The manual identity verification flow serves as the secondary, failsafe mechanism for establishing the identity of clients who are unable to successfully complete the automated biometric journey. In a professional corporate services environment, technical friction such as the lack of a modern smartphone, poor internet connectivity, or possession of a non-biometric legacy passport must not serve as an absolute barrier to service. However, the UK government and HMRC are clear that a manual alternative must not be a soft option. This policy mandates that human-led checks must reach an equivalent standard of evidentiary rigour as the AI-driven Veriff process. By providing this alternative, My Office Address Limited ensures universal access to its business address
The primary purpose of this human-led process is the mitigation of impersonation risk. When a client is not physically present, the burden of proof falls upon our compliance team to verify that the documentation provided is both authentic and in the physical possession of the applicant. Human-led due diligence allow for a nuanced, qualitative assessment that automated systems may occasionally overlook, such as the subtle context of a client’s business model or the specific nature of their residency documents. This process is the ultimate gatekeeper function of our business; it ensures that every person for whom we provide a registered office or director service address has been vetted by a trained professional who is personally accountable for the integrity of that verification.
Manual processing is not a default selection but is reserved for specific, documented circumstances. These include technical failures within the Veriff API, cases where the applicant possesses valid government identification that lacks the necessary machine-readable components for digital scanning, or where a client has a legitimate accessibility requirement that prevents the use of facial recognition technology. Clients who fail the automated liveness check twice are automatically redirected to this manual flow. By clearly defining these eligibility criteria, we prevent system shopping where a high-risk applicant might seek to bypass automated fraud detection by opting for a manual review, ensuring that our compliance resources are focused on legitimate cases.
The statutory landscape for virtual office providers has become significantly more rigorous. This manual flow is built to align specifically with the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017). Under these regulations, My Office Address Limited is classified as a relevant person and must perform Customer Due Diligence (CDD). Furthermore, we adhere to the strict requirements of the Economic Crime and Corporate Transparency Act (ECCTA), which mandates that company service providers must verify the identity of any individual for whom they are filing information at Companies House. This SOP ensures that our manual checks meet the verified status required to generate the statutory verification codes necessary for modern UK corporate filings.
HM Revenue & Customs (HMRC), our primary supervisor, requires that all TCSPs (Trust or Company Service Providers) apply a Risk-Based Approach to identity. For non-face-to-face manual verifications, HMRC expects a high-level of assurance. This means that simply receiving an emailed copy of a passport is insufficient. Our framework requires a multi-layered evidentiary pack, including a Selfie with ID and third-party database validation, to achieve a level of certainty that matches a physical encounter. Failure to maintain these standards would not only put our HMRC registration at risk but would also expose the business to severe civil and criminal penalties. This section of the SOP serves as our Compliance Shield, documenting the exact steps we take to satisfy these high regulatory expectations.
Every manual verification performed under this SOP is subject to the oversight of our Money Laundering Reporting Officer (MLRO) or their designated deputy. The MLRO is responsible for the final risk rating of the client. In a manual flow, the MLRO must sign off on any application where the documents provided are unusual or where the client originates from a high-risk jurisdiction. The MLRO has the ultimate authority to refuse service, even if all documents appear valid on the surface, if the commercial rationale for the business relationship is unclear. This human oversight is the cornerstone of our integrity; it ensures that the manual verification process is a robust, professional, and legally defensible activity that protects the reputation of My Office Address Limited.
The primary identification document must be a government-issued photographic ID that provides definitive proof of the individual’s legal name, date of birth, and nationality. We categorise these as Group A documents. The gold standard for manual verification is a valid, unexpired United Kingdom or International Passport. If a passport is unavailable, we accept a UK Photocard Driving Licence (Full or Provisional) or a National Identity Card from an EEA or equivalent high-trust jurisdiction.
In a manual flow, the compliance officer must scrutinise these documents for physical integrity. We do not accept black-and-white copies, screenshots, or documents with obscured security features. The image must be a high-resolution, full-colour scan or photograph showing all four corners of the document. Any sign of digital manipulation, such as inconsistent pixelation around the date of birth or a mismatched font in the Machine Readable Zone (MRZ), will result in an immediate rejection and a potential Internal Suspicious Activity Report (ISAR) to our Money Laundering Reporting Officer.
To establish the client’s current residential status, we require a Group B document. This must be a formal document issued by a reputable institution that displays the applicant’s full name and their current residential address (not a P.O. Box or a business address). Acceptable documents include Utility Bills (Gas, Water, or Electric), Council Tax Statements, or Bank/Building Society Statements. For a manual check to be valid under HMRC 2026 guidelines, these documents must be dated within the last three months.
Certain documents are explicitly excluded from this manual flow due to the ease with which they can be forged or altered. These include mobile phone bills, store card statements, and documents printed from non-secure online portals that lack a verifiable header or footer. For international clients, we require that these documents are provided in English or accompanied by a certified translation. The residential address provided must match the address recorded on our client database exactly; any discrepancy triggers an automatic request for a secondary proof of address to ensure the client is not attempting to obfuscate their true location.
The temporal validity of a document is non-negotiable in a manual compliance audit. We do not accept identity documents that have expired, even if the expiration occurred within a recent timeframe. The only exception to this is where a client provides a valid extension of validity certificate issued by their respective embassy or government department. For Proof of Address documents, the 90-day rule is strictly enforced. If a bank statement is 91 days old at the time of the manual review, it is deemed invalid for the purposes of Customer Due Diligence (CDD).
Because a manual flow lacks the Active Liveness detection of the Veriff AI, we implement the ID-in-Hand protocol. The applicant must provide a high-resolution photograph (a selfie) showing them holding their Group A identity document next to their face. The compliance officer must be able to clearly read the details on the ID and compare the photograph on the document with the face of the person holding it.
This step is critical for preventing Synthetic Identity Fraud, where a criminal uses a stolen or forged ID scan without actually possessing the physical document. The applicant must ensure that their hand does not obscure any text on the ID and that the lighting is sufficient to prevent shadows from masking their facial features. If the Selfie appears to be a digital composite (a deepfake or a superimposed image), the application is immediately escalated for a high-risk review.
In cases where the selfie is inconclusive, or where the client is flagged as a high-risk individual (such as a Politically Exposed Person), My Office Address Limited reserves the right to request a short Video Verification. The client is asked to record a 10-second video where they hold their ID, state their full name and the current date, and turn the ID slightly to show the holographic security features reflecting in the light. This provides a dynamic layer of security that is nearly impossible to replicate with static forgeries. This video is then stored as part of the client’s permanent compliance file, providing a robust audit trail for future HMRC inspections.
Every manual review involves a technical check of the document’s security features. For passports, the compliance officer verifies the Machine Readable Zone (MRZ) the two lines of text at the bottom of the data page. The officer uses a checksum calculator to ensure that the numbers in the MRZ (representing the passport number, DOB, and expiry) match the visual data on the page. We also look for Tactile Features or watermarks that should be visible even in a high-resolution scan. By combining these manual forensic checks with the liveness protocol, we ensure that our manual ID flow remains a high-assurance barrier against financial crime.
Once the compliance officer has verified the physical authenticity of the provided identification, the applicant’s full legal name and date of birth must be screened against the UK Consolidated Sanctions List and global financial watchlists. This process is a mandatory statutory requirement designed to prevent the provision of corporate services to individuals or entities subject to asset freezes or trade restrictions. In a manual flow, this screening must be performed using a reputable, real-time compliance tool. We do not rely on static lists, as international sanctions (particularly those relating to high-risk jurisdictions) can change daily.
Furthermore, we must identify whether the applicant is a Politically Exposed Person (PEP), or a family member or close associate of a PEP. Under the 2026 UK regulations, we distinguish between Domestic PEPs (UK-based) and Foreign PEPs. While Domestic PEPs are generally treated as lower risk unless specific red flags are present, all PEP identifications in a manual flow trigger an automatic requirement for senior management sign-off. The compliance officer must document the specific role held by the PEP and assess whether the proposed business relationship with My Office Address Limited poses a heightened risk of bribery or corruption.
A professional manual verification includes Adverse Media screening. This involves searching international news databases and regulatory warning lists for any involvement of the applicant in financial crime, professional misconduct, or insolvency proceedings. While a negative news report does not always result in an automatic rejection, it informs our risk rating and may trigger a requirement for more detailed explanations regarding the client’s business history.
We also cross-reference the applicant’s details against internal and external fraud databases to identify Known Fraudulent Patterns, such as the use of a residential address that has been linked to previous shell company registrations or identity theft incidents. By layering these external checks over the manual document review, we ensure that our human-led due diligence is as effective as the most advanced AI systems at identifying high-risk actors.
For corporate clients, manual verification extends beyond the individual applicant to the legal entity itself. We must verify the entity’s status at Companies House (or the relevant international equivalent) and map the Ultimate Beneficial Ownership (UBO) structure. We are legally required to identify any Persons with Significant Control (PSC) typically anyone owning more than 25% of the shares or voting rights.
In a manual flow, the compliance officer must obtain a current register of Members or a share certificate and verify the identities of all PSCs to the same 1+1 standard. Under Regulation 30A of the MLRs, we must also report any material discrepancies between the beneficial ownership information provided to us and the information currently held on the public register at Companies House. This ensures that the corporate structures using our business address are transparent and legally accountable.
Enhanced Due Diligence (EDD) is a mandatory statutory requirement for any client established in a high-risk third country, as defined by the FATF (Financial Action Task Force) and HM Treasury’s Advisory Notices. If a manual applicant is resident in, or their company is incorporated in, a jurisdiction on the Black or Grey lists, we must apply more stringent monitoring. This includes obtaining additional independent evidence of their identity and conducting more frequent reviews of their account activity. We do not permit standard manual verification for clients from these regions; their files are automatically escalated to the MLRO for an in-depth risk appraisal.
For high-risk clients or those involved in unusually large transactions, we are legally required to establish the Source of Wealth (SoW) and Source of Funds (SoF). SoW refers to the origin of the client’s entire body of wealth (e.g., inheritance, long-term business profits, or investment portfolios), whereas SoF refers to the specific funds used to pay for our services.
In a manual flow, we may request supporting evidence such as audited business accounts, payslips, or property completion statements. We do not tick a box by merely asking for the information; the compliance officer must evaluate whether the evidence provided is plausible and consistent with the client’s known professional profile. This ensures that My Office Address Limited is not being used to facilitate the layering or integration stages of money laundering.
The Economic Crime and Corporate Transparency Act has introduced a Duty to Report for authorised service providers. If our manual due diligence reveals that a director’s residential address or a PSC’s nationality differs from what is currently recorded on the public register, we must notify Companies House. This is a critical part of the 2026 UK corporate reforms designed to improve the accuracy of the register. By integrating this reporting requirement into our manual flow, we demonstrate to our regulators that we are an active and responsible participant in the UK’s fight against economic crime.
In a manual verification environment, the final decision-making process must be clearly delineated from the initial document collection phase to ensure objectivity. Once the compliance officer has completed the 1+1 document check and the liveness protocol, they must submit a verification summary to a senior member of the compliance team or the Money Laundering Reporting Officer (MLRO). This summary must explicitly state whether the identity has been verified to a high-level of assurance and whether any red flags were identified during the screening of Sanctions or PEP lists.
An approval results in the activation of the client’s account, while a rejection requires a formal notice of refusal. Under the Economic Crime and Corporate Transparency Act (ECCTA), if we refuse a client due to suspicions of identity fraud or money laundering, we may be legally required to file a suspicious activity report (SAR) with the National Crime Agency (NCA) before notifying the client. The logic behind every approval or rejection must be documented in our internal compliance logs, ensuring that if HMRC conducts an audit in three years’ time, the rationale for accepting a specific manual applicant is immediately transparent and defensible.
Upon the successful completion of a manual identity verification, My Office Address Limited, acting as an Authorised Corporate Service Provider (ACSP), will notify Companies House of the successful verification. This notification is a statutory requirement under the Economic Crime and Corporate Transparency Act. This allows Companies House to link your verified status to your unique personal code, which is required for all directors and Persons with Significant Control (PSC) to perform statutory filings. While the code itself is issued and maintained by the Registrar, our role is to provide the professional assurance necessary for its activation.
Every manual verification culminates in the creation of a permanent Client Compliance File. This is a digital sealed envelope that contains the full history of the due diligence process. It must include the high-resolution scans of the identity and residency documents, the Selfie-with-ID photograph, the results of the Sanctions/PEP screening, and the timestamped approval from the MLRO. This file is the primary evidence we use to demonstrate our adherence to the Money Laundering Regulations 2017. It is stored separately from general customer service notes to ensure that only authorised compliance personnel can access the sensitive personal and special category data within.
In accordance with Regulation 40 of the MLR 2017, My Office Address Limited must retain all records related to customer due diligence for a period of five years after the business relationship has ended. This 5-Year rule is a statutory mandate that supersedes the general right to erasure under the UK GDPR. Even if a client cancels their business address service, we are legally required to keep their manual verification file on record. This ensures that if the client is later investigated for financial crime, the authorities can access the original identification evidence we collected at the time of onboarding. Once this five-year period has elapsed, the data is flagged for permanent deletion, unless we are instructed otherwise by a court order or law enforcement agency.
Given the high risk of identity theft, all manual verification files are protected by AES-256 bit encryption at rest and are only transmitted via secure, TLS-encrypted channels. Access to these files is strictly limited to the MLRO and designated compliance officers through Multi-Factor Authentication (MFA). We do not store manual ID scans on local desktop computers or unencrypted cloud storage; instead, they are housed within a vulnerability-tested environment that undergoes regular penetration testing. By treating these manual files with the same level of cryptographic security as our automated Veriff data, we ensure that our manual-flow clients enjoy the highest level of digital protection available in 2026.
When a manual compliance file reaches the end of its statutory five-year retention period, it is destroyed using secure disposal protocols that meet the BS EN 15713 standard for the destruction of confidential material. For digital records, this involves a secure wipe that overwrites the data multiple times, making it unrecoverable by forensic tools. If any physical documents were received (which we strongly discourage), they are destroyed via industrial-grade cross-cut shredding at an ISO-certified facility. This rigorous cradle-to-Grave management of identity data ensures that My Office Address Limited remains a trusted, compliant, and legally resilient partner for UK businesses.