What the UK’s digital identity guidance means for COLPs and MLROs


Most law firms already rely on electronic identity verification (eIDV) to meet their obligations under the Money Laundering Regulations (MLRs). The February 2026 guidance doesn’t change that.

What it does change is the standard against which your approach may increasingly be judged.

This isn’t about whether digital ID is acceptable. It’s about how well you can evidence and justify the level of assurance your firm relies on.

This is not a new permission - it’s a clearer benchmark

The guidance confirms that firms can use digital identity services to satisfy identity verification under Regulation 28, provided the approach is appropriate to the risk.

That position isn’t new.

What is new is the clarity around what “good” looks like - and the increasing role of independently certified providers within that.

For COLPs and MLROs, this shifts the conversation from “Are we allowed to use eIDV?” to “Can we justify the level of assurance our approach delivers?”

The key shift: from vendor choice to assurance and evidence

The guidance points directly to the UK Digital Identity and Attributes Trust Framework (DIATF), which introduces:

  • Certification standards for digital identity providers

  • A government register of approved Digital Verification Services (DVS)

  • Defined assurance levels and confidence frameworks

This matters because it creates a more objective way to assess identity verification.

In practice, you should expect scrutiny to move toward questions like:

  • Is the provider independently certified?

  • What level of assurance does the verification journey achieve?

  • What evidence supports that outcome?

  • Is the process auditable and repeatable?

This is a shift from “which tool did you use?” to “what level of confidence did you achieve, and why was it appropriate?”

What this means in practice for your role

1) You may need to evidence why your approach is appropriate

A risk-based approach remains central. However, the expectation is moving toward being able to clearly articulate:

  • Why a given level of identity assurance is sufficient for a specific client or matter

  • What checks were performed (e.g. document validation, biometrics, fraud signals)

  • How the outcome can be evidenced in an audit or regulatory review

For example:

In a high-value residential conveyancing transaction involving a remote client, you may need to justify why a lower-assurance verification method was considered sufficient, particularly in light of known impersonation risks in the sector.

2) Supplier due diligence is becoming more structured

Historically, due diligence on eIDV providers has often relied on:

  • Reputation

  • Cost

  • Market presence

  • Product features

Going forward, you should expect a more structured approach, including:

  • Whether the provider is certified under the Trust Framework

  • Whether they are listed on the DVS Register

  • What assurance levels their service is designed to meet

  • What independent assessment underpins those claims

Certification is not mandatory, but it is increasingly likely to become a benchmark for defensibility.

3) Higher-risk matters may require higher-assurance identity verification

The guidance places clear emphasis on fraud resilience and strong identity assurance, including:

  • Biometric verification

  • Validation of cryptographic credentials (e.g. passport chips)

  • Use of authoritative data sources

  • Detection of impersonation and synthetic identity risks

This does not mean applying the highest level of verification in all cases.

However, it does mean that where risk is higher, you should be able to demonstrate that your identity verification approach reflects that and that the controls used are proportionate to the risk.

Digital identity is only one part of your AML framework

It’s worth reinforcing: this guidance is narrowly focused on identity verification.

Your broader AML obligations remain unchanged, including:

  • PEP and sanctions screening

  • Adverse media (where appropriate)

  • Source of funds/source of wealth

  • Ongoing monitoring

Digital identity should be understood as one component of a wider control framework - not a replacement for it.

Where Thirdfort fits

Thirdfort is certified under the UK Digital Identity and Attributes Trust Framework (DIATF) and is listed on the government’s Digital Verification Services (DVS) Register.

For COLPs and MLROs, that matters for one reason: independent assurance.

It provides an externally validated basis for demonstrating that your identity verification provider meets a recognised standard.

Delivering appropriate assurance in practice

Thirdfort’s identity verification journeys can be configured to align with the level of assurance required for different risk scenarios.

Where higher assurance is needed, this is typically achieved through:

  • NFC-based passport verification (chip reading combined with biometric matching), or

  • Combined document, biometric, and electronic data checks

These approaches are designed to:

  • Validate that identity evidence is genuine and unaltered

  • Confirm the individual is the rightful holder of that evidence

  • Apply multiple fraud controls to reduce impersonation risk

  • Produce a clear, auditable result

Where such a journey is completed successfully with no relevant risk indicators, it can provide a high level of confidence in the individual’s identity, consistent with the direction set out in government guidance.

The practical takeaway

You do not need to change your approach to identity verification overnight.

But you should ensure that your current approach is:

  • Defensible - you can explain why it is appropriate for the risk

  • Evidenced - you can demonstrate what was done and what assurance was achieved

  • Auditable - outcomes can be reviewed and relied upon

  • Supported by credible providers - with independent certification

The direction of travel is clear: identity verification is becoming less about tools, and more about assurance, evidence, and accountability.

For COLPs and MLROs, the question is no longer just “are we using a technology solution?” - but “is our provider independently recognised, and can they evidence the level of assurance they deliver for the risk, and how they achieve it?”
