A spreadsheet of names and an email thread of signed forms are not the same as an evidence pack a court will trust. Section 250 needs documentation that is immutable, timestamped, and produced through a process you can trace end to end. Here is what that looks like in practice.
Why documentation integrity matters for Section 250
Section 250 of the Crime and Policing Act 2026 (2026 c. 20) lets a criminal offence committed by a senior manager be attributed to the organisation itself. The scope is wide: any criminal offence under the law of England and Wales, Scotland or Northern Ireland, committed within the actual or apparent scope of that person's authority, can land on the body corporate or partnership too. It is not limited to offences created by the Act.
If that attribution is ever tested, the documentation your firm produced will be read by your own legal counsel, by the FCA's lawyers, and possibly by a judge. Evidence that cannot prove its own integrity carries little weight. A file that could have been edited after the fact, that has no clear chain of custody, that does not record when it was made or by whom, is easy to discount.
No file format is admissible by itself. A court decides admissibility case by case, on questions of authenticity, integrity and chain of custody. What you can do is build a record that answers those questions cleanly before anyone asks them.
The PDF/A-3B standard
PDF/A-3B is defined by ISO 19005-3, the standard for long-term document preservation. Level B means the file reliably reproduces the same visual appearance whenever and wherever it is opened, which is precisely what you want from a record meant to be read years later.
The format forbids the things that make a document slippery. No dynamic content, no external references, no embedded scripts, so there is nothing that can quietly change what the page shows after generation. It does allow embedded file attachments and XMP metadata, so an XML audit log can travel inside the same file as the document it describes, along with metadata asserting creation date and origin. CoverProof generates every board evidence pack in PDF/A-3B.
Cryptographic hashing and tamper detection
A document hash is a cryptographic fingerprint of a file's contents. SHA-256 is the algorithm used in legal and regulatory work, and it is the one CoverProof uses.
When your evidence pack is generated, we record the SHA-256 hash of the PDF in our audit database. Change a single character in the file later and the hash no longer matches. Producing the recorded hash next to the file shows a regulator or a court that the document in front of them is byte-for-byte the one created at the time of your gap analysis. That is the integrity half of what a court assesses, made checkable in seconds.
What the audit trail has to record
The audit trail inside a Section 250 evidence pack should capture the whole cycle: when the gap analysis ran, which individuals it flagged as uncovered, when declarations went out and confirmation that they were delivered, when each one came back with a timestamp and the declarant's identifier, and every non-response or refusal along the way.
The point is that this trail lives in the PDF. A separate spreadsheet or email chain can be lost, deleted, or quietly amended, and once it is detached from the document it no longer proves anything about how that document came to be.
What does not meet the standard
A list of names in a spreadsheet. An email thread with declarations attached. A Word document holding signed forms. None of these stand up for Section 250. They are editable, they carry no cryptographic integrity, and they say nothing about the process that produced them.
If that is what your compliance team is planning to hand over in an FCA investigation or a legal proceeding, fix it before 29 June 2026. That date is fixed by statute, two months after Royal Assent, with no commencement order and no regulatory discretion to move it. Run the gap analysis, send the declaration cycle, and generate the evidence pack while you still have room to do it properly.
Related articles
Ready to identify your Section 250 exposure?
Import your SM&CR register, run your gap analysis, and download a PDF/A-3B evidence pack. First analysis is free.
Start Free Gap Analysis →Sources
- Crime and Policing Act 2026, s.250www.legislation.gov.uk/ukpga/2026/20/section/250
- Civil Evidence Act 1995, ss.8–9www.legislation.gov.uk/ukpga/1995/38/section/8
- ISO 19005-3 (PDF/A-3)www.iso.org/standard/57229.html
- Economic Crime and Corporate Transparency Act 2023, s.196www.legislation.gov.uk/ukpga/2023/56/section/196
- FCA Registerregister.fca.org.uk/