# Identity Is the New Perimeter: Navigating ECCTA in 2026 **Category:** COMPANY-SECRETARIAL **Author:** John Hotham **Published:** 2026-05-27 **Read Time:** 7 min read ## Summary The Economic Crime and Corporate Transparency Act has turned identity verification from an onboarding task into a continuous governance obligation. Companies House is no longer a passive registry. It is an active regulator. Your company secretarial function must evolve or become a liability. ## Full Content ![Identity Is the New Perimeter: ECCTA 2026](https://static.prod-images.emergentagent.com/jobs/26992fe9-5faf-46a6-964a-18031c56d2c1/images/c14e0e784f4dd8d65e21298525ca50a35582cac18887e9d76b3e23461d784519.png) In cybersecurity, we retired the network perimeter a decade ago. Zero trust replaced it. Identity became the control point. Everything flows from verified identity. Corporate governance is having the same moment. ECCTA has retired the assumption that Companies House is a passive filing cabinet. Identity verification is now the perimeter of corporate transparency. And most company secretarial functions are not ready. ## What Does ECCTA Change in 2026? **Definition:** The **Economic Crime and Corporate Transparency Act 2023** (ECCTA) is UK legislation that fundamentally transforms Companies House from a passive document registry into an active regulatory gatekeeper with powers to query, reject, and remove information, and mandates identity verification for directors, PSCs, and persons filing on behalf of companies. The key changes that are live or imminent in 2026: 1. **Identity verification for directors and PSCs** — No longer optional. Directors and persons with significant control must have their identity verified through Companies House or an Authorised Corporate Service Provider (ACSP). 2. **Enhanced Companies House powers** — The registrar can now query filings, request additional information, reject submissions that appear inconsistent, and annotate or remove data. 3. **Registered office and email requirements** — Every company must maintain an appropriate registered office address and a registered email address. 4. **Failure to prevent fraud offence** — Large organisations face corporate criminal liability for fraud committed by employees or agents acting for the organisation's benefit. 5. **Software-only filing (April 2027)** — Paper filing is being eliminated. All submissions will require digital channels. This is not incremental change. This is a regime change in how UK corporate governance interfaces with the state. ## Why Is Identity the New Perimeter? Because every governance action now flows from verified identity: - A director cannot be appointed without identity verification. - A filing cannot be accepted if the filer's identity is not confirmed. - A PSC change is not valid until the person's identity is verified. - An ACSP cannot file on behalf of a client without their own verification chain. Identity is no longer something you verify once during onboarding. It is a continuous obligation. Director identities must remain current. Verification status must be maintained. Changes in personnel require reverification workflows. The analogy to zero trust in cybersecurity is precise: never trust, always verify. Every transaction requires authenticated identity. The perimeter is not the company boundary. The perimeter is the individual. ## What Does This Mean for Company Secretarial Functions? If your CoSec function treats identity verification as a one-time onboarding task, you have a governance gap. ECCTA creates ongoing obligations: - **Director monitoring** — Are all director identity verifications current? Have any lapsed? Are new appointments queued for verification before filing? - **PSC accuracy** — Is your PSC register accurate? Have beneficial ownership structures changed without updated filings? - **Filing integrity** — Can you demonstrate that every filing was made by a verified person with authority to file? - **ACSP compliance** — If you use an ACSP, do they maintain adequate verification chains? Can you evidence their compliance? - **Structural change cascade** — When a director changes, does that trigger a review of their involvement in project governance, contract authority, and compliance roles? A static filing tool cannot do this. It files forms. It does not govern identity across your operational landscape. ## Simplif-i vs. The Field: CoSec Identity Comparison Table | Dimension | Simplif-i (Identity as Governance Perimeter) | Traditional CoSec Tools (The Field) | |---|---|---| | Identity verification approach | Continuous. Verification status tracked with expiry, renewal workflows, and governance routing | One-time. Verified at appointment, not monitored thereafter | | ECCTA readiness | Built into governance workflow. Identity events are governance events | Compliance with filing requirements. Identity is an admin task | | Director governance scope | Full. Director identity connects to project steering, compliance roles, contract authorities, and risk ownership | Limited. Director name, address, and appointment date in register | | PSC monitoring | Active. Changes in control structure trigger cross-module governance review | Passive. PSC register updated when someone remembers | | Filing integrity | Auditable. Every filing linked to verified filer identity with authority chain | Assumed. Filing submitted by whoever has system access | | Corporate structure visibility | Portfolio view across group entities with consolidated identity status | Entity-by-entity. Each company managed separately | | Contract connection | Native. Director changes trigger change-of-control clause review across all contracts | None. Contract management is a separate discipline | | Risk connection | Native. Identity verification failures route to enterprise risk register | None. Risk register is a separate tool | | Board calendar integration | Native. Verification renewals, filing deadlines, and governance events in one timeline | Separate. Filing reminders in one tool, board calendar elsewhere | | Failure to prevent fraud | Connected. Governance trail demonstrates corporate due diligence for Section 199 defence | Not addressed. Tool does not cover fraud prevention governance | | Pricing | £149/month Founding Member (full platform, all modules) | £33-£500/year per entity (filing tool only, no governance integration) | ## How Should a COO Prepare for ECCTA? ### 1. Audit Your Identity Verification Status Do you know the verification status of every director and PSC across every entity in your group? If the answer involves opening multiple systems or asking multiple people, you have a gap. ### 2. Establish Continuous Monitoring Identity verification is not a one-time event. Establish workflows that track verification currency, flag approaching expiry, and trigger renewal processes automatically. ### 3. Connect Identity to Governance When a director is appointed, that event should cascade through your governance landscape: project steering committees updated, contract authorities reviewed, compliance roles assigned, risk ownership confirmed. If director appointments exist only in a Companies House filing tool, you have a disconnected governance function. ### 4. Map the Failure-to-Prevent Exposure Section 199 creates corporate liability for fraud committed by associated persons. Your defence requires demonstrating "reasonable procedures." That means a governance trail showing you have systems, controls, and monitoring in place. A filing tool does not create this trail. A connected governance platform does. ### 5. Prepare for Software-Only Filing Paper filing ends in April 2027. Ensure your CoSec tooling supports full digital submission, maintains audit trails for every filing, and can handle the enhanced rejection and query workflows that Companies House will operate. ## What Happens If You Ignore This? - **Filing rejections** — Companies House will reject filings where identity verification is incomplete or expired. Rejected filings create compliance gaps and potential criminal exposure. - **Director disqualification risk** — Directors whose identity verification lapses may face restrictions on their ability to act. - **Section 199 exposure** — Without demonstrable governance systems, your defence against the failure-to-prevent-fraud offence is weakened. - **M&A complications** — Acquiring entities with incomplete identity verification creates Day 1 compliance exposure that should have been identified in due diligence. - **Audit findings** — External auditors will increasingly assess ECCTA compliance as part of governance reviews. Gaps will appear in management letters. ## The Bottom Line ECCTA has made identity verification the foundation of corporate governance in the UK. Companies House is no longer a filing cabinet. It is a gatekeeper. And your company secretarial function is no longer an admin role. It is a governance perimeter. If your CoSec tooling can only file forms, you are bringing a filing cabinet to a governance fight. You need a platform where identity events cascade through your entire operational governance: projects, contracts, risk, and compliance. **Simplif-i** treats company secretarial as a connected governance function. Identity verification flows into project governance, contract management, risk registers, and board reporting. One platform. All modules connected. Founding Member pricing: **£149/month**. [Start your free trial at Simplif-i.com](https://simplif-i.com/signup) --- --- Source: https://simplif-i.com/api/blog/readable/company-secretarial/identity-new-perimeter-navigating-eccta-2026 Web Version: https://simplif-i.com/blog/company-secretarial/identity-new-perimeter-navigating-eccta-2026 © Simplif-i - Unified Business Management Platform