Yoti has released a brief primer about the UK’s Good Practice Guide 45 (GPG 45). The country’s Government Digital Services (GDS) drafted a series of GPG 45 revisions at the tail end of 2019, and is now preparing to publish the updated version of the standard.
GPG 45 is intended as a guide for organizations that need to verify the identities of customers, employees, and other parties. The document notes that every identity check begins with a claimed identity, and then walks readers through the five step process needed to verify the legitimacy of that ID.
To that end, an organization must first gather evidence to support the claim. That could include a driver’s license, or another document that contains personal information like name and date of birth. After that, the organization must confirm that the evidence itself is valid to make sure that the information has not been forged or falsified.
The organization should then check to see whether or not the claimed identity has existed over time, and whether or not there is a history associated with that name that would point to a high risk of fraud. Finally, the organization doing the ID check should make sure that the claimed identity does in fact belong to the person presenting it.
GPG 45 assigns scores during each step in the identity verification process, with higher scores correlating with a higher level of certainty about the authenticity of the identity. Some organizations have stricter identity requirements than others, which is why the document contains provisions for Low, Medium, and High levels of Assurance.
Yoti itself primarily seeks to deliver Low and Medium levels of Assurance, which is usually enough for retail outlets and other organizations that conduct frequent interactions with customers. Despite the name, a Low Assurance Score still indicates that the identity is legitimate and the evidence supporting it appears to be genuine. It can also include strong authentication factors like biometrics.
Yoti plans to submit its services for evaluation when GPG 45 is published. The company indicated that it does have the ability to deliver High Assurance Scores, and argued that a standardized ID checking process is important because it will reduce the number of gaps in the system and reduce the overall threat of identity fraud. As it stands, organizations with soft identity practices are easier targets for those engaging in that fraud.