As you are aware, the All Party Group met with representatives of Companies House in January 2007 to discuss their work to protect the information of those companies who register with them.

  The meeting followed concerns expressed by both the police and private businesses, that processes within Companies House were not conducive to protecting directors' and companies' information against the threat of identity fraud. In particular, the Metropolitan Police expressed concerns that it was too simple for fraudsters to register a bogus company, or change the details of an existing organisation in order to gain credit and purchase supplies on the reputation of an established business.

  Our understanding is that the broad role of Companies House is to receive and make information available on British Companies and their Directors. The organisation holds a vast quantity of information, including (at the beginning of 2007) the details of over 2.3 million limited companies and 5 million directors.

  According to Companies House, over 6.5 million documents are received and over 4.5 million searches made each year. Companies House also informed the Group that the service is intended to be fast, low cost and flexible, making it easier to register and form a company in the UK than in most other countries.

  However, Companies House did concede to the Group that this structure does give rise to a number of issues. In a statement to the Group Companies House set out that:

"We receive the information in good faith and carry out basic checks to ensure that it has been correctly filed but we do not have the statutory powers to validate or verify the information we receive".

  In particular, during the course of our investigation, the Group heard of three primary ways in which the Register can be abused:

—  Bogus filing, and information filed by an incorrect source—for example false registered office changes, false appointments.

—  Filing of false information—companies or directors filing false information about themselves, for example, false auditor details, false addresses.

—  Wrongful use of information held on the register—for example use of directors details as part of account takeover fraud and identity fraud.

  During a meeting with the Metropolitan Police, officers from Operation Sterling explained how such activities facilitate the illegal acquisition of goods and services:

"Criminal networks would add a fictitious director to the Companies House register and then change the company's registered address to a false `front' address. They would then order high-value easily disposable goods, such as computers, phones and even top of the range motor vehicles on credit using the targeted company's good name and credit rating. Once the goods were delivered they would make off, leaving the supplier without payment and the targeted company with its `reputation' to repair".

  Further to this, the Group heard of specific cases of fraud through Companies House, including the following testimonial from AXA:

"AXA has been a victim of a fraud perpetrated by changing a subsidiary's registered office address at Companies House. Drawing on the credibility of the AXA brand, this allowed a fraudster to rent property and obtain goods, none of which were ever paid for. Tracing allowed the creditors to identify our offices as a previous registered address and alert all parties to the fraud. iii. Whilst the impact of this fraud on AXA is relatively limited, this type of event has the potential to damage our brand, and there is an opportunity cost in that it requires management time to resolve".

  According to Companies House, each month the organisation passes around fifty instances of fraud to the police for investigation. While this may only be a small percentage of 550,000 monthly filings, the impact on companies and their officers can be significant. The Metropolitan Police informed the Group that each successful attack via Companies House can net well over £100,000.

  Companies House has adopted a series of activities, directed at preventing the first of the above types of fraud. These include:

1. Electronic filing of information—using a secure password and company authentication code.

2. PROOF—PROtected Online Filing—a company elects to file certain information only in electronic format and agrees that any paper filings will be rejected.

3. A Monitor service—which alerts a company to any changes to their company record.

  An email alert system has also been created notifying companies when information is changed on their records, such as appointments of new directors, or apparent change of headquarters.

  The Group believes that these systems are effective tools to help prevent and flag up suspicious activity relating to company information. However, we have some serious reservations about the current effectiveness of these measures.

  Despite many companies electing to file information electronically, the Group was informed by Companies House in January 2007 that only 2% of organisations had signed up to PROOF, only 10% to the text alert service, and that all but 50,000 of the 2,000,000 companies registered at Companies House have yet to switch to filing only electronically.

  Companies House also informed the Group of a number of additional mechanisms being prepared to help prevent fraud. These included:

—  working with companies and business organisations to raise awareness, promote the three-point plan and increase the take up of PROOF;

—  an automatic sign-up to PROOF;

—  analysing cases of fraud to identify trends and high risk groups;

—  the creation of a new offence within the Company Law Reform Bill of false filing; and

—  a move to data rather than form based filing, which would allow for further checking and validation options to be explored.

  During their communications with the Group, AXA suggested a system of electronic alerts, to be sent to firms when changes to Companies House details are requested, using hyperlink based verification mechanisms to confirm any changes. This system would operate in a similar way to that used by webmasters to verify user registrations or password changes, and would have the added advantage of providing an extra level of identity verification through the use of validated email addresses.

  The Metropolitan Police also proposed that data supplied during new company formations should be verified to ensure the validity of the data supplied, thereby preventing false filings.

  The Group believes that Companies House has made some progress to address the risks currently facing the organisations it holds information on. However, we believe that a stronger approach is necessary in order to prevent fraudsters taking advantage of the information held on its databases.

  In particular, the Group would like to see the compulsory membership of the PROOF and monitoring alerts initiatives introduced. There should also be an assessment of the benefits which would be provided by statutory legislation enabling Companies House to demand verification of all information at the point of submission.

  We believe there is also a case for restricting the amount of information publicly available through the Companies House database. During a meeting with the Office of the Information Commissioner it was suggested that access to personal details should be restricted to members of the register. This would automatically restrict access and ensure that attempts to view data could be effectively monitored.

  During 2006 a police officer was permanently stationed at Companies House to provide first hand assistance as part of "Operation ST£RLING". During this year, the officer disrupted over 490 impending attacks on UK business, by disseminating data on "false changes" promptly to the credit reference agencies who, in turn, issued alerts on those engaged in supplying goods on credit. While there remains a close working relationship between the Metropolitan Police and Companies House, an officer is no longer stationed in Cardiff.

  The Group has commended the Metropolitan Police Force for its efforts in cooperating with Companies House, and believes that the potential for future collaborations should be examined.

  Finally, Companies House must work with the private sector, and police to raise awareness of the types of frauds outlined in this paper, and the steps which can be taken to defend against them.

  I hope that this paper outlines the key areas of concern which we have around the current processes within Companies House. While we understand that the organisation provides a vital service, in the current data security environment it is vital that organisations which handle large amounts of data ensure that they set in place the utmost protections.

March 2008