Supplier Due Diligence in the UK: A Practical Guide

Q: Is supplier due diligence a legal requirement in the UK?

Not generally, but sector-specific obligations apply — anti-money-laundering rules for regulated sectors, the Modern Slavery Act for larger businesses, GDPR data-processor obligations, and Bribery Act defences. Beyond compliance, due diligence is the standard a court or insurer will judge you against if a supplier failure causes loss.

Q: What's the difference between due diligence and a background check?

Background checks usually refer to individuals (DBS checks, employment verification). Supplier due diligence applies to the corporate entity, its officers and its PSCs. The two overlap when a small supplier is effectively one person.

How to run supplier due diligence in the UK — what to check, which public sources to use, and how to weigh risk against contract value.

Supplier due diligence in the UK means checking, before you sign, whether a vendor is financially solvent, legally constituted, properly governed and operationally able to deliver what they've quoted. In 2026 most of the evidence is public — Companies House, the Insolvency Service, the Gazette, the courts register, sector regulators — but raw filings are not a decision. Good due diligence translates those filings into a risk picture scaled to the contract in front of you.

TL;DR

UK supplier due diligence is the structured check you do before awarding a contract, distinct from a credit score and broader than KYC.
The core areas are financial, legal, governance, reputational and operational — each answered from a different mix of public and paid sources.
Companies House is the spine: accounts, confirmation statements, officers, persons with significant control, charges and filing history.
Match effort to contract value. A £3,000 one-off doesn't need a £500 deep dive; a three-year £400k FM contract probably does.
Director history is often more predictive of failure than the company's own filings — phoenixing and serial liquidations are visible if you look.
Paid bureaux add scored credit limits and trade-payment data; they don't replace reading the accounts in context.
Output a written, dated record. If the relationship goes wrong later, "we checked" is worth nothing without evidence.

What does "supplier due diligence" actually mean in the UK?

It's the work a buyer does to test a supplier's claims and surface risk before money or commitment changes hands. In a UK B2B context, that typically covers five things: can the supplier pay its bills, is it who it says it is, is it governed competently, what is its reputation in market, and can it deliver the work to standard.

It is not the same as a credit check (which is a backwards-looking score on the legal entity) and not the same as KYC (which is identity verification driven by anti-money-laundering law). Due diligence borrows from both but is broader, more contextual, and is meant to inform a commercial decision rather than satisfy a regulator. If you want the long version of that distinction, the due diligence vs credit check guide goes through it.

What should I actually check?

The honest answer is: it depends on what you're buying, from whom, and at what stake. But there is a defensible default set most UK buyers should work through.

Financial health

Read the latest filed accounts at Companies House. For small companies that means abridged or filleted accounts, which are thinner than they look — you still get a balance sheet, and the trend across two or three years usually tells you more than any single year. The signals that should slow you down include falling net assets, a balance sheet propped up by intercompany debt, late filings, qualified auditor opinions on larger companies, and any registered charges that suggest cashflow has been refinanced. The red flags in supplier financials guide catalogues the patterns that should make you ask follow-up questions.

For micro-entities and very young companies you will often have almost no published financial data. That is not in itself a problem; it just shifts the weight of the assessment onto director history, trade references and the contract structure.

Legal status

Confirm the entity is the entity you're contracting with. UK limited companies have a unique eight-digit company number — use it, not the trading name, when you write the contract and when you pay invoices. Check the registered office, the SIC codes, any charges registered against the company, and whether the company has been issued a strike-off notice in the Gazette. A live proposal to strike off is the single fastest disqualifying signal you can find for free.

If the company has County Court Judgments registered against it, that is a strong signal it is failing to pay people on the terms it agreed. What a CCJ actually is and what it tells you is worth understanding properly — a single small CCJ from years ago is different from a pattern of recent five-figure judgments.

Governance

Look at the officers and the persons with significant control (PSC). The questions worth asking: how long have the current directors been there, who left recently, is the PSC clearly stated, and does the ownership structure match what the supplier told you in the pitch. Sudden churn at director or PSC level immediately before a contract bid is worth a direct question.

The deeper governance check is on the directors as individuals — their other directorships, prior insolvencies and any disqualifications. Director history checks explains how to read for phoenixing (the same people, same trade, new company every few years after the last one folded owing money) and why a clean company file can sit on top of a director history that should give a procurement team pause.

Reputational and operational

This is where public data thins out. Press mentions, Trustpilot and Glassdoor patterns, LinkedIn for staff turnover, the supplier's own case studies and references. For regulated sectors — security (SIA), construction (CHAS, Constructionline), care, food, financial services — check the relevant register directly rather than trusting a logo on the supplier's website.

Operational checks are where you ask for the things that can't be inferred from filings: insurance certificates with current dates, accreditations, sample work, named referees you can actually phone. A supplier who can't produce a current employer's liability certificate within 24 hours is telling you something.

Which public sources cover which checks?

Most UK supplier due diligence rests on a small, well-known set of free public sources, plus paid bureaux for the things public data doesn't reach.

The free ones worth knowing in detail are covered in Companies House checks explained. In short: Companies House for filings, officers and PSC; the Insolvency Service register and The Gazette for strike-offs, liquidations and administrations; the Registry Trust for CCJs; HMRC's VAT number checker for VAT registration; the ICO register if the supplier handles personal data; and the relevant sector regulator for licensed trades.

What public sources do not give you: live trade-payment behaviour (whether the supplier currently pays its own suppliers on time), a scored credit limit, granular sentiment, or anything resembling a forward-looking opinion. That is where paid credit bureaux earn their fee, and where analyst-reviewed reports like Vendrpulse's add the contextual layer that a raw score doesn't.

When is a paid bureau worth it?

If the contract is small, the supplier is well-established and the public file is clean, the public sources alone are usually enough. Where a bureau pays for itself is where you want a scored credit limit (because someone internally needs a number to point at), where you need trade-payment behaviour data, or where the supplier is too small or too new for the public filings to tell you much.

A bureau score is not a decision. Two suppliers with identical credit scores can have wildly different risk profiles once you read the directors, the charges and the sector context. Use the score as one input, not as the answer.

How should I size the effort to the contract?

The single most common mistake in UK procurement is running the same depth of due diligence on every supplier regardless of exposure. The opposite mistake — only checking the big contracts — leaves you exposed on the long tail of small suppliers who, in aggregate, often represent more spend than the headline deals.

A workable default for a mid-market UK buyer:

Under £5,000 or one-off: a quick public-record check. Confirm the entity exists, isn't being struck off, has filed accounts in the last 18 months, and that the trading name matches the registered company. Ten minutes of work.
£5,000 to £50,000, or recurring under that value: full public-record pass — accounts, directors, PSC, charges, CCJs, sector register if relevant. Document it.
£50,000 to £250,000, or multi-year: the above plus a scored bureau report or analyst review, references taken and checked, insurance and accreditation evidence on file.
Over £250,000 or business-critical: full analyst-reviewed report, on-site or video visit, named referee calls, and explicit sign-off from whoever owns the budget. Consider re-running the check annually.

Your numbers will differ. The point is to write the policy down and apply it consistently, so that the question "did we do due diligence here" has a defensible answer regardless of who ran it.

What does a good due diligence record look like?

A dated PDF or report, in a shared place, naming the specific company number checked, the date of the latest filing reviewed, the sources used, the risks identified and the decision taken. That last part is the one most teams skip — a list of facts isn't due diligence, a list of facts plus a written judgement is.

If the relationship later goes wrong, the question from finance, audit or insurance will be "what did you know and when". A dated report answers that. A folder of screenshots does not.

Vendrpulse's how-we-check page sets out exactly which sources go into each report and how the scoring is weighted, so the methodology is auditable rather than implicit.

Where do sector-specific concerns change the picture?

Some verticals have failure modes that don't show up in a generic check. A few examples worth flagging:

Facilities management and cleaning suppliers often run on thin margins, high staff turnover and TUPE exposure on contract changeover — the operational risk is usually larger than the financial one.
Construction and fit-out contractors carry retention, payment-chain and CIS-status risks that mean a clean balance sheet today can become a stalled site in six months.
IT services and MSP suppliers need a deeper look at sub-processor exposure, ICO registration and security accreditations than the headline filings will tell you.
Recruitment and staffing agencies sit on payroll funding lines that can collapse quickly; director history is often more predictive here than current accounts.
Security services suppliers must hold an SIA approved-contractor licence; the SIA register is the single most important check and is free.

The supplier onboarding checklist covers the full operational sequence — the contract artefacts, the data-sharing paperwork, the payment setup — that sits alongside the diligence work itself.

What does this look like in practice?

A typical mid-market UK procurement team running this well does three things consistently. They keep a written policy that maps contract value to diligence depth. They run the actual checks against the company number rather than the trading name, so they don't get fooled by a similarly-named entity. And they keep the resulting reports somewhere finance and legal can find them later — not in the buyer's inbox.

The tools to do this in-house are mostly free. The cost is analyst time, and the bottleneck is usually consistency rather than capability. That is the gap commissioned reports fill: the same methodology applied the same way to every supplier, with a dated artefact at the end.

FAQ

Is supplier due diligence a legal requirement in the UK?

Not generally, no. There is no single statute that says "you must run due diligence on your suppliers". But sector-specific obligations bite hard in places: anti-money-laundering rules for regulated sectors, the Modern Slavery Act for larger businesses, GDPR data-processor obligations, and Bribery Act due-diligence defences. Beyond compliance, due diligence is the standard a court or insurer will judge you against if a supplier failure causes loss.

How long does a proper supplier due diligence check take?

A skilled person can run a sound public-record check on a single UK company in under an hour if the file is clean, and in two to three hours if there are complications worth following up. Adding bureau data, references and a written risk note pushes that to half a day. Deep diligence on a critical supplier — sites, calls, accreditations — runs over several days.

What's the difference between due diligence and a background check?

Background checks usually refer to individuals — DBS checks, employment verification. Supplier due diligence applies to the corporate entity, its officers and its PSCs. The two overlap when a small supplier is effectively one person, in which case director-level checks do double duty.

Can I rely on the supplier's own self-certification?

For low-value, low-risk suppliers, yes, with sample audits. For anything material, no. Self-certification is a useful screening tool — it tells you whether the supplier can answer the questions and whether their answers match independent records — but it is not evidence in itself. Verify against Companies House, the sector register and the insurer.

How often should we re-run due diligence on existing suppliers?

Annually for material suppliers, on contract renewal for the rest, and ad-hoc whenever something changes — a director leaves, ownership shifts, a Gazette notice appears, or the supplier asks to renegotiate payment terms. Most failures are visible in filings weeks or months before they become a crisis; the only way to catch that is to look again.

What does a Vendrpulse report cover that a Companies House search doesn't?

The reading. Companies House gives you filings; a Vendrpulse report scores them in the context of the sector and the contract value, weighs the director history against the company file, factors in CCJs, charges, insolvency flags and reputational signals, and ends with a written analyst judgement rather than a pile of PDFs. You can see a sample report for the specific format.