[COMPANY/ENTITY] - Collection Map

OSINT-010 Vendor & Third-Party Integrity Vetting - collection workspace. Central topic = the counterparty entity under assessment. Branches = compliance screening dimensions. Drop each collected value as a child node; expand it with where it was found and what it links to. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-010.

00 · Collection Plan - PIRs & EEIs

The questions this collection must answer + the essential elements of information (EEI) for each. Tick as satisfied. → drives §3 Risk Rating & Onboarding Recommendation, §4 PIRs, §16 Verified Findings, §17 Gaps.

PIR-1 - Identity & Ownership: Is the entity real, in good standing, and who ultimately owns/controls it?

  • EEI: legal name, registration number, type, jurisdiction, incorporation date confirmed in registry
  • EEI: good-standing / active status verified as of as-of date
  • EEI: registered vs. operating address cross-checked (shell / virtual-office indicators absent)
  • EEI: parent / group / subsidiary structure mapped
  • EEI: beneficial owners (UBOs) identified to the applicable threshold (25% / 10% / 5%) with verification basis
  • EEI: entity-resolution confidence stated (Confirmed / Probable / Possible / Unresolved) with matched identifiers

PIR-2 - Restricted-Party Exposure: Is the entity, its owners, or principals subject to sanctions, export-control, or debarment?

  • EEI: entity screened against OFAC SDN/SSI, OFSI, EU Consolidated, UN Consolidated, BIS Entity/Denied Persons
  • EEI: 50%-rule / SDN-ownership exposure assessed for sanctioned owners
  • EEI: debarment checked (SAM.gov, World Bank, MDB cross-debarment lists)
  • EEI: all screening lists recorded with provider and version/as-of date
  • EEI: every hit dispositioned (true / false / inconclusive) with discriminating identifiers

PIR-3 - Corruption Exposure: Does the engagement present FCPA/UKBA bribery-corruption risk?

  • EEI: government / public-official interface confirmed or ruled out
  • EEI: compensation basis (success fees, commissions, offshore routing) documented
  • EEI: sub-agents / onward third parties identified
  • EEI: CPI-risk jurisdictions of operation flagged
  • EEI: vendor ABAC program maturity assessed (policy, training, prior enforcement)

PIR-4 - Viability & Integrity: Is the entity financially viable and free of disqualifying litigation, regulatory, labor, or reputational findings?

  • EEI: solvency / going-concern signals assessed (credit/risk scores, CCJs/judgments, insolvency events)
  • EEI: material litigation, regulatory fines, license suspensions, enforcement actions documented
  • EEI: adverse media screened across fraud / corruption / labor / environmental / safety themes
  • EEI: modern-slavery / ESG indicators assessed against statutory regime (UK MSA / LkSG / CSDDD / UFLPA)
  • EEI: infosec posture checked (certifications, breach history, processor status) where data access in scope
  • EEI: undisclosed related-party or family links between vendor principals and client personnel mapped
  • EEI: common ownership with competitors / collusion indicators checked
  • EEI: bid-rigging or procurement-process irregularity indicators noted
  • EEI: data-residency, sub-processor chain, and Art. 28 / CCPA obligations documented where applicable

Collection gaps / RFIs (running)

  • [open item] → route to [product / section]
  • [open item]

01 · Entity Identity & Verification

Confirm the entity is real, active, and is what it claims. → feeds §5 Legal Entity Verification & Corporate Structure.

  • Registered legal name:
  • Trading / DBA / brand names:
    • Source:
    • Confidence: [H/M/L]
  • Native-script / transliteration variants:
  • Entity type:
  • Jurisdiction of incorporation:
  • Registration / company number:
  • LEI (Legal Entity Identifier):
  • Tax ID / VAT number:
  • Incorporation date:
  • Status / good standing: [Active / Struck off / Dissolved / Suspended]
    • Source / registry:
    • Date verified:
  • Registered address:
  • Operating / principal address:
    • Address match / mismatch flag: [Match / Mismatch - virtual office? registered-agent only?]

Substance & Shell Indicators

  • Stated headcount / employees:
  • Observable operating footprint (website, premises, staff):
  • Age vs. contract size / scope plausibility:
  • Registered-agent-only / virtual-office flag: [Y/N]
  • Notes / tool output: ← (OpenCorporates, Companies House, local registry, LEI/GLEIF)

Licenses & Permits

  • License / permit required for service:
    • Issuing authority:
    • Status / expiry:
    • Source grade:

02 · Corporate Structure

Map the group hierarchy and ownership chain. Clone the block per entity in the corporate family. → feeds §5 Legal Entity Verification & Corporate Structure, §7 Beneficial Ownership & Control.

Parent / Ultimate Holding Company

Clone per level of the ownership stack.

  • [entity name - e.g. Holding Co Ltd]
    • Jurisdiction:
    • Registration number:
    • Ownership stake (% / nature):
    • Registry / source:
    • Shell indicators:
    • Confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / tool output: ← (OpenCorporates, national registry, GLEIF, Orbis/Bureau van Dijk)

Subsidiaries / Affiliates

  • [subsidiary / affiliate name]
    • Jurisdiction:
    • Registration number:
    • Relationship to target:
    • Relevance to engagement:
    • Confidence:
    • Notes / tool output:

Nominee / Bearer / Trust Structures

  • Nominee shareholder / director identified: [Y/N]
    • Name:
    • Basis:
  • Bearer shares / instruments: [Y/N / Unknown]
  • Trust / foundation layer: [Y/N / Unknown]
    • Jurisdiction:
    • Notes:

03 · People - Directors, Officers, UBOs & Key Principals

Map every named controller, director, officer, and beneficial owner. Clone the block per person. → feeds §7 Beneficial Ownership & Control, §8 PEP & Government Nexus, §15 Conflicts of Interest.

Director / Officer

Clone per person. Run each through PEP, sanctions, and adverse-media checks.

  • [Full name - e.g. Jane A. Smith]
    • Role / title:
    • Appointed / resigned date:
    • Nationality / jurisdiction:
    • Other directorships / roles:
    • PEP status: [Y / N / Unknown]
    • Sanctions / watchlist hit: [Clear / Potential match / Confirmed]
    • Adverse-media flag: [Y/N]
    • Confidence (identity resolution): [Confirmed / Probable / Possible]
    • Notes / tool output: ← (OpenCorporates, Companies House PSC, national BO registry, Comply Advantage, WorldCheck, ACRIS)

Beneficial Owner (UBO)

Clone per UBO. Identify control by equity and by other means (contracts, financing, dominant customer).

  • [Full name - e.g. Ivan B. Petrov]
    • % ownership / nature of control:
    • Verification basis: [Registry / Disclosure / Inferred]
    • Layering / nominee flag:
    • PEP link: [Y/N - type: domestic / foreign / international-org / close associate]
    • Sanctions link: [Clear / Potential / Confirmed]
    • Conflict-of-interest link to client: [Y/N]
    • Confidence: [Confirmed / Probable / Possible / Unresolved]
    • Notes / tool output:

Key Operational Contacts / Management

  • [name - e.g. contact submitted by vendor]
    • Role:
    • LinkedIn / professional profile:
    • Verification status:
    • Notes:

04 · Registrations & Filings

Statutory filings that evidence viability, ownership changes, and financial red flags. → feeds §5 Legal Entity Verification, §10 Financial Viability, §11 Litigation & Regulatory.

Corporate Filings

  • Annual returns / confirmation statements filed: [Current / Overdue / Unknown]
    • Last filed date:
    • Source:
  • Change-of-ownership filings (last 3 yrs):
  • Change-of-director / officer filings (last 3 yrs):
  • Registered-address changes (last 3 yrs):
  • Notes / tool output: ← (Companies House, national registry, OpenCorporates)

Debarment & Exclusion Lists

  • SAM.gov / US federal excluded parties: [Clear / Hit]
  • World Bank debarment: [Clear / Hit]
  • MDB cross-debarment (EBRD, ADB, AfDB, IDB): [Clear / Hit]
  • EU / UK public-procurement exclusions:
  • Screened as of date:
  • Notes / tool output:

Export-Control & Restricted-Trade Filings

  • BIS Entity List / Denied Persons / Unverified List: [Clear / Hit]
  • ITAR / USML relevance: [Y/N]
  • Dual-use classification flag:
  • Notes:

05 · Digital & Infrastructure

Online presence verification - confirms operating substance and surfaces red flags (recently registered domain vs. aged contract, mismatch). Clone per domain or account. → feeds §14 Information Security & Data-Protection Posture, §5 Entity Verification.

Domains & Websites

Clone per domain.

  • [domain - e.g. vendorcorp.com]
    • Registrar / WHOIS registrant:
    • Registration date:
    • Hosting IP / ASN:
    • Website content vs. claimed capability - plausibility:
    • SSL / TLS certificate (crt.sh):
    • Dark-web / paste mention: [Y/N]
    • Notes / tool output: ← (whois, crt.sh, Shodan, VirusTotal, URLscan.io)

Email Infrastructure

  • Email domain(s) used:
  • MX / SPF / DMARC configured:
  • Free-email-only flag (red flag for a business): [Y/N]
  • Notes / tool output: ← (MXToolbox, hunter.io)

Social & Professional Presence

  • LinkedIn company page:
    • Headcount stated:
    • Plausibility vs. claimed size:
  • Other platforms (X, Facebook, trade directories):
  • External-breach / credential-exposure signals:
    • Notes / tool output: ← (haveibeenpwned, h8mail, holehe)

Infosec Certifications

  • ISO 27001: [Certified / Lapsed / None - certificate ref + expiry]
  • SOC 2 Type II: [Y/N - report period]
  • Other (PCI-DSS, Cyber Essentials, CSA STAR):
  • Certification verification source:
  • Notes:

06 · Financials

OSINT-level viability screen - not forensic reconstruction. → feeds §10 Financial Viability & Stability.

Credit & Risk Rating

  • Commercial credit / risk score:
    • Provider / date:
    • Grade / band:
  • Payment-performance indicator:
  • Notes / tool output: ← (Experian Business, D&B, Creditsafe, Kompass)

Filed Accounts

  • Latest accounts filed (period end / date):
    • Revenue (if disclosed):
    • Net assets / equity:
    • Going-concern note: [Y/N]
    • Auditor opinion:
  • Source:

Distress Indicators

  • CCJs / judgments against entity:
    • Value / jurisdiction / date:
  • Liens / charges registered:
  • Insolvency events (admin, CVA, liquidation): [Y/N - detail]
  • Late-payment / credit-flag history:
  • Revenue concentration / client-dependence flag:
  • Notes:

07 · Commercial Footprint

Confirms the vendor’s stated role and operational reality; surfaces supply-chain / labor exposure. → feeds §13 Modern Slavery, Labor & ESG, §5 Entity Verification.

Locations & Operations

  • Principal operating location(s):
    • Country/region:
    • Forced-labor risk flag (UFLPA scope / ILO risk): [Y/N]
  • Manufacturing / production sites:
  • Sub-tier suppliers / sub-contractors identified:
    • Jurisdictions:

Labor & Supply-Chain Integrity

  • Forced-labor / human-rights red flags:
    • Statutory nexus: [UFLPA / UK MSA / LkSG / CSDDD / Norway Transparency Act]
    • Severity:
  • Labor-broker use: [Y/N]
  • Audit / certification (SA8000, SMETA, amfori BSCI):
    • Currency:
  • Environmental / H&S record:
    • Significant incidents:

Key Customers / Contracts (if public)

  • [customer / contract reference (public only)]
    • Relevance (validates capability / government nexus):
    • Source:

The compliance-critical backbone. Clone the screening-subject block per entity/person screened. → feeds §6 Sanctions, Watchlist & Debarment, §11 Litigation & Regulatory.

Sanctions & Watchlist Screening

Clone per subject screened (entity + each UBO + each director/officer).

  • [Subject screened - e.g. Vendorcorp FZE]
    • OFAC SDN / SSI - list version/date: [Clear / Potential match / Confirmed]
    • OFSI (UK): [Clear / Potential / Confirmed]
    • EU Consolidated:
    • UN Consolidated:
    • 50%-rule / ownership-by-sanctioned-party applied: [Y/N]
    • Disposition of any hit (true / false / inconclusive + discriminating identifiers):
    • Notes / tool output: ← (OFAC SDN search, OFSI, EU Sanctions Map, Comply Advantage, WorldCheck, Refinitiv)

Litigation & Enforcement

  • [matter - e.g. US DOJ v. Vendorcorp 2022]
    • Forum / case reference:
    • Type: [Criminal / Civil / Regulatory / Labor / Environmental]
    • Status: [Pending / Settled / Judgment]
    • Materiality to engagement: [H/M/L]
    • Source grade:
    • Notes:

Regulatory & Licensing Actions

  • [action - e.g. FCA fine / SEC enforcement]
    • Issuing authority:
    • Date / status:
    • Materiality:
    • Notes:

09 · Reputation & Adverse Media

Structured screen across integrity themes. Clone the block per adverse finding. → feeds §12 Adverse Media & Reputational Screening, §9 ABAC Assessment.

Adverse-Media Theme Block

Clone per substantive adverse finding.

  • [theme - e.g. Fraud / Corruption / Sanctions Evasion / Labor / Environmental / Safety / Organized-Crime Ties / Product Failures]
    • Entity / principal named:
    • Summary:
    • Outlet / source:
    • Date:
    • Substantiation: [Substantiated / Reported / Rumor / Allegation]
    • Source reliability (A–F):
    • Information credibility (1–6):
    • Language / jurisdiction coverage gaps:
    • Notes:

PEP & Government-Nexus Findings

  • [person / entity]
    • PEP type: [Domestic / Foreign / International-org / Close associate / Family member]
    • Government role / position:
    • Relevance to engagement (government sales, permitting, customs):
    • Revolving-door flag (prior client-government touchpoint): [Y/N]
    • Risk weighting: [L/M/H]
    • Notes / tool output: ← (PEP databases, government gazette, LinkedIn, World-Check)

ABAC Indicator Block

Clone per ABAC risk factor identified.

  • [ABAC factor - e.g. offshore commission routing / sub-agent use]
    • Detail:
    • Engagement nexus:
    • Severity: [Indicator / Established]
    • Notes:

10 · Network & Affiliations

Map related entities and shared infrastructure that may indicate beneficial control, sanctions circumvention, or conflicts. Clone the block per related entity. → feeds §7 Beneficial Ownership, §15 Conflicts of Interest.

Clone per related entity.

  • [related entity name]
    • Relationship basis (shared director / address / phone / domain / UBO):
    • Jurisdiction:
    • Registration number:
    • Sanctions / PEP / red-flag status:
    • Relevance (circumvention risk / beneficial control / conflict):
    • Confidence: [Confirmed / Probable / Possible]
    • Notes / tool output: ← (OpenCorporates network graph, Orbis, Sayari, LittleSis, ICIJ Offshore Leaks)

Clone per identified relationship.

  • [relationship - e.g. Director of vendor is spouse of client procurement manager]
    • Parties:
    • Nature / basis:
    • Disclosed to client: [Y / N / Unknown]
    • Risk: [L/M/H]
    • Notes:

Bid / Procurement Integrity

  • Sole-source / no-competition flag: [Y/N]
  • Pricing anomaly vs. market: [Y/N]
  • Prior failed bid / disqualification: [Y/N]
  • Notes:

99 · Collection Admin

Working register - audit trail behind the deliverable, not a deliverable section itself.

Source Register

Every material datum traceable to a graded source. Clone per source.

  • [S-01 - source name / type]
    • Type: [Primary registry / Licensed database / Open-web / Vendor disclosure / News]
    • Reliability (A–F) / Credibility (1–6):
    • Provider & list version / as-of date (critical for sanctions):
    • Date accessed:
    • URL / reference:

Evidence Archive

  • [screenshot / capture ref + SHA-256 hash + URL + timestamp]:

Screening-Hit Log

  • List screened:
    • Provider / version date:
    • Subject screened:
    • Result: [Clear / Potential / Confirmed]
    • Disposition:

Open Gaps / Verification Pending

  • [item - e.g. UBO layer above Jersey holdco unresolvable from open sources → escalate to CDD]
  • [item]

RFI Register

  • [RFI raised → routed to §17 / product / analyst]
  • [RFI]