reality of company registries where the same entity might appear with slightly different names, addresses, or identifiers across different filings. Finally, merging entity fragments from multiple sources into coherent, deduplicated records.

This set of techniques has been battle-tested on some of the largest financial crime investigations in recent history.

There’s something quietly thrilling about the idea that the same data model used to trace oligarchs’ assets through Cypriot shell companies can now power routine compliance checks at a regional law firm. The tools built to hold the powerful to account are becoming the tools that keep ordinary businesses safe.

The report that writes itself

Finding a connection is one thing. Explaining it to a partner, an MLRO, or a regulator is another.

This is where things get interesting. Large language models are now being used to take the raw output of an ownership traversal — the API calls, the entity matches, the graph paths — and turn it into a narrative. Not a data dump. A readable document that says, in plain English: “Here’s who controls this company. Here’s how they connect to your existing client. Here’s why that matters. Here’s what you should do about it.”

The best versions include a full provenance trail — every API endpoint called, every data point retrieved, timestamped and hashed so the report is tamper-evident. Hand that to the SRA during a supervisory visit and you’re not just showing compliance. You’re showing a level of rigour that most firms can’t get close to manually.

It’s the difference between “we checked” and “here’s exactly how we checked, what we found, and the chain of evidence behind every conclusion.”
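One way to make such a provenance trail tamper-evident is a hash chain, shown here as an added example that is not Sysero's code or part of the original article. The record fields, source labels, timestamps and payloads are all constructed for illustration.

```python
import hashlib
import json

GENESIS = "0" * 64  # prev_hash used by the first record in a trail

def record_digest(record):
    # Canonical JSON (sorted keys, fixed separators) so a record always
    # serialises, and therefore hashes, the same way.
    body = json.dumps(record, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(body.encode("utf-8")).hexdigest()

def append_step(trail, timestamp, source, payload):
    """Log one retrieval, chained to the hash of the step before it."""
    record = {
        "seq": len(trail),
        "timestamp": timestamp,
        "source": source,
        "payload_sha256": hashlib.sha256(payload).hexdigest(),
        "prev_hash": trail[-1]["hash"] if trail else GENESIS,
    }
    record["hash"] = record_digest(record)
    trail.append(record)
    return record

def verify_trail(trail):
    """Return the index of the first record that fails, or None if intact."""
    prev = GENESIS
    for i, record in enumerate(trail):
        body = {k: v for k, v in record.items() if k != "hash"}
        if record["seq"] != i or record["prev_hash"] != prev:
            return i  # record removed, reordered or re-linked
        if record_digest(body) != record["hash"]:
            return i  # record contents edited after logging
        prev = record["hash"]
    return None

def build_sample_trail():
    # Constructed steps: sources, timestamps and payloads are invented.
    trail = []
    append_step(trail, "2024-01-01T09:00:00Z", "registry/company/EXAMPLE01", b'{"name":"NewClient Ltd"}')
    append_step(trail, "2024-01-01T09:00:02Z", "registry/controllers/EXAMPLE01", b'{"controllers":["Holdco B Ltd"]}')
    append_step(trail, "2024-01-01T09:00:05Z", "graph/overlap-query", b'{"shared":"Jane Example"}')
    return trail

if __name__ == "__main__":
    trail = build_sample_trail()
    print("intact:", verify_trail(trail))
    trail[1]["payload_sha256"] = "0" * 64  # simulate an after-the-fact edit
    print("first bad record:", verify_trail(trail))
```

The chain only proves integrity relative to its final hash, so that value has to be signed or stored somewhere the party holding the report cannot rewrite; otherwise the whole trail can be regenerated after an edit.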

The quiet power of doing nothing (most days)

Here’s an underrated part of this picture: ongoing monitoring.

Firms tend to treat compliance as a moment — something that happens at onboarding and then sits in a filing cabinet. But ownership structures shift constantly. Directors resign. Shares change hands. Someone gets added to a sanctions list nine months after you opened the file.

The good news is that monitoring is surprisingly lightweight to run. The heavy lifting happens during the initial traversal. Once an entity is in the graph, keeping tabs on it is a delta operation — you’re watching for changes to filings you’ve already indexed, not re-running the entire analysis every day. On a quiet day, which is most days, monitoring catches nothing. On the day it catches something, it’s priceless.

The regulatory logic is simple: if a client becomes sanctioned three months after onboarding and you don’t notice, you face the same consequences as if you’d never checked at all. Continuous monitoring turns compliance from a photograph into a film.

The landscape is shifting

The firms that adopt this won’t just be better protected against regulatory risk. They’ll be offering their clients something genuinely valuable: the confidence that comes from knowing not just who they’re dealing with, but who stands behind them — all the way up the chain.

The question for any firm reading this isn’t really whether the technology works. It does. The question is how long you’re comfortable not using it.

Sysero provides document automation, workflow automation, contract management and knowledge management solutions to law firms.