Stop treating identity as a compliance step. It’s infrastructure now

By Harry Varatharasan, Chief Product Officer, ComplyCube

The UK governmentʼs digital identity consultation is closing, and for most commentators, this represents just another milestone in a slow-moving legislative process. For companies building the systems that power digital identity at scale, it embodies the moment ID verification stops being a back-office compliance function and becomes infrastructure.

Across regulated sectors such as fintech, telecoms, insurance, digital assets, and government services, ID verification has become the primary mechanism through which organisations establish trust, grant access, and prevent fraud at scale.

It is no longer niche, and over the past year, weʼve seen a significant shift in how the industry deploys it. Businesses have stopped asking about verification accuracy in isolation and have started asking about orchestration, reuse, and interoperability. They are consolidating toward a single, reusable identity capability across products and user journeys rather than building separate verification processes for each service.

Identity is now embedded as a shared layer. It is no longer a compliance upgrade; it is the infrastructure that everything else sits on top of.

The policy conversation has not caught up. Regulated businesses are already designing onboarding flows, fraud controls, and customer journeys on the assumption that verification can be trusted, ported, and built upon. The consultation is one of the first chances for UK policy to meet that reality, and to set the terms on which the next decade of digital services gets built.

The starting point for getting it right is being honest about what infrastructure actually demands.

What ‘infrastructureʼ actually means in practice

ID verification has become a foundational layer on which other systems, services, and interactions depend. If it fails or fragments, the downstream effects are significant. Infrastructure-grade ID verification has three defining characteristics.

The first is reliability at scale – systems must perform consistently across high-volume, real-time environments – not as one-off checks but as continuous, automated processes. The second is interoperability: as public and private verification systems begin to converge, the ability to operate across frameworks, certifications, and jurisdictions becomes essential. The third is trust by design, where governance, audit trails, and certification are no longer optional extras but the foundation on which public and regulatory confidence rests.

Of these three, interoperability is the bottleneck. The industry has largely solved for point-in-time verification and is making progress on trust frameworks and governance – but identity still does not port well, especially across use cases. Businesses are being asked to treat identity as reusable infrastructure, yet the ecosystem is fragmented across standards, regulators, and geographies. Until identity can be reliably reused across contexts, it behaves like a series of siloed checks. And even where portability exists in theory, the burden of liability does not automatically transfer: an identity previously approved within one sector or geography can still be deemed too risky by a new business operating in a different context. Interoperability must solve for liability, not just technical compatibility.

What the UK consultation signals for regulated industries

The consultationʼs practical implications are already taking shape – regardless of what the final policy framework looks like. Three shifts are worth naming.

Assurance levels are becoming the unit of procurement. The DIATF framework is already pushing organisations to demonstrate not just that they verify identity, but at what level of confidence. That changes how verification is bought and evaluated – and the consequences will land hard once assurance levels get written into sector-specific regulation. To confidently stand behind a particular assurance level, that level must be considered equivalent across jurisdictions and regulators. It must also be practically attainable by the actual customer demographic a business serves. Raising the bar is only meaningful if the bar can be cleared.

‘Verify once, reuse’ is moving from principle to expectation. Across sectors from property to financial services, customers and regulators alike now expect that identity checks should not need to be repeated for the same individual at every touchpoint.

That expectation is colliding with an ecosystem not yet built to deliver it, and the compliance overhead falls on businesses operating across multiple product lines.

Private-sector verification systems are being asked to do more than the policy frameworks anticipate. Online safety legislation, age verification mandates, and AML requirements are all expanding the contexts in which verification is required – often faster than policy frameworks can formalise them. The regulated sector is not waiting for governments to catch up. It is building ahead of the curve.

Where public and private systems are already converging

The blurring line between government-led digital identity initiatives and private-sector verification infrastructure is not a future scenario. It is already underway.

Telecoms is one of the clearest examples. Onboarding is conducted through private deployments, yet those verified identities are increasingly used as a supporting signal in law enforcement and public sector investigations. When a number is linked to a criminal inquiry, disclosure processes draw on the identity infrastructure built and maintained by private operators. The boundary between public infrastructure and private verification has, in this context, already dissolved.

Certified identity service providers operating under DIATF frameworks, DVLA-connected driver entitlement verification, ACCS-approved age verification – these are not future convergence points. They are the present. The private sector is not waiting for governments to build digital identity infrastructure. It is already building the systems that national frameworks will depend on. The policy question is not whether to enable this convergence, but how to govern it.

The cost of fragmented standards

If trust infrastructure does not keep pace with adoption, specific things break. This is not a theoretical concern.

Fragmentation hits hardest where organisations operate across multiple regulatory environments at once. A fintech platform may need to meet AML/KYC requirements while aligning with fraud-prevention standards and, in some cases, age-verification or platform-safety obligations — each with different expectations of what “good” verification looks like. Telecoms companies conducting onboarding checks meet strict identity requirements, but those verified identities are not always portable to adjacent services such as banking, insurance, or employment checks. A group holding company director managing a portfolio of businesses across banking, property, and telecoms may need to repeat verification to varying levels across each: duplicated effort, with no shared benefit.

The consequences compound across three dimensions. Operationally, businesses absorb higher compliance costs and integration overhead as they scale across use cases. From a risk perspective, inconsistent assurance levels create exploitable gaps, particularly where lower-assurance checks in one context are wrongly relied on in higher-risk environments. And from the user’s perspective, fragmentation translates into friction: people encounter different verification processes and data requirements across what feels, to them, like a single connected journey.

From a risk perspective, inconsistent assurance levels across the sectors create exploitable gaps – particularly where lower-assurance checks in one context are incorrectly relied upon in higher-risk environments. From a user perspective, this fragmentation translates into friction and confusion: individuals encounter different verification processes and data requirements across what feels, to them, like a single connected journey.

Identity is being treated as reusable in theory. In practice, it remains siloed, with different industries interpreting, verifying, and trusting identity in inconsistent ways.

Policy must keep pace with practice

The digital identity consultation closing is not the end of a debate – it is the beginning of an implementation challenge. The systems being built now will determine how the UKʼs digital identity infrastructure actually functions in practice.

The question worth asking now is not whether identity verification is critical infrastructure. That argument is already won. The question is whether standards and governance being written today are being written for the industry that exists, or the one that existed five years ago.​

About the author

Harry Varatharasan is Chief Product Officer at global ID verification provider ComplyCube

Article Topics

ComplyCube  |  digital ID infrastructure  |  digital identity  |  digital trust  |  identity verification  |  reusable digital ID  |  trust framework  |  UK digital ID