KYC for company directors in the UK is not simply a passport check on the person whose name may appear at Companies House. Where a regulated provider carries out trust or company services, customer due diligence must identify the correct customer and beneficial owner, establish the ownership and control structure, understand the purpose of the relationship and respond to risk over time.

That provider process is separate from statutory Companies House identity verification. It is also separate from documents a website chooses to collect for its own onboarding. Completing one does not automatically satisfy either of the others. This page owns provider-side CDD; use the document-request risk guide for minimisation decisions and the Companies House guide for the official process.

Who this guide is for

This guide is for a proposed director who has received, or expects to receive, a KYC request from a service provider. It helps you ask who is checking you, why the company owner is also relevant, what evidence may be proportionate and when to pause.

It does not determine whether a particular provider is regulated, approve an appointment or give advice on an individual suspicious-activity decision. This site’s published materials do not yet confirm its legal entity, AML supervisor, ACSP status or data-controller information. Do not assume it is the regulated provider described in this guide, and do not upload sensitive documents without an invited and verifiable process.

What KYC and CDD mean in this setting

“Know your customer”, or KYC, is commonly used for identity and risk checks. The Money Laundering Regulations use the broader concept of customer due diligence, or CDD. CDD is not limited to collecting a photo ID. It includes identifying and verifying relevant people, understanding a legal entity and assessing the relationship.

Under regulation 28, a relevant person must, among other things:

  • identify the customer and verify that identity using documents or information from a reliable, independent source;
  • identify any beneficial owner and take reasonable measures to verify that person;
  • understand the customer’s ownership and control structure where the customer is a legal person;
  • assess and, where appropriate, obtain information on the purpose and intended nature of the relationship; and
  • conduct ongoing monitoring, including scrutiny of relevant transactions and keeping CDD information up to date.

The exact measures and evidence depend on risk. CDD should be sufficient to meet the obligation without becoming indiscriminate collection.

When a service may be a regulated TCSP activity

Money Laundering Regulations 2017, regulation 12, defines a trust or company service provider, or TCSP, to include a firm or sole practitioner that, by way of business, acts or arranges for another person to act as a company director. It also covers specified formation, address, trustee and nominee-shareholder services.

The word “arranges” is not unlimited. HMRC’s current registration guidance, updated on 30 June 2026, gives the example of selecting a director and completing some or all appointment formalities. It says normal recruitment-agency headhunting or advertising is not, on that basis alone, arranging.

The service actually supplied matters more than its marketing label. A business cannot avoid a regulatory analysis merely by calling itself a matching or recruitment platform. Conversely, it would be inaccurate to state without evidence that every introduction service is a TCSP.

If a business is carrying on TCSP activity, it must have the appropriate supervision through HMRC, the FCA or a qualifying professional-body supervisor. HMRC says a business applying to it must not operate until registration and fit-and-proper checks have been confirmed. Registration is not an endorsement of a proposed company or appointment.

Who is the customer?

Do not assume that the candidate is always the provider’s only customer. The answer depends on contracts, payment, instructions, contact and the service chain.

For example, a company owner may instruct and pay a provider to source a director. An intermediary may pass the service to an end user. The proposed director may have a separate relationship with one or more parties. HMRC’s TCSP guidance requires providers in a supply chain to understand the parties, why they are involved, who the end users are and which persons are customers for CDD purposes.

That is the provider’s legal analysis, not the candidate’s burden to solve. You can, however, ask:

  • Which legal entity is performing CDD?
  • Who does it regard as its customer or customers?
  • Who instructed it and who pays it?
  • Is another provider or intermediary relying on its checks?
  • Which proposed company and end user receive the service?

An unclear answer is material. It may mean the wrong person is being checked or that responsibility is being passed between organisations.

Why checking the proposed director is not enough

A genuine passport can show that a person exists. It does not explain who controls the company, where funds come from, why an additional director is wanted or whether the candidate will be allowed to exercise independent judgement.

The provider should identify the beneficial owner and understand ownership and control. A PSC entry may help, but “PSC” and “beneficial owner” arise in different legal contexts and do not always answer every AML question. Companies House itself warns that information on the register is not government approval of a business.

Appropriate review may include:

  • the customer’s legal identity and constitutional documents;
  • directors, PSCs, shareholders and ultimate beneficial owners;
  • an ownership chart where the structure is not simple;
  • the commercial reason for the company and the director service;
  • expected activity, customers, suppliers, countries and transaction patterns;
  • the source of funds or wealth where the assessed risk requires it;
  • sanctions and politically exposed person considerations;
  • relevant adverse information; and
  • the role of intermediaries and other providers.

The provider should not disclose monitoring thresholds or give advice that would help someone avoid detection. It should still be able to explain the categories of check, its role and the basic privacy consequences.

Risk-based CDD and enhanced due diligence

Risk based does not mean optional or arbitrary. It means the provider considers the service, customer, beneficial owner, geography, delivery channel, transactions and other relevant factors, then applies measures proportionate to the risk.

A straightforward ownership structure and documented commercial purpose may require a different evidence set from a long cross-border chain, unexplained nominee use or a request involving multiple companies. Higher-risk facts can lead to enhanced due diligence, more senior approval, stronger source-of-funds evidence or a decision not to act.

Nominee services carry recognised risks because they can obscure who controls a company or allow a registered director to be used as a figurehead. Those risks do not prove that every arrangement is unlawful. They do mean the provider should test the commercial rationale, the director’s understanding and information access, and the beneficial owner’s identity rather than treating a clean ID result as the end of the review.

A nominee director is still a director in law. KYC does not make it acceptable for the candidate to sign unread documents, surrender judgement or remain deliberately ignorant of company activity.

What the director may be asked to provide

The evidence should reflect the stated purpose and the provider’s risk assessment. It may include:

  • full legal name, previous names and date of birth;
  • residential and contact address;
  • a suitable photo identity document;
  • proportionate evidence of address;
  • nationality or residence information relevant to risk and sanctions controls;
  • information about other directorships, occupation or conflicts;
  • an explanation of the proposed role and relationship to the owner; and
  • clarification where independent sources do not match.

There is no universal rule that every person must send one provider a passport, selfie, utility bill and complete bank statement. A regulated provider must use reliable independent material, but document options and verification methods vary. Ask why each item is necessary and whether a less intrusive alternative is accepted.

A full bank statement deserves particular scrutiny. If the purpose is only address or account-name confirmation, ask whether a redacted statement, account confirmation or another document will suffice. Agree any redaction before altering evidence. Never provide a PIN, password, one-time passcode or remote access.

The guide on why ID documents may be requested gives a document-by-document safety check.

PEP, sanctions and adverse-information checks

A provider may ask about political exposure and screen relevant persons against applicable sanctions data. It may also review reliable public information where that helps assess risk. These checks serve different legal and risk purposes, so “background check” is too vague.

Being a politically exposed person, a relative or a known close associate does not by itself mean wrongdoing. It can trigger enhanced measures and approval requirements. A possible name match is not the same as a confirmed sanctions designation. The provider should have a process to resolve false positives and let you correct inaccurate personal data where applicable.

You should disclose requested information truthfully. Do not accept advice to vary a spelling, use another person’s document or structure control to avoid a check.

Ongoing monitoring after onboarding

For a regulated TCSP, CDD is not necessarily finished when documents are accepted. HMRC states that every TCSP service constitutes a business relationship. Ongoing monitoring may include reviewing whether activity fits the provider’s knowledge of the customer, refreshing records and reassessing changes in ownership, control, countries, services or transaction patterns.

A fixed annual review may be part of a provider’s process, but it does not automatically satisfy ongoing monitoring. Events can require earlier review, such as:

  • a new beneficial owner, director or intermediary;
  • a material change in business or geography;
  • unexplained payments or use of company accounts;
  • inconsistent instructions or documents;
  • adverse or sanctions information; or
  • loss of contact with the person said to control the company.

The registered director also needs enough current information to perform their own statutory duties. Provider monitoring cannot replace the director’s independent oversight.

Companies House verification is a different process

Mandatory Companies House identity verification began on 18 November 2025. The official process verifies that a person is who they claim to be and produces an 11-character personal code. It does not approve the company’s business, the beneficial owner, the provider or the appointment.

Verification is completed through GOV.UK One Login or a registered Authorised Corporate Service Provider. An ACSP must be AML supervised, but ACSP registration and AML supervision are not the same status. A supervised TCSP is not automatically an ACSP, and a site’s own upload form is neither process by default.

New directors from 18 November 2025 use their code for incorporation or appointment. Existing directors link their verified identity through the appropriate company’s next confirmation statement during the transition, according to that company’s due date. See the separate Companies House verification guide for the operational steps.

Data protection and record keeping

Before collecting data, the controller should identify each purpose and lawful basis. Its notice should state its legal name, contact details, recipients, transfers, retention periods, rights and ICO complaint route. The privacy notice should match the actual form.

AML record keeping has a specific scope. Regulation 40 generally requires specified CDD documents, information and transaction records to be kept for five years after a relevant business relationship ends. It then requires deletion of personal data obtained for the Regulations unless an exception applies.

That does not create a five-year period for all data held by all parties. Early applicant records, marketing information, raw biometric captures and documents collected for another purpose require separate analysis. Ask for category-specific periods rather than “we keep KYC for five years”.

As at 19 July 2026, this site’s privacy materials do not fully confirm the controller, purposes, processors, transfers, controls or retention by category. Read the current privacy information, but do not treat an incomplete notice as permission to upload.

Your right to question, pause or decline

You do not have a right to force a regulated provider to accept incomplete evidence or a risk it cannot manage. The provider may ask for more information or decline the relationship. You may also pause, seek independent advice or decide not to proceed.

Ask for:

  1. the provider’s full legal and trading names;
  2. its AML supervisor and verifiable registration details;
  3. its role in the proposed appointment;
  4. the identity of its customer and proposed company, where it can tell you;
  5. the purpose and accepted alternatives for each document;
  6. the applicable privacy notice and retention schedule; and
  7. a clear explanation of how Companies House verification will occur separately.

Some information about a suspicious-activity assessment may lawfully be restricted. That does not justify hiding the provider’s identity, omitting ordinary privacy information or falsely calling every document a Companies House requirement.

Illustrative examples

A reason to continue checking: a provider gives its legal identity, supervisor and registration route. It explains that a named company has instructed it, identifies the ownership information it needs, gives the candidate document alternatives and sets out privacy and retention terms. It checks the owner as well as the director and makes no promise of appointment. This is evidence of a structured process, not proof that the role is suitable.

A reason to stop: an intermediary checks only the candidate’s passport, refuses to identify the business owner and says Companies House registration proves the company is clean. It asks the candidate to follow all owner instructions and promises that “KYC removes the risk”. That approach misunderstands both CDD and director duties.

Candidate decision checklist

Before completing provider KYC, answer yes, no or not sure:

  • Is the provider’s legal entity and relevant supervision independently verifiable?
  • Has it explained whether it is a TCSP, recruiter, ACSP or another party?
  • Does it identify and review the customer, beneficial owner and control structure?
  • Is the commercial purpose of the service understandable?
  • Is each document proportionate and tied to a purpose?
  • Are privacy, recipients and category-specific retention clear?
  • Are Companies House verification and provider CDD explicitly separate?
  • Can I correct errors, ask questions and decline without pressure?

If any answer is no or not sure, pause. Verify the provider through its supervisor and ask for missing evidence. Do not respond by sending extra documents. The appropriate outcome may be to proceed after clarification, seek independent legal or compliance advice, or decline the proposed relationship.

Frequently asked questions

Is KYC legally required for every company director?

There is no single private KYC bundle that every director must provide to every organisation. A regulated business must apply the AML duties relevant to its customer and service. Directors also face a separate statutory Companies House identity-verification regime.

Why is the business owner checked if the director has provided ID?

The proposed director's identity does not establish who owns or controls the customer or why the company wants the service. AML CDD requires a relevant provider to identify the beneficial owner, take reasonable measures to verify that identity and understand the ownership and control structure.

Does a Companies House search complete AML due diligence?

No. The register is a useful source, but it is not a substitute for risk-based CDD. A provider may need reliable independent evidence, ownership information, purpose, source-of-funds context and ongoing monitoring.

Are PEP, sanctions and adverse-media checks always the same?

No. Applicable legal requirements and the depth of checking depend on the parties, service, jurisdictions and assessed risk. A provider should explain the categories it checks without disclosing controls in a way that would help someone evade them.

Can a provider keep my KYC documents forever?

No. Regulation 40 generally sets five years for specified AML CDD and transaction records after the relevant relationship ends, subject to exceptions. Other applicant data needs its own lawful and justified retention period.

Official sources and further reading

Access dates are shown for each source. Rules and guidance can change; reopen the source before relying on a time-sensitive point.

  1. Money Laundering Regulations 2017, regulation 12 — legislation.gov.uk; accessed 19 July 2026
  2. Money Laundering Regulations 2017, regulation 28 — legislation.gov.uk; accessed 19 July 2026
  3. Money Laundering Regulations 2017, regulation 40 — legislation.gov.uk; accessed 19 July 2026
  4. Check if you need to register for money laundering supervision if you're a trust or company service provider — HM Revenue & Customs; accessed 19 July 2026
  5. AMLG2500: Trust or Company Service Provider Guidance — HM Revenue & Customs; accessed 19 July 2026
  6. Verifying your identity for Companies House — Companies House; accessed 19 July 2026
  7. What privacy information should we provide? — Information Commissioner's Office; accessed 19 July 2026
Important: This article gives general UK information and is not data-protection advice. Use the cited official sources and obtain independent advice on the actual company, documents and personal circumstances before acting.