CoverProof / Methodology
How CoverProof achieves Section 250 compliance
Six steps from SM&CR register import to litigation-grade evidence pack. Every step documented, every decision auditable, every timestamp server-recorded.
Six steps from SM&CR register import to litigation-grade evidence pack. Every step documented, every decision auditable, every timestamp server-recorded.
CoverProof takes your SM&CR register, uses AI (Claude) to classify who is in scope for Section 250, requires human approval before sending any declaration, delivers declarations via zero-login unique links, tracks completion in real time, and generates a PDF/A-3B evidence pack with SHA-256 cryptographic signing and immutable audit trail. The full process takes under 1 hour for a typical firm.
Upload your SM&CR register as a CSV — the same format exported from the FCA Register Extract Service (RES). CoverProof accepts the FCA standard 17-file pipe-delimited format or a simplified CSV with individual names, roles, and function codes. The import process validates the data structure and flags malformed rows before any classification runs.
What we check: FRN consistency, duplicate IRNs, malformed function codes, missing mandatory fields. What we do not check: the accuracy of your source data — CoverProof is a classification and workflow tool, not an auditor of your HR records.
CoverProof uses Claude (Anthropic's AI model) with structured JSON output to assess each individual against the verbatim s.250(3) statutory test: does this person play a significant role in (a) the making of decisions about how the whole or a substantial part of the activities of the organisation are to be managed or organised, or (b) the managing or organising of the whole or a substantial part of those activities? The test covers all activities — not only financial ones — and is independent of FCA approval status.
Classification output per individual: (1) Exposure likelihood — HIGH / MEDIUM / LOW, (2) Confidence score (0–100) and tier — High Confidence / Moderate Confidence / Low Confidence — Review Required, (3) Reasoning steps — the analysis pathway applied, (4) Rationale — plain-English summary, (5) Uncertainty flags identifying information gaps. All Medium and Low-confidence classifications are flagged for human review. Your compliance team makes the final call on every individual.
The gap report shows every individual classified as IN scope (requiring a declaration) or BORDERLINE (requiring human review), with a plain-English explanation of why. Compliance staff can override any AI classification — marking an individual as OUT of scope with a documented reason, or promoting a BORDERLINE case to IN. Override decisions are recorded in the audit trail.
CoverProof does not send any declaration without explicit approval. The review step is mandatory. This is not a configuration option.
Once approved, CoverProof generates a unique signed URL for each declaration recipient. The URL contains a cryptographically signed token that identifies the specific declaration, the firm, and the recipient. Recipients click the link, review the declaration text, and submit. No account creation. No password. No friction.
Declaration emails are sent via Resend with delivery tracking. CoverProof records: send timestamp (UTC), delivery confirmation, open event, completion timestamp, IP address at completion. All timestamps are server-side — not self-reported by the recipient.
Every declaration has a RAG (Red/Amber/Green) status. Green: completed. Amber: sent but not yet completed, within the expiry window. Red: not completed and approaching or past expiry. CoverProof sends automated expiry reminders and allows one-click re-sending to non-responders. The evidence pack records every re-send attempt — which is itself legally significant documentation of reasonable steps taken.
Declaration expiry periods are configurable. The default is 30 days from send date. Expired declarations that have not been completed trigger an automatic alert to the compliance team.
CoverProof generates a PDF/A-3B document (ISO 19005-3 compliant) containing: the gap analysis report with all classifications and overrides; a declaration status log showing every send, re-send, completion, and expiry event; the SHA-256 document hash recorded in the CoverProof audit database at generation time; and an immutable XML audit log embedded in the PDF.
PDF/A-3B is the archival standard for long-term document integrity. The SHA-256 hash recorded at generation allows verification at any future point that the file has not been modified. These properties are designed to meet the documentation standards required in legal and regulatory proceedings. Courts ultimately determine admissibility — the pack provides the strongest evidential foundation currently achievable for this type of compliance record.
CoverProof uses AI for initial classification only. Every classification is subject to mandatory human review before any declaration is sent.
CoverProof uses Claude (Anthropic's AI model) to assess each individual against the verbatim Section 250(3) statutory test: does the person play a significant role in (a) the making of decisions about how the whole or a substantial part of the activities of the organisation are to be managed or organised, or (b) the managing or organising of the whole or a substantial part of those activities? The test covers all organisational activities — not only financial ones — and applies regardless of FCA approval status. The AI reasons over role title, function codes, and seniority indicators. Every Medium and LOW-confidence classification is flagged for human review. Your compliance team makes the final decision — CoverProof does not send declarations without explicit approval.
Three factors: (1) PDF/A-3B format — the ISO 19005-3 standard for archival documents with embedded metadata; (2) SHA-256 cryptographic hash — recorded in the CoverProof database at generation time, allowing verification that the document has not been modified; (3) Immutable audit trail — every declaration event is timestamped in UTC server-side and embedded as XML in the PDF. These properties are designed to meet the documentation standards required in legal and regulatory proceedings. Courts determine admissibility on the facts of each case — the pack provides the strongest evidential foundation currently achievable for this type of compliance record.
Yes. Compliance staff can override any AI classification — marking an individual as OUT of scope (with a documented reason) or promoting a BORDERLINE case to IN scope. Every override is recorded in the audit trail with the user, timestamp, and stated reason. The evidence pack includes the override log.
CoverProof tracks non-response and allows one-click re-sending. Every re-send attempt is recorded with a timestamp. The evidence pack includes the full re-send history — which documents your firm's reasonable steps to obtain declarations from uncovered individuals. This documentation is legally significant even when a declaration is not ultimately obtained.
CoverProof imports from the FCA Register Extract Service (RES), the same bulk data feed that the FCA uses for its official register. The RES provides weekly snapshots in pipe-delimited format covering firms, individuals, approved persons (SMF roles), and AR relationships. CoverProof uses this as the ground-truth baseline for your SM&CR approved persons, cross-referenced against your gap analysis.
PDF/A-3B (ISO 19005-3) is the international standard for archival documents intended for long-term preservation. It requires: embedded metadata, no external dependencies (fonts, images, and content must be embedded), and a self-describing document structure. CoverProof generates to this standard because evidence packs may be required in proceedings years after the June 29, 2026 deadline.
The SHA-256 hash recorded in the database at generation time means that if your evidence pack is ever challenged — if someone claims the document was altered after the fact — you can produce the original hash and prove the file is unmodified. This is the same tamper-evidence mechanism used in legal e-discovery.
The first gap analysis is free — see your Section 250 exposure in under 10 minutes.
Start your free gap analysisQuestions about the methodology? Email us