Has the UK finally cracked digital identity?

The UK bank ID scheme seeks to transform remote KYC, but who pays, and what happens when something goes wrong? PSE Consulting Managing Director Chris Jones examines the issues in detail.


On 25th June 2026, UK Finance confirmed that major UK banks have completed proof-of-concept testing on a voluntary service that allows customers to verify their name, age or address straight from their banking app. This is a substantive achievement, and the model is proven in other regions: bank-led digital identity reaches around 99% of working-age adults in Sweden and 97% in Norway.

It also arrives precisely as document-and-selfie remote identity checks buckle under AI deepfake and injection attacks. If it scales, it would be a genuine leap forward for the UK and re-establish the UK as a leader in digital commerce. Three questions, however, remain conspicuously open: who carries liability, who pays when open banking data is already free, and who takes it to market.

A genuine step forward, on a model that already works

A consent-based service that allows a customer to prove their name, age or address directly from a banking app, without surrendering a passport or a utility bill, addresses a real and expensive friction. It leverages a data-set that is both highly trusted by consumers and corporates and near-ubiquitous. UK Finance reports the proof of concept complete and a live pilot scheduled for the coming months. This is concrete progress in a field with a well-populated graveyard of both political and commercial initiatives.

Other markets have had substantial success with similar bank-led initiatives: Sweden’s BankID is used by 99% of adults; Norway’s BankID equivalent reaches c.97% of the adult population; and Belgium’s bank-driven itsme has reached around 80%. Each of these has become a national standard not by government mandate but by embedding identity in the financial services layer, where trust and frequency of use already exist. However, adoption of these schemes has not always been quick, taking Norway roughly a decade to reach near ubiquity.

The timing is right: remote identity checks are under real strain

If the supply side is encouraging, the demand side is now urgent. The decade-old pattern of a document scan plus a selfie is failing in measurable ways. There is plenty of evidence that digital injection attacks against face checks are rising several hundred per cent annually, with real-time face-swap and camera-injection tools sold as a service for nominal sums.

In December 2025, the Financial Action Task Force explicitly identified deepfakes as a tool capable of bypassing customer due diligence and digital identity verification at onboarding. A recent survey of anti-fraud professionals found only 7% felt more than moderately prepared.

Against that backdrop, a credential anchored in an account that has been through regulated onboarding, and is accessible through the customer’s own authenticated banking app, is a fundamentally better option than traditional remote onboarding approaches. Bank-based identity services, which the payments industry and consumers already use almost every day, and which have a basis in law through PSD2’s Strong Customer Authentication, have a strong basis for success.

The unanswered question of liability

Here the open questions begin, and the first is one of the largest. When a relying party accepts a bank-verified attribute and it later proves wrong, spoofed or stale, who carries the risk? The progress report is clear that the commercial and governance model is still being designed in the pilot.

UK Finance’s own response to the government’s digital identity consultation flagged assurance levels, reliance and liability as design choices that must be settled early. The official guidance on the money laundering rules is blunter still: a regulated firm remains ultimately responsible for its customer due diligence even when it relies on a third-party service.

That matters because reliance without a clear liability model is a thin promise. A bank attesting that a customer is over 18 is useful for an age check. A bank attesting to identity for the purpose of opening a regulated account, where the relying institution still owns the regulatory obligation, is a different proposition entirely.

The value of the credential to a relying party rises or falls on how much regulatory comfort it actually transfers, and that is precisely the variable the scheme has not yet fixed. Until the liability allocation is explicit, the most demanding and most valuable use cases will adopt cautiously.

Cost, and the awkward comparison with free open banking data

The second open question is price, and this cannot be separated from what has already been adopted at scale in the UK. The awkwardness is that the United Kingdom already has a free rail into bank-held data. Account Information Services (AIS), the read-access half of UK Open Banking, are delivered through interfaces the largest banks are mandated to make free to access for regulated, authorised providers, and identity providers already use that rail to confirm name, age and account ownership today.

However, AIS contribute to identity verification without being sufficient for full know-your-customer on their own. They confirm that a person controls an account and can surface a name and transaction history, but they were not designed to deliver the assured, attribute-level identity that regulated onboarding demands. That gap is the new scheme’s raison d’être, and it frames the commercial tension precisely.

The scheme must price a higher-assurance ID service against the current free-to-access, lower-assurance signal that may be good enough for a meaningful share of use cases. Where the line between these two use cases falls will determine how much of the addressable market a paid service can actually convert.

Who takes it to market, and who else gets to play?

The third open question is distribution. A bank-led credential must build reach on both the supply side and the demand side, and the Nordic experience shows that corporate demand, not customer enrolment, is the hardest to scale due to the number of users involved.

UK Finance has called for expressions of interest from retailers, platforms and other businesses, which is the right move, but the go-to-market engine and the commercial incentive for a relying party to switch are still to be built. One of the reasons that Open Banking took so long to emerge was that the Third Party Processors (TPPs) needed to build single, robust access points to the banks involved to reduce technical complexity.

This raises a genuinely open strategic question for the wider ecosystem. Does a new bank-led scheme crowd out the TPPs who have built identity propositions on the free-to-access AIS rails, or does it create a larger market that those same players can serve? It would seem natural that TPPs such as TrueLayer or Yapily will leap at the chance of being the distribution layer for higher-assurance bank attestations, extending their offering rather than being displaced by it.

There is a less credible reading in which a consortium of the largest banks reaches corporates and platforms directly and compresses the space those providers occupy. Ironically, the more technically complex the banks make their service offering, the more value TPPs will add, increasing their role in the value chain. Which of these holds will shape the competitive structure of UK digital identity for a decade.
