[COMPANY/ENTITY] - Collection Map
OSINT-010 Vendor & Third-Party Integrity Vetting - collection workspace. Central topic = the counterparty entity under assessment. Branches = compliance screening dimensions. Drop each collected value as a child node; expand it with where it was found and what it links to. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-010.
00 · Collection Plan - PIRs & EEIs
The questions this collection must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Risk Rating & Onboarding Recommendation, §4 PIRs, §16 Verified Findings, §17 Gaps.
PIR-1 - Identity & Ownership: Is the entity real, in good standing, and who ultimately owns/controls it?
- EEI: legal name, registration number, type, jurisdiction, incorporation date confirmed in registry
- EEI: good-standing / active status verified as of as-of date
- EEI: registered vs. operating address cross-checked (shell / virtual-office indicators absent)
- EEI: parent / group / subsidiary structure mapped
- EEI: beneficial owners (UBOs) identified to the applicable threshold (25% / 10% / 5%) with verification basis
- EEI: entity-resolution confidence stated (Confirmed / Probable / Possible / Unresolved) with matched identifiers
PIR-2 - Restricted-Party Exposure: Is the entity, its owners, or principals subject to sanctions, export-control, or debarment?
- EEI: entity screened against OFAC SDN/SSI, OFSI, EU Consolidated, UN Consolidated, BIS Entity/Denied Persons
- EEI: 50%-rule / SDN-ownership exposure assessed for sanctioned owners
- EEI: debarment checked (SAM.gov, World Bank, MDB cross-debarment lists)
- EEI: all screening lists recorded with provider and version/as-of date
- EEI: every hit dispositioned (true / false / inconclusive) with discriminating identifiers
PIR-3 - Corruption Exposure: Does the engagement present FCPA/UKBA bribery-corruption risk?
- EEI: government / public-official interface confirmed or ruled out
- EEI: compensation basis (success fees, commissions, offshore routing) documented
- EEI: sub-agents / onward third parties identified
- EEI: CPI-risk jurisdictions of operation flagged
- EEI: vendor ABAC program maturity assessed (policy, training, prior enforcement)
PIR-4 - Viability & Integrity: Is the entity financially viable and free of disqualifying litigation, regulatory, labor, or reputational findings?
- EEI: solvency / going-concern signals assessed (credit/risk scores, CCJs/judgments, insolvency events)
- EEI: material litigation, regulatory fines, license suspensions, enforcement actions documented
- EEI: adverse media screened across fraud / corruption / labor / environmental / safety themes
- EEI: modern-slavery / ESG indicators assessed against statutory regime (UK MSA / LkSG / CSDDD / UFLPA)
- EEI: infosec posture checked (certifications, breach history, processor status) where data access in scope
PIR-5 - Client-Side Risk: Does the entity have undisclosed conflicts, related-party ties, or data/security exposure affecting the client?
- EEI: undisclosed related-party or family links between vendor principals and client personnel mapped
- EEI: common ownership with competitors / collusion indicators checked
- EEI: bid-rigging or procurement-process irregularity indicators noted
- EEI: data-residency, sub-processor chain, and Art. 28 / CCPA obligations documented where applicable
Collection gaps / RFIs (running)
- [open item] → route to [product / section]
- [open item]
01 · Entity Identity & Verification
Confirm the entity is real, active, and is what it claims. → feeds §5 Legal Entity Verification & Corporate Structure.
Legal & Registration Details
- Registered legal name:
- Trading / DBA / brand names:
- Source:
- Confidence: [H/M/L]
- Native-script / transliteration variants:
- Entity type:
- Jurisdiction of incorporation:
- Registration / company number:
- LEI (Legal Entity Identifier):
- Tax ID / VAT number:
- Incorporation date:
- Status / good standing: [Active / Struck off / Dissolved / Suspended]
- Source / registry:
- Date verified:
- Registered address:
- Operating / principal address:
- Address match / mismatch flag: [Match / Mismatch - virtual office? registered-agent only?]
Substance & Shell Indicators
- Stated headcount / employees:
- Observable operating footprint (website, premises, staff):
- Age vs. contract size / scope plausibility:
- Registered-agent-only / virtual-office flag: [Y/N]
- Notes / tool output: ← (OpenCorporates, Companies House, local registry, LEI/GLEIF)
Licenses & Permits
- License / permit required for service:
- Issuing authority:
- Status / expiry:
- Source grade:
02 · Corporate Structure
Map the group hierarchy and ownership chain. Clone the block per entity in the corporate family. → feeds §5 Legal Entity Verification & Corporate Structure, §7 Beneficial Ownership & Control.
Parent / Ultimate Holding Company
Clone per level of the ownership stack.
- [entity name - e.g. Holding Co Ltd]
- Jurisdiction:
- Registration number:
- Ownership stake (% / nature):
- Registry / source:
- Shell indicators:
- Confidence: [Confirmed / Probable / Possible / Unresolved]
- Notes / tool output: ← (OpenCorporates, national registry, GLEIF, Orbis/Bureau van Dijk)
Subsidiaries / Affiliates
- [subsidiary / affiliate name]
- Jurisdiction:
- Registration number:
- Relationship to target:
- Relevance to engagement:
- Confidence:
- Notes / tool output:
Nominee / Bearer / Trust Structures
- Nominee shareholder / director identified: [Y/N]
- Name:
- Basis:
- Bearer shares / instruments: [Y/N / Unknown]
- Trust / foundation layer: [Y/N / Unknown]
- Jurisdiction:
- Notes:
03 · People - Directors, Officers, UBOs & Key Principals
Map every named controller, director, officer, and beneficial owner. Clone the block per person. → feeds §7 Beneficial Ownership & Control, §8 PEP & Government Nexus, §15 Conflicts of Interest.
Director / Officer
Clone per person. Run each through PEP, sanctions, and adverse-media checks.
- [Full name - e.g. Jane A. Smith]
- Role / title:
- Appointed / resigned date:
- Nationality / jurisdiction:
- Other directorships / roles:
- PEP status: [Y / N / Unknown]
- Sanctions / watchlist hit: [Clear / Potential match / Confirmed]
- Adverse-media flag: [Y/N]
- Confidence (identity resolution): [Confirmed / Probable / Possible]
- Notes / tool output: ← (OpenCorporates, Companies House PSC, national BO registry, Comply Advantage, WorldCheck, ACRIS)
Beneficial Owner (UBO)
Clone per UBO. Identify control by equity and by other means (contracts, financing, dominant customer).
- [Full name - e.g. Ivan B. Petrov]
- % ownership / nature of control:
- Verification basis: [Registry / Disclosure / Inferred]
- Layering / nominee flag:
- PEP link: [Y/N - type: domestic / foreign / international-org / close associate]
- Sanctions link: [Clear / Potential / Confirmed]
- Conflict-of-interest link to client: [Y/N]
- Confidence: [Confirmed / Probable / Possible / Unresolved]
- Notes / tool output:
Key Operational Contacts / Management
- [name - e.g. contact submitted by vendor]
- Role:
- LinkedIn / professional profile:
- Verification status:
- Notes:
04 · Registrations & Filings
Statutory filings that evidence viability, ownership changes, and financial red flags. → feeds §5 Legal Entity Verification, §10 Financial Viability, §11 Litigation & Regulatory.
Corporate Filings
- Annual returns / confirmation statements filed: [Current / Overdue / Unknown]
- Last filed date:
- Source:
- Change-of-ownership filings (last 3 yrs):
- Change-of-director / officer filings (last 3 yrs):
- Registered-address changes (last 3 yrs):
- Notes / tool output: ← (Companies House, national registry, OpenCorporates)
Debarment & Exclusion Lists
- SAM.gov / US federal excluded parties: [Clear / Hit]
- World Bank debarment: [Clear / Hit]
- MDB cross-debarment (EBRD, ADB, AfDB, IDB): [Clear / Hit]
- EU / UK public-procurement exclusions:
- Screened as of date:
- Notes / tool output:
Export-Control & Restricted-Trade Filings
- BIS Entity List / Denied Persons / Unverified List: [Clear / Hit]
- ITAR / USML relevance: [Y/N]
- Dual-use classification flag:
- Notes:
05 · Digital & Infrastructure
Online presence verification - confirms operating substance and surfaces red flags (recently registered domain vs. aged contract, mismatch). Clone per domain or account. → feeds §14 Information Security & Data-Protection Posture, §5 Entity Verification.
Domains & Websites
Clone per domain.
- [domain - e.g. vendorcorp.com]
- Registrar / WHOIS registrant:
- Registration date:
- Hosting IP / ASN:
- Website content vs. claimed capability - plausibility:
- SSL / TLS certificate (crt.sh):
- Dark-web / paste mention: [Y/N]
- Notes / tool output: ← (whois, crt.sh, Shodan, VirusTotal, URLscan.io)
Email Infrastructure
- Email domain(s) used:
- MX / SPF / DMARC configured:
- Free-email-only flag (red flag for a business): [Y/N]
- Notes / tool output: ← (MXToolbox, hunter.io)
Social & Professional Presence
- LinkedIn company page:
- Headcount stated:
- Plausibility vs. claimed size:
- Other platforms (X, Facebook, trade directories):
- External-breach / credential-exposure signals:
- Notes / tool output: ← (haveibeenpwned, h8mail, holehe)
Infosec Certifications
- ISO 27001: [Certified / Lapsed / None - certificate ref + expiry]
- SOC 2 Type II: [Y/N - report period]
- Other (PCI-DSS, Cyber Essentials, CSA STAR):
- Certification verification source:
- Notes:
06 · Financials
OSINT-level viability screen - not forensic reconstruction. → feeds §10 Financial Viability & Stability.
Credit & Risk Rating
- Commercial credit / risk score:
- Provider / date:
- Grade / band:
- Payment-performance indicator:
- Notes / tool output: ← (Experian Business, D&B, Creditsafe, Kompass)
Filed Accounts
- Latest accounts filed (period end / date):
- Revenue (if disclosed):
- Net assets / equity:
- Going-concern note: [Y/N]
- Auditor opinion:
- Source:
Distress Indicators
- CCJs / judgments against entity:
- Value / jurisdiction / date:
- Liens / charges registered:
- Insolvency events (admin, CVA, liquidation): [Y/N - detail]
- Late-payment / credit-flag history:
- Revenue concentration / client-dependence flag:
- Notes:
07 · Commercial Footprint
Confirms the vendor’s stated role and operational reality; surfaces supply-chain / labor exposure. → feeds §13 Modern Slavery, Labor & ESG, §5 Entity Verification.
Locations & Operations
- Principal operating location(s):
- Country/region:
- Forced-labor risk flag (UFLPA scope / ILO risk): [Y/N]
- Manufacturing / production sites:
- Sub-tier suppliers / sub-contractors identified:
- Jurisdictions:
Labor & Supply-Chain Integrity
- Forced-labor / human-rights red flags:
- Statutory nexus: [UFLPA / UK MSA / LkSG / CSDDD / Norway Transparency Act]
- Severity:
- Labor-broker use: [Y/N]
- Audit / certification (SA8000, SMETA, amfori BSCI):
- Currency:
- Environmental / H&S record:
- Significant incidents:
Key Customers / Contracts (if public)
- [customer / contract reference (public only)]
- Relevance (validates capability / government nexus):
- Source:
08 · Legal, Regulatory & Sanctions
The compliance-critical backbone. Clone the screening-subject block per entity/person screened. → feeds §6 Sanctions, Watchlist & Debarment, §11 Litigation & Regulatory.
Sanctions & Watchlist Screening
Clone per subject screened (entity + each UBO + each director/officer).
- [Subject screened - e.g. Vendorcorp FZE]
- OFAC SDN / SSI - list version/date: [Clear / Potential match / Confirmed]
- OFSI (UK): [Clear / Potential / Confirmed]
- EU Consolidated:
- UN Consolidated:
- 50%-rule / ownership-by-sanctioned-party applied: [Y/N]
- Disposition of any hit (true / false / inconclusive + discriminating identifiers):
- Notes / tool output: ← (OFAC SDN search, OFSI, EU Sanctions Map, Comply Advantage, WorldCheck, Refinitiv)
Litigation & Enforcement
- [matter - e.g. US DOJ v. Vendorcorp 2022]
- Forum / case reference:
- Type: [Criminal / Civil / Regulatory / Labor / Environmental]
- Status: [Pending / Settled / Judgment]
- Materiality to engagement: [H/M/L]
- Source grade:
- Notes:
Regulatory & Licensing Actions
- [action - e.g. FCA fine / SEC enforcement]
- Issuing authority:
- Date / status:
- Materiality:
- Notes:
09 · Reputation & Adverse Media
Structured screen across integrity themes. Clone the block per adverse finding. → feeds §12 Adverse Media & Reputational Screening, §9 ABAC Assessment.
Adverse-Media Theme Block
Clone per substantive adverse finding.
- [theme - e.g. Fraud / Corruption / Sanctions Evasion / Labor / Environmental / Safety / Organized-Crime Ties / Product Failures]
- Entity / principal named:
- Summary:
- Outlet / source:
- Date:
- Substantiation: [Substantiated / Reported / Rumor / Allegation]
- Source reliability (A–F):
- Information credibility (1–6):
- Language / jurisdiction coverage gaps:
- Notes:
PEP & Government-Nexus Findings
- [person / entity]
- PEP type: [Domestic / Foreign / International-org / Close associate / Family member]
- Government role / position:
- Relevance to engagement (government sales, permitting, customs):
- Revolving-door flag (prior client-government touchpoint): [Y/N]
- Risk weighting: [L/M/H]
- Notes / tool output: ← (PEP databases, government gazette, LinkedIn, World-Check)
ABAC Indicator Block
Clone per ABAC risk factor identified.
- [ABAC factor - e.g. offshore commission routing / sub-agent use]
- Detail:
- Engagement nexus:
- Severity: [Indicator / Established]
- Notes:
10 · Network & Affiliations
Map related entities and shared infrastructure that may indicate beneficial control, sanctions circumvention, or conflicts. Clone the block per related entity. → feeds §7 Beneficial Ownership, §15 Conflicts of Interest.
Related Entities - Shared Infrastructure / Common Ownership
Clone per related entity.
- [related entity name]
- Relationship basis (shared director / address / phone / domain / UBO):
- Jurisdiction:
- Registration number:
- Sanctions / PEP / red-flag status:
- Relevance (circumvention risk / beneficial control / conflict):
- Confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← (OpenCorporates network graph, Orbis, Sayari, LittleSis, ICIJ Offshore Leaks)
Conflicts of Interest - Vendor-to-Client Links
Clone per identified relationship.
- [relationship - e.g. Director of vendor is spouse of client procurement manager]
- Parties:
- Nature / basis:
- Disclosed to client: [Y / N / Unknown]
- Risk: [L/M/H]
- Notes:
Bid / Procurement Integrity
- Sole-source / no-competition flag: [Y/N]
- Pricing anomaly vs. market: [Y/N]
- Prior failed bid / disqualification: [Y/N]
- Notes:
99 · Collection Admin
Working register - audit trail behind the deliverable, not a deliverable section itself.
Source Register
Every material datum traceable to a graded source. Clone per source.
- [S-01 - source name / type]
- Type: [Primary registry / Licensed database / Open-web / Vendor disclosure / News]
- Reliability (A–F) / Credibility (1–6):
- Provider & list version / as-of date (critical for sanctions):
- Date accessed:
- URL / reference:
Evidence Archive
- [screenshot / capture ref + SHA-256 hash + URL + timestamp]:
Screening-Hit Log
- List screened:
- Provider / version date:
- Subject screened:
- Result: [Clear / Potential / Confirmed]
- Disposition:
Open Gaps / Verification Pending
- [item - e.g. UBO layer above Jersey holdco unresolvable from open sources → escalate to CDD]
- [item]
RFI Register
- [RFI raised → routed to §17 / product / analyst]
- [RFI]