Methodology | 2026-03-01

Public sources only: why the source limit makes the programme defensible

Limiting periodic verification to publicly available sources is not merely an ethical choice. It is the legally correct methodology under nFADP Art. 6 — and the foundation of an auditable, defensible programme.

The public / private line

There is a fundamental difference between:

  • reviewing what a covered employee has posted publicly on LinkedIn, and
  • accessing their private messages or account activity.
The first is an assessment of publicly available information — no different from reading a published article or consulting a commercial registry. The second is intrusive data collection that creates its own regulatory exposure.

Premtrace operates strictly in the public sphere. We access platforms and sources that any member of the public can reach without authentication or special access. If information requires a login, a password or any form of access restriction, we do not retrieve it.

Why the source limit is legally load-bearing

nFADP Art. 6 — data minimisation

Processing must be proportionate to the purpose. For fit-and-proper verification, the purpose is to assess whether a covered employee's publicly visible conduct remains consistent with the firm's standards and regulatory obligations. Reaching into private communications would exceed that scope and breach the minimisation principle.

Overriding-interest balance

The nFADP Art. 31 overriding-interest basis for periodic verification holds precisely because the intrusion on the individual is bounded: only what the person has themselves made public is reviewed. Extending to private data would tip the balance against the individual's interests and could invalidate the legal basis.

Auditability

A programme that accesses only public sources can be fully described and justified. At examination, you can state exactly what was searched, where and why. A programme that reaches into private data raises questions about the legal authority for that access that are difficult to answer cleanly.

What we do not do

To be unambiguous, Premtrace never:

  • accesses private social-media accounts or direct messages
  • uses credentials, proxies or fake profiles to reach restricted content
  • acquires data from data brokers or purchased databases
  • monitors employee devices, networks or internal communications
  • retrieves content behind login walls or access controls

What public sources catch

Public-source verification identifies the risks that matter most for fit-and-proper purposes:

  • public statements creating reputational or conduct risk for the firm
  • undeclared directorships or interests visible in commercial registries
  • sanctions-list entries — SECO, OFAC SDN, EU consolidated
  • adverse media in the Swiss and international press
  • PEP status and proximity links

Those are the findings your Compliance Officer needs. They are all discoverable from public sources. No intrusive access is necessary or appropriate.

The right standard

A periodic programme built on public sources alone is proportionate, legally grounded and explainable. That combination — not the breadth of sources reached — is what makes it defensible at examination.
