Performing due diligence on third parties can be hard. When you discover that your third party is still in diapers, however — that’s pretty much a surefire sign something is amiss.

The diaper scenario isn’t made up. Earlier this year the watchdog group Global Witness reported that 4,000 toddlers are listed as beneficial owners of companies registered in the United Kingdom. Five individuals in the U.K. Companies House registry are listed as owning more than 6,000 corporate entities. Filing a bogus corporate registration is easy to do, complete with fictional executives, fictional funding, and fictional names.

The United States is little better. Corporate ownership is registered at the state level, with Delaware leading the country in registrations specifically because creating a new legal entity is so quick and easy. We could say the same for registries in Panama, the Bahamas, and elsewhere. The scandals of the Panama Papers(2015) and the Paradise Papers(2017) are rooted in trusts, shell companies, and other corporate structures all legally registered but cloaked in ownership mystery.

Such stories are all the more unsettling to compliance professionals these days, as the May 11 deadline draws near for new customer due diligence (CDD) rules to go into effect in the United States. Those rules will require financial firms to identify and verify the beneficial owners and controllers of legal entities doing business with the firm.

At the preliminary level, companies can rely on evidence supplied by the customer about beneficial owners and controllers. That is, the person opening the account can supply the documentation you need, and that can suffice provided that your firm “has no knowledge of facts that would reasonably call into question the reliability of such information.”

That provision alone can be a big if. Other parts of the CDD rules specify that a firm must perform enough due diligence to develop a risk profile of the customer, so you can implement effective monitoring after the account is opened and detect suspicious transactions.

All of that means firms will need to perform better due diligence on customers. And as we see from the 4,000 toddlers supposedly running businesses in Britain, while screening beneficial ownership data against corporate registries is a useful first step, by no means should it be the only step.

Effective customer due diligence must be able to withstand the scrutiny of hindsight. After an adverse incident happens, somebody — a regulator, the board, an auditor, an angry public on social media — will ask, “How did this legal entity become a customer? What did your firm do to try to determine that this customer was legitimate?”

Questions in hindsight can be painful, and not always fair. Compliance officers need to answer them anyway.

First, your employees will gather that ownership information from the customer opening the account. You will also need to collect more information about, as the rules say, “the nature and purpose of customer relationships.”

Should any of that information raise suspicions, more due diligence will be required. Corporate registries are slowly becoming more useful to answer those questions, but more in-depth screens and investigations will still be part of the toolkit — probably until long after those 4,000 toddlers are grown adults in the corporate world themselves.

By working alongside an experienced ABAC compliance provider who understands the risks facing your business, you can empower your key decision makers to act strategically and confidently. Steele’s full-service solutions can be adapted to any stage of your businesses compliance program; to help you meet the challenges of the changing global landscape.