KYC & compliance
Run due diligence on a client — screening, risk rating, enhanced due diligence and periodic review — and let the hard gate stop any document going out before KYC is done.
Honesty note: the compliance logic — risk scoring, the CDD gate, the dossier, EDD and the review radar — is fully built and working. But the external screening (sanctions / PEP / adverse media) ships as demo data until a provider is connected, and results are labelled "Demo data" in the app. Do not rely on it as a real watchlist search until then.
Where compliance lives
Open a task tied to a company and choose the Compliance tab in the right panel. If there is no KYC profile yet you will see Start KYC; once started, the tab shows the company’s KYC status, risk rating and score, and every compliance action in one place.
Customer due diligence (CDD)
CDD is the core check: identify and verify the client and the people behind it. CorpSec AI structures this for you — subject identity, beneficial owners (with a look-through to anyone holding 25% or more), the documents collected, and a full decision trail of who decided what and when.
Identity numbers (NRIC / passport) are always masked in the compliance view and anywhere the AI is involved — for example S****567A.
ScreeningDemo data
Screening checks a subject against sanctions, politically-exposed-person (PEP) and adverse-media sources. Click Run screening and CorpSec AI records the result, shows any hits with match scores, and lets you dispose of each one (False positive or Confirm match). An AI triage can also flag likely false positives to speed you up.
Out of the box this runs on demo data. Without a connected screening provider, screening is a keyword check that returns clearly-labelled sample hits — you will see a "Demo data" badge on the result. It becomes a real watchlist search only once a screening provider is configured for your firm.
The system is fail-safe about this: in production it will not treat a demo or unavailable screening result as a genuine clearance. So a document cannot pass the gate on the strength of demo screening alone once real compliance mode is on.
Risk rating
CorpSec AI scores each client Low / Medium / High from a set of explainable factors, and shows the score and the factors that drove it. The rating also sets how often the client must be reviewed — higher risk means a shorter review cycle.
Enhanced due diligence (EDD)
When a client is higher-risk or a trigger applies, the EDD section lists the extra checks required — such as establishing source of wealth and getting senior sign-off. EDD approval is subject to four-eyes: the person approving cannot be the person who prepared it.
Beneficial ownership (UBO tree)
CorpSec AI traces control through corporate layers and shows a beneficial-ownership tree — who ultimately owns or controls the company, following shareholdings up through parent entities. It highlights anyone reaching the 25% registrable-controller threshold used in Singapore, so you can see the real people behind the structure rather than just the immediate shareholders.
The UBO look-through feeds both the CDD dossier and the inspection pack — the same tree a regulator would expect to see when they ask "who is really behind this client?".
Nominee directors — fit & proper
For companies using a nominee director, the Nominee section records a fit-and-proper assessment and surfaces likely nominees the system detects heuristically, so you can confirm or dismiss each one. This helps you meet the CSP Act’s expectations around nominee arrangements — that the CSP knows who really directs the company and has assessed the nominee’s suitability.
The compliance hard gateLive
This is the safety net that makes the whole thing trustworthy: you cannot generate a document for a client whose CDD is not passed. If you try, CorpSec AI blocks it and tells you why — no KYC profile, a rejected client, an undispositioned sanctions hit, EDD still required, an expired review, and so on. The block is recorded in the audit log.
Today the gate is wired to document generation (single and bulk). Clearing KYC first is therefore the prerequisite for producing any filing or resolution for a client.
Periodic review
Every client has a next-review date based on its risk rating. CorpSec AI keeps a review radar and, when the scan runs, creates a review task and a reminder for any client that is due or overdue. The Compliance tab shows a per-company countdown — "Review due today", "Review overdue by N days", or "Next review in N days".
See the end-to-end walkthrough in Run a periodic KYC review.
Outputs: CDD dossier and STR
From the Compliance tab you can Export CDD Dossier — a complete, reconstructable due-diligence record (identity, risk, screening snapshots, documents, review schedule and decision trail) downloaded as a document. You can also Draft STR (a Suspicious Transaction Report) for high-risk clients or confirmed hits.
STR handling is deliberately gated. Because filing — or deciding not to file — a suspicious-transaction report is a serious, tipping-off-sensitive act, only high-sensitivity roles may draft, file or record an STR decision: the RQI, the named secretary, and firm admins. Anyone else is refused with a clear message.
This is the "tipping-off wall": junior preparers cannot open or act on an STR. If you need one drafted and cannot, it is because your role is outside the STR-sensitive set — ask your RQI or named secretary.
Frequently asked questions
Is the sanctions/PEP screening real?
Not by default. Out of the box it runs on demo data (a keyword check with sample hits, clearly badged "Demo data"). It becomes a live watchlist search only once a screening provider is connected for your firm.
Can I generate a document before finishing KYC?
No — and that is deliberate. The hard gate blocks document generation until the client’s CDD is passed, and records the block in the audit log. Complete KYC first.
Where does the company data come from?
From what you import or enter. Live registry (ACRA) lookup is not connected out of the box, so bulk "ACRA sync" resolves demo companies in Preview mode until a registry provider is configured.
What is the 25% look-through?
CorpSec AI traces beneficial ownership to identify anyone who ultimately owns or controls 25% or more — the registrable-controller threshold used in Singapore, shown as the UBO tree.
Who can draft or file an STR?
Only high-sensitivity roles — the RQI, the named secretary, and firm admins. This "tipping-off wall" is enforced on the server, so a junior preparer cannot draft, file, or record an STR decision.
This is a product guide for CorpSec AI. Where a feature runs on demo data or is not yet released, it is labelled as such. Compliance references are general information for Singapore corporate service providers, not legal advice.