As adoption of digital verification services (DVS) grows, it’s important that certified DVS providers share clear, consistent and accurate information about what their certification means.
Some terminology can cause confusion - for example, where providers describe their service as being “certified for anti-money laundering checks” or certified to operate in other regulatory contexts for which no certifiable rules have been set in a supplementary code.
This blog post sets out how certified DVS providers can describe their certification and provides examples of misleading language. The aim is to help providers present their certification status clearly and avoid confusion for users, relying parties and Certification Assessment Bodies (CABs).
Certification is against the DVS trust framework and supplementary codesA DVS can only be certified against the DVS trust framework and supplementary codes published under the Data (Use and Access) Act 2025. A DVS cannot be certified against, for instance, a piece of legislation such as the Money Laundering Regulations, or a specific compliance regime, such as the anti-money laundering regime.
This means statements such as “certified for anti-money laundering (AML)”, “certified for checks under the Money Laundering Regulations (MLRs)” or “certified to do Know Your Customer and Due Diligence Checks” are not accurate and must not be used.
Supplementary codes contain rules which build on the trust framework rules to show how DVS can meet additional needs in specific use cases. Regulations, by contrast, are legislation that sets out the broader statutory framework. For example, the MLRs provide that certified DVS can be used for identity checks but do not prescribe specific technical requirements of certified DVS. These technical requirements fall within the scope of the DVS trust framework and supplementary codes, forming the basis for the certification.
Why this mattersClarity, consistency and accuracy in the description of certified DVS are essential to maintaining trust in the DVS ecosystem. The use of unsuitable terminology by certified DVS providers could:
mislead relying parties about what has been assessed as part of their certification; and weaken users’ confidence in the DVS certification scheme.As such, we’ve set specific trust framework rules in this regard, meaning that inaccurate or misleading claims about your service will put your certification at risk.
What you can sayThere are two key areas certified DVS providers should focus on when describing their certified service:
1. The supplementary codes your service/s are certified against:Your supplementary code certification may be relevant to those you work with. Where you’d like to tell them about it, you must clearly state which supplementary codes your service has been certified against. For example:
“This service is certified against [supplementary code X].”
2. The sectors or use cases your service supports:You can describe what use case or sector your service has been designed for, or is commonly used in, provided this does not contain any inaccurate or misleading statements, e.g. one implying that you’ve been assessed against a specific regulation for which a supplementary code does not exist. For example:
“Our product is designed for use in the property sector.”
“We provide services to estate agents and conveyancers.”
“Our solution helps streamline employee onboarding.”
You may also describe your product in general terms as supporting organisations operating in regulated sectors, so long as this statement is accurate (i.e. you do actually have a customer base in that sector). For example:
“This product supports organisations operating in the financial services sector.”
What you must not sayYou must not:
Claim that your service has been certified against a set of regulations (e.g. the MLRs); or Imply that trust framework certification alone demonstrates compliance with a specific regulatory framework. Putting this guidance into practiceA clear and compliant service description might look like:
“Our service is certified against [supplementary code X] and is used by organisations in the employment sector.”
This approach:
Accurately reflects what has been certified; Provides useful context for relying parties; and Avoids making misleading claims about your service’s certification. Supporting a trusted DVS ecosystemIf you are unsure how to describe your certification, please seek guidance from us at correspondence@dsit.gov.uk before publishing materials about your certified service(s).
OfDIA is also working on service provider application guidance for applying to a CAB to become certified, which will cover what a good service description should look like. We expect to publish this shortly, following this blog post.
seen at 18:30, 8 April in Enabling digital identity.