Security and fraud experts have raised concerns over an identity verification scheme for company directors in the UK, designed to reduce money laundering and financial crime.
Companies House is the government agency responsible for incorporating, maintaining, and dissolving limited companies in the UK. It announced on Tuesday that from November 18, all directors and “people with significant control” (PSCs) of companies will by law need to verify their identities.
The government claimed that this will help to attract investment by improving transparency and giving confidence to consumers and investors, as well as provide greater protection against fraud.
“Identity verification will play a key role in improving the quality and reliability of our data and tackling misuse of the companies register,” said Companies House CEO, Louise Smyth.
However, Michael Perez, director at managed service provider Ekco, warned that the One Login ID verification service used by the government is itself a security risk.
He claimed it has failed to meet all government Cyber Assessment Framework outcomes and has historically been plagued by issues including software vulnerabilities and insecure logins.
“Requesting millions of individuals to submit sensitive identity documents via a platform that hasn’t fully adopted secure-by-design principles introduces significant risk,” Perez argued.
“It concentrates vulnerability and could expose users to breaches at a time when public confidence in digital systems is already under pressure.”
Separately, Jonathan Frost, director of global advisory EMEA at BioCatch, warned that the 12-month rollout of the scheme leaves “a clear window for criminals to abuse.”
Under the rules announced this week, existing directors must confirm identity verification when filing their next annual confirmation statement, while existing PSCs will have 12 months from November 18.
“Companies House must act swiftly to introduce robust controls to close this window of vulnerability and prevent serving as a gateway for fraudulent filings that undermine the integrity of bank due diligence and facilitate economic crime,” Frost argued.
“Like banks, the agency should focus on behavioral insights, monitoring device use, behavioral patterns and anomalies across the lifecycle of a company, to detect suspicious activity without adding friction for genuine users.”
A Foundation to Fight Fraud
However, experts are agreed that something needs to be done about corporate fraud.
“Banks invest vast sums into double-checking Companies House data, distracting from their efforts to tackle economic crime,” said Frost.
“The National Economic Crime Centre has also highlighted this issue in its recent Public Private Threat Update, which warned that the abuse of companies creates a significant money laundering risk.”
Silvija Krupena, director of the Financial Intelligence Unit at RedCompass Labs, agreed, describing the government’s plan as “an overdue but essential measure.”
She added: “But regulation on paper isn’t enough. Real impact depends on how effectively this is implemented and how proactively the private sector responds. Financial institutions and technology companies must lean in, analyzing behavioral red flags, patterns and anomalies that traditional checks miss.”