Whitepaper
The UK already has a working digital identity infrastructure. The legislation is in place. The governance is operational. Certified providers are verifying identity and age for regulated businesses at scale, and HM Treasury has confirmed that these services meet anti-money laundering requirements for identity. DSIT puts the economic benefits of widespread adoption at £701 million a year, with the sector already delivering £2bn of economic growth and 10,000 jobs.
The debate has moved on from whether the UK should adopt digital identity. It is now about how the next phase is structured:
OneID has spent six years building and delivering identity verification within the trust framework. We were the first company to be certified as an orchestration provider and as a holder/wallet provider.
We have structured our approach to identity at scale around the six principles of the UK’s trust framework: privacy, transparency, inclusivity, interoperability, proportionality, and good governance. For each, we describe what good delivery looks like, where the risks sit, and what we have learned.
We have been delivering digital identity services within the UK’s trust framework since its earliest iterations. Over 10 million people have verified their identity or age through OneID in 2025 alone. This article draws on six years of building, testing, and scaling verification across regulated industries. We know what the UK has. We know what it needs, what works and what doesn’t from lived experience. And we understand the risks of getting it wrong.
The UK does not need to build an identity ecosystem from scratch. It already has it.
Legally valid digital identity services have existed since 1 December 2025, when Part 2 of the Data (Use and Access) Act 2025 commenced. The Act placed the Digital Verification Services Trust Framework on a statutory footing, creating a regulated ecosystem where providers verify identity and age to government-defined standards, under independent certification and government oversight.
The foundations go deep. The trust framework sets the rules. UKAS-accredited ‘Conformity Assessment Bodies’ audit providers against those rules. Open identity standards, GPG44 for authentication and GPG45 for identity proofing, build on established global protocols from W3C and OpenID Connect. OfDIA, sitting within DSIT, governs the framework, maintains the public register, and published the 1.0 pre-release in March 2026. A government-protected trust mark will follow once certification against the new version opens later this year.
The government is actively steering regulated sectors toward these services. HM Treasury and DSIT published joint guidance on 26 February 2026 confirming that providers on the DVS register can satisfy identity verification requirements under Regulation 28 of the Money Laundering Regulations. Supplementary codes are live for right to work, right to rent, and DBS checks. Mandatory licence conditions under the Licensing Act 2003 are being updated to allow DVS for alcohol age verification.
OfDIA estimates that widespread adoption of digital identity could deliver £701 million per year in economic benefit to the UK.
None of this is theoretical. It is up and running, right now, serving millions of people across the economy.
The government should focus limited resources on building services that only the government can provide, which includes:
The underlying government services: benefits, tax, healthcare, education etc. These services need to be inclusive (accessible by everyone in the country who needs them) and delivered according to entitlement (i.e. those who are entitled are aware of and can get the service, those who aren’t, like fraudsters, don’t).
The focus of the government consultation on digital identity launched in March 2026 is on improving government services. It is necessary to digitise services to make them more accessible, more effective and cheaper to run - but this isn’t digital ID; digital ID is the access layer rather than the underlying service. The two topics should be split and handled separately.
Government digital credentials: the government digital roadmap announced in January 2025 requires all departments to offer digital credentials alongside physical equivalents by the end of 2027. Only the government can issue and sign government digital credentials.
Providing services and issuing government credentials sit naturally with the government. Issuing and cryptographically signing official credentials requires the authority of the issuing department (e.g. DVLA signs digital driving licences, HMPO signs digital passports). Improving how people access public services requires the government to redesign those services. No private company can do either of these things.
There are three other roles that government wants to play that could be played by public or private sector:
The digital identity strategy for the UK should include rationale for which roles the government plays, and if it plays the same roles as the private sector, why it needs to play those roles, and what the costs, benefits and risks are of that service provision. The consultation calls out the clear risk to the UK’s private sector growth and jobs of government building ID services.
A competitive market of providers on the DVS register is already operating at scale. Each has been independently assessed for reliability, security, and resistance to impersonation. They serve financial services, gambling, telecommunications, online platforms, and other regulated industries; many of the use cases that the government is also targeting for its own digital wallet service.
OneID provides services to all of these sectors; businesses integrate once and gain access to multiple verification methods. We route each person to the method most likely to succeed based on what they have available: a bank account, a mobile phone contract, a government-issued document, or an international credential. They complete a consent-based process in seconds, and we return a verified result. OneID enables the secure transfer of verified data, but does not store the actual personal data once the transaction completes.
This easy-to-use model is why we see 80-90% of people complete bank-based and digital wallet verification, compared to 50-60% for document scanning processes. The method that works for the person is the method that works for the business, increasing revenues. That has held true in every sector we have operated in.
The foundations are strong. The decisions taken in the next twelve months will determine whether the UK scales what it already has, creating more economic growth and jobs, or whether the government duplicates services by reaching further into the private sector, putting growth at risk.
Some functions belong with the government - things that ONLY the government can do: improving public services, issuing government credentials, governing the framework. Some roles are better played by the private sector - with a track record of technology delivery at scale and pace: verifying identity for commercial transactions (and possibly public ones in the future), orchestrating across data sources, building the verification journeys that people actually complete, adding a privacy layer.
There should be informed decisions on the key questions: Can citizens choose which DVS to access public services or which wallet to store their government-issued digital credentials? Does it make sense for government to target private-sector use cases and compete against its own private sector? What is the best mix of services and players to maximise adoption, privacy and the overall return for the UK, whilst minimising taxpayer costs?
Three risks follow if these questions are not addressed:
If the government builds verification and wallet services that replicate what DVS providers already deliver, the taxpayer funds something that already exists and the citizen sees no improvement. Two parallel systems serve the same function, funded differently, competing for the same users. The cost goes up. Coverage does not.
The UK's DVS sector has attracted significant private investment on the basis that the government would set standards and the market would deliver services. If that boundary shifts, investment stalls and the companies best positioned to scale adoption pull back. This leaves gaps that the government cannot fill, impacting digital adoption and productivity. The UK cannot afford to undermine its own ecosystem at the point where adoption is accelerating.
Nearly three million people signed a parliamentary petition opposing mandatory digital ID. Independent polling suggests a majority of the public does not trust the government to keep digital identity data secure. Meanwhile, millions of people already use private sector identity services voluntarily, because those services are consent-based, proportionate, and do not involve handing data to the state. Clarity on who provides which services, and on what basis, is a trust question before it is a technical one. Citizen choice is a prerequisite for trust.
The EU provides a useful reference point. Under the European digital identity framework, public and private sector providers operate under the same rules. Digital wallets are equivalent regardless of who supplies them. Credentials issued by the government are portable across providers, not locked to a single application.
A similar approach for the UK would rest on five fundamental principles.
Public and private sector services should play by the same rules, certified to the same standards. The DVS trust framework already provides this. Extending it consistently is more efficient than creating parallel governance and rules that prefer a government-provided solution over others.
Citizens should be able to choose any certified wallet and store government credentials in it. Without choice, a two-tier system emerges where the government wallet is preferred over others.
Improving public services, issuing official credentials, and governing the framework require the authority of the state. Where the private sector has already funded, built, and certified services that meet the DVS standards, the government should be the provider of last resort, not a direct competitor. Focus on inclusion rather than a market that is already well-served by others.
Policy makers and the public should be able to see how decisions about One Login scope, the GOV.UK Wallet, and any future government-delivered services are being evaluated: the need, the scope, the cost, and how each compares to what already exists on the DVS register. One Login continues to expand (Pensions Dashboard, Companies House, Wallet and Checker app) without a robust justification process.
People should choose which provider they use to access services, including public services. A government monopoly on digital identity access concentrates risk, reduces resilience and privacy, and contradicts the principles of the trust framework. Choice is not a concession. It is how the framework was built to work.
These are not abstract principles. They reflect what we have learned building and scaling identity verification across the UK’s regulated industries. The sections that follow explore each in detail.
The trust framework rests on six principles: privacy, transparency, inclusivity, interoperability, proportionality, and good governance. Every certified provider is assessed against them. Any new national identity components should be held to the same standard.
Control at the point of transaction
People already verify themselves dozens of times a day. Banking apps, contactless payments, biometric device access. They do not object to verification. They object to verification that takes more data than it needs, shares it without clear consent, or holds on to it after the fact. Citizens are concerned about government over-reach and a Big Brother approach; private sector DVS adds a privacy layer that protects citizens.
Good infrastructure puts control where it belongs: with the person being verified. They initiate the process. They consent to what is shared. They can see what went where. Open banking already works this way, and DVS digital identity has the same approach.
The danger is infrastructure designed without these controls. Systems that collect by default, retain indefinitely, or pass data between government departments without per-transaction consent are exactly what has driven public opposition to digital identity in the UK. Getting privacy right is not a communications challenge. It is a design decision that has to be made before the first line of code is written. The concerns about a single identifier that links services and a citizen registry come with a national ID programme, but these are separate components from a digital ID credential, and the issues need to be dealt with separately.
OneID was built around a strong privacy model. We store consent, not data. We minimise who knows what about each transaction, known as a ‘double-blind’ approach. When we verify someone, we draw from authoritative sources, banks, mobile operators, government departments, at the point of need and return a result. We do not copy personal data into another database. Every check is initiated by the user, consented and authorised for a specific purpose. The output is an outcome, not a dataset.
This is not just better for the person being verified. It is structurally safer for everyone involved. Less data held means a smaller breach surface (one that exposes only encrypted tokens, not usable data), simpler compliance, and higher trust. People finish verification when they trust the process. They walk away when they do not.
Knowing who you are dealing with
Trust requires visibility. People need to know which provider is handling their data, what standards that provider meets, and how to check those claims independently.
The DVS register already does this. It is a public, government-maintained list of providers that have passed independent certification. The 1.0 framework introduces the UK CertifID trust mark, a government-endorsed signal that a service meets the required standard. GDPR compliance, clear privacy notices, and defined data rights sit alongside the certification.
This infrastructure exists. It gives people a simple way to verify whether a service has been assessed to the standard the government has set. Any new national identity credential should build on this transparency.
Reaching everyone, not just most people
No single verification method works for the entire population. Passports exclude the 12 per cent of UK adults who do not hold one. Facial age estimation excludes those who cannot or will not use a biometric scan. Even bank-based verification, which has the highest ID coverage at 90% of UK adults, misses those who don’t use online banking.
Real inclusivity means orchestration: routing each person to the method that works for them, drawing on the widest possible range of trusted sources. 98% of adults have a bank account, with 90% online. 96% have a mobile contract. 88% have a passport. 75% have a driving licence. None of these covers everyone alone. Through a single integration, OneID approaches universal coverage of UK adults.
A business connects once. We handle the routing. If someone does not have a passport, they verify through their bank. If they do not have a UK bank account, they use an international credential. If one data source is temporarily unavailable, the system falls back to another. The person does not need to know or care how it works. They just complete the check.
Our services are also aligned with Ofcom's highly effective age assurance standards. The principle is simple: the first option presented should be the one most likely to be completed, not the cheapest to implement.
Distributed resilience
Identity infrastructure that depends on a single provider creates concentration risk. One outage stops the system. One breach exposes the population. One price increase has no competitive check.
Resilient infrastructure is distributed. Multiple providers operate against a common standard, competing on quality and value. Businesses choose the provider that fits. Users are not locked into a single app. The DVS trust framework already supports this. It is the same model that delivers banking and telecommunications in the UK: the government sets the rules, the market delivers the services, and competition drives improvement.
OneID operates as an orchestrator within this ecosystem. We connect businesses to the most appropriate verification method for each transaction, drawing on multiple data sources through a single integration. We are not trying to be the only provider, and we integrate with many others. We are trying to be the one that most people finish.
Collecting only what is needed
A pub confirming someone is over 18 should not need their passport number or home address. A financial services firm running Customer Due Diligence should only retain personal data to meet record keeping regulation. An employer confirming right to work should not have to keep a database containing image copies of everyone’s passports (although Home Office rules currently require this).
The principle is straightforward: collect only what the task requires. This reduces breach risk, simplifies compliance, and makes people more willing to complete the process. Selective disclosure is technically achievable now; customers only share data they want to.
The safest identity system is the one that holds the least data. Every additional data point collected is a liability, not an asset.
We confirm the outcome, verified person and verified data, without storing the underlying evidence. The banks, mobile operators, and government departments that hold the source records retain them under their own regulatory obligations. We do not duplicate them.
Accountability with consequences
Governance is what separates a trustworthy system from a branded one. The standards need to be rigorous. The certification needs to be independent. And the consequences for failure need to be real.
The UK has all three. The trust framework sets the rules. UKAS accredits the auditors. The auditors assess providers. DSIT conducts national security checks. OfDIA maintains the register under statutory authority. If a provider falls short, its certification is withdrawn and its listing removed. There is no grey area.
GPG45 defines four levels of confidence for identity proofing: low, medium, high, and very high. This lets regulated firms match assurance to risk. A right to work check may require a different confidence level than an age check at a supermarket self-checkout. The framework accommodates this without imposing a single standard on every transaction.
OneID verifies identities up to "very high" confidence under GPG45 and has been independently assessed for reliability and security since the framework's early days. It is also certified to meet all of the requirements under the UK’s Money Laundering Regulations and JMLSG guidance. This, combined with the February 2026 HM Treasury guidance for firms in scope for AML, gives confidence to MLROs that DVS solutions can both enable customer service improvements AND compliance at the same time.
Principles matter when they survive contact with actual requirements. These three use cases sit where regulatory obligation and commercial demand meet.
Employers have a statutory duty to prevent illegal working. A compliant check, completed before employment starts, provides a statutory excuse against civil penalties that can reach £45,000 per worker for a first breach.
Since April 2022, employers have been able to use providers on the DVS register to conduct digital right to work checks for British and Irish citizens with valid passports. The Home Office recommends using a provider certified against the trust framework and the supplementary code for digital right to work. The check authenticates the passport and confirms the holder's identity, removing the need for the employer to inspect the original document in person.
This works today. Businesses across the UK are already running digital right to work checks through DVS. The process is faster, more reliable, and produces a stronger audit trail than manual inspection.
The government wants to mandate employers to do digital checks by 2029. They could instead make this mandate now, as the digital checks are already possible and used via DVS. Providers could supply aggregated, anonymised data on employer checking activity, giving government better enforcement intelligence without processing every jobseeker's personal data. The government would not need to build a right to work verification service for five million UK businesses. These services already exist on the register. This would accelerate enforcement and disincentivise illegal immigration.
OneID conducts right to work checks using allowed identity evidence, to the confidence level the Home Office requires, with a clear audit trail. The employee initiates the check and consents to the data share. The employer gets the evidence they need for their statutory excuse, in seconds.
Research from Signicat found that 68 per cent of consumers abandoned a digital application in the past year. The identity check is where most of them leave. For regulated firms, every abandoned application is lost revenue and a compliance blind spot. The firm cannot know whether the person who walked away was a legitimate customer or a risk.
The February 2026 HM Treasury guidance confirmed that providers on the register can satisfy CDD requirements under Regulation 28 of the Money Laundering Regulations. For the first time, the government formally endorsed the DVS framework as a valid compliance pathway for AML. That removed the uncertainty that had held back adoption across financial services, property, legal, and accounting.
Providers on the register meet the requirements in the Joint Money Laundering Steering Group guidance, including liveness detection and multiple independent data sources for enhanced due diligence. Firms can use the GPG45 level of assurance as an indicator within their risk profile for the product being offered.
OneID verifies up to a "very high" confidence, drawing on multiple data sources through a single integration. For financial services firms, that means an onboarding process that satisfies the regulator without driving away the customer. Our approach matches each person to the ID method they are most likely to complete, and we provide the audit trail that supervisors expect. Firms can run digital identity alongside their existing processes, compare the results, and simplify processes at their own pace.
The UK Online Safety Act requires platforms to implement age assurance. Ofcom's guidance identifies seven methods that meet the "highly effective" standard, including open banking, mobile network operator checks, photo ID matching, facial age estimation, digital identity services, credit card checks, and email-based age estimation.
What has happened in practice is instructive. When platforms relied solely on face scans or document uploads, some users circumvented the process by using VPNs. The regulatory objective was not met, and the firm in scope remained at risk of a regulatory fine.
VPN circumvention does not remove the compliance obligation. Technology exists to detect VPN traffic and apply age checks accordingly. But the lesson is hard to miss: the age verification method matters, and the order in which options are presented determines whether people finish the check or leave.
Someone with a UK bank account can verify their age through open banking in seconds, with no document or face scan required. Someone without a bank account can use a mobile operator check. Someone without either falls back to a document-based method. The first option should be the one most likely to be completed.
OneID routes people to the method that works for them. Our services meet Ofcom's highly effective standard, and our orchestration means people are not pushed down a single path that may not suit them. Higher completion, lower abandonment. That is what the regulator, business and customer need.
The UK has the legislation, the certification infrastructure, regulatory guidance that is expanding into new sectors, and a competitive market of providers that are already delivering at scale. What it needs now is adoption. And adoption runs on trust.
Trust is built via choice, and delivered one interaction at a time. Every check that respects the person's data, gives them control, and finishes in seconds reinforces it. Every check that over-collects, confuses, or fails erodes it. Good governance matters. The experience matters even more.
For businesses, the priorities are clear. Use a provider on the register. Make sure they can verify to the confidence level your obligations require. Choose one that gives your customers more than one way to complete the check, because the method with the highest completion rate is the one that matches what the person already has. And look for a provider that can grow with you: from identity verification through age assurance to the emerging requirements of agentic commerce, where verified identity and delegated authority become the infrastructure for AI-powered transactions.
Verification your customers will actually complete. That is the standard any identity system should be measured against.
We built OneID to meet that standard. If you are a regulated business, a platform, or a policymaker working on what comes next for digital identity in the UK, we would welcome the conversation.
OneID is a UK-based digital verification services company. We were the first orchestration service provider, the first holder/wallet provider, and one of the first identity service providers certified under the UK's trust framework.
We provide identity verification, age verification, and agentic verification services to regulated businesses and platforms across the UK and internationally. Our approach is built on simplicity, inclusivity, and the principle that verification should confirm the minimum data necessary for the task.
Verified person, verified data.
© 2026 OneID. All rights reserved.