When you think of identity theft, you might be inclined to link it to database breaches or cruel social engineering tactics on behalf of cold callers. But if fraudsters want easy access to personal information without breaking the law, they need look no further than Companies House.
According to The Telegraph, Companies House receives a complaint every three days from someone who believes their personal details have been stolen from its website. Research carried out by the newspaper also revealed that 9,769 complaints had been made to Companies House over a three-year period, with 356 of those people claiming they’d been a victim of fraud.
If you’re a company director, this will doubtless raise concerns. But how have we reached this point, and what can you do to limit the chances of your Companies House listing resulting in identity theft?
GDPR and Companies House: the truth
When the General Data Protection Regulation was introduced nearly a year ago, UK businesses invested significant time and expense in getting their data protection rules in order. What you might not be aware of is the fact that Companies House is exempt from the GDPR’s stringent rules under UK legislation.
This means the usual rights relating to data erasure, portability and rectification don’t fully apply to the UK’s registrar of companies, and fraudsters have clearly become acutely aware of the fact.
Experts believe the rise in online fraud relates to the public becoming more relaxed about sharing their details online, and fraudsters discovering new ways to obtain personal data without resorting to database hacks or social engineering tactics. The absence of GDPR rules for Companies House simply exacerbates these factors.
Why are company directors targeted?
The large number of identity theft complaints relating to Companies House shouldn’t come as a surprise. Company directors are viewed by fraudsters (rightly or wrongly) as being more creditworthy thanks to their established careers and the likelihood they have valuable assets.
When a criminal obtains personal data, it’s typically used to set up fake bank accounts, obtain credit cards, or as a method to gain access to other financial accounts. With a Company Director’s personal information to hand, these forms of crime can become significantly easier to undertake.
A report released by CIFAS in 2018 revealed that 76% of company director identity theft victims had their home address registered on Companies House as their business address.
So, what are they doing wrong?
An easy mistake to make as a company director
If you become registered as a company director, you need to provide your date of birth, personal address and service address (now referred to as the ‘correspondence address’). It’s common for people to list their personal address for both – and that’s where the problems begin.
Companies House doesn’t publicly list the residential address by default, but the service address is always made available. That means anyone can access the information, providing they have a computing device and connection to the internet.
If you’re a company director, it might have been some time since you set up your directorship, but if you head over to the Companies House website, you’ll be able to quickly find which address you have publicly listed.
Even if you’re a director of a company that’s been wound up, you’re just as vulnerable due to the fact your personal details may be kept on the register for up to six years after the close date of the business.
There’s a simple solution
If you’ve just carried out the above search on your own details and now fear for the safety of your personal data, it’s important not to panic.
Although the number of fraud complaints relating to Companies House is high, with over four million companies registered in the UK and at least one director listed for each, the chances of you being targeted are still relatively low.
Regardless, it pays to be prepared and do all you can to protect your personal data. Obtaining a listing on Companies House benefits both the public and your business, but by listing your home address as the correspondence address, you’ll be opening yourself up to potential fraud.
There are two simple solutions:
- List the correspondence address as your business address.
- Rent a PO box type of address and get mail forwarded periodically.
- Ask a professional like your accountant to use their address as the correspondence address. That way they can react to anything urgent. The right accountants will offer this service!
However, there’s still a risk even after you’ve made the change. Once you’ve changed your correspondence address, the old address will remain part of the public record, including those of dissolved companies. Thankfully, a law passed in 2018 means you can change or remove historic addresses, but it does come at a cost of £55 per document.
It’s worth reiterating: if you’re a company director, there’s no need to panic. Although identity theft continues to rise in the digital age, you can significantly limit your chances of becoming a victim by taking simple precautions.
Your Companies House listing might have been the last place you’d expect fraudsters to target, but with our advice above in hand, you can be one step ahead of them.
- Anyone can access the correspondence address of a director on Companies House
- Companies House isn’t subject to GDPR rules
- Using your home address for the registered office of the business and your correspondence address isn’t advisable
- The correspondence address can be changed to that of your accountants (a service we provide)
If you’d like to discuss any concerns with us please do get in touch.