Right to Work Document Fraud Detection — UK Compliance
A statutory defence depends on the documents you held — and a tampered PDF in your file is the documents you held. UK employers face civil penalties of up to £60,000 per illegal worker. The statutory excuse depends on having performed a compliant RTW check and retained the supporting documents. When those supporting PDFs were tampered with before they reached your file, your defence collapses on Home Office audit. Read the file before it gets filed.
htpbe? analyzes the structural layer of the PDF file — the layer that records every edit, even invisible ones. We don’t inspect holograms, phone photos, or ID biometrics. The official online RTW check (gov.uk share code) and IDVT vendor checks remain the primary identity step. htpbe? catches tampering on the supporting PDF evidence you keep on file.
When htpbe? returns INCONCLUSIVE on a Right-to-Work supporting document, that’s itself a fraud signal in this context — real gov.uk-issued letters and IDVT results always come from institutional systems, never from a desktop tool.
One REST call, one deterministic verdict
Upload the PDF. The API returns INTACT, MODIFIED, or INCONCLUSIVE with named markers — in about three seconds.
How fake and tampered RTW supporting PDFs actually look
Three real fraud mechanics we catch at the structural PDF layer.
Share-code letter fabricated or edited
A worker generates a real share code on gov.uk for one immigration status, then opens the resulting confirmation letter in Word and edits the conditions or expiry — or fabricates an entire letter from scratch using the gov.uk template. Producer field shifts from gov.uk to Microsoft Word; structural metadata diverges.
BRP/passport scan with edited expiry or conditions
A scanned BRP or passport ID page PDF is opened in Adobe Acrobat and the visa expiry date or conditions are edited. The image layer is preserved; the underlying text layer or annotation layer changes. Structural analysis surfaces the divergence.
Supporting employment evidence backdated
For sponsor-licence audits, supporting payslips, contracts, or training records are backdated to align with the period the worker was supposedly compliant. Modification timestamps reveal the post-creation edits.
The scale
Why your existing checks miss this
The IDVT covers the live identity check. It does not cover the file you keep.
Statutory defence requires both: a compliant check AND the retained evidence.
IDVT vendors (TrustID, Yoti, Onfido) handle the live identity verification step — and the statutory defence requires this for non-British/Irish citizens. But the RTW evidence file you retain for Home Office audit is what the auditor opens, not the IDVT live session. If a supporting PDF in that file was tampered between issuance and your retention, the defence falls. htpbe? inspects every supporting PDF at the moment it lands in your file — standalone, no Home Office API, no IDVT platform required.
Five forensic layers, one deterministic verdict
Every PDF we receive passes through the same structural pipeline — no model training, no thresholds to tune.
Metadata analysis
Creation and modification timestamps, producer and creator fields, XMP metadata — the first layer exposes basic tampering.
File structure
Xref tables, trailer chain, incremental updates. Any edit after export leaves a structural fingerprint here.
Digital signatures
Signature chain integrity and post-signature modifications produce deterministic markers. Certainty-level signal.
Content integrity
Fonts, objects, embedded content, page assembly. Multi-session edits and inserted objects are visible at this layer.
Verdict with markers
Deterministic output: INTACT / MODIFIED / INCONCLUSIVE, with named markers for every finding — suitable for audit trail.
Right-to-Work supporting PDFs we check
Every type listed below is analyzed at the structural file layer — not the rendered image.
Detection capabilities
Deterministic structural signals. No probabilistic scores, no model training.
Producer signature on the supporting PDF
gov.uk-issued letters carry a recognisable producer signature. IDVT vendor outputs (TrustID, Yoti, Onfido) also carry recognisable signatures. When the producer is Microsoft Word, Excel, LibreOffice, or a generic PDF library, the document was authored on a desktop — not exported from gov.uk or an IDVT platform.
Incremental update trail
Edits to share-code letters or scanned BRP/passport PDFs leave incremental updates in the xref chain. Authentic single-session exports have one xref; tampered files have two or more.
Annotation and form-field tampering
Form-field edits and annotation layer changes are tracked separately in PDF structure. Edited expiry dates or conditions on overlay annotations show structural traces.
Modification timestamp gap
A real share-code letter generated yesterday has CreationDate ≈ ModDate. A months-later modification on a "freshly issued" letter is a high-confidence flag for post-export editing.
Image stream artefacts
Scanned BRP or passport PDFs with edited regions show image-stream metadata mismatches — the edited region carries different JPEG/PNG compression than the surrounding scan.
Font subset divergence across pages
Multi-session edits or multi-source assembly leave font subset prefix shifts across pages of the same supporting document.
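A simplified illustration of three of the signals above (revision count, producer, CreationDate/ModDate gap), added here as an example; it is not htpbe?'s pipeline. The function names, the one-hour threshold and the "Example Issuer Export" producer are assumptions, and the regexes only see uncompressed, literal-string Info entries.

```python
import re
from datetime import datetime, timedelta, timezone

# Desktop authoring tools this page names as unexpected on issued letters.
DESKTOP_PRODUCERS = ("microsoft word", "excel", "libreoffice")

def last_field(data: bytes, key: bytes):
    """Value of the last literal-string /key entry, i.e. the newest revision's."""
    hits = re.findall(rb"/" + key + rb"\s*\(((?:\\.|[^\\)])*)\)", data)
    return hits[-1].decode("latin-1") if hits else None

def pdf_date(text):
    """Convert a PDF date (D:YYYYMMDDHHmmSS with optional offset) to UTC."""
    m = re.match(r"D:(\d{14})(?:([+-])(\d{2})'?(\d{2})?)?", text or "")
    if not m:
        return None
    local = datetime.strptime(m.group(1), "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if not m.group(2):
        return local
    offset = timedelta(hours=int(m.group(3)), minutes=int(m.group(4) or 0))
    return local - offset if m.group(2) == "+" else local + offset

def structural_flags(data: bytes, max_gap=timedelta(hours=1)):
    """Return human-readable flags for the three signals described above."""
    flags = []
    # Each saved revision ends with its own startxref ... %%EOF pair.
    # Caveat: linearized ("fast web view") files also carry two pairs.
    revisions = len(re.findall(rb"startxref\s+\d+\s+%%EOF", data))
    if revisions > 1:
        flags.append(f"{revisions} xref sections (incremental update)")
    producer = last_field(data, b"Producer")
    if producer and any(p in producer.lower() for p in DESKTOP_PRODUCERS):
        flags.append(f"desktop producer: {producer}")
    created = pdf_date(last_field(data, b"CreationDate"))
    modified = pdf_date(last_field(data, b"ModDate"))
    if created and modified and modified - created > max_gap:
        flags.append(f"ModDate is {modified - created} after CreationDate")
    return flags

# Constructed skeletons (not complete PDFs); producer name and offsets are made up.
INFO = b"1 0 obj\n<< /Producer (%s) /CreationDate (D:20240205000000Z) /ModDate (%s) >>\nendobj\n"
TAIL = b"xref\n0 2\ntrailer\n<< /Info 1 0 R >>\nstartxref\n%d\n%%%%EOF\n"
ORIGINAL = b"%PDF-1.7\n" + INFO % (b"Example Issuer Export", b"D:20240205000000Z") + TAIL % 9
EDITED = ORIGINAL + INFO % (b"Microsoft Word", b"D:20240208000000Z") + TAIL % 200

if __name__ == "__main__":
    print(structural_flags(ORIGINAL))
    print(structural_flags(EDITED))
```

The constructed EDITED sample uses the same creation and modification dates as the API response shown on this page (three days apart), appended as a second revision the way an incremental save would be.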
Two HTTP calls to verify any RTW supporting PDF
Buyers can skip this section — developers, the integration is two HTTP calls.
Step 1 — submit the PDF
curl -X POST https://api.htpbe.tech/v1/analyze \
  -H "Authorization: Bearer $HTPBE_API_KEY" \
  -H "Content-Type: application/json" \
  -d '{"url": "https://your-storage/share-code-letter-A12B34C56.pdf"}'
Step 2 — read the verdict
{
  "id": "r1t2w3a4-5b6c-7d8e-9f0g-h1i2j3k4l5m6",
  "status": "modified",
  "modification_confidence": "high",
  "modification_markers": [
    "Microsoft Word producer detected on a gov.uk-format letter",
    "Two cross-reference tables — incremental update",
    "Annotation layer change detected"
  ],
  "producer": "Microsoft Word",
  "creator": "Microsoft Word",
  "creation_date": 1707091200,
  "modification_date": 1707350400,
  "has_digital_signature": false,
  "xref_count": 2,
  "has_incremental_updates": true
}
A genuine share-code confirmation comes from gov.uk — not Microsoft Word. Combined with two xref tables and an annotation-layer change, the verdict is modified at high confidence. The letter was authored or edited on a desktop after the gov.uk-issued original.
Customer Stories
Teams that stopped document fraud
Compliance, finance, and risk teams use htpbe? to catch manipulated PDFs before they become costly mistakes.
Caught an invoice where the total had been changed by less than a thousand dollars. Without this I would have approved it without a second look.
Sarah M.
AP Manager
United States
We had three applicants in the same week with bank statements that looked completely fine. Two of them were flagged as modified. You simply cannot see this by reading the document — it is in the file structure.
Lars V.
Risk Analyst, Online Lending
Netherlands
Salary slips were coming with altered figures. We identified two problematic files before the placement was finalised.
Priya K.
HR Operations Lead
India
Since we started checking documents this way, we stopped two applications early in the process that would have been very difficult to reverse later.
Julien R.
Fraud Analyst, Fintech
France
Some applicants were sending PDFs that looked authentic but had been edited in ways not visible to the eye. We now ask for verified originals when something is flagged. Already saved us from a few bad decisions.
Marta S.
Compliance Coordinator
Spain
One invoice was caught because there was a mismatch between the document dates and structure. That particular case would have cost us significantly.
Tariq A.
Finance Manager
United Arab Emirates
Frequently asked questions
modified or inconclusive with producer-mismatch and missing-metadata flags.
inconclusive — institutional metadata is gone because the scanner authored a fresh PDF. Edited regions in scans (expiry dates, conditions) often leave image-stream metadata mismatches that htpbe? flags. Combine with IDVT or manual checks for raster image content.
Related solutions and guides
HR & Hiring
Pre-employment and onboarding document fraud detection for UK HR teams.
Sponsor Licence Document Fraud Detection
Sister page — same forensics for sponsor-licence supporting evidence.
KYC & Onboarding
Structural PDF forensics for proof-of-address, bank letters, and corporate documents.
Secure your workflow
Create your account — API key on signup, free test environment on every plan.
From $15/mo. No sales call. Cancel any time.