
ID checks and how to get around them
Do you know who I am?
Richard Simms explains how he would get around your ID checks – and why you wouldn’t notice
If I wanted to bypass your identity checks I wouldn’t need fake passports or forged signatures. I wouldn’t need to hack your systems or bribe your staff. I’d just walk straight into your business – documents in hand, a plausible story ready – and pass through your onboarding with little resistance.
This isn’t about corruption. It’s about the gaps that exist in so many AML policies, controls and procedures (PCPs). I’ve been in professional practice for over 25 years and been my firm’s Money Laundering Reporting Officer for 15 of them. I know how stretched most businesses are, and how easy it is to assume a new client is fine when everything looks in order.
Let me show you how I’d do it. And, more importantly, how to stop me.
Step 1: Crafting a convincing persona
The trick is to look like I belong. I wouldn’t pose as someone flashy or unusual. I’d arrive as a small business owner, consultant or modest investor. Someone who fits your client profile and doesn’t stand out. I’d tailor my story to your business, and back it up with:
• A LinkedIn profile with a small network and a vague job title.
• A basic website for my consultancy business.
• A virtual office address in a respectable postcode (legally available for as little as £50 a year).
• Clean-looking documents: utility bill, driver’s licence… all real, or close enough to pass.
This profile is deliberately bland; nothing about it screams risk. That’s why it works. If you’re busy, if everything looks in order, and if there are no immediate red flags, you’re unlikely to look deeper.
So where do these documents come from?
Synthetic identities are often created using real personal data harvested from breaches or phishing, or bought on the dark web. A UK driving licence or utility bill template costs under £200. A common trick is combining a real National Insurance (NI) number with a fabricated identity: new name, address or job title. Because the NI number is genuine, it bypasses superficial checks.
The UK government explicitly warns that NI numbers should not be used as proof of identity – they’re not private, not secure and frequently abused in fraud.
Step 2: Exploiting the gaps
A convincing identity is only half the job; I still need you to accept it. That’s where your processes come in. Once I’ve got the right documents I rely on your process to do the rest.
Manual checks: Many businesses still carry out manual checks—visually inspecting passports, driving licences and utility bills. But under time pressure or without adequate training, staff may overlook subtle signs of forgery or accept documents at face value. Some common indicators of a forged or fraudulent identity document include:
• Inconsistent fonts or font sizes on the document.
• Low-quality or pixelated images and watermarks.
• Holograms that don’t reflect correctly when tilted.
• Signatures that appear printed rather than hand-written.
• Physical wear inconsistent with the issue date (e.g. heavy wear on a recently issued ID).
• A photo that doesn’t match the holder’s physical appearance or appears digitally manipulated.
Digital checks: Many ID verification tools are designed to check format and validity – not cross-reference the identity as a whole. They confirm whether a passport is expired or if a utility bill matches a postcode, but often fail to verify whether the individual behind the identity truly exists or has a credible background and, most importantly, is the person claiming that identity.
Many electronic ID checks fail to verify if the individual is a real person and who they claim to be, whether their story makes sense, or whether their background aligns with the risk. In other words, the technology checks the documents – not the person.
As highlighted in the UK government’s identity verification guidance, National Insurance numbers are not private, are often shared, and are vulnerable to misuse in identity fraud schemes. If the name, date of birth and NI number line up with something plausible, most systems will let it through.
If your checks don’t dig beneath the surface – if they stop at verifying documents, not identities – then I’m in.
Step 3: Illusion of legitimacy
Passing the ID check is just the start. Once I’m through the door I make my fake identity look real.
I’ll open a UK bank account using the same documents I gave you. Since most banks use similar ID verification software, if I passed your checks I’ll likely pass theirs too.
Then I’ll build out a backstory:
• Invoices from my ‘consultancy’ to other companies I control.
• PAYE records showing a modest salary.
• A lease agreement linking me to a physical address.
• Light online presence: company details on Companies House, maybe a few blog posts or job ads.
It’s a curated but convincing profile. And it’s designed to fit what most professionals expect from a small, compliant business.
Meanwhile, you’re processing dozens of similar clients, many with far messier setups. I’m polite, responsive, I pay on time. Nothing about my file stands out. And that’s the point.
Step 4: Using your credibility
Now comes the part where your role becomes central to the whole plan.
As a regulated accountant, your professional standing gives my synthetic identity a powerful cloak of legitimacy. When you verify my identity, file my accounts and submit my tax returns, it reassures banks, regulators and law enforcement that proper checks have been done.
The ‘unwitting enabler’ isn’t just theory. According to the UK’s National Crime Agency, professionals like accountants are among the most commonly exploited actors in money laundering schemes, often without realising it. Criminals use regulated firms to lend credibility to front companies, shell structures and fake directors.
A real-world case study from the Consultative Committee of Accountancy Bodies (CCAB) illustrates this risk clearly. In the example, a small accountancy firm continued to process VAT returns for a client despite spotting implausible sales data and unusual business behaviour.
The firm failed to question the underlying transactions or consider whether a Suspicious Activity Report was necessary. As a result, they inadvertently helped facilitate VAT fraud by legitimising the client’s filings.
The case study is available from CCAB.
Even where there’s no criminal intent, the consequences are real. And they’re more common than most firms realise.
When HMRC investigates
Eventually, someone asks the right question.
I’ve submitted a VAT return showing substantial consultancy income, offset by large, vague expense invoices. My business seems profitable on paper, but the transactions don’t quite make sense.
HMRC looks closer. They discover:
• The company was registered just six months ago, with a virtual office as its business address.
• The director has no digital presence – no LinkedIn profile, no past trading history.
• The expense invoices lack clear descriptions and appear to be from companies with minimal traceable activity.
Under the new Companies House rules introduced by the Economic Crime and Corporate Transparency Act, identity verification is required for all company directors and beneficial owners.
In this case, the business would have needed to pass those checks. But the fact that the company was still able to be set up, despite later suspicions, demonstrates that passing basic ID verification doesn’t eliminate risk. The documents may still have been forged or genuine documents misused, which is why further checks by professionals remain essential.
What happens next?
HMRC will often pass its concerns to another authority (typically the National Crime Agency or a law enforcement body) if it suspects the issue goes beyond tax non-compliance. That’s when the case moves from a routine check to a potential money laundering investigation.
You’re the accountant on record. You filed the VAT return and prepared the accounts. By the time you’re being asked for your client file, you’re no longer just a service provider: you’re part of the investigation.
These next questions are most likely to come from law enforcement or a regulatory authority, after HMRC has passed the case on. If your AML supervisor or professional body becomes involved, this questioning could be part of a disciplinary or compliance review triggered by that referral.
So:
• What checks were done at onboarding?
• Did you verify the identity and beneficial ownership?
• Did you question the nature of the client’s trade or the substance of the invoices?
• Was there a rationale for not applying enhanced due diligence?
If you relied solely on supplied documents, without further probing the client’s story or source of funds, then the investigation doesn’t stop with the company. It turns to you. If you can’t answer clearly or your file doesn’t contain the evidence, your business is exposed.
What you must be able to show
Under Regulation 28 of the UK Money Laundering Regulations, you must demonstrate that you:
• Obtained and verified identification documents, including reliable, independent sources for both individuals and legal entities.
• Identified the beneficial owner and took reasonable steps to verify them, especially in layered or opaque structures.
• Assessed the purpose and intended nature of the business relationship, including the client’s business model, transaction types, and funding sources.
• Determined and recorded the client’s risk profile, factoring in jurisdiction, sector, ownership, delivery channels, and more.
• Applied ongoing monitoring, meaning you didn’t file the client away and forget them. You must check that activity aligns with expectations.
How to stop me
Risks are part and parcel of working in a regulated profession. But while you can’t eliminate them entirely, you can understand where those risks lie and take steps to mitigate them.
1. Cross-reference client information
Use multiple data points – Companies House, credit reference data, open-source searches – to verify the story, not just the documents.
2. Don’t accept an NI number as ID
It’s not a reliable identity check and is specifically discouraged by UK government guidance.
3. Dig into vague business models
Descriptions like ‘advisory’, ‘consultancy’ or ‘investment support’ should prompt deeper questioning.
4. Train your team to escalate
Junior staff handling onboarding need confidence, knowledge and authority to question anything that doesn’t feel right.
5. Use smart AML systems
Look for tools that go beyond checklists – ones that prompt you to gather and record more detail about the client and the risks, so you can flag unusual patterns, relationships and behaviour over time.
The bottom line
I wouldn’t need to break your systems, I’d just need to blend into them. A clean-looking identity. A plausible business. A modest company with just enough documents to pass.
By the time you realise what I’ve done I’ll be long gone. And you’ll be left trying to prove you did everything right.
But you can stop it by asking one more question, digging one layer deeper and staying one step ahead of people like me.
Because if I can see the weaknesses in your system, so can everyone else who’s looking for a way in.
• Richard Simms, Founder and Director of AMLCC