By Cynthia Hetherington

This past year has brought about a great deal of change in due diligence requirements for compliance regulations. The Committee on Foreign Investment in the United States (CFIUS) saw the Foreign Investment Risk Review Modernization Act of 2018 (FIRRMA) signed into law. CFIUS and FIRRMA didn’t capture as much attention as the European Union’s GDPR, but the impact on U.S. businesses is significantly more involved for open source investigators.

Our research efforts deconstruct foreign investors to address the “growing national security concerns over foreign exploitation of certain investment structures” who are investing into U.S.-based interests. If the investors don’t qualify, they will lose their opportunity. This work brings the best of what we investigators do into clear focus, as it requires expert due diligence efforts for national security. This is not the only due diligence requirement; states also have their own requirements.

In this 4-part series, we provide information on banks and financial institutions, business entities, non-profits, and franchises, so that when you conduct due diligence for your clients, you know you’re dotting all the i’s and crossing all the t’s. This week, we explore business entity records and Blue Sky Laws.

Business Entity Records

Businesses form in many shapes and sizes. They may be organized as corporations, limited liability companies, partnerships, limited liability partnerships, etc. They can be designated for-profit or not-for-profit, and they can be a public company (selling shares of ownership to the public) or non-public.

Two important facts to know about finding information about publicly traded companies:

  1. Publicly traded companies operating in the U.S. are required by federal law to register with the SEC.
  2. If a publicly traded company does not meet certain thresholds, then it submits filings to a state regulatory securities agency instead of the SEC.

A registration statement is filed with the appropriate securities exchanges and state securities regulators. This public document discloses information on management financial condition of the entity and describes how the proceeds of the offering will be used.

Either the SEC or these state agencies monitor the registered companies for any irregularities or potential fraudulent behavior.

First, we will examine how to find information on publicly traded companies at the federal level, then how to find information at the state level on both public and privately held companies at the state level. Then we’ll follow with an analysis of key vendors who offer excellent reference data online in this subject area.

Federal Sources: The SEC and EDGAR

Publicly traded companies must inform the public the complete truth about their financial data. All non-exempt companies (see below), foreign and domestic, are required to file registration statements, periodic reports, and other forms with the U.S. Securities and Exchange Commission (SEC). Since May 6, 1996, these documents are filed electronically using EDGAR—the Electronic Data Gathering Analysis and Retrieval system. This free record searching site, comprised of 21+ million records, is an extensive repository of available U.S. corporation information.

Reports publicly traded entities must file include:

  • 10-K: An annual financial report that includes audited year-end financial statements;
  • 10-Q: A quarterly, unaudited report;
  • 8K: A report detailing significant or unscheduled corporate changes or events;
  • Securities offerings, trading registrations, and final prospectuses; and
  • DEF-14: A definitive proxy statement offering director names, their compensation, and their position.

The above list is not inclusive. There are other miscellaneous reports filed, including those dealing with security holdings by institutions and insiders. Access to all of these documents provides a wealth of information.

A helpful introduction to searching publicly traded companies on EDGAR can be found here.

Additionally, the private sector has a number of vendors and data aggregators that offer access to EDGAR records. These vendors combine enhanced search tools with other added features with the basic EDGAR search.

State Sources of Business Entity Records

In general, businesses that are not public companies are registered at the state level, usually with the office of the Secretary of State. The typical types of business entities that have records available at the state level include:

  • Corporations (including Foreign and Non-Profit);
  • Partnerships (Limited, Limited Liability, and General);
  • Limited Liability Companies;
  • Franchises; and
  • Trade Names, Fictitious Names, Assumed Names*

* Fictitious names and trade names can be registered at either the local (county or city) or state level, depending on the state’s specifications.

Every state provides a business search tool on the web to find information on state-registered business entities. Usually these look-ups are free and include all business entities types, including non-profits. You may visit BRB Publications to find all the states’ links for free searches.

While most states have one central agency that oversees business entity records and filings, there are several exceptions of note:

  • Arizona: The Corporation Commission oversees corporation and LLC records as well as foreign (out-of-state) corporations registered to do business in the state. The Secretary of State oversees all partnerships including LPs and LLPs, as well as trademarks, service marks, and trade names.
  • South Carolina: The Secretary of State Division of Business Filings oversees corporation, LP, LLP, LLC, trademark and service mark records. However, in general, entities are not required to disclose the names of directors, officers, or members to the Secretary of State’s Office. Business corporations must submit the names of directors on the Annual Report that are filed with the Department of Revenue.
  • Kansas: The state of Kansas does not register sole proprietorship, d/b/a, assumed name, trade name, or fictitious name entities.

State Regulatory Agencies and Blue Sky Laws

Every state has securities laws—often referred to as Blue Sky Laws—designed to protect investors against fraud. These laws, which vary from state to state, typically require companies making small offerings to register these offerings before they can be sold in a particular state.

Records of the filings by companies registering under Blue Sky Laws, as well as any records of legal actions, are held by designated state regulatory securities agencies. These agencies oversee the licensing and regulation of securities broker-dealers, agents, investment advisers and investment adviser representatives, and financial planners. The agencies also protect investors against securities fraud by taking enforcement actions.

These records are open to the public and can be a great source of data when searching for assets, ownership records, or doing background investigations. An excellent links list to state regulatory agencies home pages can be found at the North American Securities Administrators Association website.

Next week, we continue our examination of due diligence investigations with a discussion of how to search business entity records.

Are you an analyst or investigator looking for advanced training on enhanced due diligence compliance? If so, check out Hg’s webinar series, where you can attend live sessions and receive CEUs or watch previously recorded sessions to beef up your OSINT skills.


In today’s global marketplace, investors are faced with multi-national compliance regulations. As veteran investigators in enhanced due diligence, Hetherington Group understands the business world and the legal and regulatory frameworks in which corporations and privately held companies operate.  Learn how our team can help you mitigate risk at home and abroad.



Cynthia Hetherington, MLS, MSM, CFE, CII is the founder and president of Hetherington Group, a consulting, publishing, and training firm that leads in due diligence, corporate intelligence, and cyber investigations by keeping pace with the latest security threats and assessments. She has authored three books on how to conduct investigations, is the publisher of the newsletter, Data2know: Internet and Online Intelligence, and annually trains thousands of investigators, security professionals, attorneys, accountants, auditors, military intelligence professionals, and federal, state, and local agencies on best practices in the public and private sectors.