Your Legal Responsibilities When Proving Someone’s Identity

Elliot Sandhurst

11 Jun 2025

If your business asks people to prove who they are, whether to work, rent, bank, travel, or gain access to sensitive sites, then you’re already in the identity game. But the rules of that game are tightening.

From GDPR and AML regulations to the new Data (Use and Access) Bill, the UK is entering a new phase of data-led, regulation-driven identity proof.

Let’s break down your legal responsibilities and what’s about to change.

Your Existing Legal Duties

Identity verification is already regulated under a patchwork of frameworks, depending on your sector:

Employment & Immigration

  • Home Office guidance under the Immigration, Asylum and Nationality Act 2006

  • Employers must conduct right to work checks using:

    • Original physical documents or

    • An approved IDSP (Identity Service Provider)

  • Failing to do this risks civil penalties of up to £20,000 per illegal worker

AML & KYC (Finance, Legal, Real Estate)

  • Governed by the Money Laundering Regulations 2017, supervised by the FCA, HMRC, or relevant professional bodies

  • You must:

    • Collect and verify official ID (passport, DL, etc.)

    • Assess source of funds, ownership, and PEP/sanctions status

    • Maintain records for at least 5 years

Security-Cleared Roles (Airports, Nuclear, Government)

  • Subject to BPSS, SC, or CTC clearance frameworks

  • Requires full verification including:

    • Birth certificate or passport

    • Address history

    • Criminal record checks

    • Confirmation that documents are valid and issued to the individual presenting them

What’s Changing: The Data (Use and Access) Bill

The Data (Use and Access) Bill introduces a regulatory framework for Digital Verification Services (DVS). It doesn’t just encourage better ID checks; it legally formalises how they should happen.

Key Takeaways:

  • DVS Trust Framework: The bill provides statutory powers to create a regulated environment for digital ID providers

  • Mandatory registration for providers who want to operate legally in regulated spaces

  • Trust Mark: A government-backed symbol showing a provider meets official standards

  • Public Authority Gateways: Enable real-time validation of data (e.g., from DVLA, HMRC)

  • Power of the Secretary of State to remove, restrict, or approve services

  • Backed by civil penalties, enforcement rights, and obligations to publish compliance reports

In short: unregulated ID checks won’t cut it much longer.

So What Are Your Legal Obligations?

If you're collecting, processing, or acting on identity information, you must ensure that:

  • You’re using legal grounds for processing (per UK GDPR)

  • Your storage practices meet security requirements

  • You can produce audit trails on request

  • You’re using a certified or approved provider if mandated (as is likely under the new DUA Bill)

  • You don’t rely solely on visual checks without validation

The Risks of Non-Compliance

Non-compliance doesn’t just risk a slap on the wrist. You could face:

  • Data protection fines under the UK GDPR (up to £17.5 million or 4% of global turnover)

  • Civil penalties under AML or immigration law

  • Loss of license from sector regulators (FCA, SRA, HMRC, etc.)

  • Criminal liability in extreme cases

In the future, as DVS regulations tighten, unverified checks could become a regulatory breach in themselves.

How Xertilox Helps You Stay Compliant

At Xertilox, we’re not guessing; we’re building our verification system in line with:

  • The upcoming Digital Verification Services Register

  • The DUA Bill’s Trust Framework

  • Existing legal duties under GDPR and industry-specific codes

Your Legal Checklist for Identity Verification

  • Use a compliant provider

  • Understand the rules that apply to your sector

  • Avoid visual-only or unverified checks

  • Provide clear, lawful consent and privacy terms

  • Keep auditable records

  • Prepare for the Trust Framework… it’s coming fast

Final Thoughts from Xertilox

At Xertilox, we welcome the introduction of the Data Use & Access Bill (DUA). It marks a pivotal moment for digital identity in the UK, moving us from patchwork guidance to a formal, regulated framework that puts trust, transparency, and accountability at the heart of verification.

The establishment of the Digital Verification Service (DVS) and the forthcoming Trust Mark gives providers like us the tools, and the responsibility, to lead from the front. It’s not just a compliance box to tick; it’s a chance to fight fraud head-on, raise the bar for security, and make identity work better for individuals and businesses alike.

Because in a world where anyone can be anyone, it's time we start proving identity — not just accepting it.

Need to verify identity the right way?

Book a quick call with our team to see how Xertilox helps you stay compliant, reduce risk, and onboard with confidence.
Schedule a Demo or visit Xertilox.com