What’s meant by identity verification?

Identity verification sits at the heart of customer due diligence under the UK’s anti-money laundering framework. It’s the process of confirming that a client, beneficial owner or other relevant individual is genuinely the person they say they are, using reliable and independent evidence.

For accountants, legal professionals, TCSPs, property businesses and high-value dealers, regulated under the UK’s Money Laundering Regulations 2017 (as amended) (MLRs), identity verification is a legal requirement.

It must be applied before establishing a business relationship or carrying out an occasional transaction, subject to limited exceptions.

Identification and verification are not the same

The MLRs draw a clear distinction between identifying someone and verifying their identity.

Identification means obtaining information about who the legal or natural person is. For an individual, that usually includes their full name and date of birth.

For a company, it means understanding its name, registered number, registered office and legal form. For beneficial owners, it means understanding who ultimately owns or controls the entity.

Verification is the next step. It means confirming that the identity exists and confirming that the person claiming that identity has the right to that identity.

You must confirm that the information you have obtained is accurate, using documents or information from a source that is reliable and independent of the person being verified.

In simple terms:

• Identification answers: who is this?
• Verification answers: how do we prove and document that’s correct?

Supervisors regularly find files where identification has taken place but verification is weak or missing. Collecting information is not enough. The requirement is to evidence that the information is genuine and it is important to document who verified the information and how was verified.

What do the MLRs require?

Regulation 28 of the MLRs requires you to:

• identify the customer;
• verify the customer’s identity using documents or information from a reliable and independent source;
• identify any beneficial owner;
• take all reasonable measures to verify the identity of the beneficial owner;
• assess and, where appropriate, obtain information on the purpose and intended nature of the business relationship;
• conduct ongoing monitoring of the business relationship, including:
  • reviewing transactions to ensure they are consistent with your knowledge of the customer, their business and risk profile;
  • keeping customer due diligence information up to date.

The phrase “reliable and independent source” is key. It reflects the wider risk-based approach embedded in UK AML law and influenced by FATF (the Financial Action Task Force).

The MLRs don’t prescribe a fixed list of acceptable documents. Instead, they expect professional judgement. What is appropriate depends on the level of risk and the circumstances of the client.

What counts as identity verification?

For individuals, verification commonly involves photographic identification such as a passport or driving licence, combined with confirmation of address. Digital identity verification services can also be used, provided they meet the standard of being reliable and independent.

For corporate clients, verification may include checking:

• the company’s incorporation details against the public register at Companies House;
• the identities of directors and beneficial owners;
• the ownership and control structure.

For beneficial ownership, verification can involve documentary evidence, electronic checks and corroborating information from public sources. Where no individual meets the ownership threshold, you may need to verify the senior managing official as a fallback.

The common thread is that verification must give you confidence that the person exists and matches the identity presented.

Enhanced due diligence and deeper verification

Identity verification is not static. Where a client is assessed as higher risk, enhanced due diligence may require deeper or additional verification steps.

For example, where a client is linked to a high-risk jurisdiction, is a politically exposed person (PEP) or operates through a layered structure, you may need to:

• obtain additional identification documents;
• verify information through multiple independent sources;
• corroborate identity and control using open-source research;
• increase the frequency of review.

This reflects the principle set out by FATF and embedded in UK law: higher risk justifies stronger controls.

Identity verification and Companies House reform

Recent reforms at Companies House introduce mandatory identity verification for directors and Persons with Significant Control (PSCs). This strengthens the reliability of the public register.

However, Companies House verification does not replace your obligation under the MLRs. It confirms that an individual has verified their identity for company law purposes. Your duty is to verify identity in the context of your own risk assessment and client relationship.

Companies House data is a helpful source. It’s not the conclusion of your due diligence.

Final thoughts

Identity verification means more than collecting a passport copy. It’s the process of confirming that a person’s identity exists and they are who they claim to be, using reliable and independent evidence, and doing so in a way that reflects the level of risk involved.

When applied properly, it supports every other element of your AML framework. It strengthens your understanding of ownership and control, supports accurate risk assessment and underpins defensible decision-making.

If your current process feels like a routine document collection exercise, it’s worth stepping back and asking a simple question: does this verification genuinely evidence who I am dealing with, or does it just create a file note?