The move, affecting up to 7 million directors and people with significant control (PSCs), is supposed to clean up the companies register and stamp out fraud. Instead, it may expose sensitive data to risk thanks to glaring flaws in the technology behind it.
Companies House confirmed that from November, all new directors and PSCs must verify their identity to be appointed or incorporated. Existing ones will need to confirm verification during the next 12-month confirmation statement cycle, or within 12 months for PSCs, depending on their status. Identity checks will be carried out using the GOV.UK One Login system or an authorised corporate service provider.
Companies House boss Louise Smyth insisted, “Identity verification will play a key role in improving the quality and reliability of our data and tackling misuse of the companies register.”
But behind the PR gloss, there’s growing concern that GOV.UK One Login is not fit for purpose. Despite handling critical personal data, the platform still hasn’t met Secure by Design standards set by the government itself. Assessments show open security holes, including unresolved vulnerabilities, insecure live environment logins, and overseas administrator access.
Cybersecurity firm, Ekco's Michael Perez, said: “Mandatory identity verification aims to address important challenges, reducing fraud, strengthening trust, and managing digital complexity. However, the current implementation raises valid concerns.”
He said: “Requesting millions of individuals to submit sensitive identity documents via a platform that hasn’t fully adopted Secure by Design principles introduces significant risk. It concentrates vulnerability and could expose users to breaches at a time when public confidence in digital systems is already under pressure.”
Perez warned that without proper safeguards, the vision for a trusted digital government could be undermined. “What’s needed now is greater assurance. The public deserves systems that are thoroughly tested and secure by design,” he said.
The government claims the process will be quick and easy, with GOV.UK One Login’s ID app reportedly taking 2.4 minutes on average. For the less tech-savvy, verification can also be done at the Post Office. But while 300,000 have already signed up during the voluntary phase, many are unaware of the system’s underlying risks.
The Economic Crime and Corporate Transparency Act 2023 forms the legal backbone of the changes, and the government’s own YouGov survey claims 81 per cent of business leaders back the plan. However, that support may prove fragile once the public gets wind of the shaky tech infrastructure supporting it.
From 18 November, anyone acting as a director without verified ID will be committing an offence. Companies House promises support and a ‘proportionate’ approach to enforcement, but that won’t matter much if the system ends up leaking ID data like a sieve.
The UK government insists everything is under control. But the real test will come when millions begin handing over their documents to a system already riddled with digital potholes.
