Compliance Briefing — October 26, 2023
The UK Economic Crime and Corporate Transparency Act 2023 introduces Companies House identity verification, corporate liability reforms, and expanded data-sharing powers that demand governance upgrades, phased implementation, and DSAR processes spanning ownership, filings, and AML investigations.
Executive briefing: On 26 October 2023 the United Kingdom’s Economic Crime and Corporate Transparency Act 2023 (ECCTA) received Royal Assent, ushering in sweeping reforms to company formation, beneficial ownership verification, limited partnership regulation, corporate criminal liability, and information sharing among enforcement agencies. The legislation empowers Companies House to act as a proactive gatekeeper, mandates identity verification for company directors, people with significant control (PSCs), and those who file on a company’s behalf, and expands corporate criminal liability for economic crime. Organizations must overhaul governance structures, compliance programs, and data management capabilities to meet phased implementation milestones while safeguarding personal data and honoring data subject access requests (DSARs) under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
Governance responsibilities and oversight
Boards of UK-registered entities and overseas firms operating through UK limited partnerships should immediately assess ECCTA’s impact. Audit and risk committees must supervise readiness for Companies House identity verification, new filing requirements, and enhanced economic crime risk assessments. The legislation grants Companies House powers to query, reject, or remove filings, meaning inaccurate or incomplete submissions can trigger enforcement action. Boards should update governance charters to include ECCTA compliance, designate accountable executives (e.g., general counsel, chief compliance officer, money laundering reporting officer), and require quarterly reporting on implementation progress, identity verification status, and DSAR metrics related to company registry data.
Parent companies should coordinate across group entities to maintain consistent compliance. International groups must ensure subsidiaries adopt standardized policies for PSC validation, registered office requirements, and corporate service provider oversight. Governance frameworks should map out how data collected for identity verification and beneficial ownership tracking will be shared across functions (legal, compliance, privacy) and with third-party verification providers. Documentation must outline how DSAR requests related to Companies House filings, beneficial ownership records, and economic crime investigations will be processed within statutory deadlines while respecting law enforcement exemptions.
Implementation roadmap
ECCTA implementation will occur through staged secondary legislation beginning in early 2024. Organizations should plan for four phases:
- Mobilization (0–90 days): Establish an ECCTA program office with cross-functional representation. Conduct a gap analysis covering identity verification capabilities, PSC registers, registered email address requirements, and corporate crime risk assessments. Inventory personal data collected for compliance and confirm lawful bases for processing. Update privacy notices to explain new data uses, including sharing with Companies House and enforcement agencies.
- Identity verification build-out (90–210 days): Select or enhance digital identity solutions that meet Companies House standards (anticipated to align with the UK Digital Identity and Attributes Trust Framework). Develop procedures for verifying directors, PSCs, and filing agents, including manual fallback processes. Maintain auditable records of verification steps and integrate them with DSAR tracking systems so individuals can request access to their verification data, understand retention periods, or challenge inaccuracies.
- Filing and data quality enhancements (210–420 days): Update company secretarial processes to capture new mandatory information, including registered email addresses, restrictions on corporate directors, and increased transparency for limited partnerships. Implement validation controls and segregation of duties for submissions to Companies House. Enhance monitoring of anomalous changes flagged by Companies House queries and respond promptly. Document procedures for handling removal of fraudulent filings and notify affected individuals, including guidance on DSAR rights when records are suppressed.
- Economic crime governance (ongoing): Review and refresh anti-money laundering (AML) and counter-fraud programs to incorporate the new corporate criminal liability offence of failure to prevent fraud and the identification doctrine reforms that broaden attribution of criminal intent. Update whistleblowing channels, training, and investigation playbooks. Ensure DSAR processes account for law enforcement exemptions while providing permissible transparency to employees and third parties involved in investigations.
Data management, privacy, and DSAR implications
ECCTA significantly increases the volume and sensitivity of personal data held by Companies House and regulated entities. Identity verification will involve collection of passports, driving licences, biometric data, and address information. Organizations must implement privacy-by-design controls: encryption, secure storage, access controls, and retention schedules aligned with Companies House requirements and AML regulations. Conduct data protection impact assessments (DPIAs) for identity verification workflows and beneficial ownership databases. Ensure third-party service providers execute data processing agreements with clear obligations for DSAR support and breach notification.
DSAR teams should prepare for higher volumes of requests from directors, PSCs, and individuals named in filings seeking access to verification data, reasons for query or removal decisions, and records of disclosures to authorities. Establish procedures to authenticate requesters without creating additional identity risk, respond within one month (extendable by a further two months for complex or numerous requests), and document any reliance on the crime and taxation exemption in Schedule 2 to the Data Protection Act 2018 when withholding information. Provide clear explanations of retention periods, sharing partners, and rights to rectification. When Companies House or law enforcement agencies raise queries about suspicious filings, keep logs of the query and the response so that the disclosure is traceable and DSAR responses can be given with appropriate context.
Limited partnerships now face new obligations: maintaining a registered office in the UK, providing a registered email address, filing annual confirmation statements, and, where a general partner is a corporate entity, naming a registered officer who is a natural person and has verified their identity. These filings may include personal data of partners, registered officers, and managers. Implement access controls and DSAR workflows to manage requests from limited partners or investors seeking information about their data in partnership filings.
Corporate criminal liability reforms and compliance integration
The Act introduces a new corporate offence of failure to prevent fraud for large organizations (meeting two of three thresholds: £36 million turnover, £18 million balance sheet, 250 employees). Boards must oversee the design of reasonable fraud prevention procedures, anticipated in forthcoming guidance from the UK Government. Integrate these procedures with existing AML, anti-bribery, and tax evasion controls. Document risk assessments, internal controls, and training modules, noting how personal data (e.g., employee investigation records, whistleblower reports) will be processed and handled under DSARs while respecting confidentiality and privilege.
ECCTA also reforms the identification doctrine, allowing prosecutors to attribute criminal liability to companies when senior managers commit economic crimes. Governance frameworks must define who qualifies as senior management, maintain registers of responsibilities, and ensure DSAR processes encompass investigation data. Implement legal hold procedures that pause deletion of records subject to litigation while documenting the lawful basis for retention when responding to DSARs.
Information sharing and cross-border considerations
The Act enhances data sharing among Companies House, HM Revenue & Customs, the National Crime Agency (NCA), and international partners. Organizations should map information flows, including suspicious activity reports (SARs), to ensure compliance with data protection obligations and maintain DSAR audit trails. When sharing data internationally, assess adequacy decisions or use appropriate safeguards (standard contractual clauses, international data transfer agreements). Update privacy notices and data sharing registers to reflect new disclosures mandated by ECCTA.
Multinational groups should harmonize ECCTA compliance with EU and U.S. beneficial ownership regimes (e.g., EU’s 5th Anti-Money Laundering Directive, U.S. Corporate Transparency Act). Align DSAR processes to manage requests across jurisdictions, coordinating with global privacy offices to ensure consistent responses and proper application of exemptions.
Training, culture, and stakeholder communication
Provide targeted training to company secretaries, compliance officers, finance teams, and board members on ECCTA requirements, identity verification procedures, Companies House interactions, and DSAR handling. Scenario-based exercises should cover responding to Companies House queries, managing fraudulent filings, and coordinating with law enforcement. Train DSAR teams on handling requests involving legal privilege and AML exemptions.
Communicate proactively with directors and PSCs about upcoming verification requirements, expected documentation, and privacy safeguards. Issue stakeholder briefings explaining how the organization will protect personal data while meeting transparency goals. For investors and lenders, highlight governance enhancements and fraud prevention measures to maintain confidence.
Next steps
Within 30 days, convene the ECCTA steering committee, initiate gap analysis, and update risk registers. Within 120 days, finalize identity verification solution designs, approve updated governance policies, and launch DPIAs. By late 2024, implement verification workflows, refresh filings to meet new content requirements, and complete training for all relevant personnel. Maintain continuous monitoring of secondary legislation and Companies House guidance, adjusting controls accordingly. Robust governance, disciplined implementation, and privacy-conscious DSAR processes will position organizations to comply with ECCTA while strengthening trust in corporate transparency.