In June 2025, HMRC reported a major incident: around 100,000 Personal Tax Accounts were compromised, leading to an estimated £49m in fraudulent repayments. The Comptroller and Auditor General has qualified HMRC's accounts on R&D relief, Child Benefit, and tax credits, in part because of identity and account-integrity risks. The cost of phoenixing and repeat fraud, where the same person opens new accounts under new identities to evade debts or liabilities, is significant. One way to reduce both is to require mandatory identity verification for all business tax account use. Today, GOV.UK One Login is used for personal tax; for business tax, existing users still use the Government Gateway, while from February 2026 new customers can register with One Login and existing users are migrated gradually. Extending verified identity (e.g. One Login) to business tax could help close that gap, because a single verified identity per person would tie all their business tax activity to one record and allow HMRC to bar that identity across entities. Today there is no described process for barring a person across all business tax entities or for automatic linkage to Insolvency Service or Companies House; One Login would enable that once policy and systems are in place. That would make it harder to phoenix and would enable HMRC (and, with the right data sharing, Companies House) to enforce a suspended or locked status so that people who have already had accounts locked for fraud cannot as easily obtain new credentials or take over shared accounts.

Why phoenixing and repeat fraud matter

The UK tax gap was £46.8bn in 2023 to 2024, about 5.3% of theoretical liabilities. HMRC has raised its estimate of tax lost to small business phoenixing to £836m. HMRC's tax debt stood at £42.8bn as at March 2025, and its annual report emphasises upstream compliance (getting things right before submission). Both point to the same thing: preventing bad actors from getting new accounts in the first place is more effective than chasing them after the fact.

How phoenixing works. Phoenixing is carrying on the same business through a series of companies that become insolvent in turn. Each time one fails, the business and assets move to a new company; the old company's debts are left behind and it is dissolved or liquidated. Lawful phoenixing exists (for example where a new company is set up fairly and directors are not disqualified), but unlawful phoenixing is when directors deliberately close a company to avoid liabilities, including tax and government support. Under Section 216 of the Insolvency Act 1986, a director of a company that has entered insolvent liquidation commits a criminal offence if they form or manage a new company with the same or a very similar name within five years, unless the court permits or a statutory exception applies. The Insolvency Service investigates director conduct; liquidators report to it, and in a large share of targeted cases directors are disqualified. Directors who dissolve a company improperly (for example by filing for strike-off without notifying HMRC or while debts remain) can face prosecution, disqualification for up to 15 years, and personal liability for the company's debts. So-called "burial liquidations", where an insolvent company is wound up with no proper scrutiny of whether value was stripped by directors, are a focus of that scrutiny. The gap: without strong, reusable identity checks, the same person can open a new business and new business tax accounts under the same or a new entity. Tying those accounts to a single verified identity makes that much harder. An important assumption: this only applies where phoenixing directors or their new companies actually use HMRC at all (for example VAT registration, Corporation Tax, Self Assessment, or reliefs). Where they operate entirely outside HMRC systems, identity verification on business tax accounts does not reach them.

A prominent example is the American candy shops on UK high streets (including Oxford Street): the same premises are let by the same or linked landlords to a succession of shell companies that dissolve and are replaced with new ones, leaving millions in unpaid business rates and a "whack-a-mole" problem for councils. One Login would not by itself solve this. Business rates are a local authority responsibility, not HMRC; the pattern relies on easy company registration with obscure ownership and on landlords letting to new limited companies. Addressing it needs Companies House director identity verification (so the person is on the record), business rates reform (who is liable, revaluations), and pressure on or responsibility for landlords, as well as stronger company registration checks. Mandatory identity verification for business tax closes the HMRC gap; the high-street pattern also needs rates and landlord levers.

In the Spring Statement 2025, the Chancellor announced a joint initiative between HMRC, Companies House, and the Insolvency Service to tackle phoenixism: upfront security deposits for new companies formed after liquidations (under the same control as the insolvent entity), stronger director personal liability, and a target to double tax protection from £125m to £250m by 2026–27. Internationally, Australia’s Phoenix Taskforce and Director Identification Number show how verified director identity and cross-government action can trace and disrupt repeat phoenixing.

HMRC's published strategy and briefing emphasise upstream compliance and the scale of unpaid debt (£42.8bn) as reasons to stop bad actors from obtaining new accounts in the first place. In schemes such as R&D tax credits (RDCO), HMRC already applies fit-and-proper tests and is "very unlikely" to approve anyone running a "continuation or resurrection" of a previously non-compliant or revoked business; similar logic for business tax accounts would align with that approach. R&D relief fraud, abuse of child benefit and tax credits, and the 2025 personal tax account incident show that identity and account integrity are not edge cases. They are central to protecting revenue and fairness.

One Login and mandatory identity verification

Today, business tax (Self Assessment, Corporation Tax, VAT) still uses the Government Gateway in practice for existing users; from February 2026 new customers can register with One Login and existing users are migrated gradually. Identity checks can include evidence such as passport or driving licence and an activation code for new services. HMRC design guidance now directs users to "Sign in with GOV.UK One Login" for proving identity; the Government Gateway user-ID pattern has been archived as GOV.UK One Login is phased in. With GOV.UK One Login, you prove your identity once (via the GOV.UK ID Check app, security questions online, or in-branch verification at a Post Office); that identity is then stored and reused for other services that need it, so you are not asked to verify again. For some users, Trusted Helper and similar routes exist so a friend or family member can help manage tax affairs, but research notes that identity verification can cause friction and not everyone succeeds first time (for example with the ID Check app or with P60 or credit-reference questions). HMRC advises against sharing sign-in details and provides a "digital handshake" so agents can be authorised without sharing credentials. That leaves a gap. Requiring verified identity (for example through GOV.UK One Login or a successor) to register or maintain a business tax account would do two things.

First, it would tie new entities to the same verified person. Phoenixing relies on being able to present as a new identity. If opening or maintaining a business tax account requires going through a single, reusable verified identity, it becomes much harder to shed the old one and start clean. Second, it would allow HMRC to enforce a suspended or locked status. Today there is no described process for barring a person across all business tax entities or for automatic link to Insolvency Service or Companies House; mandatory verified identity would enable such barring once policy and systems are in place. HMRC already suspends or locks online tax accounts where it suspects compromise or abuse; published guidance describes monitoring for suspicious sign-in attempts, asking the user to change their password where there is risk, and reporting to the helpdesk, rather than a formal appeal process for barring, and the UK Digital Identity and Attributes Trust Framework requires providers to consider whether thresholds could unfairly impact genuine users and to follow fraud dispute and resolution processes. In schemes such as RDCO and the Construction Industry Scheme, HMRC applies fit-and-proper tests and can bar reapplying for years. If someone has had a business tax account locked for fraud, the system could prevent them from opening a new business tax account without a controlled process (e.g. appeal or rehabilitation), instead of relying on them simply creating another account elsewhere. The Data (Use and Access) Act 2025 requires that where identity data is used to make significant decisions (such as barring access), people must be able to contest the decision and obtain human intervention. So any barring mechanism would need to sit within those safeguards, not replace them.

Would One Login fix the problem? It fixes the identity gap: today there is no single, reusable verified identity for business tax, so the same person can obtain new credentials for new entities and evade barring. One Login provides that identity and is therefore a necessary condition for effectively reducing phoenixing and repeat fraud among those who do use HMRC (VAT, CT, SA, reliefs). It does not touch phoenixing that happens entirely outside the tax system. It is not sufficient on its own. HMRC (and policy) must use it to link that identity across accounts and entities, to enforce barring so that disqualified or fraud-locked individuals cannot open new business tax accounts, and to align with Insolvency Service and Companies House data where relevant. Companies House director verification under ECCTA is not currently linked to HMRC or the Insolvency Service for blocking; the Spring Statement 2025 joint initiative is the intended direction. Without those policy and system choices, One Login only makes it easier to know who someone is; it does not by itself stop them from opening new accounts. Verification also does not prevent account takeover: if someone is tricked into sharing their sign-in details, a fraudster can still use their verified identity. So One Login raises the bar at the door and enables barring; it must be combined with clear barring logic, appeals, and ongoing security to have the intended effect.

Policy and service design for this sit within the broader framework of UK digital identity. The Data (Use and Access) Act 2025 establishes a statutory framework for Digital Verification Services (DVS), with a trust framework and register of certified providers, and under Section 46 applies strict safeguards when HMRC shares data with those providers (no further disclosure without the Commissioners' consent). That supports using verified identity for tax services without creating a mandatory national ID. HMRC has stated that a standardised, secure verification process will help prevent fraudsters and bad actors from entering the tax and customs system; identity checks under Good Practice Guide 45 (GPG 45) run against fraud databases and address histories. HMRC's own digital services and cross-government identity work build on that. The details of how a barred or disqualified status is defined for business tax, how formal appeals work, and how legitimate new businesses are not blocked remain design questions for implementation; the sources describe suspension, investigation, and restore of control, and the trust framework's requirements to protect genuine users and to use fraud dispute and resolution processes. When existing Gateway users move to One Login, HMRC uses a "binding" process to link their new verified identity to their legacy tax records so they are not asked to prove who they are again. The principle is clear: verification at the door, and persistence of that identity across accounts and entities.

Fitting HMRC's direction

HMRC's strategic direction is digital-first and focused on modernisation. GOV.UK One Login is to become the single sign-in and identity mechanism for government; the Government Gateway is being retired. Business and agent migration to One Login is the most complex part (delegated authority, employees, accountants, agents and organisations). HMRC's Transformation Roadmap states that existing individual customers will start to be onboarded to One Login towards the end of 2026 to 2027; for agents and organisations, transition depends on evolving the One Login solution, and HMRC is working closely with the Department for Business and Trade (DBT) and the Department for Science, Innovation and Technology (DSIT) to enable that as quickly as possible. A minister has indicated that Government Gateway will be ready for retirement during this parliament (by 2029). Until then, existing business tax users continue to use the Government Gateway and Agent Services Account; from February 2026 new customers can register with One Login and migration is gradual. Companies House has already moved ahead: from 13 October 2025 businesses must use One Login for WebFiling, and from November 2025 company directors and people with significant control must verify their identity under the Economic Crime and Corporate Transparency Act. When existing Gateway users transition, HMRC uses a "binding" process to map their new verified identity to their legacy tax records so they are not asked to prove who they are again. Extending mandatory identity verification to business tax accounts would be consistent with that direction and with the precedent already set at Companies House. It strengthens account integrity, supports upstream compliance, and reduces the scope for phoenixing and repeat fraud. It is a natural extension of existing work on digital identity and tax services, not a separate initiative.

Summary

Mandatory identity verification for all users of business tax accounts could reduce phoenixing by tying new entities to a verified person, and could allow HMRC to bar suspended, disqualified or fraud-locked individuals from opening new business tax accounts without a controlled process. Would you want to know if someone in your organisation had committed fraud in the past? With shared credentials it's harder to detect. If the pattern of standard behaviour for One Login use moves away from shared credentials, those who do share become easier to spot, reducing the noise around fraud signals. It is necessary but not sufficient: barring logic, appeals, and alignment with insolvency and company data must be in place for it to have full effect. Design would need to protect legitimate new businesses, provide a clear route for appeals, and offer alternative verification routes so people without standard ID or digital access are not excluded; data protection and security must be built in. The case for raising the verification bar for business tax is strong. The 2025 incident and the C&AG qualifications are a reminder that identity and account integrity are not optional. They are the foundation on which compliance and fairness rest.

Sources