Skip to main content

Good Practice Guide 45 (GPG 45) and its role in supporting digital identity check standards

ID Scanning

The challenge of validating and verifying identity for businesses continues, whether you are onboarding staff and customers remotely or face to face. Without a standard in identity verification, it’s down to individual firms to determine whether the tools and methods they choose are sufficient to protect their business, customers, and users from fraud. That’s where the Good Practice Guide 45 (GPG 45) comes in. This guidance is a UK Government document, designed to help organisations determine what checks they should carry out to mitigate the risk presented by fake documents. In this blog, we look at GPG 45, why we think it’s so important and what it might mean for you…

What is the Good Practice Guide 45 (GPG 45)?

GPG 45 is a guide for any organisation that needs to verify the identity of customers, employees, and other parties. It is issued by UK Government Digital Services and whilst it’s not law, it comprises guidance on how to prove and verify identity against a range of confidence levels: the higher the confidence level required, the more robust the checks need to be. An organisation can determine a confidence level following a risk assessment and then either introduce the required checks themselves or turn to third party identity document validation experts if high levels of validation are required.

More recently, GPG 45 is becoming the de facto standard for the evolving digital identity verification market. The guide acts as a foundation upon which any public body or organisation can build a digital identity scheme to ensure a set of verification standards. For example, if a digital identity scheme specifies that checks must provide a medium confidence level, anyone using that scheme can refer to GPG 45 to understand the different verification options to achieve that level of confidence.

Why is the GPG 45 important?

In the UK, the number of synthetic (or made up) and stolen identities being used to commit identity fraud is increasing every year. Imposters, fraudsters, and criminal groups commit identity fraud for a range of different reasons, including to attempt to gain access to services or benefits to which they’re not entitled, steal personal, medical or financial information from others, enable organised crime or to avoid being detected by the police and other authorities.

GPG 45 was therefore created to protect you when checking the identity of your employees, customers or someone acting on behalf of a business and help you to only allow access to services to those people who can prove who they are to the required confidence level. It creates the framework for consistent identity checking which is focused on outcomes rather than specific technologies and greatly improves protection against identity fraud.

This consistent and measured way to check identities means that fewer organisations and services could be targeted by identity fraud. It also means it’s easier to trust and reuse an identity that’s been checked by someone else.

How do you check someone’s identity in line with GPG 45?

An identity is a unique combination of ‘attributes’ (for example, a name, address and date of birth) that belong to a person. Whilst a single attribute may not be enough to tell one person apart from another, a combination of attributes might be. By confirming these attributes, you can find out if the person is who they say they are. The ‘identity checking’ process under GPG 45 is made up of 5 parts:

  • get evidence of the claimed identity
  • check the evidence is genuine or valid
  • check the claimed identity has existed over time
  • check if the claimed identity is at high risk of identity fraud
  • check that the identity belongs to the person who’s claiming it

By carrying out different parts of the identity checking process, the identity provider can build the necessary confidence that an identity is accurate

How do identity profiles work and which confidence level should I choose?

There is a score for each part of the identity checking process. These scores are transferred into an identity profile which then tie into 4 different levels of confidence – low, medium, high and very high.

Each confidence level tells you how well your organisation or service is protected against identity risks as well as helping other organisations and services to understand your identity checking process.

A risk assessment can help you to decide which level you need and those services at higher risk of fraud related crime should aim to get a higher level of confidence.

How can TrustID help?

As an identity service provider, we can help you manage different parts of the identity checking process, however you make identity checks. Our range of services can combine to provide different levels of confidence from medium to very high and can include remote technology to support digital checks, including RFID chip opening and face matching technology.

Want to find out more?

If you’re interested in finding out more about identity checks please get in touch today.

Click here to contact us!