CFOtech UK - Technology news for CFOs & financial decision-makers
United Kingdom

Guides

#
artificial intelligence
#
data analytics
#
digital transformation
#
fintech
#
health technologies

Search

Vistra bristol headshots 05.03.25 42 skyblue 2
#
Data Protection
#
Surveillance
#
Facial recognition

Why ECCTA ID verification could be a liability trap for law firms

Wed, 19th Nov 2025
By Alan Hughes, Executive Director, Vistra

The Economic Crime and Corporate Transparency Act (ECCTA) is reshaping the landscape of UK corporate governance and compliance. It introduces sweeping changes to UK company regulation, aimed at tackling fraud, money laundering and the abuse of shell companies.

A key pillar of the reform is mandatory identity verification for directors, PSCs, and other individuals involved in setting up or running UK entities, with the 12-month phased regime active since 18 November 2025. 

For law firms acting as ACSPs, the implications are substantial. Many will be responsible for directing clients to Companies House or other ACSPs that can provide specialist identity verification support, if not processing the verifications themselves. Losing oversight of which clients are compliant, particularly those that go to Companies House directly, could therefore become an issue for filings in the future. ACSPs also carry the responsibility of not just for making the verification but securely storing the sensitive personal data that they have gathered.

With the ID verification deadline fast approaching, the burden of compliance is becoming clearer and heavier for law firms.
 
The scale of the challenge

Over 7 million individuals are expected to go through the identity verification process. Yet only 1 million – less than 15% – had done so.

Many directors and stakeholders are unaware of the requirements or unclear on how to comply. Nearly a third (31%) of UK directors surveyed by Vistra in October were unaware of ID verification and its deadline. This is despite the risk of unlimited fines, the risk of not being able to operate the company and Companies House confirming that it will be taking a hardline stance against firms that have not completed ID verification by the deadline.

Identity verification under ECCTA goes far beyond a simple KYC process - it requires:

  • Verification of official documents such as passports or driving licences.
  • Biometric matching, including facial recognition and liveness checks.
  • Maintaining secure audit trails to evidence compliance.
  • Ongoing monitoring in some instances, depending on the client's profile.

For law firms, the challenge isn't only regulatory. The sheer amount of low-margin administrative work involved could mean needing to divert staff, train teams and implement new systems, all for a service that is essentially a one-off, clients see as routine and won't pay premium rates for. However, many firms may continue to retain company secretary books despite the lower revenues, with supporting on identity verification playing a strategic role in maintaining client relationships.

The liability trap

If a law firm acting as an ACSP incorrectly verifies a fraudulent or illegitimate entity, it can have serious repercussions.

All previous verifications performed by that law firm may be subject to review or invalidation, and the firm could face regulatory penalties, suffer reputational damage, loss of authorised status or legal consequences.

There is no formal "safe harbour" provision, meaning law firms acting as ACSPs bear the brunt of responsibility, with little protection.

Even well-intentioned law firms could be penalised if they fail to meet evolving verification standards. It's safe to assume that Companies House's hardline stance will also extend to ACSPs.

The risk is high, but the financial reward is minimal, making this an unattractive proposition for most practices.

Outsourcing to compliance specialists

Some law firms are already opting to outsource identity verification to trusted providers with specialist capabilities. 

By working with external experts, they gain access to advanced technology such as biometric software, document scanning, and fraud detection, while also reducing their exposure to compliance risk and human error. 

Outsourcing can significantly speed up onboarding and processing times, even when handling high volumes, and ensures the creation of professional audit trails that can withstand regulatory scrutiny. 

Just as importantly, it allows law firms to focus on client service and their core operations, rather than attempting to transform themselves into compliance technology firms overnight.

What law firms should do now

With millions of people getting ready to verify their identity, preparation is key. Firms that act early will be better positioned to manage client demand, avoid bottlenecks, and stay ahead of compliance risk. 

While there is a 12-month transition period, with varying deadlines within that time frame for directors and PSCs, law firms should avoid waiting for the inevitable last-minute rush. Clients will need time to gather and submit documents, complete biometric checks, and resolve any discrepancies; therefore, ACSPs must act now.

  • They should assess if they can manage document and biometric verification at scale, asking themselves if they have the infrastructure, trained staff, and robust risk controls needed to ensure accuracy and consistency. If not, it's better to identify the gap now than during the rollout.
  • If outsourcing, choose partners with proven expertise in financial services compliance. Look for providers that offer advanced technology, robust fraud detection measures and a proven track record of meeting regulatory standards.
  • Keep detailed, organised records of processes, verification tools, and decision-making rationale. Being able to show regulators evidence of acting diligently and in good faith can be a vital safeguard if an ACSP's verifications are ever challenged.

The ECCTA reforms are designed to bring greater clarity and integrity to UK company data, but their implementation presents real operational and regulatory risks for law firms. With millions of verifications due over the next 12 months, the profession finds itself in a high-stakes environment where errors could have lasting consequences.

Acting on these steps now will not only reduce the operational strain of the new ECCTA requirements but also help position ACSPs as reliable, compliant partners to clients navigating the same pressures.
 

Follow us on:
Follow us on LinkedIn Follow us on X
Share on:
Share on LinkedIn Share on X
Related stories
Harvey to open Paris office & hire EMEA sales chief
BioCatch warns AI agents will supercharge online fraud
AI-driven scams & Windows 11 reshape ATM crime risk
UK businesses brace for 2026 fiscal strain & AI oversight
Auditoria boosts UK, EU growth with new data hubs, hire

Top stories

YouLend & Teya launch SME cash advances in UK, Europe
Dun & Bradstreet outlines seven key compliance trends
YAP Global names Otto Jacobsson CEO amid crypto shift
Insight & Stripe expand AI-driven enterprise commerce
IMS to power Drive Smart app for Motability Scheme