Digitalising client due diligence checks

As technology advances, Mirror encourages regulated businesses to embrace natively digital documentation, rather than the paper documents and signed-name processes traditionally relied upon. Our CEO Nick Williamson highlights why compliance, instead of being a challenge, a fraud risk and a time-consuming process, offers an opportunity to improve and digitalise.



Compliance aligns incentives between the regulator, the customer and the business. The three parties involved in an onboarding transaction have differing goals which need to be accounted for. If one party has too much of a burden placed on them, or they aren't able to accomplish their goal, the client-firm relationship doesn't take place.

In practice, compliance often serves as a gatekeeping function where we have processes that we follow and paperwork that we file, and it ends up being a time tax and a direct monetary tax on many regulated businesses.


With the creation of Mirror, we were always focussed on how we reframe compliance. Instead of it being a dreaded checklist, where we tick boxes and check off items, we wanted to look at compliance differently: as a series of set facts that we assemble to give us comfort, so that we can move forward with a client, whether that's onboarding somebody into a law firm, or facilitating a transaction as an insurance company.


When looking at traditional documentation and the proxy it offers for the facts we need, we looked at the ways we can get to the root of those facts directly. Many find themselves using copies of passports as proof of identity and copies of utility bills as proof of address, and often we forget why we do so in the first place. And now this paperwork doesn’t come in the mail with a seal on it, but instead lives as PDFs on a server somewhere, and firms are seeing this as something that makes processes harder.


Historically, having that physical document gave us some assurance, but in reality, these documents now live on servers and, increasingly, identity documents have biometric chips. This leads to a situation where there are very high bars to forge the electronic signatures associated with these documents, and in comparison, we now see low bars for forging the paper versions.


And then there is where the verification is happening. If you're relying on, for example, an Experian search (that somebody else will complete), how can you trust that they know that, for example, John Smith definitely lived on Main Street, and that they had robust processes that were actually able to validate the information they were given?

Whilst technology has flipped the traditional feelings about what is secure on its head, many of us find that we're still acting as if the fact we're holding a document gives us some security, because it gives us comfort that there is something tangible there. At Mirror, we’ve looked at how we can take the digital signatures that are associated with these documents and actually pass them directly to the regulated business trying to onboard a client.


It is no surprise that costs of compliance are rising year on year, and fraud is an increasing financial threat to regulated businesses. It's getting easier and cheaper to commit fraud on vast scales, especially with things like ransomware attacks, and new scams appearing every day, such as deepfake voice simulators. It's getting more and more difficult for us to address these sorts of frauds, whether it's an actual fraud or it's a misrepresentation that falls foul of regulations.


In response, we keep adding more complexity and more cost to the compliance process, because then we can at least demonstrate that we're trying to fix the problem, even if at almost every step of the process, we feel lost in doing so, and we don't necessarily know how our actions are connecting to the problem of fraud and security risk.


So how can Mirror resolve the issues around fraud and security risk and offer a more technologically driven client onboarding process?


In the case of a passport, for example, the solution is fairly straightforward. It comes with a chip, which we can scan with supporting liveness checks. For other documents, such as utility bills, our system allows us to verify the digital signature that comes up every time that you see a little green padlock in your browser, where the browser is using SSL to secure the connection between the website and the person browsing it, or logging into their utility provider or bank. We've built a tool that allows us to capture those documents and verify both the origin of the document and the fact that the person that we're trying to onboard is authorised against that document. All this is accomplished without compromising security for either the user or the server itself.


We were always keen to deliver software that removes unnecessary things which don't provide additional security. They just give us a security blanket to make us feel like we're doing something without getting to the root of the problem. So instead of somebody trying to look at a PDF of a utility bill that came in as an email attachment and saying, “I think that looks good” or “I think it does that”, we have a piece of technology that can unequivocally tell you it’s a valid and authentic document, without the human-driven admin.


With Mirror we also narrow the onboarding points of information, making sure that we can certify with certainty that the facts presented correlate with, and are absolutely meant for, the client or organisation you’ll be working with.

We allow the user to hold on to their data, lowering the cost of complying with privacy regulations, but in a way that allows our systems to flag any tampering with that data at any point. We also acknowledge that almost every individual and almost every company now has these digital documents available to them because of the push for paperless billing and the prevalence of electronic IDs. As everybody needs to renew their passport every ten years, the vast majority of active passports now contain chips which can be verified remotely to a standard that's much higher than even the most skilled compliance officer.


Mirror has been developed with the core principle of turning compliance on its head. All regulated businesses require certainty: who a person is, where their money comes from, and whether their story adds up in a way that satisfies us and satisfies the regulator as to why we're happy to go into business with this person. But how we obtain that information is up to us, and Mirror allows companies to complete client onboarding without misspending time, money and effort on the process.


Compliance is a security function as much as it is anything else, and when there's a mismatch between what you're actually doing and what you think you're doing, that mismatch is where an opportunity for fraud arises to exploit your system.


I don't think you can talk to anybody who works in a regulated business and not have compliance as being one of the top problems that they deal with day in, day out. It is fairly cliche, but at the same time, I think it's very much been demonstrated that if we're going to continue to do the same thing, we're just going to continue to get the same results.


For Mirror, it meant we could challenge how we think of identity, KYC and due diligence from the ground up, in a way that's still compliant with UK law and in most jurisdictions that follow similar AML regimes. As a result, we have a product that saves time, saves money and saves effort, whilst eliminating security risks.