The rules around digital identity verification have sharpened. HM Treasury and DSIT guidance published in February 2026 confirmed that only providers certified under the UK DVS Trust Framework can satisfy Regulation 28 of the Money Laundering Regulations. That is not a subtle shift – it’s a clear line between compliant digital identity verification and everything else.
Not all tools are created equal and not every tool offering identity checking is a certified provider. Some are workflow platforms or legal tech tools that happen to offer identity checking as a feature, often by reselling certified infrastructure under the hood. That distinction is now a compliance question, not just a procurement preference, and it is one that MLROs at regulated firms are increasingly being asked to answer.
Here’s four questions worth putting to any IDV provider before you sign, renew, or recommend.
- Are you on the DVS register as a certified provider?
Not “do you use certified technology.” Are you, the platform your firm has contracted with, listed on the Digital Verification Services (DVS) register? There is an important difference between a provider that is certified and one that routes checks through a certified third party. If your provider is not on the register, your firm may be relying on someone else’s certification to satisfy Reg 28. That’s a question worth being able to answer clearly if your supervisory body asks. - Which schemes does your certification cover?
DVS certification is scheme-specific. Right to Work, Right to Rent, and DBS each carry different requirements. A provider certified for one scheme is not automatically compliant for the others. If your firm uses digital identity verification across more than one context, check that your provider’s certification covers all of them. - Who are your sub-processors for identity verification, and how transparent are they about their supply chain?
Sub-processor lists are usually publicly available on a provider’s website. Knowing who sits behind your identity verification (IDV) provider, and how changes to that supply chain are communicated, is a reasonable question for any MLRO to ask. It speaks to the overall accountability and transparency of the service, not just the certification status of the provider itself. - How do you handle record retention for audit purposes?
The Money Laundering Regulations require firms to retain identity verification and CDD records for a minimum of five years from the end of a business relationship or transaction. Your IDV provider should make those records accessible, structured, and easy to produce on request. If the process for retrieving audit-ready records is not clearly documented, that is worth resolving before you need it under pressure.
Amiqus is certified under the UK DVS Trust Framework and listed on the register. We cover Right to Work, Right to Rent, and DBS. Our platform is built for regulated firms that need more than a tool. They need a provider they can point to with confidence.
You can verify our certification on the DVS register and find full details on our certifications and data practices in our Trust Centre.
If any of the above has raised questions about your current setup, we’re here to talk it through.
Already an Amiqus client?
Speak to your relationship manager or contact [email protected]
New to Amiqus?
Prepared by: Reza Karimi, Senior Relationship Manager, Amiqus
