Do your biometric ID checks meet the new Companies House requirements for accountants?

If you form companies or file with Companies House, you’re about to take on new responsibilities. Under the Economic Crime and Corporate Transparency Act 2023 (ECCTA), anyone who sets up, runs or controls a company will need to verify their identity.

Accountants who carry out this work will need to become Authorised Corporate Service Providers (ACSPs) and there’s a big shift in how you verify identity. Companies House now expects these checks to meet a prescribed standard, which includes biometric verification.

If you already perform AML checks under the Money Laundering Regulations 2017 (MLRs), this might sound familiar. But the Companies House rules are stricter, and following your normal AML routine may not be enough.

Before we go any further, we want to let you know that yes, AMLCC’s platform has already been updated to reflect the Companies House Identity Verification Standard. That means you can continue your AML work and ACSP checks inside our system, without needing a new provider or separate workflow.

What Companies House expects

To act as an ACSP, your firm must be:

• AML-supervised, by a recognised body such as ICAEW, ACCA, AIA or IFA; and
• registered with Companies House as an authorised provider.

You’ll then be responsible for verifying your clients’ identities to the Companies House Identity Verification Standard. This standard sets out exactly how verification must be done and what evidence you must keep.

The two ways to verify identity

Companies House gives ACSPs two routes to complete identity checks. The one you choose determines the level of technology and documentation required.

Option 1: Digital or biometric verification

This is the faster route, using an Identity Verification Technology (IDVT) system. You can rely on a single photographic ID, such as a passport, driving licence or biometric residence permit, if:

• the technology confirms the document is genuine (by validating the chip or cryptographic data); and
• it confirms the person is real (using facial matching or liveness detection).

This is what Companies House means by a biometric check.

Option 2: Manual verification

If you don’t have access to IDVT, you can use manual checks. This means collecting and reviewing two types of documents: one from Group A (e.g. passport or driving licence) and one from Group B (e.g. utility bill or bank statement).

Anyone carrying out these checks must be trained to detect forged or altered documents, and you must record the process in full. AMLCC includes this training.

In short:

• Option 1 = tech-driven biometric verification
• Option 2 = manual verification by trained staff

Both are valid, but only Option 1 meets the definition of a biometric check.

How it differs from your AML checks

Your AML obligations under the MLRs are risk-based, which means you decide how much verification is proportionate for each client.

Companies House, by contrast, uses a prescriptive model. Every step must be followed exactly, regardless of perceived risk.

To comply, your process must:

1. verify the authenticity of the ID (via chip or cryptographic validation);
2. link the person to the document (through liveness or facial matching); and
3. keep full records for seven years.

Under the MLRs, Regulation 40 requires you to retain AML records for five years after the business relationship ends. The Companies House standard extends that to seven, so you’ll need to update your record-keeping policy accordingly.

How to check if your biometric system complies

In short, a compliant biometric system authenticates the document, confirms the person’s identity, keeps a full audit trail and provides evidence on request. Before relying on your current AML software, interrogate how it actually works. Many platforms claim to perform “biometric checks”, but under the Companies House Identity Verification Standard, not all will qualify.

1. It validates the document’s chip or cryptographic data
A compliant system must read and verify the machine-readable zone or digital chip on a passport, driving licence or biometric residence permit. This proves that the document is genuine and unaltered.

If your platform only scans or photographs the image, it may detect tampering but it doesn’t verify the embedded security features. Chip or cryptographic validation is a required step for Option 1.

2. It confirms the person is real and matches the document
Liveness testing is non-negotiable. The system must prove that the individual is physically present — usually via a live video, movement prompt or facial recognition. Without this, you’re not verifying the person, only their paperwork.

3. It aligns with the UK Digital Identity and Attributes Trust Framework
Systems that follow this government framework meet recognised standards for fraud prevention, data security and auditability. While certification isn’t yet mandatory, using an aligned provider shows regulators that your system meets UK best practice.

4. It creates and retains full audit evidence for seven years
Keep a complete record of the verification: copies of IDs (where lawful), logs of each step, results, and who carried out the check. This exceeds the five-year AML requirement in Regulation 40 but is essential for ACSP compliance.

5. It allows secure sharing and evidence export
As an ACSP, you must prove verification to Companies House. Your system should export verification records or allow read-only access for inspectors. Without this, compliance is hard to demonstrate.

Common pitfalls to avoid

The best way to avoid these pitfalls is to make 100% certain that you use a biometric check that meets both regimes, and goes deeper to verify, record and evidence every step, not just capturing an image. 

1. Assuming your AML checks already comply
Many AML tools verify documents visually or by database match only. Unless they include chip validation and liveness testing, they won’t meet the Companies House biometric standard. Always confirm your provider meets the IDVT requirements for Option 1.

2. Skipping training for manual checks
If you use Option 2, Companies House expects staff to be trained in document-fraud detection. This goes beyond basic AML awareness. Without training records, you can’t prove compliance. Remember AMLCC includes compliant AML Training on this topic.

3. Weak record keeping
Both the MLRs and Companies House require a full audit trail, not just a copy of the ID. Keep step-by-step records of what was checked, by whom, when, and with what result.

4. Confusing AML and ACSP retention rules
AML records are five years. Companies House IDV records: seven years. GDPR still applies to both. Align your policies so data is held long enough to evidence compliance but deleted once the legal period expires.

5. Treating verification as a one-off
Identity verification isn’t static. Regulations evolve and technology advances. Schedule regular reviews of your provider’s updates, refresh training, and test your process annually to stay compliant.

How AMLCC helps accountants stay compliant

We’ve got you covered when it comes to the Companies House and MLRs’ requirements so you can still carry out both your AML and ACSP checks in one place. Inside AMLCC, you can:

• perform both biometric checks (Option 1) and manual checks (Option 2) within one system;
• validate chip or cryptographic data;
• conduct liveness testing and facial matching;
• store verification records for seven years, satisfying both the ACSP and AML regimes;
• link ID verification to client risk assessments and AML policies; and
• provide regulators or Companies House with secure, read-only access during inspections.

Final thoughts

For accountants, becoming an ACSP brings new opportunity and new responsibility. Your professional reputation now extends into the integrity of the Companies House register itself.

By upgrading your biometric checks, aligning record-keeping, and embedding training, you can meet these higher expectations confidently. AMLCC gives you the tools and guidance to do exactly that, efficiently, transparently and in full compliance.