28 Questions Your Board of Directors Could Ask You About Identity Verification

Verifying that your applicants are who they say they are is one of the most fundamental checks a volunteer manager needs to carry out.

We take a look below at the concept of identity crime, why a volunteer organisation should be carrying out ID checks, how the UK Government Cabinet Office treats validation and verification of identity (and the difference between the two ideas); and in total review 28 of the most important questions that someone responsible for recruiting volunteers needs to understand.

In this article we're going to have a look at the following 28 questions:

1. WHAT IS IDENTITY CRIME?

Why can’t we take people at their word?

Why do we have to ask people to prove that they are who say they are?

The UK’s Serious Organised Crime Agency defines identity crime as

the creation of a false identity or the use of someone else’s identity in order to commit a criminal offence. It involves the unauthorised use of a variety of personal documents or data including passports, driving licences, national insurance numbers, birth certificates and bank accounts.

UK Serious Organised Crime Agency

2. SO WHY SHOULD YOUR VOLUNTARY ORGANISATION CONSIDER IDENTITY CHECKS?

Ensuring that someone is who they claim to be is arguably the most basic check you can carry out on anyone seeking to apply to be a part of your voluntary organization.

Why ‘the most basic’?

Because all the other steps in your recruitment process flow from the assumption that the person you are recruiting is, in fact, the person that they claim to be.

3. SURELY IDENTITY FRAUD IS INCREDIBLY RARE?

Guarding against identity fraud - someone pretending to be someone else (often through the theft of genuine documents), or using a false identity (through sophisticated counterfeiting) to gain access to an organisation – is on the increase.

The UK’s Serious Crime Agency (a cousin of the USA’s FBI) in its 2013 ‘Strategy’ document presented to the UK Parliament, identified identity fraud as costing the UK economy £3.3 billion p.a.

The UK government’s Annual Fraud Indicator report of 2013 found that of 1,599 charities with revenues in excess of £100K in the charity sector, who responded to a survey:

9.2% of UK charities that responded indicated they had identified fraud in the last financial year (2011/12).

Of the 9.2% of UK charities that admitted that they had fallen victim to fraud, the most common frauds committed were:

• Payment/bank fraud (47%) - 69 charities with a £100k+ turnover hit by payment/bank fraud
• Accounting fraud (14.8%) - 22 charities with a £100k+ turnover hit by accounting fraud
• Identity fraud (14.1%) - 21 charities with a £100K+ turnover hit by identity fraud

Digging into those stats in a bit more detail, we can extrapolate the following;

• 4.3% of the 1,599 charities in the survey were hit by payment/bank fraud (that's 69 charities with a combined turnover of a minimum of £6.9M)
• 1.37% of the 1,599 charities in the survey were hit by accounting fraud (that's 22 charities with a combined turnover of a minimum of £2.2M)
• 1.31% of the 1,599 charities in the survey were hit by identity fraud (that's 21 charities with a combined turnover of a minimum of £2.1M)

4. INTERNAL -V- EXTERNAL FRAUDS

It's worth noting that of the 1,599 charitable organisations (with £100K+ turnovers) that responded to the 2013 survey, 147 of these £100K organisations reported having been hit by fraud. Furthermore:

• 70.7% of the charity victims had been hit by an external fraud (that's 102 charities with a £100k+ turnover)
• 31.3% of the charity victims had been hit by an internal fraud (that's 46 charities with a £100k+ turnover)

5. STRENGTHENING SYSTEMS ~ DENYING OPPORTUNITIES FOR ID FRAUD

So seriously is identity fraud taken by the UK’s Serious Organised Crime Agency that the fight against it was embedded as the sixth strategic objective in the Agency’s 2013 strategy document (under the ‘Protect’ heading), that aims to increase protection against the effects of serious and organised crime. The purpose stated is to specifically deny opportunities to serious and organised criminals to be able to exploit false or stolen personal data.

6. IDENTITY FRAUD AS AN ENABLER TO HIDE OTHER CRIMES

Perhaps most illuminating is the Agency’s remark extracted here:

Identity crime is primarily an enabler of other crimes and is rarely committed for its own sake, although it can be used to hide criminal or suspicious activities committed under another name or identity

Paragraphs 6.46 & 6.47 of the Agency's 2013 'Strategy' document presented to the UK Parliament)

Serious Organised Crime Agency

Identity checks are designed therefore to:

• determine that the identity is genuine and relates to a real person establish that the individual owns
• and is rightfully using that identity.

7. SO WHAT ARE IDENTITY CHECKS?

The process involves checking two elements of a person’s identity:

1. Attributable – the evidence of a person’s identity that they are given at birth (including their name, date and place of birth) and any subsequent change(s) of name.

1. Biographical – a person’s personal history including education and qualifications, addresses, electoral register information and employment history.

8. HOW DO YOU CARRY OUT AN IDENTITY CHECK?

In order to complete an identity check, employers must endeavour to verify that the person is who they say they are:

• by seeing and reviewing original identity documents and
• validating the authenticity of the documentation obtained.

Conducting a face-to-face meeting plays an important and integral part of the identity checking process.

9. UK GOVERNMENT ADVICE ON ID CHECKS

In the UK Government Cabinet Offices’s document entitled Identity checks June 2013 (“HMG's Minimum Requirements for the Verification of the Identity of Individuals, e-Government Strategy Framework Policy and Guidelines, published 2003”), guidance was published around the process of verifying people’s identity. This article draws heavily on that advice.

10. SO WHAT MAKES UP SOMEONE'S IDENTITY, FOR ID PURPOSES?

According to the guidance from the UK Cabinet Office, ‘identity’ means a

​set of attributes that together uniquely identify a person.

UK Government Cabinet Office 

This is a beautifully bureacratic way of describing identity!

For many people, their ‘identity’ is wrapped up in where they’re from, their nationality, their faith, their likes and dislikes, their political views or a combination or lack of all or some of this list!

But for the purposes of this article, we’re looking at ‘identity’ in the sense of:

• Establishing that a particular person exists
• And that a person claiming to hold that identity, is the correct person

11. CALLING A SPADE, A 'SPADE'

Interestingly, the guidance points out that:

Wow. For a lot of people this will come as something of a surprise. Most people assume that their driver’s licence or passport are official or statutory documents that demonstrate their identity!

In other words, the way you establish someone’s identity is by accumulating a number of different ‘data points’ about a person, the most common of which is… someone’s name! For the UK government, the minimum requirement is:

12. VALIDATING IDENTITY - WHAT DOES IT MEAN?

Validating identity – demonstrating that a claimed identity exists (i.e. that a person, who has certain attributes (John Doe, 123 The Street, AnyTown, AnyWhere; born 17^th June 1972), exists).

So you can break it down into 4 parts:

13. VERIFYING IDENTITY - WHAT DOES IT MEAN?

Once you’ve validated that a claimed identity actually exists, you need to now verify that identity.

This is the process of verification of someone’s identity that proves that the registrant is who they claim to be (i.e. that the person purporting to hold these attributes is not impersonating the actual owner of the identity).

(In reality you usually end up validating and verifying identity at the same time).

14. THE MOST COMMON IDENTITY ATTRIBUTES USED

• Applicant’s name
• Applicant’s current residential address
• Applicant’s date of birth

When someone presents themselves claiming these attributes, you have to now verify that these attributes are owned by the person who claims that they’re theirs.

15. SO HOW DO YOU VERIFY SOMEONE'S IDENTITY ATTRIBUTES?

Simple! Ask for evidence to prove that these attributes belong to the person claiming that they do.

16. A CUMULATIVE PROCESS OF IDENTIFICATION

Combining ‘validation’ with ‘verification’

In short what you’re looking to do is establish the identity of your applicant by checking out the various bits of evidence that they present to you in support of the different attributes that they’ve submitted to you as their identity.

17. WHY SHOULD YOU LOOK FOR MORE THAN 1 PIECE OF SUPPORTING EVIDENCE?

You should look for more than simply one piece of supporting evidence basically to increase how certain you are that the person is who they say they are / claim to be. Just because someone gives you a document you shouldn’t automatically assume it’s genuine.

So it’s the accumulation of a number of different pieces of documentary evidence that, on their own are helpful towards establishing identity, but taken cumulatively give you a strong process of identification. Basically it’s harder – and takes a degree more sophistication – to produce a number of non-genuine documents that do not raise suspicion.

18. SO HOW CERTAIN DO YOU HAVE TO BE?

Certainty about the identity of any given individual is something that falls along a spectrum (where 1% certainty means you’re basically not certain at all; and 99% certainty means you’re pretty much as certain as you can humanly be).

19. IN THE UK THE GOVERNMENT HAS THREE PRIMARY DIFFERENT LEVELS OF IDENTITY VERIFICATION

Balance of probabilities

(This is the standard that a judge uses to decide a civil case e.g. a contract dispute. Is something ‘more probable than not’. 51% likelihood of something happening means that ‘on the balance of probablities’, the 51% case is more likely to be true.

a) Level One – on the balance of probabilities, the registrant’s real world identity is verified. An example of a transaction that might merit level 1 registration is the on-line ordering of a publication using a credit card, delivery of which is being made to the credit card account holder’s address. In this case failure of the registration process is likely to cause only inconvenience to the real world identity.

Substantial assurance

b) Level Two – there is substantial assurance that the registrant’s real world identity is verified. An example of a transaction that might merit level 2 registration is the submission of a VAT return or some other such government based service. There must be substantial assurance of real-world identity since the return is legally binding. This level of checking would be in line with the requirement for criminal record checking.

Beyond reasonable doubt

(This is the level that is required in a criminal case – that the question being asked has been answered beyond the doubt of what a reasonable person might have. It’s a very high bar).

c) Level Three – the registrant’s real world identity is verified beyond reasonable doubt. An example of a transaction that might require level 3 registration is the on-line application for a passport.

20. SO, ARE ALL DOCUMENTS CREATED EQUAL?

In 1776 in the U.S. Declaration of Independence Thomas Jefferson declared that ‘all men are created equal’.

But what about documents today? Are ‘all documents created equal’?

The UK Government recommends that the a document should:

21. BUT WHO CAN YOU TRUST TODAY?

Who can you trust today as a ‘trustworthy and reliable source’?

The UK Cabinet Office (paragraph 3.4.3. HMG's Minimum Requirements for the Verification of the Identity of Individuals), listed the following third party organisations that can provide useful corroboration of attributes claimed by a person in proving their identity:

• Government Departments and Agencies (e.g. Public Records Office)
• Police Force
• Utility companies regulated by one of the Regulators
• Banks or other financial organisations regulated by the FSA
• Medical practitioners with whom the registrant has a formal relationship (e.g. his/her GP)
• Practising solicitor or barrister with whom the registrant has a client relationship
• Practising magistrate or judge
• Company or organisation otherwise accredited to do so

22. REGULATORY OVERSIGHT SHOULD INCREASE TRUST IN SOURCE DOCUMENTS

It’s worth noting that bills issued by utility companies are one of the most common (and up to date) pieces of documentary evidence used to verify someone’s most common identity attributes precisely because they can be relied on as having been issed by a trustworthy and reliable source (i.e. a major utility company that has itself been required to submit its own processes and systems to the scrutiny of an independent regulatory body).

23. KNOW YOUR CLIENT (KYC) SUPPLIERS

The same applies for documentary evidence connected to positions of responsibility in society (solicitors, barristers, magistrates, judges, doctors – with whom the person has a client or patient relationship).

This is an important point: that the person providing the corroborating evidence is actively working in a position that requires licensing from their own professional regulator (thus providing an additional level of certainty as to the quality of the source).

24. MARKETPLACE SUPPLIERS TOO

There are also a number of private sector suppliers working in the industry around electronic identity services.

25. CAN YOU ACCEPT COPY DOCUMENTS IN YOUR VERIFICATION PROCESS?

As a general rule, no.

You should only accept copy documents if they have been certified by someone in a position of responsibility. In practice this is usually done by a solicitor, who writes on the copy document that it is a true copy of an original document that the person doing the certification has actually seen. Ideally you’re looking for the solicitor to have added their signature, company stamp and date of certification as well.

26. CAN YOU ACCEPT A COPY OF A CERTIFIED COPY?

A copy of a certified copy document is no longer a ‘certified copy’ document, as it’s a copy of a certified copy. If you were to speak to the solicitor who certified the copy of the original document, they would say that they can only ‘stand over’ the authenticity of the copy document to which they attached their certification of having viewed the original etc.

Documents can in theory be certified by other people in positions of responsibility (e.g. ministers of religions, doctors, teachers). In practice, lawyers (in the UK, solicitors) would be the most usual professional to engage in providing certified copies, as they are used to checking for the authenticy and genuineness of documentation in their day to day professional services.

27. WHAT IF YOU FIND DISCREPANCIES ON THE DOCUMENTS YOU'RE CHECKING?

In such cases it’s best to seek clarification from the person whose identity documents you’re checking, doing so sensitively and in a confidential setting.

28. WHAT IF YOU THINK YOU MIGHT HAVE BEEN GIVEN FRAUDULENT DOCUMENTS?

If despite seeking clarification from the person whose documents you’re reviewing you’re still not satisfied about the genuineness of the documents presented to you, follow your organisation’s internal procedures and consider reporting your concerns to the local anti-fraud agency in your jurisdiction.

For a more in-depth policy-driven look at the obstacles around identity verification/validation, see:

“Challenges and Opportunities in Identity Assurance, March 2008, Sir James Crosby” (http://www.eurim.org.uk/activities/ig/idg/ChallengesOpportunitiesIA.pdf - HM Treasury, UK Government)