Yoti has very much welcomed the updating of GPG 45 (Good Practice Guide 45) by the GDS (UK Government Digital Services) team at the end of 2019. Yoti focuses on enabling most organisations to meet levels Low and Medium Scores of Assurance. However we are happy to support organisations who need to meet level High.
Yoti especially welcomes the new GPG 45’s focus on new ways of verifying identity, such as chip reading of ID documents such as passports, as well as the fact that GPG 45 is also technology neutral by being outcomes-focussed rather than process-focussed.
Yoti is looking forward to the imminent publication of the new GPG 44 standard. We have seen a draft and consider it an excellent guide for the authentication of users.
The revised GPG 45 is a very useful practice guide in terms of enabling identity providers to check identity. An identity is a combination of characteristics that identifies a person. A single characteristic is not usually enough to tell one person apart from another, but a combination of characteristics might be. The GPG 45 guidance can help you check the identity of a customer, employee, or someone acting on behalf of a business. By successfully checking someone’s identity, you can be confident that you’ll give the right people access to the right things.
The number of synthetic (or made up) and stolen identities being used to commit identity fraud in the UK is growing every year. Some of the most common reasons people or criminal groups commit identity fraud are to access services or benefits they’re not entitled to, steal personal, medical or financial information from other identities, enable organised crime or avoid being detected by the police and other authorities.
Checking identities in a consistent way will reduce the chance that one person or service does less effective identity checks than others. This helps protect against identity fraud. It also means that there will be fewer people or services with less effective identity checks that could be targeted by identity fraud.
We need to know the ‘claimed identity’ of the person we’re checking. This is a combination of information (such as someone’s name, date of birth and address) that represents the characteristics of whoever a person is claiming to be. When we have this, we can find out if the person is who they say they are. The ‘identity checking’ process under GPG45 is made up of 5 parts:
Doing different parts of the identity checking process helps us build up confidence in an identity so we can be sure someone is who they say they are. There is a score for each part of the identity checking process. How much confidence we have in an identity depends on how many pieces of evidence we can collect, which parts of the identity checking process we do and the scores for each part of the identity checking process. The different combinations of scores are known as ‘identity profiles’. Each identity profile relates to one of the following levels of confidence – low confidence, medium confidence, high or very high confidence.
We aim to get a higher level of confidence in someone’s identity if your service is at high risk of identity-related crime. Our confidence in a person’s identity can increase over time if we do extra checks or collect more evidence.
Yoti focuses on levels Low and Medium as these are the profiles that most organisations ask for; however, we are happy to support organisations looking for High confidence
1) Low confidence in the person’s identity
Compared to not doing any identity checks, having low confidence in the person’s identity will lower the risk of you accepting either synthetic identities or impostors who are not close friends or family of the identity they’re pretending to be.
By meeting this identity profile, we know each piece of evidence appears to be genuine, are confident that the claimed identity exists in the real world, have made sure your service has reduced the risks of any known identity fraud associated with the claimed identity and have checked the person going through the identity checking process matches the photo or biometric information that’s shown on the evidence.
2) Medium confidence in the person’s identity
Compared to low confidence, having medium confidence in the person’s identity will lower the risk of accepting synthetic identities or accepting impostors who are not close friends or family of the identity they’re pretending to be or who do not look like the identity they’re pretending to be.
By meeting this identity profile, we know that very strong evidence of the claimed identity exists, know the evidence is genuine and valid, have checked the claimed identity exists in the real world, have made sure we have reduced the risks of any known identity fraud associated with the claimed identity, be confident the person going through the identity checking process matches either the photo or biometric information that’s shown on the evidence.
The revised GPG 45 will accompany a new UK government-backed digital identity trust framework to be issued soon. Once published, we will engage a qualified auditor to assess our compliance.