02 Operator vs Dashboard · Verification Depth

Database match, or actually verified?

A database returning "match found" is not the same as a credential being verified. This deep dive walks through the four levels of verification depth, why database-only checks fail in most hiring corridors, and what multi-source institutional verification looks like when an operator builds the evidence chain from scratch.

Reading time: 14 minutes Series: Operator vs Dashboard, part 2 of 9 Last updated: April 2026
Key facts
The nine-part comparison
01 · Speed 02 · Verification depth 03 · Audit defensibility 04 · Case closure 05 · Risk visibility 06 · Client relationship 07 · Scalability 08 · Technology 09 · Data handling
Key takeaways
! Database-only verification produces a match, not evidence. A match is not defensible under audit.
4 There are four distinct levels of verification depth. Most dashboard vendors operate at Level 1 or 2.
Multi-source institutional verification (Level 3 and 4) produces evidence that survives regulator scrutiny.
? Five specific questions reveal whether your vendor's "verified" status is backed by a database ping or by institutional contact.
“Verified means the institution confirmed it. Everything else is a lookup.” The difference, card 02, OutsourceVerify home page

The home page comparison card on verification depth is deliberately brief. This page is the long version. The core argument: the word "verified" on a BGV report should mean that a human at the issuing institution (university registrar, HR department, licensing board) confirmed the credential. When all it means is that a database returned a record that matched the candidate's input, you have a lookup, not a verification. The distinction matters the moment anyone asks you to prove it.

What verification depth means

Verification depth describes how far down the evidence chain a vendor goes to confirm a candidate's credential. Think of it as a spectrum. At the shallow end, a system queries a database and checks whether the candidate's name and degree title appear. At the deep end, an analyst contacts the issuing institution directly, cross-references the response against a second independent source, and documents the evidence trail with timestamps, contact names, and method of confirmation.

The spectrum matters because each step deeper produces stronger evidence. A database match can be gamed (falsified records do appear in databases), can be incomplete (many databases cover only a fraction of institutions), and can be stale (records may not reflect revocations or corrections). Direct institutional contact is harder to forge, harder to circumvent, and produces a documented evidence chain that names a specific person at the institution who confirmed the credential.

Three categories define the spectrum:

Why the distinction is not academic In regulated industries (financial services, healthcare, insurance), auditors and regulators ask for the source of verification, not just the result. "Database match" is a weaker answer than "registrar confirmation via phone on 12 March, ref. #4471, confirmed by Ms. Sharma." The depth of the method determines the weight of the evidence.

Four levels of verification depth

We use a four-level framework to describe how deep a verification programme goes. Most dashboard vendors operate at Level 1 or Level 2. Operator-led programmes operate at Level 3 as the default, escalating to Level 4 when the corridor or risk profile demands it. Click each card to see the detail.

Level 01

Database match only

The system queries a single database (e.g., India's National Academic Depository, a commercial employment database, or a court records aggregator) and checks whether the candidate's claimed credential appears. If a record matches on name, institution, and year, the check is marked "verified". No human reviews the result. No institution is contacted. The entire process is automated and typically completes in seconds.
Limitations Database coverage is often partial. India's NAD, for example, covers roughly 40% of universities as of early 2026. A "no record found" result may simply mean the institution hasn't uploaded data, not that the credential is false. Conversely, a positive match does not confirm the credential is current, unrevoked, or accurately represented by the candidate.
Level 02

Database + automated API confirmation

The system queries multiple databases or APIs in sequence. For employment, this might mean checking a UAN (Universal Account Number) portal for PF contribution history, then cross-referencing against a commercial HR database. For education, it might query NAD and then a second aggregator. The results are reconciled automatically. If both sources return consistent data, the check is marked "verified". Still no institutional contact, but the multi-source consistency provides slightly stronger evidence than a single match.
Limitations Two databases drawing from the same upstream source do not constitute independent confirmation. If both rely on employer-submitted or university-submitted data, they share the same potential errors. API-level verification also cannot detect forged documents that were used to create the database record in the first place.
Level 03

Direct institutional contact

An analyst contacts the issuing institution directly. For education, this means reaching the university registrar's office by phone, email, or official verification portal. For employment, it means calling or emailing the HR department (not the candidate's manager, not a colleague, but HR) to confirm designation, tenure, and reason for separation. The response is documented with the contact's name, designation, timestamp, and method. This is the minimum depth that produces audit-defensible evidence.
Why this level matters Institutional contact produces a named, dated, method-specific record. It can detect credentials that appear in databases but have been revoked, amended, or misrepresented. It also catches cases where the candidate's claimed details (dates, designation, degree title) differ from the institution's records in ways a database match would miss.
Level 04

Multi-source triangulation with field verification

The analyst combines institutional contact with at least one independent secondary source and, where warranted, a physical field visit. For employment: HR confirmation is cross-referenced against UAN/PF records, payslip review, and (if the employer is unresponsive) a field visit to the registered office. For education: registrar confirmation is cross-referenced against the university's online convocation list or degree verification portal, and a field agent visits the campus if the institution is non-responsive or if discrepancy flags appear. Every source and method is documented independently.
When Level 4 is warranted High-risk roles (financial controllers, data custodians, regulated positions), candidates from corridors with high credential fraud rates, institutions that are non-responsive to standard channels, and any case where initial checks produce conflicting data. Level 4 is not the default for every candidate, but the capability to escalate must exist in the programme design.

Why database-only verification fails

The chart below shows the relative evidence quality produced by each verification method. Evidence quality here means: if this report is sampled by a regulator, an internal auditor, or a client's TPRM team, how well does the evidence support the "verified" status on the report?

Evidence quality by method
Defensibility of verification output by method used
Scale: 0% (no defensible evidence) to 100% (fully documented, multi-source, audit-ready).
Database match (single source)35%
35%
API confirmation (multi-database)55%
55%
Institutional contact (email)72%
72%
Institutional contact (phone)85%
85%
Multi-source + field verification95%
95%
Evidence quality scores reflect the proportion of regulatory and TPRM audit criteria satisfied by each method type, based on OutsourceVerify internal audit data across India, Philippines, and Poland corridors, 2023 to 2026.

The gap between 35% and 95% is not marginal. A database match satisfies roughly one third of the criteria a regulator or auditor would look for. It confirms that a record exists. It does not confirm who entered that record, whether it is current, whether it accurately reflects what the candidate claimed, or whether the institution stands behind it. Multi-source institutional verification satisfies nearly all audit criteria because it produces named sources, dated confirmations, method documentation, and cross-referenced evidence.

The false confidence problem Database-only verification is dangerous precisely because it looks clean on the report. The status says "verified". The client sees green. The audit trail, however, contains nothing more than a system log showing a database query and a match result. When the audit arrives, that "verified" status carries the weight of a search engine result, not an institutional confirmation.

The source hierarchy in practice

The diagram below compares how a dashboard vendor handles an employment verification versus how an operator handles the same check. Same candidate, same employer, same claim. Watch the steps animate as you scroll.

Dashboard vendor
01System queries UAN portal for PF contribution history.
02Match found: employer name appears in PF records.
03Dates of contribution align with claimed tenure (within 1 month).
04Check marked "verified" based on database match. No HR contact attempted.
05Report shows "Verified via government database". Designation and reason for separation: not confirmed.
vs
Operator model
01Analyst queries UAN portal for PF history as a starting reference.
02Analyst calls employer HR directly. Confirms tenure, designation, and separation type.
03Cross-references HR response against UAN dates. Notes a 2 month discrepancy in start date.
04Follows up with HR to clarify. Discovers candidate was on probation for 2 months before PF enrolment.
05Candidate's payslip reviewed for probation period. Full evidence chain documented: HR contact, UAN data, payslip, discrepancy resolution.

The dashboard vendor's report says "verified." The operator's report also says "verified." But the evidence behind each is fundamentally different. The operator's report can explain a discrepancy, name the HR contact who confirmed the tenure, and show the document that resolved the gap. The dashboard vendor's report contains a database query result and nothing else. Under audit, one holds. The other does not.

Country-specific depth requirements

Verification depth is not one-size-fits-all. Each corridor has its own institutional landscape: different database coverage levels, different response norms, and different fraud patterns. The examples below illustrate why a single global "database-first" approach produces unreliable results in the corridors where most offshore hiring happens.

South Asia: India, Pakistan, Bangladesh

Education: India's NAD covers approximately 40% of universities as of early 2026. For the remaining 60%, including many state universities, affiliated colleges, and deemed universities, there is no centralised database. A database-only education check on a candidate from an uncovered institution returns "no record found," which is indistinguishable from a false credential without direct registrar contact.

Employment: UAN/PF records confirm contribution history but do not verify designation, reporting line, or reason for separation. Small and mid-sized employers in India, Pakistan, and Bangladesh frequently lack structured HR departments, making phone and email the only viable channels for confirmation.

Criminal records: India has no unified national criminal database accessible to private verification firms. District-level court searches, often requiring physical visits or local agent networks, remain the standard. Database aggregators cover only a fraction of courts and carry significant lag in updates.

Southeast Asia: Philippines, Vietnam, Indonesia

Philippines: The Commission on Higher Education (CHED) maintains a database of recognised programmes, but individual degree verification requires direct contact with the university registrar. Diploma mills remain a documented concern, and database presence alone does not confirm institutional legitimacy. NBI (National Bureau of Investigation) clearances for criminal checks require direct application and cannot be reliably queried via API.

Vietnam: There is no centralised degree verification database. Universities maintain their own records, and verification must go through the institution's academic affairs office. Many institutions only respond to formal written requests with an official company letterhead and authorisation from the candidate.

Indonesia: The Dikti (Higher Education) database provides some coverage, but affiliated institutions under private universities are frequently missing. Employment verification in Indonesia relies heavily on direct HR contact, as no national employment database exists.

Eastern Europe: Poland, Romania, Ukraine

Poland: University degree verification typically requires direct contact with the dziekanat (dean's office). While Poland's POL-on system provides some centralised data on higher education, access for private verification firms is restricted. Employment verification depends on direct employer contact, as ZUS (social insurance) records are not accessible for private BGV purposes.

Romania: The Ministry of Education maintains degree records, but verification requests from foreign entities require notarised authorisation. Response times from Romanian universities can extend to several weeks without persistent follow-up.

Ukraine: Ongoing conflict has disrupted institutional archives in some regions. Verification of credentials from eastern Ukrainian universities may require alternative evidence chains, including cross-referencing with the EDBO (Unified State Electronic Database on Education) and direct contact with relocated administrative offices.

Latin America: Mexico, Brazil, Colombia

Mexico: The Registro Nacional de Profesionistas provides a database of registered professional degrees, but coverage is limited to federally registered titles. State university degrees and technical certifications often require direct contact with the institution. IMSS (social security) records can confirm employment tenure but not role or designation.

Brazil: Degree verification must go through the issuing institution's secretaria acadêmica. MEC (Ministry of Education) recognition confirms the programme exists but not that a specific individual graduated. Employment records through eSocial provide tenure data but require employer authorisation for access.

Colombia: The SNIES (National Higher Education Information System) covers recognised institutions, but diploma fraud involving unrecognised institutions is a documented risk. Employment verification relies on direct employer contact, as there is no centralised employment database accessible for BGV purposes.

The coverage illusion Dashboard vendors often cite "access to 200+ databases worldwide" as a depth indicator. The number of databases is irrelevant if those databases cover only a fraction of the institutions in your hiring corridors. What matters is: for each candidate, from each institution, did the vendor confirm the credential with the institution that issued it? If the answer is "we checked the database and found a match," ask what happens when the institution is not in that database.

What happens when depth is missing

38%
Credential discrepancies
Found only at Level 3+ that databases missed entirely
2.4×
Re-verification cost
When switching from a database-only vendor
60%
Indian universities
Not covered by NAD, requiring direct registrar contact

Shallow verification does not fail loudly. It fails silently. The report says "verified," the candidate is hired, and the gap in evidence sits dormant until something forces a closer look. Three scenarios illustrate what that looks like in practice.

Scenario 1: Fraudulent credentials slip through

A candidate claims an MBA from a mid-tier private university in India. The dashboard vendor queries NAD. The university is not in NAD's coverage. The vendor queries a commercial aggregator. No record found. The vendor marks the check as "unable to verify (no database coverage)" or, worse, finds a partial match on a similarly named institution and marks it "verified."

Eighteen months later, internal audit discovers the candidate never attended the institution. The degree certificate was purchased from a document forgery operation. The BGV report provided no protection because no one at the university was ever asked to confirm the credential. The database either missed it or matched it incorrectly. The exposure is now the client's: the candidate occupies a role that required the qualification, and the hiring decision relied on a verification report that looked complete but contained no institutional evidence.

Scenario 2: Regulator samples your verification reports

A financial services regulator conducts a thematic review of hiring controls across regulated entities. They request the full BGV documentation for 25 randomly selected employees. For each, they ask: what was the source of the verification? Who at the institution confirmed the credential? What method was used? Is the confirmation documented?

If your vendor operated at Level 1 or 2, the answers are: "government database," "automated system," "no institutional contact," and "system log." The regulator treats these as unverified hires. Your compliance posture now depends on how many of the 25 sampled employees fall into this category. At 40% or above, the regulator may require a remediation programme, including re-verification of all current employees at your cost.

Scenario 3: Re-verification costs after vendor switch

You switch from a database-only vendor to an operator-led programme. The new vendor reviews sample reports from the prior engagement. They find that 45% of "verified" employment checks contain no institutional contact record, and 30% of education checks were resolved by database match alone on institutions with known coverage gaps.

The new vendor recommends re-verifying all current employees whose checks were resolved below Level 3. For a workforce of 2,000, with an average of 3 checks per employee, the re-verification cost is roughly equivalent to running the original programme again at 35% to 40% of scope. The commercial impact: you paid your original vendor for verification you are now paying a second time to actually receive.

Operator-led depth in practice

The difference between a dashboard model and an operator model is not just "more databases." It is a fundamentally different approach to building evidence. The operator model treats every check as a case that requires a defensible evidence chain, not a query that requires a match.

Dashboard model

  • Default method: database query. Institutional contact only if no database match is found.
  • Verification status based on match/no-match binary.
  • No escalation chain when databases have gaps.
  • Report lists "source: national database" without specifying which database, query date, or match criteria.
  • Discrepancies between candidate claims and database records may go undetected if the match is close enough.

Operator model

  • Default method: direct institutional contact. Databases are a reference input, not the primary source.
  • Verification status based on institutional confirmation with named contact, method, and timestamp.
  • Structured escalation chain: email, then phone, then alternative contact, then field visit.
  • Report documents every source independently: database result, HR contact name, phone number used, confirmation date, and any discrepancies found.
  • Analyst judgment applied to resolve discrepancies, with documented reasoning and cross-reference evidence.

The operator model costs more per check. That is true, and it is the honest trade. What it buys is a report that contains actual evidence rather than database echoes. When your compliance team, your regulator, or your internal auditor pulls that report, the evidence is there: who confirmed it, how, when, and what they said. That is the difference between a verification and a lookup.

Structured escalation in detail At OutsourceVerify, every check follows a defined escalation protocol. Step one: database query for reference (not for closure). Step two: institutional contact via the primary channel (registrar email, HR phone). Step three: if no response within 48 hours, secondary contact channel (alternative email, direct line, dean's office). Step four: if still unresolved, field verification or local agent deployment. Each step is logged. The case closes only when evidence arrives or when documented reasonable exhaustion is reached, and "reasonable exhaustion" is defined per corridor, not per SLA clock.

Five questions to ask about verification depth

These questions reveal whether a vendor's verification programme operates at database level or institutional level. They work without needing access to sample reports.

  1. For each check type in my programme (education, employment, criminal, address), what is your primary verification method: database query, institutional contact, or both? Describe the default path, not the exception path.
  2. What percentage of your education checks are resolved by database match alone, without direct registrar contact? Break this down by corridor (India, Philippines, etc.).
  3. When a database has no coverage for a specific institution, what happens next? Walk me through the escalation chain for a non-covered university.
  4. For employment checks, do you contact the employer's HR department directly in every case? If not, under what conditions do you skip HR contact and rely on database records only?
  5. Can you show me a sample verification report that includes the full evidence chain: source name, contact method, contact person, confirmation date, and cross-reference documentation?

Frequently asked questions

What is database-only verification?

Database-only verification is when a background check vendor resolves a credential claim by querying one or more databases and marking the check as "verified" based on a match result. No one at the issuing institution (university, employer, licensing board) is contacted directly. The verification output is a system log showing that a database returned a record consistent with the candidate's claim. This method is fast and inexpensive, but it produces weak evidence that may not survive audit scrutiny, particularly in corridors where database coverage is incomplete.

How do I know if my vendor uses direct institutional contact?

Ask for a sample report and look for specific evidence of institutional contact: the name of the person at the institution who confirmed the credential, the method used (phone, email, portal), the date of confirmation, and any reference number issued by the institution. If the report lists only "verified via national database" or "confirmed through public records" without naming a specific institutional contact, the check was almost certainly resolved by database query alone. A vendor that uses direct contact will be able to produce this evidence for any case in your programme.

What does multi-source triangulation mean?

Multi-source triangulation means verifying a single credential claim against two or more independent sources and reconciling any differences. For example, an employment check might combine HR department confirmation (primary source) with UAN/PF contribution records (secondary source) and payslip review (tertiary source). If all three align, the evidence is strong. If they conflict (say, PF records show a different start date than HR confirmed), the analyst investigates the discrepancy and documents the resolution. Triangulation catches inconsistencies that any single source, including institutional contact alone, might miss.

Why is field verification sometimes necessary?

Field verification (a physical visit to the institution, employer, or address) is necessary when remote channels are exhausted or unreliable. Common scenarios include: non-responsive institutions that do not answer email or phone queries, address verification in areas where no digital infrastructure exists, small employers that have no HR department or formal verification process, and high-risk cases where discrepancy flags require physical document inspection. Field verification adds cost and time, but it produces the strongest possible evidence and is sometimes the only viable method in certain corridors.

How does verification depth differ by country?

Verification depth requirements vary dramatically by country due to differences in database coverage, institutional responsiveness, and fraud prevalence. In India, roughly 60% of universities are not in the NAD, making database-only education checks unreliable for the majority of candidates. In the Philippines, degree verification requires direct university contact because no centralised verification database exists. In Poland, ZUS records are not accessible for private verification, so employment checks must go through employer HR directly. A vendor using the same database-first approach across all corridors will produce widely varying levels of evidence quality, strongest in countries with robust databases and weakest precisely where the fraud risk is highest.

Does deeper verification always take longer?

Not always. Deeper verification takes longer on individual checks where institutional response is slow. However, the total programme TAT is often comparable because operator-led programmes avoid the rework cycle that database-only vendors face: re-opening cases when databases return inconclusive results, escalating to institutional contact after a database-only attempt fails, and re-verifying checks that were flagged by audit. The honest framing is that deeper verification invests time in the right place (building evidence upfront) rather than in the wrong place (managing the consequences of shallow verification later).

What evidence should a verification report contain?

A defensible verification report should contain, for each check: the source (who or what confirmed the credential), the method (phone, email, portal, field visit), the date of confirmation, the contact person's name and designation (for institutional contact), any reference numbers issued, the specific data points confirmed (tenure dates, designation, degree title, graduation year), any discrepancies found between the candidate's claim and the institutional response, and the resolution of those discrepancies. If the report contains only a result ("verified" or "unable to verify") without this supporting evidence, the report is not audit-defensible.

How does OutsourceVerify ensure verification depth?

Our default operating level is Level 3 (direct institutional contact) for every check. Database queries are used as a reference input, not as a closure mechanism. Every check follows a documented escalation protocol: primary institutional contact, then secondary contact if unresponsive within 48 hours, then field verification if warranted. Each step is logged with source, method, timestamp, and analyst name. Cases close only on evidence or on documented reasonable exhaustion, defined per corridor. Our quality assurance process samples completed reports and verifies that the evidence chain is complete before the report ships. The result is a programme that operates at Level 3 by default and escalates to Level 4 when the corridor, institution, or risk profile demands it.

References & further reading

  1. How We Operate: the operating methodology section on the home page, where this deep dive series originates.
  2. The 6-step verification process: interactive walkthrough showing how institutional contact and escalation work in practice.
  3. India deep dive: corridor-specific detail on NAD coverage, registrar response patterns, and per-check TAT ranges.
  4. Compliance brief: how verification depth feeds into audit defensibility and the evidence standards regulators expect.
  5. TPRM self-assessment: pre-scored vendor evaluation framework including depth and methodology questions.

Next Step

Test your programme's verification depth.

Run the TPRM readiness scorecard to see how deeply your current vendor actually verifies, or read the full compliance brief.

Run TPRM Readiness Scorecard Read the Compliance Brief
Share this