
Digital Identity Verification for AML: A New Compliance Landscape

May 21, 2026

For a profession that has spent the last decade gradually moving away from photocopied passports and certified utility bills, the position on digital identity verification has long felt unsatisfactory. The technology has been widely available, the SRA has been broadly encouraging, clients have increasingly expected it, and many professional indemnity insurers have actively preferred it. Despite all of this, until very recently, there has been no formal statement from government as to whether a digital identity check could properly be relied upon to discharge a firm's obligations under the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLR 2017).

It should however be noted that the 2025 version of the Legal Sector Affinity Group AML Guidance Note does acknowledge that:

“In an increasingly digital age, it is clear that non face-to-face customer onboarding can no longer be viewed as always high risk (although it remains a key risk factor to be assessed in the context of the wider relationship) – a more nuanced approach should therefore be adopted to these types of relationships.

The use of EID&V is increasingly viewed as being as robust as traditional verification methods (physical documentary evidence such as passports, driving licenses etc.). Electronic verification methods are becoming increasingly more secure and sophisticated and may in fact be lower risk than traditional means in some circumstances. They can be used both at client on-boarding stage and as a tool for ongoing monitoring and the reapplication of CDD.”

The need to check the adequacy of any particular systems has now been made easier with the publication in February this year by HM Treasury and the Department for Science, Innovation and Technology (DSIT) of official guidance[1]. This was followed in March by SRA Update 148, which drew the attention of all regulated firms to the guidance and confirmed its status for AML compliance purposes. For the first time, the government has set out which digital identity processes will satisfy the requirements of the MLRs, and – just as importantly – those that will not. Firms that have been quietly assuming their current digital onboarding tools are fit for purpose now need to test that assumption against an objective benchmark.

In this article we look at what the new framework requires, how it interacts with the regime for biometric data (covered in an earlier article “Biometric Data and CDD Checks: A Data Protection Perspective”[2] and for Infolegal subscribers in our Guidance Note 11 “AML – the use of biometric data for AML checking”), and what the practical implications are for firms in the regulated sector.

Why Digital Identity Has Become Central to CDD

The starting point is the potential weakness of manual, paper-based client due diligence. Requiring clients to attend the office with a passport and a recent utility bill is slow, prone to fraud, and largely incompatible with the way in which many clients now expect to instruct a solicitor. The Covid-19 period accelerated a shift that was already underway, and firms have since adopted a range of electronic and biometric solutions. Platforms such as Thirdfort, Verify 365, Onfido, Armalytics and others have become a familiar part of the onboarding process for many practices.

The drivers for this are not difficult to identify. Identity fraud now accounts for a very large proportion of total fraud reported in the UK, and property and conveyancing transactions remain a particular target for organised criminals. Cyber-risk consistently ranks at or near the top for many firms, and PII insurers have started to ask searching questions about how identities are verified, particularly on high-value transactions. The combination of regulatory expectation, commercial pressure and client preference has meant that, for most firms, the question is no longer whether to use digital identity tools, but which tools to use and how to deploy them.

The Position Before February 2026

What has been missing throughout this period of rapid adoption is any formal confirmation that digital identity checks actually satisfy the customer identification obligations under Regulation 28 of the MLRs. The Fifth Money Laundering Directive in 2018 gave digital verification a general regulatory endorsement, and HM Land Registry published its Digital Identity Standard in 2021, offering conveyancers a "safe harbour" against recourse for fraud in land registration applications where a compliant tool had been used. But the wider AML question – whether a digital check is a sufficient form of identity verification for MLR purposes – had never been formally answered.

Firms had, in effect, been making a reasonable assumption that reputable digital tools were doing the job. With no government list of approved providers and no clearly defined standard for AML use, the assessment of any particular tool was largely a matter of professional judgement. Following the government’s "Using digital identities with the Money Laundering Regulations" guidance in February 2026, however, the position has become markedly different.

The February 2026 Guidance and the DVS Register

The new guidance is anchored to the UK Digital Identity and Attributes Trust Framework[3], a government-administered certification scheme placed on a statutory footing by the Data (Use and Access) Act 2025. Providers that meet the framework's technical and governance standards are independently assessed by conformity assessment bodies overseen by the UK Accreditation Service (UKAS) and, when certified, are listed on the GOV.UK Digital Verification Services (DVS) Register[4].

The guidance makes three points that firms cannot afford to overlook.

  • First, certified and registered DVS providers can be used to fulfil identity verification obligations under Regulation 28 of the MLRs. This is the regulatory clarity that the sector has been waiting for.
  • Second, providers that are not certified against the trust framework and not on the DVS Register cannot reliably be considered suitable for AML identity verification.
  • Third, the firm's regulatory accountability does not transfer to the provider. Using a DVS handles the identity verification component of CDD only; everything else – the client and matter risk assessment, enhanced due diligence where appropriate, ongoing monitoring, source of funds checks and record-keeping under Regulation 40 – remains entirely the firm's responsibility.

The SRA, in Update 148[5], has reinforced this last point with particular emphasis. Firms should not assume that running a client through a digital tool discharges their wider CDD obligations. Understanding the purpose and intended nature of the business relationship, and ongoing scrutiny of the matter, are not aspects that digital identity covers. Regulation 19(4)(c) MLR 2017[6], which requires firms to take account of new technologies in their policies and procedures, is also flagged as something to bear in mind when adopting these tools.

It is worth noting one further point that the SRA has drawn out: the DVS Register and the HM Land Registry "safe harbour" standard are separate regimes[7]. A provider may be on one without being on the other, and conveyancers may need to satisfy both depending on the context. A provider advertising as "safe harbour compliant" is not automatically on the DVS Register, and the assumption that the two are interchangeable should not be made.

What the Trust Framework Actually Requires

For firms that have not engaged with the technical detail of digital identity, the framework can appear opaque. In essence, it sets out what a digital verification service has to do in order to be considered reliable. This includes the quantity and quality of identity evidence collected (whether, for example, the service reads the chip in a biometric passport rather than merely capturing an image of the document), how that evidence is cross-checked against authoritative data sources, the anti-impersonation measures in place (such as liveness checks to confirm that the person presenting an identity is real, present, and not a recording or static image), and the level of identity assurance achieved.

Levels of assurance are set out in Good Practice Guide 45 (GPG 45)[8], running from low to very high. Firms should not simply confirm that their provider is on the DVS Register, but should also satisfy themselves that the certification covers the use case they are relying on it for and at a level of assurance that is appropriate to the risk profile of their clients. A tool certified for low-risk right-to-work checks may not be appropriate for high-value conveyancing matters involving complex client structures.

A new "CertifID" trust mark was introduced in March 2026[9] alongside version 1.0 of the framework. Where displayed, it will indicate that a provider has been certified and is subject to ongoing oversight, which should help firms and auditors to make a quick visual assessment of whether a tool meets the required standard.

The Biometric Data Dimension

Behind almost every digital identity check sits a piece of biometric data – most commonly a facial scan matched against a passport or driving licence photograph, sometimes combined with fingerprint or other identifiers. Biometric data of this kind is classified as special category data under Article 9 of the UK GDPR[10], and its processing is generally prohibited unless one of the specific conditions in Article 9(2) applies.

For AML purposes, firms typically rely on Article 9(2)(g) – processing necessary for reasons of substantial public interest – supported by Schedule 1, Part 2, Paragraph 10 of the Data Protection Act 2018[11], which addresses the prevention or detection of unlawful acts. This provides a defensible lawful basis, but it does not exempt firms from the other requirements of the data protection regime. The use of biometric data engages the data minimisation principle, the requirements on secure storage, encryption, access controls, retention and deletion, and the rights of data subjects to be informed, to correct, and in limited circumstances to object to processing.

Two practical consequences follow. The first is that a Data Protection Impact Assessment (DPIA) is required. Processing biometric data for identity verification falls squarely within the kinds of high-risk processing for which a DPIA is mandatory under Article 35. The DPIA should identify the purpose of processing, assess the risks to data subjects, evaluate the proportionality of the use, and set out the technical and organisational measures used to mitigate risk. It should be reviewed when technology, providers or processes change, not filed away once completed. Our Guidance Note 11 sets out a structured framework of twelve issues that the DPIA should cover, ranging from purpose and necessity through legal basis, security, third-party providers, transparency and consent, data subject rights, and incident management. Infolegal subscribers also have access to a DPIA form on the Infolegal InfoHub to assist them with this.

The second consequence is that privacy policies and terms of business need to reflect what is actually happening. If a firm is using a tool such as Thirdfort, Onfido or a comparable platform, the privacy policy needs to disclose the processing of biometric data, identify the lawful basis, explain the retention period, and set out what rights the client has in relation to that data. Many firms updated their privacy notices for the introduction of the UK GDPR but have not revisited them since their digital onboarding tools went live. Now is the time to do so. The terms of business should also signpost the processing and refer the client to the privacy policy for further detail.

The Connection to Companies House Identity Verification

It is impossible to discuss digital identity for AML purposes without addressing the parallel regime introduced by the Economic Crime and Corporate Transparency Act 2023[12]. From spring 2025, company directors and persons with significant control (PSCs) became required to verify their identity, either through GOV.UK One Login or through an Authorised Corporate Service Provider (ACSP). The February 2026 guidance has, in effect, joined these two regimes together at the level of infrastructure: certified DVS providers can be used to verify the identity of company officers for both Companies House and AML purposes.

For firms that act as ACSPs, or that routinely onboard corporate clients and need to verify the directors and beneficial owners behind them, this is a useful simplification. A single, properly certified provider can potentially satisfy both obligations through one consistent onboarding journey. For firms that have set up two parallel systems – one for Companies House and another for AML – it is worth pausing to consider whether the position can be rationalised, and whether the AML-side tool is in fact on the DVS Register.

The Supervisory Context

This guidance arrives at a time when AML supervision of the legal sector is markedly more active than it has been in the past. The SRA's most recent AML report records a substantial increase in supervisory engagements during 2024-25, with conveyancing firms continuing to receive particular attention. Anyone who has been through a recent inspection will be aware that the focus is forensic: the inspector wants to see not only that policies exist, but that they are being applied on individual files, with documentation that supports the decisions taken.

Digital identity is now squarely within the scope of these inspections. An inspector reviewing onboarding documentation will be in a position to ask three direct questions: which provider was used; is that provider on the DVS Register; and does the firm's AML policy address its use of certified digital identity services? A firm that cannot answer these questions positively will have a compliance gap that is now far easier to identify and articulate than it was even a year ago.

Practical Steps for Firms

Against this background, there is a relatively short list of things that firms should be doing in the short term. The starting point is to confirm whether the firm's current digital identity provider is on the DVS Register. The register is publicly accessible on GOV.UK[13] and the check takes a matter of minutes. If the provider is not listed, the firm should ask the provider whether registration has been applied for and what the expected timescale is, and should consider whether an alternative provider is needed in the meantime.

Second, the firm should review what the certification actually covers. Being on the register is necessary but not sufficient – the certification needs to extend to the use case the firm is relying on it for, at an appropriate level of identity assurance given the firm's client and matter risk profile.

Third, AML policies, procedures and the firm-wide risk assessment should be updated to refer expressly to the use of certified digital identity services. The DPIA in relation to biometric data should be reviewed at the same time, both for substantive content and for currency. Privacy notices and terms of business should be aligned with what the firm is actually doing.

Fourth, staff involved in client onboarding need to understand the boundaries of what a digital tool can and cannot do. A successful DVS check verifies an identity; it does not assess client risk, perform source of funds checks, satisfy enhanced due diligence requirements or evaluate the purpose and intended nature of the retainer. These obligations remain entirely with the firm and need to be evidenced on the file.

Finally, record-keeping should be reviewed against Regulation 40 MLR 2017. Identity documents and CDD information must be retained for at least five years from the end of the business relationship or transaction, and that obligation applies whether the verification was carried out digitally or by traditional means.

Looking Ahead

The February 2026 guidance is unlikely to be the last word on this subject. Further amendments to the MLRs are expected during 2026 and the broader move – flagged in HM Treasury's review of the MLRs and in the consultation on transferring AML supervision of the legal sector to the FCA – is towards a more closely supervised and technically prescriptive regime. The direction of travel is now clear: digital identity is moving from being an optional efficiency to being an expected and properly regulated component of a compliant CDD process, but on the regulator's terms.

For most firms, the implications are manageable, but they do require attention rather than assumption. The combination of the new guidance, the Trust Framework, the data protection requirements that attach to biometric data, and the parallel Companies House regime means that the regulatory architecture around client identification has become more complex and more demanding to navigate. Firms that engage with it proactively – checking their providers, updating their documentation, training their staff, and ensuring their DPIA and privacy notices are current – will be well placed when an inspector or insurer asks the question. Those that do not may find the conversation considerably less comfortable.

At Infolegal, we are updating our Guidance Note 11 on biometric data, our Office Procedures Manual, and the relevant precedent privacy policies and terms of business to reflect the February 2026 guidance, and the issues addressed here will form part of our forthcoming AML training updates. Subscribers will find the revised materials on the InfoHub in due course.

[1] https://www.gov.uk/government/publications/using-digital-identities-with-the-money-laundering-regulations

[2] https://www.infolegal.co.uk/articles/biometric-data-and-cdd-checks-a-data-protection-perspective

[3] https://www.gov.uk/government/collections/uk-digital-identity-and-attributes-trust-framework

[4] https://www.gov.uk/guidance/digital-identity-and-attributes-trust-framework

[5] https://www.sra.org.uk/news/news/sra-update-148-digital-id/

[6] https://www.legislation.gov.uk/uksi/2017/692/regulation/19

[7] https://www.gov.uk/government/publications/encouraging-the-use-of-digital-technology-in-identity-verification-pg81/practice-guide-81-encouraging-the-use-of-digital-technology-in-identity-verification

[8] https://www.gov.uk/government/publications/identity-proofing-and-verification-of-an-individual

[9] https://enablingdigitalidentity.blog.gov.uk/2026/03/16/uk-certifid-a-mark-of-trust-in-digital-verification-services/

[10] https://gdpr-info.eu/art-9-gdpr/

[11] https://www.legislation.gov.uk/ukpga/2018/12/schedule/1/part/2

[12] https://www.legislation.gov.uk/ukpga/2023/56

[13] https://www.gov.uk/guidance/digital-identity-and-attributes-trust-framework