Company directors increasingly have to deal with personal identity theft on top of already substantial compliance requirements to meet their directors’ duties. The risk of identity theft is even greater for those company directors based in London than in other areas of the United Kingdom.

In 2017, a CIFAS report identified that company directors are twice more likely to be victims of identity fraud than other individuals. On Sunday, April 21, a Telegraph Money investigation found that 9,769 complaints were made to Companies House about its online database which holds personal information of company directors. 2,639 of those complaints were directly in relation to personal details in that online database and 356 of those attributed the public listing directly to their identity theft.

So what kind of information is contained on the Companies House database?

Section 163 of the Companies Act 2006, requires directors to provide personal information which is available on the Companies House public register:

  • The director’s full name and any former names
  • An address for service (the director can chose their company’s registered office)
  • The country or state (or part of the United Kingdom) in which the director is usually resident
  • The director’s nationality
  • The director’s business occupation
  • The director’s date of birth

The register has been publically available since 2015 and is found on the Companies House website. Additional historical information such as former addresses for service can also be obtained online.

What other platforms assist with identity theft?

Unsurprisingly, information contained on LinkedIn can also help fraudsters to steal your identity. Common types of personal information contained on LinkedIn includes: education history, employment history, current role and current location. This information assists fraudsters to gain historical information which can be used to support their use of your identity.

Other social media platforms such as Instagram, Twitter and Facebook can contain treasure troves of information. In some cases this may be information about an individual’s family, including the name and date of birth of their partner (who could be a co-signatory to a bank account) the individual’s whereabouts (such as on holiday overseas and not checking their post-box) and what they look like.

What does this mean for directors?

Unfortunately, the public nature of the Companies House register, that it is exempt from the GDPR under British law, and the increased use of social media platforms are key contributors to identity fraud for company directors.

As many people will know, applications for bank accounts, credit cards and loans, require a residential history for (usually) the past five years in addition to other personal identifying information such as, date of birth. Because of the historical information available on the register, and that some directors register their company to their personal residential address, company directors are more susceptible to identity theft and fraud than other individuals.

Publically available residential addresses also mean that physical mail which may also contain other person identifies and bank account information is liable to theft.

Common uses for stolen identities

Company directors’ identities are favourable for fraudsters because they are seen as more credible that an individual who is not a director. Meaning that if the director was to bulk purchase mobile phones or other technology, it is unlikely the point of sale would question that purchase in much detail.

Unsurprisingly, taking out loans, obtaining a credit card and gaining access to personal and business bank accounts to steal funds are common uses for stolen identities.

Government action to mitigate identity theft

In 2018, the Government took a small step to mitigate identity theft by modifying the address requirements it had in place for company directors. Prior to summer 2018, company directors were required to give a personal address which was available on the public register and only able to be removed if the person was at serious risk of violence or intimidation as a result of the company’s work. While this obligation has changed, the information remains a risk where the address for service is still a personal residential address.

What you should do to protect your identity

To protect your identity from theft, you should limit the personal information you make publically available through social media and other online sources. Information that can be used to steal identities includes personal addresses, dates of birth, and personal account information such as an email address which can also be used to verify a person’s identity.

While non-residential addresses can be used as addresses for service, it is important to remember that historical information can still be obtained through more detailed online searches. Furthermore, if a company’s registered address is one of its director’s personal residential addresses, this information will also still be available, regardless of the address you choose for service.

Other steps you can take include checking your credit history regularly, checking your personal and business bank account statements for unusual transactions, and notifying your bank if you identify any suspicious account activity. This might include if you are suddenly unable to access your online banking.

What you should do if you are, or think you might be, a victim of identity theft?

If you are a victim of identity theft and fraud then damage to your business, personal reputation and career can be irreparable if not dealt with swiftly.

First you should report your suspicion to the police as soon as you suspect that your identity has been stolen. You should also notify your bank of any suspicious account activity.

In some circumstances it may be necessary to contact specialist lawyers who can assist you to find, preserve and recover stolen monies and also help to identify those who are responsible for the crime.

Finally, when a crime has been committed but the enforcement agencies are not willing to investigate or prosecute, then so long as you can identify the offender, the option of bringing a private prosecution may be a route you wish to consider.