Skip to content
AML ComplianceTechnologyRegulationsAccountantsLawyers

The six mandatory steps for ACSPs to master Companies House ID verification

Published

Person in athletic wear and sneakers running up concrete stairs, with a blue circular graphic in the background.

The new Companies House rules are coming, and for law firms acting as Authorised Corporate Service Providers (ACSPs), the game has changed. This isn't just "another AML check." The Companies House identity verification standard is prescriptive, black and white, with zero room for a risk-based approach. Every single step is mandatory, and failure to comply puts your client (and your ACSP status) at risk.

We know compliance can be confusing, so we’ve broken down the six mandatory steps directly from the official guidance. Think of this as your essential, no-nonsense guide to achieving Companies House compliance every single time.

Step 1: Ask for information about the person

What the Companies House guidance says: Obtain the person’s full name (including any former names), date of birth, home address, address history for the last 12 months, and email address.

Clarity is compliance. To avoid delays, first, pilot the process internally with your own directors or PSCs to iron out any friction points. Your client communication should clearly explain the 'why' - that this mandatory process is about protecting the public (and therefore, your clients) and cleaning up the register of fraudulent or fictitious directors.

You should look to include a clear, itemised list of the required personal data (including the 12-month address history) and a strong warning that failure to provide this will lead to penalties such as rejected filings and incorporations or loss of directory eligibility.

Step 2: Get evidence to verify the person’s identity

What the Companies House guidance says: Obtain the necessary documents. This will be Option 1 (one biometric document with cryptographic features) or Option 2 (two non-biometric documents, or one photographic and one non-photographic).

We recommend Option 1, which is obtaining a biometric document with cryptographic features, an example of this is a passport that contains a chip which holds secure, unique data. If your client does not have one, then they will need to fall back on Option 2, which will force a manual check which relies on a person who must be trained in detecting false documents to spot visual signs of tampering, which is riskier given the increasing sophistication of forged documents.

What happens if my client’s passport has expired? If a client's passport has a chip but is expired, you can still use it if it's up to 6 months expired, according to the guidance. If your firm decides to accept an expired document and you are using a technology provider to verify the document, you should check that they can do this for expired documents.

Step 3: Check the evidence is real

What the Companies House guidance says: Visually check for signs of tampering, damage, or forgery. If you're doing a manual review, the individual checking must be specifically trained to detect false documents.

This is where technology beats the naked eye. Manual checks introduce the risk of human error and fraud vulnerability, as document tampering can be sophisticated. Be honest, do you think you’d be able to spot a highly sophisticated false document from a real one and 100% trust your judgement?

Technology eliminates this by allowing you to digitally read the secure, encrypted data on the NFC chip, a feature humans cannot access easily. This is how you prove the document is genuinely issued and was not cloned or forged.

Step 4: Check it is a real identity and it belongs to the person claiming it

What the Companies House guidance says: Verify that the documents confirm the person’s name and date of birth. Crucially, confirm that the person physically matches the photo on the document.

As stated in the guidance, to lower the risk of accepting a synthetic identity, you must check their address history for the last 12 months. If this is difficult, you should ask for secondary documentation that proves they are a real person engaging in real-world activity. Examples include: a bank or credit card statement showing recent transactions, utility or council tax bills sent to the home address, or evidence of their passport usage over time.

As for being able to confirm the person physically matches the photo on the document, if using a technology provider, ensuring they have liveness detection is the way to combat deepfakes and advanced spoofing attacks. Liveness detection is a process that confirms the user is a real, live human being and not a photo, a pre-recorded video, a 3D mask, or a synthetically generated image (deepfake).

Step 5: Keep records of the identity checks

What the Companies House guidance says: Maintain records of all evidence and information used, including copies of documents, evidence of checks completed, and records of any failed verification attempts.

The 7-Year Rule is non-negotiable. This period is longer than the 5 years required by AML rules (MLR 2017, Regulation 40), and therefore takes precedence for ACSP-related verification records. If you cannot store records for this long, you are non-compliant and risk sanctions from Companies House.

To ensure compliance, ask your IDVT provider:

Does your platform store the full audit trail, including copies of documents and failure records, for a minimum of seven years, even after a client has been archived?

Can Thirdfort store identity verification records for the required seven years? Yes, we will store this on our platform for you. You can also download a complete record of the identity checks at any point to save into your own case management system or on-file storage

Step 6: Decide if you can verify the person’s identity

What the Companies House guidance says: Conclude that you are satisfied the person is who they claim to be and that you have met the required standard.

'Successful' verification means you have successfully completed all six mandatory steps using the approved evidence. You must then use the Companies House online service to submit the verified details. To do this, you need your firm’s ACSP registration number. Once you submit, Companies House issues the client their unique personal code.

If you feel you are not “satisfied the person is who they claim to be”, this might be because:

  • Your client is unable to provide the required evidence, such as the 12-month address history or sufficient supporting documentation to confirm the ID's authenticity.

  • There are discrepancies between the documents and your client's claimed identity (e.g., photo mismatch, data inconsistency, evidence of document tampering).

  • You, as an ACSP, have a reasonable suspicion of money laundering, terrorist financing, or fraud (such as a synthetic identity).

In this situation, you should:

  • Not submit verification: As an ACSP, you should not submit a verification statement to Companies House if you are not satisfied that the identity is real and belongs to the person claiming it.

  • Cease transaction: If satisfaction cannot be achieved, you must consider whether to continue the underlying business relationship or transaction.

  • File an SAR (if applicable): If you have knowledge or suspicion of money laundering, you should follow your firm's AML policies, which include the potential requirement to file a Suspicious Activity Report (SAR) to the National Crime Agency (NCA).

Conclusion: Making verification work for you

The new Companies House standard for ID verification is prescriptive, and for ACSPS, especially, it’s a non-negotiable. You can't afford shortcuts or risk-based workarounds here.

The key takeaway is simple: put technology to work for you. The right identity verification platform doesn't just manage this complex compliance burden; it transforms it into a secure, simple process. From reading cryptographic chips to liveness detection and automated record-keeping, investing in robust, modern IDVT tools will give you and your team the confidence of always meeting the new standard.

Quick Answers on the 6 Mandatory Steps

The most secure method is Option 1, which involves obtaining a biometric document with cryptographic features. We recommend this because technology can digitally read the secure, encrypted data on the NFC chip, eliminating the fraud risk associated with manual checks.

ACSPs must maintain verification records for a mandatory seven years. This period takes precedence over the standard five years required by the AML rules (MLR 2017, Regulation 40) for ACSP-related verification.

Liveness detection is a process that confirms the user is a real, live human being. This is necessary for compliance to combat deepfakes and advanced spoofing attacks, ensuring the person physically matches the photo on the document.

Yes, you can use an expired, chipped passport for verification if it is up to 6 months expired, as per the official guidance. If you use a technology provider, you should confirm their ability to verify expired documents.

If you are not satisfied that the identity is real, you must not submit a verification statement to Companies House. We advise you to also consider ceasing the underlying business transaction. If you have knowledge or suspicion of money laundering or fraud, you should follow your firm's AML policies, which include the potential requirement to file a Suspicious Activity Report (SAR).

Subscribe to our newsletter

Subscribe to our monthly newsletter for recaps and recordings of our webinars, invitations for upcoming events and curated industry news. We’ll also send our guide to Digital ID Verification as a welcome gift.

Our Privacy Policy sets out how the personal data collected from you will be processed by us.

Related articles