Identity Verification Service in Australia: How It Works Now

An identity verification service confirms a person is who they claim to be by matching details from their ID against authoritative government records, sometimes with biometrics. In Australia, that usually means the federal Document Verification Service and, where needed, the Face Verification Service or an accredited Digital ID under Australia’s Digital ID system, which lets organisations check identities without stockpiling copies of passports and licences.

This guide sets out how the Australian system works now: the government building blocks (DVS, FVS and Digital ID), how organisations access them, what documents are accepted and what the results mean, plus the rules and privacy safeguards. You’ll also get integration options, a simple compliance checklist, realistic costs and turnaround times, pitfalls to avoid, how to evaluate providers, and what’s changing next.

The government building blocks: DVS, Face Verification Service and Digital ID

Australia’s identity verification service stack rests on three federal components—collectively the Identity Verification Services—that let organisations check identities against authoritative records rather than hoard document copies. Available to government and, via approved channels, industry, they cover document data checks, face matching, and reusable Digital ID credentials.

  • Document Verification Service (DVS): Checks ID document details against issuing authority records (passports, driver licences).
  • Face Verification Service (FVS): Consent-based face match comparing a selfie to government-held reference images.
  • Digital ID: Accredited providers (e.g., myID) let people share only necessary attributes; participation is voluntary.

How the Document Verification Service (DVS) works for organisations

For organisations, the DVS is a fast, consent‑based way to check whether a customer’s ID document details match the records held by the issuing authority. Instead of storing copies of passports or driver licences, you submit key fields (for example, name, date of birth and document identifiers) and receive a result that indicates whether the data matches authoritative Australian records.

  1. Obtain consent: Tell the person what will be checked and why; record their agreement.
  2. Capture document details: Collect only what’s needed from accepted IDs (e.g., passports, driver licences).
  3. Send a DVS request: Submit via an approved integration or provider.
  4. Receive the result: Use the match response to approve, escalate, or re‑collect details.
  5. Handle data properly: Log outcomes, minimise retention, and align with privacy obligations.

Inside Australia’s Digital ID system: myID, accredited providers and identity strength

Australia’s Digital ID System is a reusable, consent‑based identity verification service that lets people prove who they are online without handing copies of documents to every organisation. Accredited providers (such as myID) check your details against existing government records and let you share only the attributes a relying organisation needs, not the underlying documents.

“Identity strength” describes how thoroughly a Digital ID has been proven. With myID, verifying your photo against records currently requires an Australian passport to achieve a Strong identity strength, with more document options planned. For organisations, this means faster onboarding and less sensitive data to hold.

  • Minimal data sharing: Exchange verified attributes, not document images.
  • Reusable credentials: Customers reuse their Digital ID across services.
  • Voluntary and consent‑based: Users choose what to share, each time.

Privacy and regulation: IVS Act 2023, Rules 2024 and the OAIC’s role

Australia’s Identity Verification Services are governed by the Identity Verification Services Act 2023 and the supporting Rules 2024. Together they set the legal and privacy framework for using the DVS, Face Verification Service and accredited Digital ID—centred on consent, purpose limitation, security and transparency. For organisations, that means having clear authority and consent to run checks, collecting only required fields, and controlling retention and access to results.

The Office of the Australian Information Commissioner (OAIC) is the privacy regulator for Australia’s Digital ID System and will enforce the system’s strong privacy safeguards. The OAIC has also signalled a whole‑of‑economy focus on discouraging unsafe identity practices and encouraging safer, accredited options, with priority areas including:

  • Biometric information
  • Law enforcement access
  • Express consent
  • Data retention
  • ID verification services and practices

Practical takeaway: stop emailing or stockpiling ID copies, obtain informed consent, minimise data, set short retention periods, and prefer accredited Digital ID or approved channels to reduce risk.

Who needs identity verification and why: common compliance drivers

Identity verification is required across regulated and high‑risk sectors to meet compliance obligations and reduce fraud. In practice, Australian accountants and tax agents (TPB), financial services and crypto (AUSTRAC AML/CTF), law and property (VOI), education and recruitment use it to onboard safely and protect data.

  • KYC/AML due diligence: AUSTRAC‑aligned customer checks.
  • TPB proof of identity: Verifying clients for engagements.
  • VOI for property: Conveyancing and real estate standards.
  • Risk controls: Age, entitlement and fraud prevention.

What documents are accepted and what the results mean

At minimum, the Document Verification Service supports Australian passports and state/territory driver licences, checking the key fields you submit against the issuing authorities’ records. Many identity verification services use these rails behind the scenes, and accredited Digital ID providers rely on them to confirm attributes without sharing document images. With Digital ID, relying organisations receive verified attributes and, where relevant, an identity strength—not copies of documents.

  • Match: Details align with the issuing record; proceed per policy.
  • No match: Details don’t align; check for typos, re‑collect or escalate.
  • Unable to check: Missing fields/format issues or temporary system limits; retry via an approved channel.

Access options: direct, gateway service providers and accredited Digital ID

Organisations can access Australia’s identity verification services three ways: via a direct connection to the government-run Identity Verification Services (DVS/FVS) where eligible and approved; through gateway service providers that broker DVS/FVS checks and manage compliance and uptime; or by accepting accredited Digital ID, where users share verified attributes and identity strength, reducing document handling and retention. Choose based on eligibility, control, effort, and customer experience.

Integration patterns: APIs, orchestration, and doing checks in your CRM

The right integration pattern balances speed, control and privacy. Common approaches are calling provider APIs directly, orchestrating multiple rails for step‑up assurance, and surfacing checks inside your CRM so staff stay in one system. The aim is to trigger the identity verification service at the right moment, capture consent, and write back a minimal, non‑PII outcome.

  • APIs: Use approved gateway/provider APIs with input validation, retries and idempotency; secure secrets; avoid storing images unless required by policy.
  • Orchestration: Run DVS first; step‑up to FVS or accredited Digital ID on no‑match or higher‑assurance needs; log consent and audit events; apply fail‑safe defaults.
  • In‑CRM: With StackGo IdentityCheck, run checks from HubSpot/Salesforce/Xero; outcomes write back to the record while PII stays behind a privacy layer, accessible only to MFA‑authenticated admins—reducing tab‑switching and error.

A step-by-step checklist to run a compliant identity check

Use this practical checklist to run a compliant, low‑friction identity check. Focus on consent, minimal data, approved rails, tight retention and access—delivering a yes/no decision and an auditable trail.

  1. Define purpose and consent: Set your purpose/legal basis; give notice and record express consent.
  2. Collect minimum data: Capture only required fields; validate; avoid storing images.
  3. Verify via approved rails: Run DVS; step‑up to FVS/Digital ID (explicit biometric consent).
  4. Follow a decision tree: Document actions for match, no‑match and unavailable responses.
  5. Write back minimal status: Store outcome/reason codes in your system; no raw PII.
  6. Secure access and encryption: Enforce MFA and roles; encrypt; segregate logs.
  7. Retention, deletion and audit: Set short retention; automate deletion; keep an audit trail; test incidents.
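
The decision tree from steps 3 to 5 above, together with the retries, idempotency and fail-safe defaults named under integration patterns, as an added Python example (not StackGo's or any provider's code). The `dvs` and `step_up` callables, the status and reason-code strings and the HMAC-derived idempotency key are assumptions standing in for an approved provider's API.

```python
import hashlib
import hmac
from datetime import datetime, timezone

# Result labels follow the three outcomes listed on this page.
MATCH, NO_MATCH, UNABLE = "match", "no_match", "unable_to_check"

def idempotency_key(secret, record_id, purpose):
    """Same (record, purpose) gives the same key, so a retry is not a second check."""
    msg = f"{record_id}|{purpose}".encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()

def _call(check, fields, key, attempts):
    """Retry transient failures; report UNABLE instead of raising."""
    for _ in range(attempts):
        try:
            result = check(fields, key)  # hypothetical provider call
        except (TimeoutError, ConnectionError):
            continue
        if result in (MATCH, NO_MATCH):
            return result
    return UNABLE

def _outcome(record_id, consent_ref, status, reason):
    """Minimal write-back record: no names, dates of birth or document numbers."""
    return {"record_id": record_id, "consent_ref": consent_ref, "status": status,
            "reason": reason, "checked_at": datetime.now(timezone.utc).isoformat()}

def run_identity_check(record_id, consent_ref, fields, dvs, secret,
                       step_up=None, face_consent_ref=None, attempts=3):
    """DVS first, step up only on no-match, never auto-approve on failure."""
    if not consent_ref:
        return _outcome(record_id, None, "blocked", "NO_CONSENT")
    key = idempotency_key(secret, record_id, "dvs")
    result = _call(dvs, fields, key, attempts)
    if result == MATCH:
        return _outcome(record_id, consent_ref, "verified", "DVS_MATCH")
    if result == UNABLE:
        return _outcome(record_id, consent_ref, "manual_review", "DVS_UNABLE")
    # No match: step up only with a separate, recorded consent for face matching.
    if step_up is None or not face_consent_ref:
        return _outcome(record_id, consent_ref, "recollect", "DVS_NO_MATCH")
    key = idempotency_key(secret, record_id, "step_up")
    if _call(step_up, fields, key, attempts) == MATCH:
        return _outcome(record_id, face_consent_ref, "verified", "STEP_UP_MATCH")
    return _outcome(record_id, face_consent_ref, "manual_review", "STEP_UP_FAILED")
```

Only the returned dictionary is meant to reach the CRM record; the submitted `fields` never appear in it.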

Costs, turnaround times and success rates: what to expect

In Australia, identity verification services built on the DVS, FVS and accredited Digital ID are designed to be fast, efficient and privacy‑protective. Expect usage‑based pricing (often per check), rapid responses for document data checks, and higher assurance options when you step up to face matching or a reusable Digital ID credential.

  • Costs: Commonly per‑check, with higher assurance (e.g., face matching) and orchestration adding to unit cost; factor in integration and support.
  • Turnaround: DVS responses are typically quick; adding FVS introduces a short selfie capture; Digital ID is usually same‑session and reusable.
  • Success rates: Most no‑matches stem from typos, name order, diacritics or expired documents; retry after correcting input before escalating.
  • Operational levers: Use input validation, clear capture guidance, mobile‑friendly flows and a decision tree for match, no‑match and unable‑to‑check outcomes.

Pitfalls to avoid: over-collection, retention, biometrics and consent

The quickest way to create risk in an identity verification service is to collect too much, keep it too long, or use biometrics without explicit permission. The IVS Act/Rules centre on consent, purpose limitation and security, and the OAIC has flagged biometrics, data retention and express consent as priority areas. Avoid these traps to stay safe and compliant.

  • Over‑collection: Don’t request document scans when a DVS check or verified Digital ID attribute is sufficient.
  • Excessive retention: Set short retention for inputs and images; keep audit outcomes, not raw PII.
  • Weak consent: Record explicit, informed consent; get separate, express consent for any face matching.
  • Shadow copies in CRMs: Store minimal outcomes only; restrict PII behind MFA and roles.
  • Defaulting to biometrics: Use DVS first; step‑up only when needed or policy requires.
  • Emailing IDs: Never accept IDs via email or insecure portals; use accredited/approved channels.
  • Ad‑hoc disclosures: Have a process for any lawful access requests; verify authority and log it.

How to evaluate providers: a practical criteria checklist

Choosing an identity verification service is about more than ticking KYC/AML boxes. You want approved access to DVS/FVS and accredited Digital ID, strong privacy controls, reliable integrations, and an auditable trail that satisfies the IVS Act/Rules and OAIC expectations without slowing onboarding.

  • Legal eligibility and purpose: Clear authority under IVS Act/Rules; explicit, recorded consent.
  • Approved rails: Brokered DVS/FVS access; support for accredited Digital ID (e.g., myID).
  • Privacy by design: Data minimisation, short retention, role-based access, MFA; no PII in your CRM.
  • Security: Encryption in transit/at rest, audit logging, incident response.
  • Reliability: SLAs, high uptime, retries/idempotency, sandbox for testing.
  • Integration fit: Clean APIs, orchestration, CRM write-back of minimal outcomes (e.g., StackGo IdentityCheck).
  • User experience: Mobile-friendly capture, clear error handling, accessibility.
  • Governance: OAIC-aligned notices, consent records, DPIAs, audit exports.
  • Reporting: Reason codes, dashboards, alerts.
  • Pricing clarity: Transparent per‑check rates and support terms.

What’s changing next: trends to watch in 2025 and beyond

In 2025, identity verification service use will shift from document uploads toward accredited Digital ID and verified attributes. The Digital ID System is expanding beyond government services, and the OAIC will actively enforce privacy safeguards, with sharper scrutiny on biometrics, consent and retention. Expect more organisations to accept reusable Digital ID credentials, tighter minimisation, and smoother, CRM‑native onboarding that orchestrates DVS first, with step‑up checks when needed.

Key takeaways

Australia now has a mature, privacy‑protective identity verification service: run DVS data checks first, step up with FVS or accredited Digital ID only when needed, and meet IVS Act/Rules with OAIC‑aligned consent, minimisation and short retention. High‑performing teams orchestrate these rails, write back minimal outcomes, and keep staff inside the CRM.

  • Start with DVS: Fix typos; escalate only when necessary.
  • Prefer accredited Digital ID: Share verified attributes, not document copies.
  • Minimise and time‑box data: Store outcomes, enforce MFA/roles.

Want compliant checks inside HubSpot, Salesforce or Xero with a privacy layer? See StackGo.
