Test catalogue

Checks whether directors have completed identity verification as required under ECCTA 2023. Each director has a 14-day window (set by Companies House) during which they must submit a verification statement. A director is considered verified when appointment_verification_start_on is populated — indicating CH has received the statement. Directors with a window scheduled but not yet verified are flagged as pending.

Checks whether any active directors have missed their mandatory identity verification deadline under ECCTA 2023. The verification window is defined by two dates: appointment_verification_statement_date (window opens) and appointment_verification_statement_due_on (window closes — the hard deadline). Verification is completed when appointment_verification_start_on is set by CH. Outcomes: Overdue (score 0, critical) where deadline has passed with no verification_start_on; Due Soon (score 40, high) where deadline falls within 30 days; Not Yet Required (score 80) where CH has not yet set any due dates; Verification Current (score 100) where all directors with due dates have verified. Works alongside COM-010.

Checks whether Persons with Significant Control (PSCs) have completed identity verification under the Economic Crime and Corporate Transparency Act 2023 (ECCTA). Since 18 November 2025, all new PSCs must verify their identity before their appointment can be registered. Existing PSCs are being phased in over a 12-month transition period ending November 2026, with each PSC's verification window triggered by their birth month. PSCs who are also directors follow the director verification timeline instead. Verification can be completed online via GOV.UK, at a Post Office, or through an Authorised Corporate Service Provider (ACSP). This test requires Companies House API enrichment data — the bulk PSC snapshot does not include verification fields. If enrichment data is not yet available, the status is shown as unknown. If enriched but no verification dates have been set by Companies House, verification is not yet required for that PSC.

Flags PSCs whose appointment_verification_statement_due_on (window deadline) has passed without a corresponding appointment_verification_start_on (completion date) — indicating overdue mandatory identity verification. Note: appointment_verification_statement_date is the window open date (not a completion signal); appointment_verification_end_on is a revocation date (not a deadline). Critical compliance failure once enforcement begins. Works alongside COM-020 for PSC verification tracking.

Checks whether the company itself appears as a match against the UK Sanctions List (UKSL). This is the most direct and severe sanctions risk — the entity itself may be a designated person or entity. The OFSI Consolidated List closed on 28 January 2026; the UKSL is now the sole source for all UK sanctions designations. Matches can be AUTO_CONFIRMED (company number match or exact name+identifier) or POTENTIAL (fuzzy name match requiring review). Any confirmed match means the company is legally prohibited from certain business activities under UK sanctions law.

Checks whether any current or former director of the company matches a designated individual on the UK Sanctions List (UKSL). Director matches are identified via name matching with optional DOB confirmation. A sanctioned director creates indirect sanctions exposure — the company may not be directly sanctioned, but having a designated person as a director raises serious legal and reputational concerns.

Checks whether any Person of Significant Control (individual) of the company matches a designated individual on the UK Sanctions List (UKSL). A sanctioned beneficial owner represents the most direct ownership-level sanctions risk — the company is effectively owned or controlled by a sanctioned person. This is arguably more severe than a director match because PSCs have direct financial interest and control.

Checks whether any corporate Person of Significant Control matches a sanctioned entity on the UK Sanctions List (UKSL). This identifies cases where a company's controlling corporate owner is itself a sanctioned entity — indicating the subject company is part of a sanctioned corporate structure. This can be detected via registration number match or name matching.

Produces a composite sanctions exposure score for the company by aggregating all four match types (direct company, director, PSC individual, PSC corporate). The score considers the number of matches, confidence levels, match statuses, and whether exposure is direct (company) vs indirect (associated persons). This provides a single at-a-glance sanctions risk indicator.

Identifies which specific sanctions regimes the company or its associated persons are designated under. Different regimes carry different implications — Russia sanctions involve asset freeze and trust services restrictions, while Global Anti-Corruption sanctions may have different enforcement priorities. Knowing the specific regime informs the customer about which sanctions obligations apply.

Analyses the specific types of sanctions imposed on matched designations — asset freeze, travel ban, arms embargo, trust services sanctions, director disqualification. Each type has different business implications. Asset freeze means no financial dealings. Trust services sanctions restrict company formation/administration services. Director disqualification prevents holding directorship positions.

Assesses whether sanctions matches for this company have been reviewed and dispositioned by a user. Unreviewed matches represent an open compliance gap — the organisation knows there are potential matches but hasn't confirmed or dismissed them. This test drives the workflow by highlighting which matches need human attention.

Analyses the confidence levels and match methods across all sanctions matches for this company. Helps users understand the quality of matches — HIGH confidence (name+DOB exact, company number) matches are very likely genuine, while LOW confidence (name-only fuzzy) matches are mostly noise. This guides triage priority and helps users understand which matches to review first.

Identifies whether matched designations originate from UK-only sanctions, UN sanctions, or both (UK|UN). This context matters because UK-only sanctions apply specifically under UK law post-Brexit, while UN sanctions have broader international application. Dual-listed (UK|UN) designations indicate the most internationally recognised sanctions targets.

Analyses the designation dates and last update dates for matched designations associated with this company. Recently designated entities represent emerging risks that may not yet be widely known. Designations that were recently updated may have had sanctions types changed or expanded.

Gatekeeper test that checks whether sanctions screening has been performed for this company at all. If the company has not been screened against the UK Sanctions List (UKSL), all other COM-030 to COM-044 tests will return NOT_APPLICABLE. The OFSI Consolidated List closed on 28 January 2026; the UKSL is now the sole source for all UK sanctions designations. This test flags the screening gap and encourages the customer to initiate screening.

Extracts and presents the UK statement of reasons for any matched designations. The statement of reasons explains why the person/entity was designated and provides critical context for risk assessment. This is a document-level insight that helps the customer understand the nature of the sanctions exposure beyond just the name match.

Reports the number of known aliases for matched designated persons/entities. A high alias count indicates a complex identity with many known names — these individuals/entities are harder to screen for and may be deliberately obscuring their identity. The alias count informs the quality of the name-matching process.

Assesses whether matched designations have strong identifiers (UK company number, passport, national ID, business registration) that could be used to validate or refute a name-based match. A designation with a known UK company number that matches the subject company is the strongest possible confirmation. A designation with passport/national ID can be cross-referenced against director records.

Checks the charity registration status. Active charities are operating normally. Not Submitted indicates missing required returns. Also detects charities flagged as insolvent or in administration.

Assesses the charity annual return submission status. Double default means two consecutive years of non-submission and may trigger regulatory action.

Detects charities using professional fundraisers or commercial participators without required written agreements — a regulatory compliance breach under the Charities Act 2011 s.162.

Detects charities subject to Charity Commission regulatory action including statutory inquiries, official warnings, interim managers, and published inquiry reports. The most serious regulatory interventions indicating governance failures, fraud, or mismanagement.

Checks whether the charity has previously been removed from the register and the reason for removal. A re-registered charity with a prior removal may warrant additional scrutiny.

Identifies charities registered with additional regulatory bodies — Ofsted, CQC, FCA, Homes England. Provides sector context and indicates additional compliance obligations.

Detects whether HMRC is the petitioner in a winding-up petition. HMRC petitions indicate unpaid tax debts and systemic non-compliance with tax obligations, carrying particular significance as HMRC is a preferential creditor with extensive enforcement powers.

Checks whether the organisation has an active ICO data protection registration. Under the Data Protection Act 2018, most organisations processing personal data must register with the ICO. An expired or missing registration is a legal compliance failure that can result in enforcement action and fines up to £4,350.

Assesses how close the ICO registration is to expiring. Registrations are typically renewed annually. An upcoming expiry signals potential administrative neglect or intentional lapse. For procurement, a supplier whose registration is about to expire creates risk of non-compliance mid-contract.

Measures how long the organisation has been continuously registered with the ICO. A long registration history indicates mature data protection practices. A very short registration may indicate a newly compliant or previously non-compliant organisation.

Identifies the ICO data protection fee tier. Tier 1 (£52/yr) is for micro organisations with ≤10 staff or ≤£632k turnover. Tier 2 (£78/yr) for SMEs with ≤250 staff or ≤£36m turnover. Tier 3 (£3,763/yr) for large organisations. Fee amounts updated February 2025. Provides an independent proxy for organisational size.

Validates whether the ICO public authority self-declaration is plausible by cross-referencing against Companies House company category and SIC code. Public authority status under UK GDPR is defined by s.7 of the Data Protection Act 2018 (referencing FOIA 2000 Schedule 1). Private commercial entities with non-public-sector SIC codes that claim public authority status are flagged as likely registration errors. Companies with public administration SIC codes that do not claim public authority status are flagged as possible under-declarations.

Assesses whether the organisation has designated a DPO based on ICO registration data. Under UK GDPR Art 37, DPO appointment is mandatory for public authorities and organisations conducting large-scale monitoring or processing of special categories.

Assesses whether the DPO is contactable via the ICO register. UK GDPR Article 37(7) requires organisations to publish DPO contact details and communicate them to the ICO. Email is the primary required contact method. Note: the DPO name is opt-in on the ICO register — its absence is fully compliant and is not treated as a gap. Flags where no email or phone is recorded for a designated DPO.

Analyses multiple ICO registrations to distinguish legitimate patterns from potential duplicates. The ICO registration model is per legal entity (one registration covers all sites and offices). Multiple simultaneous active registrations are legitimate for group structures — the ICO provides a bulk payment process for organisations with more than one registration. Flags only where active registrations share the same payment tier and near-identical start dates, suggesting a duplicate rather than a genuine group structure.

Analyses addresses associated with sanctioned entities matched to this company to identify high-risk jurisdictions. Cross-references sanctions_address data with FATF grey/black list countries and known high-risk jurisdictions to assess geographic exposure of sanctions matches.

Assesses the confidence level of sanctions individual matches by analysing available biometric and identifying data (date of birth, nationality, passport numbers, national ID numbers) from the sanctions_individual table. Higher data overlap increases match confidence and reduces false positive risk.

Assesses whether the ICO data protection fee tier is appropriate for the organisation's actual size. Applies special rules: registered charities are always capped at Tier 1 regardless of size; public authorities are assessed on staff count only (not turnover); Community Interest Companies follow standard commercial rules. Flags possible under-registration (a civil offence with penalties up to £4,350) or over-registration. Requires financial filing data to verify.

Checks whether the company has any linked Food Standards Agency (FSA) food hygiene records. All UK food businesses must register with their local authority under food safety law. For companies with food-related SIC codes, the absence of any FSA record may indicate a registration gap. Companies outside the food sector are not expected to have FSA records.

Checks whether any of the company's food establishments have a low hygiene rating. In England, Wales and Northern Ireland, ratings of 0 (urgent improvement necessary), 1 (major improvement necessary) or 2 (improvement necessary) trigger mandatory follow-up by the local authority. In Scotland, an ImprovementRequired rating is the equivalent. A low rating at any establishment is a significant compliance concern for supply chain and due diligence purposes.

Checks the proportion of establishments that are awaiting their first inspection or a follow-up inspection. A small number awaiting inspection is normal for newly registered businesses. A high proportion across a company's portfolio may indicate rapid expansion, recent ownership changes, or an inspection backlog at the local authority.

Identifies establishments where the FSA has flagged that a reinspection is pending. This usually means the business has requested a re-rating after making improvements, or the local authority has scheduled a follow-up visit. A pending reinspection alongside a low current rating suggests a known problem is being addressed.

Checks whether a company is authorised or registered with the Financial Conduct Authority (FCA) Financial Services Register. The FCA is the UK regulator for financial services firms and markets. Status values include Authorised, Registered, and "See full details" (for dual-regulated firms overseen by both the FCA and the Prudential Regulation Authority). Business types include: Regulated (directly authorised), EMD (Electronic Money Directive - firms authorised to issue e-money, e.g. Revolut, Wise), Appointed Representative (firms operating under another firm's authorisation), and CBTL (Consumer Buy-To-Let). Flags companies that are no longer authorised or have had their authorisation cancelled.

Checks for Financial Conduct Authority (FCA) and Prudential Regulation Authority (PRA) enforcement actions recorded against the firm on the Financial Services Register. Enforcement actions include fines, public censures, suspensions, and restrictions. These are formal regulatory sanctions imposed following investigation of rule breaches, and are publicly disclosed on the FCA Register.

Checks whether the Financial Conduct Authority (FCA) has imposed specific regulatory requirements or conditions on the firm. Requirements are restrictions or obligations beyond the standard rules, which may indicate past regulatory concerns, remediation programmes, or limitations on the firm's permitted activities. A firm with multiple requirements warrants closer review.

Flags companies whose Financial Conduct Authority (FCA) authorisation status has changed recently. A status change within 30 days is flagged as medium concern; within 6 months as low concern. Recent changes may indicate regulatory action, voluntary withdrawal, business restructuring, or a change in the firm's regulated activities. Stable status over many years is a positive signal.

Informational summary of the regulated activities the firm is permitted to conduct under its Financial Conduct Authority (FCA) authorisation. Displays the firm's business type, permission count, and key regulatory statuses. Acronyms used: MLR (Money Laundering Regulations) status indicates whether the firm is supervised by the FCA for anti-money laundering compliance; PSD (Payment Services Directive) / EMD (Electronic Money Directive) status shows whether the firm is authorised as a payment institution or e-money issuer under UK retained EU regulations. Client money permission indicates whether the firm is permitted to hold or control client funds.

Identifies companies with financial services SIC codes (Section K: 64-66, covering banking, insurance, and financial intermediation) that are not found on the Financial Conduct Authority (FCA) Financial Services Register. Companies conducting regulated financial activities in the UK are required to be authorised or registered with the FCA under the Financial Services and Markets Act 2000. Absence from the register for a company with a financial services SIC code may indicate the company is operating without required authorisation, or that the FCA registration is held by a different entity within the corporate group.

Detects winding up petitions from the Creditsafe negative information feed and grades them by case status rather than by mere existence. Active petitions (Open/Filed/Adjourned/Pending) indicate immediate risk of compulsory liquidation - critical when HMRC is the petitioner (unpaid tax debt serious enough for court action), high severity for other creditors. A petition that has progressed to a winding up order (Wound Up) is treated as the most severe outcome, as the company has been wound up. Petitions that are no longer active (Withdrawn, Dismissed, Struck Out, Discharged) are surfaced as historical context: a low-severity warning if resolved within the last 12 months, otherwise informational. HMRC is identified from the petitioner name only; the Creditsafe case-type code (HMCWUP) is generic to all winding up petitions and is NOT an HMRC indicator. Where a petition exists, Creditsafe provides the petition date, court case number, status, case type, petitioner name, and the petitioner's legal representative.

Tracks the compliance category risk score across multiple assessment runs and uses linear regression to determine whether compliance risk is improving, stable, or deteriorating. A score decrease of 5 or more points indicates improvement, a change within 5 points is stable, and an increase of 5 or more points indicates deterioration. Compliance is one of the largest test categories so trajectory changes here are highly significant and tend to reflect genuine shifts in a company's regulatory posture. The result includes a confidence grade from A to D based on how much data is available. Grade A (high confidence) requires at least 6 data points spanning 180 or more days. Grade B (good confidence) requires at least 4 data points spanning 90 or more days. Grade C (low confidence) requires at least 2 data points spanning 30 or more days. Grade D (insufficient data) means the history is too short or too sparse to draw meaningful conclusions. A newly assessed company will typically start at grade D and improve as assessments accumulate over weeks and months.

Monitors key certifications such as Cyber Essentials, ISO 27001, and ISO 9001 and alerts when any were valid at the last assessment but have since expired. Lapsed certifications may indicate cost-cutting or a failed reassessment.

Alerts when a company or its directors have been newly matched against UK and international sanctions lists. Sanctions compliance is a legal requirement — any match demands immediate review.

Detects new Environment Agency enforcement actions since the last assessment, including prosecutions, enforcement orders, warning letters, and compliance notices. Increasingly important for organisations with environmental and sustainability commitments.

Alerts when a company's accounts filing status has changed — for example, going from current to overdue, or escalating from overdue to severely overdue. Accounts going overdue is a well-established early warning sign that can precede insolvency by 6 to 12 months.

Aggregates all compliance-category test results into a single 0-100 score. The largest category (122 tests). Normalised for test coverage.

Alerts when a company's confirmation statement filing status changes — for example, going from current to overdue. An overdue confirmation statement is a precursor to compulsory strike-off and means register data may be unreliable.

Checks whether the company's annual accounts are overdue at Companies House. Overdue accounts are a strong signal of governance weakness and potential financial distress. Companies that fail to file may be struck off. Accounts overdue by more than 6 months are a particularly serious concern.

Checks when accounts were last filed at Companies House. Very stale accounts (2+ years since last filing) suggest the company may be dormant, non-trading, or experiencing difficulties even if not technically overdue.

Identifies the type of accounts filed (Abbreviated, Full, Micro Entity, Dormant) and implications for data availability. A change from full to abbreviated accounts may indicate a desire to reduce disclosure. Dormant accounts indicate no trading activity.

Reports whether the company's accounts are audited, subject to independent examination, or audit exempt. Audited accounts provide the highest level of assurance. Most UK SMEs qualify for audit exemption. Companies voluntarily submitting to audit demonstrate higher governance standards.

Identifies companies that file dormant accounts but report employees or turnover — an inconsistency that may indicate incorrect filing, transitional status, or potential regulatory non-compliance. A dormant company should have no significant accounting transactions.

Evaluates the length of the company's most recent accounting period and flags non-standard lengths. Standard UK accounting periods are 12 months, though 13 months is also treated as normal. Warning triggers for extended periods of 14–18 months (permitted but unusual — typically indicates a first-year filing, a change of accounting reference date, or restructuring) and for shortened periods under 12 months (may indicate a change of accounting reference date, preparation for disposal, or a restructuring event). Fail triggers if the period exceeds 18 months, which is the legal maximum under the Companies Act — this is non-compliant and may indicate a filing error. A period length of null is noted but not flagged.

Detects companies where turnover is absent from filed accounts despite strong evidence it should be present. Since HMRC moved to mandatory full iXBRL tagging under FRS 102 (for periods beginning on or after 1 January 2015), every taggable item in the accounts — including turnover — must carry an XBRL tag. When the tag is missing, downstream tests such as the turnover assessment return no result, creating a blind spot in financial risk scoring. The test looks for four types of evidence that turnover ought to have been tagged: cost of sales is present (a trading company cannot have cost of sales without revenue); total assets exceed the small-company balance sheet threshold of £5.1 million; employee count exceeds 50; or the filing is explicitly typed as full accounts. Where cost of sales is available, a minimum turnover figure is inferred from it, since revenue must be at least as large as the cost of generating it. Outcomes are scored on confidence. A warning with a score of 30 is issued where both cost of sales is tagged and the company clearly exceeds medium-size thresholds (over £18 million total assets or over 250 employees), as the tagging omission is highly likely. A score of 40 applies where either cost of sales is present or the company is large. A score of 50 or 55 applies where size indicators point to a medium-or-above company but evidence is less direct. Where no signals are present — consistent with a small or abbreviated filing where turnover disclosure is optional — the test returns not applicable. A pass with a score of 100 is given when turnover is correctly tagged.

Identifies where the company was incorporated and flags high-risk or opaque jurisdictions. Companies registered in secrecy jurisdictions, tax havens, or countries with weak AML controls present elevated due diligence requirements. For overseas companies registered under an FC number, any UK establishments (branch registrations) are shown alongside the jurisdiction risk assessment. These establishments operate under UK law and enforcement regardless of the parent company's home jurisdiction, providing important regulatory context.

Assesses jurisdiction risk of corporate persons with significant control (PSCs) based on their country of registration. Corporate entities registered in secrecy jurisdictions (such as BVI, Panama, Seychelles), Crown Dependencies (Jersey, Guernsey, Isle of Man), or other opaque jurisdictions present elevated beneficial ownership risk. This is one of the strongest red flags in beneficial ownership due diligence. Each flagged entity is listed with its name, jurisdiction, and risk classification. Jurisdictions are assessed against FATF blacklisted and grey-listed countries, sanctioned jurisdictions, secrecy jurisdictions, Crown Dependencies, and tax-efficient financial centres.

Tracks the review status of disqualification matches. Pending matches indicate automated screening has identified a potential match but a human reviewer has not yet validated it. A high volume of unreviewed pending matches represents a screening process gap. Helps monitor due diligence workflow completeness.

Identifies companies where disqualification screening has not yet been performed. If a company has active directors or persons of significant control but no screening results on record, the automated screening process has not yet run for this company. This is a data completeness gap that users should be aware of when relying on disqualification checks.

Cross-references the number of charge records collected from Companies House against the summary totals held in the company profile (total charges, outstanding, fully satisfied, part satisfied). Mismatches of more than one in any category may indicate that charge data was only partially retrieved during enrichment, that there is a timing gap between when charges were filed and when enrichment last ran, or that some charge records were not collected. A mismatch does not mean charges are missing entirely, but it does mean other charge tests may be working from incomplete data.

Checks whether any directors or persons with significant control of this company also direct or control other companies that have received criminal convictions from the Health and Safety Executive. An HSE conviction at another company under the same leadership may indicate poor health and safety governance practices that could affect this company.

Checks whether any directors or controllers of this company are connected to other companies where a Health and Safety Executive conviction involved a fatality or a fine exceeding £1 million. A fatality-related HSE conviction is the most serious health and safety outcome and represents a significant governance concern when linked through shared leadership.

Checks whether any directors or controllers of this company are connected to other companies that have received HSE enforcement notices, including improvement notices and immediate prohibition notices. Enforcement notices represent formal regulatory intervention for unsafe working conditions and capture a broader pattern of health and safety concerns than criminal convictions alone.

Identifies directors or controllers of this company who are connected to multiple other companies with HSE enforcement actions, whether convictions or notices. A person linked to repeated health and safety issues across different companies suggests a pattern of poor safety governance. Flags individuals connected to two or more affected companies.

Checks whether any directors or controllers of this company are connected to other companies that have received Environment Agency enforcement actions. Reports the type of action (enforcement notice, court case, or caution), its severity, the relevant legislation, and the date. Environmental enforcement at a connected company may indicate governance practices that could affect this company.

Specifically checks for Environment Agency court prosecutions among companies connected through shared directors or controllers. Court prosecutions are criminal matters and represent the most severe environmental enforcement outcome. This is a subset of the broader environmental enforcement check, focused on the highest-risk actions.

Displays a visual network map showing the connections between this company and other companies in its director network that have received regulatory enforcement actions from the HSE or Environment Agency. The map highlights connecting individuals and colour-codes companies by enforcement type, making regulatory contagion paths easy to trace.

Checks whether peer companies connected through shared directors hold ISO, SSIP, or Cyber Essentials certifications that this company lacks. If companies in the same leadership network commonly hold certifications that this company does not, it may indicate a gap in standards or accreditation that could affect competitiveness and compliance. Note: certification data is only available for companies that have been assessed through Senserity's enrichment process, so this comparison becomes more comprehensive as platform coverage grows.

For companies identified as tender competitors in the same procurement markets, checks their certification holdings including ISO, SSIP, and Cyber Essentials. If competitors hold certifications that this company lacks, it indicates a potential competitive disadvantage and compliance gap. This is more commercially relevant than peer-based benchmarking as it compares actual market competitors. Note: certification data is only available for companies that have been assessed through Senserity's enrichment process, so competitor certification coverage improves as more companies are analysed on the platform.

If this company is dual-registered as a charity, checks for adverse regulatory events on the charity side such as removal from the Charity Commission register or a published regulatory report. Regulatory action against the charity reflects on the commercial entity and its leadership, and represents elevated governance risk.

Checks whether the company has any Gender Pay Gap submissions on record, indicating it employs 250+ people and is subject to mandatory reporting. A match indicates regulatory visibility and ESG data availability.

Assesses the magnitude of the mean hourly gender pay gap from the latest submission. A positive value means men are paid more on average; a negative value means women are paid more. Very large gaps in either direction indicate structural pay inequality and potential ESG/reputational risk.

Assesses the median hourly gender pay gap, which is less susceptible to outlier distortion than the mean. A large median gap indicates the pay inequality is structural and widespread rather than driven by a few highly-paid individuals.

Evaluates the gender gap in bonus payments (mean and median). Bonus gaps can be significantly larger than hourly pay gaps and indicate disparities in performance recognition, commission structures, or profit-sharing. Extreme values (>100%) can indicate structural issues in bonus allocation.

Compares the percentage of men and women receiving bonus pay. A significant difference in participation rates indicates systemic bias in bonus eligibility, regardless of the bonus amount gap. Also flags employers where only one gender receives bonuses.

Analyses the gender distribution across pay quartiles (lower, lower-middle, upper-middle, top). A glass ceiling pattern shows increasing male dominance at higher quartiles, while a sticky floor shows female concentration in lower quartiles. Extreme imbalance (>80% one gender in any quartile) indicates structural workforce segregation.

Evaluates the companys track record of submitting GPG reports on time. Repeated late submissions indicate poor regulatory compliance culture and may suggest broader governance weaknesses. Late submission is a legal requirement breach under the Equality Act 2010.

Analyses the gender pay gap trend across multiple reporting years using linear regression computed directly from the year-by-year submissions. Three metrics are calculated from the mean hourly pay gap series (falling back to median if mean is unavailable): the slope (percentage points change per year), R-squared (how well the linear trend explains the data — 1.0 is perfect fit, 0.0 is no fit), and the standard deviation (volatility measure in percentage points). The test classifies patterns into seven outcomes: Highly volatile (stddev above 15pp, score 35 warning — erratic swings with no reliable trend); Moderately volatile (stddev above 8pp with R-squared below 0.3, score 50 warning — unstable readings); Strong worsening (R-squared at least 0.5 with slope above 1pp/yr, score 30 warning); Mild worsening (R-squared at least 0.3 with slope above 0.5pp/yr, score 50 warning); Strong improving (R-squared at least 0.5 with slope below -1pp/yr, score 90 pass); Mild improving (R-squared at least 0.3 with slope below -0.5pp/yr, score 80 pass); Stable (stddev below 3pp, score 75 pass). Falls back to no clear pattern (score 65 pass) when none of these conditions are met. The display shows a multi-series trend chart with both mean and median hourly pay gap plotted across reporting years.

Records the employers self-reported size band from GPG submissions. This provides independent workforce sizing data that can be cross-referenced against Companies House employee counts and financial data. Size changes between years may indicate growth, contraction, or restructuring.

Checks how recently the company last submitted a GPG report. If a company previously reported but has stopped, it may have dropped below the 250-employee threshold (contraction), restructured, or is simply non-compliant. Uses a 12-month window from the latest submission date before flagging as overdue.

Checks whether the employer has provided a link to their own gender pay gap narrative or action plan. The GPG service allows employers to optionally include a URL to their own analysis, explanation, and action plan. Providing this link indicates proactive transparency and commitment to addressing the gap.

Compares the mean and median hourly pay gaps to detect skewed pay distributions. When the mean gap is significantly larger than the median, it indicates a small number of very highly-paid men are pulling the average up (executive pay effect). When the median is larger, it indicates broad-based structural inequality across the workforce.

Identifies employers where women are paid more than men on average (negative pay gap). While this is not inherently negative, extreme reverse gaps may indicate workforce segregation or data quality issues. It is a notable insight for ESG profiling.

For late submissions, assesses the severity of lateness. Submissions filed slightly late indicate minor process issues; submissions filed months or years late indicate serious compliance failures. The Equality and Human Rights Commission (EHRC) can take enforcement action against employers who fail to report.

Checks whether the company has published a modern slavery statement on the gov.uk registry. Under the Modern Slavery Act 2015 s.54, commercial organisations with annual turnover >=£36m must publish an annual statement.

Evaluates a composite risk score for the company's most recent modern slavery statement, based on the UK Government's Modern Slavery Statement Registry data. The score is additive — each deficiency in the statement increases the score, so a higher score means greater risk. Components: missing mandatory areas under MSA s.54(5) (up to +30 if fewer than 3 of 6 areas covered, +10 if fewer than 5); no anti-slavery policies (+25); no staff training (+15); no social audits (+15); no grievance or whistleblowing mechanisms (+10); each ILO forced labour indicator identified (+5 each, up to 11 indicators); and first-time statement (+10). Risk levels: LOW (0–14), MODERATE (15–29), ELEVATED (30–49), HIGH (50+). Most organisations score LOW — the average is around 8.

Assesses whether the statement covers all six mandatory areas required by MSA s.54(5): organisation structure, policies, risk assessment, due diligence, training, and goals/KPIs.

Checks whether the modern slavery statement was approved within the 6-month window required by the Modern Slavery Act. Late approval indicates poor governance attention to modern slavery compliance.

Evaluates the breadth and quality of anti-slavery policies declared in the statement. Organisations declaring no policies represent a significant compliance red flag.

Assesses whether the organisation has identified specific modern slavery risks in their operations or supply chains. The structured risks field captures descriptions, affected areas, groups, countries, and mitigation measures.

Checks whether the organisation has identified ILO indicators of forced labour. The 11 ILO indicators include abuse of vulnerability, deception, restriction of movement, isolation, physical/sexual violence, intimidation, retention of identity documents, withholding wages, debt bondage, abusive conditions, and excessive overtime. The most serious finding is identifying indicators but taking no action.

Evaluates whether the organisation provides modern slavery awareness training and the breadth of its training programme, based on the UK Modern Slavery Statement Registry data. Scoring uses a base of 45 plus 10 points per recipient group named (capped at 95). Possible recipient groups on the registry include: your whole organisation, procurement staff, human resources, executive-level staff, front line staff, suppliers, the wider community, and other. Outcomes: Fail (score 15) if the organisation explicitly declares no training; Warning (score 35) if training is not addressed in the statement; Pass (score 45) if training is included as a mandatory area but no recipient groups are specified; Pass (score 55–95) scaling with the number of recipient groups listed — for example, 1 group scores 55, 3 groups score 75, and 5 or more groups score 95. Training is one of the six mandatory areas under MSA s.54(5)(e).

Assesses the breadth of monitoring mechanisms: social audits, grievance mechanisms, and worker engagement channels. Organisations with none of these represent a significant detection gap.

Assesses the organisation's experience with modern slavery reporting using two data points from the UK Modern Slavery Statement Registry: the self-declared years_producing_statements field on the latest statement, and the count of statements held on the registry. The registry offers three experience levels: "This is the first time", "1 to 5 years", and "More than 5 years". Scoring: first-time reporters score 60, reflecting less mature compliance processes; organisations with 1–5 years of experience score 80; experienced reporters with more than 5 years score 90. All outcomes are a pass — this is an informational assessment rather than a compliance check. The year range of statements on the registry is also reported for context.

Classifies the organisation's sector(s) and maps them to known high-risk sectors for modern slavery. Construction, food/agriculture, fashion/textiles, and mining carry inherently higher risk.

Records the self-reported turnover band from the modern slavery statement. Larger organisations are expected to have more mature anti-slavery programmes. Can be cross-referenced with financial data for consistency.

Checks whether the organisation has provided a URL to their full statement and whether a PDF copy is available. Under MSA s.54(7), statements must be published on the organisation's website. Email-only access violates public accessibility requirements.

Measures how recently the organisation published a modern slavery statement to the UK Government's Modern Slavery Statement Registry. The test takes the most recent statement (ordered by statement period end date) and calculates the number of months since that date. If the period end date is not available, it falls back to the approval date, then the last updated date. Scoring: 12 months or less scores 85 (pass, current); 12–18 months scores 40 (warning, potentially overdue); over 18 months scores 15 (fail, likely overdue). Note: this test only assesses submissions to the government registry. An organisation may have published a more recent statement on its own website without submitting it to the registry — this itself represents a compliance gap, as organisations are expected to publish annually on the GOV.UK registry.

Checks whether the organisation has included measurable goals and KPIs as required by MSA s.54(5)(f). This is the most commonly omitted mandatory area — only 64% include goals. Absence suggests a backwards-looking compliance exercise rather than continuous improvement.

Produces an overall quality assessment of the organisation's modern slavery statement by aggregating eight components into a score out of 100, with a letter grade from A to E. Components: Mandatory Areas coverage (max 30 — 5 points per area under MSA s.54(5), 6 areas); Policy Breadth (max 10 — based on number of anti-slavery policy types); Training Coverage (max 10 — based on whether training is provided and the number of recipient groups); Monitoring Pillars (max 15 — 5 points each for social audits, working conditions engagement, and grievance mechanisms); Risk Identification (max 10 — based on number of risks identified); ILO Indicator Handling (max 10 — highest score for identifying indicators and taking action, lowest for identifying indicators with no action); Goals and KPIs (max 5 — whether goals are included and progress is demonstrated); Timeliness (max 10 — based on how quickly the statement was approved after the period end). Grades: A (80+), B (65–79), C (50–64), D (35–49), E (below 35). Outcomes: score 65 or above is a pass, 40–64 is a warning, below 40 is a fail.

Validates the statement reporting period. Anomalous periods (very short, very long, or misaligned with typical financial year-ends) may indicate compliance issues or organisational changes.

Analyses the proportion of a company's public sector contracts awarded through non-competitive procurement methods (direct award and limited tendering) versus competitive methods (open and selective). A high ratio of non-competitive awards raises questions about transparency and whether the company could win contracts in open competition. The test requires a minimum volume of contracts before ratio analysis is meaningful: companies with 1–3 awards are reported as informational only (a single direct award may simply reflect the nature of that specific requirement); companies with 4–5 awards apply softer thresholds (warning only if over 80% non-competitive); companies with 6 or more awards apply the full threshold — over 50% non-competitive triggers a warning (score 50), otherwise the method mix is reported as a pass (score 80).

Reports whether this company is classified as an SME (Small or Medium Enterprise) in public procurement records. SME status can affect eligibility for reserved contracts, prompt payment provisions, and government targets for SME spend. Discrepancy between self-declared SME status and actual company size may indicate misrepresentation.

Evaluates how many recognised standards and certifications a company holds relative to expectations for its size and industry sector. Cross-references ISO certifications, Cyber Essentials, SSIP safety accreditation, and ICO data protection registration to assess whether the company's certification coverage is appropriate for the sectors it operates in.

Identifies specific certification gaps where a company holds some but not all of the certifications expected for its industry sector. Rather than just producing a score, this test highlights the particular missing certifications and explains why they would be expected, giving actionable guidance on where to strengthen compliance coverage.

Checks whether a company with an active website that appears to collect data (cookies, contact forms, or email addresses) is properly registered with the Information Commissioner's Office (ICO). A company processing personal data without ICO registration is potentially in breach of the Data Protection Act 2018.

Analyses the expiry dates of all certifications and registrations — including ISO standards, Cyber Essentials, SSIP safety accreditation, and ICO registration — to identify upcoming expiry clusters or already-expired credentials. Multiple certifications expiring in the same window creates administrative burden and increases the risk of temporary compliance gaps.

Checks whether a company's ICO data protection registration payment tier is consistent with its apparent size. A company registered at the lowest payment tier but showing indicators of being a large organisation may be under-declaring to the ICO, which is itself a compliance issue that could attract regulatory attention.

Checks for contradictions between a company's certification holdings and enforcement records. For example, a company holding ISO 45001 (occupational health and safety) or SSIP safety accreditation while also having recent HSE enforcement notices or convictions is a significant credibility concern — it suggests the certification may not reflect actual working practices.

Produces a single aggregate compliance and certification risk score (0–100) by consolidating the results of six underlying compliance assessments: Cyber Maturity (XCC-001, 20% weight) covering web security, email security, Cyber Essentials, and ISO 27001; Certification Posture (XCC-002, 15%) measuring certifications held versus sector expectations; Certification Gaps (XCC-003, 15%) penalising each missing expected certification; ICO & Web Presence (XCC-004, 15%) checking ICO registration against active website data processing; Expiry Alignment (XCC-005, 10%) flagging expired or soon-to-expire certifications; and Enforcement Contradictions (XCC-013, 15%) identifying companies holding safety certifications despite recent enforcement actions. The score includes a confidence rating based on how many of the five data sources have been enriched — if fewer than two are available, the test cannot produce a meaningful result.

Cross-references the company's FSA food hygiene ratings with its ISO 22000 certification status. ISO 22000 is the international standard for food safety management systems, so a company holding this certification would be expected to achieve consistently high hygiene ratings. If any establishment is rated 0, 1, or 2 despite the company holding ISO 22000, this represents a coherence gap — either the certification does not cover those sites or the management system is not being effectively implemented.

Flags companies with HSE criminal convictions (especially fatality-related) that also file modern slavery statements. A company convicted of criminal health and safety failures while claiming to address forced labour risks presents a fundamental credibility gap in worker welfare commitments. Examines whether conviction severity correlates with modern slavery statement quality.

Compares the quality of a company's modern slavery statement against its apparent size and resources, using indicators from multiple sources including employee count, employer size band, and turnover. Identifies companies where statement quality is disproportionately poor relative to their scale — a large, well-resourced company filing a minimal statement raises more concern than a smaller company doing the same.

Analyses a company's modern slavery statement sector classifications against its employer size and industry sector to build a sector-adjusted risk profile. Certain sectors (construction, agriculture, hospitality) carry inherently higher modern slavery risk — this test identifies whether companies in high-risk sectors have proportionally stronger statements to match their elevated exposure.

Compares compliance discipline across both reporting obligations: GPG submission timeliness (late submissions, days late) vs modern slavery statement continuity and approval timeliness. Companies that are late or non-compliant on both reporting obligations demonstrate a pattern of regulatory disregard rather than isolated incidents.

Benchmarks a company's modern slavery statement quality against peer companies in the same industry sector and turnover band. Assesses factors including the breadth of areas covered, risk assessment depth, and policy comprehensiveness relative to peers. Identifies whether a company is a leader or laggard in its peer group for modern slavery compliance.

For companies covered by group modern slavery submissions, compares the group-level statement quality with entity-level ESG signals (individual company GPG, HSE record, environmental record). A strong group-level statement may mask poor performance at individual entity level.

Assesses whether a company meets its mandatory ESG reporting obligations based on company size: gender pay gap reporting (required for employers with 250 or more employees) and modern slavery statements (required for organisations with turnover above £36 million). Uses employee count and staff costs from Companies House financial filings to determine obligations. Staff costs are used to distinguish genuine employers from holding companies — a company reporting 250+ employees with significant staff costs is paying wages and should file its own GPG report, while a company with 250+ employees but negligible staff costs is likely a group entity whose employees are legally employed and file under operating subsidiaries. Note: the staff costs heuristic has a known limitation with charity trading subsidiaries and certain group structures where staff are employed by the parent entity and their costs recharged to the subsidiary via intercompany charges. In these cases, the subsidiary's accounts show significant staff costs but the parent is the legal employer. This distinction is only visible in the free-text notes of filed accounts, not in the structured data we extract, so these cases may be flagged as missing GPG when the obligation is actually met by the parent's filing.

Compares the date of the most recent financial filing against the Creditsafe report date to identify companies where the credit assessment may be based on stale financial data. If the latest filing is >18 months older than the credit report, the credit score may not reflect current reality.

Cross-checks mortgage summary counts from Companies House bulk data against detailed charge records from API enrichment. Mismatches may indicate incomplete enrichment, data staleness, or timing differences affecting the reliability of charge-based risk assessments.

Detects companies that have downgraded their filing type (e.g., full to abbreviated, micro-entity, dormant) and correlates with credit score changes. Filing downgrades reduce transparency; paired with credit decline, suggests deliberate obscuration of deteriorating performance.

Cross-references how quickly a company pays its suppliers (from Creditsafe payment data) with whether its own accounts are filed on time at Companies House. Companies that pay suppliers late AND file accounts late exhibit a pattern of systemic non-compliance that is more concerning than either issue alone. Slow supplier payments alone may just be cash management, and late filings alone may be administrative — but both together suggest deeper financial or organisational problems.

Assesses how complete the financial intelligence picture is by checking which data sources are available and current. Helps users understand the reliability and confidence level of all other financial assessments. Also serves as an enrichment recommendation engine.

Detects contradictions between a company's official status at Companies House (active, dissolved, in liquidation, etc.) and legal proceedings data from other sources. For example, a company listed as active but with winding-up petitions in The Gazette, or a company marked as dissolved but with recent CCJs being filed against it. These contradictions can indicate early-stage insolvency proceedings not yet reflected in the official status, or data timing differences that need investigating.

Identifies companies where HMRC is the petitioner in gazette winding-up petitions, and cross-references with Creditsafe HMRC petitioner detection. HMRC petitions signal unpaid tax debts — when corroborated across both gazette and Creditsafe, the signal is highly reliable. A company with HMRC petitions from multiple sources represents severe compliance and financial risk.

Identifies PSCs who have sanctions matches AND hold majority control (75 pct+ ownership or voting rights). A sanctioned person with majority control has power to direct company operations, making sanctions risk operational under OFSIs 50 pct rule.

Detects companies where the same person has sanctions matches in BOTH the director and PSC match tables. Cross-corroboration from two independent source records significantly increases match confidence. Data shows 1018 companies with this overlap.

Identifies companies controlled by a corporate PSC where that corporate PSC entity has its own sanctions matches. Sanctions risk propagates through ownership chains under OFSIs 50 pct rule: if the controlling entity is sanctioned, the controlled entity may be subject to sanctions by association.

Assesses what percentage of a company's people (directors + PSCs) have been screened against sanctions lists. Identifies gaps where screening has not been performed, creating blind spots in compliance coverage.

Checks whether sanctions matches exist at any level of the company's ownership and control structure. Four layers are examined: Company Direct (the company itself matched against sanctions lists), Directors (individual directors matched against sanctioned persons), PSC Individuals (persons with significant control matched against sanctioned persons), and PSC Corporates (corporate entities with significant control matched against sanctioned organisations). The test reports how many layers have matches and the highest match confidence found. If all matches are low confidence the test warns; if any match is medium or high confidence it fails. A company can have sanctions exposure at multiple layers simultaneously, which indicates deeper structural risk. For example, both a director and the company itself appearing on sanctions lists is more concerning than a single low-confidence match at one layer.

Identifies directors or PSCs who have sanctions matches but have NOT completed ECCTA identity verification. The combination is alarming: a person potentially on sanctions lists whose identity has not been independently verified.

Identifies directors or PSCs who have disqualification matches but have NOT completed ECCTA identity verification. A disqualified person who has not been identity-verified could be genuinely disqualified and acting illegally, or a false positive that verification would resolve.

Identifies directors or PSCs who have adverse media hits but have NOT completed ECCTA identity verification. Without identity verification, cannot distinguish between common-name false positives and genuine matches to persons involved in financial crime or terrorism.

Calculates a composite score measuring the gap between identity verification coverage and risk signal presence. Companies where many persons have risk signals but few are verified have the largest gap. Drives prioritisation of verification effort.

Identifies any person with a sanctions match who holds a controlling position: sole director, company secretary, or PSC with significant ownership/voting control. A sanctioned person in a controlling position is an operational crisis, not just a compliance concern.

Determines whether a web and email security assessment has been performed for this company's domain. This is the gateway test for all CYB-category insights — without a completed webemail enrichment, none of the subsequent cyber security tests can run. A result of not applicable indicates that no domain has been identified for this company, or that the enrichment has not yet been executed. All other CYB tests depend on this data being present.

A composite headline score (0–100) summarising the company's overall web and email cyber security posture, calculated from the results of all individual CYB tests including email authentication, SSL/TLS configuration, HTTP security headers, reputation checks, and website security controls. A higher score indicates stronger security hygiene. Scores below 40 are considered critical, indicating significant exposure across multiple areas; 40–59 is poor; 60–74 is fair; 75–89 is good; and 90 or above is excellent. This score is intended as an executive-level summary — individual category tests provide the underlying detail.

A composite score (0–100) measuring the strength of the company's email authentication and anti-spoofing controls, drawing on the results of CYB-005 (SPF), CYB-006 (DMARC), and CYB-007 (DKIM). Email authentication is one of the most critical controls for preventing domain impersonation — without it, attackers can trivially send emails that appear to come from the company's domain, enabling phishing, procurement fraud, and business email compromise. A weak email security score is a significant red flag in supplier and procurement due diligence contexts.

A composite score (0–100) measuring the strength of the company's website security controls, drawing on results across SSL/TLS configuration (CYB-011 to CYB-013), HTTP security headers (CYB-014 to CYB-019), website operational status (CYB-020 to CYB-022), and reputation checks (CYB-023 to CYB-025). A weak web security score indicates that the company's website has limited protections against common attack classes including man-in-the-middle interception, cross-site scripting, clickjacking, and MIME sniffing. Poor web security hygiene can also indicate broader neglect of IT security practices.

Checks whether the company's domain has a Sender Policy Framework (SPF) record and evaluates its enforcement strength. SPF is a DNS record that defines which mail servers are authorised to send email on behalf of the domain. Without SPF — or with a weak policy — the domain can be trivially spoofed for phishing, supplier fraud, and impersonation attacks. The SPF record's enforcement mechanism determines how receiving mail servers should treat unauthorised senders: a hard fail (-all) instructs servers to reject spoofed messages outright; a soft fail (~all) allows them through but marks them as suspicious; a neutral or permissive policy (?all or +all) provides no real protection. Only a hard fail configuration offers meaningful defence against email spoofing.

Checks whether the company has a DMARC (Domain-based Message Authentication, Reporting and Conformance) policy and evaluates its enforcement level. DMARC builds on SPF and DKIM to instruct receiving mail servers on how to handle messages that fail email authentication checks. Without DMARC, spoofed messages may still reach recipients even when SPF is configured. The policy level determines the response to authentication failures: a reject policy instructs servers to block the message entirely; quarantine sends it to the spam folder for review; none applies no action and is monitoring-only, offering no real protection. Only a reject policy provides meaningful defence against domain impersonation and email-based fraud.

Checks whether DKIM (DomainKeys Identified Mail) signing is detected for the company's domain. DKIM works by attaching a cryptographic signature to outgoing emails, allowing receiving mail servers to verify that the message was genuinely sent by the domain and has not been altered in transit. It is the third pillar of email authentication alongside SPF and DMARC — without DKIM, emails are more vulnerable to tampering and spoofing, and DMARC enforcement is weakened. Unlike SPF and DMARC, DKIM records are not published at a fixed DNS location; they use named selectors, so detection is probabilistic based on probing common selector names. A confident detection indicates DKIM is likely in use, but absence of detection does not definitively confirm it is missing.

A composite assessment of the three foundational email authentication standards — SPF (CYB-005), DMARC (CYB-006), and DKIM (CYB-007) — presented as a single at-a-glance view of email security completeness. All three standards work together: SPF defines which servers are authorised to send email for the domain; DKIM cryptographically signs messages to prove they have not been tampered with; and DMARC ties the two together by specifying what to do when messages fail authentication, and enabling reporting. A domain with all three properly configured is well-protected against email spoofing and impersonation. Missing or weakly configured components leave gaps that attackers can exploit — for example, a strong SPF with no DMARC means unauthorised messages may still reach recipients. In supplier due diligence, a weak email authentication triad is one of the highest-risk indicators of vulnerability to procurement fraud.

Checks whether the company's DMARC record includes reporting directives that enable visibility into email authentication activity. DMARC supports two reporting tags: rua (aggregate reports) sends regular summaries of all email traffic referencing the domain, showing which sources are passing or failing authentication; ruf (forensic reports) sends detailed reports on individual messages that fail authentication. Without these reporting tags, a company has no way to monitor whether its domain is being spoofed, identify legitimate services that may be misconfigured, or track progress when tightening email security policies. Reporting is particularly important during the transition from a none or quarantine DMARC policy towards full reject enforcement.

Checks whether the company's domain has MX (Mail Exchange) records configured in DNS, which are required for the domain to receive email directly. The presence or absence of MX records determines how other email-related tests are interpreted: where MX records exist, the domain is actively used for email and SPF, DMARC, and DKIM controls are assessed normally; where MX records are absent, the company likely uses a different domain for email communications — for example, a company whose website is at one domain but whose staff email through another. In this case, dependent email security tests return as not applicable rather than failing, to avoid penalising companies for a configuration that is not inherently risky. A warning is raised to flag that the email domain may differ from the registered domain.

Checks whether the company's website has a valid SSL/TLS certificate, which is the foundation of encrypted HTTPS communication. An SSL certificate serves two purposes: it encrypts data transmitted between the user's browser and the web server, preventing interception; and it provides identity assurance that the site belongs to the organisation it claims to represent. Three failure conditions are assessed: no certificate means the site has no encryption at all, leaving all data transmitted in plaintext; a self-signed certificate has not been verified by a trusted certificate authority and will trigger browser security warnings for all visitors; and an invalid certificate — for example one issued to a different domain — provides encryption but no identity assurance. Any of these conditions is a significant security failure and will typically cause browsers to display prominent warnings that deter visitors.

Monitors how many days remain before the company's SSL/TLS certificate expires. An SSL certificate must be renewed before it lapses — an expired certificate causes browsers to display a full-page security warning blocking access to the site, which can immediately halt web traffic, damage customer trust, and disrupt operations. Four threshold levels are assessed: an already-expired certificate is a critical failure; fewer than 14 days remaining is a high-severity warning requiring urgent action; 15 to 30 days is a medium warning indicating renewal is overdue; and over 30 days is a pass. Modern certificates are typically issued for 90 days (Let's Encrypt) or up to one year, and most hosting providers offer automated renewal — a lapsed certificate therefore indicates either a manual renewal failure or an unmonitored infrastructure. Returns not applicable if no SSL certificate is present.

Evaluates the type of SSL/TLS certificate in use on the company's website. Three certificate types exist, offering different levels of identity verification: Domain Validated (DV) certificates confirm only that the applicant controls the domain — they provide encryption but no verification of the organisation's identity, and are issued automatically within minutes; Organisation Validated (OV) certificates require the certificate authority to verify the legal identity of the organisation before issuance, providing a higher level of trust; Extended Validation (EV) certificates involve the most rigorous vetting process and were historically associated with a green address bar in browsers. Both OV and EV certificates indicate the company has undergone identity verification with a trusted authority. A DV certificate is common and not a failure, but OV or EV indicates a greater investment in establishing trust. Returns not applicable if no certificate is present.

Checks whether the company's website has HTTP Strict Transport Security (HSTS) configured and evaluates the strength of the policy. HSTS is an HTTP header that instructs browsers to always connect to the site over HTTPS, even if a user types the address without it or follows an HTTP link. Without HSTS, users are vulnerable to protocol downgrade attacks where an attacker intercepts the initial HTTP request before the site can redirect to HTTPS, potentially stealing session cookies or credentials. Three aspects are assessed: whether HSTS is present at all; whether the max-age directive meets the recommended minimum of one year (31,536,000 seconds), which determines how long browsers remember the policy; and optionally whether the domain is eligible for HSTS preload, a browser-maintained list that enforces HTTPS even on the very first visit before any header has been seen. A short max-age is a warning as it reduces the window of protection.

Evaluates the presence and quality of the Content Security Policy (CSP) HTTP header on the company's website. CSP is the primary browser-level defence against cross-site scripting (XSS) attacks — a common vulnerability where attackers inject malicious scripts into web pages viewed by other users, potentially stealing session tokens, credentials, or customer data. A CSP header tells browsers which sources of scripts, styles, and other resources are permitted to load. However, the quality of the policy matters as much as its presence: directives such as unsafe-inline and unsafe-eval effectively disable XSS protections by allowing arbitrary inline scripts to run; wildcard sources (*) permit content from any origin; and http: sources expose users to content from insecure connections. Only a well-configured CSP without these weaknesses provides meaningful protection.

Checks whether the company's website implements protections against clickjacking attacks. Clickjacking is a technique where an attacker embeds a legitimate website invisibly inside their own malicious page using an iframe, then tricks users into clicking buttons or links they cannot see — for example, unknowingly submitting a form, approving a transaction, or revealing credentials. Two mechanisms provide protection: the X-Frame-Options HTTP header, which instructs browsers to prevent the page from being embedded in a frame; and the CSP frame-ancestors directive, which offers more granular control over which origins are permitted to embed the page. The CSP directive is the modern standard and takes precedence where both are present. Absence of either leaves users of the company's web applications exposed to this class of attack.

Checks whether the company's website sends the X-Content-Type-Options: nosniff HTTP header. Browsers normally rely on the Content-Type header declared by the server to determine how to handle a file, but without this protection some browsers will attempt to "sniff" the actual content of a response and override the declared type — for example, treating a text file or image as executable JavaScript if it appears to contain script content. Attackers can exploit this behaviour by uploading files to a website (such as profile images or documents) that contain hidden script content, which the browser then executes in the context of the site. Setting the nosniff directive instructs browsers to strictly honour the declared Content-Type and never attempt to guess it, closing off this attack vector. It is a simple, low-cost header with no legitimate reason to omit.

Evaluates the Referrer-Policy HTTP header on the company's website, which controls how much information about the originating URL is shared when a user navigates to another site or when the page loads third-party resources. When a user clicks a link or a page loads external scripts and images, browsers automatically send a Referer header to the destination containing the URL of the current page. Without a restrictive policy, this can expose sensitive information embedded in URLs — such as internal page paths, search queries, session identifiers, or customer reference numbers — to third-party analytics providers, advertising networks, or any external service the site communicates with. A well-configured Referrer-Policy such as no-referrer or strict-origin-when-cross-origin limits what is shared, protecting user privacy and reducing the risk of inadvertent data leakage.

Evaluates the security attributes applied to cookies set by the company's website. Cookies are commonly used to maintain user sessions, store authentication tokens, and track preferences — making them a frequent target for attackers. Three key security attributes determine how well cookies are protected: the Secure flag restricts the cookie to HTTPS connections only, preventing it from being transmitted over unencrypted connections where it could be intercepted; the HttpOnly flag blocks JavaScript from accessing the cookie, protecting against theft via cross-site scripting (XSS) attacks; and the SameSite attribute controls whether the cookie is sent with cross-site requests, mitigating cross-site request forgery (CSRF) attacks. Missing or misconfigured attributes on session or authentication cookies can expose users to session hijacking and account takeover. If no cookies are detected on the website, this test returns not applicable — this typically means the site does not use session-based functionality or was not reachable during assessment.

Checks whether the company's website is operational and returning a successful HTTP response, and whether the content appears to be a genuine business website rather than a placeholder. A non-responding or error-returning website may indicate that the company has ceased trading, that the domain is no longer maintained, or that there is an active infrastructure outage. The test also detects parking pages — placeholder sites typically served by domain registrars when a domain is registered but no website has been deployed — which can indicate an inactive or dormant business. In a supplier or due diligence context, an unresponsive website is an early indicator of operational risk. Returns not applicable if no domain is associated with the company.

Checks the redirect behaviour of the company's registered domain and assesses whether it follows secure practices. Two distinct issues are evaluated: first, whether the domain redirects to an entirely different domain — which may indicate a legitimate business change such as an acquisition, rebrand, or domain consolidation, but could also signal domain hijacking or an outdated Companies House filing pointing to a domain now owned by a third party; second, whether the site correctly redirects HTTP traffic to HTTPS, ensuring users who visit the insecure version of the site are automatically upgraded to an encrypted connection. A domain that does not enforce HTTPS redirects leaves users vulnerable to traffic interception. If the domain is unreachable or returns no response, this test returns not applicable, as redirect behaviour cannot be assessed without a live site.

Measures the response time of the company's website in milliseconds, recorded during the security assessment crawl. While website performance is not a direct security vulnerability, slow or degraded response times can be an indicator of wider infrastructure health issues. A consistently slow or unresponsive site may suggest under-resourced or neglected hosting infrastructure, which often correlates with delayed patching, outdated software stacks, and reduced operational resilience. In a due diligence or supplier risk context, poor web performance can be an early signal of financial pressure, reduced IT investment, or operational strain. It may also indicate that the site is experiencing an active incident such as a DDoS attack or server outage at the time of assessment. If the site was unreachable during the assessment, this test returns not applicable.

Checks whether the company's IP address or domain appears on any Spamhaus blocklists, which are among the most widely trusted and widely used threat intelligence feeds in the world. Spamhaus maintains several distinct lists, each targeting a different threat type: the SBL (Spamhaus Block List) identifies IP addresses directly involved in sending spam or controlled by spammers; the XBL (Exploits Block List) covers IPs compromised by malware, botnets, or exploits being used to send malicious traffic; the PBL (Policy Block List) flags IP ranges that should not be sending email directly, typically residential or dynamic IP allocations; and the DBL (Domain Block List) identifies domains associated with spam, phishing, or malware distribution. A listing on any of these is a serious signal — the majority of global email providers and enterprise mail gateways use Spamhaus data to filter or block incoming traffic, meaning a listed company may find its emails silently rejected or quarantined. In a supplier or due diligence context, a Spamhaus listing can indicate compromised infrastructure, poor security hygiene, or prior involvement in malicious activity.

Checks whether the company's domain appears in the URLhaus database, a threat intelligence feed maintained by abuse.ch that tracks URLs and domains actively used to distribute malware. URLhaus is populated through a combination of automated detection systems and a global community of security researchers who report malicious URLs in near real-time, making it one of the most current and operationally relevant malware threat feeds available. A listing indicates that the domain has been observed hosting or distributing malicious payloads — such as ransomware droppers, trojans, or exploit kits — either because the company is deliberately involved in malicious activity, or more commonly because their website or hosting infrastructure has been compromised by an attacker and is being used without their knowledge. In either case, a URLhaus listing is a critical finding: it means the domain is actively flagged as dangerous by security vendors and endpoint protection products, which may block access to the company's website entirely. For supplier or procurement due diligence, a listing indicates severely compromised cyber hygiene and poses a direct risk to anyone interacting with the company online.

Checks whether the company's domain is flagged by Google Safe Browsing, a threat intelligence service maintained by Google that identifies websites involved in phishing, malware distribution, and unwanted software. Google Safe Browsing data is used directly by Google Chrome, Mozilla Firefox, Apple Safari, and a wide range of security products and enterprise web filters — meaning a flagged domain will trigger a full-page browser warning for the vast majority of visitors before they can access the site. These warnings are highly visible and explicit, typically stating that the site has been reported as dangerous, and most users will not proceed past them. The consequences for a flagged business are severe: website traffic drops sharply, customer trust is damaged, and any email or link shared from the domain may be blocked or flagged by security tools. Listings arise from direct compromise — where an attacker has injected malicious content into the site — or from deliberate phishing and fraud activity. Like URLhaus, a Google Safe Browsing listing is a critical finding that warrants immediate investigation and remediation by the company.

Checks whether the company's website exposes sensitive files, directories, or administrative paths that should not be publicly accessible. Common exposures checked include .env files (which can contain database credentials, API keys, and passwords), .git repositories (which can expose full source code and commit history), backup SQL files, server-status pages, and CMS administrative interfaces such as wp-admin. The test distinguishes between two levels of risk: paths that are actually accessible and return content are flagged as failures, as they represent genuine exposure of potentially sensitive data; paths that exist but return proper 403 Forbidden or 404 Not Found responses are flagged as warnings, indicating the paths are present but protected. Note that if the site returns non-standard responses for all paths (soft 404/403 behaviour), some results may be false positives — the soft_404_detected flag in the evidence should be checked when interpreting findings.

Checks whether the web server has directory listing enabled, a configuration setting that allows anyone browsing to a directory path to see a list of all files and subdirectories within it rather than receiving an error. Directory listing is almost always unintentional and represents a significant information disclosure risk — it can expose backup files, configuration files, uploaded documents, old versions of scripts, and the full file structure of the website. This information assists attackers in identifying targets for further exploitation. Directory listing is disabled by default in most modern web server configurations, so its presence typically indicates a misconfiguration or oversight. When detected, the specific directories found to be exposed are recorded in the evidence.

Identifies the Content Management System (CMS) in use on the company's website and checks whether the detected version is current. A CMS is the software platform used to build and manage website content, and many businesses rely on popular off-the-shelf platforms rather than custom-built sites. Senserity detects seven platforms: WordPress, Joomla, Drupal, Shopify, Wix, Squarespace, and Magento. Version currency is critical for self-hosted platforms — WordPress, Joomla, Drupal, and Magento — where outdated versions frequently contain publicly disclosed security vulnerabilities that are actively exploited by automated scanning tools, often within days of a vulnerability being published. Joomla 3.x and Drupal 7/8 are end-of-life and no longer receive security patches. WordPress alone powers over 40% of all websites globally, making it the most heavily targeted CMS. Hosted platforms such as Shopify, Wix, and Squarespace manage updates centrally, so version risk is lower. If no CMS is detected, this test returns not applicable — the site may be custom-built, statically generated, or the platform may not be identifiable from the public-facing response.

Identifies the technology stack in use on the company's website, including web server software, programming language, framework, and hosting or CDN provider. From a security perspective, the primary concern is version disclosure — where a server reveals not just what software it runs, but the specific version number and underlying operating system (for example, Apache/2.4.58 (Ubuntu)). This information directly assists attackers in identifying known vulnerabilities for that exact version, reducing the effort required to mount an attack. Best practice is to suppress or obscure version information in server headers. The test is informational rather than scored as a pass/fail — the technology details are recorded for context and the version disclosure risk is noted where present.

Evaluates domain registration data retrieved via WHOIS lookup, providing intelligence on the age, ownership, and registration status of the company's domain. Four aspects are assessed: domain age flags domains registered less than one year ago as suspicious — a newly registered domain associated with an otherwise established company can indicate fraud, impersonation, or a recently created shell entity; expiry imminence warns when a domain is due to expire within 30 days, which may indicate administrative neglect, financial difficulty, or risk of the domain lapsing and being registered by a third party; registrar identity records which organisation manages the domain registration; and WHOIS privacy protection notes whether the registrant details are hidden behind a privacy proxy service, which is common practice but worth flagging on a business domain. Due to GDPR, many domain registrars now restrict or redact WHOIS data — where a lookup fails for this reason, the test returns a neutral result rather than a failure, as data unavailability is not itself a risk signal. If no domain is associated with the company, this test returns not applicable.

Reports on subdomains discovered for the company's domain and identifies any that are considered risky due to their nature or exposure. Development, staging, test, and admin subdomains (such as dev.company.com, staging.company.com, or admin.company.com) are frequently deployed with weaker security controls than production environments — they may have default credentials, unpatched software, or reduced access controls — yet are exposed on the public internet. The test also checks for wildcard DNS configurations, which resolve any subdomain to the same IP address regardless of whether a service is running there; this can mask the true number of subdomains and creates a risk of subdomain takeover, where an attacker registers a service at an unclaimed subdomain path. Returns not applicable if no subdomains are discovered.

Evaluates the fundamental DNS (Domain Name System) configuration for the company's domain, checking that the core records required for a functional and well-managed online presence are in place. DNS is the system that translates domain names into the IP addresses and server locations needed to route web traffic, email, and other services — misconfigured or missing DNS records can render a website or email system inaccessible. Four record types are assessed: the A record maps the domain to an IPv4 address and is the most fundamental DNS record — its absence means the domain cannot resolve to a website and indicates either abandonment or a serious configuration failure; nameservers define which DNS provider is authoritative for the domain and must be present for any DNS resolution to function; AAAA records provide IPv6 addressing and while not mandatory, their presence indicates modern, forward-looking infrastructure; and MX records direct incoming email to the correct mail server — their absence is noted but assessed separately by CYB-010 given that some companies use a different domain for email. Missing A records or nameservers are treated as failures; absent AAAA and MX records are informational only.

An informational test that explains how Senserity determined the email domain used for assessment, and surfaces any alternative domains or contact email addresses discovered during the website crawl. Understanding the email domain source is important context for interpreting other email security tests such as CYB-005, CYB-006, and CYB-007. Three source methods are possible: primary indicates the company's registered domain has MX records and is used directly for email; primary_no_mx indicates the registered domain was used as the basis for assessment even though no MX records were found — common where email is handled on a subdomain or separate infrastructure; and website_scrape indicates that the email domain was inferred from email addresses found on the company's website, typically used when the registered domain alone gives insufficient signal. Where the email domain differs from the website domain — for example a company whose website is at one domain but whose staff email addresses use another — this is noted as context. Any additional domains or email addresses discovered during the website crawl are also recorded here. This test always returns as informational and does not contribute to risk scoring.

Identifies the email service providers and sending platforms authorised in the company's SPF record to send email on behalf of their domain. SPF records list the services permitted to send legitimate email — common examples include Microsoft 365, Google Workspace, Mailchimp, SendGrid, HubSpot, and Salesforce. This is primarily an informational test that reveals which platforms the company relies on for email, but it also flags a governance concern: more than five authorised senders is flagged as a warning, as an excessively long list of permitted senders may indicate that old or unused service authorisations have not been cleaned up, weakening the overall effectiveness of the SPF record. Returns not applicable if no SPF record is present or no providers can be identified.

A composite summary test that evaluates the presence of all five key HTTP security headers across the company's website, providing an at-a-glance view of browser-level security posture. HTTP security headers are directives sent by a web server that instruct browsers on how to behave when handling the site's content — they are one of the most straightforward and widely recommended controls in web security, yet are frequently misconfigured or missing. The five headers assessed are: HSTS (HTTP Strict Transport Security), which enforces encrypted HTTPS connections; Content Security Policy (CSP), which defends against cross-site scripting attacks; X-Content-Type-Options, which prevents MIME-type sniffing; X-Frame-Options, which protects against clickjacking; and Referrer-Policy, which controls what URL information is shared with third parties. Each is also assessed individually in CYB-014 through CYB-018. Scoring is based on the number of headers present: all five present is a pass; three or four is a warning; two or fewer is a fail. A site with few or no security headers suggests limited attention to web security hygiene, as these headers require minimal effort to implement and have no impact on legitimate site functionality.

Identifies whether the company's website is served through a Content Delivery Network (CDN) or DDoS protection service such as Cloudflare, Akamai, AWS CloudFront, or Fastly. A CDN distributes website content across a global network of servers, improving load times and availability. From a security perspective, CDN providers typically also offer DDoS mitigation — absorbing large volumes of malicious traffic before it reaches the origin server — and conceal the origin server's real IP address, making it harder for attackers to target directly. CDN usage is a positive signal indicating investment in resilience and security infrastructure. However, absence of a CDN is not a failure — many legitimate businesses host directly — so this test always returns as a pass, with a higher score awarded where a CDN is detected.

Evaluates whether the company's DMARC record includes an explicit subdomain policy (the sp= tag), which controls how authentication failures on subdomains are handled. Without an explicit subdomain policy, subdomains inherit the main domain's DMARC policy by default — but this inheritance is not always reliable, and many organisations overlook subdomain protection when configuring DMARC. An attacker can exploit unprotected subdomains to send convincing fraudulent emails from addresses such as billing.company.com or payments.company.com, which are particularly effective in procurement and invoice fraud. Four outcomes are possible: an explicit reject policy on subdomains is the strongest protection; quarantine provides partial protection; where no sp= tag is present, subdomains inherit the main domain policy (a pass if that policy is reject, otherwise a warning); and where no DMARC record exists at all, this test returns not applicable as the concept of subdomain policy does not apply.

Evaluates which TLS (Transport Layer Security) protocol versions the company's website supports. TLS is the encryption protocol underpinning HTTPS — older versions contain known vulnerabilities that have been publicly disclosed and exploited. TLS 1.0 and TLS 1.1 are deprecated by all major browsers and standards bodies including PCI DSS, and their continued support is a compliance failure for any organisation handling payment card data; they are susceptible to attacks such as POODLE and BEAST. TLS 1.2 is the current accepted minimum standard. TLS 1.3 is the latest version, offering improved security through a streamlined handshake and removal of legacy cipher suites, and its presence is a positive indicator of up-to-date infrastructure. Supporting deprecated versions alongside modern ones is a failure — servers should be configured to disable TLS 1.0 and 1.1 entirely. Returns not applicable if TLS version data is unavailable.

Analyses the Subject Alternative Names (SAN) listed on the company's SSL/TLS certificate. A SAN certificate covers multiple domain names under a single certificate — the SAN field lists every domain and subdomain that the certificate is valid for. Reviewing the SAN list can reveal related brands, subsidiary domains, internal hostnames, or development environments that share the same certificate. A small SAN list is normal and expected. However, a very large SAN list — more than 50 domains — is flagged as a warning, as it typically indicates the company is using a shared hosting certificate issued to many unrelated customers by the same provider, which may suggest lower-cost or commodity hosting infrastructure rather than a dedicated setup. Returns not applicable if no SAN data is available.

Checks whether the company publishes an MTA-STS (Mail Transfer Agent Strict Transport Security) policy, which prevents email delivery over unencrypted SMTP connections. Without MTA-STS, SMTP encryption is opportunistic — a man-in-the-middle attacker can strip the STARTTLS offer and intercept email in plaintext, even when both the sending and receiving servers support TLS. MTA-STS publishes a policy declaring that senders must verify the receiving server's TLS certificate and refuse delivery if encryption cannot be established. Three policy modes exist: enforce actively blocks unencrypted delivery and provides full protection; testing allows delivery but requests failure reports so the domain owner can monitor before enforcing; none effectively disables the policy.

Checks whether the company has configured SMTP TLS Reporting (TLS-RPT, RFC 8460) by publishing a DNS record at _smtp._tls.<domain>. TLS-RPT allows a domain owner to receive reports from sending mail servers about TLS negotiation failures — for example, if a sender attempted to deliver email using TLS but encountered certificate errors, policy mismatches, or protocol downgrade issues. This is the monitoring companion to MTA-STS: without TLS-RPT, a company deploying MTA-STS has no visibility into whether legitimate senders are experiencing delivery failures due to the policy. Even without MTA-STS, TLS-RPT provides valuable operational intelligence about email transport security.

Composite assessment of email transport layer security combining MTA-STS enforcement status and TLS-RPT monitoring. While SPF, DMARC, and DKIM (tested separately) authenticate the sender of an email, this assessment evaluates whether email content is protected during transmission between mail servers. A company with both MTA-STS in enforce mode and TLS-RPT active demonstrates mature email transport security — they are both preventing plaintext email delivery and monitoring for any issues. The absence of both indicates that email between this company and its correspondents may be vulnerable to interception by network-level attackers.

Checks whether the company holds a current, valid Cyber Essentials or Cyber Essentials Plus certification. Cyber Essentials is a UK Government-backed scheme administered by IASME on behalf of the NCSC (National Cyber Security Centre) that certifies organisations have implemented five foundational technical controls: firewalls, secure configuration, access control, malware protection, and patch management. These controls address the most common cyber attack vectors and provide a baseline level of cyber hygiene. Many UK public sector contracts and government frameworks now require CE certification as a minimum condition for supplier approval. An expired or absent certification may indicate inadequate cyber security posture, ineligibility for certain contracts, or simply that the company has not yet pursued certification.

Identifies whether the company holds a basic Cyber Essentials (CE) or Cyber Essentials Plus (CE+) certification. Both certifications cover the same five technical controls, but differ significantly in how compliance is verified: basic CE is a self-assessment, where the organisation answers a questionnaire and attests to its own compliance; CE+ involves an independent technical assessment by an accredited assessor, including hands-on verification of the controls in place. CE+ therefore provides a substantially higher level of assurance. Organisations handling sensitive personal data, operating in regulated sectors, or bidding for higher-value government contracts are often required to hold CE+ specifically rather than the basic self-assessed certification.

Monitors how close the company's Cyber Essentials certification is to its expiry date. CE and CE+ certificates are valid for 12 months from the date of issue and must be renewed annually to remain current. A certificate approaching expiry without evidence of renewal may indicate a lapse in security commitment, administrative oversight, or difficulty in meeting the certification requirements again. For procurement teams, this is important context — a supplier's certification should remain valid throughout the duration of a contract, so a certificate expiring within the contract period warrants clarification. This test flags certificates nearing expiry so that procurement decisions can account for renewal status.

Assesses how recently the company's Cyber Essentials certification was awarded. Since CE certificates are valid for 12 months, a recently issued certificate indicates the company has undergone a current assessment of their cyber security controls against the five CE technical domains: firewalls, secure configuration, user access control, malware protection, and patch management. An older certificate, even if not yet expired, may reflect a security posture assessed some time ago — cyber threats evolve rapidly, and a company's controls may have changed since certification. The certification date therefore provides useful context alongside the expiry date when evaluating the currency of a supplier's cyber security assurance.

Evaluates the confidence level of the match between the company name searched and the name on the Cyber Essentials certificate found. Because the IASME certification register is searched by company name, and companies may be certified under a trading name, parent company name, or slight name variation, not all matches are exact. An exact match provides high confidence that the certificate belongs to the company being assessed. A partial or fuzzy match may indicate a legitimate variation — such as a subsidiary certified under a group name — but could also represent a different company entirely. Where match confidence is low, manual verification of the certificate reference against the IASME register is recommended before relying on the result.

Confirms whether a Cyber Essentials certification search has been performed for this company. This is a data completeness check — if no screening record exists, the company's CE certification status is unknown rather than confirmed absent. A not-screened result should not be interpreted as meaning the company lacks certification; it means the enrichment has not yet been run for this company. Once screening is performed, the result will reflect the actual certification status found on the IASME register.

Identifies whether the Cyber Essentials certification search for this company encountered errors during the enrichment process. Search failures can occur for a variety of reasons including API issues, rate limiting by the IASME register, network errors, or scraping problems. Where errors are detected, the certification result should be treated as indeterminate — a failed search does not confirm that the company lacks certification, only that the lookup was unsuccessful. Persistent errors on re-run may indicate a systemic issue with the enrichment for this company and may require manual verification.

Monitors how recently the Cyber Essentials screening was performed for this company. Since CE certificates are valid for 12 months, screening data older than six months may not reflect the current certification status — the company may have renewed, allowed their certificate to lapse, or upgraded from CE to CE+ since the last check. Regular re-screening ensures that procurement and risk decisions are based on current information. This test flags stale screening data so that affected companies can be prioritised for re-enrichment.

Verifies that a valid certificate reference number (UUID) is recorded for the company's Cyber Essentials certification. The certificate reference is a unique identifier assigned to each certificate by IASME, the scheme administrator, and can be used to independently verify the certification directly on the IASME or NCSC certification register. A certificate claim without a reference number cannot be independently verified and should be treated with lower confidence. Where a reference is available, procurement teams can confirm the certificate's authenticity, the certified organisation name, the certification level, and the expiry date through the public register.

Tracks the cyber risk category score across multiple assessment runs and uses linear regression to determine whether cyber risk is improving, stable, or deteriorating. A score decrease of 5 or more points indicates improvement, a change within 5 points is stable, and an increase of 5 or more points indicates deterioration. Cyber posture can change rapidly due to events such as certificate expiry, new vulnerabilities, or email configuration changes, so this trajectory can be more volatile than other categories. The result includes a confidence grade from A to D based on how much data is available. Grade A (high confidence) requires at least 6 data points spanning 180 or more days. Grade B (good confidence) requires at least 4 data points spanning 90 or more days. Grade C (low confidence) requires at least 2 data points spanning 30 or more days. Grade D (insufficient data) means the history is too short or too sparse to draw meaningful conclusions. A newly assessed company will typically start at grade D and improve as assessments accumulate over weeks and months.

Monitors for multiple cyber-related tests deteriorating at the same time. Two simultaneous failures raise a warning; three or more suggest systemic IT neglect and trigger a high-priority alert. Examples include SSL expiring alongside SPF removal or Cyber Essentials lapsing.

Aggregates all cyber-category test results into a single 0-100 score. Covers website security, SSL/TLS, email authentication, ICO, Cyber Essentials.

Checks whether the company holds an active ISO 27001 (Information Security Management System) certification. ISO 27001 is the gold standard for information security management and is often mandatory for suppliers handling sensitive data.

Calculates a composite cyber maturity score combining four key areas: web security, email security, Cyber Essentials certification status and level, and ISO 27001 information security certification. Each component is weighted to produce a 0–100 score reflecting the organisation's overall cyber posture. A higher score indicates stronger, more comprehensive cyber security across both technical controls and formal certifications.

Compares a company's Cyber Essentials certification status with its actual observed web and email security posture. A significant gap between holding a certification and the reality of security controls may indicate the certification was obtained without genuine, sustained security implementation.

Compares a company's ISO 27001 information security certification with its actual observed web and email security controls and Cyber Essentials status. An ISO 27001-certified company should demonstrate above-average security practices — significant shortfalls raise questions about the robustness of the certification.

Analyses the relationship between a company's web security score and email security score to identify an unbalanced cyber posture. Balanced security across both areas is a sign of maturity, while a significant gap suggests the company may be applying point solutions rather than managing security systematically.

Checks whether a Creditsafe credit report has been obtained for this company. This is the gateway test — all other CRD-xxx tests depend on a report existing. A missing report means either the company hasn't been enriched via Creditsafe, the search failed, or the company is not in Creditsafe's database.

Evaluates the Creditsafe risk score (1-100 scale where higher = safer) to assess the company's overall creditworthiness. Scores below 30 indicate high risk; 30-50 moderate risk; 51-70 low risk; 71+ very low risk. Companies scored as "Not Scored" typically have active insolvency or severe adverse information.

Classifies the company by its Creditsafe credit rating band (A through E, or Not Scored). A = Very Low Risk, B = Low Risk, C = Moderate Risk, D = High Risk, E = Not Scored. Particularly important for companies that fall to "Not Scored" status which typically indicates active insolvency or winding-up proceedings.

Evaluates the maximum recommended credit exposure for this company as determined by Creditsafe. Critical for procurement professionals to size contracts appropriately and manage financial exposure. A NULL or zero credit limit with a "Not Scored" rating is a severe red flag.

Evaluates the maximum recommended contract value as determined by Creditsafe. The contract limit is typically higher than the credit limit and represents the total contract value that Creditsafe considers appropriate. Important for large procurement contracts where the total value significantly exceeds the credit terms.

Evaluates the statistical probability that the company will become insolvent within the next 12 months, as calculated by Creditsafe's scorecard models. The Probability of Default (PoD) is expressed as a percentage — for example, 0.07% indicates very low risk while 3.0% indicates high risk. Thresholds are aligned to Creditsafe's official UK risk bands: Band A (Very Low Risk) has a PoD below 0.19%, Band B (Low Risk) ranges from 0.19% to 0.74%, Band C (Moderate Risk) from 0.75% to 2.99%, and Band D (High Risk) is 3.0% and above. The PoD is shown alongside the Creditsafe rating band for easy cross-reference with the Credit Risk Score (CRD-002) and Credit Rating (CRD-003). Particularly useful for quantitative risk assessments and portfolio-level risk aggregation.

Detects whether the company's credit rating has changed from its previous assessment. A downgrade signals deteriorating financial health. Particularly important for ongoing supplier monitoring — a ratings downgrade is often an early warning of financial distress.

Evaluates the company's payment behaviour based on reported trade payment data. This score reflects how reliably the company pays its suppliers on time. Weaker payment behaviour correlates with late payments, disputes, and potential cash flow problems.

Analyses the average number of days the company pays beyond agreed payment terms, compared to its industry average. Company DBT showing N/A means Creditsafe has insufficient trade payment references on file to calculate a reliable figure — it does not mean zero days late. The Industry figure is the average DBT across all companies in the same broad sector as defined by Creditsafe (broader than SIC code — typically at section or division level, e.g. Construction, Manufacturing), calculated from Creditsafe's own trade payment database. A company paying significantly worse than its industry peers is a stronger negative signal than absolute DBT alone.

Evaluates the direction of the company's payment behaviour over recent periods. A "Worsening" trend is an early warning signal that a company is taking longer to pay its bills — often a precursor to cash flow difficulties.

Calculates the percentage of reported trade payments that were made late. A high late payment ratio indicates systematic cash management problems. This is a more granular measure than DBT because it shows what proportion of invoices are affected, not just the average delay.

Analyses the distribution of late payments across aging buckets (within terms, 0-30 days, 31-60 days, 61-90 days, 90+ days). Reveals not just whether payments are late, but HOW late. Critical for understanding the severity of payment delays.

Evaluates current outstanding balances owed to trade creditors, distinguishing between amounts still within terms and those that are overdue. Severity scales with overdue value: £50K+ is high severity (significant exposure), £10K-£50K is medium (fail), £1K-£10K is medium (warning, minor balance), under £1K is low (trivial). Any overdue amount triggers the test but small balances for companies with otherwise healthy payment profiles (see CRD-011 late ratio) may reflect invoice disputes rather than systemic payment issues.

Evaluates the company's latest shareholders' equity as reported in the Creditsafe report. Negative shareholders' equity means liabilities exceed assets — a balance sheet insolvency indicator. Provides an independent data point that may be more recent than the last Companies House filing, cross-checking FIN-010/FIN-011.

Evaluates the calculated_risk_level and calculated_risk_score fields which represent Senserity's own risk assessment derived from Creditsafe data. This is a composite score factoring multiple Creditsafe signals (credit rating, CCJs, insolvency, payment behaviour) into a single risk level for quick triage.

Assesses the volume and availability of trade payment data reported for this company. Companies with more trade references provide more reliable payment behaviour signals. Very few or no trade references mean payment score and DBT figures may be unreliable.

Evaluates the company's operational status as reported by Creditsafe, which may include additional status detail beyond Companies House. This can catch status changes faster than CH updates and provides Creditsafe's own interpretation. Supplements FIN-001 (CH company status).

Tracks the company's overall risk score across multiple assessment runs and uses linear regression to determine whether risk is improving (score decreasing by 5 or more points), stable (within 5 points), or deteriorating (score increasing by 5 or more points). Requires at least two historical runs to calculate a trajectory. The result includes a confidence grade from A to D that indicates how reliable the trajectory analysis is, based on the number of data points and the time span they cover. Grade A (high confidence) requires at least 6 data points spanning 180 or more days. Grade B (good confidence) requires at least 4 data points spanning 90 or more days. Grade C (low confidence) requires at least 2 data points spanning 30 or more days. Grade D (insufficient data) means the available history is too short or too sparse to draw meaningful conclusions — for example, many runs within a few days would still receive a D because the time span is too narrow to establish a genuine trend. A newly assessed company will typically start at grade D and improve as assessments accumulate over weeks and months.

Tracks the financial category risk score across multiple assessment runs and uses linear regression to determine whether financial risk is improving, stable, or deteriorating. A score decrease of 5 or more points indicates improvement, a change within 5 points is stable, and an increase of 5 or more points indicates deterioration. Financial trajectory is particularly important for supplier and acquisition assessments where it serves as a leading indicator of emerging problems. The result includes a confidence grade from A to D based on how much data is available. Grade A (high confidence) requires at least 6 data points spanning 180 or more days. Grade B (good confidence) requires at least 4 data points spanning 90 or more days. Grade C (low confidence) requires at least 2 data points spanning 30 or more days. Grade D (insufficient data) means the history is too short or too sparse to draw meaningful conclusions. A newly assessed company will typically start at grade D and improve as assessments accumulate over weeks and months.

Flags when a company's credit score has changed since the last assessment. Even small movements on the Creditsafe scale represent a shift between risk bands, so any real change is highlighted.

Alerts when a company's official status at Companies House has changed — for example, moving from Active to In Administration, Liquidation, or Dissolved. Any status change is significant and may require immediate action.

Detects when a new insolvency event has appeared since the last assessment, such as administration, liquidation, or a winding-up order. Active insolvency directly threatens a company's ability to trade and fulfil contracts.

Flags when a new mortgage or charge has been registered at Companies House since the last assessment. New charges may represent routine refinancing or could indicate emergency borrowing under financial pressure.

This is the overall company risk score — the single headline number that represents the combined assessment across all nine risk categories. It produces a score from 0 to 100, where 0 indicates the lowest risk and 100 the highest. The score is calculated in two stages. First, each category's severity-weighted average is combined using configurable category weights: Financial (20%) and Legal and Compliance (15% each) carry the most weight as they represent the most material risks to business relationships. Governance (12%), Operational (10%), and Cyber (10%) follow as core structural and technical indicators. Media (8%) captures reputational signals, while Social/ESG (5%) and Network (5%) provide supplementary context. Second, the Red Flag mechanism checks for specific catastrophic conditions — sanctions matches, insolvency, company dissolution, disqualified directors, HSE fatality convictions, and serious adverse media. If any Red Flags are detected, a tier-based bonus is added to the weighted average: Tier 1 (+60) for existential risks, Tier 2 (+40) for severe risks, or Tier 3 (+20) for significant risk factors. Only the highest tier applies. This ensures that companies with truly dangerous conditions cannot hide behind a low average from passing tests. When no Red Flags are detected, the score equals the weighted category average. Within each category, individual test results are weighted by severity: critical tests carry the most influence, followed by high, medium, and low. Info-severity tests are excluded from scoring. The score adjusts for test coverage — when fewer tests have run, only the available results contribute. Category weights can be customised per tenant. This score feeds into the risk grade (DRV-065), the Red Flag analysis (DRV-069), and is used by the use-case summary tests as their baseline.

Aggregates all financial-category test results into a single 0-100 score. Each test result is weighted by its severity tier — critical tests carry the most influence, followed by high, medium, and low. Info-severity tests are excluded from scoring. The score is normalised for test coverage so that missing tests do not artificially inflate or deflate the result. A lower score indicates fewer and less severe risk factors in this category.

Converts the overall company risk score (DRV-055) into a letter grade from A to E and enriches it with trend, confidence, and peer context. The grade is the single most visible indicator of a company's risk profile, appearing in page headers, watchlist tables, and comparison views. Grade thresholds: A = Excellent (0–14), B = Good (15–29), C = Adequate (30–49), D = Concerning (50–74), E = Critical (75–100). Lower scores represent lower risk. The grade is enriched with three optional context signals when available. The trend arrow (from DRV-001) shows whether the company's risk trajectory is improving, stable, or deteriorating based on linear regression across historical assessment runs — this requires at least two prior assessments and becomes more reliable as data accumulates over time. The score confidence band (from DRV-041) indicates how much trust can be placed in the current score by combining data completeness, enrichment freshness, and the proportion of insight tests that produced scorable results — high confidence means the score is based on comprehensive, recent data, while low confidence signals gaps that may change the score once filled. The sector percentile ranking (from DRV-042) shows where the company sits relative to other assessed companies in the same industry, matched by SIC division then broader section, providing peer context for whether a score is typical or unusual for the sector. Each grade is mapped to a fixed tracking score (A=7, B=22, C=40, D=62, E=87) for trend analysis, ensuring that grade changes produce consistent movements on trend charts regardless of the exact underlying score.

Identifies and explains the Red Flag triggers that have affected the overall company risk score. Red Flags detect specific high-severity conditions — sanctions matches, insolvency, company dissolution, disqualified directors, HSE fatality convictions, and financial crime media exposure — and add a score bonus to the weighted average. This test shows which flags fired, what tier they belong to, the bonus applied, and the breakdown of the weighted average before and after the adjustment. When no Red Flags are detected, the test confirms the score is based purely on the weighted category average.

Checks whether the company is active, dissolved, in liquidation, or in another risk state. This is a critical first-line check as inactive or distressed companies pose immediate supply chain risk. For overseas companies registered under an FC number, when the company is active, the test also checks UK establishment status. An active FC company with open UK establishments confirms ongoing UK operations. An active FC company where all establishments have closed may indicate withdrawal from the UK market.

Calculates the company's age from incorporation date and flags very new companies (under 1 year) as higher risk due to limited track record. New companies have higher failure rates and less verifiable history.

Assesses the company's registered charges (mortgages, debentures, fixed/floating charges). A high number of outstanding charges may indicate heavy borrowing and financial pressure. Tracks total charges, outstanding, satisfied, and partly satisfied.

Detects companies that are likely dormant based on SIC code 99999 (Dormant Company No Significant Accounting Transactions). A dormant company is not actively trading and presents risk if it is supposed to be your supplier or partner. May also indicate a shell company.

Provides the company's industry classification based on SIC codes and flags certain high-risk or notable industry sectors. Useful for sector risk profiling and identifying shell-like classifications.

Specifically detects the Active - Proposal to Strike off status which indicates Companies House has proposed or is in the process of removing the company from the register. The company may be struck off within 2-3 months unless action is taken.

Analyses the historical rhythm of accounts filings by measuring intervals between consecutive period-end dates. Establishes a baseline cadence from the median of the last 5 inter-filing intervals. The current gap (months since most recent period end) is reduced by the statutory filing allowance (6 months for PLCs, 9 months for all other company types) before comparison — ensuring companies that have not yet reached their deadline are never flagged. The adjusted gap is then compared against the baseline to detect whether a company is running late relative to its own established pattern. Requires at least 3 historical filings to compute a reliable baseline. Distinct from FIN-003 (legally overdue) and FIN-004 (absolute filing recency).

Evaluates the company's most recent net asset position from filed accounts. Negative net assets (liabilities exceed assets) indicate balance sheet insolvency — the company owes more than it owns. This is a fundamental solvency indicator.

Examines shareholder funds (equity) from the most recent accounts. Negative shareholder funds indicate accumulated losses exceeding initial capital investment. Persistent negative shareholder funds suggest reliance on external funding or creditor forbearance.

Assesses working capital (current assets minus current liabilities) and the current ratio (current assets ÷ current liabilities). The current ratio measures whether a company can meet its short-term obligations. Below 1.0 means liabilities exceed assets (fail) — the company cannot cover its debts. Between 1.0 and 1.5 indicates a limited buffer (warning). Above 1.5 is healthy. Significantly negative working capital (below -£10,000) is also flagged regardless of ratio. This is a more immediate liquidity indicator than net assets or gearing.

Evaluates the company's cash and bank balances from filed accounts. Low or zero cash relative to liabilities indicates limited liquidity buffer. A company may have positive net assets but critically low cash, making it vulnerable to short-term shocks. Also calculates Cash Coverage — the percentage of short-term creditors (amounts due within one year) that could be settled from cash alone. For example, cash of £60,000 against short-term creditors of £100,000 gives 60% coverage. Below 10% is considered low; below 5% is critically low. The previous year's cash balance is shown as a secondary value to indicate the year-on-year trend.

Evaluates the company's total asset base from filed accounts. Reports the split between fixed assets (non-current: property, equipment, intangibles — things the business owns for the long term) and current assets (cash, debtors, stock — things expected to convert to cash within a year). Also calculates the fixed-to-current ratio: fixed assets divided by current assets. A ratio above 1.0 means more long-term assets than short-term (typical of asset-heavy businesses such as manufacturers or infrastructure companies). A ratio below 1.0 means more liquid, short-term assets (typical of service businesses or consultancies). For example, fixed assets of £247,000 and current assets of £212,000 gives a ratio of 1.17:1. Many micro and abbreviated filings do not include the breakdown, in which case only the total is shown.

Analyses the company's liability structure — total liabilities, split between short-term (creditors within one year) and long-term (creditors after one year). The gearing ratio (total liabilities ÷ shareholder funds) measures how much the company relies on debt versus equity. A ratio below 1:1 means more equity than debt (conservative). Between 1:1 and 2:1 is moderate leverage. Above 2:1 indicates heavy reliance on debt. Above 4:1 is critical. High short-term liabilities relative to current assets indicate refinancing risk.

Reports the company's turnover (revenue) from filed accounts where available. Turnover is only disclosed in full accounts and micro entity accounts (approximately 2.3% of filings) — abbreviated accounts, the most common filing type, do not include it, so a not applicable result is expected for most companies. Where two consecutive years of turnover are available, the Year-on-Year (YoY) change is calculated as: ((current year - prior year) / prior year) x 100. For example, turnover of £500,000 against a prior year of £400,000 gives +25.0% YoY; turnover of £300,000 against £400,000 gives -25.0% YoY. The previous year figure is shown as a secondary value for direct comparison. A decline of more than 20% triggers a warning; more than 50% is high concern.

Evaluates profitability from filed accounts. Checks profit/loss, operating profit, gross profit and margins where available. Consecutive loss years are graded: 5+ years is high severity (systemic, score 10), 3-4 years is medium (sustained, score 20), 2 years is low (emerging concern, score 35). A single year loss is a low warning (score 45). A declining profit trend exceeding 20% year-on-year is also flagged. When consecutive losses are detected, a year-by-year breakdown shows the loss trajectory alongside turnover and margin.

Reports the number of employees from filed accounts and analyses the year-on-year trend. Significant workforce reduction may indicate financial distress or restructuring. Zero employees in a non-dormant company is unusual. Year-on-Year (YoY) change is the percentage difference in headcount between the most recent filing and the prior year: ((current - previous) / previous) x 100. For example, 10 employees against a prior year of 8 gives +25.0% YoY; 6 employees against 8 gives -25.0% YoY. The previous year headcount is shown as a secondary value for direct comparison. Warning triggers: decline of more than 30% YoY (workforce reduction signal); zero employees for a non-dormant company; headcount above 1,000,000 (likely a data error). Growth above 100% YoY is noted but does not trigger a warning.

Measures how much financial data is available in the company's most recent filing by checking 15 key fields: turnover, gross profit, profit/loss, net assets, total assets, fixed assets, current assets, shareholder funds, creditors due within one year, creditors due after one year, debtors, cash in bank, staff costs, employee count, and operating profit. The percentage shown is the proportion of these fields that contain a value — for example, 9 out of 15 fields populated gives 60%. This score provides important context for all other financial insights: a low score means many tests will return "not applicable" simply because the data was not disclosed, not because there is a problem. Full accounts typically score 60–100%; abbreviated and small company accounts 20–60%; micro-entity accounts often 0–20%; dormant filings usually 0%.

Analyses year-on-year trends across up to 8 key financial indicators (net assets, shareholder funds, working capital, cash, total assets, turnover, profit/loss, employees) using up to 5 years of filings. A decline is defined as a fall of more than 5% versus the prior year. Indicators are weighted by importance: net assets and working capital carry double weight. Warning triggers when the weighted decline score reaches 3 or more; fail triggers at 6 or more. For example, net assets falling 10% (weight 2) plus cash falling 8% (weight 1) = weighted score of 3, triggering a warning. Stable or improving metrics across the majority of indicators results in a pass.

Identifies whether the company files consolidated (group) accounts, indicating it is a parent company with subsidiaries. Consolidated accounts aggregate financial data across the entire group, which can make an individual entity appear larger or healthier than it is in isolation. This insight is informational only — it does not trigger a warning or fail. The result is always a pass, with the badge distinguishing between consolidated (group) accounts and individual entity accounts. Where group accounts are filed, users should be aware that other financial insights reflect the group position rather than the parent company alone, and that subsidiary-level analysis may be needed for a complete picture.

Identifies the currency used in the company's most recent filed accounts and flags any change from the prior year. GBP is the standard; non-GBP reporting indicates the company's primary operations or parent entity may be overseas, which can introduce exchange rate risk and makes direct financial comparisons more complex. The only trigger for a warning is a change in reporting currency between years — for example, switching from GBP to EUR — as this may indicate a change of ownership, restructuring, or operational shift. Non-GBP currencies without a change (EUR, USD, or other) result in a pass with a contextual note. GBP with no change is a straightforward pass. For overseas companies registered under an FC number, any UK establishments are noted as corroborating evidence of UK operations when non-GBP reporting is detected.

Calculates debtor days (trade debtors / turnover x 365) and debtor concentration (debtors as a percentage of current assets) where data is available. Debtor days measure how long on average customers take to pay. For example, debtors of £100K on turnover of £400K equals 91 days. Debtor concentration above 80% means most current assets are tied up in unpaid invoices, creating liquidity risk. Warning triggers above 90 debtor days or 80% concentration; fail triggers above 120 days. When turnover is unavailable, only the debtors balance is shown.

Calculates staff costs as a percentage of turnover using the formula (Staff Costs / Turnover) x 100. For example, staff costs of £80K on turnover of £200K equals 40.0%. Where employee headcount is also available, average cost per employee is computed (Staff Costs / Employees). High ratios above 80% indicate very labour-intensive operations, which is noted but does not trigger a warning — this is normal for professional services, care, or consulting businesses. A negative ratio indicates a data anomaly. The test is not applicable if either staff costs or turnover are missing from the filing.

Checks whether any financial data exists for the company and classifies the reason if none is found. Where financial history exists, the test passes and gates all other financial insights. Where no history exists, the outcome depends on company status and age. Dormant companies pass — no filings are expected. Dissolved or converted companies pass — they are closed and historical absence is expected. Companies in liquidation or insolvency fail with critical severity — they ceased filing due to formal insolvency proceedings, not negligence. Companies in administration, receivership, or voluntary arrangement fail with high severity — same reasoning. New companies under 2 years old trigger a warning as their first filing may not yet be due. All other established companies with no filings fail with medium severity as possible serial non-filers. This test should be read alongside FIN-003 (accounts overdue) which assesses filing timeliness from Companies House metadata.

Measures the charity's latest gross annual income and classifies it into size bands (micro <£10K, small £10K–£100K, medium £100K–£1M, large £1M–£10M, major £10M+). Zero-income charities are flagged as potentially dormant or newly established. Provides financial scale context for all other charity financial tests.

Calculates the ratio of latest expenditure to latest income to identify deficit spending. A ratio above 1.2 triggers a warning; above 1.5 is a fail. Charities spending with zero income are flagged as a fail. A low ratio (significant underspend) is noted as informational. Not a substitute for trend analysis — see FIN-036 for multi-period patterns.

Evaluates the charity's total net assets from its latest financial filing. Net assets represent everything the charity owns minus everything it owes, and is the single most important indicator of financial viability. Negative net assets indicate technical insolvency — the charity owes more than it owns. Positive but declining net assets year-on-year are flagged as a warning when the decline exceeds 25%. Also surfaces how the asset base is split between unrestricted, restricted, and total funds to provide a complete picture of financial position.

Evaluates the charity's unrestricted (free) reserves from its latest financial filing. A charity can show positive total net assets while being operationally insolvent if all funds are locked in restricted or endowment funds — money that cannot legally be used for day-to-day operations. Negative unrestricted funds mean the charity cannot meet current obligations from available resources regardless of its overall balance sheet position. Positive reserves are assessed against monthly expenditure to calculate how many months of operational cover is available; fewer than 3 months triggers a warning in line with Charity Commission guidance on adequate reserves.

Assesses charity reliance on government contracts and grants as a proportion of total income, and visualises how income is split across government contracts, government grants, and other sources. Dependency of 75% or more triggers a warning — policy changes, budget cuts, or contract losses at this level could severely impact operations. Dependency between 50–74% is noted as moderate. Below 50% is considered acceptable diversification.

Checks whether the charity has disclosed employees earning over £60,000. Charities are legally required to report this. The total employee headcount is shown alongside the high-earner disclosure flag to provide proportionality context — a charity with 500 staff disclosing high earners is very different from one with 3 staff doing so. Note that the source data records only whether any employees earn over £60K, not how many; the precise count is not published by the Charity Commission. This is an informational indicator rather than a risk flag.

Plots income and expenditure across all available annual filing periods to identify financial trajectory. Income declining for 3 or more consecutive years triggers a warning. A persistent deficit — where expenditure exceeds income in the majority of periods — is also flagged. Requires at least 2 periods of data to produce a meaningful trend. Contextualises the single-period snapshots in FIN-030 and FIN-031 by showing whether the current position represents a stable pattern or a deteriorating one.

Assesses how completely the latest Charity Commission annual return is populated across 17 key financial fields covering income breakdowns, expenditure breakdowns, asset and fund positions, employee count, and high-earner indicator. Scored as a percentage of fields present in the most recent filing period. Results are banded into three outcomes: None (0 fields, score 20) where no financial history exists at all; Limited (under 50% populated, score 40) where data is too sparse for reliable analysis; Partial (50–75% populated, score 65) where core figures are present but some breakdowns are missing; and Full (over 75% populated, score 85) where rich data is available. This test directly contextualises FIN-030 through FIN-036 — a Limited or None result means those tests either cannot run or should be treated with caution.

Classifies the company into one of four size bands defined under the Companies Act 2006, using the most recently filed turnover and employee count. Micro: turnover up to £632,000 and up to 10 employees. Small: turnover up to £10.2 million and up to 50 employees. Medium: turnover up to £36 million and up to 250 employees. Large: exceeds medium thresholds. Where only one metric is available, classification is based on that metric alone. Where both are available, both must fit the band. This is an absolute classification against statutory thresholds — it does not compare the company against others in its sector or SIC code. All outcomes are informational and score 75.

Counts the number of outstanding (unsatisfied) registered charges against the company. While having charges is normal for a trading business, a high number of outstanding charges can indicate heavy leverage, multiple secured creditors competing for the same asset pool, or a pattern of refinancing rather than repaying debt. Fewer than four outstanding charges is considered within normal range; four or more signals elevated leverage; ten or more is exceptionally high and typically associated with distressed financing structures.

Identifies whether any outstanding charge includes a floating charge that covers all the company's property and assets. A blanket floating charge gives the secured creditor priority over substantially all assets if the charge crystallises — typically triggered by default, appointment of a receiver, or insolvency. For unsecured trade suppliers, being behind a blanket floating charge holder means they would rank last for repayment in any insolvency scenario.

Identifies whether any outstanding charge contains a negative pledge covenant — a contractual undertaking by the company not to create further security over its assets without the existing lender's consent. A negative pledge restricts the company's ability to raise additional secured finance and indicates the lender has imposed tight covenant controls. Its presence does not mean the company is in distress, but it is a signal that financing headroom may be limited.

Identifies outstanding charges that contain fixed charges over specific named assets such as property, plant and equipment, or intellectual property. Unlike floating charges, a fixed charge attaches to the specific asset immediately and gives the charge holder absolute priority over that asset ahead of all other creditors in any insolvency. The nature and value of fixed-charged assets reveals which of the company's key assets are encumbered and unavailable to other creditors.

Calculates the proportion of a company's registered charges that have been fully satisfied (discharged). A low satisfaction rate — where many charges have been created but few repaid — may indicate the company relies on revolving credit facilities, has a pattern of refinancing rather than repaying debt, or has not filed satisfaction notices correctly at Companies House. A high satisfaction rate suggests the company has a track record of repaying secured obligations.

Identifies charges created or satisfied in the last 12 months. New charges indicate recent secured borrowing — this may reflect growth financing or, in the context of other risk signals, distress funding. Recent satisfactions suggest debt is being repaid or that assets have been sold. Rapid new charge creation (three or more in 12 months) is treated as a warning sign of accelerating leverage. This test is a leading indicator of financial trajectory.

Analyses the age distribution of outstanding charges by grouping them into bands (under 2 years, 2–5 years, 5–10 years, and over 10 years). Charges registered over 21 years ago predate the Companies Act 2006 and warrant particular scrutiny — they may represent genuine long-term structural debt, or they may indicate that satisfaction notices were never filed despite the underlying loan being repaid. Either way, very old outstanding charges suggest the charge portfolio may not accurately reflect current financing arrangements.

Analyses the diversity of secured lenders across the company's outstanding charges. A company with all outstanding charges held by a single lender has concentrated lender risk — that lender has significant influence over the company and could enforce their security, restrict further borrowing, or appoint a receiver in the event of default. Multiple lenders may indicate a healthier diversified financing structure, though it also introduces inter-creditor complexity where lenders may have competing priorities.

Analyses outstanding charges by type to provide a structural view of the company's secured financing arrangements. Charge types carry different risk implications: debentures grant the lender a floating charge over all company assets and are typically used by banks for general lending facilities; fixed charges (mortgages, legal charges) are secured against specific named assets such as property or equipment and give lenders priority on that asset in insolvency; debentures combining fixed and floating elements offer the broadest security coverage; security agreements and factoring arrangements cover receivables or stock; and credit agreements relate to revolving or hire-purchase facilities. A concentration of debentures or fixed and floating charges from multiple lenders may indicate a highly leveraged position. The table shows each charge type grouped by lender, with the oldest and newest creation dates indicating when charges of that type were first and most recently registered — useful for understanding how long a financing arrangement has been in place and whether new secured lending has been added recently.

Identifies companies with no registered charges at all. The absence of charges may be a positive indicator — the company may be entirely self-funded through equity or retained profits, or it may have access to unsecured credit facilities such as overdrafts. However, absence of charges may also indicate the company is too early-stage or too small to have secured lending, or that enrichment data has not yet been collected. This finding should be interpreted alongside company age, size, and financial data.

Analyses this company's public sector tender awards to detect over-reliance on a small number of buyers. Calculates a Herfindahl-Hirschman Index (HHI) — a standard measure of market concentration used in economics and competition analysis. The HHI is computed by summing the squared share of each buyer as a proportion of total awards: a company winning all contracts from a single buyer scores 1.0 (maximum concentration), while awards spread evenly across many buyers approaches 0.0. An HHI above 0.5 with three or fewer buyers flags significant revenue dependency risk — if a key public sector client is lost, it could materially impact the company. An HHI between 0.25 and 0.5 indicates moderate concentration worth monitoring.

Checks whether charities linked to this company — either through dual registration or through director-trustee crossover — are flagged as insolvent or in administration. A charity in financial distress connected to a commercial entity poses reputational and potential financial risk, especially if the company has financial relationships with the charity.

Calculates the total value of public sector contracts awarded to this company where a value has been disclosed. Not all contract awards include a value — the test reports the proportion of awards with values alongside the total. This provides insight into the scale of public sector revenue and the financial significance of government work to the company.

Measures the concentration of a company's public sector contracts across different buyers (contracting authorities). A company reliant on a single buyer for most of its public contracts faces significant concentration risk — loss of that relationship could dramatically impact revenue. The test requires a minimum volume of contracts before concentration analysis is meaningful: companies with 1–3 awards are reported as informational only (a single contract can only have one buyer by definition); companies with 4–5 awards apply softer thresholds (warning at most, never fail); companies with 6 or more awards apply full thresholds — over 80% from one buyer is a fail (score 20), over 60% is a warning (score 40), and a diversified buyer base scores 80.

Identifies whether this company has been awarded any high-value public sector contracts (>£1M, >£10M, >£100M). Large contract awards indicate significant operational capability and financial capacity but also represent concentration risk if a single contract dominates revenue.

Analyses the trend in total annual contract value for this company's public sector awards over time. An increasing value trend indicates the company is winning larger contracts. A declining value trend may indicate competitive pressure or budget constraints in their buyer base.

Assesses how dependent a company may be on public sector revenue by evaluating four dimensions of its tender award history. Each dimension is rated high, medium, or low: Award Volume (high if over 20 contracts, medium if 6–20, low if fewer than 6); Value Scale (high if total contract value exceeds £1M, medium if £100K–£1M, low if under £100K); Buyer Concentration (high if all contracts from a single buyer, medium if 2–5 buyers, low if 6 or more); Recency (high if most recent award within 12 months, medium if 12–36 months, low if over 36 months). Each dimension scores 100 (high), 50 (medium), or 10 (low), and the composite is the average of all four. The composite is then inverted to produce a health score — higher dependency means a lower score. Grades range from A (no high dimensions, minimal dependency) to E (all four dimensions high, critical dependency). Companies with 4 high dimensions fail (significant concentration risk), 3 high trigger a warning, and fewer than 3 pass. High public sector dependency carries unique risks including government budget cuts, procurement policy changes, and payment timing issues.

For charities that are also Companies House entities, combines charity-specific financial data with external ESG signals (GPG, modern slavery, enforcement). Identifies charities where financial distress coincides with poor social compliance, which may represent imminent reputational risk.

Compares the Creditsafe credit score against three filed financial indicators: net assets, working capital, and profit/loss. When these diverge (e.g. strong credit score but negative financials, or low score despite positive accounts), it highlights a gap between the credit bureau's real-time assessment and the most recent annual filing. Divergence is not necessarily an error — Creditsafe incorporates live trade payment data, CCJs, and other signals that may be more current than annual accounts. The test identifies where further investigation would be valuable.

Cross-references the number and status of outstanding charges against the company's total assets, net assets, and working capital to assess whether the secured debt burden is proportionate to financial capacity. Covers all companies with mortgage data from Companies House.

Correlates an overdue accounts filing date with financial trend data to identify companies where late filing coincides with deteriorating finances. Late filing alone is common; late filing plus declining net assets and profitability is a strong distress signal.

Calculates the debt-to-asset ratio from filed financials and contextualises it against the nature and volume of registered charges. High leverage with multiple outstanding floating charges covering all assets is significantly more concerning than high leverage with a single fixed charge on specific property.

Where Creditsafe tracks a previous_risk_score, compares the direction of credit score movement with the direction of financial performance trends. A rising credit score with deteriorating financials (or vice versa) signals a lag risk — the credit agency hasn't caught up with reality yet.

Compares how quickly the company pays its suppliers against its actual cash reserves and working capital. A company that pays suppliers slowly but holds strong cash reserves may simply be managing cashflow strategically. A company that pays slowly AND has weak cash is likely under genuine financial pressure and may struggle to meet its obligations.

Contextualises CCJ exposure reported by Creditsafe against the company's total assets and turnover from filed accounts. A £50K CCJ against a £100M company is trivial; the same against a £200K company is existential. Individual CCJ tests report existence and value in isolation — this test provides proportionality.

Compares the Creditsafe recommended credit limit against the company's filed turnover and total assets to assess proportionality. An unusually low credit limit relative to company scale may indicate hidden risk factors known to credit agencies but not yet visible in filings.

Analyses whether secured creditors represent concentration risk, and correlates with financial trajectory. A company with all debt concentrated in a single lender AND declining finances is at higher risk of sudden enforcement action compared to diversified lending. Requires charge detail enrichment to identify individual lenders.

Compares multi-year employee headcount trends against revenue trends. Growing revenue with falling headcount suggests efficiency/automation; falling revenue with stable headcount suggests margin compression; rapidly growing headcount with flat revenue signals overexpansion.

Detects new charges registered during a period of financial deterioration. New secured borrowing while financials are declining may indicate emergency funding, refinancing under pressure, or preparation for insolvency. This pattern is invisible when examining charges or financials independently.

Checks whether the direction of the Creditsafe credit score aligns with the company's profitability trend from filed accounts. When both are moving the same way, confidence in the financial picture is higher. When they diverge — for example, profits are falling but the credit score hasn't moved — it may indicate the credit agency hasn't yet reacted, or there are factors not visible in the accounts. Note that these sources cover different timeframes: profit/loss compares annual accounting periods, while the credit score may have changed more recently or less recently than the accounts.

Tracks working capital trajectory alongside accumulation of outstanding charges. Companies whose working capital is deteriorating while accumulating more secured debt follow a classic pre-insolvency pattern. Neither metric alone tells the full story.

Cross-validates Creditsafe probability_of_default against actual solvency indicators from filed accounts (net assets, shareholder funds, working capital). Identifies whether statistical default probability aligns with accounting reality.

Cross-references company age (incorporation date) with financial profile maturity. Young companies (<3 years) with high leverage and micro-entity filings carry different risk than mature companies (10+ years) with the same profile. Age contextualises all financial assessments.

For companies reporting both cash and profitloss data, calculates implied cash burn rate and estimates runway (months until cash depleted at current rate). Critical for assessing viability of loss-making companies that may still be in growth/investment phase.

Uses turnover, employee count, and industry sector to estimate revenue concentration. Very high revenue-per-employee relative to industry norms may indicate contract-dependent businesses or companies with few large customers — a concentration risk.

Assesses whether net assets exceed implied secured obligations. Negative net assets with multiple outstanding charges means the company is technically balance-sheet insolvent with all assets claimed by secured creditors — unsecured creditors likely to recover nothing.

Cross-validates shareholders equity from Creditsafe against shareholder funds from Companies House filed accounts. Significant discrepancies may indicate timing differences, data quality issues, or estimation vs actuals.

Composite scoring combining signals from multiple financial sources into a single weighted financial health measure. Uses filed financials (net assets, working capital, profitability, cash), Creditsafe metrics (risk score, payment score, PoD), and charge burden. Headline financial health metric synthesising all available financial intelligence — a higher risk score reflects weaker overall financial health. Degrades gracefully when data sources are unavailable.

Cross-validates turnover reported by Creditsafe against revenue from Companies House filed accounts. Significant discrepancies may indicate timing differences between the credit report and the most recent filing, consolidated vs entity-level reporting, or data quality issues. Creditsafe sometimes reports zero turnover for companies that do file revenue figures, which flags a data gap in the credit bureau records.

Compares the outstanding trade creditor balance from Creditsafe payment data against short-term creditors from filed accounts. The Creditsafe figure represents a live sample of supplier invoices reported to the credit bureau, while the filed figure includes all short-term liabilities (trade creditors, tax, accruals, deferred income). The Creditsafe balance is normally smaller than filed creditors. If it exceeds the filed figure, this may indicate understated liabilities in the accounts. The test also flags where a high proportion of the trade balance is overdue, which signals payment distress even when the total is within normal bounds.

Cross-references Companies House charge records with gazette notices for the same company, identifying patterns where secured creditors may be enforcing charges. Detects companies with outstanding charges that also have winding-up petitions from creditors, appointment of administrative receivers, and gazette notices published shortly after new charges were delivered.

Identifies companies under active winding-up proceedings (from gazette notices or Companies House insolvency records) that also have outstanding charges registered at Companies House. This indicates competing claims on company assets — secured creditors (charge holders) vs unsecured creditors in the winding-up. The presence of floating charges covering all assets is particularly significant.

Identifies whether the DPO appears to be outsourced or external. Indicators include a DPO organisation name different from registration organisation and a DPO address at a different postcode. An outsourced DPO is legitimate but indicates the organisation may not have in-house data protection expertise.

Assesses the number of trading names associated with the ICO registration. Multiple trading names suggest the organisation operates multiple brands or business lines processing personal data. Very high counts may indicate group structures or franchises.

Assesses the quality and confidence of the link between ICO registration and Companies House record. A high-confidence link increases reliability of cross-referencing. A missing link may indicate a sole trader, partnership, or unincorporated body.

Tracks the governance category risk score across multiple assessment runs and uses linear regression to determine whether governance risk is improving, stable, or deteriorating. A score decrease of 5 or more points indicates improvement, a change within 5 points is stable, and an increase of 5 or more points indicates deterioration. Governance changes tend to be step-function rather than gradual, driven by discrete events such as board changes, PSC updates, or new filings. The test also flags sudden large movements of more than 15 points between consecutive runs. The result includes a confidence grade from A to D based on how much data is available. Grade A (high confidence) requires at least 6 data points spanning 180 or more days. Grade B (good confidence) requires at least 4 data points spanning 90 or more days. Grade C (low confidence) requires at least 2 data points spanning 30 or more days. Grade D (insufficient data) means the history is too short or too sparse to draw meaningful conclusions. A newly assessed company will typically start at grade D and improve as assessments accumulate over weeks and months.

Detects changes to the board of directors — appointments, resignations, or both. A single change is common, but multiple simultaneous resignations or all directors leaving is a well-known warning sign of impending insolvency.

Detects changes in the ownership structure of a company by comparing the number and type of persons with significant control. Changes may indicate acquisitions, corporate restructuring, or governance instability.

Alerts when a company's director has been newly matched to a disqualification order. It is a criminal offence under the Company Directors Disqualification Act 1986 for a disqualified person to act as a director, and engaging with such a company carries significant legal risk.

Aggregates all governance-category test results into a single 0-100 score. Weighs critical/high severity failures more heavily. Normalised for test coverage.

Generates a structured executive summary of this company's overall risk profile across all assessed categories. The summary opens with the company name, overall risk score, and letter grade, then highlights the strongest and weakest risk categories, calls out any critical or high-severity test failures that warrant immediate attention, and closes with a brief outlook. This is designed to appear at the top of a company report and provides a comprehensive at-a-glance narrative covering Financial, Governance, Compliance, Cyber, Legal, Media, Operational, Social/ESG, and Network risk areas.

Evaluates this company as a potential partner from your organisation's perspective. Your company is identified by the 'Self' label on your watchlist (the earliest entry is used if multiple exist; it does not need to be active, but must have been enriched at least once). The assessment answers: if we partner with this company, what risks does that introduce to our business? Shared directors are identified first — these represent potential conflicts of interest where the same person holds positions at both organisations. The partner's overall risk score and grade are shown to indicate their general risk profile. Network overlap shows companies you are both already connected to through shared directors. New connections shows how many additional companies would enter your combined network that you don't currently reach — and how many of those carry risk signals such as insolvency or dissolution. The partner's dissolved and insolvent director connections are counted separately as financial risk exposure. The overall score runs from 0 to 100, with shared directors and the partner's own risk profile carrying the heaviest penalties.

Identifies the legal entity type of the company as registered at Companies House and assesses the transparency and risk implications of the structure. Different entity types carry materially different disclosure obligations, which affects how much can be verified about ownership, control, and accountability. Four classifications are applied: standard types — including private limited companies and private unlimited companies — represent the most common UK corporate structures with standard disclosure requirements and are treated as low risk; elevated transparency types — public limited companies (PLCs) and limited liability partnerships (LLPs) — are subject to more stringent regulatory requirements than standard private companies, including enhanced filing obligations, and are passed with a note; reduced transparency types — limited partnerships, Scottish partnerships, and overseas entities — have significantly lower disclosure requirements, including limited obligations to file accounts or disclose beneficial ownership, and are flagged as a warning warranting additional due diligence; and charity types — including charitable incorporated organisations (CIOs), companies limited by guarantee, and royal charter companies — are not-for-profit structures regulated separately and are passed with an informational note. An unknown or unrecognised company type is flagged as a low-severity warning. For overseas companies registered under an FC number, any UK establishments (branch registrations) are identified and displayed, showing the company's tangible physical presence in the UK. Active establishments indicate ongoing UK operations, while the absence of any establishments may suggest limited verifiable UK footprint.

Checks for previous company names recorded at Companies House and evaluates the frequency of name changes. Each entry in the name history shows the former name and the date on which the company changed to its next name. Name changes are common and often entirely legitimate — reflecting rebrands, mergers, acquisitions, or changes in business focus — but frequent changes can also indicate attempts to distance the company from a negative trading history, adverse media coverage, or legal proceedings. One or two previous names are treated as normal; three to five changes are noted; six or more changes trigger a warning. A name change within the past 12 months is highlighted as it may affect how the company is recognised by counterparties, credit reference agencies, or regulatory bodies. The full name history is presented for due diligence context.

Analyses the company's registered address for risk signals across four areas. First, it checks whether the address matches a known virtual office or formation agent address — locations used by thousands of companies as a registered address without any physical presence. Senserity maintains a comprehensive list of the most common such addresses across England (including 71-75 Shelton Street, 128 City Road, 86-90 Paul Street, 20 Wenlock Road, 27 Old Gloucester Street, and others), Scotland (including 50 Lothian Road Edinburgh and 272 Bath Street Glasgow), Wales (including Newport and Swansea agent addresses), and Northern Ireland (including Belfast and Carrickfergus addresses). Virtual office addresses are legal and widely used — they are flagged as a low-severity warning as a transparency indicator rather than a definitive risk. Second, it detects the Companies House default address (CF14 8LH) — assigned when a company fails to file a valid registered address — which is a medium-severity warning indicating a potentially dormant, abandoned, or non-compliant company. Third, it flags PO Box addresses, which have not been valid registered office addresses since March 2024 under the Economic Crime and Corporate Transparency Act. Fourth, it checks for incomplete addresses or missing postcodes as data quality indicators. For overseas companies registered under an FC number, the test recognises that the registered address is inherently outside the UK and suppresses the misleading missing-postcode flag. Instead, it provides context on where the company is registered and whether it maintains any UK establishments, giving a more complete picture of the company's physical presence.

Identifies whether the company is also registered as a charity and whether that registration is active. Charities have additional governance requirements and restrictions on commercial activities.

Counts active directors per company and provides board size as a governance metric. Flags companies with 0 directors (critical governance gap), sole director (key person risk), or unusually large boards (20+).

Identifies companies where a single individual holds all director appointments, creating significant key-person dependency. If that person becomes incapacitated, resigns, or is disqualified, the company has no authorised decision-maker.

Flags companies with zero active directors — a serious governance and legal deficiency. Under Companies Act 2006, every private company must have at least one director who is a natural person. LLPs are excluded as they use designated members instead.

Identifies companies with corporate directors. Corporate directors create opacity in governance chains, as the ultimate human controllers may be obscured through layers of corporate entities. Under Companies Act 2006 s.155A (inserted by the Small Business, Enterprise and Employment Act 2015 but not yet commenced), all companies will be required to have at least one natural person director. No commencement date has been confirmed.

Flags companies where all directors are corporate entities with no natural person director. This represents maximum opacity in governance — no identifiable human is directly accountable. Under Companies Act 2006 s.155A (inserted by the Small Business, Enterprise and Employment Act 2015 but not yet commenced), this structure will become non-compliant once the provision is brought into force. No commencement date has been confirmed. Does not apply to LLPs, which operate under a different governance model.

Analyses the nationality distribution of active directors, indicating whether the board is nationally homogeneous or internationally diverse. Nationality data is sourced from Companies House filings and is self-declared by officers. A warning is raised when nationality data is missing for more than half of directors, as this limits visibility into governance composition. Where data is available, results are presented as a breakdown by nationality across all active directors. This is an informational insight — no outcome is scored negatively solely on the basis of nationality mix. International diversity may reflect cross-border operations, foreign ownership structures, or diaspora business networks. All-British boards are equally valid. Results are not available for corporate directors, who do not have a nationality field.

Analyses the country of residence of active natural-person directors, flagging companies where the majority reside outside the United Kingdom. Residence data is sourced from Companies House officer filings and is self-declared at the time of appointment or update. All four UK nations (England, Scotland, Wales, Northern Ireland) and common variants (United Kingdom, Great Britain, GB) are treated as UK-resident. Corporate directors are excluded as they do not hold a country of residence. The majority is calculated only against directors with known residence data — those with no residence declared are counted separately and do not affect the pass/fail outcome. A warning is raised when non-UK residents outnumber UK residents among directors with declared residence. This is a low-severity flag as international director residence is common in legitimate businesses, but may warrant further review in due diligence contexts where UK accountability or enforceability of directors duties is relevant.

Analyses tenure distribution of active directors. Very long-serving boards (all 20+ years) may indicate entrenchment. Very new boards (all under 1 year) on established companies may indicate recent restructuring or distress. Mixed tenures suggest healthy board renewal.

Detects high director turnover — multiple appointments and/or resignations within the past 12-24 months relative to board size. Rapid changes can signal internal disputes, financial distress, governance failures, or preparation for sale/restructuring.

Analyses director age distribution from date-of-birth fields. Very young directors (under 21) may warrant scrutiny. Very elderly boards (all 75+) may indicate succession planning needs. Only age bands are displayed, not actual dates of birth.

Checks whether the company has an appointed company secretary. PLCs are legally required to have a secretary under Companies Act 2006 s.271. Private companies may choose to appoint one. Presence indicates more formal governance arrangements.

Summarises occupations declared by active directors. Can indicate professional board composition, industry expertise, or concerning patterns such as all directors listing NONE or RETIRED as occupation.

Identifies companies using a corporate secretary service. Common practice indicating outsourced governance administration. Generally positive for governance quality as it suggests professional company administration.

Flags directors whose appointment date predates the company incorporation date — a data quality anomaly indicating filing errors, data migration artefacts, or unusual corporate history such as re-registration under a new number. Warrants investigation.

Counts directors lacking date of birth on record. Missing DOB hinders identity matching, age verification, sanctions screening, and disqualification matching. Corporate directors are excluded as they have no DOB by nature.

Assesses LLP governance by counting active designated members. Under the LLP Act 2000 s.8, every LLP must have at least two designated members. Designated members carry statutory duties equivalent to company directors. Only runs for LLP entities.

Checks whether the company has any registered Persons with Significant Control (PSCs), either individual or corporate. Since June 2016, most UK companies must maintain a PSC register disclosing who ultimately owns or controls the company. This test verifies PSC registration and also recognises legitimate reasons for having no PSCs: companies traded on a UK or EU regulated market are exempt from PSC requirements, and some companies file formal PSC statements explaining their ownership structure (e.g. no registrable person exists). A warning is raised when only corporate PSCs are registered, as ownership cannot be traced to a named individual. Related tests GOV-052 and GOV-055 provide additional detail on whether corporate PSCs can be traced and whether multi-layer ownership structures exist.

Identifies the highest ownership band held by any individual PSC. Companies with 75-100% individual ownership have concentrated control. The 25-50% band indicates shared control. Informational context for understanding the power structure behind the company.

Identifies companies with exactly one individual PSC — a sole beneficial owner. Most common ownership pattern for UK micro-entities. Represents concentrated control and key-person dependency at ownership level. Combined with GOV-011 (sole director), indicates a single point of failure.

Counts individual PSCs per company as a measure of ownership complexity. Companies with 6+ individual PSCs have unusually complex beneficial ownership structures that may indicate investment vehicles, family trusts, or structures designed to fragment visibility.

Provides a detailed breakdown of all natures of control held by the company PSCs. The Companies House PSC register uses a structured vocabulary of 68 control types covering ownership, voting rights, appointment rights, and significant influence — each with variants for direct, trust, and firm holdings.

Identifies companies where beneficial ownership is held through a trust structure. Trust-held ownership adds a layer of opacity — the PSC is named but exercises control through a trust, meaning the full beneficial ownership chain may include additional parties not visible on the PSC register. Relevant for AML due diligence.

Identifies companies where beneficial ownership is held through a firm (partnership or unincorporated entity). Firm-held ownership means the named PSC exercises control through a partnership or other unincorporated body not registered at Companies House, adding complexity to the ownership chain.

Identifies companies where any or all beneficial owners reside outside the UK. Non-UK resident beneficial owners may be harder to reach, subject to different legal jurisdictions, and may indicate offshore control structures. Notable contextual factor for due diligence.

Detects recent changes to beneficial ownership — new PSC notifications or cessations within the past 12 months. Changes in beneficial ownership are among the most significant corporate events, potentially indicating sale, investment, restructuring, or succession.

Flags PSCs whose notification date predates the company incorporation date — a data quality anomaly indicating filing errors, data migration artefacts, or unusual corporate history. PSC notification should occur on or after incorporation or after 6 April 2016 when the PSC register was introduced.

Identifies PSCs who hold significant influence or control without any ownership or voting rights. These are shadow controllers who exert influence without holding shares. This is the least transparent form of PSC control and warrants enhanced due diligence. May indicate nominee arrangements, contractual control, or informal power structures.

Lists all corporate entities registered as Persons with Significant Control. Corporate PSCs indicate beneficial ownership flows through another legal entity rather than directly to a natural person, adding a layer to the ownership chain that must be traced.

Identifies corporate PSCs that cannot be traced to a known company in the Senserity platform. When a corporate entity controls a company but we have no corresponding record for that entity, we cannot investigate its directors, ownership, financial health, or risk profile. This is common for overseas parent companies (particularly those registered outside the UK) and does not necessarily indicate wrongdoing — it represents a gap in ownership transparency that may warrant manual investigation. Related test GOV-030 checks whether any PSC is registered at all, and GOV-055 detects multi-layer corporate ownership chains.

Flags corporate PSCs that have no registration number AND cannot be resolved to a known company. A corporate entity exercising significant control that cannot be independently verified through any company register. Corporate PSCs that have been matched to a company by name are considered verifiable even without a registration number.

Identifies the highest ownership band held by any corporate PSC. A corporate entity holding 75–100% ownership has total control through an intermediary structure. This is common in holding company and subsidiary arrangements and is reported here for transparency.

Detects companies where the corporate PSC is itself owned by another corporate entity, creating a chain of corporate ownership. Each additional layer adds opacity and makes it harder to identify the ultimate beneficial owner. The test traces ownership chains up to 3 levels deep. More than two layers is unusual for legitimate UK SMEs, though it is common for subsidiaries of large multinationals and holding-company structures. A finding here is a transparency indicator, not necessarily a concern.

Identifies corporate PSCs holding control through a trust structure. A corporate entity holding through a trust creates a double layer of opacity — both the corporate structure and trust arrangement can obscure the ultimate beneficial owner. This is relevant to Anti-Money Laundering (AML) due diligence, which requires businesses to identify and verify the individuals who ultimately own or control a company before entering into a business relationship.

Identifies corporate PSCs with significant influence or control without ownership or voting rights. A corporate entity exercising hidden influence without a visible ownership stake is the most opaque form of corporate control. May indicate contractual arrangements or management agreements.

Detects recent changes to corporate beneficial ownership — new notifications or cessations within 12 months. Corporate ownership changes indicate acquisitions, disposals, group restructuring, or corporate transactions. A new offshore corporate PSC replacing a UK one is particularly notable.

Analyses the legal form and governing law of corporate Persons with Significant Control (PSCs). The combination of legal form, legal authority, and country provides context about the regulatory framework governing the controlling entity. Unusual forms (foundations, associations, Special Purpose Vehicles (SPVs)) may indicate structures that are harder to investigate.

Classifies the charity legal structure. Charitable Incorporated Organisations (CIOs) and Scottish Charitable Incorporated Organisations (SCIOs) provide limited liability. Unincorporated associations and trusts expose trustees to personal liability. The legal structure affects risk profile when contracting.

Evaluates the number of trustees for governance adequacy. Charity Commission recommends at least 3 trustees. Single-trustee charities lack oversight and present key-person risk.

Identifies charities where trustees include organisations rather than natural persons, which reduces transparency of who actually controls the charity. Where organisation trustees are found, the table lists each organisation's name, whether it holds the chair role, and its appointment date.

Detects charities where trustees receive benefits or payments, which can indicate conflicts of interest. Five benefit types are checked from the latest filed accounts: (1) Trustee receives benefit — any form of benefit from the charity; (2) Payments to trustee for role — direct remuneration for acting as trustee (unusual as trustees are normally unpaid volunteers); (3) Trustee receives services payment — payment for professional or other services provided to the charity; (4) Trustee receives other benefit — benefits not covered by the above categories; (5) Trustee resigned for employment — a trustee stepped down to take paid employment with the charity. Each type is permitted by the Charity Commission only with explicit authority in the governing document or specific commission consent. Multiple types active simultaneously represent a stronger governance concern.

Identifies charities involved in asset transfers — receiving or sending. Indicates organisational changes such as mergers, splits, or restructuring. Transfers out may indicate wind-down.

Checks whether the charity has a trading subsidiary and whether any trustee is also a director of that subsidiary, which represents a potential conflict of interest. When a trustee overlap is found, the table shows the trustee name, the subsidiary they direct, their role, and appointment date. When no overlap exists, the table lists the subsidiary companies with their company number and status.

Verifies whether a charity with a registered company number is properly linked to a Companies House record in the platform. A missing link means company-level insights such as filing history, director data, and financial analysis are unavailable for this charity.

Identifies charities that are part of a larger charity group structure. Important for understanding the true controlling entity and resource dependencies.

Identifies charities designated as religious bodies, which carry specific regulatory exemptions depending on their regulator. In Scotland (OSCR), designated religious charities are exempt from: seeking OSCR consent for certain constitutional changes; OSCR directions to stop activities or suspend trustees; Court of Session appointment of judicial factors or trustees; and trustee disqualification rules under the Charities and Trustee Investment (Scotland) Act 2005. In England and Wales (Charity Commission), religious charities with income under £100,000 are 'excepted' from registration and therefore not required to submit annual returns, accounts, or trustees' annual reports to the Commission — though they must still maintain accounting records and comply with charity law. These exemptions mean less public reporting data may be available for such organisations.

Identifies whether any current or former directors, PSC individuals, or charity trustees associated with this company have been matched to the Companies House disqualified officers register. A confirmed match to a currently disqualified individual who still holds an active appointment is one of the most serious governance risks — it is a criminal offence under CDDA 1986 s.13 for a disqualified person to act as a director without court permission.

Evaluates the quality and reliability of disqualification matches by analysing the composite confidence score derived from name similarity, date of birth matching, postcode matching, and company name confirmation. Higher confidence reduces the risk of false positives. Low-confidence matches require manual review before acting on the finding.

Analyses whether the disqualification match is against a director, PSC (person with significant control), or charity trustee. A disqualified person serving as a director is a criminal offence; a disqualified person as a PSC indicates they maintain control/influence despite the ban; a disqualified trustee raises charity governance concerns. Multiple person type matches for the same individual compound the risk.

Analyses the length of the disqualification period as an indicator of the severity of the original misconduct. Under CDDA 1986, disqualification periods range from 2-15 years. Short periods (2-5 years) indicate less serious matters. Medium periods (6-10 years) indicate significant misconduct. Long periods (11-15 years) indicate the most serious cases including fraud, wrongful trading, or severe unfitness.

Classifies the disqualification as either a court order or a voluntary undertaking. Under CDDA 1986 s.7, the Insolvency Service can accept a disqualification undertaking as an alternative to court proceedings. A court order means the case went to trial. Both carry the same legal force but court orders may involve more serious or contested misconduct.

Analyses the specific legislative provision and reason for the disqualification. Different sections of CDDA 1986 indicate different types of misconduct: s.2 (criminal conviction), s.3 (persistent filing breaches), s.4 (fraud), s.6/s.7 (unfitness after insolvency), s.8 (investigation), s.8ZA (instructing unfit directors), s.9A (competition). This gives the deepest insight into why someone was disqualified.

Identifies the companies named in the disqualification order or undertaking. If the target company itself is named, this is a direct risk indicator. If other companies are named, it provides context about the individual track record. Multiple companies in a single disqualification suggest a pattern of misconduct across multiple entities.

Identifies whether the disqualified individual has been granted court permission to act as a director of specific companies despite their disqualification. Under CDDA 1986 s.17, a disqualified person may apply to court for leave to act as a director of a named company, subject to conditions. Permission mitigates immediate legal risk but the disqualification history remains relevant.

Detects individuals subject to more than one disqualification event. Multiple disqualifications for the same person are extremely rare and indicate a serial offender who has either breached a previous disqualification or been found unfit on separate occasions. Significantly higher risk than a single disqualification.

Monitors how close a disqualification is to expiry. For currently disqualified individuals, provides timeline perspective. For recently expired disqualifications, indicates the individual was recently banned and should still be treated with caution. Approaching expiry may indicate the individual will soon seek new directorships.

Extracts and presents the case identifier from the disqualification record, enabling users to research full case details via the Insolvency Service or court records. The case_identifier can be used to find the Insolvency Service press release or court judgment providing the detailed narrative of the misconduct.

Verifies whether disqualification screening records are properly linked to the correct company. Ensures data integrity between screening results and company records — unlinked or incorrectly linked matches could lead to false positives being shown against the wrong company, or genuine matches being missed.

Checks whether the combined minimum ownership implied by all active PSC ownership bands is mathematically consistent. Each band has a defined floor (25-50% = 25%, 50-75% = 50%, 75-100% = 75%). If the sum of floors across all PSCs exceeds 100% the register contains an arithmetic impossibility — multiple PSCs are simultaneously claiming a larger stake than can exist. A warning is raised for marginal overlap (101-149%), which may reflect band-boundary rounding. A fail is raised for clear impossibilities (150%+), such as three PSCs each filing 50-75% ownership.

Checks whether the company's annual confirmation statement is overdue at Companies House. Every company must file a confirmation statement at least once every 12 months, plus a 14-day filing window. Failure to file is a criminal offence and can trigger compulsory strike-off proceedings. Overdue confirmation statements also mean the register data (officers, PSCs, SIC codes, address) may be stale and unreliable. Outcomes range from current filing (score 100) through increasing overdue severity bands to critical (score 10) for statements overdue by more than 6 months.

Checks when the company last filed a confirmation statement with Companies House. A confirmation statement verifies that the register data — officers, PSCs, SIC codes, and registered address — is correct and up to date. A company that has not confirmed its details in over 14 months may have stale register data. Companies with no confirmation statement filed in over 2 years are a significant governance concern, as the reliability of all other register-based checks is undermined.

Compares the company's accounts filing compliance with its confirmation statement compliance to assess overall filing discipline. A company that keeps both filings current demonstrates good corporate governance. Selective compliance — where one filing is current but the other is overdue — may indicate priorities or resource constraints. Both filings overdue simultaneously is a strong signal of systemic governance failure and potential dormancy or distress.

Identifies whether any registered charge indicates that the company is acting as a bare trustee — meaning it holds the charged assets legally in its own name, but beneficially on behalf of another party. This is an unusual arrangement that may indicate complex corporate structures, nominee arrangements, or special purpose vehicle arrangements where the company does not actually own the assets it appears to have charged. It warrants further investigation to understand the true beneficial ownership of the encumbered assets.

Identifies companies that both compete for the same public sector contracts and share one or more directors with this company. A director sitting on the boards of two competing bidders raises serious conflict of interest concerns, with implications for governance and procurement integrity.

Identifies individuals who are both directors of this company and trustees of one or more charities. This dual role creates a potential conflict of interest — the individual may influence company resources toward or away from charities they govern. Reports all individuals with crossover roles and their associated charity details.

Extends the trustee-director crossover check by examining whether any charities where this company's directors serve as trustees have experienced adverse regulatory events, such as removal from the register, a published Charity Commission report, or unusual asset transfers. Regulatory concerns at a charity governed by the same individual who directs this company call into question their oversight capabilities.

Checks whether this company is also registered as a charity, either as a Charitable Incorporated Organisation or as a dual-registered entity. If so, the company is subject to both Companies House and Charity Commission oversight, and its directors may have dual fiduciary duties. Returns the charity details including registration status, income, and any regulatory events.

For each director of this company, counts the number of charities they serve as trustee. A director who is trustee of five or more charities while also directing commercial companies may have divided attention and limited governance capacity. Returns a per-director summary of their charity trustee commitments.

Detects potential conflicts of interest where this company has won tender contracts from a buyer organisation, and a director of this company also directs or has connections to that buyer. A director with ties to both a supplier and a buyer in the same procurement process is a serious integrity concern.

Identifies whether the modern slavery statement is an individual or group submission and assesses the accountability dilution risk. Under the Modern Slavery Act, a parent organisation may publish a single group statement covering all subsidiaries. While efficient, large group submissions risk generic language that fails to address the specific risks, sectors, and geographies of each entity — a concern raised by the UK Independent Anti-Slavery Commissioner. Scoring reflects this: individual submissions score 85 (no dilution); small groups of up to 10 organisations score 75 (pass, minor dilution); medium groups of 11–50 organisations score 55 (warning, material dilution risk); large groups of 50+ organisations score 40 (warning, significant dilution risk). The parent name and number of covered organisations are reported for context.

Verifies that the organisation listed on the UK Modern Slavery Statement Registry has been successfully matched to a Companies House record. This linkage is essential for cross-referencing the modern slavery statement data with all other company intelligence held by Senserity, including financial data, officer records, and other compliance checks. Matching is performed using the company registration number provided in the registry data. Outcomes: Pass (score 85) if a verified match exists; Pass (score 70) if a match exists but the method was not recorded.

Compares a company's gender pay gap performance with its broader governance quality to identify whether equality issues correlate with wider management concerns. Examines the mean and median gender pay gaps, whether the gap is improving or worsening over time, and compares this with governance signals such as accounts filing timeliness and company maturity. Companies with both a worsening pay gap and poor governance compliance may be showing signs of systemic management weakness rather than an isolated equality issue.

Combines charity governance indicators (reporting status, regulatory events, trustee structure) with charity financial health metrics (income trends, expenditure balance, net assets, reserves) to produce a holistic charity health assessment. A charity with poor governance AND financial deterioration is a materially higher risk than one with issues in only one area.

Flags charities that have HSE enforcement notices, HSE convictions, or Environment Agency enforcement actions. Charities with regulatory enforcement represent a specific governance concern — trustees have oversight obligations, and enforcement against a charity may indicate governance failures beyond the operational issues themselves.

Calculates a composite people risk score for a company by aggregating all person-linked risk signals: sanctions matches (director, PSC individual, PSC corporate), disqualification matches, and adverse media hits on individuals. Weights are applied by match confidence level and signal type. Produces a 0-100 score where higher = more risk.

Calculates the ratio of people with risk signals to total people associated with a company (directors + PSCs). A company with 2 directors where both have sanctions matches is far more concerning than a company with 50 directors where 2 have matches.

Identifies companies where the same individual has risk signals from multiple independent sources (e.g., sanctions match AND disqualification match AND adverse media hits). Multiple independent signals on the same person dramatically increases risk confidence.

Analyses whether recent board/PSC changes correlate with people risk events. Detects patterns such as resignations after sanctions listings, new directors appointed who already have risk signals, or PSC changes coinciding with adverse media coverage.

Identifies companies where the sole director (key person dependency) has a sanctions match. Zero governance resilience combined with sanctions flag. Even LOW confidence warrants investigation in this context.

Assesses whether the board has sufficient governance depth to absorb people risk events. Calculates a resilience ratio: (board_size - risk_directors) / board_size. A 2-person board with 1 sanctions match means 50 percent of governance is compromised.

Identifies companies where corporate directors (inherently opaque - cannot screen individuals behind them) coexist with sanctions matches on other people. The combination may indicate deliberately obscured sanctioned individuals.

Detects unusual board turnover patterns coinciding with people risk events: mass resignations after sanctions listings, rapid appointment-resignation cycles around disqualification dates, or director replacements correlating with adverse media coverage.

Compares a company's governance maturity against its people risk exposure to identify whether governance is keeping pace with risk. Governance maturity is scored from 0 to 100 based on indicators such as board size, whether a company secretary is appointed, company age, PSC transparency, absence of corporate director opacity, diversity of board roles, and whether accounts are up to date. People risk exposure is scored from 0 to 100 based on accumulated risk signals from sanctions matches, disqualification matches, and adverse media hits across all directors and PSCs. The test then measures the gap between the two scores. When governance maturity exceeds risk exposure, the company has sufficient oversight for its risk level and the test passes. When risk exposure slightly exceeds governance maturity (gap up to 20 points), the test warns that governance may not be keeping pace. When the gap exceeds 20 points, the test fails, indicating that the company's governance structures are significantly under-equipped relative to the people risk it carries. A well-governed company with no risk signals is the best outcome. A poorly governed company with high risk exposure is the worst.

Creates a per-person risk profile for every director and PSC associated with a company, aggregating signals from all available sources. Produces person-level risk scores and a company-level summary showing which individuals carry the most risk.

Cross-references disqualification matches against active director records. A person matched to a disqualification record who is currently an active director may be committing a criminal offence under the Company Directors Disqualification Act 1986.

Master composite test combining all B2 people risk indicators into a single comprehensive due diligence score. Aggregates: people risk score, risk density, multi-signal concentration, governance resilience, sanctions coverage, verification gap, and individual risk accumulation into a weighted composite 0-100 score.

Detects whether any reported trade payments have been escalated to legal action for recovery. This is the most severe indicator of payment failure — it means suppliers have given up on commercial recovery and are pursuing legal channels.

Checks whether the company has any County Court Judgements (CCJs) registered against it. CCJs are legal determinations that the company owes money and has failed to pay. Outstanding (unsatisfied) CCJs are particularly concerning as they indicate the company has still not resolved its debts even after court action.

Evaluates the total monetary value of CCJs registered against the company. Large CCJ values relative to company turnover or net assets are particularly concerning and may indicate systemic problems rather than isolated disputes.

Evaluates how recently CCJs have been registered against the company. Recent CCJs (within 12 months) are much more indicative of current financial problems than older ones. CCJs remain on the register for 6 years.

Displays the individual CCJ records on file from Creditsafe, including the judgement date, court, amount, status, and case number. Status of "Outstanding" means the judgment debt has not been paid and the CCJ remains active. Status of "Satisfied" means the company paid the debt in full and the court was notified — while positive, a satisfied CCJ still indicates the company was taken to court. This is an informational display; the risk signals are assessed in CRD-015 (existence), CRD-016 (value), and CRD-017 (recency).

Checks for insolvency events reported via Creditsafe, including winding-up petitions, administration appointments, notices of intention, and other formal insolvency proceedings. Active insolvency events are critical red flags. Supplements LEG-001/LEG-002 from Companies House data.

Analyses the chronological progression of insolvency events. Maps the typical insolvency journey: petition → appointment → administration/liquidation. The speed of progression and type of proceedings reveal the severity and likely outcome.

Tracks the legal risk category score across multiple assessment runs and uses linear regression to determine whether legal risk is improving, stable, or deteriorating. A score decrease of 5 or more points indicates improvement, a change within 5 points is stable, and an increase of 5 or more points indicates deterioration. Legal events such as new CCJs, Gazette notices, and court judgements are discrete events that cause step changes rather than gradual drift. The test also flags step changes of more than 10 points between consecutive runs as potential legal events. The result includes a confidence grade from A to D based on how much data is available. Grade A (high confidence) requires at least 6 data points spanning 180 or more days. Grade B (good confidence) requires at least 4 data points spanning 90 or more days. Grade C (low confidence) requires at least 2 data points spanning 30 or more days. Grade D (insufficient data) means the history is too short or too sparse to draw meaningful conclusions. A newly assessed company will typically start at grade D and improve as assessments accumulate over weeks and months.

Flags when new County Court Judgements have been registered against the company since the last assessment. New CCJs are a strong indicator of payment disputes and financial difficulty.

Alerts when new London Gazette notices have appeared for the company. Gazette notices — particularly those relating to insolvency, winding-up petitions, or compulsory strike-off — are often the earliest public signal of serious financial distress.

Aggregates all legal-category test results into a single 0-100 score. Covers CCJs, Gazette notices, charges, insolvency, court judgements.

Checks whether the company has any active insolvency cases (liquidation, administration, CVA, receivership, moratorium). Active insolvency is one of the most critical risk indicators — the company may be unable to fulfil contractual obligations and creditor claims are subject to statutory priority.

Identifies whether the company has any historical (concluded) insolvency proceedings. Even resolved insolvency events indicate past financial distress and may signal structural weaknesses. Important for due diligence — a company that has been through administration or a CVA may have restructured debts, changed ownership, or shed liabilities.

Categorises the types of insolvency proceedings the company has been subject to. Different case types have very different implications: compulsory liquidation (court-ordered, typically creditor-driven, terminal), CVL (directors decision, terminal), MVL (solvent wind-down, benign), administration (rescue attempt), CVA (restructuring deal with creditors), receivership (secured creditor enforcement), moratorium (temporary breathing space).

Extracts and displays the insolvency practitioners (IPs) appointed to the company cases. IPs are licensed professionals who manage insolvency proceedings. Their identity, firm, and number of appointments can indicate the scale and seriousness of proceedings. Multiple practitioner appointments may indicate complex or contested cases.

Identifies active charges that are directly connected to insolvency proceedings. Two signals are checked: whether a charge has been formally linked to one or more insolvency cases on the Companies House record, and whether the assets secured under the charge have been ceased or released. Either signal indicates that a secured creditor has become involved in insolvency proceedings — the lender may have enforced their security and taken possession of assets, or an insolvency practitioner may have sold secured assets to repay creditors. This is a strong indicator of serious financial distress and is considered a high-severity finding.

Specifically checks for an active moratorium — a temporary legal protection from creditor action introduced by the Corporate Insolvency and Governance Act 2020 (CIGA 2020). A moratorium gives a company breathing space (initially 20 business days, extendable with court or creditor consent) during which creditors cannot commence or continue legal proceedings, enforce security, or wind up the company. Obtaining a moratorium is a significant signal of acute financial difficulty — it means the company has acknowledged it needs protection from its creditors while it explores a rescue plan.

Checks whether any insolvency-related notices have been published in the London, Edinburgh, or Belfast Gazette for this company. Publication in the Gazette is a legal requirement at key stages of formal insolvency proceedings including winding-up petitions, administration appointments, creditors' meetings, and liquidation. The presence of any gazette notice is a significant risk signal indicating the company is or has been subject to formal insolvency proceedings. This is the gateway test for all other gazette-based tests.

Classifies the type of insolvency process the company is or has been subject to, based on the gazette notice category codes. The main types are: Compulsory Winding-Up (a court has ordered the company to be wound up — the most severe outcome); Creditors' Voluntary Liquidation (CVL — directors have acknowledged the company cannot pay its debts and shareholders have passed a winding-up resolution); Administration (a formal rescue attempt where an administrator takes control); Members' Voluntary Liquidation (MVL — a solvent wind-down by shareholders, not an insolvency event); and Administrative Receivership (a secured creditor with a floating charge appoints a receiver). Progression patterns such as Administration followed by CVL indicate that a rescue attempt failed.

Detects whether a winding-up petition has been filed against the company that has not yet been resolved by a court order or dismissal. A winding-up petition is filed in court by a creditor claiming the company cannot pay its debts; once presented it is published in the Gazette and typically results in an order or dismissal within weeks. An active unresolved petition is one of the most urgent risk signals in supplier due diligence — the company may be on the verge of compulsory liquidation.

Detects whether a court has issued a compulsory winding-up order against the company. A winding-up order is issued by the court following a successful petition, and means the company is placed into compulsory liquidation with an Official Receiver appointed. This is the most severe and terminal insolvency outcome — it is irreversible except in extremely rare circumstances where a court agrees to rescind the order.

Detects whether an administrator has been appointed for the company. Administration is a formal insolvency rescue procedure in which a qualified insolvency practitioner (the administrator) takes control of the company and attempts to rescue it as a going concern, achieve a better outcome for creditors than immediate winding-up, or realise assets for distribution. Approximately 16.8% of companies that enter administration subsequently enter CVL, meaning the rescue fails. If subsequent liquidation notices are also present, this test will reflect that outcome.

Detects whether a creditors' meeting has been gazetted for the company. A creditors' meeting is a formal step in the Creditors' Voluntary Liquidation (CVL) process at which creditors vote on the appointment of a liquidator. Its publication in the Gazette means the directors have formally acknowledged that the company cannot pay its debts and that a winding-up resolution has been passed or is imminent. This notice often appears before the liquidator appointment and can provide earlier warning of a CVL than waiting for the liquidation notice itself.

Constructs a chronological timeline of all gazette notices for this company, showing the full progression of insolvency proceedings in date order. This is particularly valuable when there are multiple notices — it reveals the sequence of events (for example, petition followed by order, or administration followed by CVL), the speed at which proceedings escalated, and whether the process is still active or has concluded. A timeline showing recent notices suggests proceedings may be ongoing.

Assesses how recently the company's most recent gazette notice was published. Notices within the past 30 days indicate active or very recently concluded proceedings. Notices within 90 days suggest proceedings are recent and material risk remains elevated. Notices within a year are treated as recent history. Notices older than a year are classified as historical. Recency scoring is used alongside the type and volume of notices to assess overall insolvency risk.

Identifies companies where a winding-up petition was filed but was subsequently dismissed by the court. A dismissal means the company successfully defended against the petition — typically by paying the debt, disputing the debt, or reaching a settlement with the petitioner. A dismissed petition is a positive outcome, but the fact that a creditor was sufficiently aggrieved to take formal court action is itself a risk signal that should be noted during due diligence.

Detects whether a moratorium has been obtained under Part A1 of the Insolvency Act 1986, as introduced by the Corporate Insolvency and Governance Act 2020. Unlike administration, a moratorium does not involve an insolvency practitioner taking control — the company's directors remain in charge. However, a monitor (a licensed insolvency practitioner) must be appointed to oversee the moratorium. The moratorium signals financial distress requiring creditor protection, and if it was followed by insolvency proceedings, that progression is highlighted.

Assesses the total number of gazette notices and the rate at which they were published (notices per month) to indicate the complexity and urgency of insolvency proceedings. A single notice typically represents a straightforward single-stage process. Two notices is typical for a multi-stage process. Three or more notices indicates a complex or prolonged insolvency history. Companies with four or more notices are in the top 1.3% by volume, suggesting multi-stage proceedings. A high velocity (more than two notices per month) suggests rapid deterioration.

Checks whether this company has been screened against the National Archives Find Case Law database, which contains published court judgements from England and Wales. Screening must be performed as part of the enrichment process before any court-related insights can be assessed. If screening has not been completed, court risks are entirely unknown. This is the foundation test for all other court insight tests.

Determines whether the company appears as a named party in any published court judgements. Court involvement — regardless of the company's role or the outcome — indicates elevated legal complexity and increases the likelihood of governance, compliance, or commercial disputes. The absence of court cases is a positive indicator of clean legal standing. Cases are identified through AI-assisted matching of company names in published judgements from the National Archives.

Evaluates the highest risk level assigned across all confirmed court cases for this company. Risk levels (Critical, High, Medium, Low, None) are determined by AI analysis of each judgement, considering factors such as the nature of the dispute, the company's role, the severity of any adverse outcome, financial penalties or remedies awarded, and the court's assessment of the company's conduct. This test reflects the worst-case risk exposure from court involvement.

Calculates a composite risk score by summing the AI-assigned risk scores across all confirmed court cases. Individual case scores range from 0 to 100 and reflect the severity of each case. The aggregate score captures cumulative legal exposure — a company involved in many medium-risk cases may present more concern than one with a single high-risk case. Scores of 30 or above are flagged as a warning; 60 or above as a high-risk fail; 90 or above as critical.

Analyses the roles the company has played in court proceedings. Being a defendant or respondent means the company has been accused or challenged by another party; being a claimant or appellant means the company initiated the action. A pattern of predominantly defensive roles (defendant or respondent) suggests the company is regularly the subject of legal action rather than pursuing its own claims, which is a stronger risk signal than primarily being a claimant.

Calculates the proportion of court cases where the company received an adverse outcome — either losing the case outright or partially losing. A high adverse outcome rate indicates the company frequently finds itself on the wrong side of court decisions, which may reflect governance failures, non-compliance with contracts or regulations, poor employment practices, or disputed commercial conduct. This rate is calculated only for cases where outcome data is available from the AI analysis.

Categorises all confirmed court cases by the type of court in which they were heard. Employment tribunal cases suggest workforce management issues such as discrimination or unfair dismissal. Intellectual property cases relate to brand protection or infringement disputes. Insolvency and Companies List cases are a critical financial health signal. Planning court cases suggest development or regulatory disputes. Court of Appeal and Supreme Court cases indicate high-stakes disputes escalated beyond first instance. This classification helps identify patterns in the nature of the company's legal exposure.

Assesses how recently the company has been involved in published court cases, based on the judgement dates. Court cases within the past 12 months indicate active or very recent legal exposure. Cases between 1 and 3 years ago represent diminishing but recent risk. Cases older than 3 years are considered historical. The most recent judgement date is used as the primary driver of this assessment.

Specifically identifies cases where the company was a defendant or respondent and the court found against them. This combination — being accused by another party and losing — is the most concerning pattern in court case analysis. A single such case warrants attention; multiple cases suggest a persistent pattern of adverse court findings which may indicate systemic governance, compliance, or commercial conduct issues.

Identifies cases heard in the Employment Tribunal or Employment Appeal Tribunal (EAT), which handle disputes between employers and employees. Employment cases typically involve claims of unfair dismissal, discrimination, harassment, or wage disputes. A single employment case may be incidental, but multiple cases suggest systemic HR or management issues. Employment tribunal exposure is treated as a material ESG (social) risk indicator, particularly relevant for organisations with large workforces.

Identifies cases heard in IP-related courts, including the High Court Intellectual Property List and the Patents Court. IP litigation indicates the company is either defending its own intellectual property rights (as claimant) or has been accused of infringing another party's rights (as defendant). Being a defendant in IP cases may indicate allegations of trade mark infringement, patent misuse, or copyright violations. Being a claimant indicates active IP portfolio management. The company's role and outcome are highlighted.

Identifies cases that have reached the Court of Appeal or Supreme Court, indicating a dispute significant enough to be escalated well beyond the original first-instance court. Appeals are expensive and time-consuming — a company pursuing or defending an appeal has invested heavily in litigation, suggesting the stakes are high. The presence of appeal cases indicates complex or high-value disputes that have not been resolved quickly.

Identifies cases heard in the High Court Insolvency and Companies List, which handles formal insolvency proceedings, company administration, and related financial matters. The presence of insolvency court proceedings goes beyond what is visible in Companies House or Gazette data — it means formal judicial scrutiny has been applied to the company's financial viability or structure. This is treated as a critical-severity finding regardless of the outcome.

Checks whether the full court judgement documents have been successfully retrieved and stored for each confirmed court case. Document availability enables reviewers to read the actual judgement text rather than relying solely on the AI-generated summary. Where documents are unavailable, the risk scoring and party analysis from other court tests may be based on incomplete information, limiting the depth of due diligence that can be performed.

Provides a chronological view of all confirmed court cases involving the company, displayed as a timeline ordered by judgement date. This is primarily an informational display to help reviewers understand the history and frequency of the company's court involvement at a glance. Escalating or clustering legal activity may signal deteriorating governance or compliance posture. Each event is colour-coded by risk level.

Identifies cases heard in the Planning Court, which deals with judicial reviews of planning decisions, challenges to development consents, and disputes over planning conditions. Planning court involvement is contextual rather than inherently risky — it is most relevant for property developers, construction companies, infrastructure operators, and land owners. It may signal development risk, community opposition, regulatory challenges, or challenges to local authority decisions affecting the company's sites or operations.

Provides the full AI-generated case summary and outcome narrative for each confirmed court case involving the company. The summaries are produced by analysing judgement documents retrieved from the National Archives Find Case Law database and explain the nature of the dispute, the legal arguments, and the outcome in plain language. This card is the primary source for understanding what a case was actually about — the other court tests provide aggregate risk scores and classifications, while this card surfaces the substantive content. A citation link to the original judgement on the National Archives website is included where available. Important: the AI Summary and Outcome Detail fields are generated automatically by an AI model and may contain errors, omissions, or mischaracterisations of the original judgement. They are intended as a starting point for review only. Always refer to the original judgement document via the Citation link before drawing any conclusions or making decisions based on this information.

Reconstructs the complete insolvency chronology by combining Gazette petition notices, winding-up orders, liquidator appointments, creditors meetings, administration appointments, Companies House insolvency records, and Creditsafe insolvency events. Produces a unified timeline showing the progression of insolvency proceedings across all data sources, with date anchoring and gap detection.

Calculates a composite legal exposure score by aggregating CCJ count and value (from Creditsafe), court case count and adverse outcomes (from National Archives), gazette notice count weighted by category severity, and insolvency proceedings (from Companies House). Uses weighted scoring: CCJs (weight 3 per outstanding, 1 per satisfied), court adverse outcomes (weight 4 for loss, 2 for partial loss), gazette critical notices (weight 5), gazette high notices (weight 3), insolvency active (weight 10). Score normalised to 0-100.

Cross-references Creditsafe CCJ records with National Archives court cases for the same company. Identifies where CCJs are corroborated by court case documentation (higher confidence), CCJs exist without matching court records (Creditsafe-only signal), and court cases exist that could result in future CCJs (forward-looking risk). Matches on company_number and approximate date/court correlation.

Identifies companies where a gazette winding-up petition or winding-up order exists, and checks whether a corresponding Companies House insolvency case has been recorded. A gazette petition without a Companies House insolvency may indicate an early-stage proceeding not yet reflected in official records, or a petition that was dismissed. A Companies House insolvency without gazette notice may indicate a voluntary arrangement.

Tracks whether companies with CCJ history subsequently entered insolvency proceedings. A pattern of accumulating CCJs followed by gazette insolvency notices or CH insolvency records indicates the classic debt spiral: unpaid judgements to creditor petitions to formal insolvency. Also identifies companies that emerged from insolvency but still have outstanding CCJs.

Analyses the gazette notice sequence for each company to identify incomplete insolvency processes. Expected sequence: petition to winding-up order to appointment of liquidator. Identifies petitions without subsequent orders, orders without liquidator appointments, and processes that started but have no resolution notices.

Identifies companies where National Archives court cases relate to insolvency proceedings. Cross-references court names across court judgements, gazette notices, and Companies House insolvency records. Detects insolvency court proceedings corroborated by gazette or Companies House records, commercial court cases that preceded insolvency, and employment tribunal cases preceding insolvency.

Evaluates confidence in legal risk signals by checking how many independent data sources report findings. A single source (e.g. only CCJs from Creditsafe) is treated as indicative — it could be significant but lacks corroboration. Two sources confirming legal activity (e.g. CCJs and court cases) raises confidence to probable. Three or more sources makes the signal confirmed. Also flags cases where sources contradict each other, such as a dismissed petition in The Gazette while Creditsafe still reports active insolvency.

For companies with gazette winding-up petitions, tracks the outcome by searching for subsequent gazette notices: a winding-up order means the petition succeeded, a dismissal means it failed, and an administration appointment indicates an alternative resolution. Calculates petition success rate and identifies serial petitions.

Analyses the temporal relationship between Creditsafe CCJ records and Companies House insolvency events. Identifies CCJs that predate insolvency, CCJs that post-date insolvency commencement, and CCJs on companies where Creditsafe reports insolvency events but CH has no matching record (or vice versa).

Analyses the direction of legal risk over the past 12 months by combining gazette notice frequency trend, CCJ accumulation rate, court case filing rate, and insolvency status changes. Classifies trajectory as improving, stable, deteriorating, or critical escalation. Uses a 3-month rolling window to smooth noise.

Tracks the media risk category score across multiple assessment runs and uses linear regression to determine whether media risk is improving, stable, or deteriorating. A score decrease of 5 or more points indicates improvement, a change within 5 points is stable, and an increase of 5 or more points indicates deterioration. Media risk is highly volatile because a single adverse article can cause a temporary spike. To account for this, the test uses an exponential weighted moving average with a decay factor of 0.7 to smooth volatility and prevent false alarms from short-lived spikes. The result includes a confidence grade from A to D based on how much data is available. Grade A (high confidence) requires at least 6 data points spanning 180 or more days. Grade B (good confidence) requires at least 4 data points spanning 90 or more days. Grade C (low confidence) requires at least 2 data points spanning 30 or more days. Grade D (insufficient data) means the history is too short or too sparse to draw meaningful conclusions. A newly assessed company will typically start at grade D and improve as assessments accumulate over weeks and months.

Flags when a company that was previously clear of adverse media is now showing results, or when adverse media has been resolved. A new adverse media flag warrants further investigation into the nature and credibility of the coverage.

Aggregates all media-category test results into a single 0-100 score. Covers adverse media screening for company and PSC individuals.

Checks whether an adverse media screening has been completed for this company. The screening searches for the company name across news and media sources, classifying results into six risk categories: financial crime, organised crime, terrorism, regulatory enforcement, violent crime, and political exposure. Returns pass if screening completed successfully, warning if the search encountered an error, and not applicable if no screening record exists. This is the gateway test for all other MED tests — without a completed screening, all category and risk tests will return not applicable.

Detects whether the company name has returned any adverse media hits from the screening. Distinguishes between categorised hits (articles classified into one or more of the six adverse categories) and uncategorised hits (mentions of the company that did not meet the threshold for any adverse category). Returns fail if categorised hits are found, pass with a neutral mention count if only uncategorised hits exist, and pass with no hits if the company is clean. Low match confidence triggers an additional caveat recommending manual review. Related to MED-003 (risk scoring) and MED-010 (match confidence).

Evaluates the computed adverse media risk score and risk level for the company based on its categorised hits. The risk score is calculated using a weighted logarithmic algorithm: financial crime and organised crime carry the highest weight (10), followed by terrorism (8), regulatory (7), violent crime (5), and political (1). Risk level thresholds are: HIGH ≥ 50, MEDIUM ≥ 30, LOW ≥ 15, NONE < 15. Returns fail for HIGH risk, warning for MEDIUM, and pass for LOW or NONE. A scorecard display shows the numeric score. Low match confidence is surfaced as a caveat.

Checks for adverse media hits classified in the financial crime category, covering fraud, money laundering, bribery, corruption, embezzlement, tax evasion, and related offences. Financial crime carries the maximum category weight (10) in the risk scoring algorithm. Returns fail with article headlines and source links if any hits are found, pass if the company is clean in this category. Up to five supporting articles are surfaced as evidence. A high-risk finding here contributes significantly to the overall MED-003 risk score.

Checks for adverse media hits classified in the organised crime category, covering links to criminal networks, gang activity, trafficking operations, and organised criminal enterprises. Carries the maximum category weight (10), equal to financial crime. Returns fail with article evidence if hits are found, pass if clean. Findings in this category represent severe supply chain risk — association with organised crime is typically disqualifying for due diligence purposes.

Checks for adverse media hits classified in the terrorism category, including links to terrorist organisations, financing of terrorism, and extremist activities. Carries a category weight of 8. Returns fail with article evidence if hits are found, pass if clean. Terrorism findings are rare but represent the most serious category of adverse media; any finding should trigger immediate escalation and review regardless of the overall risk score.

Checks for adverse media hits classified in the regulatory category, covering enforcement actions, fines, penalties, licence revocations, compliance failures, and regulatory investigations by bodies such as the FCA, ICO, CMA, and HSE. Carries a category weight of 7 and is the most frequently triggered adverse category in practice. Returns fail with article evidence if hits are found, pass if clean. Regulatory findings range from minor historic penalties to active enforcement — the supporting articles should be reviewed to assess materiality.

Checks for adverse media hits classified in the violent crime category, covering assault, murder, threats, and other violent offences linked to the company or its operations. Carries a category weight of 5. Returns fail with article evidence if hits are found, pass if clean. Violent crime hits may indicate unsafe working environments, criminal management, or reputational risk, and warrant manual review of the supporting articles to determine context.

Checks for adverse media hits classified in the political category, covering politically exposed persons (PEPs) in the company, controversial political donations, lobbying disputes, and government corruption links. Carries the lowest category weight (1) as political mentions are common for larger companies and are often informational rather than concerning. Returns warning (not fail) if hits are found, pass if clean. Political findings require contextual judgement — the supporting articles should be reviewed to determine whether the exposure represents genuine risk.

Assesses the confidence level of the adverse media name match based on a name uniqueness score (0–100). Common or generic company names may generate false positive hits due to collisions with unrelated entities sharing the same name. Confidence bands: high ≥ 70, medium 40–69, low < 40. Returns pass for high and medium confidence, warning for low confidence. Low confidence findings with adverse hits require manual review to confirm the articles genuinely relate to this company rather than a namesake.

Analyses the spread of adverse media hits across all six categories to assess breadth of exposure. A company with hits across multiple categories is materially more concerning than one with hits concentrated in a single area. Returns warning if hits span three or more categories, pass if hits are limited to one or two categories, and not applicable if no categorised hits exist. Displays a bar chart showing article counts per category with category-specific colours.

Reports whether adverse media screening was extended to the PSC individuals and directors associated with the company. Individual screening is triggered when the entity-level screening identifies concerning results, or can be force-triggered manually. Returns pass if individual screening was completed, warning if triggered but incomplete, pass (with a note) if not triggered, and not applicable if the company has no entity screening record. The count of individuals screened is shown. This is the gateway test for MED-013 through MED-017.

Detects whether any PSC individual or director associated with the company has adverse media hits from individual-level screening. Applies the same logic as MED-002 but for each screened person: distinguishes categorised hits (classified adverse articles) from uncategorised hits (neutral mentions). Returns fail if any individual has categorised hits, pass with a neutral mention note if only uncategorised hits exist, and pass if all individuals are clean. Results are shown in a table with name, role, hit count, risk level, and match confidence.

Evaluates the adverse media risk score and risk level for each screened PSC individual and director, using the same weighted logarithmic algorithm as MED-003. Identifies the highest individual risk level across all screened persons and ranks individuals by risk score. A company may be clean at entity level while individual directors or PSCs carry significant adverse media risk. Returns fail for HIGH individual risk, warning for MEDIUM, and pass for LOW or NONE. Results are shown in a ranked table.

Assesses name uniqueness and match confidence for each individual screened through adverse media. Common names are more prone to false positives — a hit against "Mark Smith" may relate to any of many unrelated people, not the specific director or PSC associated with this company. Uniqueness is scored 0–100 based on name characteristics: common first names (e.g. James, Sarah) apply a −20 penalty, common surnames (e.g. Smith, Jones) apply a −25 penalty, multi-part names (middle names present) add +5 per extra part, and long or distinctive surnames add a further bonus. Confidence bands are: High (≥70), Medium (40–69), Low (<40). The Reasoning column explains which factors drove the score — for example "Common first name (Mark), 3-part name" — so reviewers can understand why a name was assessed as low or medium confidence without needing to consult documentation. Returns a warning if any individual with adverse media hits has low match confidence, as those results require manual review to confirm the articles relate to the person linked to this company rather than a namesake.

Tracks the manual review status of individual adverse media results where hits were found. Each screened individual with hits has a review status: pending (not yet reviewed), reviewed, dismissed, or escalated. Returns fail if any results are escalated, warning if any results remain pending review, and pass if all results have been reviewed or dismissed. Displays a table showing reviewer name, review date, and status for each individual with hits. Unreviewed results indicate outstanding compliance actions.

Analyses the roles held by screened individuals in relation to the company — PSC only, director only, or both. An individual who is both a PSC (person with significant control) and a director has been deduplicated in screening but represents amplified risk, as they exercise both ownership/control and day-to-day management. Returns a role distribution summary. This is an informational test; its findings provide context for interpreting results from MED-013 and MED-014.

Assesses how recently the adverse media screening was performed. Adverse media is time-sensitive — regulatory actions, legal proceedings, and reputational events can emerge rapidly. The enrichment module applies a 30-day freshness window, but older results may miss recent developments. Returns pass for screenings within 30 days, pass with a refresh recommendation for 31–90 days, warning for 91–180 days, and warning (stale) for over 180 days. Particularly important for companies under active investigation or with prior adverse findings.

Produces a composite adverse media risk score combining the entity-level risk score with the highest individual-level risk score across all screened PSCs and directors. Takes the maximum of the two scores to determine the combined risk level, using the same thresholds as MED-003: HIGH ≥ 50, MEDIUM ≥ 30, LOW ≥ 15, NONE < 15. A company with a clean entity profile but high-risk individuals still registers as high combined risk. This is the summary test used to indicate overall adverse media exposure for the company.

Checks whether source articles are available as evidence for adverse media findings. Each category can store article details including headline, body text, source link, and timestamp. Returns pass if all hit categories have supporting articles, warning if some categories have hits but no article evidence (making it impossible to verify the finding), and not applicable if no categorised hits exist. Missing articles do not invalidate the hit count but reduce the auditability of the screening result.

Tracks the network risk category score across multiple assessment runs and uses linear regression to determine whether network risk is improving, stable, or deteriorating. A score decrease of 5 or more points indicates improvement, a change within 5 points is stable, and an increase of 5 or more points indicates deterioration. Network risk changes when connected entities change, for example when a director joins or leaves, or when a related company enters insolvency or dissolution. The test also flags step changes of more than 10 points between consecutive runs as potential connected-entity events. The result includes a confidence grade from A to D based on how much data is available. Grade A (high confidence) requires at least 6 data points spanning 180 or more days. Grade B (good confidence) requires at least 4 data points spanning 90 or more days. Grade C (low confidence) requires at least 2 data points spanning 30 or more days. Grade D (insufficient data) means the history is too short or too sparse to draw meaningful conclusions. A newly assessed company will typically start at grade D and improve as assessments accumulate over weeks and months.

Aggregates all network-category test results into a single 0-100 score. Covers director networks, ownership chains, contagion risk.

Identifies directors of this company who also hold active directorships at other UK companies. Shared directors create network connections between companies which may indicate corporate group structures, professional or nominee directors, or potential conflicts of interest. Useful for understanding the broader business relationships of key individuals and assessing governance risk.

Identifies Persons with Significant Control (PSCs) who are beneficial owners of multiple companies, indicating ownership network connections. A PSC is an individual or entity that holds significant influence or control over a company, typically through shareholding, voting rights, or the right to appoint directors. A single individual owning multiple companies may indicate a corporate group, serial entrepreneur, portfolio investor, or potential conflicts of interest. Precursor to full network graph analysis in Phase C.

Maps the network of companies connected to this company through shared directors. When a director serves on the boards of multiple companies, those companies are linked — creating an interlock network that can reveal corporate group structures, potential conflicts of interest, or governance concerns. The test displays an interactive graph showing directors as connecting nodes between companies. Scoring is proportionate to board size, using the average number of connections per director rather than the absolute total. An average of up to 2 connections per director with no outliers is considered proportionate. An average of 2 to 5 is moderately connected. An average above 5 is unusually high. If any individual director has more than 10 connections despite a low average, this is flagged as an outlier. Any connection to a company with adverse status such as dissolved, in liquidation or administration escalates the result, with severity adjusted based on how long ago the adverse event occurred — recent events within the last 2 years carry full weight, while events from over 10 years ago are treated as historical context. Related tests NET-004 and NET-005 provide detail on connections to dissolved and insolvent companies.

Identifies directors of the target company who also direct (or previously directed) companies that have been dissolved, struck off, or closed. This is a contagion risk indicator — directors associated with failed companies may carry governance risks. Severity is adjusted based on how long ago the dissolution occurred: events within the last 2 years carry full weight, events from 2 to 5 years ago are treated as moderate risk, events from 5 to 10 years ago as aging, and dissolutions from over 10 years ago are treated as historical context with significantly reduced severity. The table includes a Years Ago column showing when each dissolution occurred.

Checks whether any current or former director of this company has ever been associated with a company in insolvency proceedings. This includes directors who have since resigned from either the target or the insolvent company. Shows Active at Target, Active at Insolvent, and Years Ago columns so you can see whether the link is current or historical and how long ago the insolvency event occurred. Severity is adjusted based on time since the insolvency began — recent events within the last 2 years carry full weight, while events from over 10 years ago are treated as historical context with significantly reduced severity. See also NET-020 which is stricter and only flags directors currently active at both companies simultaneously.

Identifies directors who simultaneously serve at this company and at another company in the same SIC sector (matched at the 4-digit class level). This can reveal potential conflicts of interest, intelligence leakage, or anti-competitive arrangements through common directorship. Holding companies, dormant entities, non-trading companies, and head office vehicles are automatically excluded since sharing directors with corporate group vehicles is a normal governance pattern, not a competitive concern. If the target company itself has a non-competitive SIC code (e.g. holding company), the test returns not applicable. The table shows the director name, linked company, SIC code, and company status. Two or more same-sector matches triggers a fail (score 30); one match raises a warning (score 60).

Measures how connected the company's board is to the wider corporate network by calculating the average number of external company appointments per director. A low density (under 2 per director) means the board is primarily focused on this company. A moderate density (2 to 5) indicates significant external connections, common for larger companies. A high density (above 5) suggests directors are heavily spread across many other companies, which may dilute their focus or indicate professional nominee arrangements.

Detects reciprocal board relationships where a director from this company also serves at another company, and a different director from that company also serves at this company. This two-way board overlap indicates a close relationship between the two companies — often a legitimate corporate group structure, diversified business, or strategic partnership, but sometimes an indicator of undisclosed control or coordination. Dormant and non-trading shell companies are excluded as these are typically administrative arrangements. One or two reciprocal relationships raise a warning, while three or more trigger a fail.

Maps the full corporate ownership structure above and below this company — showing parent companies, ultimate owners, and subsidiaries. This reveals the complete group hierarchy that is often not visible from individual company filings alone. Understanding where a company sits within a corporate group is important for assessing financial exposure, governance independence, and whether obligations like modern slavery statements or gender pay gap reporting are met at group level.

Measures how many layers of ownership exist above and below this company. Parent layers represent companies that own this company (or own its owners), while subsidiary layers represent companies that this company owns. A simple structure with one or two layers is straightforward and transparent. Three or four layers is moderate and common for corporate groups. Five or more layers indicates a deeply layered structure that can make it harder to identify the ultimate beneficial owner and may warrant further investigation.

Detects circular ownership patterns where Company A owns Company B, which owns Company C, which owns Company A (or any cycle length). Not all circular ownership is concerning — Employee Ownership Trusts, nominee arrangements, and intra-group treasury structures commonly create legitimate cycles. This test classifies each cycle by examining the company names involved: EOT and trustee structures are recognised as benign, nominee holdings are flagged as expected, intra-group cross-ownership receives a low warning, and only unexplained cycles where none of these patterns apply are raised as a governance concern.

Identifies the company at the very top of the ownership chain — the ultimate parent that has no further corporate owner above it. The test follows all ownership paths upward and distinguishes between genuine share ownership routes (solid purple lines) and nominee or voting-only arrangements (dashed amber lines). When a company has both a share-owning parent and a separate nominee holding voting rights, both routes are shown on the graph. The genuine share-ownership parent is identified as the true ultimate owner. A nominee company typically holds voting rights on behalf of the actual owner and is not the real parent. If the ultimate parent has an adverse status such as dissolved or in liquidation, this is flagged as a concern.

Counts all companies owned directly or indirectly by this company (up to 5 levels deep) and assesses their health by checking each subsidiary's status at Companies House. Subsidiaries with adverse status — dissolved, in liquidation, or in administration — may indicate financial stress within the corporate group and potential contagion risk to the parent. Companies with Active - Proposal to Strike off status are also flagged. The table includes a Years Ago column for adverse subsidiaries showing how long ago the event occurred. Severity is adjusted based on time since the adverse event — a subsidiary dissolved 15 years ago carries far less weight than one dissolved recently. Three or more adverse subsidiaries or more than half unhealthy triggers a fail, with the score reflecting the recency of the worst event.

Checks the full ownership chain (both upward to parent companies and downward to subsidiaries) for any dissolved, struck-off, or closed companies. A broken link in the ownership chain may affect control, create legal complications, or indicate orphaned entities. Dissolved entities in the upstream (parent) chain are more serious as they may break the chain of control over this company. The table includes a Years Ago column showing when each dissolution occurred. Severity is adjusted based on recency — a parent company dissolved 20 years ago is treated as historical context, while a recent dissolution is flagged with full severity.

Measures how interconnected the target company's board is by calculating the clustering coefficient — the proportion of the target's directors who also share directorships with each other at third-party companies. A highly clustered board may indicate a closed network, reducing independent oversight.

Identifies pairs of companies that share 2 or more active directors with the target company. Companies sharing multiple directors likely operate as a de facto group, even if no formal ownership link exists. This reveals hidden group structures invisible to ownership-only analysis.

Calculates how many distinct companies are reachable within 2 hops from the target company through director connections. A large 2-hop reach indicates the target is well-connected in the broader corporate ecosystem, which can be positive (networking) or concerning (contagion exposure).

Shows a table of each active director and their external company portfolio. Columns include director name, total companies held, active, strike-off, dissolved, insolvent, and a time-adjusted health percentage. The health score accounts for how long ago adverse events occurred — dissolved or insolvent companies from over 10 years ago contribute only 25% of their weight to the health calculation, while recent adverse events carry full weight. Recent and Legacy columns show how many of each director's adverse companies fall into each time band. A director whose portfolio contains only legacy dissolutions from decades ago will score much higher than one with recent failures. Fail if any director has recent insolvent exposure or an extreme dissolution rate. Warning if elevated dissolution rate or high directorship count. Pass if all directors have clean portfolios.

Identifies directors of the target company who hold active directorships at an unusually high number of companies (>=10). Extreme counts may indicate nominee/shell company patterns, corporate service providers masquerading as genuine directors, or governance capacity concerns.

Checks whether any director who is currently active at this company is also currently active as a director at a company in insolvency proceedings. Both directorships must be live right now — this is the most severe form of insolvency contagion risk, as the person is simultaneously directing a failing company while serving on your board. Severity is adjusted based on how long ago the insolvency began — a company that entered liquidation 30 years ago but remains technically in that status carries far less risk than one that entered administration recently. The table includes a Years Ago column showing when the insolvency event occurred. See also NET-005 which casts a wider net and includes historical associations with insolvent companies.

Shows a breakdown of each director's external appointments by role type — how many companies they serve as director, secretary, or other roles (e.g. LLP member). Flags a warning if any director at this company only holds secretary roles elsewhere, which may indicate limited governance experience or a nominee arrangement. Columns: Director, External company count, As Director, As Secretary, Other Roles, Role Summary.

Shows the industry sectors represented across the director network, ranked by company count. For each SIC code found among linked companies, displays the code, sector description, number of companies operating in that sector, and which directors provide the connection. Useful for understanding the breadth of industries your directors are involved in and identifying potential conflicts of interest or sector concentration.

Identifies individuals who are both a director and a person with significant control (PSC) at this company. Shows a table with Name, Director Role, and PSC Control (share ownership, voting rights, right to appoint directors, or significant influence). Scoring is adjusted for company size: for companies with 1–2 directors, director-PSC overlap is the default state and is not penalised. For companies with 3–4 directors, high-control overlap is capped at a medium warning. For larger boards (5+ directors), majority control overlap is flagged as a fail since independent oversight is expected at that scale.

Identifies individuals who both direct and control the target company AND simultaneously direct/control other companies. This reveals concentrated control across multiple entities by a single person — the strongest key-person risk pattern, as one individual's incapacity could impact multiple businesses.

Detects patterns where a person has significant control over a parent company of this company but does not serve as a director on this company's board. This shadow director pattern — control through ownership layers without visible board presence — may indicate deliberate distancing from governance responsibilities. The person can influence this company's direction through their control of its parent without being subject to the duties and accountability that come with a formal directorship.

Calculates what proportion of the target company's active directors are also PSC controllers of the same company. Scoring is adjusted for company size: for companies with 1–2 directors, complete overlap is the structural norm for UK SMEs and is not penalised. For companies with 3–4 directors, high overlap is noted but capped at a low-severity warning. For larger boards (5+ directors), high overlap is treated as a governance concern since separation of ownership and management is expected at that scale.

Identifies foreign or unresolved corporate ownership by following the ownership chain upward through the graph and then checking the corporate PSC register for entities registered outside the UK. Shows a table with Entity name, Country, Registration number, Registered At, and their Control (share ownership, voting rights etc). Foreign ownership is not inherently negative but is important context for jurisdictional risk assessment and understanding where ultimate control lies. Fail if multiple foreign owners found. Warning for a single foreign owner or unresolved UK entities.

Detects when a single entity reaches this company through more than one ownership or control route. For example, a parent company that both directly owns this company and also owns an intermediary that owns this company. Multiple paths to the same target suggest deliberate structuring to reinforce control or create redundancy — which may be legitimate group planning or a red flag for control obfuscation. This pattern is most common in complex corporate groups and investment structures. Fail if an entity reaches via 3+ paths. Warning for 2 paths.

Checks whether directors of parent companies also serve on this company's board. When a parent company actively places directors on a subsidiary's board, it indicates engaged group management and governance oversight. When no parent directors sit on this board, the company may be a passive investment or an orphaned subsidiary with limited group-level oversight.

Estimates the total size of the corporate group by following the ownership chain upward to the ultimate parent company, then counting all subsidiaries beneath it. Where the ultimate parent is a foreign-registered company (not held on the UK Companies House register), the subsidiary count may show as zero because the full group structure is not available in UK data. The group size shown reflects UK-registered entities only.

Checks whether any director of this company appears on a sanctions list. Searches across UK, EU, US and other international sanctions regimes. A sanctioned director is a critical compliance risk — the company may be subject to asset freezes, transaction restrictions, or regulatory action. Shows the director name, sanctions regime, designation date, and asset freeze status.

Checks whether any person with significant control (PSC) over this company, or any corporate owner in the ownership chain, appears on a sanctions list. This is more severe than a sanctioned director because PSCs have material influence over company operations and beneficial ownership. A sanctioned controller may trigger automatic sanctions obligations on the company itself.

Analyses the distinct sanctions regimes (OFAC, EU, UN, UK) affecting persons connected to the target company director/PSC network. Multiple regime exposure indicates the network is flagged across multiple jurisdictions, dramatically increasing compliance risk for international operations.

Provides a composite summary of all 1-hop sanctions exposure for the target company: count of sanctioned persons by role (director, PSC, corporate owner), confidence level distribution, and overall risk classification. Synthesises across all relationship types in the graph.

Checks whether this company itself, or any parent company in its ownership chain, appears on a sanctions list. Company-level sanctions are the most direct form of sanctions exposure — they may result in asset freezes, transaction prohibitions, and legal restrictions on doing business with the company. Also checks upstream parent companies since sanctions on a parent can propagate obligations down to subsidiaries.

Identifies indirect sanctions exposure through shared directors. Checks whether this company shares a director with another company that has a sanctioned director or controller. This means a sanctioned person is just two steps away — connected via a shared directorship. While not a direct sanctions obligation, this proximity warrants enhanced due diligence and monitoring.

Traverses corporate ownership chains (OWNS edges) to discover parent/sibling companies whose directors or PSCs have sanctions matches. Catches exposure through corporate group structure — if your parent company other subsidiary has a sanctioned director, you share an ownership-based sanctions proximity.

Extends sanctions traversal to 3 hops through the director network: target -> director -> other company -> their director -> another company -> sanctioned person. Reveals the broader sanctions neighbourhood for proximity scoring. While 3-hop exposure is lower risk than 1-2 hop, it provides essential context for understanding the sanctions landscape.

Calculates a composite sanctions proximity score based on: distance to nearest sanctioned entity (1-hop, 2-hop, 3-hop), confidence weighting (HIGH/MEDIUM/LOW), number of distinct sanctions paths, regime diversity, and relationship type. Higher scores indicate greater proximity to sanctioned entities and therefore greater risk.

Shows the shortest path from this company to any sanctioned entity in the network. Traces the chain of directors, controllers, and ownership links that connect your company to a sanctioned person or organisation. This helps you understand exactly how the sanctions exposure arises and which relationships form the link, so you can assess whether the connection is close enough to require action.

Checks whether any director or person with significant control at this company is currently subject to a disqualification order or undertaking. Disqualified individuals are banned from acting as company directors, and their presence in a leadership or controlling role is a serious governance red flag. Matches are verified using date of birth and company history to reduce false positives — where a name matches but the date of birth does not, the match is rejected. Confirmed matches result in a critical failure, while probable matches that need manual review are flagged as warnings.

For each disqualified person connected to this company, shows every other company they are linked to as a director or controller. This reveals the full reach of a disqualified individual across the corporate network — every company potentially affected by their disqualification and any patterns of continued involvement despite the ban.