There was an intriguing report from Sky News yesterday that UK Finance had warned its members that 800 fraudulent forms discharging the liabilities of 190 companies had been submitted to Companies House.
UPDATE: it turns out this article was completely wrong, and the story was actually much weirder, involving a “sovereign citizen” acting in a very bizarre way. We’ll keep the article up because it demonstrates a Companies House vulnerability, albeit one that has hopefully now been closed.
The report doesn’t make at all clear what the fraud was. Often it’s a bad idea to make details of frauds public. In this case we think there’s a public interest in revealing how the fraud works, both so companies can protect themselves against it, and so policymakers can see what the underlying vulnerabilities are, and how they can be fixed.
Our informed guess is that the fraud looked like this:
- Let’s take a random business – call it Amalgamated Widgets Ltd.
- Amalgamated Widgets Ltd currently has a £1m loan from MegaBank, secured by a mortgage.
- The fraudsters submit a fraudulent form MR04 to Companies House, supposedly on behalf of MegaBank, saying that the mortgage has been discharged. This doesn’t need to be a very sophisticated fraud. You could probably sign the form “xxx” and Companies House would accept it. There is an excellent guide to MR04 here, from law firm Stevens & Bolton LLP.
- The fraudsters then steal Amalgamated Widgets’ identity. Perhaps the fraudsters have hacked Amalgamated Widgets’ email system; perhaps they intercept the post; perhaps they just use social engineering; perhaps all of the above and/or something else. But this is a fairly sophisticated fraud.
- The fraudsters now pretend to be Amalgamated Widgets and apply for a new £1m secured loan from FriendlyBank. FriendlyBank sees the repaid MegaBank loan and thinks it’s perfectly rational that the company would be looking for a new loan to replace it.
- The fraudsters would probably need to fool a law firm into acting for them (because FriendlyBank would be suspicious if Amalgamated Widgets Ltd didn’t have a law firm acting for it). Or maybe the fraudsters have their own corrupted or fake law firm. Either way, this again requires quite a sophisticated fraud.
- Once the loan is granted, the fraudsters arrange for FriendlyBank to deposit the £1m loan in an account controlled by the fraudsters. Given that the fraudsters impersonated Amalgamated Widgets to apply for the loan, it’s not going to be too much of a challenge for them to set up an account in its name.
- The fraudsters then take the money and disappear.
- FriendlyBank has lost the £1m – its security will be void and it will have to try to track down the cash. Fraud unravels everything – so Amalgamated Widgets probably won’t be liable to FriendlyBank, and MegaBank’s original security will still probably be good.
Who is to blame?
There may well have been failings by Amalgamated Widgets (e.g. if its email got hacked), FriendlyBank (if it could have spotted the fraud), and any lawyers acting for the fraudsters (they’re either bent, or had an AML disaster). Maybe a corporate services provided got hacked and that gave access to hundreds of companies’ Companies House login details?
Probably everybody will sue everybody else. But the original sin was Companies House not requiring any proof of identity of the person submitting the MR04. That was the easiest bit of the fraud, without which nothing else would have been possible.
The Sky article suggests that perhaps Companies House was hacked. I very much doubt that was necessary. When you can register as a director in the name of Adolf Tooth Fairy Hitler, then filing an MR04 in the name of someone else isn’t terribly challenging. I expect, rather than file 190 paper forms (which would be tedious), the fraudsters created a Companies House account and then automated the process.
We are back to Companies House being a “giant fraud robot” – an incredibly efficient system which will accept anything that’s filed with it without verification. I say “potentially” because it looks like the banks did Companies House’s job for it, and spotted the problem – hopefully before the fraud had claimed any victims. But of course it’s possible that there are many similar frauds going on under the surface.
The question is whether the planned Companies House reforms will improve matters. I’m afraid I’m sceptical. Identity requirements for people making filings should in principle be a straightforward change, but on its own is insufficient – Companies House needs systems and people who can proactively identify suspicious transactions The banks took decades to build their current KYC systems. They’re very sophisticated, and far from perfect – but make financial malfeasance far more difficult than it was in the past. It’s very ambitious to think that Companies House can build something comparable within a few months.
For the moment, it would be wise for companies to regularly check the Companies House website for any suspicious changes.1I expect the banks do that already, and that’s how the fraud was caught.
Thanks to Matthew Letts, I and T for their insight into how the fraud may operate.
- 1I expect the banks do that already, and that’s how the fraud was caught.
9 responses to “The weird Companies House bank fraud”
Two things companies can do to make it more difficult are
1. Register for proof
2. Regularly change the authentication code.
Companies House allows you to set up an alert in respect of any company which notifies you of any activity in relation to that company. They could probably do more to publicise this but it is a free service and well worth doing in relation to any company you have an interest in whether as director/shareholder/lender etc.
Interesting stuff. As former banker your comments re solicitors intrigued me. When taking a security a bank would normally have had solicitors acting on its behalf to ensure all is in order. They would only use the company’s firm when they have verified the credentials of the firm. It may have all changed now though!
Thanks Dan.
The lack of transparency from Companies House is not helpful.
It is not reassuring that the charge may be “valid and enforceable”. They have to be registered at Companies House for a reason!
The problem for lenders is that checking that your charge is registered is very manual. You literally have to go into to each company of the Companies House website and have a look.
Companies House will have to come up with a solution for rectifying any issues. The normal route is a court application in each case with all of the cost that that entails.
If I was a lender I would get one of my tame nerds to write a script using the Companies House api to check all my borrowers/clients automatically every day. Fairly straightforward – possibly such tools exist off the shelf?
Dan – see below about the existing CoHo “follow” service, so no need for anyone to write anything!
Thanks Dan.
The problem for any lender is that the process of checking at Companies House to see if your charge still exists is very manual. You literally have to go into each company on the Companies House website to check.
It is also not very reassuring that that charge will be “valid and enforceable”. They have to be registered at Companies House for a reason!
Companies House will need to come up with a workable solution to put this right. The alternative is a court application in each and every case, with all of the costs associated with that.
Readers might be interested to know, if they don’t already, that if you have an online account with Companies House you can register to “follow” one or more companies, which means that you receive an automated email from Companies House if a filing (such as an MR04, as I understand it) is made in respect of that company. This might not greatly help the clearing banks with huge numbers of customers with secured borrowings but perhaps worth considering for some of the smaller secured lenders
Yes, just came on here to flag the “Follow” service. Companies can do this for themselves and not just rely on their lenders.
FWIW, a responsible corporate services provider will already do this for their clients and cross-check unknown filings with their clients.