[COUNTERPARTY / ENTITY] - Collection Map
OSINT-018 Continuous Counterparty Monitoring - collection workspace. Central topic = the monitored counterparty (vendor, partner, investee, service provider, acquirer, board appointee). Branches = data-point categories keyed to §1 watch criteria and §2 collection lanes. Drop each collected value as a child node; expand it with source, date, and grade. Paste raw tool output into the node’s Notes. → feeds deliverable OSINT-018.
00 · Collection Plan - PIRs & EEIs
The questions this standing service must answer continuously. Tick each EEI as satisfied per cycle. → drives §1 Watch Criteria/Tripwires, §2 Collection Cadence & Sources, §4 Escalation & Notification Triggers, §6 Review & Renewal.
PIR-1 - Corporate standing: is the counterparty legally and operationally intact?
- EEI: current registered status in all relevant jurisdictions (active / struck off / dissolved)
- EEI: no undisclosed change of registered office, directors, or beneficial owner
- EEI: no filing for insolvency, administration, receivership, or voluntary winding-up
- EEI: certificate of good standing / equivalent confirms active status this cycle
PIR-2 - Ownership & control: have UBO or parent-company structures changed?
- EEI: current UBO(s) identified and cross-checked against seeding baseline (OSINT-013/014)
- EEI: no new parent, acquirer, or controlling interest has emerged undisclosed
- EEI: no new nominee / shell layer inserted between UBO and operating entity
- EEI: ownership changes notified (or absent notification - gap flagged)
PIR-3 - Sanctions, PEP & watchlist exposure: is the counterparty (or any UBO/director) newly listed?
- EEI: counterparty entity screened against OFAC SDN, EU, UK, UN, FATF grey/black lists this cycle
- EEI: all named directors/UBOs screened for PEP exposure and adverse watchlist hits
- EEI: no near-name / transliteration hit left unresolved
- EEI: screening date and database version recorded
PIR-4 - Adverse media & reputational events: has a significant negative story broken?
- EEI: keyword/alert sweep returns no unreviewed adverse hits this cycle
- EEI: any hit reviewed, graded A–F / 1–6, and routed through §4 escalation tiers
- EEI: social media / dark web chatter reviewed for counterparty mentions
PIR-5 - Financial health signals: are OSINT-visible distress indicators present?
- EEI: most recent accounts / annual returns filed on schedule and publicly available
- EEI: no new CCJs, liens, UCC filings, or judgments identified
- EEI: no observable contraction of workforce, facilities, or digital presence
- EEI: credit-rating or trade-reference change (if publicly available) noted
PIR-6 - Legal & regulatory actions: has a new proceeding or enforcement action been initiated?
- EEI: civil litigation docket checked (relevant jurisdictions)
- EEI: regulatory enforcement / FCA / SEC / SFC or sector-specific body actions checked
- EEI: criminal proceedings involving the entity or named principals checked
PIR-7 - Digital & infrastructure continuity: has the counterparty’s digital footprint changed materially?
- EEI: primary domains resolve correctly; no unexpected transfer, expiry, or new registrant
- EEI: corporate website / communications channels operational
- EEI: no breach / credential leak for counterparty domain(s) observed in current cycle
Collection gaps / RFIs (running)
- [open item] → route to [product / escalation tier]
- [open item]
00b · Monitoring Cadence & Triggers
Standing-up and steady-state cadence for the watch subscription. → drives §2 Collection Cadence & Sources, §3 Reporting Cadence & Product Format, §4 Escalation & Notification Triggers, §5 Service Levels (SLA).
Active watch items (per §1 - clone row per counterparty)
- [counterparty name - e.g. Acme Logistics Ltd]
- Watch item ref (→ §1 #):
- Observable indicator:
- Tripwire threshold:
- Severity tier: [Critical / High / Elevated / Moderate / Low]
- Last confirmed clean:
- Notes:
Refresh cadence by lane
- Sanctions / PEP screening: [e.g., continuous / daily automated sweep]
- Corporate registry: [e.g., weekly pull]
- Adverse media / news: [e.g., daily keyword alert]
- Financial filings: [e.g., on-filing trigger + quarterly manual check]
- Legal / court dockets: [e.g., weekly]
- Digital / domain: [e.g., weekly + on-transfer-event trigger]
- Dark-web / breach feeds: [e.g., continuous automated + weekly manual review]
Alert thresholds & tripwire definitions
- Critical (L×I 21–25): [e.g., OFAC SDN hit; insolvency filing; confirmed criminal referral]
- Notification target:
- Time-to-notify: [e.g., ≤ 1 hour of detection]
- High (L×I 16–20): [e.g., new regulatory enforcement; undisclosed change of UBO; court freezing order]
- Notification target:
- Time-to-notify: [e.g., ≤ 4 hours]
- Elevated (L×I 11–15): [e.g., adverse media tier-1 outlet; CCJ / lien filed; accounts filing overdue]
- Notification target:
- Time-to-notify: [e.g., ≤ next business day]
- Moderate / Low (L×I 1–10): [e.g., minor adverse mention; immaterial filing; personnel change non-principal]
- Notification target:
- Time-to-notify: [e.g., next routine periodic report]
Escalation path
- On-tripwire: [analyst → senior analyst → client point-of-contact; define by tier]
- Routine periodic: [e.g., periodic watch summary → account manager → client]
- Service-health escalation: [e.g., SLA breach → service owner → client]
- Offboarding trigger: [e.g., contract expiry / termination notice received]
Cadence review schedule
- Next watch-list review date:
- Next service-level review date:
- Renewal / re-scoping due:
01 · Entity Identity
Baseline identity record of the monitored counterparty, cross-checked against seeding product (OSINT-013/014) each cycle. → feeds §1 Watch Criteria (change-of-identity tripwires), Annex A Source Register.
Legal identity
- Registered legal name:
- Trading name(s) / DBA:
- Company / registration number:
- Registered jurisdiction:
- Entity type (Ltd / LLC / PLC / Partnership / other):
- Date of incorporation / registration:
- Registered office address:
- Current status (active / dissolved / struck off):
Identifiers & codes
- LEI (Legal Entity Identifier):
- VAT / tax registration number(s):
- DUNS / Creditsafe / equivalent:
- ISIN / ticker (if listed):
- Sector / SIC code:
Multi-jurisdiction registrations
- [jurisdiction - e.g. New York State]
- Registration number:
- Status:
- Source:
- Notes:
02 · Corporate Structure
UBO, parent, subsidiary, and joint-venture network. Changes here are high-priority tripwires. → feeds §1 Watch Criteria (PIR-2), §4 Escalation.
Ultimate beneficial owner(s) (UBO)
Clone per UBO. → feeds PIR-2, PIR-3. Check OpenCorporates, national registries, Orbis/GLEIF.
- [UBO name - e.g. J. Eriksson]
- Ownership stake (%):
- Control mechanism (direct / indirect / nominee):
- Jurisdiction of residence:
- Baseline record (OSINT-013 ref):
- Change since baseline: [Yes / No / Unknown]
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← OpenCorporates, GLEIF, national BO register
Parent / holding company
- [entity name]
- Jurisdiction:
- Relationship:
- Source:
- Change since baseline: [Yes / No / Unknown]
- Notes:
Subsidiaries / affiliates
- [entity name - e.g. Acme Asia Pacific Pte Ltd]
- Jurisdiction:
- Relationship / stake:
- Source:
- Notes:
Joint ventures / SPVs
- [entity name]
- Partners:
- Purpose:
- Notes:
03 · People - Directors, Officers & Key Principals
Named individuals tied to the counterparty; changes in directorship/key personnel are watch tripwires. → feeds §1 Watch Criteria (PIR-2, PIR-3), §3 Reporting, Annex A.
Directors / board members
Clone per individual. Screen each cycle. → tools: OpenCorporates, Companies House, local registries.
- [name - e.g. M. Vasquez]
- Role / title:
- Appointment date:
- Nationality / jurisdiction:
- PEP status: [Yes / No / Unknown]
- Sanctions hit this cycle: [Clear / Hit / Near-match]
- Adverse media this cycle: [None / See note]
- Change since baseline: [Yes / No]
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← Companies House, OpenCorporates, OFAC, EU/UK/UN lists
Senior officers / key staff (named in scope)
- [name]
- Role:
- PEP / sanctions status this cycle:
- Change flag:
- Notes:
Departures / new appointments since last cycle
- [name - departing or newly appointed]
- Type: [Departure / New appointment]
- Effective date:
- Significance / risk relevance:
- Notes:
04 · Registrations & Filings
Corporate filings, annual returns, and any new regulatory registrations or lapses. → feeds §1 Watch Criteria (PIR-1, PIR-5), §2 Collection Cadence.
Annual return / confirmation statement
- Last filed:
- Due next:
- Status this cycle: [On time / Overdue / Waived]
- Source / registry URL:
Accounts / financial statements (publicly filed)
- Period covered:
- Filed date:
- Status this cycle: [On time / Overdue / Qualified / Adverse opinion]
- Source:
- Notes:
Insolvency / winding-up filings
- Any filing this cycle: [None / Yes - see note]
- Filing type:
- Date:
- Source:
- Notes:
Sector / professional licenses
- [license / accreditation]
- Issuing body:
- Expiry / renewal:
- Status this cycle: [Active / Lapsed / Suspended]
- Notes:
05 · Digital & Infrastructure
Domains, IP ranges, email patterns, and social/web presence. Changes can signal distress or counterparty-impersonation risk. → feeds §1 Watch Criteria (PIR-7), §2 Collection Cadence.
Primary domains
Clone per domain. → tools: whois, crt.sh, DNStwist, SecurityTrails.
- [domain - e.g. acme-logistics.com]
- Registrant (WHOIS):
- Registrar:
- Expiry date:
- Change since last cycle (registrant / NS / MX): [None / Yes - see note]
- SSL cert issuer / SANs (crt.sh):
- Hosting / IP:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← whois, crt.sh, SecurityTrails
Corporate email pattern
- Pattern identified:
- Source:
- Notes:
Social media accounts (corporate)
Clone per platform.
- [platform - LinkedIn / X / Facebook / other]
- Handle / URL:
- Status this cycle: [Active / Dormant / New / Removed]
- Follower / engagement anomaly:
- Notes:
Breach / credential exposure this cycle
- [indicator / breach source]
- Date observed:
- Significance:
- Notes: ← HaveIBeenPwned, DeHashed, IntelligenceX
06 · Financials
OSINT-visible financial health indicators. Distress signals are §1 PIR-5 tripwires. → feeds §1 Watch Criteria, §4 Escalation (Elevated tier).
Filed accounts snapshot (most recent cycle)
- Revenue / turnover (if disclosed):
- Net profit / loss:
- Total assets / net assets:
- Accounts qualification: [Unqualified / Qualified / Adverse / Disclaimer]
- Source / period:
Credit & trade indicators
- Credit rating / score (public source):
- Rating agency / source:
- Change since last cycle: [None / Downgrade / Upgrade]
- Notes:
Financial distress signals
- [indicator - CCJ / lien / UCC filing / winding-up petition]
- Jurisdiction / court:
- Date:
- Amount (if public):
- Source:
- Escalation tier triggered:
- Notes:
Funding / investment activity
- [round / deal / filing]
- Date:
- Source:
- Notes:
07 · Commercial Footprint
Operating locations, key customers/suppliers, contracts. Changes can signal strategic shifts. → feeds §1 Watch Criteria (PIR-1, PIR-5), §6 Review & Renewal context.
Registered / operating locations
- [address / location]
- Type: [Registered / Operational / Warehouse / Other]
- Jurisdiction:
- Change this cycle: [None / Opened / Closed / Relocated]
- Source:
Known customers / end-clients (publicly disclosed)
- [customer name]
- Source:
- Relevance:
- Notes:
Key suppliers / sub-contractors (publicly disclosed)
- [supplier name]
- Criticality to counterparty: [High / Med / Low]
- Source:
- Notes:
Public contracts / tenders
- [contract / framework]
- Awarding body:
- Value (if public):
- Period:
- Source:
- Notes:
08 · Legal, Regulatory & Sanctions
The highest-priority tripwire domain. Any new listing, enforcement, or proceeding escalates immediately. → feeds §1 Watch Criteria (PIR-3, PIR-6), §4 Escalation (Critical / High tiers).
Sanctions & watchlist screening (this cycle)
- OFAC SDN / Consolidated: [Clear / Hit / Near-match]
- Screening date:
- Database version / date:
- Analyst sign-off:
- EU Consolidated List: [Clear / Hit / Near-match]
- Screening date:
- UK HMT Consolidated List: [Clear / Hit / Near-match]
- Screening date:
- UN Security Council Consolidated List: [Clear / Hit / Near-match]
- Screening date:
- FATF grey / black list (jurisdiction): [Clear / Listed / De-listed]
- Notes:
- Sector-specific lists (e.g. BIS Entity List, CAATSA): [Clear / Hit]
- List name:
- Notes:
PEP screening (directors/UBOs - this cycle)
- [individual screened]
- Result: [Clear / PEP hit / Associate]
- Database(s) used:
- Notes:
Regulatory enforcement actions
- [action / proceeding]
- Regulator / body:
- Jurisdiction:
- Date initiated:
- Status:
- Escalation tier:
- Source:
- Notes:
Civil litigation (new since last cycle)
- [case]
- Court / jurisdiction:
- Role (plaintiff / defendant):
- Claim / summary:
- Status:
- Source:
- Notes:
Criminal proceedings (entity or named principals)
- [matter]
- Jurisdiction:
- Status:
- Source:
- Notes:
09 · Reputation & Adverse Media
News, sector commentary, and social signals. Grade every hit; route through §4. → feeds §1 Watch Criteria (PIR-4), §3 Reporting Cadence (alert product), §4 Escalation.
Adverse media hits (this cycle)
Clone per hit. Grade reliability (A–F) and credibility (1–6) per Admiralty.
- [headline / outlet / date - e.g. Reuters, 2026-06-15, “Acme investigated for…“]
- Substance summary:
- Reliability (A–F):
- Credibility (1–6):
- Combined grade:
- Escalation tier triggered: [Critical / High / Elevated / Moderate / None]
- Status: [New alert raised / Incorporated in periodic report / Closed - not material]
- Notes:
Positive / neutral mentions (for baseline context)
- [item]
- Source / date:
- Notes:
Social media & forum sentiment (this cycle)
- [platform / channel]
- Notable themes:
- Change from prior cycle:
- Notes:
Dark-web / leak-site mentions (this cycle)
- [mention / paste / forum thread]
- Source:
- Substance:
- Escalation tier:
- Notes: ← DarkOwl, IntelligenceX, manual search
10 · Network & Affiliations
Related entities, shared infrastructure, and cross-counterparty linkages. Surfaces hidden exposure across the watch list. → feeds §1 Watch Criteria (PIR-2), §2 Collection Cadence, §6 Review & Renewal.
Related / affiliated entities (beyond corporate structure)
Clone per entity. → tools: OpenCorporates, national registries, shared-infrastructure analysis.
- [entity name - e.g. Acme Capital Partners LP]
- Relationship type: [Shared director / Shared address / Shared infrastructure / JV / Other]
- Jurisdiction:
- Risk relevance:
- Source:
- Attribution confidence: [Confirmed / Probable / Possible]
- Notes / tool output: ← OpenCorporates, GLEIF, Whoxy, SecurityTrails
Shared infrastructure indicators
- [indicator - e.g. shared IP / shared SSL cert / shared registrant email]
- Entities linked:
- Source:
- Notes:
Cross-counterparty linkages (across active watch list)
- [counterparty A ↔ counterparty B link]
- Link type:
- Risk implication:
- Notes:
Strategic partnerships / MoUs (publicly disclosed)
- [partner / agreement]
- Date:
- Source:
- Notes:
99 · Collection Admin
Working register - audit trail behind the monitoring service. Not a deliverable section but the evidence base for Annex A (Source & Watch-List Register) and Annex B (Onboarding/Offboarding Checklist).
Source register
Every material datum traceable to a graded source; feeds Annex A of the deliverable.
- [S-1 - source, e.g. Companies House, UK]
- Type: [Primary / Secondary / Tertiary]
- Reliability (A–F):
- Credibility (1–6):
- Date accessed this cycle:
- Notes:
Evidence archive (this cycle)
- [screenshot / capture ref + hash + URL + timestamp]:
Cycle log
- Cycle reference / period:
- Collector:
- Supervisor sign-off:
- Date submitted:
Open gaps / verification pending
- [item not yet resolved - e.g. UBO confirmation pending registry response]
- [item]
RFIs issued
- [RFI-001]
- Issued to:
- Date:
- Status: [Open / Answered / Closed]
- Notes:
Onboarding / offboarding status (→ Annex B)
- Scope sign-off captured: [Yes / No / Pending]
- Seeding baseline ingested (OSINT-013 ref):
- Collection lanes stood up: [Yes / No / Partial]
- Data retention schedule confirmed: [Yes / No]
- Offboarding trigger date (if known):