Security Vetting and Background Checks: What They Cover and What They Miss


A security operator's licence is not a character reference. James Whitfield explains what proper vetting covers and what clients must verify themselves.

Due Diligence 6 min read 30 Apr 2026

Written by James Whitfield — Senior Security Consultant

Most corporate clients who hire close protection services verify one thing: the operator’s licence. In the UK, that means the Security Industry Authority (SIA) close protection licence. The licence check takes 30 seconds on the SIA register. It confirms the licence is current. It does not tell you much else.

This is the vetting gap that produces significant quality variance in private security services. The floor exists. The ceiling is self-defined, and clients who believe the licence confirms operational competence are operating on an incorrect assumption.

What a regulatory licence actually confirms

The SIA close protection licence in the UK confirms that the holder has completed an approved Level 3 Award training course (typically 140 hours), passed first aid training, and holds a criminal record check that met SIA standards at the time of licensing.

What it does not confirm: whether the training was delivered to a high or low standard (approved courses vary in quality), whether any claimed operational experience is real, whether the holder has operated in the specific environments relevant to a deployment, or whether their character and professional conduct would be assessed positively by people who have worked with them.

Other jurisdictions have equivalent systems with equivalent limitations. PSIRA registration in South Africa, POLRI certification in Indonesia, PNP-SOSIA licensing in the Philippines – each confirms a threshold. None confirms the individual operator is the right choice for a specific deployment.

Employment history verification

The most commonly skipped step in operator vetting is employment history verification. Operators provide a CV listing previous employers and roles. Those details are not checked. The previous employer listed may be a friend’s business that will provide a positive reference regardless of the actual working relationship. It may be a genuine company that employed the operator in a different capacity from what is claimed.

Employment history verification requires calling the HR department or the named supervisor at each listed employer, rather than using the email address provided by the candidate. It means verifying dates of employment, the role held, and whether the individual would be eligible for rehire. For the five-year period immediately before the current role, this process takes time. It is the single step most likely to identify fabricated or embellished history.

For operators claiming military or special forces backgrounds, verification is more complex but not impossible. The regiment or unit and service number can be verified through the relevant defence authority. For UK operators, claims of service with the SAS, SRR, or 1st Battalion Parachute Regiment are sufficiently common in CV submissions – and sufficiently rarely genuine – to warrant specific verification rather than assumption.

Training certificate authenticity

Operators presenting training certificates should be able to name the awarding body, the course title, the dates attended, and the training provider. The awarding body can confirm whether the certificate is genuine. BTEC, City and Guilds, and other vocational awarding bodies maintain records that can be checked with appropriate consent.

Specialised training claims – HEFAT (Hostile Environment and First Aid Training), K&R procedures, TSCM awareness – should be checked against specific providers. A HEFAT certificate from RISC International, AKE, or similar established providers can be confirmed directly. A certificate from an organisation that cannot be independently verified should be treated with scepticism.

First aid certifications are time-limited. An operator whose first aid certificate expired two years ago does not have current first aid competence regardless of the initial training standard.

Insurance verification

Operators working through a registered security company should be covered by that company’s public liability insurance. Sole traders operating without company structure may hold personal public liability insurance, or may hold none.

Insurance verification requires a certificate issued directly by the insurer, not a document produced by the operator. The certificate should specify the activity covered. A general liability policy that does not specifically include “close protection” or “executive protection” activities may not pay out on a claim arising from those activities.

Minimum recommended coverage for close protection: public liability of at least £5 million, employers’ liability (if the company employs others), and professional indemnity. Check whether the policy covers international deployments if the operator is to travel with the principal.

Vetting the company, not just the operator

A sole trader with a personal licence has no organisational backup. If they are unwell on the day of deployment, there is no colleague to substitute. There is no supervisory layer. There is no internal quality standard beyond the individual’s own judgement.

A registered security company with a management structure, an internal vetting process, and public liability insurance represents a different quality of provision. The company’s corporate registration can be verified. Its insurance can be confirmed. Its management can be identified and contacted for reference. Its internal vetting process for operators can be assessed by asking for their standard onboarding procedure.

When asking for references, ask specifically for corporate client references – businesses that have engaged the company for close protection deployments rather than personal references or references from guard contracts. The operational context is different.

Building a vetting checklist

Before signing a security service contract, a minimum vetting checklist for the deploying company and the specific operators should cover:

  • SIA licence (or country-equivalent) confirmed current on the register
  • Criminal record check: when was it run, by whom, and to what standard
  • Employment history: five-year verification with direct employer contact
  • Training certificates: awarding body and dates confirmed authentic
  • Military/specialist background claims: specific verification where claimed
  • Certificate of insurance: obtained directly from insurer, activities and limits confirmed
  • Company registration: verified through Companies House or equivalent
  • Specific operator named for deployment: not “the best available on the day”

For guidance on choosing an executive protection company overall, see our how to choose an executive protection company article. For deployment in high-risk international markets, see our hiring security personnel overseas guide. For the insider threat dimension that vetting is designed to address – and why the departure window carries the highest risk – see our insider threat and corporate security guide. For supply chain and logistics operations where driver and warehouse staff vetting is a specific cargo crime mitigation, see our supply chain security guide. For the retail sector security context where staff vetting is a primary insider theft and organised retail crime control – including luxury retail’s specific display and transit risk – see our luxury retail sector security guide. For the healthcare sector context where staff vetting is a front-line control against pharmaceutical insider theft, controlled drug diversion, and unauthorised access to restricted clinical areas, see our private hospitals and healthcare facilities security guide.

Sources: Security Industry Authority: Licensing standards and register (UK, 2024). PSIRA: Registration verification process (South Africa, 2024). ACFE: Employment screening guidance. UK Defence Authority: Verification of service claims process.

Summary

Key takeaways

1. A licence is a floor, not a ceiling

Regulatory licences confirm a minimum standard has been met at a point in time. They do not confirm ongoing competence, specific operational experience, or the character of the individual holding them. Treat them as the first step in vetting, not the last.

2. Verify claimed backgrounds, not just current credentials

Security operators frequently cite military, police, or intelligence service backgrounds as the foundation of their credentials. These claims are commonly exaggerated. Asking for service numbers, unit citations, or named contacts at former organisations who can confirm service is reasonable due diligence.

3. The company behind the operator matters as much as the operator

A sole trader with a personal SIA licence has no employer liability insurance, no backup if they are unavailable, and no quality oversight. A registered company with public liability insurance, named supervisors, and an established vetting process represents a materially different level of due diligence.

FAQ

Frequently Asked Questions

At minimum: a criminal record check (DBS in the UK, or equivalent in-country); employment history verification for the preceding five years; training certificate authenticity check; and reference verification from at least two previous employers. For operators who claim military or intelligence backgrounds, those claims should be independently verified where possible.

It means they have passed the Security Industry Authority’s licensing check, which includes a criminal record check and basic training verification. It does not mean their employment history has been verified, their references checked, or their claimed operational experience confirmed. The SIA licence is a minimum threshold, not a comprehensive vetting outcome.

Request a Certificate of Insurance directly from the company’s insurer, not from the company. The certificate should specify the coverage type (public liability, employers’ liability, professional indemnity), the limit, and the expiry date. Confirm the coverage specifically includes close protection or executive protection activities – general liability policies do not always cover these.

Reluctance to provide references or employment history. Claims of special forces or intelligence backgrounds without verifiable documentation. Inability to provide a certificate of insurance directly from the insurer. Operators who cannot describe their training syllabus in detail. Companies that cannot provide specific named operators for the deployment rather than ‘whoever is available on the day’.