At the end of 2019, the GPG (Good Practice Guide) 45 was updated by the GDS (UK Government Digital Services). The guidance on how to check and verify someone’s identity now reflects new methods, such as reading the biochip in ID documents, such as an e-passport. The GPG 45 is also technology neutral as it is out-comes focused, rather than process-focused.
As a digital identity provider, we help organisations meet low and medium levels of assurance when checking identity, and we can also support organisations that need to meet a high level. We’re looking forward to the imminent publication of the new GPG 44 standard. We have seen a draft and we think it’s an excellent guide for the authentication of users.
How does the GPG 45 work?
The revised GPG 45 is a very useful practice guide in terms of enabling identity providers to check identity. An identity is a combination of characteristics that identifies a person. A single characteristic is not usually enough to tell one person apart from another, but a combination of characteristics might be. The GPG 45 guidance can help you check the identity of a customer, employee, or someone acting on behalf of a business. By successfully checking someone’s identity, you can be confident that you’ll give the right people access to the right things.
The number of synthetic (or made up) and stolen identities being used to commit identity fraud in the UK is growing every year. Some of the most common reasons people or criminal groups commit identity fraud are to access services or benefits they’re not entitled to, steal personal, medical or financial information from other identities, enable organised crime or avoid being detected by the police and other authorities.
Checking identities in a consistent way will reduce the chance that one person or service does less effective identity checks than others. This helps protect against identity fraud. It also means that there will be fewer people or services with less effective identity checks that could be targeted by identity fraud.
How to check someone’s identity
We need to know the ‘claimed identity’ of the person we’re checking. This is a combination of information (such as someone’s name, date of birth and address) that represents the characteristics of whoever a person is claiming to be. When we have this, we can find out if the person is who they say they are. The ‘identity checking’ process under GPG45 is made up of 5 parts:
- get evidence of the claimed identity;
- check the evidence is genuine or valid;
- check the claimed identity has existed over time;
- check if the claimed identity is at high risk of identity fraud;
- check that the identity belongs to the person who’s claiming it.
Building an identity profile
Doing different parts of the identity checking process helps us build up confidence in an identity so we can be sure someone is who they say they are. There’s a score for each part of the identity checking process. How much confidence we have in an identity depends on how many pieces of evidence we can collect, which parts of the identity checking process we do and the scores for each part of the identity checking process.
The different combinations of scores are known as ‘identity profiles’. Each identity profile relates to one of the following levels of confidence – low, medium, high or very high.
We aim to get a higher level of confidence in someone’s identity if your service is at high risk of identity-related crime. Our confidence in a person’s identity can increase over time if we do extra checks or collect more evidence.
Which profile to choose?
At Yoti, we focus primarily on low and medium confidence levels, as these are the profiles that most organisations ask for. However, we’re also happy to support organisations looking for high confidence.
1) Low confidence in the person’s identity
Compared to not doing any identity checks, having low confidence in the person’s identity will lower the risk of you accepting either synthetic identities or impostors who are not close friends or family of the identity they’re pretending to be.
By meeting this identity profile, we know each piece of evidence appears to be genuine, are confident that the claimed identity exists in the real world, have made sure your service has reduced the risks of any known identity fraud associated with the claimed identity and have checked the person going through the identity checking process matches the photo or biometric information that’s shown on the evidence.
2) Medium confidence in the person’s identity
Compared to low confidence, having medium confidence in the person’s identity will lower the risk of accepting synthetic identities or accepting impostors who are not close friends or family of the identity they’re pretending to be or who do not look like the identity they’re pretending to be.
By meeting this identity profile, we know that very strong evidence of the claimed identity exists, know the evidence is genuine and valid, have checked the claimed identity exists in the real world, have made sure we have reduced the risks of any known identity fraud associated with the claimed identity, be confident the person going through the identity checking process matches either the photo or biometric information that’s shown on the evidence.
The revised GPG 45 will accompany a new UK government-backed digital identity trust framework to be issued soon. Once published, we will engage a qualified auditor to assess our compliance.