Verifying that your applicants are who they say they are is one of the most fundamental checks a volunteer manager needs to carry out.
We take a look below at the concept of identity crime, why a volunteer organisation should be carrying out ID checks, how the UK Government Cabinet Office treats validation and verification of identity (and the difference between the two ideas); and in total review 28 of the most important questions that someone responsible for recruiting volunteers needs to understand.
In this article we're going to have a look at the following 28 questions:
1. WHAT IS IDENTITY CRIME?
Why can’t we take people at their word?
Why do we have to ask people to prove that they are who say they are?
The UK’s Serious Organised Crime Agency defines identity crime as
the creation of a false identity or the use of someone else’s identity in order to commit a criminal offence. It involves the unauthorised use of a variety of personal documents or data including passports, driving licences, national insurance numbers, birth certificates and bank accounts.UK Serious Organised Crime Agency
2. SO WHY SHOULD YOUR VOLUNTARY ORGANISATION CONSIDER IDENTITY CHECKS?
Ensuring that someone is who they claim to be is arguably the most basic check you can carry out on anyone seeking to apply to be a part of your voluntary organization.
Why ‘the most basic’?
Because all the other steps in your recruitment process flow from the assumption that the person you are recruiting is, in fact, the person that they claim to be.
3. SURELY IDENTITY FRAUD IS INCREDIBLY RARE?
Guarding against identity fraud - someone pretending to be someone else (often through the theft of genuine documents), or using a false identity (through sophisticated counterfeiting) to gain access to an organisation – is on the increase.
The UK’s Serious Crime Agency (a cousin of the USA’s FBI) in its 2013 ‘Strategy’ document presented to the UK Parliament, identified identity fraud as costing the UK economy £3.3 billion p.a.
The UK government’s Annual Fraud Indicator report of 2013 found that of 1,599 charities with revenues in excess of £100K in the charity sector, who responded to a survey:
9.2% of UK charities that responded indicated they had identified fraud in the last financial year (2011/12).
Of the 9.2% of UK charities that admitted that they had fallen victim to fraud, the most common frauds committed were:
- Payment/bank fraud (47%) - 69 charities with a £100k+ turnover hit by payment/bank fraud
- Accounting fraud (14.8%) - 22 charities with a £100k+ turnover hit by accounting fraud
- Identity fraud (14.1%) - 21 charities with a £100K+ turnover hit by identity fraud
Digging into those stats in a bit more detail, we can extrapolate the following;
- 4.3% of the 1,599 charities in the survey were hit by payment/bank fraud (that's 69 charities with a combined turnover of a minimum of £6.9M)
- 1.37% of the 1,599 charities in the survey were hit by accounting fraud (that's 22 charities with a combined turnover of a minimum of £2.2M)
- 1.31% of the 1,599 charities in the survey were hit by identity fraud (that's 21 charities with a combined turnover of a minimum of £2.1M)
4. INTERNAL -V- EXTERNAL FRAUDS
It's worth noting that of the 1,599 charitable organisations (with £100K+ turnovers) that responded to the 2013 survey, 147 of these £100K organisations reported having been hit by fraud. Furthermore:
- 70.7% of the charity victims had been hit by an external fraud (that's 102 charities with a £100k+ turnover)
- 31.3% of the charity victims had been hit by an internal fraud (that's 46 charities with a £100k+ turnover)
5. STRENGTHENING SYSTEMS ~ DENYING OPPORTUNITIES FOR ID FRAUD
So seriously is identity fraud taken by the UK’s Serious Organised Crime Agency that the fight against it was embedded as the sixth strategic objective in the Agency’s 2013 strategy document (under the ‘Protect’ heading), that aims to increase protection against the effects of serious and organised crime. The purpose stated is to specifically deny opportunities to serious and organised criminals to be able to exploit false or stolen personal data.
6. IDENTITY FRAUD AS AN ENABLER TO HIDE OTHER CRIMES
Perhaps most illuminating is the Agency’s remark extracted here:
Identity crime is primarily an enabler of other crimes and is rarely committed for its own sake, although it can be used to hide criminal or suspicious activities committed under another name or identityParagraphs 6.46 & 6.47 of the Agency's 2013 'Strategy' document presented to the UK Parliament)Serious Organised Crime Agency
Identity checks are designed therefore to:
- determine that the identity is genuine and relates to a real person establish that the individual owns
- and is rightfully using that identity.
7. SO WHAT ARE IDENTITY CHECKS?
The process involves checking two elements of a person’s identity:
- Attributable – the evidence of a person’s identity that they are given at birth (including their name, date and place of birth) and any subsequent change(s) of name.
- Biographical – a person’s personal history including education and qualifications, addresses, electoral register information and employment history.
8. HOW DO YOU CARRY OUT AN IDENTITY CHECK?
In order to complete an identity check, employers must endeavour to verify that the person is who they say they are:
- by seeing and reviewing original identity documents and
- validating the authenticity of the documentation obtained.
Conducting a face-to-face meeting plays an important and integral part of the identity checking process.
9. UK GOVERNMENT ADVICE ON ID CHECKS
In the UK Government Cabinet Offices’s document entitled Identity checks June 2013 (“HMG's Minimum Requirements for the Verification of the Identity of Individuals, e-Government Strategy Framework Policy and Guidelines, published 2003”), guidance was published around the process of verifying people’s identity. This article draws heavily on that advice.
10. SO WHAT MAKES UP SOMEONE'S IDENTITY, FOR ID PURPOSES?
According to the guidance from the UK Cabinet Office, ‘identity’ means a
set of attributes that together uniquely identify a person.UK Government Cabinet Office
This is a beautifully bureacratic way of describing identity!
For many people, their ‘identity’ is wrapped up in where they’re from, their nationality, their faith, their likes and dislikes, their political views or a combination or lack of all or some of this list!
But for the purposes of this article, we’re looking at ‘identity’ in the sense of:
- Establishing that a particular person exists
- And that a person claiming to hold that identity, is the correct person
11. CALLING A SPADE, A 'SPADE'
Interestingly, the guidance points out that:
However, in almost all cases, an individual will have a set of attributes, which uniquely identify that person across time to a wide range of parties, including Government.
The single attribute that is most often used in a range of contexts to identify an individual is the name(s) by which that person is known.
However other attributes are required to establish a unique identity with any certainty. This is best achieved using other attributes that are recorded and verifiable, not dependent on a specific role, and recognised by a wide range of third parties.
Within the UK there is no single "official" or statutory attribute or attributes that is used to uniquely identify individuals across the range of Government bodies.
Nor is there an "official" or statutory document or other credential to demonstrate that identity.
Wow. For a lot of people this will come as something of a surprise. Most people assume that their driver’s licence or passport are official or statutory documents that demonstrate their identity!
In other words, the way you establish someone’s identity is by accumulating a number of different ‘data points’ about a person, the most common of which is… someone’s name! For the UK government, the minimum requirement is:
- Full name of names by which a person is or has been known (including all other names used);
- Residential address at which he/she can be located;
- Date of birth
12. VALIDATING IDENTITY - WHAT DOES IT MEAN?
Validating identity – demonstrating that a claimed identity exists (i.e. that a person, who has certain attributes (John Doe, 123 The Street, AnyTown, AnyWhere; born 17th June 1972), exists).
So you can break it down into 4 parts:
- a claimed identity
- with certain attributes
- actually exists
13. VERIFYING IDENTITY - WHAT DOES IT MEAN?
Once you’ve validated that a claimed identity actually exists, you need to now verify that identity.
This is the process of verification of someone’s identity that proves that the registrant is who they claim to be (i.e. that the person purporting to hold these attributes is not impersonating the actual owner of the identity).
(In reality you usually end up validating and verifying identity at the same time).
14. THE MOST COMMON IDENTITY ATTRIBUTES USED
- Applicant’s name
- Applicant’s current residential address
- Applicant’s date of birth
When someone presents themselves claiming these attributes, you have to now verify that these attributes are owned by the person who claims that they’re theirs.
15. SO HOW DO YOU VERIFY SOMEONE'S IDENTITY ATTRIBUTES?
Simple! Ask for evidence to prove that these attributes belong to the person claiming that they do.
16. A CUMULATIVE PROCESS OF IDENTIFICATION
Combining ‘validation’ with ‘verification’
In short what you’re looking to do is establish the identity of your applicant by checking out the various bits of evidence that they present to you in support of the different attributes that they’ve submitted to you as their identity.
17. WHY SHOULD YOU LOOK FOR MORE THAN 1 PIECE OF SUPPORTING EVIDENCE?
You should look for more than simply one piece of supporting evidence basically to increase how certain you are that the person is who they say they are / claim to be. Just because someone gives you a document you shouldn’t automatically assume it’s genuine.
So it’s the accumulation of a number of different pieces of documentary evidence that, on their own are helpful towards establishing identity, but taken cumulatively give you a strong process of identification. Basically it’s harder – and takes a degree more sophistication – to produce a number of non-genuine documents that do not raise suspicion.
18. SO HOW CERTAIN DO YOU HAVE TO BE?
Certainty about the identity of any given individual is something that falls along a spectrum (where 1% certainty means you’re basically not certain at all; and 99% certainty means you’re pretty much as certain as you can humanly be).
19. IN THE UK THE GOVERNMENT HAS THREE PRIMARY DIFFERENT LEVELS OF IDENTITY VERIFICATION
Balance of probabilities
(This is the standard that a judge uses to decide a civil case e.g. a contract dispute. Is something ‘more probable than not’. 51% likelihood of something happening means that ‘on the balance of probablities’, the 51% case is more likely to be true.
a) Level One – on the balance of probabilities, the registrant’s real world identity is verified. An example of a transaction that might merit level 1 registration is the on-line ordering of a publication using a credit card, delivery of which is being made to the credit card account holder’s address. In this case failure of the registration process is likely to cause only inconvenience to the real world identity.
b) Level Two – there is substantial assurance that the registrant’s real world identity is verified. An example of a transaction that might merit level 2 registration is the submission of a VAT return or some other such government based service. There must be substantial assurance of real-world identity since the return is legally binding. This level of checking would be in line with the requirement for criminal record checking.
Beyond reasonable doubt
(This is the level that is required in a criminal case – that the question being asked has been answered beyond the doubt of what a reasonable person might have. It’s a very high bar).
c) Level Three – the registrant’s real world identity is verified beyond reasonable doubt. An example of a transaction that might require level 3 registration is the on-line application for a passport.
20. SO, ARE ALL DOCUMENTS CREATED EQUAL?
In 1776 in the U.S. Declaration of Independence Thomas Jefferson declared that ‘all men are created equal’.
But what about documents today? Are ‘all documents created equal’?
The UK Government recommends that the a document should:
- Be issued by a trustworthy and reliable source
- Be difficult to forge
- Be dated, and current
- Have the owner's name
- Have the owner's photograph
- Have the owner's signure
- And can only itself be issued having gone through a number of prior checks (e.g. a passport)
21. BUT WHO CAN YOU TRUST TODAY?
Who can you trust today as a ‘trustworthy and reliable source’?
The UK Cabinet Office (paragraph 3.4.3. HMG's Minimum Requirements for the Verification of the Identity of Individuals), listed the following third party organisations that can provide useful corroboration of attributes claimed by a person in proving their identity:
- Government Departments and Agencies (e.g. Public Records Office)
- Police Force
- Utility companies regulated by one of the Regulators
- Banks or other financial organisations regulated by the FSA
- Medical practitioners with whom the registrant has a formal relationship (e.g. his/her GP)
- Practising solicitor or barrister with whom the registrant has a client relationship
- Practising magistrate or judge
- Company or organisation otherwise accredited to do so
22. REGULATORY OVERSIGHT SHOULD INCREASE TRUST IN SOURCE DOCUMENTS
It’s worth noting that bills issued by utility companies are one of the most common (and up to date) pieces of documentary evidence used to verify someone’s most common identity attributes precisely because they can be relied on as having been issed by a trustworthy and reliable source (i.e. a major utility company that has itself been required to submit its own processes and systems to the scrutiny of an independent regulatory body).
23. KNOW YOUR CLIENT (KYC) SUPPLIERS
The same applies for documentary evidence connected to positions of responsibility in society (solicitors, barristers, magistrates, judges, doctors – with whom the person has a client or patient relationship).
This is an important point: that the person providing the corroborating evidence is actively working in a position that requires licensing from their own professional regulator (thus providing an additional level of certainty as to the quality of the source).
24. MARKETPLACE SUPPLIERS TOO
There are also a number of private sector suppliers working in the industry around electronic identity services.
25. CAN YOU ACCEPT COPY DOCUMENTS IN YOUR VERIFICATION PROCESS?
As a general rule, no.
You should only accept copy documents if they have been certified by someone in a position of responsibility. In practice this is usually done by a solicitor, who writes on the copy document that it is a true copy of an original document that the person doing the certification has actually seen. Ideally you’re looking for the solicitor to have added their signature, company stamp and date of certification as well.
26. CAN YOU ACCEPT A COPY OF A CERTIFIED COPY?
A copy of a certified copy document is no longer a ‘certified copy’ document, as it’s a copy of a certified copy. If you were to speak to the solicitor who certified the copy of the original document, they would say that they can only ‘stand over’ the authenticity of the copy document to which they attached their certification of having viewed the original etc.
Documents can in theory be certified by other people in positions of responsibility (e.g. ministers of religions, doctors, teachers). In practice, lawyers (in the UK, solicitors) would be the most usual professional to engage in providing certified copies, as they are used to checking for the authenticy and genuineness of documentation in their day to day professional services.
27. WHAT IF YOU FIND DISCREPANCIES ON THE DOCUMENTS YOU'RE CHECKING?
In such cases it’s best to seek clarification from the person whose identity documents you’re checking, doing so sensitively and in a confidential setting.
28. WHAT IF YOU THINK YOU MIGHT HAVE BEEN GIVEN FRAUDULENT DOCUMENTS?
If despite seeking clarification from the person whose documents you’re reviewing you’re still not satisfied about the genuineness of the documents presented to you, follow your organisation’s internal procedures and consider reporting your concerns to the local anti-fraud agency in your jurisdiction.
For a more in-depth policy-driven look at the obstacles around identity verification/validation, see:
“Challenges and Opportunities in Identity Assurance, March 2008, Sir James Crosby” (http://www.eurim.org.uk/activities/ig/idg/ChallengesOpportunitiesIA.pdf - HM Treasury, UK Government)
This essay is for general information purposes only and does not constitute legal or other professional advice.
Specific legal advice from a firm of solicitors should always be sought on the application of the law in any particular situation.
Whilst all reasonable endeavours have been made to ensure the accuracy of the content, no liability whatsoever is accepted for any omissions or errors or for any action taken in reliance of the information in this essay.