The Green Light: How the New MLR Guidance Modernises Digital Identity for Regulated Firms in the UK

What’s in Store:

  • Digital Identity allows individuals to prove who they are electronically, reducing reliance on physical documentation.
  • Digital Identity Verification Services (DVS) act as an independent, trustworthy source of information when certified.
  • The UK Digital Identity and Attributes Trust Framework sets standards to ensure the security, accuracy and credibility of digital verification service providers.
  • The UK’s AML/CFT Framework lets Relevant Persons use independent sources to verify customer identities, provided they are legitimate and reliable.
  • Certified providers listed in the UK register can be relied upon when choosing an independent Digital Verification Service Provider.
  • Relevant Persons must still apply a Risk-Based Approach and conduct full Customer Due Diligence beyond digital verification.

Anti-Money Laundering (AML), Counter Financing of Terrorism (CFT) and Counter Proliferation Financing (CPF) compliance in the UK is undergoing a significant transformation with the introduction of digital identity verification services.

HM Treasury and the Department for Science, Innovation and Technology (DSIT) have issued guidance that provides a clear roadmap for Relevant Persons on how to leverage digital verification to meet their legal obligations for AML/CFT/CPF Compliance.

What is Identity in the context of the UK?

An identity is a set of characteristics or attributes of a person. A single attribute may not adequately describe a person, but a combination thereof can help identify a person.

What is Digital Identity in the context of the UK?

A digital identity is an electronic version of an individual’s identity that allows them to prove who they are without showing physical documents such as passports or ID cards.

It is a simple and secure way for someone to prove their identity by sharing verified information, such as their name, age, or address, or biometric data, such as a fingerprint or face scan, through a trusted digital system.

These digital identities are created and verified by specialist digital identity service providers who check the information against authoritative sources before allowing it to be shared.

The rationale is to ensure that identities are securely verified once, so that businesses can rely on that verification rather than repeating the process from scratch.

What is Digital Identity Verification?

Digital Verification Services (DVS) are independent sources of identity information. They are reliable platforms that confirm a person’s identity digitally and provide verified results to businesses in need.

Digital Verification Services are usually provided by various digital identity and attributes providers that thoroughly validate the data. Their workflow involves document authentication, biometric checks, database verification, and fraud detection controls. An individual’s identity data is checked by these service providers, so the organisations receiving it can bank on it confidently.

What is the role of the UK Digital Identity and Attributes Trust Framework?

The UK has introduced a formal framework that sets the standards for the use of digital identities and Digital Verification Service Providers, known as the “UK Digital Identity and Attributes Trust Framework.”

This framework lays down how Digital Verification Service Providers (DVSPs) must operate and establishes rules covering areas such as security safeguards, privacy protections, data accuracy, fraud prevention measures, and technical reliability.

This stringent framework ensures that only those Digital Verification Service Providers that adhere to these requirements can become certified DVSPs.

Moreover, the UK maintains a public register overseen by the Office for Digital Identities and Attributes (OfDIA) that lists certified digital identity and attribute service providers. Certified DVSPs are registered on this list.

This framework provides the necessary trust factors for businesses relying on DVSPs for identity verification.  

Legal Obligation for Identity Verification in the UK for AML/CFT/CPF Compliance

The Sanctions and Anti-Money Laundering Act, 2018 (SAMLA) and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations, 2017 (MLR) form the primary AML/CFT/CPF legal framework in the UK.

MLR, 2017 outlines the definition of Relevant Persons that are subject to specific AML/CFT/CPF regulatory requirements in the UK.

According to Regulation 8 of MLR, 2017, Relevant Persons are:

  • Credit and Financial Institutions
  • Auditors, Insolvency Practitioners, External Accountants and Tax Advisers
  • Independent Legal Professionals
  • Trust or Company Service Providers
  • Real Estate Agents and Letting Agents
  • High Value Dealers
  • Art Market Participants
  • Crypto Asset Exchange Providers
  • Custodian Wallet Providers
  • Casinos

These Relevant Persons are legally mandated to apply Customer Due Diligence (CDD) measures under MLR, 2017.

Regulation 27 of MLR, 2017 states that CDD measures must be applied:

  • When establishing a business relationship
  • When carrying out an occasional transaction that amounts to a transfer of funds exceeding 1,000 Euros
  • When there is suspicion of ML/TF activity, regardless of any transaction threshold
  • When there are doubts about the veracity or adequacy of documents or information previously obtained for identification

The obligation on Relevant Persons to verify the identity of customers is explicitly stated in Regulation 28 of MLR, 2017.

Intersection of Digital Identity Verification and AML/CFT/CPF Compliance in the UK

Digital Identity Verification fits directly into AML/CFT/CPF Compliance in the UK, as the legal framework in the UK allows businesses to rely on third-party sources when verifying identities.

Regulation 28 (18) (a) of MLR, 2017, states that Relevant Persons can verify the customer’s identity on the basis of documents or information from a reliable source which is independent of the person whose identity is being verified. 

Regulation 28 (19) allows Relevant Persons to use electronic identification processes as reliable and independent sources for identity verification. To be compliant, these processes must be secure from fraud and provide a necessary degree of assurance that the person is who they claim to be.

Certified digital verification services can meet this requirement when they satisfy government standards. This means that digital identity can be used to support compliance with Regulation 28 obligations, provided the Digital Identity Verification Service is:

  • Independently assessed
  • Certified against the UK Digital Identity and Attributes Trust Framework
  • Listed on the official DVS register

The key takeaway that regulators such as the FCA and HMRC often stress is that technology can support compliance, but it must be trustworthy, transparent and properly governed.

Digital Verification Services that are not certified and not on the DVS register cannot be suitable for identity verification in compliance with the AML/CFT/CPF framework of the UK.

But it should be noted that Regulation 39 of MLR, 2017 shifts the ultimate liability of accurate CDD and identity verification to Relevant Persons. It states that while a Relevant Person may rely on a third party to apply certain CDD measures, the Relevant Person remains ultimately liable for any failure to apply those measures correctly.

What is the Digital Identity Verification Process?

Digital identity verification is a process of 5 steps: gathering evidence, checking the genuineness of the evidence, checking whether the identity has existed over time, checking whether the identity is at high risk of identity fraud, and determining that the identity belongs to the person who is claiming it.

Gathering Evidence for the claimed identity

As the first step in digital identity verification when relying on a Digital Verification Service (DVS), the Relevant Person should ensure that sufficient identity evidence has been collected to support the customer’s claimed identity.

This means confirming that the DVS has obtained appropriate identity attributes and supporting data from reliable sources.

Checking the genuineness and validity of the evidence

The next step for the Relevant Person is to confirm that the evidence used by the DVS has been checked for authenticity and validity.

This includes ensuring that the identity documents or data relied upon are genuine, unaltered and issued by a certified and legitimate DVS.

Checking if the claimed identity has existed over time

The following step is to check whether the claimed identity has existed over time and whether the DVS has verified this.

This helps ensure that the identity is not newly created or artificially generated for fraudulent purposes.

Checking if the claimed identity is at high risk of identity fraud

The subsequent step is to determine whether the DVS has assessed the risk of identity fraud associated with the claimed identity.

This may include checks against fraud indicators, suspicious activity patterns, synthetic identities or other risk signals.

Checking if the identity belongs to the person who is claiming it

The final step is to ensure that the identity belongs to the person who is claiming it.

This typically involves biometric or similar checks that link the verified identity information to the person interacting with the business.

Benefits of Leveraging Digital Identity for AML/CFT/CPF Compliance in the UK

Leveraging Digital Identity solutions for AML/CFT/CPF Compliance in the UK offers various advantages to Relevant Persons alongside regulatory acceptance.

These benefits include,

  • Swift customer onboarding
  • Fewer errors compared to manual identity verification
  • Stronger protection against impersonation or fraud
  • Better audit trails
  • Improved customer experience as clients no longer need to upload multiple documents or attend in person, which is especially valuable for remote or international onboarding.

Best Practices for Relevant Persons in the UK to Thoroughly Fulfil AML/CFT/CPF Obligations

Relevant Persons in the UK using digital identity for identity verification must adopt well-structured practices to ensure that compliance is thoroughly achieved in line with the UK’s AML/CFT/CPF legislative framework.

Using the UK Register of Certified Digital Identity Providers

When selecting a Digital Identity Service Provider, Relevant Persons must use the UK register of certified digital identity providers. This digital identity services register allows Relevant Persons to confirm the certification of the provider and choose services suitable for their risk profile.

Relying on certified providers also ensures that the identity verification process is based on trustworthy and recognised sources, as these providers have already been evaluated against government standards.

Reviewing Provider Certifications Regularly

Relevant Persons must review their chosen provider’s certification regularly. Certification status can change, so it is important to check that the chosen provider remains listed and compliant.

Additionally, periodic reviews ensure that the service continues to meet the regulatory expectations, risk appetite, and operational needs of the businesses.

Applying the Ultimate Risk-Based Approach for Customer Onboarding

Relevant Persons must note that the ultimate application of the Risk-Based Approach during customer onboarding is in their hands. They should not assume that digital identity covers all aspects of CDD, such as dissecting the purpose and nature of business relationships.

Thus, it is advisable to supplement digital identity checks with additional risk assessments. Relevant Persons must treat digital identity verification as one component of their AML/CFT/CPF program rather than a substitute for oversight.

Conducting Enhanced Due Diligence Where Necessary

Relevant Persons must continue to assess customer risk and apply Enhanced Due Diligence (EDD) where appropriate after utilising digital identity.

It should be kept in mind that digital identity can support identity verification, but it does not absolve Relevant Persons from the broader AML/CFT/CPF obligations under MLR, 2017.

Maintaining Detailed Verification Records

Relevant Persons must keep clear records of identity checks, data sources and verification outcomes to meet the Record-Keeping requirements as outlined in Regulation 40 of MLR, 2017.

Training Staff on Digital Verification

Relevant Persons must provide proper training to their staff on the concept of digital identity verification.

Staff should understand how digital identity works, its limitations, and where further measures are required. Staff should also know about certified and registered DVSPs.

How AML Consultants UK Can Help to Achieve Excellence

Integration of digital identity into the AML/CFT/CPF framework is not just a technical step; it requires the right controls, risk framework and internal understanding for Relevant Persons.

AML Consultants UK assists businesses in the UK to strengthen the specific areas that matter most when adopting digital identity for AML/CFT/CPF Compliance.

Through its customised Policies, Controls and Procedures documentation services, it helps Relevant Persons ensure that digital identity verification sits within a documented risk-based framework that aligns with the regulatory expectations for customer onboarding in the UK.

With its Customer Due Diligence and KYC Remediation Services, it supports businesses in using digital identity for identity verification while ensuring that additional risk-based measures are applied.

Through AML, CFT, and CPF Training Services, it facilitates robust training sessions on digital identity that equip staff to understand how digital verification works and when additional checks are needed. This ensures that sound judgment is applied rather than solely relying on automated tools.

AML Consultants UK also provides digital ID software selection services aimed at meeting your custom workflows and procedures.

Strengthening AML/CFT/CPF Compliance Through Certified Digital Identity

Digital identity is no longer a future concept in the UK’s AML/CFT/CPF framework; it is a recognised and regulated mechanism that can support identity verification. Through certified Digital Verification Services (DVS), Relevant Persons can access reliable and independent sources of information to meet their CDD requirements.

The UK Digital Identity and Attributes Trust Framework, along with the official register of certified providers, has created a structured certification system that brings clarity, consistency and confidence to the use of digital verification.

However, digital identity does not replace regulatory responsibility. Relevant Persons must continue to apply a Risk-Based Approach, conduct EDD where necessary, and maintain appropriate records. Thus, technology strengthens compliance, but professional judgment and governance remain essential.

With a thoughtful implementation of digital identity in an AML/CFT/CPF program, supported by proper guidance, internal controls and trained staff, digital identity can enhance both regulatory compliance and customer experience for Relevant Persons in the UK.


FAQs: Strengthening AML/CFT/CPF Compliance Through Certified Digital Identity

In most cases, yes. The updated guidance says that if you use a provider that is certified under the UK Digital Identity and Attributes Trust Framework (DIATF) and is listed on the DVS Register, that can count as using a “reliable and independent source” for verifying identity.

The responsibility stays with you. Even if a provider does the check, you remain accountable for your CDD decision. You still need to consider the customer’s risk and decide whether the digital check is enough or whether you need Enhanced Due Diligence (EDD).

You can use it for directors as well. The guidance makes it clear that certified Digital Verification Services (DVS) can be used to meet verification duties for company directors, not only individual clients.

Treat that as a red flag and review it straight away. The guidance effectively warns that if a service is not certified against the Trust Framework, it may be difficult to justify it as suitable for MLR compliance. Continuing with an uncertified provider could attract awkward questions from your supervisor during an audit.

Digital ID typically covers identification and verification only. You still need to do the other CDD pieces, including documenting the purpose and intended nature of the relationship, and completing ongoing monitoring.

Regulation 40 still applies in full. You must keep CDD records for five years after the relationship ends. Practically, that means your provider must give you a proper, downloadable audit trail. This should include the evidence behind the result and the key controls, such as the anti-impersonation measures used, in a format your supervisor will accept.

Think of it as an add-on, not a replacement. Sector guidance still matters, but if anything conflicts, the Money Laundering Regulations are the legal baseline, and this guidance reflects HM Treasury’s interpretation of them. It is also a signal that supervisors (for example, the SRA or FCA) may update their own guidance to align.

Not mandatory in the sense that a company cannot operate without it. But in practical, commercial terms, it is becoming close to essential. The guidance points regulated firms towards certified services on the DVS Register as the level of assurance expected for Regulation 28. If you are not certified, many regulated clients will struggle to justify you through vendor due diligence.

RegTech vendors are expected to meet the standards in the Trust Framework, which align with GPG 45 for identity proofing. In plain terms, that usually means strong anti-impersonation controls (such as liveness checks) and robust verification methods, including biometrics where relevant.

A pass result only supports identity verification. If the customer or the activity is high risk, such as a high-risk jurisdiction, unusual complexity, or red flags around the source of funds, you still need to apply EDD. Digital ID is a verification tool, not a shortcut around the risk-based approach.