By Jaye Hackett Chief Technology Officer at Vouchsafe
Fraud teams have been handed a really vital tool, in the form of the government’s 1.0 release of the new digital verification service trust framework. This document is the rulebook that companies that verify identity, age and address will need to follow.
It explains what certified providers must do, how they should handle data, and what good digital verification is supposed to look like.
It matters now because identity checks are under pressure.
AI tools have made it far easier to create convincing fake documents, spoof biometrics and even build a believable trail of a made-up identity online. Fraudsters can automate this and do it at an industrial scale.
Systems built for a world of slow, manual attacks look dated.
All this unpleasantness means that this new framework is particularly timely; a roadmap for how we can all shift away from document checks and toward digital evidence that can be reliably verified.
Clearer rules for digital ID wallets
One important change is a stronger focus on digital wallets and the services that check the credentials inside them.
The framework adds rules for “holders”, which store digital credentials, and “orchestrators”, which validate and pass them on.
If digital IDs are going to become the go-to for KYC checks, they can’t be black boxes. There needs to be transparency in what each one has come from, and the new rules are a step toward that.
A new trust mark
The second big change is a formal trust mark.
Providers that have been independently audited against the framework will be able to display it on their websites and materials.
It will give buyers a quicker way to tell who has actually been certified and who has not.
It will not remove the need for supplier due diligence, but it should make it easier to separate stronger providers from those making broad claims without the same level of assurance.
Now that the government has confirmed that all KYC/AML checks should use certified providers, this should be an easy thing for procurement teams to look for.
Tighter rules on data use
The framework also tightens the rules on how providers can use verification data after it’s been collected.
Certified providers are not allowed to use data for things like marketing, and the new framework extends this to cover metadata like the kind of evidence used.
These limitations make the whole system more trustworthy.
Better guidance for vouching
The most practically important change is the updated vouching guidance.
There’s eleven million people in the UK who don’t have a passport or driving licence, and they’re often shut out of services that need identity checks.
Using a vouch from a trusted referee gives them a safe, easy way to get verified.
The old vouching guidance was not very useful, but this version lays the foundation for a “digital guarantor” system that could transform the economy and make a real change to digital inclusion.
What it means for fraud fighters
The age of visual document checks is ending. They were built for a world where documents were harder to fake and attackers operated at human speed.
That world has gone.
The updated trust framework will not solve identity fraud on its own, but it does give the market a much better foundation for fighting it.
Firms using certified providers don’t need to get certified themselves, but they will still need to follow the framework’s rules.
So, businesses cannot treat certification as a way to outsource responsibility. They still need to use these services in the right way, with the right controls and within the right boundaries.
That is why the new framework is such a valuable tool for fraud fighters. It gives firms a clearer, stronger basis for using digital ID properly in a threat landscape that has changed for good.
Jaye Hackett is Chief Technology Officer of Vouchsafe, a company that helps firms replace traditional document-based identity checks with digital ID acceptance, with fallbacks for those without.
Photo by freestocks on Unsplash
