
Authorised Corporate Service Providers must keep identity verification records for seven years from the date the check was completed — not five years from the end of the client relationship, which is what most firms' AML policies already say. Two different clocks, one client file, and most firms have only built for one of them.
You verify a director's identity, submit it to Companies House, and get the personal code back. Job done — or so it feels. But the ACSP obligation doesn't end there. It starts there.
From spring 2026, if your firm files at Companies House on a client's behalf — confirmation statements, accounts, PSC updates — you need to be a registered Authorised Corporate Service Provider (ACSP). Registration is a one-off £55 fee straight to Companies House, and it's simple enough. The part that catches firms out comes later, when a check nobody remembers doing needs to be produced, proven, and dated correctly — years after the person who ran it has moved on, and maybe the client has too.
The Economic Crime and Corporate Transparency Act 2023 introduced mandatory identity verification for anyone connected to a UK company. The rollout has three dates that matter to your practice:
That last date is why this has quietly become a firm-wide job, not a niche compliance task for whoever handles AML. If your firm files anything for clients at Companies House, this is coming for you whether or not you've ever run an identity check.
Here's the part that's easy to miss, because it looks like a rule you already follow.
Under the Money Laundering Regulations 2017, standard client due diligence records are kept for five years from the end of the business relationship. Most firms have this written into their AML policy already, and most staff know the number: five years, relationship ends, clock starts.
ACSP records run on a different clock entirely. Companies House requires ACSP verification records to be kept for seven years from the date the check was completed — regardless of what happens to the underlying client relationship. If the client leaves next year, the AML clock might start counting down. The ACSP clock doesn't care. It started the day you verified that director, and it runs for seven years no matter what.
Two clocks, same client, different start dates, different lengths. A firm that simply extends its existing AML retention policy to "cover" ACSP has actually built the wrong system — because the trigger event isn't the same event.
This matters because of who the record is actually about. AML due diligence is about the client relationship. ACSP verification is about the individual — a director, a PSC — and that person's link to a company can outlast, or end long before, your relationship with the firm they work for. A director might leave the company a year after you verify them; your ACSP record for that individual still needs to survive six more years, filed against a person who's no longer part of the client you're thinking of when you review retention.
If your working papers are built around the client folder — which is how most practices are structured — this is the gap. The record needs to survive independently of whether that folder is still active.

Companies House and the professional bodies are consistent on this: it isn't enough to have verified someone and moved on. You need to be able to reconstruct, on request, exactly what you did and why you were satisfied. That means keeping, per person verified:
The bar is prescriptive rather than risk-based. Under the Money Laundering Regulations, you can apply judgement — more scrutiny for higher-risk clients, less for straightforward ones. The Companies House identity verification standard doesn't work that way: every check follows the same fixed steps, matched to the same fixed evidence list, whether the director is a first-time founder or the fifth PSC you've verified for the same group this year.
This is where the seven-year rule stops being paperwork and starts being existential for a small firm. Under the Registrar (Identity Verification and Authorised Corporate Service Providers) Regulations 2025, a firm that fails to retain records to the required standard can be issued a notice of suspension. There's a 28-day window to object in writing, and if that doesn't resolve it, Companies House moves to a formal notice of cessation.

Lose ACSP status and you can't file at Companies House for any client — not just the one whose record went missing. Every confirmation statement, every set of accounts, stuck, while you sort it out. For a small practice, that's not an administrative fine. That's telling every client on your books that something's stopped.
And the record that trips this up is rarely the one from last month. It's the one from year four or five — filed correctly at the time, then quietly lost when someone left, a system was migrated, or a client's folder was archived and nobody thought to check whether an ACSP record was sitting inside it.
Prosperia, a UK accounting firm using Wórkiro, told us their aim is to keep historic files well beyond the seven-year legal obligation, ready for instant retrieval — not because ECCTA told them to, but because that's the standard they'd already set for the practice. That's the instinct the ACSP rule is now asking every firm to formalise: not "we probably kept that somewhere," but a record you could put your hand on today, for a person who might not even be a client any more.
It's the same instinct Lloydbottoms Chartered Accountants built into their move off a fifteen-year-old server system. As director Susan Rickerby put it: "It all stays in one place. People know they need to look at it because it's got their name on it." That's the ACSP record too, in effect — a check made against a named individual, findable on demand, independent of whoever ran it or whether they're still at the firm.
The pattern across both firms is the same one this new rule tests directly: is a record kept against the person, findable years later by someone who wasn't there when it was made — or is it kept against the file, and only as durable as that file happens to be?
The practical fix isn't a separate ACSP spreadsheet running alongside your AML system — that's exactly the kind of parallel process that gets forgotten when the person who set it up moves on. It's making identity verification, and its evidence, part of the same client onboarding flow you already run: AML checks, engagement letters and now ACSP verification, captured once, filed against the individual, timestamped, and kept independently of whether that client relationship is still active seven years from now. The same discipline that keeps working papers audit-ready — evidence linked to the record it belongs to, not floating in an inbox — is what an ACSP record needs to survive intact.
What is an ACSP for accountants?
An Authorised Corporate Service Provider is a business registered with Companies House to verify client identities and, from spring 2026, to file documents like confirmation statements and accounts on a client's behalf. Registration costs a one-off £55 and requires the firm to already be supervised by a UK AML body such as ICAEW, ACCA or HMRC.
How long must ACSPs keep identity verification records?
Seven years from the date the verification check was completed — a longer period than the five-year AML retention rule, and running on a different clock (from the check itself, not from the end of the client relationship).
What happens if an ACSP can't produce a required record?
Companies House can issue a notice of suspension, with a 28-day window to object, followed by formal cessation of ACSP status if the issue isn't resolved. A firm that loses ACSP status can't file for any client until it's reinstated.
Do all accountants need to register as an ACSP?
Only firms that verify client identities for Companies House need to register now. But any firm filing documents on behalf of clients — confirmation statements, accounts, PSC updates — will need ACSP status from spring 2026 to keep doing so.
Is ACSP record-keeping the same as AML record-keeping?
No. AML records under the Money Laundering Regulations are risk-based and tied to the client relationship (5 years from its end). ACSP records are prescriptive, tied to the individual verified, and kept for 7 years from the date of verification — regardless of what happens to the client relationship.