Per-company Compliance Pack
In brief: Audit-defence ZIP for one specific company client, including linked-BO evidence.
The audit-defence ZIP for one specific company client, including the evidence for any beneficial owner who's also linked to one of your firm's individual clients.
Where you do it
Open the company profile → above the tab row, click Company pack.
Hidden on individual profiles (they're not the unit of audit defence for KYB).
What goes in the ZIP
Certivus-Company-Pack-{Name}-{YYYY-MM-DD}.zip
├── README.txt — manifest + summary
├── company-info.json — name, no., parent, full subsidiary tree
├── bo-register/
│ └── summary.json — every BO with linked-client markers
├── evidence/
│ ├── company-bos/ — BO identification uploads
│ └── company-sof/ — company's SoF / SoW evidence
├── linked-bos/
│ └── {Linked Person Name}/
│ ├── summary.json — link metadata
│ ├── summary.pdf — Phase 60: branded BO audit summary
│ ├── bo-uploads/ — that person's BO uploads
│ └── sof/ — that person's SoF / SoW evidence
├── subsidiaries/ — Phase 58 group structure roll-up
│ └── {Subsidiary Name}-{id8}/
│ ├── bo-register/summary.json — subsidiary's BOs
│ ├── evidence/company-bos/ — subsidiary's BO uploads
│ ├── evidence/company-sof/ — subsidiary's SoF
│ └── linked-bos/{name}/... — subsidiary's linked-individual evidence
└── audit-logs/ — Phase 58 audit slice
├── audit-log.json — structured rows (scope + truncation flag)
└── audit-log.csv — flat view for spreadsheet review
Subsidiary roll-up scope
The pack walks parent_company_id downward from the root company up to
3 levels deep (the typical limit for a UK group structure inspector
review). The full tree (including any nodes that were skipped because
of depth cap, cycle protection, or the safety-net node limit) is
recorded in company-info.json under subsidiary_tree.
Audit-log slice scope
audit-logs/audit-log.json contains every row in client_audit_logs
keyed to the root company, every bundled subsidiary, and every linked
BO individual — sorted newest first, capped at 5,000 rows. If the cap
is hit, truncated: true is set in the JSON and noted in the README.
How it differs from the firm-wide Compliance Pack
| Firm-wide pack | Company pack (this one) | |
|---|---|---|
| Where | Settings → AML Compliance | Company profile header |
| Scope | The firm's AML programme | One specific company client |
| Includes the firm's PCP / Annual MLRO / FWRA PDFs | ✅ | ❌ (those are firm-level) |
| Includes BO register for the company | ❌ | ✅ |
| Includes linked-individual KYC evidence | ❌ | ✅ |
The two are complementary — an inspector might ask for both ("show me your firm's programme" + "show me how you onboarded this specific client").
When the linked-BO evidence is empty
If a beneficial owner is not linked to an individual client
record (Phase 50 linking), nothing appears under linked-bos/ for
them. The BO still appears in bo-register/summary.json with
linked_client_id: null so the inspector can see they exist but
their KYC evidence is held elsewhere.
To pull the most out of the pack, link each BO who's also one of your individual clients via the Link to client button on the BO row (see Linking beneficial owners to clients).
Failures + what they mean
The README.txt lists every artefact that was attempted but failed
to download (e.g. expired signed URL, deleted file). These are
non-fatal — the rest of the pack still builds. Re-run the pack
download to retry the failures.
Per-linked-BO PDF (Phase 60)
For every linked BO, the pack now includes a consolidated
linked-bos/{name}/summary.pdf (2-3 pages, fully branded):
- Cover — BO name, parent company, overall status badge (CLEAR / IN PROGRESS / ATTENTION REQUIRED).
- Page 2 — beneficial-owner relationship (ownership %, PSC, nature of control, recorded date), identity verification status (provider, method, completed date, case id), AML/PEP/Sanctions screening (status, total hits, dispositioned hits, last screened), source-of-funds entries (declaration type, declared source, evidence-on-file flag), and a provenance note.
The PDF is auto-generated from live data each time you download the
pack — no manual step. If any per-BO PDF fails to generate (e.g.
network blip, missing case data), the rest of the pack still builds
and the failure is logged in the README.txt [skipped] list.
The raw uploads + JSON manifests stay alongside the PDF — the PDF is the summary, not a replacement for the underlying evidence.
Related
- Compliance Pack ZIP — firm-wide variant
- Linking beneficial owners to clients
- Group structure
Didn't find what you needed?
Contact support