Code of Practice on Eligibility Verification Notices

Question 1

Disclaimer

Accepted Answer

This Code of Practice gives general guidance only and should not be regarded as a complete and authoritative statement of the law. If you do not understand any of the contents of the Code, the law, or any obligations or responsibilities you may have, you should seek independent advice.

Question 2

1. Introduction

Accepted Answer

About this Code of Practice

1.1. This Code of Practice (“Code”) is authorised under paragraph 17(1) of Schedule 3B to the Social Security Administration Act 1992 (“the Act”) which requires the Secretary of State to issue a code of practice about Eligibility Verification Notices (“EVNs”). The Secretary of State has the power to issue an EVN under paragraph 1(1) of Schedule 3B to the Act which underpins the delivery of the Department for Work and Pension’s (“DWP’s”) Eligibility Verification Measure (“EVM”).

1.2. Failure to observe the provisions of the Code does not, in itself, render parties liable to civil or criminal proceedings. The Code is, however, admissible as evidence in any proceedings if any provision of the Code is relevant in considering the exercise of the powers under Schedule 3B to the Act and the actions taken by financial institutions given an EVN.

1.3. This Code may be subject to further updates as necessary, including as the operational aspects of the measure evolve through the Test and Learn period (see paragraphs 2.10 to 2.16 of this Code).

1.4. In the event that the Code is substantively revised, DWP must hold a public consultation on the new draft and lay the new Code before Parliament (under paragraphs 17(3), 17(4), 18(1), and 18(2) of Schedule 3B to the Act).

Who is this Code for?

1.5. This Code is intended for:

(i) DWP staff (and the Secretary of State for Work and Pensions)

(ii) Organisations in receipt of an EVN (i.e. banks and other financial institutions (“financial institutions”), as defined in paragraph 2 of Schedule 3B to the Act)

(iii) Data subjects (the identified or identifiable individual to whom personal data relates)

(iv) The Code may also be of interest to members of the public who wish to know more about the power to issue an EVN

1.6. The exercise of the Secretary of State’s functions under Schedule 3B to the Act and this Code are kept under review by an independent person(s) or body appointed under s.121DC of the Act. Further details are in Chapter 4.

Question 3

2. Explanation of the power to issue an Eligibility Verification Notice

Accepted Answer

2.1. Benefit overpayments, in which individuals receive more benefits than the amount for which they are eligible, cost the government £9.5 billion in 2024 to 2025. In the approximately 5 years since the pandemic, some £45 billion was overpaid in the welfare system. EVM will improve DWP’s access to important data to help identify incorrect payments, verify benefit entitlements, ensure payments are correct, prevent the build-up of overpayments and prevent debt from accruing. This will help to reduce fraud and identify errors, including where claimants and/or DWP have made genuine mistakes and help to ensure that that claimants receive the correct amount of money that claimants are entitled to. This not only avoids claimants incurring large overpayments that must be repaid but also ensures that the people who are eligible for the support receive the correct amount of money at the right time.

2.2. Where possible, DWP uses different sources of data to verify the information provided by claimants to ensure their benefit entitlement is calculated correctly. For example, DWP uses data from HM Revenue and Customs to verify information about Pay As You Earn employment, and income that can affect benefit eligibility and entitlement. However, for other eligibility criteria – such as savings or investments held, or time spent abroad – such information is not readily available in a timely fashion. This can mean that benefits may be incorrectly paid due to either fraud or error, which can lead to the build-up of debt for the claimant and losses to the taxpayer.

2.3. Financial institutions hold information which can help DWP verify a person’s entitlement to benefit. This includes, for example, information relating to a person’s level of capital and information about periods of time a person spends abroad.

2.4. EVM enables the Secretary of State (DWP) to require financial institutions to look within their customer data and provide limited information to DWP which may indicate that a benefit is being incorrectly paid. DWP may require this information only where the Secretary of State considers that it is necessary and proportionate to do so (see Chapter 3 for more information).

2.5. DWP will request data by issuing an EVN to financial institutions. The data items that DWP will request will be set out in the EVN and will be related to the eligibility rules for a specific benefit. Financial institutions will be required to provide DWP only with the information it requests, and none in excess.

2.6. For the eligibility criteria of the benefits in scope of the Eligibility Verification Measure, see:

(i) Universal Credit eligibility

(ii) Pension Credit eligibility

(iii) Employment and Support Allowance eligibility

2.7. DWP is prohibited by law from sharing personal data with financial institutions under this power (paragraph 3(3) of Schedule 3B to the Act), and from requesting transaction information and special category data (paragraphs 1(5) and 1(6) of Schedule 3B to the Act). DWP is obliged to maintain the security and confidentiality of all information that it receives and must follow all of its existing data security policies. DWP must comply at all times with data protection legislation. See Chapter 4 for further detailed information on safeguards.

2.8. Given the prohibition on sharing personal data with financial institutions, an EVN cannot be used, in any circumstances, to require information about named claimants.

Who is authorised to request information?

2.9. To ensure appropriate safeguarding of data, data subjects, and data holders, only DWP staff who are authorised by the Secretary of State will exercise the power to issue an EVN, on behalf of the Secretary of State. These limited number of people who will be authorised to issue the EVN are known as “authorised persons.”

How will the power to issue an EVN come into force?

2.10. This Code must be in force before an EVN can be issued.

2.11. DWP will initially exercise the power with a small number of financial institutions to ensure that delivery is optimised before EVM is rolled out on a wider scale. This initial period will be known as the ‘Test and Learn’ period.

2.12. As per the overall purpose of EVM, DWP will use the information obtained during the Test and Learn period to help identify incorrect payments of benefits and take action to correct them.

2.13. The Test and Learn period helps to ensure the effective and controlled introduction of EVM, allowing processes to be evaluated and optimised before being rolled out more widely with more financial institutions. During the Test and Learn period, DWP will consider, for example:

(i) the eligibility indicators used to help DWP to identify incorrect payments of relevant benefits. This may involve, for example, refining the criteria used by financial institutions to identify relevant accounts to help DWP effectively find fraud and error and minimise false positives

(ii) the digital infrastructure, to ensure the process works for both financial institutions and DWP to transfer data efficiently and securely

(iii) the impact on DWP resources, to ensure that DWP has the right amount of resource in place for the wider rollout of EVM to allow the data received from financial institutions to be actioned in a timely and secure manner

(iv) whether financial institutions are providing accurate, timely and reliable information, and DWP’s engagement and processes with financial institutions are working effectively

(v) the application of appropriate safeguards. DWP will optimise processes so that safeguards to protect claimants and their data are fully effective

2.14. During this period, DWP may adopt a flexible approach to timescales and other aspects of compliance with an EVN, and the associated penalties regime described in Chapter 7. DWP recognises that financial institutions may raise questions during this period and will work closely with financial institutions to ensure that requests and associated deadlines are workable. All appropriate safeguards will be observed during this period, and the period will be reviewed by the independent reviewer (see Chapter 4).

2.15. During the Test and Learn phase, DWP will work closely with key stakeholders, including within the finance industry and across government. The aim is that once EVM is rolled out more widely, DWP will have optimised EVM to assist in identifying incorrect payments of relevant benefits.

2.16. Following the Test and Learn phase, the measure will be rolled out with further financial institutions in a controlled way.

Question 4

3. The Eligibility Verification Notice

Accepted Answer

What is an Eligibility Verification Notice?

3.1. An EVN is the means by which DWP asks financial institutions for information. An EVN is issued by authorised persons (on behalf of the Secretary of State) in accordance with Schedule 3B to the Act and requires a financial institution to look within its own datasets and provide data to help DWP identify where someone might not be receiving the correct amount of a relevant benefit. A relevant benefit payment is a payment of any of the following benefits specified in Schedule 3B to the Act: Universal Credit, State Pension Credit, and Employment and Support Allowance. No other benefits are currently in scope of EVM, but if deemed necessary the list of benefits in scope could be amended in the future using regulations subject to the affirmative procedure. This means that any changes to the benefits in scope must be actively approved by both Houses of Parliament.

3.2. An EVN will set out the specific information required by DWP, for example, specifying the eligibility indicators which must be used by financial institutions to determine whether information must be shared with DWP. An EVN must not require financial institutions to identify relevant accounts using personal information (under paragraph 3(3) of Schedule 3B to the Act). EVM can only be used to obtain information on accounts that receive a specified DWP benefit, and any accounts linked to that benefit receiving account where (alone or with other accounts) they match the eligibility indicators set by DWP (as set out in legislation).

3.3. The eligibility indicators in the EVN are the specific criteria that financial institutions will be asked to check relevant accounts against. They will be based on the eligibility rules for the specified benefits and therefore may differ for each benefit in scope.

3.4. In Universal Credit, an individual’s savings can affect how much they are paid. Consequently, for example, eligibility indicators in an EVN may be set such that financial institutions are required to return information about accounts which receive Universal Credit (or are linked to such accounts) and which have more than £16,000. This is the upper capital threshold for Universal Credit. In this example, the eligibility indicator is capital above £16,000.

3.5. The ask may vary: for example, it may be that information is only returned in cases where there is a specific amount above £16,000, or it may be that DWP lowers this amount to help verify the correctness of payments where a claimant has between the lower capital limit of £6,000 and the upper capital limit of £16,000. This is because a person’s Universal Credit award entitlement is tapered where they have capital between £6,000 and £16,000.

3.6. Likewise, the eligibility indicators may be set such that financial institutions are required to return information about accounts which receive payments of relevant benefits where there are indications that the account holder may have spent more time overseas than benefit eligibility rules allow. This is not an exhaustive list of possible eligibility indicators.

3.7. DWP must only request the minimum information to identify individuals who meet the eligibility indicators, and relevant details related to how the indicators have been met, and financial institutions must only provide minimal information to DWP. For examples of the types of information that an EVN may require, see paragraphs 3.27 to 3.29.

3.8. Where information is shared with DWP, it is not shared on the assumption that the person to whom the information relates is guilty of any wrongdoing. Any accounts identified will be considered by DWP for further inquiry. No decisions about benefit entitlement will be made automatically on this information alone.

3.9. The EVN can request information about any account into which a relevant DWP benefit payment is made which meets the criteria set out in that EVN, as well as any accounts linked to that account (see paragraph 3.22 to paragraph 3.26 below about accounts in scope).

3.10. An EVN must not request data which is more than one year old ending with the day on which the EVN was sent. However, it may request the date on which the account(s) first began to meet the eligibility indicator(s) set out in the EVN, even if this date is from a period prior to one year ending on the day on which the EVN was sent. For example, a financial institution may be required to provide the date on which an account in receipt of a relevant benefit first held capital in excess of the amount specified in the EVN. If, over a period of time, an account (and any linked accounts) fluctuates in its meeting of an eligibility indicator, then the financial institution must share the date on which the account(s) in question most recently began to meet the eligibility indicator.

Necessity and proportionality

3.11. Before issuing an EVN, the Secretary of State must consider that it is necessary and proportionate to do so (as per paragraph 1(2) of Schedule 3B to the Act), and must assess and record this, including an EVN’s compliance with Article 8 of the European Convention on Human Rights (“ECHR”) every time an EVN is issued.

3.12. ‘Necessary’ means that the information is needed for the purpose for which it is requested, and ‘proportionate’ means that any interference caused by obtaining the information is balanced against the importance of the aim, and that no more information is requested than is needed.

3.13. DWP has already undertaken an assessment of the power as a whole and considers that it is compatible with the right to private life under Article 8 ECHR and that this measure is justified, in accordance with the law, and proportionate. This assessment can be viewed in the following memorandum: Public Authorities (Fraud, Error and Recovery) Act 2025 publications - Parliamentary Bills - UK Parliament (scroll down to ‘Human rights memorandum’ to find relevant document - ‘Human Rights Memorandum for the Bill as brought from the House of Commons’).

3.14. DWP will record each assessment of necessity and proportionality, and compliance with Article 8 of the ECHR, prior to issuing an EVN. These assessments, and each EVN, will be approved by a senior civil servant.

3.15. To assess whether it is necessary and proportionate to issue an EVN, DWP may consider:

(i) the prevalence of overpayments due to fraud and error in particular benefits

(ii) the prevalence of the type of fraud and error in a benefit to which the eligibility indicators in the EVN relate

(iii) the anticipated results of issuing an EVN

(iv) the extent to which the expected burden on the financial institution in complying with the EVN is proportionate to the anticipated results

(v) the frequency of DWP’s requests for information from financial institutions using an EVN

(vi) the effectiveness of previous EVNs in helping to identify incorrect payments of relevant benefits

(vii) reports produced by the Independent Reviewer of EVM

(viii) feedback from financial institutions, including the outcome of any review of an EVN

(ix) the outcome of any appeals to the First Tier Tribunal

(x) whether there are other possible methods of obtaining the data required by an EVN

(xi) whether there are other possible methods of addressing the aim pursued by an EVN

(xii) any other relevant considerations

3.16. In relation to Article 8 assessments, this must also include assessments of how the proposed EVN:

(i) is issued in accordance with Schedule 3B to the Act

(ii) pursues a legitimate aim

(iii) is necessary and proportionate

3.17. As part of the Article 8 assessment, DWP may consider:

(i) the anticipated results of issuing an EVN

(ii) the level of detail required by an EVN about relevant accounts

(iii) the amount and types of information about individuals that will be shared

(iv) whether there are other possible methods of obtaining the data required by an EVN

(v) whether there are other possible methods of addressing the aim pursued by an EVN

(vi) any other relevant considerations

Compliance with Article 14 of the ECHR

3.18. DWP considers that EVM is compatible with Article 14 of the ECHR, which provides a right to non-discrimination in the enjoyment of other ECHR rights. For EVM, the other applicable ECHR right is Article 8 (right to privacy). This means that DWP does not consider that EVM engages people’s right to privacy in a way which discriminates against them on any ground such as race, sex, colour, language, or belief.

Who is liable to comply with an EVN?

3.19. Schedule 3B to the Act enables the Secretary of State (DWP) to require information from financial institutions where accounts they provide meet the criteria set out in an EVN. Schedule 3B to the Act describes financial institutions as organisations that are authorised to accept deposits or issue electronic money and, in the course of doing so, provide relevant accounts into which a relevant benefit may be paid. This means that an EVN may be issued to any financial institution which meets these criteria. Further types of financial institution may be added using regulations if they fall outside of the current definition but are relevant to the exercise of the power. Any organisation which does not meet these criteria must not be issued with an EVN.

3.20. DWP recognises that operating models may differ from financial institution to financial institution, and that where a financial institution operates as part of a group, there may be a certain organisation within that group which is better suited than others to receive an EVN. DWP will therefore work with financial institutions to ensure that EVNs are issued to the most appropriate organisation within a banking group.

3.21. Before issuing an EVN to a financial institution, DWP will discuss the requirements of complying with it with the institution in order to help them prepare for the formal ask, including ensuring a suitable digital solution is in place to allow the secure transfer of the data. DWP will not issue an EVN before this preparatory engagement has been offered.

Scope of the Eligibility Verification Measure

Accounts in scope

3.22. Accounts in scope are those that are in receipt of a relevant benefit payment (or are linked accounts), and which (whether on their own or together) meet the conditions set out in the EVN. Linked accounts are any other accounts which are held by the same person who holds the account into which the relevant benefit payment is paid. Accounts which are in scope are called “relevant accounts”.

3.23. Paragraph 20 of Schedule 3B to the Act clearly sets out accounts which are in and out of scope of the measure. Types of account which are in scope are:

(i) current accounts

(ii) savings accounts

(iii) investment accounts

(iv) In line with benefit eligibility rules for the benefits in scope of EVM, some children’s accounts may be in scope where they are held on trust by one of the account holders of the account into which the relevant benefit is paid, or if they receive the relevant benefit payment

3.24. Types of account which are out of scope are:

(i) credit card accounts

(ii) current account mortgages

(iii) accounts held outside of the United Kingdom

(iv) accounts which are not personal accounts

3.25. Accounts which are not personal accounts (such as business accounts or charities) are not in scope for the measure. This is in line with the eligibility criteria of the benefits that EVM will require information about.

3.26. In some cases, an account that matches the criteria set out in the EVN may not belong to a benefit claimant. In the case of personal appointee accounts, for example, the benefit-receiving account is held by a person other than the benefit claimant. In this case, information about identified accounts will be shared with DWP if the conditions of the EVN are met. This is because the legislation prohibits DWP from sharing personal information (under paragraph 3(3) of Schedule 3B to the Act), and so all accounts which meet the criteria set out in the EVN will have their information shared. However, the appointee’s information may not be relevant to the benefit claim. Once DWP has established such cases, the information will not be shared further and will not be used by any DWP operational team. More detailed information can be found in paragraphs 3.32 to 3.37.

What type of information could an EVN request?

3.27. The EVN will require a financial institution to only provide the minimum information related to matched accounts to identify a benefit recipient within DWP’s own database. While DWP must not share personal data in an EVN, the information that is returned by financial institutions will include personal data, and the types of information that will be shared are detailed below.

3.28. The EVN will outline the specific data points that must be disclosed. The types of data that an EVN may require a financial institution to share with DWP are defined in paragraph 1(3) of Schedule 3B to the Act. These are:

(i) details of relevant accounts (for example, sort code and account number)

(ii) details about account holders (for example, their names and dates of birth) to enable identification of the benefit recipient

(iii) details about how the accounts meet the eligibility indicators specified within the EVN (for example, this may be to indicate that the total capital held across accounts is greater than the amount specified in the EVN or dates that the account has been consecutively used outside of the UK)

3.29. The eligibility indicators specified in the EVN will be linked to the eligibility criteria for the specified benefits. As such, if the eligibility criteria for the benefits in scope of EVM change over time, then the eligibility indicators specified in an EVN may change as well.

Information DWP must not require in an EVN

3.30. To ensure proportionality, compliance with Article 8 of the ECHR, and in compliance with data protection legislation, there are clear limits to the scope of an EVN. This means that some information must not be requested. An EVN must not require:

(i) information relating to any person or account (including any linked accounts) which does not match the eligibility indicators provided in the EVN

(ii) information which is not relevant to helping identify potentially incorrect relevant benefit payments

(iii) information which is more than one year old ending with the day on which the EVN is given, except to provide the date on which an account most recently began to meet the eligibility indicator where requested

(iv) financial statements or transaction information (as defined in paragraph 22 of Schedule 3B to the Act). Financial institutions are also specifically prohibited from sending transaction information under the legislation. A financial institution is liable to receive a penalty if it shares such information (see Chapter 7)

(v) special category data, as defined in paragraph 22 of Schedule 3B to the Act. Financial institutions are also specifically prohibited from sharing special category data. A financial institution is liable to receive a penalty if it shares such information (see Chapter 7). Special category data is sensitive, personal data, such as information about an individual’s racial or ethnic origin, political opinions or religious or philosophical beliefs. For the definition of special category data, see Article 9 of UK GDPR. This restriction does not, however, prevent DWP from requiring or financial institutions from confirming that individuals are in receipt of the benefit specified in the EVN as set out in paragraph 1(6) of Schedule 3B to the Act

Frequency of a request for data

3.31. An EVN will specify whether data must be provided only on one occasion, or whether the data must be provided at a specific frequency for a period of time. In the case of the latter, the EVN is known as a periodic EVN. A periodic EVN may be issued to a financial institution to require information to be shared on a regular basis for up to one year. DWP will work with financial institutions to give them sufficient notice of any changes made to a periodic EVN. An EVN may only be issued or amended where the Secretary of State is satisfied that doing so is necessary and proportionate.

Whose information may be shared with DWP under the Eligibility Verification Measure?

3.32. Information about an account will only be returned to DWP if the account (and any linked accounts) matches the strict criteria set out in the EVN.

3.33. If information returned to DWP is not directly relevant to a benefit claimant (e.g. in the case of appointees, where information is returned about accounts which receive the benefit payment, but which do not belong to the relevant benefit claimant), it will not be shared further and will not be used by any DWP operational team. Once DWP determines that the information no longer serves a purpose (e.g. after having confirmed the information is not relevant), it will be destroyed in line with DWP’s Information Management Policy.

3.34. Similarly, information on joint account holders may be shared with DWP in certain circumstances. If the relevant benefit is paid into a joint account, for instance, details about all accounts held by both individuals will be shared with DWP by the financial institution. This is because DWP is not sharing claimant information with any external body and so the financial institution will not know which of the account holders, if either, is the benefit claimant. Where the benefit is a household benefit, such as Universal Credit, the capital held by both individuals may be relevant to eligibility for the benefit where those individuals are part of the same household.

3.35. If the person who holds a benefit-receiving account also holds a linked joint account, then the details of that account may be shared with DWP by the financial institution. No information about any other accounts held by the other account holder would be shared in this circumstance as these accounts would not be classed as a linked account. Linked accounts must be held by the same person who holds the benefit-receiving account.

3.36. On receipt of the information from the financial institution, DWP will analyse the information, and information which is not relevant to eligibility for benefits will not be shared further or used by any DWP operational team. Once DWP determines that the information no longer serves a purpose (e.g. after having confirmed the information is not relevant), it must be securely destroyed in line with DWP’s Information Management Policy.

3.37. For this reason, all those who hold an account into which a specified DWP benefit is paid should be aware that their account and any linked accounts may be considered by financial institutions as part of the measure. DWP will make claimants aware of this through various means, including through this Code and by updating DWP’s Personal Information Charter^{[footnote 1]}. Relevant GOV.UK webpages will also be updated as appropriate.

Processing of appointee information

3.38. Information which is returned to DWP, but which is not relevant to a benefit claim, will not be shared further or used for any operational processes. This includes information about appointees that are not a benefit claimant. An appointee is a person who is responsible for making and maintaining benefit claims on someone else’s behalf.

3.39. On receipt of EVM information, DWP will use a matching process to identify whether the account holder identified by the financial institution and the benefit claimant in question are the same person. If DWP identifies that the data received from the financial institution does not directly relate to the claimant, the information will not be shared further and will not be used by DWP operational teams. Once DWP determines that the information no longer serves a purpose (e.g. after having confirmed the information is not relevant), it must be securely destroyed in line with DWP’s Information Management Policy.

3.40. Some appointees may independently claim a benefit specified in the EVN. In cases where an appointee is also a claimant of a benefit specified in the EVN, DWP will use the information received to help verify their eligibility for the benefits that they receive.

3.41. DWP will not receive any information from financial institutions about corporate appointees or businesses that receive DWP payments into business accounts. This is because financial institutions must not share any information with DWP about business accounts, (paragraph 20(1) and (2) of Schedule 3B to the Act).

Processing of landlord information

3.42. There are certain circumstances where private landlords may receive payments directly from DWP on behalf of tenants who receive benefits, for example, where a claimant has asked DWP for help managing their money, and payments to meet housing costs are made directly to a landlord. In these circumstances, if part of the benefit payment is paid into a landlord’s personal account rather than a business account, it is possible that information may be shared with DWP by the financial institution about the account into which the payment is made, and any linked accounts. The same process will be used to identify accounts held by a landlord as will be used to identify accounts held by an appointee. Namely, DWP will use a matching process to identify whether the account holder identified by the financial institution and the benefit claimant in question are the same person. If DWP identifies that the data received from the financial institution does not directly relate to the claimant, the information will not be shared further and will not be used by any DWP operational team. Once DWP determines that the information no longer serves a purpose (e.g. after having confirmed the information is not relevant), it must be securely destroyed in line with DWP’s Information Management Policy.

3.43. Some landlords may also independently claim a benefit specified in the EVN. In cases where a landlord is also a claimant of a benefit specified in the EVN, DWP will use the information to verify their eligibility for the benefits that they receive.

Complying with an EVN

Circumstances in which the Secretary of State will consider a financial institution as having complied with an EVN

3.44. An EVN will set out what a financial institution must do to comply with its requirements and specify the timeframe within which the financial institution must comply.

3.45. The Secretary of State will consider that a financial institution has complied with an EVN if it has:

(i) provided the information requested in the EVN

(ii) the information provided is accurate

(iii) in accordance with the criteria of the EVN

(iv) in the requested format

(v) within the timeframe specified

3.46. Where DWP considers that a financial institution has not complied with an EVN, the aim will always be to engage with the financial institution in the first instance to understand any issues, with a view to resolving them without resorting to the application of penalties permitted by the legislation.

3.47. In this situation, DWP will contact the financial institution to ask why the EVN has not been complied with.

3.48. If DWP considers that a financial institution has failed to comply with an EVN and engagement with the financial institution has not been effective, DWP has the power to issue a penalty to a financial institution as laid out in Chapter 7.

3.49. The EVN may require:

(i) the data to be presented in a specific way

(ii) the data to be provided to DWP in a specific way, including electronic communication services

(iii) the data to be provided using a specified address or portal set out in the EVN

Issues complying with an EVN

3.50. In addition to the reviews and appeals procedures described in Chapter 5 and Chapter 6 respectively, financial institutions which experience technical difficulties while complying with an EVN may contact DWP using its Incident Management process. Details about how to contact DWP for this purpose will be communicated to financial institutions during the onboarding process.

3.51. The Incident Management process allows financial institutions to flag technical issues with DWP at any time. This constructive dialogue allows for technical issues to be addressed quickly and aids timely compliance.

In what format will the EVN be delivered?

3.52. The EVN will primarily be delivered electronically to financial institutions. All EVNs will be transferred securely and in line with DWP’s security policies.

Could there be any changes to the EVN once it has been issued to a financial institution?

3.53. Once an EVN has been issued, DWP may change or cancel it by notifying the financial institution. Such changes may include, for instance, corrections of minor clerical errors in an EVN. The financial institution will be notified of the change in writing. DWP will engage with financial institutions to ensure that sufficient notice is given to enable compliance with an EVN. DWP will aim to keep any changes to an EVN (post-issue) to a minimum following the Test and Learn phase.

3.54. Substantial changes to an EVN may require DWP to reassess the EVN’s necessity and proportionality, in the same way as when the EVN is first issued. Any substantial changes must also be signed off by an appropriate senior civil servant.

How DWP will use data received in response to an EVN

3.55. DWP will use the data received from financial institutions to assist in identifying incorrect benefit payments, and to help verify a claimant’s eligibility for a specified benefit. This information received will initially be used to identify the claimant within DWP’s own systems, before it is then used to determine whether DWP must take any further action by looking into the claim in more detail. This will help to ensure that claimants are paid correctly and help prevent debt building up for individuals.

3.56. DWP may use some data received for research, analysis and evaluation to assess whether EVM is working as intended by helping to identify incorrect payments of benefits.

3.57. DWP will always aim to act on the data received promptly, for example within one month. Acting on the data may involve routing the information to the relevant area and making an initial attempt to contact the claimant to begin establishing whether an incorrect payment may have been made.

3.58. Where information is shared with DWP, it is not shared on the assumption that the person to whom the information relates is guilty of any wrongdoing, and a financial institution must not assume this. This is because it is not possible for the financial institution to ascertain from the sending of the information alone that a claimant may be receiving an incorrect amount of benefit. This is for DWP to determine through its business-as-usual processes. The information received simply indicates to DWP that further enquiry may be necessary to verify a claimant’s eligibility for the benefit payments they are receiving.

3.59. For this reason, DWP must not use its investigative powers under section 109BZA of the Act to require information about suspected DWP offences, when EVM information is relevant to that consideration, without also looking at other information it holds which is relevant to deciding whether to exercise these powers. This is as set out in paragraph 5 of Schedule 3B to the Act. For example, DWP may use capital declarations made by the claimant to establish whether there is a large discrepancy between this and the EVM information and will determine any further action accordingly.

3.60. Similarly, where EVM information may be relevant to a potential decision to suspend benefit payments or to change a benefit entitlement decision, DWP must consider all information it holds which is relevant to that decision. This is as set out in paragraph 5 of Schedule 3B to the Act.

3.61. Examples of further relevant information that DWP may consider before determining whether to take further action could include:

(i) the information the claimant has previously told DWP about how much capital they have

(ii) the presence or absence of a capital disregard

(iii) whether the claimant has informed DWP of relevant overseas travel

This is not an exhaustive list and will vary depending on the circumstances of each individual claim.

3.62. Where DWP receives data that is not relevant, it will not share that information further and it will not be used by any DWP operational team. Once DWP determines that the information no longer serves a purpose (e.g. after having confirmed the information is not relevant), it must be securely destroyed in line with DWP’s Information Management Policy.

3.63. Any further enquiries which may take place following receipt of EVM information may lead DWP to correct the benefit claim if necessary, or, if fraudulent behaviour is suspected, DWP may use the relevant powers for obtaining information in investigations under Part 6 of the Act. DWP staff will always take the decision on any further enquiries or investigations, and on any outcomes which may affect benefit awards or eligibility.

3.64. For the Code of Practice on the exercising of DWP’s powers for obtaining information under Part 6 of the Act, visit: Social security fraud: code of practice on obtaining information - GOV.UK.

3.65. If the data received indicate that a claimant has received an incorrect payment of one of the benefits set out in the EVN and they are also in receipt of a different benefit, then DWP may use the information received to re-assess the claimant’s eligibility for the second benefit, in conjunction with other relevant information held by DWP. Certain benefits allow claimants to be automatically entitled to other benefits. For example, in some cases a claimant who is eligible for Pension Credit may be entitled to Housing Benefit, and where information received leads DWP to establish that a customer has received an incorrect Pension Credit payment, DWP may also notify the local authority which issues the Housing Benefit accordingly.

3.66. If enquiries lead DWP to establish that a benefit has been underpaid for any reason, then it will follow business-as-usual processes to correct this. This might be, for instance, if a claimant has received a compensation payment (certain compensation payments are disregarded^{[footnote 2]}) which does not count towards the calculation of their total capital balance for a benefit, but which they may have failed to inform DWP about. In such cases if an underpayment is found DWP would correct the claim to ensure the claimant receives what they are entitled to.

3.67. The processing and use of data by financial institutions will be subject to both DWP and independent oversight. Additional information on oversight of EVM is found in Chapter 4.

3.68. All data will be processed in accordance with relevant data protection legislation.

Question 5

4. Safeguarding

Accepted Answer

4.1. The legislation is intentionally limited and contains a number of clear and vital safeguards. These safeguards aim to protect those whose data is shared under EVM, and their data, as well as the financial institutions which are required to provide information. This chapter sets out those safeguards.

Independent oversight of the Eligibility Verification Measure

4.2. The Secretary of State will appoint an independent person to oversee the use of the power to issue an EVN. The appointment will be listed on the Public Appointments Order in Council and carried out using an open, fair recruitment process, following the principles laid out in the Governance Code on Public Appointments. The Commissioner for Public Appointments will provide independent assurance that the appointment is made in accordance with these principles.

4.3. The remit of the independent oversight is to complete a retrospective review of delivery relating to the 12 months beginning with the measure’s coming into force date and every 12-month period subsequently. The scope of the review is detailed in section 121DC of the Act. The review must consider:

(i) the extent to which DWP, and persons given an EVN, have complied with Schedule 3B to the Act

(ii) the extent to which DWP has complied with this Code of Practice

(iii) the extent to which the power has been effective in assisting in identifying incorrect payments of relevant benefits during the period covered by the review

4.4. The independent reviewer may, at their discretion, consider other matters in their review.

4.5. The independent reviewer may choose to meet with key stakeholders to inform their work, including the finance industry, benefit claimants, charities, members of Parliament and specialist organisations, such as the Information Commissioner’s Office.

4.6. The independent reviewer may, in their report, make recommendations for the Secretary of State to consider in relation to EVM.

4.7. The independent reviewer will help to monitor whether data is handled responsibly and in compliance with data protection legislation and human rights considerations. Other organisations, such as the Information Commissioner’s Office and the Financial Conduct Authority, will also provide regulatory functions as a result of their existing remits in the areas in which EVM will operate.

4.8. The independent reviewer will be provided with appropriate secretariat support and may request further specialist advice, as required, in discussion with the Secretary of State.

4.9. The independent reviewer will produce a report for the Secretary of State on the use of the power to issue an EVN relating to successive periods of 12 months. This report must be published and laid before Parliament. As such, the independent reviewer may be called upon to give evidence to Parliamentary committees which will further aid transparency and understanding of the Department’s delivery of EVM.

4.10. DWP must give the independent reviewer any requested information which is relevant for the purposes of carrying out the review. The independent reviewer will not, however, be given uncontrolled access to DWP’s systems or its data in order to maintain security of the information that DWP holds.

4.11. The appointment of an independent reviewer ensures the measure is exercised in a responsible and effective manner, and in accordance with the legal framework. The requirement to publish findings and present them to Parliament supports transparency and facilitates scrutiny of whether the power is being used legally and proportionately and is effective in assisting in identifying incorrect payments of benefits, by both the public and Parliament.

Safeguarding the rights of individuals

Notice to data subjects

4.12. DWP has a Personal Information Charter (PIC) which is publicly available and details how DWP uses personal data. This includes general information about how DWP uses personal information shared with it and information about how DWP will use personal information shared with it under EVM. The PIC also lists the rights of data subjects and how they can exercise them, along with details of personal information collected.

4.13. Alongside this Code and the PIC, DWP will aim to inform data subjects about EVM through other channels. This will include, for example, updates to relevant GOV.UK webpages for the benefits in scope of the measure.

4.14. Nothing in this measure will adversely affect the rights of data subjects under data protection laws, including the data subject’s right to access their own data via a Subject Access Request following existing guidance on how to do this. As such, data subjects retain the right to file a Subject Access Request with either DWP, the financial institution, or both. DWP will not inform account holders every time that a financial institution shares information with DWP. However, DWP will make contact with claimants as necessary where action is needed to verify entitlements and ensure payments are correct. In such cases, DWP will inform claimants about the information which has led to their being contacted. For some claimants, this contact may not be necessary, for example because DWP may already hold information about their claim and is satisfied the payments made are accurate and correct Data minimisation.

4.15. An EVN must not share any personal information with a financial institution and must only request limited information from a financial institution about accounts which meet the criteria set out. As set out in Schedule 3B to the Act (paragraph 1(4)), an EVN may only require specified information: the minimum information necessary for the DWP to be able to carry out further enquiries. This is in line with the requirement that the Secretary of State must consider it necessary and proportionate to issue an EVN before doing so.

Disregards

4.16. DWP must act in accordance with its existing policies. This includes complying with DWP policies about disregards.

4.17. Some claimants have a disregard in place which may in effect mean that they remain eligible for a specified benefit payment in circumstances which would otherwise make them ineligible. This might be, for example, if a claimant has received a relevant compensation payment which causes them to have more money than is usually allowed under benefit eligibility rules. A claimant in this situation may remain eligible for the benefit because the compensation payment is subject to a ‘disregard’ under DWP’s benefit eligibility rules.

4.18. DWP will identify claims with known disregards to ensure that these are taken into account.

Supporting vulnerable claimants

4.19. EVM is a data-requiring power. The process of a financial institution sharing data with DWP will not affect vulnerable claimants any differently to all other claimants.

4.20. EVM information will be fed into DWP’s established business-as-usual processes which are regularly and routinely used to help ensure payments are accurate. This means that DWP’s existing processes to identify and support claimants who are vulnerable and have complex needs will continue to be followed whenever any action is taken following receipt of EVM information.

4.21. DWP will take all reasonable steps to identify vulnerable individuals using information it already holds. All DWP staff who will be responsible for following up potentially incorrect benefit claims will receive training and support so that they can identify and manage complex cases, and handle sensitive situations appropriately.

4.22. DWP seeks to identify individuals who have complex user needs and/or require additional support to enable them to access DWP benefits and services. We recognise that vulnerability is not always apparent and may emerge or change at any point during a claimant’s journey.

4.23. DWP knows that claimants do not always tell DWP, or be aware, that they need additional support, DWP staff will encourage claimants, or their representative or advocate, to make DWP aware of their situation, or changes to their situation, as early as possible so that appropriate support and adjustments can be considered.

4.24. DWP staff are trained to put in place the right support for vulnerable people, with further specialist help available for the most complex cases. DWP has a network of Advanced Customer Support Senior Leaders, who can provide tailored support, guidance, and coaching within DWP.

4.25. For further information about how DWP supports claimants with additional support needs, visit: Delivering support and transformation to help DWP customers with additional support needs - GOV.UK.

Mandatory reconsideration

4.26. If a benefit claimant disagrees with a benefit decision, they have a right to request that the decision be reviewed. This is known as a Mandatory Reconsideration. EVM does not affect a claimant’s right to request a mandatory reconsideration of a benefit decision.

4.27. Mandatory reconsiderations can be requested if any of the following apply:

(i) it is believed that the office dealing with the claim has made an error or missed important evidence

(ii) claimants disagree with the reasons for the decision

(iii) claimants wish to have the decision looked at again

4.28. Mandatory reconsiderations must normally be requested within one month of the date of the decision.

4.29. All benefits in scope of EVM are covered by the mandatory reconsideration process.

4.30. For further information about mandatory reconsideration, visit Challenge a benefit decision (mandatory reconsideration): Eligibility - GOV.UK.

Safeguards for financial institutions

4.31. EVM contains measures which safeguard financial institutions for the purposes of the measure. These include:

(i) DWP must only require information from financial institutions which hold the necessary information

(ii) Schedule 3B to the Act is clear on information which must and must not be shared, and which accounts are in scope and out of scope

(iii) Schedule 3B to the Act sets the legal basis for sharing information as specified

(iv) a financial institution may contact DWP for further clarity about the EVN or the eligibility indicators specified in the EVN to ensure that they can comply

4.32. Financial institutions have the right to request a review of the decision to issue an EVN as well as the right to appeal against all or part of an EVN. This is embedded in the legislation and forms an important safeguard against the misuse or disproportionate use of this measure. Further information on appeals and internal reviews can be found in Chapter 5 and Chapter 6.

4.33. If DWP or anyone acting on behalf of DWP makes an unauthorised request for information, they may be liable to civil or criminal proceedings before the courts and subject to disciplinary action by DWP. If these individuals unlawfully disclose information acquired in the course of their employment, they may also be liable to prosecution.

4.34. For information about how EVM interacts with a financial institution’s financial legal obligations, see Chapter 8.

Safeguarding of data

Storage and retention of data

4.35. DWP continuously handles large volumes of data and has robust security processes in place to manage the data it will receive from financial institutions. Data must only be kept as long as necessary and in accordance with DWP’s Information Management Policy. At all times, data must be kept securely in line with DWP’s existing data storage processes while actively being used and must be destroyed safely and securely after use. DWP is transparent in how long it keeps data; further information can be found here: DWP: Information Management Policies.

4.36. Data must also be transferred in securely, and DWP will work with financial institutions to ensure that this is the case.

Destruction of data

4.37. When data no longer serves an operational purpose, it must be securely destroyed in line with DWP’s existing Information Management Policy. Visit DWP: information management policies - GOV.UK for more information.

4.38. Where DWP receives data that is not relevant, it must not share this information further and must not use the data for any further operational purposes. DWP has robust existing processes in place for safely and securely destroying information of this nature, in accordance with its Information Management Policy.

Treatment and handling of Data

4.39. DWP must not share any personal data under this measure with financial institutions. Financial institutions must identify accounts about which to share information based on data that they already hold.

4.40. DWP and financial institutions are required by law to comply with rules and provisions set out in the Data Protection Act 2018 and the UK GDPR.

4.41. DWP must ensure that once data have been received, decisions about further enquiries or investigations, and about any outcomes which may affect benefit awards or eligibility will be made by DWP staff. No data source is perfect or infallible. That is why in fraud and error cases, a human will make any final decisions that affect benefit entitlement, and any indications of potential fraud or error will be looked at comprehensively.

4.42. The Financial Conduct Authority (FCA) has a responsibility to oversee the conduct of financial institutions in the United Kingdom. One of the authority’s operational objectives is to “use its powers over firms and markets to protect consumers”^{[footnote 3]}. If a financial institution breaches the standards expected by the FCA, then the FCA may take action against the financial institution.

4.43. Schedule 3B to the Act expressly prohibits financial institutions from sharing transaction information and special category data with DWP in response to an EVN (although the legislation does allow the sharing of special category data if it is to confirm that a person is in receipt of a specified benefit, such as Employment and Support Allowance (ESA)). In order to ensure that financial institutions comply with this prohibition, the legislation provides that penalties may be issued in circumstances where a financial institution shares this information.

DWP’s lawful bases for processing the personal data

4.44. DWP will process the personal data for EVM purposes using the ‘Public Task’ lawful basis from the UK GDPR, Article 6 (1(e). That is because processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.

4.45. The processing is necessary so that DWP can carry out its statutory functions, which are set out in Schedule 3B to the Act.

4.46. Personal data obtained by DWP will be processed under the general processing regime set out in the UK GDPR and Part 2 of the Data Protection Act 2018.

Data protection requirements

4.47. On receipt of EVM information, DWP will become an independent data controller. Consequently, DWP will ensure that all relevant data protection legislation is complied with, following DWP’s protocols on retention and deletion. For information about DWP’s Information Management Policy, visit DWP Information Management Policy - GOV.UK.

4.48. Financial institutions in receipt of an EVN should be aware that data protection obligations apply alongside the requirements stipulated in the EVN and any other requirements which govern the ways in which financial institutions operate.

4.49. At all times, DWP and financial institutions must abide by data protection legislation, including the 7 key data protection principles, as set out in the UK GDPR. For further information about these, see A guide to the data protection principles - ICO.

4.50. In compliance with the data protection principle of accuracy, data shared and processed under EVM must be accurate, and there are also penalties for financial institutions which share inaccurate information with DWP (see Chapter 7).

4.51. Financial institutions are prohibited from sharing transaction information and special category data with DWP, and there are penalties for financial institutions which do so (see Chapter 7). As the sharing of such information is prohibited by this legislation, financial institutions which breach this prohibition would not have a legal basis for this processing. This could therefore be a personal data breach. Information Commissioner’s Office (ICO) guidance makes clear that when a personal data breach has occurred, data controllers must establish the likelihood of the risk to people’s rights and freedoms, and if a risk is likely, then the ICO must be notified. For further information about personal data breaches, see Personal data breaches: a guide - ICO.

4.52. In the event of a personal data breach, DWP will work with any other involved party to determine an appropriate course of action, including notifying the Information Commissioner’s Office if necessary.

Data Subject Complaints

Introduction

4.53.This section contains information for data subjects who wish to make a complaint. For information about the appeals process which financial institutions should use if they wish to make a complaint, see Chapter 5. This section contains information for data subjects who wish to make a complaint. For information about the appeals process which financial institutions should use if they wish to make a complaint, see Chapter 5.

Complaints to DWP

4.54. DWP takes complaints very seriously and will seek to address any complaints, incidents or allegations of improper use of EVM via its normal complaints processes. Further details are available here: Complaints procedure - Department for Work and Pensions - GOV.UK.

4.55. Any concerns or complaints regarding this or any DWP policy should be directed via DWP’s Ministerial Correspondence Team. Further details are available here: Contact the Department for Work and Pensions about its policies - GOV.UK.

Complaints to the Information Commissioner’s Office

4.56. The Information Commissioner’s Office is the regulator for data protection matters in the UK and is responsible for the promotion of good practice regarding the processing of personal data. It may take action in the case of a breach of data protection legislation.

4.57. Complaints about data protection should initially be directed to DWP using the route described above. Should the matter remain unresolved following this, a complaint may be made to the Information Commissioner’s Office. DWP may also refer itself for any violation of this Code or any applicable law.

Parliamentary and Health Service Ombudsman

4.58. The Parliamentary and Health Service Ombudsman carries out independent investigations into complaints about unfair or improper actions or poor service by UK government departments and their agencies.

4.59. Any complaint must be made to a Member of Parliament who will then decide whether to pass the complaint to the Ombudsman. The Ombudsman seeks to establish whether public bodies have acted correctly and fairly in discharging their duties.

4.60. Further information can be found on the Parliamentary and Health Service Ombudsman website.

Question 6

5. Internal Reviews

Accepted Answer

Introduction to the internal review process

5.1. A financial institution which is in receipt of an EVN may request that DWP review the decision to issue it with an EVN. Where this is the case, a review of the decision to issue an EVN will be carried out by DWP. This is known as an internal review.

5.2. There are a number of circumstances where a financial institution may request that DWP review its decision to issue an EVN. For example, it may be that the financial institution considers that they have received the EVN in error. Schedule 3B to the Act does not set out the circumstances in which a review may be requested or provide any restrictions in respect of reasons for requesting that DWP review the decision to issue the EVN. Technical issues which affect whether a financial institution can comply with an EVN should be dealt with using the Incident Management process described in Chapter 3.

5.3. The internal review process is designed to offer a faster and more cost-efficient alternative to the formal appeals procedure, for financial institutions that wish to address issues with DWP. It allows financial institutions to engage directly with DWP to resolve issues. This is in contrast to the appeals process, where appeals are made to the First-tier Tribunal. The appeals process for financial institutions is explained in Chapter 6.

5.4.Financial institutions are encouraged to use the internal review process as their first port of call where there may be questions or disputes about the issuing of an EVN. DWP will always aim to resolve any issues during the internal review. However, a financial institution retains the right to use the appeals process, which is carried out by the First-tier Tribunal. Further details on this are found in Chapter 6.

How does a financial institution request a review?

5.5. Each EVN will provide full details about the right to seek a review of the EVN, and how to do so.

5.6. A financial institution wishing to request a review of the decision to issue an EVN must ensure that the request is made within 14 calendar days, beginning with the day on which DWP issued the EVN.

5.7. Requests for a review should be made via email to the address included on the EVN. On receipt of a request, DWP will work to resolve the concerns raised as quickly as possible and will aim to formally resolve within 14 days following receipt. Outcomes will be notified in writing via email.

Factors DWP may consider when carrying out a review

5.8. There are several reasons for which a financial institution may apply for a review, and DWP will act fairly and proportionately when deciding the outcome of the process.

5.9. DWP will consider relevant factors when undertaking an internal review, which may include whether:

(i) the EVN has been given to the wrong person

(ii) the EVN does not comply with Schedule 3B to the Act

(iii) it is unduly onerous to comply with the EVN

(iv) there was any late receipt of an EVN

(v) the financial institution encountered any technical issues

5.10. DWP will consider any representations made by a financial institution which makes a request for a review of the decision to issue an EVN, as well as any other factors relevant to the individual request.

What are the possible outcomes of a review?

5.11. Having considered the representations made by a financial institution, following a review DWP may:

(i) revoke the EVN

(ii) uphold the EVN

(iii) vary the EVN

5.12. While DWP is carrying out a review, the financial institution is not under any obligation to comply with the requirements of the EVN to which the review relates.

5.13. If the review determines that the EVN is to be upheld or varied, the period for compliance with the EVN begins with the day on which the outcome of the review is notified to the financial institution to whom the EVN was issued.

5.14. Notification of internal review outcomes will be by email.

Question 7

6. Appeals against an Eligibility Verification Notice

Accepted Answer

6.1. Each EVN issued must provide details regarding both the right to seek a review of the EVN and the right to appeal against it.

6.2. DWP encourages financial institutions to seek an internal review before any appeal is made and would hope to resolve most concerns via this route. However, a financial institution is not obliged to request an internal review before making an appeal.

6.3. If, in such cases, a financial institution does not agree with the findings of a DWP internal review, or does not choose to follow the review procedure, they may appeal against the EVN.

6.4. This Chapter sets out the details of the appeals process. For information regarding appeals of penalties, see Chapter 7.

Process for appealing against an EVN

6.5. Financial institutions have the right to appeal to the First-tier Tribunal (“Tribunal”) against an EVN, or any subsequent penalty incurred under the grounds covered below.

6.6. Any appeal must be made within either 14 days beginning with the day on which the EVN was given, or if an internal review has been carried out, within 14 days of the day on which the financial institution was notified of the review outcome. The Tribunal also has the discretion to consider appeals brought against an EVN after this period has passed, if it considers it reasonable to do so.

6.7. Appealing against an EVN will result in the EVN being either confirmed, amended or revoked by the Tribunal.

6.8. Legislation sets out the only grounds for which an appeal to the Tribunal against an EVN can be made, which are the following:

(i) the recipient is not a person to whom an EVN should have been issued (i.e. they are not an eligible type of financial institution)

(ii) the EVN is not in accordance with Schedule 3B to the Act

(iii) the EVN is unduly onerous to comply with

6.9. Once an appeal has been brought, the financial institution is not under any obligation to comply with the requirements of the EVN until the outcome of the appeal has been decided, unless the Tribunal decides otherwise. Equally, no daily penalty rate can be charged by DWP whilst the appeals process is being carried out.

The Tribunal decision

6.10. The Tribunal will consider the information presented to it by both the financial institution and DWP before reaching a decision. Following an appeal, the Tribunal may:

(i) amend the EVN

(ii) revoke the EVN

(iii) dismiss the appeal

6.11. Amending the EVN means the Tribunal could change the requirements within the EVN. For example, it could include changing the period for which information is to be provided, or the frequency with which information is to be provided. This may result, for example, in the financial institution (the appellant) receiving extra time to respond to an EVN than was initially set out.

6.12. If the Tribunal dismisses the appeal or amends the EVN, the financial institution must comply with it within the period specified by the Tribunal. If the Tribunal does not specify a period within which the financial institution must comply with the EVN, then DWP may specify this period.

Question 8

7. Penalties

Accepted Answer

How penalties could be used under EVM

7.1. An EVN must set out exactly what a financial institution must do to comply with its requirements and specify the timeframe within which the financial institution must comply.

7.2. If there are any concerns, the aim will always be to engage with financial institutions to understand those concerns, with a view to resolving them without resorting to the application of penalties permitted by the legislation.

7.3. If, however, any of the following situations occur, then DWP has the power to issue a penalty to a financial institution in certain circumstances:

(i) if DWP considers that a financial institution has failed to comply with an EVN within the specified period

(ii) if a financial institution shares information with DWP which is inaccurate^{[footnote 4]}

(iii) if a financial institution shares information with DWP which is prohibited by the legislation – namely, transaction information or special category data^{[footnote 5]}

Penalty for failure to comply with an EVN

7.4. If DWP considers that a financial institution has not complied with the requirements of an EVN within the period specified, and no reasonable excuse has been provided, then the financial institution may be issued with a fixed penalty up to a maximum of £1,000.

7.5. Before a fixed penalty can be issued, DWP must give the financial institution the opportunity to make representations about its compliance. This means that DWP will contact the financial institution to ask them why the EVN has not been complied with.

7.6. DWP will provide a clear explanation of the reasons why it considers that a financial institution has not complied with the EVN, with a clear timeframe for the financial institution to respond.

7.7. After considering any representations made by the financial institution, DWP will determine whether it is appropriate to issue a penalty.

7.8. DWP may consider that the financial institution has provided a reasonable excuse for the failure to comply. It is not possible to provide a comprehensive list of reasonable excuses, but these might include that the institution did not receive the EVN or that they encountered an IT issue of which the institution was previously unaware. In this situation, DWP will notify the financial institution that a penalty will not be issued.

7.9. Penalty notices will state the fixed penalty that applies and reason(s) for the penalty and provide details of how the penalty can be paid as well as how an appeal can be brought against the penalty.

7.10. Only one penalty may be imposed in relation to an EVN, except in the case of periodic EVNs. DWP may impose a penalty in relation to each specified interval of a periodic EVN.

What happens if a financial institution continues to fail to comply with an EVN?

7.11. Where a financial institution has received a fixed penalty for failure to comply with the requirements of an EVN, and they continue to fail to comply without a reasonable explanation, DWP may issue an additional penalty for each day for which their non-compliance continues.

7.12. The maximum daily rate penalty that can be imposed by DWP is £40 per day for an ongoing failure to comply. DWP may not impose more than one daily rate penalty in respect of an EVN, except in the case of a periodic EVN (see 3.31 for an explanation of what constitutes a periodic EVN).

7.13. If a financial institution fails to comply with a periodic EVN, then a daily penalty may be applied in relation to the required return date for each period of that EVN. For example, if a periodic EVN requires a financial institution to provide information to the DWP on a monthly basis by a certain date each month, then a daily rate penalty may be imposed for every individual return date as if each return date were a separate EVN.

Situations where the daily rate penalty for failure to comply with an EVN may be increased

7.14. In the event that DWP and the financial institution have not been able to resolve an issue even after the application of a daily rate penalty, DWP may seek to increase the daily rate penalty. To do this, DWP must apply to the Tribunal. This is to enable an impartial judgement and to ensure both DWP and the financial institution have the opportunity to make their case before a court.

7.15. The circumstances where DWP can apply to the Tribunal are limited. These are only where a financial institution has already been issued with a daily rate penalty which relates to a failure which has continued more than 30 days beginning with the day on which the initial daily rate penalty became payable.

7.16. If the Tribunal determines that a further penalty is appropriate, it will determine the value of the additional daily rate penalty which can be up to a maximum of £1,000 per day, as well as the date from which it becomes payable.

7.17. Financial institutions must share correct and accurate information in line with the criteria set out in the EVN and Schedule 3B to the Act (see Chapter 3 for further details). This is to ensure that information is only shared in situations where a relevant benefit may have been incorrectly paid. A penalty for sharing inaccurate information is known as an “inaccurate information penalty”.

7.18. If DWP considers that a financial institution has shared inaccurate information with DWP in response to an EVN, then a penalty may be issued to the financial institution.

7.19. For DWP to issue a financial institution with a penalty for sharing inaccurate information, any one of the following 3 conditions must be met, as set out in Schedule 3B to the Act. In each case, a penalty will not be issued if the financial institution has a reasonable excuse for providing the inaccurate information. The conditions are:

(i) the inaccuracy of the information given to DWP was deliberate or due to the financial institution’s failure to take reasonable care

(ii) the financial institution knew at the time that it gave the information that it was inaccurate, but did not inform DWP at that time

(iii) the financial institution discovers at some point after giving DWP the information that it is inaccurate but does not take reasonable steps to inform DWP

7.20. In addition to their obligation to provide DWP with accurate information, financial institutions are also obliged to only share certain types of information with DWP. There are certain types of information that a financial institution is specifically prohibited from sharing with DWP (detailed below). If a financial institution shares prohibited information, then DWP may issue the financial institution with a “prohibited information penalty.”

7.21. The types of information which a financial institution must not share are:

(i) transaction information

(ii) special category data

7.22. Transaction information refers to information which may enable a person to identify what an account holder has bought, the amount of a transaction, or the person or body with which the transaction was carried out (other than the account holder).

7.23. Special category data refers to data about a person which is particularly sensitive. Examples include information about a person’s racial or ethnic origin, their political opinions, or their religious beliefs. For a detailed overview of special category data, visit What is special category data? - ICO.

7.24. The prohibition against the sharing of special category data with DWP does not, however, prohibit the sharing of data to establish that an individual is in receipt of the specified relevant benefit in the EVN.

7.25. Financial institutions should put in place robust safeguards to mitigate the risk of these types of information being shared. The ability to impose a penalty on a financial institution that provides prohibited or inaccurate information without a reasonable excuse acts as a deterrent to help stop this happening.

7.26. DWP issues a financial institution with an inaccurate information penalty or a prohibited information penalty by giving them an “information penalty notice”. A penalty can only be issued after the financial institution has had the opportunity to make representations about:

(i) in the case of an inaccurate information penalty, whether or not the information is inaccurate and any of the conditions set out in paragraph 7.19 above are met, or

(ii) in the case of a prohibited information penalty, whether or not the financial institution has provided prohibited information without reasonable excuse.

7.27. As above, before a penalty is issued, DWP will give the financial institution the opportunity to make representations about its compliance. This means that DWP will contact the financial institution and ask them to provide an explanation for the information that DWP considers to be inaccurate or prohibited.

7.28. This communication will provide a clear explanation of the reasons DWP considers that a financial institution has sent inaccurate or prohibited information and a clear timeframe for the financial institution to respond.

7.29. DWP may consider that the financial institution has provided a reasonable explanation for the information provided. This might include further context that demonstrates that the information is accurate or an explanation, such as an unknown IT failure, and agreement to resend accurate data. In this situation, DWP will notify the financial institution that a penalty will not be issued.

7.30. If a penalty notice is issued, it will be sent to the same address or email address as the EVN unless another method has been agreed with the financial institution.

7.31. An information penalty notice must provide the reason for the penalty, including the amount of the penalty, and the period within which it must be paid. A penalty notice can also be varied or revoked by DWP.

7.32. See 7.41 below for a flowchart which sets out possible timeframes for the various penalties that may be applicable.

Appeals against a penalty notice

7.33. If, after the issuing of a penalty notice, a financial institution disputes the issuing of said penalty notice, they may appeal to the Tribunal. An appeal must be brought within 30 days of the date the penalty notice was given.

7.34. If a financial institution appeals against a penalty notice, the penalty in question is not payable until the appeal is determined or withdrawn.

7.35. Full details of how to appeal against a penalty notice will be contained within the penalty notice itself.

7.36. The financial institution has the right to appeal only against:

(i) The fact it has been issued with a penalty

(ii) The amount of the penalty and/or

(iii) If relating to the daily rate penalty, the period during which the daily amounts are payable

7.37. A financial institution cannot, however, appeal against a decision of the Tribunal to increase a daily rate penalty.

7.38. Any appeals brought regarding a penalty notice can result in the Tribunal:

(i) revoking the decision to impose the penalty

(ii) amending the amount of the penalty

(iii) amending the period in within which all or part of the penalty is to be paid

(iv) dismissing the appeal

7.39. If a financial institution appeals against a penalty and the Tribunal dismisses that appeal, amends the amount of the penalty, or amends the period within which the penalty must be paid, the financial institution must pay the penalty within the period specified by the Tribunal, or the period specified by DWP if the Tribunal does not do so.

7.40. The decision of the Tribunal will be final, meaning there is no further right of appeal.

7.41. The flowchart below sets out the detail of various processes that may be followed after an EVN is issued to a financial institution. Note that the 14 days quoted here is the minimum period that may be given to comply with an EVN.

Question 9

8. Interaction with financial crime obligations

Accepted Answer

8.1. The Eligibility Verification Measure is a data-requiring measure. It does not by itself make or imply any judgement as to whether someone may or may not be meeting the eligibility criteria for the benefit that is being received. EVNs and the data returned in compliance with them do not in themselves suggest any suspicion of fraud, wrongdoing or that an error has occurred. Receipt of an EVN does not provide a financial institution any indication of benefit fraud. The sole purpose of EVNs is for financial institutions to send information to DWP to help DWP find potentially incorrect benefit payments, such as the recipient not meeting the eligibility criteria for the amount of benefit they are being paid. EVNs cannot be issued as part of an investigation into an individual, because EVNs do not contain any personal data and their sole purpose is to require data from financial institutions to help DWP find potential incorrect payments.

8.2. EVNs require financial institutions to objectively apply criteria specified in the EVN and return the required data to DWP. DWP cannot make any determinations or judgements based solely on the EVN data that is returned. DWP will need to undertake further checks, prompted by the returned data alongside other data held or obtained, about relevant individuals and their benefit claims to determine whether any potential incorrect payments may have been made or may be made and whether that was because of errors or fraud. For example, some DWP claimants will legitimately have more capital than is normally allowed under benefit rules if they meet exemptions set out in legislation, such as certain compensation payments.

8.3. EVNs do not require financial institutions to assess whether an incorrect payment may be or may have been made. Financial institutions have no access to DWP data that may indicate whether fraud or error has occurred. For these reasons, it is DWP’s view that information shared solely in response to an EVN should not trigger any financial crime obligations for the bank or financial institution sharing that data. If a financial institution identifies or already holds information in the course of its business that, in combination with a EVN return, might indicate fraud, they should consider their existing financial crime obligations (e.g. the Proceeds of Crime Act 2002 (POCA) and the Money Laundering Regulations 2017).

8.4. Once EVM is fully rolled out and reporting periodically, incorrect payments will be found by DWP quickly, limiting the value of overpayments made. The vast majority of any overpayments identified by DWP would therefore be expected to be treated as error cases, through established compliance processes, and only very small numbers of cases would be expected to be identified by DWP as being due to fraud.

Suspicious Activity Reports and EVM

8.5. Suspicious Activity Reports (SARs) alert the UK Financial Intelligence Unit which is housed within the National Crime Agency’s National Economic Crime Centre to potential instances of reporters’ knowledge or suspicion of money laundering or terrorist financing.

8.6. Persons working in the regulated sector are required under legislation, in particular Part 7 of POCA, to submit a SAR in respect of information that comes to them in the course of their business if they know or suspect, or have reasonable grounds for knowing or suspecting, that a person is engaged in money laundering.

8.7. Sections 330 and 331, Part 7 of POCA are specific to money laundering. They provide that a person in the regulated sector commits an offence if they fail to disclose information that comes to them in the course of their business if they know, suspect or have reasonable grounds for knowing or suspecting, that a person is engaged in money laundering. In such cases they are required to submit a SAR.

8.8. The provision in Part 2 of Schedule 3 to the Public Authorities (Fraud, Error and Recovery) Act 2025, which makes amendments to POCA, provides that a person does not commit an offence of failure to disclose (under s.330 and s.331 POCA) by failing to submit a “Suspicious Activity Report” if the information was obtained only as a result of complying with an EVN and they have no other knowledge or suspicion (or reasonable grounds for knowing or suspecting).

8.9. The amendment in Part 2 of Schedule 3 to the Public Authorities (Fraud, Error and Recovery) Act 2025 does not exempt institutions and individuals from their ongoing obligations to detect and prevent money laundering (including reporting knowledge or suspicion of money laundering under POCA), that might arise independently of receiving an EVN or returning the required data to DWP.

Personal information charter - Department for Work and Pensions - GOV.UK. ↩
Universal Credit: money, savings and investments - GOV.UK. ↩
Protecting consumers - FCA. ↩
See Chapter 4 for further information about the data protection implications of sharing inaccurate data. ↩
See Chapter 4 for further information about the implications of a financial institution’s sharing of prohibited information, including information about processes to be followed in case of potential personal data breaches. ↩

Cookies on GOV.UK