Skip to main content

ADR-0065: Dissolved-entity onboarding block-by-default (audited override)

Status: Accepted Date: 2026-06-16 Supersedes: none Superseded by: none Deciders: Adrian (Soft4U), Claude Opus 4.8

Decision context:

  • Latency: one defensive status read on the requirements-review path (the onboarding gate); negligible.
  • Dependency surface: no new packages. A pure gate module + a service helper + endpoint wiring.
  • Debuggability: a blocked onboarding returns a clear 409 with the terminal status; the override emits a non-suppressible audit signal.
  • Reversibility: branch revert; additive.
  • Blast radius: the requirements-review gate gains a pre-signal check; nothing else changes.
  • Alternative considered: risk-score-only (rejected — a high score still lets a dead entity onboard).

Context

A dissolved/struck-off/in-liquidation entity was not blocked — it only inflated the risk score. AMLR Art. 19/20 require refusing onboarding where CDD cannot meaningfully be performed (a dead entity). There was no gate stopping a struck-off entity proceeding past requirements review.

Decision

Block-by-default at the requirements-review onboarding gate (approve_requirements), with an audited override:

  • Pure dissolved_entity_gate.evaluate_dissolved_block(status) — a normalised (case/space/hyphen tolerant) terminal-status check (TERMINAL_STATUSES: dissolved/struck_off/in_liquidation/liquidated/ ceased/deregistered/winding_up).
  • get_company_status reads the status defensively from additional_data (hoisted field → latest investigation_results), returning '' on unknown/error.
  • Wiring: terminal status + no override ⇒ 409, the workflow is never signalled; + override_dissolved + a non-empty override_justification ⇒ a non-suppressible dissolved_entity_override SignalEvent (status + justification), then proceed; override without justification ⇒ 400.
  • Fail-open on unknown status: only a known terminal status blocks — absence of a terminal status is not evidence of one, and the risk engine still scores it.

Consequences

Positive

  • A terminal-status entity cannot be onboarded silently; overrides are explicit and on the immutable audit trail (AMLR Art. 19/20).

Negative

  • A pre-signal status read on the onboarding path; an override path that officers must consciously use.

Neutral

  • The risk-score temporal dimension (eba_risk_matrix) stays — complementary, not replaced.

Alternatives Considered

Alternative 1: Keep risk-score-only

Rejected — a high score still lets a dead entity proceed; AMLR Art. 19/20 require a refusal gate.

Alternative 2: Block at raw case creation

Rejected — company status is typically unknown until pre-investigation runs; the requirements-review gate is the first reliable point. Fail-open on unknown status keeps creation unblocked.