What's in a Company Wallet

The company wallet includes multiple data points and different layers of verification that will make it harder for fraudsters to set up fraudulent companies or impersonate others.

Firstly, what is a wallet?

A reasonable definition of a wallet is given by the government in their digital identity trust framework (although they use the rather abstract term 'holder service' to mean a wallet): "a user-facing device, service, software or app that allows a user to collect, store, view, manage or share identity and/or attribute information and reuse it in multiple scenarios over time".

A wallet is essentially a data container, and the data could be ID data, payments data, accounts data or digital assets - anything you want to keep in it. The key benefit of storing and sharing data in a wallet is that digital certificates can be attached to the data to ensure it can be independently verified as correct and untampered with. A secure audit trail can be verified so that whoever reads the data can know who did any previous verification and to what standards. This increases trust and security in processes.

A wallet also means that the company identity is portable and available to use in various ways, whether a business is applying for a loan, verifying the identity of a supplier, or setting up an online business account with a digital platform such as Facebook or Google.

For individuals, digital wallets have been around for many years in various iterations; wallets that store payment credentials are used for Apple/Google Pay, for instance, and can store boarding and loyalty cards and, more recently, ID information. In Europe, eIDAS2 legislation mandates that each state make a digital ID wallet available by Christmas 2025. In the UK, many providers on the government’s Digital Identity and Attributes Trust Framework (DIATF) have ‘reusable ID’ wallet services that can store ID data to avoid having to rescan ID documents every time you prove who you are.

In the summer of 2024, CFIT convened a coalition of interested parties who would use, supply or receive data from a ‘company ID’ wallet.

How to set up a company wallet?

If the company is new, the directors will need to incorporate it with Companies House via the existing company formation process (either directly or via an authorised 3^rd party). This process could be adopted at Companies House in 2025 as part of the government’s drive to broaden the use of digital identity verification services.  This will provide an additional check on the creation of new companies at Companies House and those who manage them.

To set up a company wallet once the company exists, a company director or an authorised party would carry out the following steps:

1. Create an account with a certified Company ID wallet provider, certified under the government’s DIATF ID framework. This could include a cloud or on-device service (e.g. a mobile app).
2. Add their individual DIATF-certified ID details to the company wallet account.
3. Invite other directors and PSCs as well to confirm their ID details via their chosen ID providers.
4. Add verified company data from trusted sources via secure APIs where available (e.g. Open Banking).

• Company ID registration details, from Companies House (company number, registered address, Directors, Person with Significant Control, beneficial owners).
• Other public registration details (e.g. FCA register, certifications, insurance)
• Public company information to inform the company’s trading location and what the company does (websites, social accounts)
• Tax registration (e.g. HMRC VAT number)
• Banking details (e.g. Open Banking transaction scoring for credit, accounts receivable sort code/account numbers)
• Credit reference agency data (credit score)
• Verified accounts (Companies, Houses, accounting packages)
  
  

Once the data needed for a given use case has been added, it can be shared with a new Third Party, such as a bank, as input into the ‘Know Your Business’ onboarding process. Having the data to hand in the wallet saves the company director and the bank time, as they don’t need to collect it all during the onboarding process, and any previous checks done on the data can be re-used.

Research undertaken by CFIT estimates that the time taken by a bank to process an application for a new account to confirm the identity of the company could be reduced by at least half using a digital company ID, improving the speed at which the business could access finance.

An evolving market

There are likely to be iterations of company wallet services as Companies House (CH) adopts ID verification over the next few years:

• Today – no CH ID verification; DIATF company wallet providers can pull CH data via API but need to match director IDs to the CH-held names and month/year of birth. Directors can do ID verification via DIATF services into company wallets.
• Next year – ID verification via One Login (not connected to DIATF processes). CH will have ID-verified directors, but this data initially is not expected to be sharable with DIATF wallets in a verifiable way. DIATF wallet providers will still need to data-match ID directors to CH-held data. Directors will need to do two ID verifications (one with CH via One Login and one via DIATF services).
• Future – CH and DIATF ID verification becomes interoperable, with data sharing between One Login and DIATF wallets.

For wallet service providers, most of the rules within the DIATF relate to individual IDs; the industry will need to work with the government to define any specific rules that may be needed to cover ‘role-based IDs’ (ID credentials that enable humans to act on behalf of businesses), or the company ID itself. Any defined ‘company ID’ rules can then be captured either in a future version of DIATF or as a ‘supplementary code’ if that is the most effective means of delivery.

CFIT has set up a Working Group that will define the trust and governance rules that providers of company ID services can adopt to bring the company wallet to market. This group will be issuing a proposal to DSIT in the New Year.

In association with this, the Working Group will look more closely at which data elements are needed to support the most popular use cases and methods required to verify these data to ensure only the right amount of information is shared to inform the identity of the business in the use case. This will help company ID providers and SMEs limit and control the amount of data they share to accurately confirm their identity.