What is the KYC 2+2 rule?
“2+2” is the industry convention for electronic identity verification under UK anti-money laundering rules. You match at least two identity attributes against at least two independent, reliable sources: name and address from two sources, or name and address from one and name and date of birth from another. It is a working standard, not a phrase named in law.
The term gets called a “rule” so often that people assume it appears in the statute book. The regulations do not name it. They set out the principle behind it instead.
Where does the 2+2 requirement come from?
The Money Laundering Regulations 2017 require firms to verify a customer’s identity using documents, data or information from a source that is reliable and independent of the customer. Regulation 28 sets that duty. It does not prescribe “two and two”. The 2+2 convention is how the industry shows it has met the reliable-independent-source test using electronic data alone.
Guidance from the Joint Money Laundering Steering Group and HMRC is the benchmark firms work to in practice. HMRC’s position is that an electronic check should draw on data from multiple sources, and that a single-source check is not normally enough on its own to confirm an identity. That guidance, rather than the bare wording of the regulation, is where the “two sources” expectation comes from.
So when a compliance team says a customer “passed 2+2”, they mean the electronic check matched enough attributes across enough independent sources to satisfy the regulator’s reliable-source standard.
How do you meet the 2+2 requirement?
You meet it by running a customer’s name, address and date of birth against independent data sources and confirming that the attributes match in enough places. The table below shows the two accepted patterns.
|
Pattern
|
What must match
|
Why it counts
|
|
Name + address from two sources
|
The same name and address confirmed across two independent datasets
|
Two attributes, two sources
|
|
Name + address from one source, name + DoB from another
|
Name and address from one dataset, name and date of birth from a second
|
Two attributes, two sources, broader attribute spread
|
The sources have to be independent of each other and independent of the customer. A check that leans on a single dataset, or on data the customer supplied and controls, does not clear the bar on its own.
Why do good customers fail 2+2?
Most electronic checks run against Credit Reference Agency data first. That works well for people with a long credit history. It misses people who do not have one.
Someone who has just turned 18, recently arrived in the UK, or runs their finances without credit products is a real, low-risk customer with a thin or empty footprint at a Credit Reference Agency. The check finds one source instead of two and returns a fail. Across UK adults, around 7.1 million, roughly one in seven, are financially excluded (gov.uk financial inclusion data). That is a meaningful slice of the market failing at the front door for the wrong reason.
From the customer’s side, the experience is blunt. They have entered their details, waited, and been told they cannot proceed, with no idea why. Many do not come back.
What happens when a customer fails the first check?
The usual next step is to escalate to a document scan and a selfie. That recovers some people, but it adds friction, drop-off and cost, and it punishes customers who did nothing wrong. The faster route is to widen the data first.
A second pass over the failed records, run against sources beyond the Credit Reference Agencies, finds many of the people the first check missed. Banks, mobile networks, insurance records, public sector data and finance applications all hold identity data that a CRA-only check never touches. Add those sources and a thin-file customer who failed on one match can clear 2+2 on the next pass.
How do you hit 2+2 on every customer?
You hit it by checking against more independent sources than a CRA-only product can reach, and by being able to see exactly how many matched. This is where KYC Match fits.
KYC Match is an optional add-on across OneID’s identity products. It matches name, address and date of birth across banks, mobile networks, insurance policy and claims data, public sector data, finance applications and Credit Reference Agencies. You choose which sources, in any configuration. It returns the count of matches for name and address, for name and date of birth, for all three together, and a distinct count across every source, so you can see at a glance whether a customer cleared 2+2 and by how much.
It runs alongside bank-based verification, or on customer data alone as a real-time API or a batch check over an existing dataset. A common use is a second pass on the records that failed a CRA-only check, recovering good customers without sending them to a document scan.
OneID is a digital verification services provider, certified under the UK’s Digital Verification Services Trust Framework. Certified providers count as a reliable, independent source for the identity-matching step.
Does meeting 2+2 cover all your KYC obligations?
Meeting 2+2 covers the identity-matching step. It does not cover the rest of your customer due diligence. Your firm still owns the customer risk assessment, source of funds checks where they apply, and ongoing monitoring. A certified provider can confirm the identity reliably, and your firm remains responsible for the wider due diligence and ultimately liable for it. KYC Match handles the matching, while your compliance programme stays your own.
Frequently asked questions
Is the 2+2 rule a legal requirement?
No. UK law requires verifying identity against a reliable source independent of the customer, under Regulation 28 of the Money Laundering Regulations 2017. “2+2” is the industry convention for meeting that standard with electronic data. The convention is shaped by JMLSG and HMRC guidance, not by the wording of the regulation.
What does 2+2 actually mean?
Two identity attributes matched against two independent, reliable sources. In practice that means name and address confirmed across two sources, or name and address from one source plus name and date of birth from another.
Why do thin-file customers fail 2+2?
Most checks run against Credit Reference Agency data, where thin-file and no-footprint customers have little or no record. The check finds one source instead of two and returns a fail, even for genuine low-risk people.
How can I recover customers who fail 2+2?
Run a second pass over the failed records against sources beyond the Credit Reference Agencies. Many failed customers carry identity data at banks, mobile networks and elsewhere, enough to clear 2+2 on the next attempt without a document scan.
Does passing 2+2 mean my KYC is complete?
No. It clears the identity-matching step. Customer risk assessment, source of funds where required, and ongoing monitoring remain your firm’s responsibility.
See how many of your failed customers you could recover
Run 1,000 records through KYC Match for free and compare the results against your existing provider. Send name, address and date of birth, and see how many of your failed checks would clear 2+2 against independent sources beyond the Credit Reference Agencies. Contact OneID to set up your comparison.
