Toxic Combinations: What Banks Know That Businesses Don't
Banks spend millions building systems to ensure the person who can move money can't also approve it. Here's why the same logic — applied to the people running companies you do business with — is the due diligence most businesses have never thought to run.
There is a concept in banking so foundational it sits behind nearly every major financial controls framework in the world. It does not have a glamorous name. It is called segregation of duties — and in its most critical form, the banks refer to the violations it's designed to prevent as toxic combinations.
The idea is simple: certain combinations of access, authority, and capability should never exist in the same person at the same time. The person who can initiate a wire transfer should not also be the person who approves it. The analyst who can create a new vendor in the payments system should not also be the person who can authorise payment to that vendor. If both capabilities land in one set of hands, you don't have a risk — you have an open invitation.
Identity and Access Management teams at banks — the people who govern who can do what inside complex financial systems — spend considerable resources mapping these forbidden combinations. Their tools flag them automatically. When a user is granted a new access role, the IAM system checks it against a matrix of toxic combinations before it goes live. If the new role, combined with existing roles, creates a dangerous pairing, the request is blocked. A human reviews it. A business case is required. An audit trail is created.
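As an added illustration of the check just described (example code written for this page, not the code of SailPoint, Saviynt, CyberArk or any bank's IAM platform), the following Python evaluates a role request against a small toxic-combination matrix. The matrix, the role-to-entitlement bundles, the entitlement names and the function names (`TOXIC_PAIRS`, `ROLE_ENTITLEMENTS`, `evaluate_grant`) are all assumptions constructed for the example. It blocks a grant that would introduce a forbidden pairing, and separately records any pairing the user already held, so the reviewer sees both.

```python
"""Role-grant check against a toxic-combination matrix.

Added example written for this page; not the code of any IAM product or bank.
The entitlement names, role bundles and forbidden pairs are constructed.
"""
from dataclasses import dataclass, field

# Pairs of entitlements that must never be held by one person, with the
# reason a reviewer sees when the request is held.
TOXIC_PAIRS = {
    frozenset({"WIRE_INITIATE", "WIRE_APPROVE"}): "initiate and approve the same wire transfer",
    frozenset({"VENDOR_CREATE", "PAYMENT_AUTHORISE"}): "create a vendor and authorise payment to it",
    frozenset({"GL_POST", "GL_RECONCILE"}): "post to the ledger and reconcile it",
}

# Roles bundle entitlements; the check runs on the union of all a user's roles,
# so a pairing split across two harmless-looking roles is still caught.
ROLE_ENTITLEMENTS = {
    "AP_CLERK": {"VENDOR_CREATE", "INVOICE_ENTRY"},
    "AP_APPROVER": {"PAYMENT_AUTHORISE"},
    "TREASURY_OPS": {"WIRE_INITIATE"},
    "TREASURY_MANAGER": {"WIRE_APPROVE", "GL_POST"},
    "READ_ONLY": {"REPORT_VIEW"},
}


@dataclass
class Decision:
    allowed: bool
    new_conflicts: list          # pairings this grant would create
    existing_conflicts: list     # pairings the user already holds
    audit: dict = field(default_factory=dict)


def entitlements_for(roles):
    """Union of the entitlements carried by a list of roles."""
    ents = set()
    for role in roles:
        ents |= ROLE_ENTITLEMENTS[role]
    return ents


def conflicts_in(entitlements):
    """Every toxic pair fully contained in the entitlement set."""
    found = []
    for pair, reason in TOXIC_PAIRS.items():
        if pair <= entitlements:
            a, b = sorted(pair)
            found.append((a, b, reason))
    return found


def evaluate_grant(user, existing_roles, requested_role):
    """Decide a role request before it goes live and build the audit record."""
    before = conflicts_in(entitlements_for(existing_roles))
    after = conflicts_in(entitlements_for([*existing_roles, requested_role]))
    new = [c for c in after if c not in before]
    allowed = not new  # a grant that adds no new pairing is applied
    audit = {
        "user": user,
        "requested_role": requested_role,
        "existing_roles": sorted(existing_roles),
        "outcome": "APPLIED" if allowed else "BLOCKED_PENDING_REVIEW",
        "new_conflicts": new,
        "pre_existing_conflicts": before,  # surfaced even when the grant passes
    }
    return Decision(allowed, new, before, audit)


if __name__ == "__main__":
    for user, roles, req in [("alice", ["TREASURY_OPS"], "TREASURY_MANAGER"),
                             ("bob", ["AP_CLERK"], "READ_ONLY")]:
        d = evaluate_grant(user, roles, req)
        print(d.audit["outcome"], user, req, d.new_conflicts)
```

The design point is that the decision is made on the user's complete entitlement set, not on the requested role alone: `TREASURY_OPS` and `TREASURY_MANAGER` are each unremarkable, and only their combination trips the matrix. Pre-existing violations do not block an unrelated grant, but they are written into the audit record so they cannot be silently carried forward.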
This is not optional. It is mandated by APRA's CPS 234, by SOX controls for listed entities, by ISO 27001 frameworks, and by the practical lesson history keeps teaching: the biggest internal frauds almost always come down to one person having two capabilities they should never have held simultaneously.
"The fraudster is rarely the person with extraordinary access. They are the ordinary person with two ordinary accesses that, combined, become extraordinary."
The Problem Banks Solved Internally — That Nobody Solved Externally
Here is the interesting question: banks solved this for their own internal systems. Identity governance platforms like SailPoint, Saviynt, and CyberArk run sophisticated toxic combination matrices across thousands of enterprise roles every day inside major financial institutions.
But when that same bank's procurement team is onboarding a new supplier? When their accounts payable team is adding a vendor to the payments system? When their corporate banking team is extending a credit facility to a business customer? The toxic combination logic largely disappears. They are looking at the business from the outside now, and the tools don't carry over.
What does a toxic combination look like in a business entity, rather than an IAM role matrix? It looks like this:
A director who holds appointment across both a supplier entity and a related entity that owes money to that supplier's counterparty. An executive who sits on the board of a company while also being a beneficiary of a related trust that has a financial interest in that company's contracts. A business owner whose current trading entity is registered and active, while a previous entity under their directorship was deregistered under external administration — and the new entity has a suspiciously similar name and ANZSIC code.
None of these are captured by a standard credit check. None of them appear on a single register. You only find them when you cross-reference the right datasets against each other — and flag the combinations that shouldn't exist.
How Gumshoe Reads the Room
Gumshoe applies the same combinatorial logic that IAM teams use inside banks — but across the public record of business entity data that governs commercial relationships. Our detection engine doesn't look at individual data points in isolation. It looks at combinations. A single data point is a clue. The combination is the case.
When a business is submitted for verification, Gumshoe resolves it across three authoritative Australian registers simultaneously: the ABR, ASIC, and the PPSR. It then runs the merged entity record through a suite of toxic combination detectors. Here is what we are actually looking for.
The Phoenix Pattern: Active + Director Link to Deregistered Entity
An active entity shares one or more directors with a company that was deregistered — particularly one that was placed under external administration, wound up, or cancelled with outstanding liabilities — within the last 36 months. On its own, a deregistered company is a historical fact. On its own, a current directorship is unremarkable. Together, with a close time proximity and matching industry codes, they form a pattern the Australian Securities and Investments Commission has prosecuted repeatedly under phoenix trading provisions. Gumshoe flags it. The severity is high.
The Split Identity: ABR Active, ASIC Deregistered
The ABN is not cancelled. The entity is still registered with the ATO, still has GST registration, still has a trading presence. But a cross-check against ASIC reveals the underlying company structure was deregistered months ago. This entity is, in a structural sense, trading on a dissolved shell. Contracts with this entity may be unenforceable. Debt recovery if something goes wrong is complicated. The combination of "active ABR" and "deregistered ASIC" is not an administrative oversight you can overlook — it is a flag that requires explanation before you proceed.
The Encumbered Asset: Active Entity with General Security Agreement
The PPSR reveals an active general security agreement registered against the entity's entire property — meaning a creditor holds a charge over everything the business owns. On its own, a GSA is routine for any business that has borrowed against its assets. As a combination — GSA active, multiple secured parties, combined with a recent change in directorship or a company status flag from ASIC — it means the assets you might be relying on for recourse or continuity in a commercial relationship are largely spoken for by someone else.
The Nominee Web: Director with High Entity Count Across Jurisdictions
A director who holds appointment across ten or more entities simultaneously, spanning multiple states and industries, is not necessarily running ten businesses. They may be a nominee director: a person whose name appears on company structures as a formality while actual control sits elsewhere. Nominee directors are legal. They are also a standard mechanism in structures designed to obscure beneficial ownership. When a director's cross-entity count is combined with entities in external administration, or with PPSR registrations against multiple related entities, the picture becomes harder to dismiss.
The Toxic Combination Matrix: Gumshoe's Detection Flags
Below is a representative set of the combinatorial flags Gumshoe surfaces in entity verification reports. Each flag represents not a single data point but a detected relationship between data points that, in combination, create elevated risk:
| Flag Code | Combination Detected | Severity | What It Means |
|---|---|---|---|
| PHOENIX_PATTERN | Active entity + director link to deregistered/wound-up entity (≤36 months) | HIGH | Classic phoenix trading signature; prior entity may have left creditors unpaid |
| STATUS_CONFLICT | ABR active ABN + ASIC deregistered company | HIGH | Entity trading on a dissolved company structure; contractual enforceability risk |
| ACTIVE_ADMIN | ASIC status: external administration / liquidation | HIGH | Entity is under administration; any transaction requires legal review |
| GSA_MULTI_SECURED | Active PPSR general charge + 3 or more distinct secured parties | HIGH | Assets heavily encumbered; limited recourse available in default scenario |
| RECENT_DEREGISTRATION_LINK | Related entity (shared director, similar name) deregistered ≤24 months | MED | Not confirmed phoenix; warrants direct inquiry before proceeding |
| DIRECTOR_HIGH_COUNT | Director holds ≥5 simultaneous directorships across distinct entities | MED | Possible nominee director arrangement; beneficial ownership may be obscured |
| PPSR_NO_EXPIRY | Active PPSR registration with no expiry date set | MED | Potentially perpetual security interest; unusual for standard commercial lending |
| ABN_RECYCLE | ABN cancelled + re-registered within 12 months, same or related director | MED | Possible restructuring to shed historical liability; pattern warrants investigation |
| ADDRESS_MISMATCH | ASIC registered address materially differs from ABR principal place of business | LOW | May be administrative; may indicate incomplete updates or deliberate separation |
| PPSR_RECENT_EXPIRED | PPSR registration expired within 24 months | LOW | Contextually relevant for credit assessment; indicates prior secured debt position |
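The detectors below are an added worked example of the matrix and of the four patterns described above, written for this page in Python; they are not Gumshoe's engine and do not use its data model. The merged record layout (`abr_status`, `asic_status`, `directors`, `ppsr`), the collateral class label `ALL_PAP`, the sample entity and the fixed `AS_OF` date are constructed assumptions. One further assumption: the boundary between PHOENIX_PATTERN and RECENT_DEREGISTRATION_LINK is taken as "linked entity wound up or placed under external administration within 36 months" versus "linked entity deregistered within 24 months without that history", since the page does not fix it precisely.

```python
"""Toxic-combination detectors over a merged ABR/ASIC/PPSR entity record.

Added example for this page, not Gumshoe's engine. The record layout, the
flag thresholds and the sample entity are constructed assumptions.
"""
from datetime import date

HIGH, MED = "HIGH", "MED"


def months_between(earlier, later):
    """Whole calendar months from `earlier` to `later` (day-of-month ignored)."""
    return (later.year - earlier.year) * 12 + (later.month - earlier.month)


def flag(code, severity, evidence):
    """One detected combination, kept with the facts that produced it."""
    return {"code": code, "severity": severity, "evidence": evidence}


def detect(entity, as_of):
    """Run the combination detectors and return every flag raised."""
    flags = []
    abr, asic = entity["abr_status"], entity["asic_status"]

    # STATUS_CONFLICT: the ABN is live but the company behind it is gone.
    if abr == "ACTIVE" and asic == "DEREGISTERED":
        flags.append(flag("STATUS_CONFLICT", HIGH,
                          "ABR ACTIVE while ASIC company is DEREGISTERED"))
    # ACTIVE_ADMIN: one ASIC status that is decisive on its own.
    if asic in ("EXTERNAL_ADMINISTRATION", "LIQUIDATION"):
        flags.append(flag("ACTIVE_ADMIN", HIGH, f"ASIC status {asic}"))

    for d in entity["directors"]:
        for linked in d["other_entities"]:
            if linked["status"] != "DEREGISTERED":
                continue
            age = months_between(linked["deregistered_on"], as_of)
            # PHOENIX_PATTERN: active entity + same director on an entity
            # wound up / in external administration within 36 months.
            if abr == "ACTIVE" and linked["wound_up"] and age <= 36:
                flags.append(flag("PHOENIX_PATTERN", HIGH,
                                  f"{d['name']} also directed {linked['name']}, "
                                  f"wound up {age} months ago"))
            # RECENT_DEREGISTRATION_LINK: deregistered within 24 months with no
            # administration history; a question to ask, not a hard stop.
            elif age <= 24:
                flags.append(flag("RECENT_DEREGISTRATION_LINK", MED,
                                  f"{d['name']} also directed {linked['name']}, "
                                  f"deregistered {age} months ago"))
        # DIRECTOR_HIGH_COUNT: possible nominee arrangement.
        if d["directorship_count"] >= 5:
            flags.append(flag("DIRECTOR_HIGH_COUNT", MED,
                              f"{d['name']} holds {d['directorship_count']} directorships"))

    active = [r for r in entity["ppsr"] if r["status"] == "ACTIVE"]
    # GSA_MULTI_SECURED: an all-assets charge held by 3+ distinct parties.
    gsa_parties = {r["secured_party"] for r in active if r["collateral_class"] == "ALL_PAP"}
    if len(gsa_parties) >= 3:
        flags.append(flag("GSA_MULTI_SECURED", HIGH,
                          f"general charge held by {sorted(gsa_parties)}"))
    # PPSR_NO_EXPIRY: a live registration with no end date.
    open_ended = [r["secured_party"] for r in active if r["expiry"] is None]
    if open_ended:
        flags.append(flag("PPSR_NO_EXPIRY", MED, f"no expiry set by {sorted(open_ended)}"))
    return flags


def highest_severity(flags):
    """Overall severity for a report, or None if nothing was raised."""
    order = {HIGH: 2, MED: 1}
    return max((f["severity"] for f in flags), key=order.get, default=None)


AS_OF = date(2024, 6, 30)  # fixed reference date so the example is deterministic

# Constructed sample record; every value below is made up for the example.
SAMPLE_ENTITY = {
    "name": "Example Joinery Pty Ltd",
    "abr_status": "ACTIVE",
    "asic_status": "REGISTERED",
    "directors": [{
        "name": "D. Example",
        "directorship_count": 6,
        "other_entities": [{
            "name": "Example Joinery Holdings Pty Ltd",
            "status": "DEREGISTERED",
            "wound_up": True,
            "deregistered_on": date(2023, 4, 30),
        }],
    }],
    "ppsr": [
        {"secured_party": "Lender One", "collateral_class": "ALL_PAP", "status": "ACTIVE", "expiry": date(2029, 1, 1)},
        {"secured_party": "Lender Two", "collateral_class": "ALL_PAP", "status": "ACTIVE", "expiry": None},
        {"secured_party": "Lender Three", "collateral_class": "ALL_PAP", "status": "ACTIVE", "expiry": date(2027, 6, 1)},
    ],
}

if __name__ == "__main__":
    for f in detect(SAMPLE_ENTITY, AS_OF):
        print(f["severity"], f["code"], "-", f["evidence"])
```

Each flag carries an evidence string rather than a bare code because a combination flag is only actionable if the reviewer can see which facts were combined. On the constructed sample the entity's own ASIC status is clean, yet the record raises PHOENIX_PATTERN, GSA_MULTI_SECURED, DIRECTOR_HIGH_COUNT and PPSR_NO_EXPIRY, which is the page's point: no single register line is alarming, the combination is.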
Why This Matters More Than a Credit Check
A credit check tells you about financial behaviour that has already been recorded — defaults, judgements, court orders. It is a look at the past, as captured by the formal credit reporting system. Useful, but retrospective.
Toxic combination detection looks at structural relationships in the present: the combination of who controls this entity, what obligations are registered against it, what happened to other entities these people have run, and whether the pattern of those facts, taken together, looks like something you should be worried about before the credit system has a chance to record it.
This is the difference between finding out a supplier couldn't pay their creditors after they couldn't pay you — and finding out, before you sign, that three of the four people who control this business have done this before.
The banks learned this lesson building their IAM frameworks: it is not enough to check the individual. You have to check the combination. A person with read access is fine. A person with read access and write access and approval authority is a control failure waiting to happen.
Gumshoe applies that same logic to the commercial world. A director is a fact. A deregistered company is a fact. A PPSR general charge is a fact. The combination — the right director, the right history, the right encumbrance, at the right time — is a flag. And a flag, caught early, is worth considerably more than a claim lodged late.
"A clue is just a clue. A pattern is a case. Gumshoe reads patterns."
Know Before You Sign
Gumshoe cross-references ABR, ASIC, and PPSR data against a full toxic combination matrix for any Australian business entity. Search by ABN, ACN, or company name. Get a report in seconds, not days.