Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- What Is Company Due Diligence (And Why It Matters)?
- When Should Small Businesses Run Company Due Diligence?
- A Step-By-Step Company Due Diligence Checklist (UK)
  - 1) Confirm Identity, Status And Ownership
  - 2) Review Corporate Governance
  - 3) Legal And Regulatory Compliance
  - 4) Financial Health
  - 5) Contracts And Key Relationships
  - 6) Intellectual Property And Technology
  - 7) People And Employment
  - 8) Litigation And Insurance
  - 9) ESG And Reputation
  - 10) Document Control And Reporting
- What UK Laws Apply To Company Due Diligence?
- What Documents Should You Ask For (And How To Use Them)?
- How To Turn Your Findings Into Contract Protections
- Common Red Flags (And What To Do If You Spot Them)
- Do You Always Need A Full Report?
- Key Takeaways
Working with a new supplier, taking on an investor, buying a company or even signing a big customer? That’s the perfect time to slow down and run company due diligence.
Good due diligence helps you validate who you’re dealing with, uncover risks early and negotiate better terms. It’s not about being suspicious - it’s about being smart, so you’re protected from day one.
In this guide, we’ll break down what company due diligence is, when to do it, the key legal checks under UK law, and a practical checklist you can use straight away.
What Is Company Due Diligence (And Why It Matters)?
Company due diligence is the process of investigating a business before you enter a significant relationship or transaction with them. Think of it as a structured risk assessment that confirms the company’s identity, ownership, compliance status, finances, contracts and reputation.
For small businesses, it’s crucial because:
- It reduces the chance of nasty surprises (hidden debts, disputes, or compliance issues).
- It helps you price risk correctly and negotiate stronger protections in your contracts.
- It speeds up post-signing operations - you know how the other side works and what you’re walking into.
- It can be essential for regulatory reasons (for example, anti-money laundering and sanctions screening in certain sectors).
In short, due diligence protects cash flow, reputation and management time. The modest upfront effort often saves far more time and money later.
When Should Small Businesses Run Company Due Diligence?
You don’t need a 200-page report for every new relationship. Tailor the scope to the deal size and risk. Common situations where company due diligence makes sense include:
- Buying a business or assets. This usually requires a full legal, financial and operational review, backed by a Business Sale Agreement or asset purchase agreement with warranties and indemnities.
- Taking investment or issuing shares. Expect investor due diligence on you - and you should vet the investor too. A clear cap table and a robust Shareholders Agreement set expectations and reduce disputes.
- Signing a material supplier or distributor. Check financial health, capacity and compliance before relying on them for critical inputs. Back it with a well-drafted Supply Agreement.
- Onboarding enterprise customers or partners. Larger organisations will ask about your compliance; you should also assess theirs, particularly information security and data protection.
- Hiring senior executives or appointing directors. Board-level diligence (background checks, conflicts and disqualification status) protects your governance.
As a rule of thumb, if the relationship is high value, long-term, or exposes your brand, data or regulatory posture - do due diligence.
A Step-By-Step Company Due Diligence Checklist (UK)
Here’s a practical checklist you can adapt to your situation. Start with core identity checks, then expand into legal, financial and operational areas as the risk profile increases.
1) Confirm Identity, Status And Ownership
- Companies House checks. Verify the registered name, number, incorporation date, status (active/dissolved), registered office and filing history.
- Directors and PSCs. Review directors, secretaries and the People with Significant Control register. Look for unusual changes or offshore structures.
- Group structure. Identify subsidiaries, holding companies and intercompany relationships.
- Sanctions and PEP screening. Where relevant, screen ultimate beneficial owners against UK sanctions lists and consider politically exposed persons (PEP) risk.
2) Review Corporate Governance
- Constitutional documents. Request articles of association, shareholder agreements and recent board/shareholder resolutions. Cross-check decision-making authority with your counterpart’s signatory.
- Share capital and cap table. Confirm the issued shares, classes, options and any encumbrances or pre-emption rights.
- Authority to sign. Ensure the person signing your contract has clear authority (director, company secretary or authorised signatory) and keep a trail of directors’ approvals where appropriate (on your own side, a directors’ resolution can document this).
3) Legal And Regulatory Compliance
- Licences and permits. Confirm they hold any required sector licences, accreditations, or local consents.
- Data protection. If personal data will be exchanged, assess UK GDPR and Data Protection Act 2018 compliance, including their Privacy Policy, retention practices and security controls. For processors, insist on a robust Data Processing Agreement.
- AML/CTF (if applicable). For regulated activities, check anti-money laundering policies, customer due diligence processes and training.
- Bribery and modern slavery. Request anti-bribery and Modern Slavery statements/policies where relevant to their size/sector and supply chain.
- Health and safety. Ask for risk assessments, training records and incident logs if you’re relying on their operations.
4) Financial Health
- Accounts and management information. Review filed accounts, management accounts, cash flow forecasts and aged debtor/creditor reports.
- Funding and debts. Identify loans, debentures, charges (via Companies House), and contingent liabilities.
- Tax compliance. Check VAT registration, PAYE status and any HMRC correspondence or arrears.
5) Contracts And Key Relationships
- Top customers and suppliers. Review terms, renewal cycles, termination rights and dependencies. Note any “change of control” clauses that could be triggered by your deal.
- Standard terms. Evaluate their customer contracts, warranties, limitation of liability and service levels. Flag anything that could expose you if you’re partnering or reselling.
- NDAs and confidentiality. Put a mutual Non-Disclosure Agreement in place before exchanging sensitive information.
6) Intellectual Property And Technology
- Ownership. Confirm who owns code, content and brands. Ask for assignment agreements from contractors and employees.
- Trade marks and domains. Check registrations and any opposition or infringement disputes. Consider future protection with a trade mark application for your own brand.
- Security posture. For tech or data-heavy partnerships, assess security controls, incident response and audit results.
7) People And Employment
- Key staff. Understand who is critical to performance, their roles and notice periods.
- Contracts and policies. Review template Employment Contracts, staff handbooks and any bonus/commission plans.
- Disputes. Ask about grievances, tribunal claims, or ongoing investigations.
8) Litigation And Insurance
- Disputes. Request a schedule of claims, threatened disputes and settlements over the last three years.
- Insurance. Confirm coverage (public/products liability, professional indemnity, cyber, employers’ liability) and limits, plus any exclusions that affect your project.
9) ESG And Reputation
- Environmental and social risks. Ask for policies and evidence of implementation (especially for supply chains).
- Reputation checks. Media searches, adverse press and online reviews can reveal patterns you won’t see in documents.
10) Document Control And Reporting
- Data room. Keep a structured data room; request index lists and version control.
- Clarifications. Use a Q&A log to track answers and discrepancies.
- Escalations. If you find issues, decide whether to walk away, re-price the deal or insist on specific protections.
For acquisitions or bigger partnerships, a targeted scope led by legal and financial advisors is wise - a dedicated legal due diligence process can save months later.
What UK Laws Apply To Company Due Diligence?
Due diligence isn’t just “nice to have” - parts of it tie directly to legal duties in the UK. Key frameworks to keep on your radar include:
- Companies Act 2006. Sets corporate governance rules, director duties (to act with reasonable care, skill and diligence), filing obligations and shareholder rights. Your checks on authority to sign, filings and corporate approvals flow from here.
- UK GDPR and Data Protection Act 2018. If you’ll exchange or process personal data, you need a lawful basis, security measures and clear documentation, typically via a Data Processing Agreement and an up-to-date Privacy Policy.
- Money Laundering Regulations 2017 (as amended). Certain sectors must run customer due diligence (CDD) and ongoing monitoring. Even if you’re not in a regulated sector, a risk-based approach to verifying counterparties is good practice.
- Bribery Act 2010. Businesses must prevent bribery and can be liable for associated persons’ conduct. Ask for anti-bribery policies, training and reporting mechanisms.
- Modern Slavery Act 2015. Larger businesses must publish a statement on steps taken to prevent modern slavery; smaller businesses should still consider supply chain risk and ethical sourcing.
- Sanctions and Anti-Money Laundering Act 2018. Ensure you’re not transacting with sanctioned individuals/entities, especially if dealing cross-border.
- PSC regime. UK companies must maintain a register of persons with significant control. Review the PSC disclosures for ownership transparency.
Depending on your industry, you may also need to check FCA rules (financial services), MHRA (health), ICO guidance (data), or sector-specific licensing. If this feels overwhelming, don’t stress - the right structure and a focused checklist make it manageable.
What Documents Should You Ask For (And How To Use Them)?
The exact list will vary, but here’s a reliable pack for most deals:
- Corporate file: Certificate of incorporation, articles of association, cap table, PSC register, shareholder agreements and recent resolutions.
- Financials: Last three years’ accounts, management accounts, cash flow forecasts, bank statements, details of charges and loans.
- Tax: VAT registration, PAYE status, CT600 submissions and HMRC correspondence.
- Contracts: Top 10 customer/supplier agreements, standard terms, leases, licences and any change-of-control-sensitive contracts; consider a tailored Heads of Agreement early to set expectations.
- IP and tech: Trade mark registers, IP assignments from employees/contractors, software licences, security policies and audit results.
- HR: Template Employment Contract, handbook, disciplinary and grievance logs, and any settlement agreements.
- Compliance: Data protection policies, Data Processing Agreement templates, AML/CTF procedures (if applicable), anti-bribery and Modern Slavery policies.
- Litigation and insurance: Claim summaries, settlement agreements, insurance schedules and broker letters.
Use a simple scoring approach: critical, important, or informational. Critical issues should influence whether you proceed and on what terms. Important issues should alter pricing, timeline or specific contractual protections. Informational items confirm your understanding and help integration after signing.
Before you exchange any sensitive documents, put a two-way Non-Disclosure Agreement in place. It sets boundaries for confidentiality and use of information while you explore the deal.
How To Turn Your Findings Into Contract Protections
Due diligence is valuable by itself - but it’s even more powerful when you use it to shape your deal terms. Here’s how to translate findings into protections:
- Price and structure. If risks are identified (for example, customer concentration or short product warranties), reflect that in price, earn-outs, or staged milestones.
- Conditions precedent. Make completion conditional on specific actions (clearing a debt, renewing a key contract, or securing a licence).
- Warranties and indemnities. Use tailored warranties to confirm key facts and indemnities for known risks in your Business Sale Agreement or partnership contract.
- Disclosure letter. Where the seller can’t give a warranty because of an issue, it should be clearly disclosed (with evidence) so you can consciously accept or renegotiate.
- Limitations of liability. Calibrate liability caps and exclusions based on risk. Make sure they align across your supply chain to avoid gaps.
- Governance. If you’ll be co-owners, use a strong Shareholders Agreement to cover decision-making, share transfers and dispute resolution.
- Ongoing audit/assurance. For suppliers handling sensitive data or regulated activities, include audit rights and minimum security standards backed by a Data Processing Agreement.
If you’re acquiring a company or raising capital, involve legal advisors early - it’s far easier to negotiate protections before term sheets are agreed. Clear pre-signing documents and a robust completion checklist will keep the process on track.
Common Red Flags (And What To Do If You Spot Them)
Not every red flag is a deal-breaker - but each one should drive a specific response. Watch out for:
- Unclear ownership. A messy cap table or unexplained PSC entries. Ask for confirmatory documents or consider retentions/escrows until clarified.
- Late filings or frequent director changes. Could indicate governance issues. Explore the reasons and adjust warranty packages accordingly.
- Outstanding taxes or large trade creditor balances. Seek settlement or price adjustments; make completion conditional on clearance.
- Weak data protection posture. Missing policies, no training, or no breach logs. Require remediation plans, contractual security requirements and audit rights.
- Change-of-control clauses. Key contracts that can be terminated if you acquire the business. Make consent a condition precedent.
- Litigation or regulatory investigations. Obtain legal opinions, consider carve-outs and indemnities, or rethink the deal.
- Reliance on one customer or supplier. Build in transitional support, minimum terms, or reconsider valuation.
If in doubt, pause and re-scope the deal. It’s better to spend an extra week negotiating protections than months fixing problems after the fact.
Do You Always Need A Full Report?
No - make your due diligence proportionate. For example:
- Low-risk vendor: Companies House checks, sanctions screen, a quick policy review and a lean contract may be enough.
- Strategic partner handling data: Add security diligence, a deeper GDPR assessment and stronger contractual safeguards.
- Buying a business: Undertake legal, financial and operational diligence with a clear scope, a data room and dedicated advisors. That typically leads into a tailored Business Sale Agreement and a thorough completion checklist.
If you’re unsure how deep to go, a short call with a legal expert can help right-size the process for your budget and risk tolerance.
Key Takeaways
- Company due diligence is a structured way to verify who you’re dealing with, uncover risks early and negotiate better protections - essential for small businesses before major deals.
- Tailor the scope to the transaction: identity and corporate checks for low-risk vendors; full legal, financial and operational diligence for acquisitions or strategic partnerships.
- Map your checks to UK laws: Companies Act duties, UK GDPR/Data Protection Act obligations, AML/sanctions, Bribery Act and Modern Slavery considerations where relevant.
- Ask for the right documents - corporate, financial, tax, contracts, IP, HR, compliance and insurance - and protect information sharing with a Non-Disclosure Agreement from the outset.
- Turn findings into contract terms: conditions precedent, warranties/indemnities, disclosure letters, liability caps, governance arrangements and ongoing audit rights.
- Use strong core agreements to lock in protections, like a Shareholders Agreement, Supply Agreement and, for acquisitions, a robust Business Sale Agreement.
- Set yourself up for success by documenting data protection responsibilities with a Data Processing Agreement and maintaining a clear, compliant Privacy Policy.
If you’d like tailored help scoping or running company due diligence - or you need the right documents drafted - you can reach us at 08081347754 or team@sprintlaw.co.uk for a free, no-obligation chat.