On 26 February 2026, His Majesty’s Treasury and the Department for Science, Innovation and Technology published updated guidance on Using Digital Identities with the Money Laundering Regulations. The guidance clarifies how organisations subject to the Money Laundering Regulations (MLRs) can use digital identity services as part of their Customer Due Diligence (CDD) checks, and, crucially, what will satisfy regulatory requirements.
For conveyancers, estate agents, legal professionals and other regulated businesses, this is not a minor update. It provides long-awaited clarity on what constitutes compliant digital identity verification.
The biggest take away: Only certified IDSPs meet the standard
The most important takeaway from the guidance is clear is the fact that only certified IDSPs meet the standard to be fully compliant.
Digital identity providers must:
- Be certified against the UK Digital Identity and Attributes Trust Framework
- Be listed on the Government’s Digital Verification Services (DVS) Register
- Deliver identity verification at the appropriate level of assurance
In practice, this draws a line in the sand. Informal digital checks, unregulated platforms or in-house processes that do not align with the Trust Framework cannot provide the same level of regulatory assurance. Firms must be able to demonstrate that their digital identity verification provider meets the recognised government standard, and as of the latest guidance, this is only achievable through certification against the UK’s Government Digital Identity and Attributes Trust Framework.
For regulated businesses, this removes ambiguity. To meet the MLR identity verification requirement using digital methods, you should be using a certified IDSP. Credas operates within this framework and was one of the first UK providers to achieve this. We provide a compliant and auditable route to digital identity verification that aligns with government expectations.
Jon Parish, Compliance Manager at Credas commented: “The DUAA placed DIATF on a statutory footing in 2025 and this long-awaited guidance from DSIT and HM Treasury reinforces that.
The guidance promotes the use of certified digital verification services to help regulated firms effectively adhere to the MLRs and combat fraud and financial crime. This is important government guidance that regulated firms can turn to and to trust in the same way DIATF allows firms to trust in their DVS providers. It is all about trust”
Five year retention requirements remain critical
The guidance also reinforces the obligation under the Money Laundering Regulations to retain copies of identity documents and Customer Due Diligence information for at least five years from the end of a business relationship or transaction.
This is a statutory requirement and applies regardless of general data minimisation principles under data protection legislation.
For many firms, document retention introduces operational and compliance risk, particularly where records are stored manually or across fragmented systems. Credas automatically retains identity verification records for a minimum of five years within our digital platform, ensuring alignment with MLR requirements without placing additional administrative burden on firms.
Emailing ID documents is no longer defensible
A recent study we conducted among homebuyers highlights why the shift to certified digital identity services is so important. 58 percent of respondents reported sharing identity documents via email during the property transaction process.
Email is not a compliant identity verification solution and does not provide structured verification, defined assurance levels or a secure and auditable compliance trail. It increases exposure to fraud, identity theft and data breaches.
Now that government guidance clearly recognises certified digital identity services as a compliant route under the MLRs, continuing to rely on email or messaging apps for ID verification is increasingly difficult to justify from a regulatory perspective.
Firms must move from informal document exchange to structured, certified digital identity verification delivered through an approved IDSP.
What this means for regulated businesses
The updated guidance provides practical direction:
- Digital identity verification is permitted under the MLRs, but only where delivered by certified providers operating within the UK Trust Framework.
- Firms must retain identity and CDD records for at least five years (reg 40 of the MLRs).
- Informal or insecure methods of collecting ID documents do not meet the same regulatory standard and create unnecessary risk.
For conveyancers, estate agents, solicitors and other regulated professionals, the government’s guidance removes uncertainty. LSAG Guidance already states: “Electronic verification methods are becoming increasingly more secure and sophisticated and may in fact be lower risk than traditional means in some circumstances.” However, this new guidance from the government makes it clear that certified digital identity services are not just an option; they are the compliant way to conduct digital identity verification under the MLRs.
For firms seeking regulatory certainty, audit readiness and stronger client protection, working with a certified IDSP such as Credas ensures identity verification is carried out in line with government standards, supported by appropriate assurance levels and backed by compliant record retention.
If you are using digital identity verification to meet MLR requirements, it should be delivered through a certified Identity Service Provider.
