The Economic Crime and Corporate Transparency Act 2023 is quietly transforming Companies House from a passive registry into something more like a financial crime gatekeeper. At the heart of this shift is mandatory identity verification and the creation of Authorised Corporate Service Providers (ACSPs), sometimes referred to as Companies House authorised agents.
For many law firms, particularly those with company, commercial, banking or private wealth clients, becoming an ACSP will feel like a natural extension of what they already do. For others, it will look like a new regulatory burden they would rather avoid.
You do not need to be an ACSP to exist as a law firm. But if you want to keep filing at Companies House for clients, and if you want to help those clients through the identity verification process, ACSP status could become part of your future.
What is an ACSP – in law firm terms?
Companies House defines an ACSP as a supervised intermediary that can verify identities for Companies House and file on behalf of others. That intermediary can be a business (for example, a company or partnership) or an individual (for example, a sole practitioner or freelance solicitor). Solicitors’ firms are explicitly within scope, provided they are supervised by a UK AML supervisory body. Currently this is the SRA, but this is due to change to the FCA.
Once registered, your firm is given an authorised agent account and a unique identifier. You can then add people who work for the firm to that account.
In other words, “ACSP” is really an overlay on top of what you already are. You remain an SRA-regulated law firm. You remain AML-supervised. ACSP status simply allows you to play a specific role in the new Companies House regime.
Do law firms actually have to register?
There are two separate questions lurking here:
- Do you have to register as an ACSP in order to continue your legal practice?
- Do you have to register as an ACSP if you want to file at Companies House for your clients?
The answer to the first question is no. ACSP status is not a condition of holding a practising certificate or running a law firm.
The second question is more nuanced. For now, only agents that plan to verify the identity of clients for Companies House need to register as ACSPs. That is the initial gateway. Over time, however, Companies House has been clear that all agents who file on behalf of clients, including law firms, will need to be registered. From spring 2026, filing as a third party will be an ACSP-only function.
This means you have a genuine strategic choice in the short term. You can let clients verify directly with Companies House, using GOV.UK One Login and the direct identity verification route. Or you can step into the ACSP role, add verification to your service offering, and become your clients’ gateway to the new regime.
If you routinely incorporate companies, make Companies House filings, manage corporate groups, act on share sales or financings, or run an active company secretarial function, the second option will be attractive. If Companies House filing is only an occasional add-on to other work, and you are happy for clients to deal with Companies House directly, you may decide to delay ACSP registration or keep your role limited to filings once that becomes possible.
The ACSP timeline
The timetable is compressed enough that law firms do need to engage with it rather than wait to see what happens.
Companies House opened the ACSP registration route in March 2025. In April 2025, authorised agents gained the ability to tell Companies House when they had verified someone’s identity using an online service.
Identity verification itself becomes a legal requirement in November 2025, triggering a 12-month transition period. During that period, existing directors and people with significant control must verify their identities, broadly aligned to confirmation statement cycles and, for some PSCs, the month of their birth.
From spring 2026, only ACSPs will be able to file on behalf of others. At that point, if you are still acting as a filing agent but have not registered as an ACSP, you will be forced to stop.
For a corporate or banking team that has quietly taken responsibility for Companies House filings for years, that is not a trivial change. It is worth mapping which clients will be affected, which of your practice areas rely on you being able to file, and what would happen to those clients if you stepped away from that role.
Can your firm become an ACSP?
The eligibility test is simple on paper. To register, you must be supervised under the Money Laundering Regulations and you must remain supervised throughout. The guidance lists company formation agents, solicitors and accountants as obvious examples of eligible agents.
In practice, there are a few traps that have already caught out accountancy practices and will just as happily snare law firms. ICAEW has highlighted issues such as applicants using trading names rather than legal entity names, mis-describing their legal form, or quoting a personal regulatory or membership number instead of their firm’s AML supervision reference.
Before you apply, it is worth doing a housekeeping exercise:
- Check your AML supervision details: firm name, legal form, supervisor, registration or reference numbers.
- Make sure those details line up across SRA records, Companies House, your letterhead and website.
- Decide which entity is actually applying – the LLP that employs staff, the service company, or another part of the group.
If you are applying as a freelance solicitor, ensure that you use the SRA number attached to your freelance practice, not your personal SRA number.
Get that wrong, and you risk delay and potentially a refusal.
ACSP identity checks are not just “more AML”
For lawyers steeped in the Money Laundering Regulations, it is tempting to assume that the Companies House identity verification standard is simply another variant of client due diligence. The language is familiar. Several of the documents are the same. The reality, however, is that ACSP checks sit alongside AML rather than within it.
AML due diligence is risk-based. You weigh up the inherent risk of money laundering and terrorist financing, consider mitigating and aggravating factors, and apply proportionate measures. A politically exposed client in a high-risk jurisdiction will trigger deeper scrutiny than a low-risk, domestic consumer. The Regulations are explicit about this flexibility.
Companies House verification is different. The identity verification standard is prescriptive. For each person you verify, you are expected to follow the steps in the standard in full, from information gathering, through to document checks, fraud prevention, record-keeping and final decision. There is no option to dial down the checks because the matter feels low risk.
The objectives differ as well. AML is about protecting the financial system and your own firm from criminal abuse. Companies House verification is about cleaning up the public register: ensuring that the individuals shown as directors, PSCs and presenters are real people, properly linked to corporate roles, not fictional names or identity theft victims.
Record-keeping is another point of divergence. Under the MLRs, you would normally hold CDD records for at least five years from the end of the business relationship or the date of an occasional transaction. Under the Companies House regime, ACSPs must keep records of identity checks for a minimum of seven years from the date of verification, regardless of the underlying client relationship.
These may feel like fine distinctions, but from a compliance perspective they are important. Your ACSP process will need to be clearly documented and auditable in its own right, even if you sensibly align it with your AML framework.
What the Companies House standard expects
The standard itself is detailed, but the underlying logic is straightforward.
First, you must gather core information about the person you are verifying: their full name, current and recent addresses, date of birth and contact details. This is similar to what you would already collect when onboarding a private client, director or shareholder.
Secondly, you must obtain evidence of identity, either through technology-supported checks of a biometric or machine-readable document, or through a more traditional, manual review of documents such as passports, driving licences and utility bills. If you choose the manual path, you will usually be looking for a combination of at least two documents, including photo ID and proof of address.
Thirdly, you must make sure the documents are genuine. If you are relying on a technology provider, that means understanding what their software does. For example, whether it reads and validates the chip on an e-passport, whether it checks for signs of tampering, and how it flags anomalies. If you are checking documents manually, your staff will need training in document security features and fraud indicators; simply looking at a passport in a meeting will not be enough.
Fourthly, you must be satisfied that the documents relate to a real, living person, and that they belong to the individual in front of you. That involves familiar techniques such as comparing the photograph to a live image or video call, cross-checking details against third-party data where appropriate, and looking for inconsistencies in the story.
Fifthly, you must keep records. Not just copies of documents, but evidence of the steps you have taken, the checks the technology carried out, and your reasons for reaching a decision. These records must be held securely for at least seven years and be capable of being produced to Companies House on request.
Finally, you must make a positive decision: you either verify the person and tell Companies House you have done so, or you conclude that you cannot verify them. In borderline cases, that may mean asking for more documents, escalating to a senior colleague, or recommending that the individual uses the direct Companies House route instead.
Manual versus digital models
The standard does not force you to adopt identity document validation technology. You can, in theory, run a purely manual process, with trained staff examining original documents and making notes of their checks.
For some small, locally focused practices dealing mainly with familiar clients, that may be viable. You will still need to invest in training frontline staff to recognise forged or altered documents and to follow Home Office-style guidance on document examination. You will need a quality assurance regime. And you will need to accept that the process will be relatively slow and heavily dependent on individual judgement.
For most firms contemplating more than a handful of verifications, the case for using specialist technology is strong. Third-party providers can validate cryptographic features of biometric documents, use liveness detection and facial recognition tools, and integrate sanctions and PEP screening as part of a unified workflow. In some cases, firms will already be using similar tools for AML purposes and can extend those contracts to cover the Companies House standard as well.
However, you cannot outsource responsibility to technology. Even if an external platform performs the checks, you remain the ACSP in the eyes of Companies House. It is your name that appears on the public list of authorised agents. It is your officers who are responsible for compliance and who could face sanctions if things go wrong.
Risk management
As an ACSP you are taking on a defined regulatory role with its own risk profile.
From a Companies House perspective, failure to comply with the legal requirements (for example, failing to remain AML-supervised, not keeping seven-year records, or not providing information when asked) is an offence. In serious cases, they can suspend your ACSP status or cease it entirely. That will immediately stop you filing or verifying for clients, and they will publish the fact of that suspension or cessation.
From a professional and commercial perspective, there are broader concerns. If you wrongly verify a fraudster who goes on to use a UK company to cause loss, there is a clear litigation and insurance angle, as well as professional regulatory implications. If you mishandle the verification process for an important client, or misunderstand their deadlines, and they cannot file on time, there is obvious scope for complaints and reputational damage.
You will also be handling rich, sensitive personal data, including identification documents and, in some cases, biometric identifiers. That raises familiar data protection questions: do your privacy notices explain this processing? Have you done a DPIA? Have you checked where your technology provider stores data and on what legal basis? Are your retention and deletion schedules aligned with the seven-year ACSP requirement?
None of this should deter a well-run firm, but it does mean that ACSP work needs to be designed and governed as a compliance area in its own right, not left as an unstructured bolt-on to existing company secretarial tasks.
Implementation for law firms
Seen in the round, becoming an ACSP is a project. For a typical firm, a sensible sequence might look like this.
You start by making a strategic decision. Do you want to continue filing for clients beyond spring 2026? If yes, ACSP registration is not really optional. Do you want to add identity verification as a client service or leave that to Companies House and third-party providers? The answer will depend on the nature of your client base, your appetite for investing in systems, and how central corporate governance is to your practice.
Once the direction of travel is agreed, you can tackle eligibility and housekeeping. You ensure your AML supervision details are accurate and consistent, you agree which entity will apply, and you obtain the necessary internal approvals. You then submit the application to register as an authorised agent, taking care to use the precise legal name and correct supervision references.
The next stage is process design. You map the Companies House identity verification standard against your existing onboarding and AML procedures and create a dedicated ACSP procedure. That document explains who collects what information, which documents are acceptable, how checks are conducted, what happens when checks fail, and how records are stored and retrieved. You build simple checklists and workflows to make compliance achievable for busy fee-earners and support staff.
In parallel, you decide on your operating model. If you choose to work with an ID verification provider, you select and contract with one, carry out technical and legal due diligence, and build the integration points into your case management or onboarding systems. If you intend to rely more heavily on manual checks, you plan and deliver the necessary training and quality assurance.
Training deserves particular attention. Colleagues need to understand the rationale for ACSPs, the broad contours of the new Companies House regime, and the specific steps they must follow. Case studies of address hijacking and shell company abuse help to bring the issues to life and to avoid the perception that this is just more red tape.
Before offering the service widely, many firms will sensibly run a pilot. Your own partners and linked companies make ideal test cases: you can verify their identities, file the necessary confirmations, and refine your communication and internal processes without risking an external client relationship.
Only then do you roll out to clients. That stage involves clear, jargon-free communication: explaining why identity verification is being introduced, setting out the options, describing what you will and will not do, and being explicit about timescales, fees and responsibilities. You might choose to prioritise large groups and complex structures first, where the risk of disruption is greatest, and then move through the rest of your portfolio as confirmation statement dates approach.
Finally, you monitor and refine. You sample completed verifications, check that records meet the standard, track any issues with your technology provider, and update policies and training when Companies House guidance changes. You make sure you are able to respond quickly if Companies House asks questions about particular filings or identity checks.
Need more support? We can:
- Provide an accredited ACSP identity verification service
- Train your team on the ACSP regime
- Draft policies and templates
