Every time you open a bank account, log into a service or phone a company about your money, something has to happen first: the organisation has to be sure you are really you. That process — identity verification — can feel like a hurdle, but it exists to protect you. This guide explains the main ways companies confirm your identity, why they do it, and how your privacy is meant to be respected along the way. This is general information, not security or legal advice.

What identity verification is

Identity verification is the process of confirming that a person is who they claim to be before granting access to an account, service or information. It answers a simple but vital question: is the person on the other end genuinely the account holder, or someone pretending to be them?

It comes up in two broad situations:

  • At sign-up, when a company first needs to establish who you are — opening a bank account or taking out a loan, for example.
  • At access, each time you return — logging in, calling support, or making a change to your account.

The methods differ between these moments, but the goal is the same: to keep your account in your hands and out of a fraudster's.

How companies verify identity

There is no single method; firms usually combine several. The classic framework groups them into three "factors": something you know, something you have, and something you are.

FactorExamplesWhere you see it
Something you knowPassword, PIN, security questionsLogging in, phone support
Something you havePhone receiving a code, card reader, appTwo-factor authentication
Something you areFingerprint, face recognitionUnlocking apps and devices

In everyday use, the common methods are:

  1. Document checks. At sign-up, especially for financial services, you may be asked for proof of identity (such as a passport or driving licence) and proof of address. Increasingly this is done by photographing a document and sometimes a selfie, which software compares.
  2. Knowledge-based checks. Security questions or details only you should know, often used when you call a company. These confirm it is you before anything is discussed or changed.
  3. One-time passcodes (OTPs). A short code sent to your phone or email that you enter to prove you control that device or address.
  4. Two-factor authentication (2FA). Combining two different factors — typically a password plus a code or app approval — so a stolen password alone is not enough.
  5. Biometrics. A fingerprint or face scan, common for unlocking banking apps, where the biometric data usually stays on your device.

A crucial distinction: a genuine company may ask you to enter a one-time code into its app or website, but it will never ask you to read a code out, or to share your full password or PIN. That request is a hallmark of a scam — see our guide on staying safe online and avoiding impersonation scams.

Why companies verify your identity

Identity checks are not bureaucracy for its own sake. They exist for two connected reasons: protecting you, and meeting legal obligations.

Verification is the lock on your account. The minor inconvenience of proving who you are is what stops someone else doing it in your name.

Protecting you from fraud is the everyday purpose. Impersonation scams rely on someone convincing a company they are you. Robust verification — particularly two-factor authentication — is what defeats that, because a criminal with your password still cannot get past the second step.

Meeting regulatory requirements applies especially to banks, lenders and other financial firms, which must perform Know Your Customer (KYC) checks. KYC is a set of rules requiring regulated firms to confirm a customer's identity, partly to prevent money laundering, fraud and other financial crime. It is a legal duty, not an optional add-on, which is why opening a financial account involves more identity checks than signing up for, say, a newsletter. Firms also explain these steps to customers: UK lender Credicorp, for example, sets out how it verifies that it is really you before discussing an account — the kind of transparency that helps customers know which checks are genuine. If your verification relates to a loan, our overview of understanding your credit agreement covers what else to expect when you sign up.

Your privacy and your rights

Handing over identity details understandably raises privacy questions. The reassurance is that, in the UK, organisations handling your personal data must do so under data protection law, overseen by the Information Commissioner's Office.

In practice that means a legitimate firm should:

  • Collect only what it needs for a stated, legitimate purpose.
  • Tell you why your information is being collected and how it will be used.
  • Keep it secure, with appropriate technical and organisational protections.
  • Not keep it longer than necessary, and let you exercise your data rights.

You also have rights, including the right to be informed about how your data is used and, in many cases, to access the data an organisation holds about you. The principles behind responsible handling of personal information are covered further in our guides to cookie consent and PECR and the wider UK Online Safety Act.

A note of caution sits alongside these rights: scammers imitate legitimate verification to harvest your details. So before you send documents or answer security questions, make sure you are dealing with the real organisation — by contacting it through details you find yourself, not ones supplied in an unexpected message.

Getting verification right as a user

You can make verification both safer and smoother:

  • Turn on two-factor authentication wherever it is offered. It is one of the most effective protections you have.
  • Use strong, unique passwords, ideally with a password manager, so one breach does not expose everything.
  • Keep your contact details up to date with your bank and key providers, so codes and confirmations reach you.
  • Never share one-time codes or full passwords, however convincing the request.
  • Keep devices updated, since security fixes protect the apps that verify you.

These habits mean the genuine checks work for you, while the fake ones fall flat.

The bottom line

Identity verification is how companies confirm you are really you before granting access to an account or service, using a mix of document checks, security questions, one-time codes, two-factor authentication and biometrics. For banks and lenders it is also a legal requirement under Know Your Customer rules. Far from being a nuisance, it is the protection that keeps impostors out of your accounts — and your data is meant to be handled securely under data protection law. Embrace the strong methods, especially two-factor authentication, stay alert to scams that imitate them, and verification becomes a shield rather than a chore.