Version 1
Last updated: 31 May, 2024

Identity Verification Services within the UK Digital Identity and Attribute Trust Framework Notice ("Notice")

(Medium and High levels)

1. Introduction

1.1. This Notice serves to inform you, as an Applicant, that Sum and Substance Ltd., a company incorporated and registered in England with company number 09688671 and address at 30 St. Mary Axe, London, United Kingdom, EC3A 8BF (“Sumsub”), acts as an Identity Service Provider (“IDSP”) as specified in the Department for Culture, Media and Sport’s UK Digital Identity and Attributes Trust Framework (“UK DIATF”), and provides RTW and/or RTR checks under the instructions of its Customers (employers, landlords, etc.).

1.2 This Notice is intended to provide a description of the Sumsub identity verification solution used for Right to Work (“RTW”) and/or Right to Rent (“RTR”) checks carried out under the UK Digital Identity and Attribute Trust Framework, and inform individuals undergoing such checks about the terms governing their access thereto.

2. Definitions

2.1. Applicant – a natural person intending to pass, under the direction or instruction of a Customer, any of Right to Work (RTW) and/or Right to Rent (RTR) checks (the “Checks”) powered by Sumsub.

2.2. Customer – (i) a legal entity that purchases Sumsub’s products and services under a direct commercial agreement with Sumsub or one of Sumsub’s affiliates or (ii) an affiliate of such a legal entity that is authorized to access Sumsub’s products and services, in the interests of which Sumsub provides its Applicants with Checks as described below.

2.3. Identity Profile – the combination of scores an Applicant gets for each part of the identity verification process as per clause 4 below.

3. Description of Checks

3.1. Sumsub provides the following Check(s), as specified below:

  • Right to Work (“RTW”) Check. In the UK, companies may have to check candidates' right to work before hiring them under the Immigration, Asylum and Nationality Act 2006 (“Immigration Act”). Sumsub RTW Check means verification of whether an individual intending to work for a UK-based employer is eligible to do so based on their work permit.
  • Right to Rent (“RTR”) Check. Under the Immigration Act, it may be required to check that a tenant or lodger can legally rent residential property in England. Sumsub's RTR is aimed at helping landlords and agents to carry out these checks.

Particular requirements and conditions for passing each Check are described in Section 4 below.

3.2. Services provided by Sumsub to Customers beyond the scope of the Checks (e.g., KYC procedures as may be necessary for such Customers under the applicable AML/CFT regulations) are not covered by this Notice.

4. Identity verification procedures

As part of carrying out any Check, Sumsub conducts identity verification based on the UK DIATF.

4.1. Information and documents collected

4.1.1. For RTW and RTR Checks, Sumsub collects the following information from the Applicants:

  • Forename;
  • Middle names, if any;
  • Current surname;
  • Date of birth;
  • Image of the main page of the identity document, showing: the individual’s name, data or birth, nationality, and photograph; and the document’s expiry date;
  • Facial image via Liveness check (as specified in section 4.2. below)

4.1.2. The following documents can be accepted for the purposes of verification for RTW and/or RTR*

*The particular types and number of acceptable / required documents will depend on the verification profile and conformity level (Medium or High level) required by the Customer.

The following documents may be presented by Applicants**:

  • valid British or Irish passports;
  • valid Irish passport cards.

**As a certified IDSP, Sumsub may only carry out Checks in relation to UK and Irish citizens for the purposes of RTW and/or RTR.

Expired documents are not accepted.

4.2. Procedures performed

Sumsub carries out the following identity verification procedures for RTW and/or RTR Checks based on the UK Guidance requirements:

  • Validation of identity evidence (ID document). Sumsub subjects personal data from photos and scanned copies of documents to automated reading and verification of authenticity by conducting different checks, such as completeness of records, screenshots detection, or cross-checking of all data from all submitted documents.
  • Checking the identity evidence is genuine. Sumsub checks the document's security features, including the embedded security chip (NFC) (if required), machine-readable zone (MRZ), barcodes, QR codes (if any) and other security components used for genuine data validation. Sumsub then analyses the results of the above to make an inference regarding the document’s trustworthiness.
  • Activity history check (when required by the Customerbased on a certain verification profile requirements). Sumsub checks if there are records that show the person has regularly interacted with pre-determined types of organisations or people as described by UK DIATF (e.g., educational organisations, financial organisations, travel companies or border or immigration authorities, utility services, etc.)
  • Fraud detection check. Sumsub checks that the documents provided are not counterfeit and that the person who provided them is their legitimate owner. Sumsub also checks if the claimed identity has had its details stolen, has been reported as stolen or is suspected to be a synthetic identity.
  • Cifas fraud risk database checks (when required by the Customerbased on a certain verification profile requirements). The Applicant’s data is checked against the Cifas fraud risk database to protect against the risks of fraud.
  • AML/PEP checks (when required by the Customer based on a certain verification profile requirements). The Applicant’s data is checked against the ComplyAdvantage datasets to check whether the person is PEP or not.
  • Databases check (when required by the Customerbased on a certain verification profile requirements). Sumsub may use different databases to check if the person is still alive, is known by an organisation that should and others.
  • Checking that the identity belongs to the person who is claiming it (via Liveness check). To confirm that, Sumsub processes the person’s biometric data (facial image) to verify whether it is likely to match the one in the document, and whether the person is alive and genuine. The processing of biometric data here means extracting facial features from images of the Applicant or the documents they have submitted and comparing them. During such checks, Sumsub may also detect signs of fraud or other spoofing attacks by comparing the Applicant's facial features to those of known masks.

Please note that the identity verification for the purposes of RTW/RTR can be carried out at two levels of confidence (medium and/or high) and based on the Identity Profile (e.g., M1A, M1B,M1C, M1D, H1A, H1B, etc.) determined by the Customer. The identity verification procedures outlined above, when combined, may constitute a specific Identity Profile.

5. Limitations of use

5.1.Please note that, as an Applicant, you are required to:

  • submit correct and complete information to Sumsub for the purposes of identity verification as described above (including identity documents or other identification data);
  • not falsely claim an identity other than your own/impersonate another person;
  • not use misleading information, including counterfeit, forged, camouflaged or stolen documents;
  • not use synthetic identity;
  • not use an account that belongs to another Applicant;
  • not attempt to circumvent the requirements for identity verification as described above;
  • not transmit messages that are offensive, threatening, abusive, defamatory, ageist, sexist or racist;
  • not send photos of pornographic or otherwise indecent content;
  • not use the Checks or their results for any purposes beyond the scope of these Notice (in particular, for non-personal, commercial purposes, in an unlawful or harmful manner; to resell Sumsub’s services; or to infringe Sumsub`s or any other third party’s intellectual property rights).

5.2. If Sumsub suspects an Applicant may have committed or attempted to commit identity fraud or another criminal offence when passing any Check, Sumsub reserves the right to:

  • refuse to provide any Check to such Applicant without giving a reason;
  • retain the information about the Applicant’s actions and assign them a risk score available to other Customers; and/or
  • share such information, including all relevant evidence, with the competent authorities, fraud prevention agencies, or law enforcement agencies.

5.3. The minimum age from which an Applicant may access the Checks is 16 years old. However, any Customer may have its own preferences regarding the age allowed.

6. Fees and Sumsub business monetisation statement

6.1. All the terms and conditions applicable to the provision of Checks by Sumsub are clearly stated in the commercial agreements with the Customers. The Customer notifies the Applicant about the terms and conditions if it is obligatory for the Applicant's awareness.

Sumsub does not charge Applicants for the Checks. Instead, any Customer accessing the Checks is charged as defined in the respective commercial agreement with Sumsub.

6.2. Sumsub's business monetization model is based on per unit service charges in case of different types of verifications (biometric, document-based services like ID document verification and address verification, AML screening, verification using official databases) and subscription-type charges for additional features inside our platform. Sumsub normally does not require additional payments for technical support or data storage. Installation fee may be applied for some services due to technical integration complexity.

7. Complaint handling procedures

7.1. Each Applicant or any other person (“Third Parties”) may submit a complaint in relation to any issue pertaining to any Check insofar as they are directly affected by it.

7.2. Applicants and Third Parties can forward their complaints to [email protected] for privacy matters or[email protected] for other questions.

Sumsub has a special formal process for dealing with complaints. Each inquiry is logged in the internal register and processed by the relevant department. Sumsub will use reasonable endeavours to respond to each complaint within 30 calendar days, depending on the type and nature of the complaint. The reply is archived after being sent to the Applicant or Third Party.

8. Accessibility and inclusion

8.1. Sumsub is committed to ensuring digital accessibility to identity verification services for people with disabilities. Sumsub also strives to make its identity verification solutions as accessible and inclusive as possible for everyone, only if exclusion is not required by applicable law (for example, due to age restrictions).

Sumsub is also committed to equality and non-discrimination principles in relation to any person, irrespective of race, nationality, religion, and other characteristics.

8.2. Sumsub can ensure accessibility and inclusion to its product by the following means:

  • Sumsub's software has been tested on a variety of users from different demographics; so the identity verification solution can easily verify a person of any race. Sumsub was assessed and found to meet the e-IDVT Technical Requirements for Identity Document Validation Technology (scope of certification criteria defined under the UK Home Office Guidance Document for Identity Document Validation Technology requirements 2018). The conformity assessment testing of the Sumsub biometric system against the following standards was conducted during the e-IDVT audit:
    • SO/IEC 30107:2016 – Information Technology – Biometric presentation attack detection;
    • ISO/IEC 19794-5:2011 + A2:2015 – Information technology – Biometric data interchange formats – part 5: face image data.
    The Sumsub liveness detection module was tested by iBeta according to the ISO 30107-3 Biometric Presentation Attack Detection Standard and was found to be in compliance with Level 1 (March 2021).
  • Sumsub can also give an opportunity to retake an identity check, if the check failed due to the following reasons, provided that there is no suspicion of fraud:
    • A transposition error — for example, dates might appear in different formats;
    • A failure in technology — for example, there might be an issue with readings from the near-field communication (NFC) chips in passports, resulting in a false-negative result;
    • Any other similar reasons.
    If that check still fails, Sumsub can (if possible):
    • verify the Applicant’s identity using a different identity profile for the same level of confidence as when the Applicant first set up the digital identity account;
    • verify the Applicant’s identity using the same identity profile but alternative data sources;
    • verify the Applicant’s identity using the same identity profile but a different process.

9. Data Protection

9.1. Sumsub processes Applicants’ personal data in accordance with the applicable data protection laws and regulations (e.g., UK GDPR). As per these laws and regulations, Sumsub takes all necessary technical and organisational measures to ensure the protection of personal data, prevention of their disclosure and unauthorised access to them, including the safe storage of received data in accordance with security standards.

9.2. The rules for processing Applicants’ personal data are available in the Sumsub Privacy Notice available at https://sumsub.com/privacy-notice-service/.

Additionally, each Applicant signs a user agreement / consent to personal data processing before accessing any Check for the first time.

10. Changes to the Notice

10.1. Sumsub reserves the right to amend or otherwise change this Notice at any time and for any reason. Any amendments will be effective immediately. Applicants waive the right to receive specific notice about such amendments.