GPG45 is the UK government’s good-practice guide for proving and verifying someone’s identity. If a framework, a regulator or a procurement team has told you the identity check you run must reach a medium or high level of confidence, GPG45 is where that requirement comes from. This page explains the four levels, the five elements that drive them, where each level is required, and how to choose a provider that reaches the level you need.
The person being verified experiences the level as effort. A medium check might be a short confirmation on their phone before they open an account. A high check asks for more: stronger evidence, and a check that the identity has existed over time and belongs to the person presenting it. The level you are held to shapes how much you ask of every customer, and how many of them finish.
GPG45, or Good Practice Guide 45, is the government guidance titled “How to prove and verify someone’s identity”, updated on 14 November 2024. It sets out a common way to check an identity and to describe how strong that check is. It breaks identity into parts you score and combines those scores into profiles, each reaching a stated level of confidence.
The value of GPG45 is that it gives a shared language. When a regulator, a bank or a public service says it needs a particular level of confidence, GPG45 defines what that means and what evidence gets you there. That makes checks comparable across providers and defensible when someone asks how you verified a customer.
GPG45 produces four levels of confidence: Low, Medium, High and Very High. The level describes how much assurance the completed check gives that the person is who they claim to be. As the risk of an identity being wrong rises, the level required rises with it.
Low suits low-risk services where a mistaken identity causes little harm. Medium is the common standard for everyday regulated checks, including many financial and public services. High applies where the consequences of a wrong identity are serious. Very High is reserved for the most sensitive cases, where you need near-certainty about who someone is.
GPG45 scores five elements of an identity, then combines the scores into a profile. The elements are not added into a single total. A profile is a specific combination of element scores that maps to a level of confidence, so a weak score in one element can hold back the whole result even where other elements are strong.
|
# |
Element |
What it checks |
|
1 |
Strength |
Get evidence of the claimed identity, and how strong that evidence is |
|
2 |
Validity |
Check the evidence is genuine or valid |
|
3 |
Activity history |
Check the claimed identity has existed over time |
|
4 |
Identity fraud |
Check the claimed identity is not at high risk of identity fraud |
|
5 |
Verification |
Check the identity belongs to the person claiming it |
The practical point for a buyer is that reaching medium or high depends on more than one strong check. It rests on evidence strength, on confirming the evidence is genuine, on activity history, on fraud checks, and on tying the identity to the real person behind the application. A provider that is strong on document validity but has no way to check activity history or bind the identity to the person will struggle to reach the higher levels reliably.
Medium is the level behind many mainstream identity checks. GOV.UK One Login’s identity checks currently provide a medium level of confidence as defined by GPG45. Companies House identity verification, including the Authorised Corporate Service Provider route, is built on GOV.UK One Login, which provides a medium level of confidence. Companies House requires ACSPs to meet the same standard as its direct checks.
Higher-risk services need high. Criminal record checks are a clean illustration of how the required level rises with risk. Under the Disclosure and Barring Service digital identity verification guidance, a medium level of confidence is the minimum for a Basic DBS check, while a high level of confidence is the minimum for Standard, Enhanced and Enhanced with Barred Lists checks. The more sensitive the outcome, the higher the bar the identity check has to clear.
For procurement, the takeaway is simple: confirm the exact level your obligation requires before you shop for a provider. Buying a medium-capable check for a service that needs high leaves you short of your requirement. Over-buying a very high check for a low-risk service loads friction onto every customer for no compliance gain.
The higher the level of confidence, the more the person being verified has to do. A medium check can often be completed in seconds through a single trusted source, for example confirming identity against bank-held data or presenting a valid document. The customer taps through a short, familiar flow and moves on.
Reaching high usually means combining sources and adding checks. Alongside strong, valid evidence, the check has to confirm the identity has existed over time and test it against fraud signals. It also binds the identity to the living person through a step such as a liveness check. Each added requirement is another moment where a customer can hesitate or drop out. This is why the level you are held to is a commercial decision as much as a compliance one: it sets how much you ask of every applicant, and how many complete.
Start by fixing the level your obligation requires, then judge each provider on whether it reaches that level reliably without collapsing completion. A provider that clears the bar for a small share of applicants and sends the rest to manual review has not fixed the problem. It has moved the cost into your operations team.
The criteria worth applying:
OneID is one provider built against these criteria. It is a certified digital verification services provider, listed on the government register and FCA regulated (FRN 928911), and it combines multiple authoritative data sources so a check can be configured to the level a service requires. Returning customers who hold a reusable, passkey-secured credential can verify in a tap, which keeps completion high even where the assurance bar is set higher. For the exact level OneID evidences for a specific check, and how to configure it, see the GPG45 service page.
What is GPG45? GPG45, or Good Practice Guide 45, is the UK government guidance “How to prove and verify someone’s identity”, updated on 14 November 2024. It sets out how to check an identity by scoring five elements, then combining those scores into identity profiles that reach a defined level of confidence: Low, Medium, High or Very High.
What are the four GPG45 levels of confidence? The four levels are Low, Medium, High and Very High. The level describes how much assurance a completed check gives that the person is who they claim to be. The required level rises with the risk of getting the identity wrong, so more sensitive services demand a higher level.
What are the five elements of a GPG45 identity check? The five elements are strength of the evidence, validity of the evidence, activity history, identity fraud checks, and verification that the identity belongs to the person claiming it. The scores are combined into a profile rather than added into a total, so a weak element can hold back the overall level of confidence.
What level of confidence does GOV.UK One Login provide? GOV.UK One Login’s identity checks currently provide a medium level of confidence as defined by GPG45. A number of government services rely on One Login for identity, so medium has become a common standard for many mainstream regulated checks.
Is medium level of assurance enough for a DBS check? It depends on the check. Under the DBS digital identity verification guidance, a medium level of confidence is the minimum for a Basic DBS check, while a high level of confidence is the minimum for Standard, Enhanced and Enhanced with Barred Lists checks. Confirm the level your specific obligation requires before choosing a provider.
How do I choose a provider that reaches medium or high confidence? Fix the level your obligation requires, then check the provider can evidence that level for your use case, covers all five GPG45 elements across multiple data sources, is certified under the UK trust framework, and still completes for most customers at the required level. Ask for a defensible evidence trail on every check.