Government ID Verification: UK Digital Identity and e-Government Programmes

Government ID verification — the process of confirming that a person is who they claim to be by checking credentials issued by a recognised public authority — sits at the centre of compliance in 2026. Three forces have converged to make this year the inflection point: the Data (Use and Access) Act 2025 came into force and placed the UK Digital Identity Trust Framework on a statutory footing; GOV.UK One Login now serves more than 42 government services; and eIDAS 2.0 deployment is driving cross-border digital identity acceptance across Europe. For regulated UK businesses, understanding how these frameworks interact is no longer optional — it is a core operational requirement.

---

What Is Government ID Verification?

Government ID verification is the systematic process of checking identity claims against credentials issued by a government authority, such as a passport, driving licence, or biometric residence permit. Unlike general identity proofing, it relies on documents or digital certificates that carry the weight of state issuance — conferring a legally recognised level of assurance to the check.

Regulated businesses care about this distinction because multiple legal obligations tie compliance to government-issued credentials specifically. The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017), Regulation 28, requires firms to verify customer identity using reliable, independent sources — a threshold that government-issued documents reliably meet. Similarly, right-to-work checks under the Immigration, Asylum and Nationality Act 2006 mandate inspection of specific government-issued documents or Home Office online services. The EU's Anti-Money Laundering Directive 6 (AMLD6 / Directive (EU) 2024/1640) extends equivalent requirements to UK firms with EU operations.

In short, government ID verification is the evidentiary backbone of AML, KYC, and right-to-work compliance in 2026.

---

The UK Digital Identity and Attributes Trust Framework (DIATF)

The UK Digital Identity and Attributes Trust Framework (DIATF) is the national scheme that certifies identity service providers (IDSPs) and sets the rules for how digital identity products must operate in the UK. As of April 2025, the Data (Use and Access) Act 2025 placed the UK Digital Identity Trust Framework on statutory footing, replacing the interim beta framework (legislation.gov.uk, Data (Use and Access) Act 2025).

The Department for Science, Innovation and Technology (DSIT) maintains the public register of certified IDSPs. Businesses using a certified IDSP to carry out right-to-work or right-to-rent checks can establish a statutory excuse against civil penalties — a significant compliance benefit.

The Three Confidence Levels

The DIATF defines three assurance levels for identity checking:

• Low confidence — basic identity attribute verification, suitable for low-risk transactions.
• Medium confidence — document-level verification with some evidence of binding to a real person; accepted for right-to-rent checks and some employment screening.
• High confidence — full identity proofing including biometric matching and fraud checks; required for regulated financial services onboarding and right-to-work checks for foreign nationals.

Choosing the correct confidence level is not discretionary. The Home Office's Employer's guide to right to work checks specifies which DIATF levels are acceptable for each document type and worker category.

GOV.UK One Login

GOV.UK One Login is HMRC's and DSIT's shared single sign-on infrastructure for UK public services. By April 2026, it supports access to more than 42 government services — including HMRC self-assessment, DBS checks, and the DVLA driving licence portal. GOV.UK One Login uses a reusable digital identity credential that, once verified to medium or high confidence, can be shared across participating services, reducing the burden on both users and businesses that integrate via the GOV.UK Sign In API (gov.uk/one-login).

For regulated businesses, this matters because GOV.UK One Login-verified identities may be accepted as part of a broader CDD process where the IDSP is DIATF-certified, though firms retain ultimate responsibility for AML obligations under MLR 2017.

---

Government-Issued ID Documents in the UK

The UK recognises several categories of government-issued identity document, each with a different issuing authority, security profile, and regulatory acceptance.

The UK passport is an ICAO Doc 9303-compliant biometric document, meaning it carries a chip storing the holder's facial image and personalised data, readable via NFC. The DVLA photocard licence does not carry a chip but includes a 2D barcode and UV security features. The Biometric Residence Permit carries a chip and is used to verify immigration status via the Home Office Employer Checking Service.

From 1 January 2025, BRPs are being phased out in favour of eVisas — a fully digital immigration status held in the Home Office's online system. Employers and landlords should now use the View and Prove service rather than a physical BRP when checking right-to-work or right-to-rent for affected individuals.

---

Regulatory Framework: MLR 2017, AMLD6, and eIDAS 2.0

The legal architecture governing government ID verification in 2026 spans domestic UK law, retained EU law, and new EU instruments with extraterritorial reach.

The Money Laundering Regulations 2017, as amended by the Money Laundering and Terrorist Financing (Amendment) (No. 2) Regulations 2022, remain the primary domestic AML instrument, requiring all firms in the regulated sector to apply customer due diligence (CDD) using reliable, independent sources (legislation.gov.uk, MLR 2017).

The EU's sixth Anti-Money Laundering Directive, AMLD6 (Directive (EU) 2024/1640), requires EU member states to transpose new AML provisions by 10 July 2027. UK firms with EU-based customers or subsidiaries must track transposition progress, as AMLD6 imposes stricter beneficial ownership rules and extends the definition of politically exposed persons (PEPs).

eIDAS 2.0 — the revised EU regulation on electronic identification — requires EU member states to offer citizens a European Digital Identity (EUDI) Wallet by late 2026. The EUDI Wallet will carry verified government identity attributes, including national ID and driving licence data. UK firms accepting EU customers should review our detailed analysis in eIDAS 2.0 and the European Digital Identity Wallet.

The Information Commissioner's Office (ICO) has issued guidance on the lawful bases for processing identity document data under UK GDPR. Firms must identify a lawful basis — typically legal obligation (Article 6(1)(c)) or legitimate interest — before collecting and retaining copies of identity documents. The ICO's guidance on ID document data is binding for UK-based processors.

The Financial Conduct Authority's Financial Crime Guide sets out expectations for FCA-regulated firms and should be read alongside MLR 2017 when designing CDD procedures.

---

How Automated Government ID Verification Works

Automated government ID verification combines several complementary techniques to achieve reliable, scalable identity checking.

OCR and MRZ parsing extract machine-readable data from the document's Machine Readable Zone — the two lines of encoded text at the bottom of passports and travel documents. OCR accuracy directly determines whether downstream checks will succeed. Our platform processes over 3,200 document types across 32 jurisdictions, achieving 98.7% OCR accuracy on government-issued identity documents, which is a material improvement over the industry baseline of approximately 94%.

NFC chip reading (sometimes called ePassport reading) involves using a device's NFC radio to read data stored on the chip of ICAO-compliant documents — UK passports, EU national ID cards, and BRPs. The chip contains a facial image and document data secured by Active Authentication and Extended Access Control protocols, making it extremely difficult to clone or tamper with.

Biometric liveness detection and face matching compare the portrait extracted from the document (OCR or chip) with a selfie or video taken in real time. Liveness detection is critical: it distinguishes a live person from a photograph, video replay, or 3D mask. The best-performing systems combine passive liveness analysis with active challenge-response prompts.

Cross-referencing against authoritative sources closes the loop by querying document-issuing databases — for example, HMPO's Document Checking Service (DCS), accessible to certified providers, or the DVLA's My Licence Online API. For foreign nationals, the Home Office Employer Checking Service provides a definitive right-to-work confirmation that supersedes physical document inspection.

---

Challenges in 2026: AI-Generated Fakes and Deepfakes

The biggest emerging threat to government ID verification in 2026 is AI-generated document fraud. On our platform, AI-generated fraudulent identity documents increased from 3% of fraud attempts in 2024 to 12% in 2025, reflecting the rapid commoditisation of generative AI image tools capable of producing visually convincing passports and driving licences. Identity documents account for 19% of all document fraud types we detect — the single largest category by volume.

The specific threat vectors include:

• Synthetic document generation — AI models trained on real document templates that produce plausible-looking images with fabricated data.
• Face-swap deepfakes — real-time deepfake tools that substitute a fraudster's face onto a genuine identity holder's document during video verification.
• Metadata manipulation — altering EXIF data and file signatures to make AI-generated images appear to have been captured on a device camera.

Detection countermeasures must operate at multiple layers: pixel-level analysis for inconsistent compression artefacts, geometric checks for font spacing and security feature placement, and behavioural signals during liveness checks. For a broader view of how these trends are evolving, see our analysis in Digital Identity Trends 2026.

---

Automating Government ID Verification with CheckFile

CheckFile is built for regulated businesses that need accurate, audit-ready government ID verification at scale. Whether you are onboarding retail banking customers, verifying tenant identities, or running right-to-work checks for a large workforce, CheckFile provides the document intelligence layer that underpins compliant processes.

Key capabilities include:

• Multi-document support across UK passports, photocard driving licences, BRPs, eVisas, and 3,200+ international document types — supporting both domestic and internationally mobile workforces.
• NFC chip verification for ePassports and BRPs, providing chip-level tamper detection aligned with DIATF high confidence requirements.
• AI fraud detection using ensemble models trained on emerging synthetic document patterns, updated continuously as new fraud techniques emerge.
• Audit-ready outputs that capture verification method, confidence score, data extracted, and timestamp — the documentation trail required by MLR 2017 and FCA expectations.
• DIATF-aligned confidence scoring so your compliance team can map each check to the correct assurance level for the regulatory obligation at hand.

For financial services firms building CDD and KYC workflows, our banking KYC solutions integrate directly with onboarding platforms via REST API. For information on how CheckFile secures and processes identity document data in compliance with UK GDPR, visit our security page.

The Industry Verification Guide provides a sector-by-sector breakdown of verification obligations and how automated document checking maps to each regulatory requirement.

Explore CheckFile's full capabilities on the CheckFile homepage.

---

Frequently Asked Questions

What counts as a government-issued ID in the UK?

A government-issued ID in the UK is any identity document produced and issued by a UK public authority or an equivalent foreign authority recognised under UK law. The primary examples are: UK passport (issued by His Majesty's Passport Office), UK photocard driving licence (DVLA), Biometric Residence Permit or eVisa (Home Office), and — for foreign nationals — national identity cards issued by EEA member states. Documents such as National Insurance cards and NHS numbers are government-issued but do not function as standalone identity verification instruments because they lack a photograph and biometric component.

Is government ID verification mandatory under UK AML rules?

Yes, for firms in the regulated sector. Under MLR 2017, Regulation 28, regulated firms must verify the identity of customers before establishing a business relationship, using reliable and independent sources. Government-issued documents — or digital identity checks using a DIATF-certified IDSP — are the standard method of satisfying this requirement. Simplified due diligence may apply in lower-risk situations, but firms must document their risk assessment and cannot simply omit identity verification.

How does GOV.UK One Login affect business identity verification?

GOV.UK One Login is a government-operated identity platform for accessing public services — it is not a general-purpose B2C identity verification product. However, it creates an important precedent: verified GOV.UK One Login credentials, achieved through a DIATF-certified identity check, can form part of a regulated firm's CDD process where the firm's risk assessment supports reliance on that credential. The FCA and HMRC are expected to clarify reliance conditions for One Login credentials in forthcoming guidance. Businesses should not assume that a customer holding a GOV.UK One Login account has been verified to the level required for AML purposes without independently confirming the assurance level of the underlying check.

What is the difference between DIATF medium and high confidence?

DIATF medium confidence requires verification that the identity document is genuine and that some binding exists between the document and the person presenting it — typically a photograph comparison. DIATF high confidence adds a stronger liveness check, biometric face matching against the document photograph, and a fraud risk assessment. For regulated financial services, right-to-work checks for foreign nationals, and most KYC obligations, high confidence is required. Medium confidence is sufficient for right-to-rent checks and some lower-risk employment screening contexts. The Home Office and DSIT published updated confidence level guidance in March 2025 following the Data (Use and Access) Act 2025 receiving Royal Assent.

Can businesses rely on digital identity certificates instead of physical documents?

Yes, where the digital identity certificate has been issued by a DIATF-certified IDSP and the assurance level meets the requirement for the specific obligation. Under the Data (Use and Access) Act 2025, certified digital identities have equivalent legal standing to physical document checks for right-to-work and right-to-rent purposes. For AML/KYC purposes, the position is more nuanced: MLR 2017 permits reliance on electronic identification systems that are secure against fraud and misuse, and FCA-regulated firms must satisfy themselves that the system meets that bar. In practice, NFC-based ePassport verification combined with certified liveness detection consistently satisfies both DIATF high confidence and MLR 2017 reliability requirements.

---

This article is for informational purposes only and does not constitute legal, financial, or regulatory advice.