What Is Companies House PROOF and Does It Really Protect Your Business in 2026

Companies House PROOF (Protected Online Filing) restricts certain company filings to secure digital channels and authorised users, reducing the risk of unauthorised paper submissions. It strengthens control over sensitive changes, but it does not eliminate identity fraud or fully protect against director impersonation.

What exactly is Companies House PROOF?

Companies House PROOF is a free service that blocks specific paper filings and forces changes to be submitted online through authenticated channels, reducing the risk of forged documents altering company records.

PROOF stands for “Protected Online Filing.” It allows a company to limit how key forms reach Companies House. When enabled, filings such as director changes or registered office updates cannot be submitted on paper. This removes a known fraud vector where attackers send forged documents by post.

The service works by linking filings to authorised digital access. Only users with valid credentials and access permissions can submit changes. Companies House then validates these submissions against its systems. This process increases traceability and reduces anonymous alterations.

PROOF applies to defined filing types. Examples include forms for director appointments, address changes, and certain statutory updates. It does not cover every possible filing. That scope matters when evaluating protection levels.

How does PROOF work in practice?

PROOF works by enforcing online-only submissions for selected filings, verifying access through account credentials and authentication codes, and rejecting paper forms for protected changes, thereby reducing unauthorised amendments to company data.

When a company activates PROOF, Companies House flags the account. The system then rejects paper submissions for the protected forms. This step removes a high-risk entry point for fraud.

Online submissions require credentials tied to the company’s filing account. Users must enter an authentication code, which acts as a shared secret. The platform logs each submission, creating an audit trail that can be reviewed.

Three core controls operate together:

• Enforce digital submission for defined forms.

• Validate access using authentication codes.

• Record submission metadata for traceability.

If a user lacks the correct authentication code, the system blocks the filing. This mechanism reduces casual or opportunistic fraud. It does not verify the real-world identity of the person using the code.

What risks does PROOF actually reduce?

PROOF reduces risks linked to forged paper filings, unauthorised address changes, and illicit director updates submitted by post, improving data integrity and auditability within the Companies House register.

Paper filings historically enabled attackers to submit false forms with minimal verification. PROOF closes that gap by rejecting those documents. This directly reduces incidents where a company’s registered office or officers change without consent.

It also improves visibility. Digital submissions generate timestamps and user-linked records. Investigations become faster because the system provides structured logs.

Three risk areas see a measurable reduction:

• Forged postal submissions that alter company details.

• Unauthorised changes to registered office addresses.

• Illicit director appointments or removals via paper forms.

Despite these gains, PROOF does not address all fraud vectors. Attackers can still target digital access points if credentials are exposed.

Where does PROOF fall short?

PROOF does not verify the real identity of users, prevent authentication code misuse, or stop sophisticated impersonation attacks, meaning determined fraudsters can still manipulate company data through compromised digital access.

The core limitation is identity assurance. PROOF confirms that a valid code was used, not that the user is the legitimate director. If an attacker obtains the authentication code, they can submit changes within the system’s rules.

It also does not monitor behavioural anomalies. For example, multiple rapid filings from unfamiliar locations may pass if the code is correct. There is no built-in biometric or document-based identity check.

Three gaps remain significant:

• No biometric or document-based identity verification.

• No real-time anomaly detection for unusual filing patterns.

• No protection against internal misuse by authorised users.

These gaps explain why PROOF is a control, not a complete defence.

Does PROOF protect against director fraud?

PROOF offers partial protection against director fraud by blocking paper-based manipulation, but it does not stop impersonation using stolen credentials or authentication codes, which remain common entry points for fraudulent changes.

Director fraud often involves impersonation. Attackers gather personal data, obtain the authentication code, and submit digital forms. PROOF does not challenge the identity behind the submission.

Companies House relies on the authentication code as the primary control. If that code is shared, reused, or exposed, the system treats the submission as valid. This creates a dependency on how securely the code is managed.

For a deeper explanation of how this mechanism operates, read How Companies House authentication codes prevent director fraud, which breaks down the code lifecycle and common vulnerabilities.

Effective defence requires layered controls. PROOF handles one layer—submission channel restriction. Identity verification and monitoring must be added elsewhere.

What additional protections do businesses need?

Businesses require layered controls such as identity verification, secure authentication code management, filing alerts, and continuous monitoring to prevent unauthorised changes and detect fraud attempts early.

A resilient setup combines multiple safeguards that validate both access and identity. Identity Verification Services validate director credentials using official UK compliance frameworks. These services confirm that a real person, not just a valid code, initiates a change.

Key controls include:

• Verify identity using government-issued ID and facial matching.

• Secure authentication codes with restricted access and rotation policies.

• Monitor filings with real-time alerts for any changes submitted.

• Audit user activity logs to detect unusual patterns.

These measures close the gaps left by PROOF. They ensure that even if a code is exposed, additional checks block or flag suspicious activity.

For organisations seeking structured protection, the Business Fraud Protection service integrates these controls into a single framework, aligning with UK compliance requirements and Companies House processes.

How does PROOF compare to full business fraud protection?

PROOF is a single control focused on submission channels, while full business fraud protection combines identity verification, access control, monitoring, and response processes to prevent, detect, and mitigate fraud across the company lifecycle.

PROOF operates at the filing layer. It limits how data enters Companies House. Full protection spans the entire risk surface, from user identity to ongoing monitoring.

A comprehensive approach includes four components:

• Prevent: enforce identity checks and secure access.

• Detect: monitor filings and user behaviour in real time.

• Respond: trigger alerts and block suspicious submissions.

• Recover: maintain audit trails and support remediation.

This layered model addresses both external attackers and internal misuse. It also aligns with regulatory expectations for due diligence and data integrity.

For decision-stage evaluation, review Stop business registration fraud with proactive protection, which outlines implementation steps and expected outcomes for UK companies.

When should a company enable PROOF?

A company should enable PROOF immediately after incorporation or when assuming control of an existing entity, especially if it handles sensitive transactions, maintains valuable assets, or has multiple directors with shared access.

Early activation reduces exposure from day one. Newly formed companies often have simple access setups, making it easier to enforce secure practices. For existing companies, enabling PROOF blocks a known risk channel without disrupting operations.

Triggers that increase urgency include:

• Frequent director or address changes.

• Multiple users are accessing the filing systems.

• High-value transactions or intellectual property holdings.

Activation is straightforward through Companies House. Once enabled, the system enforces online-only submissions for protected forms.

Also explore,

5 Warning Signs That Your UK Limited Company Is Being Targeted by Fraudsters 

How Fraudsters Hijack a UK Company at Companies House Without You Knowing 

How should businesses manage authentication codes securely?

Businesses manage authentication codes securely by restricting access, storing them in encrypted systems, rotating them periodically, and assigning accountability to specific authorised users to reduce leakage and misuse.

The authentication code functions like a master key. Treating it as a shared secret across many users increases risk. Access control must be explicit and limited.

Practical controls include:

• Store codes in encrypted password managers with role-based access.

• Rotate codes at defined intervals, such as every 90 days.

• Assign a single accountable owner for code distribution.

• Log every use of the code with user identification.

When these steps are enforced, the probability of unauthorised use declines significantly. Combined with PROOF, they form a stronger baseline.

Companies House PROOF improves security by eliminating paper-based fraud routes and enforcing authenticated digital submissions. It raises the baseline for data integrity but does not verify identity or prevent credential misuse.

A complete defence requires layered controls that validate who submits changes and monitor activity continuously. My Company Registration delivers this through structured Business Fraud Protection, combining identity verification, secure access management, and real-time monitoring aligned with UK compliance frameworks. 

My Company Registration applies these controls consistently, enabling companies to prevent, detect, and respond to fraud with measurable assurance. My Company Registration integrates these safeguards with Companies House processes, ensuring protection remains effective as risks evolve.

Frequently Asked Questions

What is business fraud protection for UK companies?

Business Fraud Protection is a set of controls that prevent unauthorised changes to company records, verify identities, and monitor filings. My Company Registration delivers Business Fraud Protection by combining identity checks, secure authentication management, and real-time alerts aligned with Companies House processes.

How does business fraud protection prevent director impersonation?

Business Fraud Protection prevents director impersonation by verifying identity using official documents and biometric checks before allowing changes. My Company Registration applies these verification steps alongside secure authentication code handling to block unauthorised filings.

Is Companies House PROOF enough to stop business fraud?

Companies House PROOF reduces risks from paper-based fraud but does not verify user identity or prevent credential misuse. Business Fraud Protection adds identity validation, monitoring, and access controls, which My Company Registration integrates for stronger protection.

What are the key features of business fraud protection services?

Business Fraud Protection services include identity verification, authentication code security, filing alerts, and activity monitoring. My Company Registration combines these features to ensure company data remains accurate and protected against unauthorised changes.

When should a company implement business fraud protection?

A company implements Business Fraud Protection immediately after incorporation or when control changes occur, such as new directors or ownership updates. My Company Registration ensures these protections are active early to reduce exposure to fraud risks.