Picture this. A compliance officer at a fintech gets an audit request. She pulls up the onboarding file for a UK company they approved six months ago. Company name, status, directors, shareholders — all there. Clean data. Proper KYB.
Then the auditor asks: "Where did the shareholder data come from? Show me the document."
She checks the provider documentation. "Data sourced from Companies House." Sure — but which document? The legal name came from the Companies House API, that's straightforward. But shareholders? Companies House doesn't serve that as a structured API field. That data lives in filed documents — confirmation statements, annual returns, share allotments. Each one is a separate filing with its own reference number and date.
She can't point to the document. Her provider never gave her a link to it.
That moment — the gap between having data and being able to trace it back to the original source document — is what we call the proof gap. And it's an industry-wide blind spot.
The real test isn't "do you have the data"
Let's be honest about what's happening in most KYB stacks today. You're paying a data provider. They give you company profiles. You plug them into your onboarding flow. Everything looks clean.
Until a regulator asks for evidence. A risk event triggers a review. An auditor wants to verify a specific data point. And suddenly the question isn't "do you have the data?" — it's "can you show me where it came from?"
Not a vague answer. The actual source document. The filing. The register entry.
Most compliance teams can't produce this on demand. Not because they're careless — because their data provider never gave them the trail back to the source.
"Sourced from Companies House" is a black box
Here's what a typical KYB data provider tells you: "This company profile was sourced from Companies House." Company-level attribution. Sounds reasonable.
But think about what that hides.
A UK company's legal name and directors come from the Companies House API — structured data, one endpoint. Shareholders are a completely different story. Companies House doesn't expose shareholder data as a simple API field. To get shareholders, you need to go into the filed documents: confirmation statements (CS01), annual returns, share allotment forms. Each is a separate filing with its own reference number.
When your provider says "Companies House," they're flattening two fundamentally different data sources into one label. The legal name was an API call. The shareholder list came from document CS01, filed on 2025-03-15, reference 0847291. These are not the same thing — but your provider treats them as if they were.
And it gets worse across borders. A German company's legal name comes from the Handelsregister, but shareholders come from the Gesellschafterliste — a completely separate document filed at a different time, in a different format. In France, the legal name comes from INPI's RNE API, while employee count comes from INSEE's SIRENE database — different agencies entirely.
Same company profile. Multiple registers. Multiple documents. Your compliance stack should reflect that reality — not hide it behind a single label.
When the auditor asks, you need the document
Regulators don't ask "what provider do you use?" They ask: "show me the evidence." Show me the document that proves this shareholder list is current. Show me the filing that confirms the UBO structure.
With the EU Anti-Money Laundering Regulation (AMLR) applying from July 2027, this is becoming explicit. The regulation requires "reliable and independent sources," cross-checking against registers, and maintaining audit-ready documentation showing which sources were used. Supervisory expectations will increasingly depend on the traceability of the data you hold.
If your data provider gives you a company profile but can't link each piece of it back to an original document or register entry — you're holding data with no evidence trail. And "trust us" is not a compliance strategy.
What document-level traceability looks like
At Topograph, every data point in an API response carries a link back to its source. Not "this came from Topograph" — but specifically:
- Which official register provided this data
- Which document or endpoint it came from
- A direct link to the source document when applicable
Take our UK example. When you request a company profile through Topograph:
- Legal name → Companies House API, direct structured field
- Directors → Companies House API, direct structured field
- Shareholders → Companies House, confirmation statement CS01 (filed 2025-03-15, ref 0847291) — with a link to the original filing
The legal name is an API call. The shareholders came from a specific filed document, and we tell you exactly which one. You can click through to the original filing. You can show it to the auditor.
The same principle applies everywhere. In Germany, shareholder data traces back to a specific Gesellschafterliste document. In France, the legal name traces to INPI (RNE) while employee count traces to INSEE (SIRENE). Each field, each source, each document — linked.
The audit scenario, solved
Back to our compliance officer. With Topograph, when the auditor asks "where did the shareholder data come from? Show me the document" — she doesn't guess.
She opens the company profile. She sees the source next to "Shareholders": UK — Companies House, confirmation statement CS01, filed 2025-03-15, reference 0847291. She clicks through to the original document. She shows the auditor.
For a German company? "Shareholders: DE — Handelsregister, Gesellschafterliste." Linked to the exact filing.
No phone call to the provider. No digging through documentation. No "trust us." The document is right there.
This is the difference between "we checked" and "here's the proof."
Why this matters now
Compliance is scaling. More companies, more countries, more automated onboarding decisions. But scale without evidence is just a faster black box.
The AMLR in 2027 will make source traceability an explicit requirement. But you don't need to wait for the regulation to ask the right question.
Ask your data provider:
"For any data point in your API response — can you link me back to the original source document?"
If the answer isn't an immediate yes, you're building on a black box.
Topograph provides direct, real-time access to data and documents from official company registers in 35+ countries. Every data point is fully traceable to its original source document.