In Part 1, we mapped four ways ESG governance data fails the proof test:
- Questionnaires that nobody cross-checks against registers
- Aggregated databases that hide their sources and rate of refresh
- Social-pillar tools that treat governance as a checkbox
- Companies that use generic risk frameworks, where regulators expect specific verifications of specific companies
So what would it look like if the “G” pillar were based on actual register data?
Governance questions are register questions.
Who are the shareholders? Who is the ultimate beneficial owner? What’s the legal form? When was the entity incorporated? Who are the directors?
For each of those questions, there is an official source that provides the answer. Most ESG and GRC stacks just… don’t go and retrieve it. They use an intermediary, or a questionnaire, or a database that went to the source at some point in the past. When? Not sure.
Three countries, three different puzzles.
France. INPI’s RNE holds the legal name and registered address. INSEE’s SIRENE holds the employee count (effectif salarié) and activity code (APE/NAF). The greffe du tribunal de commerce holds the Kbis, the authoritative certificate of a company’s legal existence and current officers. Beneficial ownership declarations sit in the registre des bénéficiaires effectifs at the RNE. Four separate registers, four separate agencies. You need to query all four for a complete picture. ESG platforms sometimes query zero.
Germany. Core company data (legal form, address, authorized representatives) is recorded in the Handelsregister. Shareholder data is a separate story: it’s in the Gesellschafterliste, a document filed with the Amtsgericht. The Transparenzregister records UBO declarations. Retrieving the shareholders of a GmbH involves parsing a specific court filing in German and cross-referencing it with the Handelsregister entry. Saying “Source: German registers” for company data would be far too generic.
UK. Companies House provides structured data on directors and persons with significant control (PSCs) via an API. Shareholder data is different; it lives in filed confirmation statements (CS01) with specific reference numbers and dates. The legal name is an API call. The shareholder list is a document. Those are two completely different data sources, often combined into a single label.
What traceability actually means
“Sourced from commercial databases” tells you nothing. “Data verified against public records”… Alright? So… From what register? From which document? When?
Traceability means every data point traces back to a named register, a specific document, and a retrieval date. “Shareholders retrieved from Companies House confirmation statement CS01, filed 2025-03-15, reference 0000000.” That’s the bar.
At Topograph, this is how every API response works. Legal name, directors, shareholders, UBO: each field includes its source register, source document (where applicable), and retrieval timestamp. When UBO data comes from an official register (i.e., a declared UBO), it’s tagged as such. When it’s derived from the shareholder chain, that’s tagged separately, with the underlying data sourced from the relevant registers. You always know what you’re looking at and where it came from.
We built this for KYB compliance, where the traceability requirement comes from AML regulation, but it turns out that the same data layer (ownership chains, beneficial ownership, entity status, source-level traceability) is what G-pillar assessments need. We spent 18 months connecting to company registers across Europe and ended up with ESG infrastructure.
The gap nobody fills
The global GRC platform market is projected to grow by USD 44.2 billion between 2025 and 2029 (Technavio, CAGR 14.2%). ESG modules keep getting bolted onto GRC platforms. The platforms can grow, but the data underneath stays stale.
Topograph’s coverage currently spans 100 jurisdictions across Europe, Asia-Pacific, offshore financial centers, and the US, with rich, per-country documentation. You can instantly empower your GSC analysts with our web app, with zero integration needed. Or you can enrich your workflows by integrating our API.
If your supply chains reach into jurisdictions we don’t cover today, let us know, and our tech team will add them swiftly (provided there is an actual register to connect to!).
In Part 3 of this series, we’ll map the three regulatory frameworks that all point at this same missing layer. The enforcement clock is already running.
FAQ
Can I use Topograph to carry out ESG verifications?
The G pillar of ESG, Governance, is essentially about who owns a company, who controls it, and where its legal structure sits. This information lies in official company registers around the world, and Topograph builds direct, real-time connections to those registers to serve our AML clients. You can use Topograph to quickly and easily retrieve trustworthy G-pillar information.
What is source-level traceability for company data?
Every data point can be traced to a specific official source: which register (Companies House, the Handelsregister, INPI’s RNE), which document or API endpoint, and when it was retrieved. This is different from provider-level attribution such as “sourced from Orbis” or “sourced from Companies House,” which doesn’t tell.
Where does beneficial ownership data come from in Europe?
Official UBO registers are maintained by each EU member state, as required by AMLD4 and AMLD5. France files UBO declarations with INPI’s registre des bénéficiaires effectifs. Germany uses the Transparenzregister. The UK has persons with significant control (PSC) data at Companies House. Access conditions vary: some registers are publicly accessible, others need a legitimate interest application.
What registers do you need to verify a French company?
Four: INPI’s RNE (legal name, registered address, beneficial ownership), INSEE’s SIRENE (employee count, activity code / APE-NAF), the greffe du tribunal de commerce (the Kbis extract, the authoritative certificate of legal existence and current officers), and the registre des bénéficiaires effectifs at the RNE (UBO declarations). Each is maintained by a different agency.