CoverProof

How it works

A documented, three-step process

From your current SM&CR register to an immutable board evidence pack — without building anything, without chasing anyone for logins.

Step 01

Map your significant role population

Upload your FCA register extract. CoverProof maps every approved person against the Section 250 criteria — flagging individuals in significant roles who fall outside your SM&CR perimeter.

~5 minutes
Step 02

Versioned multi-stage classifier with mandatory human review

A versioned, multi-stage pipeline — not a free-form chat with an LLM. Cleanly-covered cases hit a pre-LLM deterministic lookup; the rest route to the primary classifier (Sonnet or Haiku) at temperature 0 with a structured Zod schema, methodology version pinning, SHA-256 prompt fingerprint, and input-hash cache. Medium-confidence rows are deliberately re-sampled so disagreement flags them for review. Every Medium and Low row routes to your reviewer queue.

~2 minutes. Human review required.
Step 03

Send structured declarations. Generate an immutable evidence pack.

CoverProof sends zero-login declaration requests to every uncovered individual. As declarations come in, your board evidence pack builds automatically — PDF/A-3B compliant, timestamped, and SHA-256 hashed.

Same day

CoverProof does not make scope determinations. At each step, your compliance team reviews and confirms the classifications before any declaration is sent or any pack is generated.


Built for FCA-regulated firms that need to show their working

A declaration is only as good as the evidence trail behind it.

Evidence packs structured for court use

PDF/A-3B documents (ISO 19005-3) with embedded XMP metadata, SHA-256 tamper-detection hash recorded in the audit database at generation, and immutable audit log. Generated server-side — no headless browser, no fragile third-party renderer. Technical specification available on request. Whether specific documents are admitted in any particular legal proceeding is subject to judicial discretion.

Zero-login declarations

Recipients complete their declaration without creating an account. No friction, no IT overhead, no excuse not to respond. Completion rates are higher when the barrier is a URL, not a signup form.

Versioned multi-stage classifier — not a chat prompt

Every classification ties to a methodology version with a SHA-256 prompt fingerprint. Cleanly-covered cases short-circuit to a pre-LLM deterministic lookup; the rest run on the primary classifier (Sonnet or Haiku) at temperature 0 against a typed Zod schema. Medium-confidence rows are deliberately re-sampled three times — disagreement itself escalates the row. Pre-merge benchmark gate blocks any version that regresses against the held-out fixtures. Full pipeline documented at /methodology.

Row-level data isolation

Multi-tenant architecture with Row Level Security at the database layer. Your firm's data is isolated by design — not by configuration or trust.

Audit-grade timestamps

Every declaration send, every download, every status change — timestamped in UTC and recorded to an immutable log. You can prove exactly what happened and when.

FCA Register cross-reference

When FCA API access is configured, CoverProof cross-references each individual against the live FCA approved persons register — verifying their registration status and SMF function codes against the authoritative source.

Section 250 doesn't add to your regulatory obligations.
It creates criminal ones.

This is not a regulatory fine with an FCA enforcement cap. It is a criminal liability statute. The distinction is material.

Crime and Policing Act 2026 — Section 250 (verbatim enacted text)

“Where a senior manager of a body corporate or partnership (“the organisation”) acting within the actual or apparent scope of their authority commits an offence under the law of England and Wales, Scotland or Northern Ireland, the organisation also commits the offence (subject to subsection (2)).”

s.250(1), Crime and Policing Act 2026 (c.20). The section attributes the offence to the organisation; it does not itself set the penalty — on conviction the organisation is liable to the underlying offence’s own penalty, which for offences tried on indictment is an unlimited fine.

s.250(3) defines “senior manager” as an individual who plays a significant role in the making of decisions about how the whole or a substantial part of the activities of the organisation are to be managed or organised, or in managing or organising those activities. The test is functional — it covers all activities, not only financial ones, and applies regardless of FCA approval status.

Unlimited fine

Corporate criminal conviction

Section 250 imposes criminal liability on the organisation — not a regulatory fine with a cap. When a senior manager commits any offence within their authority, the organisation commits it too.

No statutory safe harbour

No adequate-procedures defence

Unlike the Bribery Act or ECCTA failure-to-prevent provisions, Section 250 contains no adequate-procedures defence. Documented governance does not create a statutory shield — but it is material to prosecutorial discretion.

Your current register misses them

Outside SM&CR perimeter

SM&CR covers FCA-approved persons. Section 250 uses a separate functional test — it reaches anyone playing a significant role in managing or organising a substantial part of the firm's activities, regardless of FCA approval status.

June 29 is statutory

The FCA cannot extend it

This is not a regulatory deadline that can be pushed. The date is written into primary legislation. It does not move.

Crime and Policing Act 2026, s.250. In force 29 June 2026. Source: legislation.gov.uk

Practical questions about the workflow

What changes for your team day-to-day.

How long does CoverProof take from upload to first evidence pack?

Most firms complete the full cycle — register import, AI gap classification, compliance team review, declarations sent — in under one hour. The AI classification itself runs as a background job at temperature 0 and typically finishes in under 5 minutes for registers of up to 500 individuals. Declarations are then sent via zero-login links so recipients can complete them without an account.

Do I need to install anything?

No. CoverProof runs entirely in the browser. There is no agent, no on-premise component, and no integration with your internal systems required. You upload a CSV export of your SM&CR register, the platform classifies each individual against the s.250(3) statutory test, and your compliance team reviews each classification before any declaration is sent.

What file format does CoverProof accept for the SM&CR register?

CSV exported from any SM&CR register system. The standard columns CoverProof reads are: full name, role title, function code (if applicable), department, and email. CoverProof does not require a specific schema — it normalises columns at import time and flags any rows that cannot be classified for human review.

Does CoverProof or my compliance team make the scope determination?

Your compliance team. CoverProof produces an AI-classified provisional rating (High, Medium, or Low coverage need) with the statutory reasoning persisted to the audit trail. Every Medium and Low classification is flagged for human review by default. No declaration is sent and no evidence pack is generated until your compliance team has reviewed and approved the in-scope population. CoverProof does not make legal determinations.

What if the AI classification is wrong?

Three layers catch a wrong classification before it can reach a declaration. (1) Confidence-tier routing — every Medium and Low row routes into your reviewer queue by default; nothing auto-passes. (2) Override path — your team can re-classify any row; the override carries a documented reason, user, and timestamp into the audit trail and into the evidence pack. (3) Reproducibility — methodology version pinning, SHA-256 prompt fingerprint, and input-hash caching mean any persisted classification is re-runnable for audit; the primary classifier path runs at temperature 0, with Medium-tier rows intentionally re-sampled at non-zero temperature so ambiguity escalates them. Drift monitoring (see /trust/quality) runs nightly on a deterministic 5% sample to catch any prompt-level regression in production.
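The reproducibility and re-sampling mechanics described in this answer and under Step 02, sketched as an added example; this is not CoverProof's code. The function names, the canonical-JSON encoding, the cache-key layout and the sample row are assumptions made for illustration.

```javascript
// Added illustration, not CoverProof code. All names here are hypothetical.
const { createHash } = require("node:crypto");

const sha256 = (s) => createHash("sha256").update(s, "utf8").digest("hex");

// Canonical JSON: sort object keys so that column order in the uploaded CSV
// cannot change the input hash of an otherwise identical row.
function canonical(value) {
  if (Array.isArray(value)) return "[" + value.map(canonical).join(",") + "]";
  if (value && typeof value === "object") {
    const members = Object.keys(value).sort()
      .map((k) => JSON.stringify(k) + ":" + canonical(value[k]));
    return "{" + members.join(",") + "}";
  }
  return JSON.stringify(value);
}

// The cache key binds a result to methodology version, prompt and input, so
// editing the prompt or bumping the version can never reuse a stale result.
function cacheKey(methodologyVersion, promptTemplate, row) {
  const promptFingerprint = sha256(promptTemplate);
  const inputHash = sha256(canonical(row));
  const key = sha256(canonical([methodologyVersion, promptFingerprint, inputHash]));
  return { promptFingerprint, inputHash, key };
}

// Audit re-run: a persisted record is reproducible only if the key recomputed
// from the stored version, prompt and row equals the key that was logged.
function isReproducible(record, methodologyVersion, promptTemplate, row) {
  return cacheKey(methodologyVersion, promptTemplate, row).key === record.key;
}

// Routing: Medium and Low always go to the reviewer queue; a Medium row whose
// re-samples disagree with each other or with the primary result is escalated.
function routeRow(primaryTier, resamples = []) {
  const disagreement = new Set([primaryTier, ...resamples]).size > 1;
  return {
    review: primaryTier !== "High" || disagreement,
    escalated: primaryTier === "Medium" && disagreement,
  };
}

// Constructed sample (not real register data).
const demoRow = { roleTitle: "Head of Operations", department: "Operations" };
console.log(cacheKey("methodology-v1", "constructed prompt text", demoRow));
console.log(routeRow("Medium", ["Medium", "Low", "Medium"]));
```

Hashing the canonical form rather than the raw CSV line is what makes a cache hit or an audit re-run independent of column order in the export.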

Can we re-run the gap analysis after the FCA updates the register?

Yes. CoverProof re-imports the register on demand and re-classifies any new or changed entries. The previous classification snapshot remains in the audit trail — the evidence pack always reflects the state at the moment of generation, so a later re-analysis does not invalidate prior packs. Declaration cycles continue to track expiry independently.
