Jonathan Bennett
At the end of February, a landmark piece of guidance was issued by His Majesty’s Treasury and the Department for Science, Innovation and Technology. This long-awaited update sets out the government’s position on the use of digital identity verification (IDV) technology in relation to the Money Laundering Regulations (MLRs).
Digital IDV has long been used by regulated firms as a means of confirming the identity of their clients. While the government and AML regulators such as the SRA have encouraged its adoption, whether these solutions fully met the requirements of the MLRs had, until now, remained unclear.
The new guidance provides much-needed clarity. It confirms that digital identity verification technology can be used to “fulfil… Regulation 28 of the MLRs by verifying a customer’s identity using certified and registered digital identity services.” Crucially, it also states that, to meet MLR obligations, regulated firms can only rely on IDV providers that have been certified against the UK Digital Identity and Attributes Trust Framework. The guidance is explicit: “Digital verification services which are not certified and therefore not on the DVS register cannot reliably be deemed suitable for identity verification in compliance with the MLRs.”
How Law Firms Can ensure IDV Compliance
In light of this guidance, law firms must now be able to demonstrate that their digital identity verification provider is certified against the UK Digital Identity and Attributes Trust Framework (soon to be known as the UK Digital Verification Services Trust Framework) and is listed on the government’s official Digital Verification Services Register.
These changes reflect the rapid evolution of digital identity, alongside an ongoing public consultation into a potential national digital ID system. While clearer direction on which providers can be relied upon is a positive step, the definition of a “reliable” standard of verification still requires careful interpretation.
IDV providers can be certified against the framework for specific schemes, such as right-to-work checks, or to demonstrate their ability to meet defined identity assurance levels, as outlined in Good Practice Guide 45 (GPG 45). These levels of confidence range from low to very high and are determined by multiple factors, including:
- The quantity and quality of evidence collected
- The strength and authenticity of that evidence
- Cross-referencing against authoritative data sources
- The ability to link the evidence to the individual presenting it (for example, through biometric checks)
The 2026 guidance marks a significant shift from ambiguity to enforceable standards in digital identity verification for AML compliance. Law firms can no longer rely on uncertified providers and must ensure their IDV solutions meet the requirements of the UK trust framework and are listed on the official register.
While questions remain around how “confidence levels” should be applied in practice, the direction of travel is clear: certified, high-assurance digital identity verification is fast becoming a regulatory baseline rather than a best practice.