They are collected only on the initial application and not the renewal, and they are based on threat, or, if a file is flagged, then they can follow up and do the reference checks.
Obviously if we could do all the reference checks of every single licence, that might give a better picture, but we would never have the resources to do that type of in-depth check on all such licences.