How a major glitch by Companies House revealed an uncomfortable truth about business data

By Mateusz Pniewski on Growth Business

The Companies House incident highlighted the outdated way business data is handled at a time when fraud is rife. This is how we overcome it.

  • Mateusz Pniewski
  • April 2, 2026

Five million entities were left open to fraud and exposure after an incident at Companies House allowed people to edit firms’ data.

Although Companies House acted quickly to resolve the glitch, the vulnerability exposed a dangerous myth about why business data needs to be addressed. Core registries are relied upon to ensure key business data is protected, so if this trust is lost, vulnerabilities can be revealed that affect more than just the platform itself.

This incident, which occurred without the knowledge of companies affected, resulted in unauthorised users having access to registered details of legitimate businesses, including director names, registered addresses and ownership records. They also had the ability to change these details, once accessed.

It is incidents like this that emphasise why businesses need consistent visibility and ongoing risk assessments to prevent fraudsters accessing and manipulating registry data. If exposed, businesses risk having their accounts seized and can fall victim to fraudulent credit histories or identity fraud.

It acts as another timely reminder of why Know Your Business (KYB) processes and Ongoing Due Diligence (ODD) have to be prioritised. We cannot fully rely on key registries anymore, so what does this mean for the future of KYB checks?

Why static checks are unreliable

There is an assumption ingrained in how many organisations approach KYB compliance: that verifying a company at the point of onboarding is sufficient. You run the check, confirm the directors, validate the registered address, tick a box, job done. It’s a model built for a world where business data is more stable and fraud is far less frequent.

But static, one-time checks at onboarding are not enough; not today. A one-time check conducted weeks or months before a glitch like this offers no protection against what happens after onboarding. Businesses change too quickly for this snapshot to be accurate.

Modern fraud is advanced, intelligence-driven and relentless. Bad actors are just as clued into compliance processes as the compliance teams themselves: they know the gaps and they exploit them, and a prime target is the period between when a company is onboarded and the next time it is reviewed. New companies join supply chains, directors leave and join, registered addresses are changed – and it causes absolute chaos.

On so many occasions, these changes pass through public registries unnoticed for months. For example, suppose a payment firm onboards a new merchant in January. At that initial point, all registry checks pass. But by March, the company’s director has been replaced and the registered address has been changed. Whether or not these are legitimate changes remains to be seen, but that’s the point – without continuous monitoring, these updates may go unnoticed for the longest time.

The Companies House glitch brought the full extent of the problem into view, as even the source can be manipulated or corrupted. Building a compliance framework on a single point-in-time check is therefore a liability, plain and simple.

The role of Ongoing Due Diligence as a core business strategy 

Businesses must be able to continuously verify that the information they rely on about corporate entities remains accurate and up to date. Regulators are cracking down on ongoing due diligence, with the Financial Conduct Authority (FCA) leading the charge, declaring onboarding-only KYB insufficient as a standalone defence against financial crime. Firms need a comprehensive onboarding process, yes, but they also need to consider how they’ll detect and respond to material changes in that party’s risk profile over time.

Those that cannot demonstrate a continuous monitoring capability are increasingly exposed, both to enforcement action and to the underlying fraud risks that a static approach fails to catch.

No registry, no matter how credible or authoritative, should be treated as the final word on a company’s legitimacy. Effective KYB requires layered verification with steps to cross-reference multiple data sources, combine registry data with document checks and monitor in real time to build a more resilient picture of corporate identity. By automating global registry data sourcing, primary document collection, complex ownership tree structuring and EDD procedures, firms can remove friction from merchant and corporate onboarding while maintaining rigorous compliance standards. As regulation intensifies and onboarding volumes grow, these businesses need flexibility, not rigid, one-size-fits-all workflows.

Companies are beginning to recognise the importance of tracking corporate data in real time: spotting organisational change allows them to act quickly and prevent risk. What is necessary now is layered verification and continuous monitoring, because when public registries fail, so does trust in the business ecosystem.

Incidents like this remind us why businesses cannot rely on one single source of truth. Emerging threats harm companies, partners and customers, which is why building strong KYB frameworks and embedding ongoing due diligence into compliance processes matters: it creates protection against future threats.

Mateusz Pniewski is CEO of TransactionLink.
