ECCTA identity verification: what the November 2026 deadline means for supplier due diligence

The Economic Crime and Corporate Transparency Act 2023 (ECCTA) is the most significant reform to UK company law in a generation. One of its central provisions, mandatory identity verification (IDV) for directors and Persons with Significant Control (PSC), is now live and working its way through the register. The rollout launched on 18 November 2025 and features a 12-month transition period ending 17 November 2026, with specific deadlines triggered by each company's confirmation statement date or the individual's month of birth. If you assess suppliers for a living, this matters to you, even if your own company is already compliant.

What ECCTA identity verification actually does

For years, becoming a director of a UK limited company required little more than submitting a name and an address to Companies House. That openness made the register one of the world's most accessible, and, critics argued, one of the most easily abused. Fictitious appointments, fraudulent incorporations, and opaque ownership structures were persistent problems the system lacked the tools to address.

The verification requirement transforms Companies House from a passive record-keeper into an active gatekeeper, designed to prevent anonymous control of companies and improve corporate data reliability. Under the new regime, UK directors, LLP members, Persons with Significant Control, and people filing information at Companies House are legally required to undergo identity verification, following which they receive a unique identifier known as a personal code.

Identity verification will make it harder for people to set up companies or appoint directors using fake or stolen identities. It will make it easier to expose disqualified directors and link multiple directorships to one person, helping to identify criminal networks. It will also help Companies House take enforcement action, as they will know who is really behind a company.

The deadline picture is more complicated than it looks

There is no single cut-off date that applies to every company. The 18 November 2025 date marks the start of the mandatory regime, not a single universal deadline. The practical deadline depends on each individual's role and the next filing trigger.

For directors of existing companies, the clock runs to the confirmation statement. Existing individual directors and LLP members must verify their identity before the next confirmation statement is filed after 18 November 2025, and their personal IDV codes must be provided with that statement. The consequence of missing that window is operational, not just administrative: if any director has not verified, regardless of whether their own deadline has technically passed, the company cannot file at all. A company with ten directors that has nine verified and one who has not yet acted cannot submit its confirmation statement.

For PSCs who are not also directors of the same company, the rules differ. Existing individual PSCs who are not directors of the same company must verify their identity by the 14th of their birth month, for example, if born in March, the deadline to complete IDV is 14 March 2026.

Companies House estimates that 6 to 7 million individuals will need to verify their identity by mid-November 2026. That is a large number of people, and the compliance picture across the register will be uneven for much of this year.

The presenter and agent requirements are following on a separate track. Changes originally slated for Spring 2026 are now envisioned to take effect no earlier than November 2026, including mandatory IDV for presenters, meaning identity verification will become a compulsory prerequisite for any individual delivering documents to the Registrar. Alongside this, third-party agents such as law firms and accountants filing on behalf of companies must register as an Authorised Corporate Service Provider (ACSP).

What this means when you are assessing a supplier

From a supplier due diligence perspective, IDV creates both a new data signal and a new risk category to consider.

The data signal is straightforward. Once the transition period closes in November 2026, any company that has failed to get its directors and PSCs verified will face filing blocks and enforcement action. From November 2026, enforcement escalates, and non-compliance becomes a criminal offence punishable by fines of up to £5,000 per individual, potential director disqualification, and Companies House striking the company from the register. A supplier whose directors have not verified by the time their confirmation statement falls due is already exhibiting a compliance gap, one that is visible on the register.

The broader point is what IDV reveals about the people behind your supplier. Until now, the director and PSC data on the register could not be trusted as a reflection of real, verified individuals. A name and date of birth were simply asserted, not confirmed. From this year onwards, that changes. Every name on the register must now correspond to a verified individual. That is a meaningful shift for anyone trying to understand who actually controls a company.

Consider how this interacts with sanctions screening. When we screen a supplier at Senserity, we check the company itself, each current director, and each PSC, whether an individual or a corporate entity, against the UK sanctions lists maintained by the Office of Financial Sanctions Implementation (OFSI). A sanctions match against a director or PSC is one of the most serious findings we can surface. The reliability of that check depends, in part, on the accuracy of the underlying register data. As IDV embeds itself into the register, the confidence we can place in director and PSC identity information will increase, which makes screening outputs more meaningful.

You can see how we approach this kind of layered screening on our compliance due diligence page.

What to look for in your supplier base now

The transition period does not mean you can defer attention on this. For suppliers with confirmation statements due in the first half of 2026, directors and PSCs are already at or past their personal deadlines. There are a few practical things worth checking when you review a supplier through Companies House or through a platform like Senserity.

First, look at filing behaviour around confirmation statements. Late filing of a confirmation statement is a criminal offence, and the single point of failure created by one unverified director is a genuine compliance risk. A supplier that suddenly goes quiet on confirmation statement filings after November 2025 may have a verification problem. Second, pay attention to director and PSC changes. A new director being appointed to an existing company needs to have their identity verified before their appointment is notified to Companies House. The obligation falls on both the individual and the company. A company appointing directors without following this process is breaching the Companies Act 2006.

Third, note the scope of what is coming for agents and presenters. Once the new ECCTA regime for filing comes into effect, filing at Companies House will only be possible either by a person who has had their identity verified or by an Authorised Corporate Service Provider (ACSP). Suppliers relying on unregistered formation agents or informal filing arrangements will need to adapt. Those that are slow to do so will generate compliance flags.

If you want to understand how Senserity monitors filing behaviour and officer changes as part of ongoing supplier monitoring, the help section on risk tests is a useful starting point.

The register is becoming more reliable, not less useful

The direction of travel here is positive for anyone doing supplier due diligence professionally. A register where every director and PSC has had their identity confirmed is a materially better tool than one built on self-assertion. The transition period is messy, and the phased rollout means the picture will be incomplete until late 2026, but the underlying reform is sound.

The practical implication for procurement and compliance teams is to treat the next six months as a period of heightened attention on director and PSC data, not reduced attention. Suppliers that navigate the IDV requirements cleanly are demonstrating exactly the kind of basic corporate discipline that correlates with lower risk overall. Those that struggle, miss confirmation statement deadlines, or end up with filing blocks are telling you something worth knowing.