A firm sued or prosecuted under Section 250 of the Crime and Policing Act 2026 will be asked one question above all others: what reasonable steps did you take to prevent the senior manager's offence? The answer is not "we had a policy" — it is documentary evidence of action. This guide walks through what that evidence has to look like to be admissible and persuasive in 2027 or 2028.
The shape of a Section 250 defence
Section 250(1) attributes the senior manager's offence to the organisation. The defence path runs through showing that the organisation took reasonable steps to prevent the senior manager from committing the offence within the actual or apparent scope of their authority. "Reasonable steps" is the operative phrase. It is not a single document. It is a chain of actions documented over time: the firm identified who its senior managers were; the firm informed them of their s.250 status; the firm required them to declare compliance with the relevant standards; the firm reacted to non-responses and incomplete declarations; the firm escalated when something looked wrong. Each link in the chain must be evidenced contemporaneously — built before the offence, not constructed after.
The Civil Evidence Act 1995, sections 8–9
In civil proceedings, the route to admit business records like an evidence pack runs through the Civil Evidence Act 1995. Section 8 establishes that a statement contained in a document may be received in evidence; section 9 establishes that a document forming part of the records of a business or public authority may be received in evidence without further proof, provided the document is duly certified. The practical effect: an evidence pack that visibly forms part of the firm's business records — kept in the ordinary course of business, produced through a consistent process, attributable to the firm — clears a substantial evidential hurdle by virtue of how it was produced, before the contents are even examined. The pack does not have to be a sworn statement; it has to be a business record.
What makes a document a "business record"
There is no single test, but case law on the equivalent provisions identifies recurring features. The document was made by a person acting under a duty (rather than out of choice). The document was made contemporaneously with the events it records (rather than reconstructed later). The document was made in a process the business follows in the ordinary course (rather than improvised for the proceedings). The document is part of a series — a chain of similar records following the same process — that lends credibility to any one of them. A board evidence pack that captures the firm's ongoing Section 250 programme satisfies each of these features when it is generated by an automated, versioned process the firm runs on a regular cycle.
Why immutability matters more than encryption
A pack that was generated, hashed, and timestamped at production time is more credible than one that was retrieved from a sealed digital store. The reason is evidential: the hash is the record of what the firm produced and when. If the firm later produces a document that matches the hash, the document has not been altered since the hashed event. If the firm produces a document whose hash differs from the audit-database record, the discrepancy is itself evidential. The PDF/A-3B format (ISO 19005-3) is designed for exactly this lifecycle — a self-describing document with no external dependencies, with embedded XMP metadata locating the document in its production context. CoverProof generates evidence packs to this standard and records the SHA-256 hash in the audit database at the moment of generation; see our Sample evidence pack for a full example.
The RFC 3161 trusted timestamp
A SHA-256 hash recorded in the firm's own audit database is internally consistent. To make the timestamping itself defensible against a "the firm could have backdated the database" argument, a second timestamp is required — one issued by an entity outside the firm's control. The RFC 3161 Timestamp Protocol provides this. A Trust Service Provider (TSP) is sent the SHA-256 hash; the TSP returns a Timestamp Token signed by the TSP and dated by the TSP. The Token is embedded in the evidence pack. The result is a chain: the hash binds the document to the moment of timestamping; the TSP timestamp binds that moment to an external authority. A reviewer in 2028 can verify both ends.
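What the firm actually sends to the TSP, as an added example that is not CoverProof's code: a minimal RFC 3161 TimeStampReq built by hand in DER, showing that only the SHA-256 digest and a nonce leave the firm, never the pack itself. The function names are hypothetical; transport to a TSP (an HTTP POST with content type `application/timestamp-query`) is left out.

```python
import hashlib
import secrets

# DER of AlgorithmIdentifier { id-sha256 (2.16.840.1.101.3.4.2.1), NULL }
SHA256_ALG_ID = bytes.fromhex("300d06096086480165030402010500")

def der_tlv(tag, value):
    """Encode one DER tag-length-value element (short or long length form)."""
    n = len(value)
    if n < 0x80:
        length = bytes([n])
    else:
        body = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(body)]) + body
    return bytes([tag]) + length + value

def der_int(n):
    """Non-negative INTEGER, minimal length, leading 0x00 when the top bit is set."""
    return der_tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big"))

def build_timestamp_request(pack_bytes, nonce=None):
    """TimeStampReq: version 1, SHA-256 messageImprint, nonce, certReq TRUE."""
    digest = hashlib.sha256(pack_bytes).digest()
    if nonce is None:
        nonce = secrets.randbits(64)  # lets the firm match the reply to this request
    imprint = der_tlv(0x30, SHA256_ALG_ID + der_tlv(0x04, digest))
    body = der_int(1) + imprint + der_int(nonce) + der_tlv(0x01, b"\xff")
    return der_tlv(0x30, body)

def read_tlv(buf, pos):
    """Read one DER element at pos; return (tag, value, position after it)."""
    tag, n, pos = buf[pos], buf[pos + 1], pos + 2
    if n & 0x80:
        k = n & 0x7F
        n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
    return tag, buf[pos:pos + n], pos + n

def imprint_digest(request):
    """Pull the hashed message back out of a TimeStampReq for checking."""
    _, body, _ = read_tlv(request, 0)
    _, _version, pos = read_tlv(body, 0)
    _, imprint, _ = read_tlv(body, pos)
    _, _alg, pos = read_tlv(imprint, 0)
    _, digest, _ = read_tlv(imprint, pos)
    return digest

# Constructed sample bytes standing in for a generated evidence pack.
SAMPLE_PACK = b"constructed sample evidence pack bytes"
```

A reviewer checking the returned token compares its message imprint with `imprint_digest` of the request and with a fresh SHA-256 of the pack on file.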
The audit trail beyond the pack
An evidence pack is a snapshot. The reasonable-steps defence requires evidence of the programme that produced the snapshot: the gap analysis was triggered on a date, declarations were sent on dates, individual responses were received on dates, reminders were sent on dates, escalations were made on dates. CoverProof records every such event in an append-only audit log keyed to the firm. The evidence pack PDF includes this audit log as a structured XML attachment so a reviewer reading the pack can follow the timeline without needing access to the live system. A reviewer who does need access can verify that the pack's audit log matches the live audit log via the recorded hash.
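The record-then-verify cycle from the immutability section, together with the append-only log described above, as an added example that is not CoverProof's code. The SQLite schema, table and function names are hypothetical, and the sample pack bytes are constructed.

```python
import hashlib
import hmac
import sqlite3
from datetime import datetime, timezone

# Hypothetical schema. The triggers make the table append-only at the SQL level;
# an administrator could still drop them, which is why the external timestamp matters.
SCHEMA = """
CREATE TABLE audit_log (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    firm_id TEXT NOT NULL, event TEXT NOT NULL,
    pack_id TEXT, sha256 TEXT, recorded_at TEXT NOT NULL);
CREATE TRIGGER audit_no_update BEFORE UPDATE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
CREATE TRIGGER audit_no_delete BEFORE DELETE ON audit_log
BEGIN SELECT RAISE(ABORT, 'audit_log is append-only'); END;
"""

def open_audit_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db

def record_pack(db, firm_id, pack_id, pack_bytes):
    """Hash the pack at generation time and append the digest to the log."""
    digest = hashlib.sha256(pack_bytes).hexdigest()
    now = datetime.now(timezone.utc).isoformat()
    db.execute("INSERT INTO audit_log (firm_id, event, pack_id, sha256, recorded_at) "
               "VALUES (?, 'pack_generated', ?, ?, ?)", (firm_id, pack_id, digest, now))
    db.commit()
    return digest

def verify_pack(db, pack_id, produced_bytes):
    """Compare a document produced later against the digest recorded at generation."""
    row = db.execute("SELECT sha256, recorded_at FROM audit_log WHERE event = "
                     "'pack_generated' AND pack_id = ? ORDER BY id LIMIT 1", (pack_id,)).fetchone()
    if row is None:
        return {"status": "no_record"}
    actual = hashlib.sha256(produced_bytes).hexdigest()
    status = "match" if hmac.compare_digest(row[0], actual) else "mismatch"
    return {"status": status, "recorded": row[0], "actual": actual, "recorded_at": row[1]}

def rewrite_is_rejected(db, pack_id):
    """Return True if an attempt to overwrite a recorded digest is refused."""
    try:
        db.execute("UPDATE audit_log SET sha256 = ? WHERE pack_id = ?", ("0" * 64, pack_id))
    except sqlite3.DatabaseError:
        return True
    return False

# Constructed sample bytes standing in for a generated PDF/A-3B pack.
SAMPLE_PACK = b"%PDF-1.7 constructed sample evidence pack, Q1 cycle"
```

A `mismatch` result keeps both digests and the recorded time, so the discrepancy itself can be documented rather than silently corrected.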
What a reviewer will ask, and what the evidence must answer
"Did the firm know who its senior managers were?" — the gap analysis with documented methodology and per-individual classification record answers this. "Did the firm act on what it knew?" — the declaration audit log, with timestamps for issued / accessed / submitted / expired / bounced, answers this. "Did the firm take action when something looked wrong?" — the audit log of reminders sent and escalations recorded answers this. "Can the firm prove the documents we are reading were the documents the firm produced at the time?" — the SHA-256 hash and the RFC 3161 timestamp answer this. The defence is the union of those four answers, and the evidence pack is built to surface all four in one document.
What a compliance officer should do this quarter
Establish the cadence of evidence-pack generation now. A pack generated on the day of the deadline is less credible than a pack generated as part of an ongoing quarterly cycle that happens to include the deadline. Document the methodology before you need it: the firm's policy on how the gap analysis is performed, who reviews classifications, when overrides happen, what is escalated. Test the chain end-to-end: generate a pack, verify the hash, retrieve the timestamp, save the artefact in the firm's document management system, record the act. The day the firm is asked to produce its Section 250 evidence is not the day to discover that the timestamping integration was not configured correctly.