We reported on Monday that, if you incorporate a UK company, you are likely to receive an official-looking letter from “Company Registry” charging you £45. It’s a scam, and a large and well-organised one.
We’ll be naming and shaming the legitimate businesses who are facilitating the scam. The first was Tide, who signed up the scammers as an affiliate and paid them referral fees.
Today it’s Stripe, the payment company, who processed all of the victims’ payments to Company Registry. But, to their credit, Stripe have responded quickly to our report, and blocked the scammers from their systems.
The scam
If you incorporate a UK company, you are likely to receive a letter like this from “Company Registry” (company-registry.org):
It looks like an official document – an invoice for a service that has already been purchased (“Pending”, “Complete activation”, “These are the next steps”, “IMPORTANT!”).
The reference to a “COVID 19 New Business Relief Deduction” again gives the impression this is an official letter.
It isn’t. It’s a scam. More about that in Monday’s report.
The link to Stripe
If you “activate your account” with Company Registry, you’re presented with this payment page:
The code for the page shows that Stripe processes the payments:
Stripe is an “Authorised Electronic Money Institution” regulated by the Financial Conduct Authority (FCA). Needless to say, they shouldn’t be proceeding payments for a fraudster.
FCA rules require electronic money institutions to have effective procedures to prevent them being used to facilitate financial crime. That includes customer due diligence and ongoing monitoring.1See paragraph 3.80 et seq of the relevant FCA guidance). Most financial institutions have very sophisticated2And historically also very fallible “know your client” (KYC) and anti-money laundering (AML) systems for this purpose.3I know these systems well, because I used to advise some of the world’s largest financial institutions on how to make sure these systems didn’t facilitate tax evasion. Stripe were not a client, but if I was advising them now I’d say there is a risk they could be criminally liable if – as seems plausible – Company Registry has committed tax evasion.
But in this case, sophisticated systems weren’t required, merely one look at Trust Pilot4The handful of positive reviews are all from users in the US, where Company Registry doesn’t conduct business. or a Google search:5Unsurprisingly, a Google search (“open source research”) is usually one of the first steps a KYC/AML team takes when onboarding clients or counterparties.6This Google search, as with others we refer to in our reports, was conducted via a UK VPN using Chrome in “incognito” mode, so it should be representative of the results for a general UK user, and not customised for Tax Policy Associates.
We understand Stripe was Company Registry’s payment processor from when the scam started around October 2021. At that point there wouldn’t have been obvious signs that Company Registry was a scam. But in April 2023, Companies House published a warning about Company Registry which was widely circulated. The obvious conclusion: Stripe doesn’t update its KYC/AML checks on its clients effectively enough, and/or frequently enough.
Stripe’s response to our report
We have been regularly checking Company Registry’s website – at some point in the last week, its payment processing system failed. Attempts to make payment result in an error.7Company Registry’s API fails to receive a response from Stripe, and fails with a 500 error.
We infer that Stripe stopped processing payments for Company Registry, either as a result of our reports, or as a result of earlier tweets. That breaks the Company Registry scam, at least for now – which is excellent news.
We reached out to Stripe for comment: they said that (understandably) they are unable to comment on individual users/clients.
The good and bad news
The bad news is obvious: Stripe didn’t spot obvious signs that their client was fraudulent, and processed payments that furthered their criminal enterprise.
But there is some good news:
- We expect Stripe will be making a “suspicious activity report” to the regulator. That should include the details of the people behind Company Registry (which Stripe should have obtained during its KYC process). This information should assist law enforcement with pursuing those responsible.
- Stripe now knows that all the payments made to Company Registry are suspicious – it should reverse them, and refund the victims of the scam.
We’ll also be asking the FCA to investigate Stripe’s KYC/AML processes.
We assume Company Registry will try to change their payment provider. It would be extremely disappointing if any regulated institution were to accept Company Registry as a client – but watch this space.
- 1See paragraph 3.80 et seq of the relevant FCA guidance).
- 2And historically also very fallible
- 3I know these systems well, because I used to advise some of the world’s largest financial institutions on how to make sure these systems didn’t facilitate tax evasion. Stripe were not a client, but if I was advising them now I’d say there is a risk they could be criminally liable if – as seems plausible – Company Registry has committed tax evasion.
- 4The handful of positive reviews are all from users in the US, where Company Registry doesn’t conduct business.
- 5Unsurprisingly, a Google search (“open source research”) is usually one of the first steps a KYC/AML team takes when onboarding clients or counterparties.
- 6This Google search, as with others we refer to in our reports, was conducted via a UK VPN using Chrome in “incognito” mode, so it should be representative of the results for a general UK user, and not customised for Tax Policy Associates.
- 7Company Registry’s API fails to receive a response from Stripe, and fails with a 500 error.
6 responses to “Stripe has now blocked the Company Registry fraud – but why did it facilitate it?”
If Companies House knew about this 3 years ago, why didn’t they approach these and Tide first?
Frankly in this case, it shouldn’t be up to you to get this done.
Incompetence or worse from those who run Companies House.
It is them who should be named and shamed or least justify their complete inaction.
Is ACCO another scam I subscribe but the only contact I have is when they pressure me into renewing
If you’re not getting any value from the subscription, why do you keep paying it? There seems to be a lot of organisations with ‘ACCO’ in the name, hard to tell which one you are referring to (but I suspect not the cancer charity?)
Well done Dan. Why and how do so many of these scummy scams succeed when they shouldn’t if companies like Stripe do their jobs correctly?
I also had an issue with Stripe in regard to a payment they processed for an entity which was “selling” financial products in England but had no FCA approval. I reported to the FCA who will keep a copy on their file as well as to Stripe given this was a breach of their own requirements as well as the FCA regulations. Same response, they will investigate but cannot disclose any customer details. Pointless reporting to Fraud UK but I did send the response from Stripe to FCA who acknowledged. I also copied all my correspondence to my credit card issuer through whom I paid the fraudster and although they have refunded, it is worthwhile copying in all parties to provide a track record and history. The more reports that go in to regulators, they will be forced to investigate further and to “stamp out” these dishonest payments and tactics to clean up the payments system which is overdue and subject to abuse.
Hello, I received one of these letters, however it was from Companies House, rather than Company Registry. It looked like a scam so I ignored it.