RapidLEI at ICA Compliance and Financial Crime 2025 | Leonardo Royal Hotel, London St Paul’s
We were at ICA’s Compliance and Financial Crime conference this week, where Tom Edwards, Executive Chair of RapidLEI, joined a fireside conversation on a topic that does not always get the attention it probably deserves: the reliability of the entity identity data underpinning compliance decisions. His argument was that the financial sector has spent years building sophisticated crime-detection infrastructure on top of entity data that is often incomplete, fragmented, or simply out of date.
The problem hiding underneath KYC
The conversation opened with a challenge to a piece of conventional compliance wisdom.
KYC, Tom argued, was designed around individuals. Passport, address, date of birth. When it comes to corporate entities, KYB has largely been bolted on as an afterthought. Firms onboard a legal entity at a point in time, capture a snapshot of its structure, and then largely stop looking.
The problem: unlike individuals, organisations change constantly. Restructures, acquisitions, new subsidiaries, new beneficial owners. Entity data starts decaying from day one.
Historically, there was no universal identifier for legal entities. Different jurisdictions, different registries, different numbering schemes, most of which do not talk to each other. A single entity operating across borders can appear as three or four unconnected records inside a bank’s fragmented system. It is a structural vulnerability, and sophisticated bad actors know exactly how to exploit it.
What an LEI is and why it matters
That structural gap led the conversation naturally into the Legal Entity Identifier itself. For those in the room less familiar with the LEI, Tom explained its fundamentals: a 20-character, globally standardised, ISO-regulated code that answers two deceptively simple questions of “who is who” and “who owns whom.”
Every LEI is backed by verified reference data: the entity’s legal name, its registered address, its jurisdiction of formation, and its ownership structure, including direct and ultimate parent relationships. That data is held in a single, publicly accessible global directory, maintained by a federated network of accredited issuers and overseen by the Global Legal Entity Identifier Foundation (GLEIF).
What makes the LEI different from a company registration number or a tax ID is interoperability. A UK Companies House number means nothing in Singapore. A German Handelsregister entry does not resolve in New York. The LEI is designed to work the same way everywhere, across every jurisdiction and every registry, giving institutions a single, verified thread to pull on when they need to know who they are dealing with.
The question Tom put to the room was why, given all of that, more institutions have not operationalised it beyond the narrow regulatory mandates that require it.
Entity identity failure in the real world
Two real-world episodes surfaced at different points in the conversation to illustrate where entity identity breaks down.
Covid supply chain collapse (2020–21). As supply chains fractured, buyers fell victim to fraudulent contracts from entities that had never been properly verified. Validated supplier identity records could have prevented significant losses. The episode highlighted that entity identity risk is not confined to financial services; it sits squarely in physical trade, procurement, and supply chain management.
Russian sanctions (2022 onwards). The enforcement challenge was not identifying sanctioned individuals. It was identifying the entities behind the entities. Shell structures, name variations, weakest-link jurisdictions. In every major evasion case, the common thread was an entity identity record that was incomplete, stale, or deliberately fragmented. Sanctions have become considerably more complex than screening a name against a list and increasingly demand answers about ultimate beneficial ownership, about layered corporate structures, and about whether the entity sitting two or three levels above a counterparty triggers a restriction that a surface-level check would miss.
Both examples reinforced the same underlying point: entity identity infrastructure was not built for the speed, complexity, or opacity that modern global trade demands.
ICA conference themes
Several sessions earlier in the day had already touched on themes that fed directly into the fireside conversation.
Transaction times are compressing. The Instant Payments Regulation and Verification of Payee requirements are collapsing screening windows from hours to seconds. You cannot manually investigate an entity in real time. You need pre-verified, machine-readable entity data already in your systems before the payment arrives. Without it, the choice is binary: block legitimate payments or let suspect ones through.
Sanctions are no longer a simple screening exercise. Multiple speakers throughout the day had touched on how sanctions compliance now extends well beyond matching names on a list. Screening must account for beneficial ownership, complex group structures, and jurisdictional layering, which are the very areas where fragmented entity data creates the biggest blind spots.
Entity identity challenges extend far beyond financial services. Shipping, physical trade, and supply chain management all face the same fundamental question: do you know who this organisation actually is? The financial sector has been the primary regulatory focus, but the entity identity gap is just as problematic in industries where LEI adoption is not yet mandated.
Regulations are converging, fast
The third thread of the session covered the regulatory pressure now bearing down on compliance teams simultaneously.
The EU’s AML Regulation is harmonising CDD and beneficial ownership requirements across member states. Firms will need updated, verifiable entity data, not snapshots from onboarding three years ago.
As Tom discussed, the Instant Payments Regulation compresses the screening window to the point where manual investigation is impossible, so pre-verified, machine-readable entity data has to be in place before the payment arrives.
DORA extends entity identification into ICT supply chains. Firms now need to know their technology providers and subcontractors with the same rigour applied to financial counterparties. Different flavour, same underlying question: who is this organisation, and how current is that answer?
FATF Recommendations 16 and 24, meanwhile, are pressing jurisdictions on cross-border transparency and beneficial ownership registries. The direction of travel is clear.
All of these regulations share the same underlying assumption: that institutions can reliably answer who they are dealing with. As Tom noted, that is not always a safe assumption.
What compliance leaders should do now
Tom closed with two practical challenges for the room.
First: where LEIs are not mandatory, could they still solve your entity identity problem? Many financial transactions are directly linked to a physical shipment where goods move across borders, through ports, and between warehouses. The financial transaction itself can look perfectly clean, but the physical side of the trade could be fraudulent or sanctions-breaking. Shipping, supply chains, physical trade: these are areas where entity identity risk is real, but LEI adoption remains largely voluntary. The question is whether waiting for a mandate is a defensible position when the risk is already there.
Second: where LEIs are mandatory, how are you actually managing them? Not just for your own organisation, but for all of your counterparties. Start by finding out who owns the responsibility today. Is it compliance? Operations? Legal? Someone in finance who moved on two years ago? It is, Tom suggested, a question fewer people in the room could answer than they might expect.
The practical consequence is worth sitting with. A single lapsed LEI can block an entire fund from executing or reporting trades. Billions in AUM, unable to move. Not because of fraud, not a sanctions breach, not a cyber incident. Because nobody renewed an identifier that costs less than a hundred pounds a year. The fix is straightforward; the consequence of not doing it is considerably less so.
The broader point, though, is that entity identity is not purely a compliance matter. The same question, do you actually know who this organisation is, applies when assessing counterparty risk, screening suppliers, onboarding clients faster, or reducing the friction in cross-border payments. A regulated, globally standardised identifier with verified ownership data is also a trust signal that can inform better decisions across the business, from procurement to credit to fraud prevention. The value tends to extend well beyond the compliance team once people start thinking about where unreliable entity data is quietly creating risk or slowing things down. That conversation, about how LEI can work harder across an organisation, is something we were genuinely pleased to be at ICA to explore.