Here's a home truth: people are creative when it comes to abusing IT systems, yet organisations can be extremely reluctant to recognise it.
A great example of this popped up recently, noted by internet lawyer Rick Shera who deals with the Companies Office regularly.
Shera's assistant discovered that if someone has a company director's driver's licence, the credential can be used to access registrations at the Companies Office.
Drivers' licences are regularly used as de facto ID cards in New Zealand, and don't think for a second that the copies taken of them by all and sundry are all stored securely, or destroyed/deleted after a while.
As with a company key, a driver's licence (or passport details) for a director provides instant confirmation of authority online on the Companies Office website.
Once authority has been confirmed, it's possible to change registration details for a company online. Want to remove directors, transfer shares? Easy peasy.
Being able to change registration details like this could cause massive headaches.
Take company sales for example: the purchaser's solicitors check company details at the Companies Office before settlement to make sure they are as warranted by the seller.
Settlements often take place on a Friday and Shera said if a change is done around midday, not noticed and corrected soon after, it could lead to a purchaser hesitating to complete the transaction, or pulling out of the deal altogether.
That in turn could spark a legal fight as to whether or not the purchaser was entitled to a delay, or to cancel the deal, and there could be penalty fees for late settlement.
"On a $100m deal no chances can be taken and the stakes are high so it can make people do strange things," Shera pointed out. "This is the worst case but I've had deals fall over for less and cause huge litigation over who was right and who was wrong."
Shera shared another example in which a 5 per cent shareholder who is not a director and has no Companies Office authority says they are being treated prejudicially by a 95 per cent shareholder under the Companies Act, and that they were meant to have been transferred 51 per cent control.
If the minority holder has a copy of the 95 per cent shareholder's driver's licence (or passport details) they can give themselves authority and remove the other director. After that they appoint themselves, change the registered addresses and other details.
The problem here is that while the minority shareholder is breaching the Companies Act, that person could claim that so is the majority shareholder, and argue that they are entitled to take control.
In that situation, the Companies Office might not be able to sort out the changes until the entitlement argument is settled, perhaps in court. "I have seen shareholders do this, so being able to so easily grab authority could be dangerous," Shera said.
Someone grabbing the authority could add a bogus director to a company, who can then sign the entity up to, for example, an expensive long-term lease or subscription.
Even if the pukka directors realise what's happened, the third party doesn't know that a bogus company officer signed up for a deal, creating an argument about whether or not a contract can be voided.
I asked the Companies Office if this should be tightened up and got the same canned response Shera did:
"The Companies Office would like to reassure all those on the register that there are checks and flags before authority is granted. These include immediately alerting legal company registrants to any new company authority requests.
"There is also an audit trail of any changes made under an authority, so fraudulently registered information can be promptly corrected," the agency said.
That's a disappointing response and the after-the-fact notification is flimsy protection at best.
The email doesn't ask "is this what you want to happen, Person With Authority?" and then let you approve the request if it is or, if not, decline and report the illicit change.
Very few people, if any, monitor email accounts all hours of the day. What's more, changing a company's address under authority doesn't generate a notification email, I was able to confirm. Change the addresses, and Companies Office communications are redirected to wherever you'd like after authority is transferred. Do that to stop an annual return from being filed and you can get a company struck off.
Yes, there's an audit trail and register-tampering perpetrators will be caught. It will deter some people, but this loophole needs to close.
The Companies Office needs to make sure that "before authority is granted" actually does what it says.