Guidance

Using digital identities with the Money Laundering Regulations

Published 26 February 2026

1. Purpose of guidance

This guidance has been created to provide information on how the UK digital identity and attributes trust framework and the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017 (MLRs) interact. It is approved guidance for the purposes of compliance with the MLRs. It begins with an overview of Digital Identities and the UK Digital Identity and Attributes Trust Framework. It then explores the intersection of the trust framework with the MLRs to help organisations covered by the MLRs understand how they can use digital identities to fulfil some of their obligations under the MLRs.

2. What is a Digital Identity?

A digital identity is a digital representation of a person acting as an individual or as a representative of an organisation. It enables them to prove who they are during interactions and transactions, without presenting physical documents. With an individual’s consent, it can be used to share information, or attributes, about them, such as age or an address, or biometric information, like a fingerprint or a face scan. They can use it online or in person, generally via a computer or a smartphone.

Digital identity services are offered by a range of digital identity and attribute providers, based in the private, public, and charity sectors. These providers verify identities and attributes, often using many of the same documents, such as passports and driving licences, that are used in in-person settings.

3. UK digital identity and attributes trust framework

The UK digital identity and attributes trust framework, and its associated certification scheme, were first developed in 2020 to establish a set of clear standards and rules for the use of digital identities and attributes across the UK. These rules cover the roles, principles, policies, procedures, and standards that govern the use of digital identities. They draw on existing technical requirements, standards, best practice, guidance, and legislation. This includes the Good Practice Guide 45 (GPG 45) regarding proving and verifying someone’s identity. It supports, rather than supersedes, any relevant sector legislation. Combined with the requirements regarding privacy and security, the framework helps ensure organisations check identities and share attributes in a trusted and safe way.

The trust framework is technology-agnostic, allowing innovation to develop freely while it continues to deliver the outcomes required by the trust framework. The Office for Digital Identities and Attributes (OfDIA) does not prescribe or run any specific technology. Instead, it sets the requirements that digital verification services (DVS) must meet in order to be certified. Additionally, the trust framework is sector-agnostic, as it is anticipated that over time users may have a single digital identity that they use for different purposes in their lives.

Digital identity services can be independently certified against the trust framework to demonstrate that they meet its requirements. To achieve certification, organisations must demonstrate how their service meets the requirements outlined in the trust framework to an independent conformity assessment body overseen by the UK Accreditation Service, UKAS. Certified DVS providers agree to formal oversight and can apply to have their certified services listed on the DVS Register, a publicly available register of DVS providers established and maintained by OfDIA under the Data (Use and Access) Act 2025. These services can be removed from the register if they are found to be in breach of the trust framework or do not correct minor non-conformities in a timely manner.

Independent certification against the trust framework and presence on the DVS register provides confidence that the service is a reliable source and is providing information that is independent of the person whose identity is being verified. It also helps to provide assurance that the person claiming a particular identity is in fact that person.

4. Intersection with the Money Laundering Regulations

Under the MLRs, banks and other regulated entities must establish policies, controls and procedures to mitigate the risks of money laundering and terrorist financing. These include customer due diligence measures to verify the identity of customers and understand the purpose behind transactions.

Customer due diligence allows firms to obtain reasonable satisfaction that customers are who they say they are and that there are no legal barriers (such as government sanctions) to providing them with the product or service requested.

Digital identity services which are certified against the trust framework and on the DVS register are a reliable and independent source of information, with an appropriate level of anti-impersonation assurance, and can be used by regulated entities as part of their customer due diligence processes. Specifically, for individuals, entities are able to fulfil their obligations under Regulation 28 of the MLRs by verifying a customer’s identity using certified and registered digital identity services. Entities may also use certified and registered digital identity services to fulfil their obligations regarding the verification of company directors. Digital verification services which are not certified and therefore not on the DVS register cannot reliably be deemed suitable for identity verification in compliance with the MLRs.

Regulated entities should continue to make their own assessment of a customer’s risk and apply enhanced due diligence measures accordingly. They should note that while digital identities may be used for identification and verification purposes, they should not assume that digital identities fulfil all aspects of customer due diligence (such as to assess, and where appropriate maintain information on, the purpose and intended nature of the business relationship or occasional transaction). Regulated entities will also remain ultimately liable for any failures to apply customer due diligence measures appropriately when using digital identity services. Entities should ensure that services can meet the required record-retention requirements, as outlined in Regulation 40 of the MLRs.

Guidance for different sectors on how digital identities can be used as part of an entity’s customer due diligence processes can be found in publications by:

  • HMRC (High Value Dealers, Money Service Businesses, Trust and Company Service Providers, Estate and Letting Agent Businesses)
  • CCAB (Accountancy)
  • JMLSG (Financial Services)
  • LSAG (Legal)
  • Gambling Commission (Casinos and Gambling Operators)