As Verify concerns mount, is GDS about to lose control of digital identity policy?

There’s a growing body of opinion that the government’s flagship digital identity system, Verify, has now become a major hindrance to the development of the UK’s digital identity infrastructure.

The concerns about Verify have increased to the point where the Government Digital Service (GDS) could be about to lose control of government policy for digital identity.

Computer Weekly understands there’s a battle going on between the Cabinet Office, where GDS sits, and the Department for Digital, Culture, Media and Sport (DCMS), responsible for policy around the digital economy – within which the issue of identity is central.

Senior Cabinet Office civil servants are reluctant to let it go – but industry disenchantment with Verify is growing and DCMS thinks it needs to address the situation.

That same debate between the two departments is also set to see policy for data shifted to DCMS – the Cabinet Office has yet to recruit a chief data officer despite the post being announced a year ago.

But it’s Verify – and its intended role as the core of a UK-wide digital identity infrastructure – where concerns are greatest. Digital identity is core to the UK’s online future – the use of standard electronic IDs for transacting online with government, banks, retailers and other e-commerce providers is expected to deliver a significant economic boost.

As Computer Weekly reported in December, there are already moves afoot to make “ Verify” more of a brand and a set of standards, instead of a product that GDS will encourage the private sector to adopt.

This follows ongoing and extensive performance problems with Verify that even now sees barely half of all attempts to create a verified identity through the system being successful. Furthermore, GDS’s own research has shown that success rates for Universal Credit benefit claimants through the Department for Work and Pensions’ new digital service are even worse –only 30% of Universal Credit users have successfully created a Verify account.

But there’s another issue for companies wanting to be a part of a UK identity market. They feel they are being shut out by the commercial structure around Verify, with the existing independent identity providers (IDPs) recruited by GDS having a virtual monopoly.

Sources suggest that even senior figures in GDS acknowledge the current approach leans too far towards the existing IDPs.

The IDPs are protected by a contractual framework that means it will be about 18 months before new providers will have a chance to be approved for identity verification for government services.

The existing IDPs, which include Barclays, Experian and the Post Office, have exclusive access to the market for public sector users. They are protected by a period without competition that, in theory, was meant to allow them to be sure they would recoup their initial investments in developing Verify.

In reality, the roll-out of Verify has been so slow and with such poor performance that their expected financial returns are unlikely to have materialised.

Land Registry recently adopted Verify for its new digital mortgage service – an apparent boost for Verify. But the Department for Business, Energy and Industrial Strategy had to inform Parliament that being responsible for digital identity assurance meant Land Registry needed to take on an at least £300,000 in additional contingent liability in case a Verify user proved not to be who they say they are, meaning taxpayers would have to pay compensation.

Players in digital identity have been waiting for GDS to issue a commercial framework that explains how Verify can be used in the private sector – covering issues such as liability, and addressing questions such as who takes the blame if a Verify account created for government services proves to be fraudulent when used to transact with a bank, for example.

Sources suggest that the commercial framework is being blocked by the Treasury, until a plausible model has been created – this may be a contributory factor in the Land Registry liability commitment.

DCMS wants to accelerate the creation of a digital identity market in the private sector, and sees taking control of policy away from GDS as the way to make that happen. Some people see Whitehall politics in play by the omission of any reference to Verify in the DCMS green paper on internet safety strategy published in October last year.

The increasingly common theme among a growing number of identity experts is that Verify needs a major overhaul. They think it is blocking the creation of a much-needed UK digital identity ecosystem – and GDS is seen by many as the logjam in the middle.

If DCMS does gain control of digital identity policy, it is unlikely to be as stubbornly committed to the future of Verify as GDS and the Cabinet Office continue to be, even in the face of such growing concerns.

Data Center
Data Management