Identity Verification Policy

Reviewed: 29 January 2026

At a glance

  • We verify identities to comply with AML/CTF laws, prevent fraud, and protect our platform.
  • Checks may include document verification, biometric/liveness tests, address verification, sanctions/PEP screening, and soft‑search credit bureau checks (which do not affect your credit score).
  • We follow a risk‑based approach with alternatives where standard documents are not available.
  • KYC records are retained for 5 years after the relationship ends (or longer if legally required).
  • Personal data is processed in line with UK GDPR and our Data Protection Policy; KYC vendors act as processors.

Purpose

To explain how UK Postbox verifies customer identities and related information to meet legal obligations under the Money Laundering Regulations (MLR) and to manage fraud, sanctions and platform risk, while respecting privacy, accessibility and fairness.

Scope

This Policy applies to:

  • All customer types – including individuals, sole traders, partnerships, corporate or business entities, charities, trusts, non-profit organisations/groups and public sector organisations using any UK Postbox service (such as mail scanning, forwarding, registered office, or director’s service address).


  • Associated individuals – including beneficial owners, company directors, trustees, authorised representatives, and designated mail recipients linked to an account.


  • All verification and monitoring activities – covering customer onboarding, ongoing due diligence, and any reviews triggered by changes in risk or account activity.

Legal bases & roles

  • Controller/Processor: For identity verification, UK Postbox acts as controller; our KYC/biometric vendors act as processors per our Data Processing Agreement (DPA).
  • Lawful bases: Legal obligation (MLR) and legitimate interests (fraud and platform security). Marketing is separate and requires its own lawful basis.
  • Special category/biometric data: Biometric/liveness data used to verify identity is handled by vetted vendors with appropriate safeguards and data minimisation.

What we verify (and how)

Individuals / sole traders

  • Identity document: A valid, original, and unaltered passport, UK driving licence, national ID card, biometric residence permit (BRP), or other government-issued photo ID accepted within our verification system or by our approved KYC providers. Accepted document types may vary depending on country coverage, document standards, and technology compatibility.
  • Liveness & biometric match: a short self‑video or selfie check to confirm the person is present and matches the document photo.
  • Date of birth & name match: cross‑checked across documents and data sources.
  • Residential address: verified via recent (3 months) proof (utility bill, bank statement, council tax, HMRC letter) or electronic data sources.
  • Sanctions & PEP: screened at onboarding and continuously thereafter.
  • Soft‑search bureau checks: where permitted, to corroborate identity and address; this leaves a soft footprint and does not affect credit score.

Organisations (companies, partnerships, charities, trusts)

Organisations existence:

Verify legal existence via Companies House, Charities Commission or the relevant official registry for overseas entities. Obtain and retain formal proof such as a Certificate of Incorporation, registry extract, or other equivalent documentation confirming the organisation’s legal status.

Directors, beneficial owners and account holders:

Identify all Directors, Officers, Trustees, Responsible People and Beneficial Owners holding more than 25% ownership or control (or as otherwise defined by law) and verify each individual in line with – Individual Verification. This includes biometric ID, proof of residential address (dated within 3 months), and PEP/sanctions screening.

Control & authority:

Confirm that the person acting on behalf of the organisation is duly authorised to contract or manage the account. The person is required to complete verification and a signed Letter of Authority issued by an authorised officer, trustee, or partner.

Business profile:

Collect and record a summary of the organisation’s activities, registered and trading address(es), website or online presence, and expected use of UK Postbox services, including reason for wanting the service, mail volumes, nature of correspondence, and any relevant operating or shipping geographies.


Verification for organisations may involve providing some or all of the following documents:

  • Proof of your registered and trading addresses – separate proof is required for each, even if they are the same address (for example, a recent utility bill, lease agreement, bank statement, HMRC/Companies House notice, or insurance document).
  • Certificate of Incorporation or another official document confirming your organisation’s legal registration.
  • Governing document, partnership agreement, or trust deed, if this applies to your organisation type.
  • Letter of Authority confirming who is authorised to act or make decisions on behalf of the organisation.

Public sector (Healthcare Organisations, Regulators, Public Corporations, Education Institutions, Trade Unions, Embassies and Consulates, Government Departments, Agencies and Public Bodies)

Organisation existence:

Verify legal existence and status using official government or regulatory sources (for example, GOV.UK registers, NHS listings, Ofsted/Department for Education, official regulatory bodies, or embassy/government websites). Obtain and retain confirmation such as an official registry extract, government listing, or equivalent documentation confirming the organisation’s status.


Authorised individuals:

Identify and verify the individual(s) acting on behalf of the organisation (for example, Director, Head of Department, Practice Manager, Registrar, Consular Officer, or authorised employee). Each individual must be verified in line with – Individual Verification, including biometric ID, proof of residential address (dated within 3 months where applicable), and PEP/sanctions screening.


Authority & control:

Confirm that the individual acting on behalf of the organisation is authorised to do so. This may include verification via an official organisational email domain (for example *.gov.uk, *.nhs.uk, .ac.uk), a signed Letter of Authority on official letterhead, or confirmation via publicly available contact details. The individual is required to complete verification and provide evidence of their authority where requested.


Organisation profile:

Collect and record a summary of the organisation’s function, department or division using the service, official address, and expected use of UK Postbox services, including reason for use, mail volumes, nature of correspondence, and any relevant operating or geographic considerations.


Verification for public sector organisations may involve providing some or all of the following documents:

Official confirmation of organisation status (such as a government listing, registry extract, or equivalent).

Proof of the organisation’s official address where not publicly verifiable.

Letter of Authority or equivalent document confirming who is authorised to act on behalf of the organisation.

Departmental or internal confirmation for larger organisations where applicable.

Purchase order

Any additional documentation required to meet regulatory or AML obligations.

Risk‑based extras (EDD)

Applied where risk is higher (e.g., high‑risk geographies, complex ownership, PEPs, adverse media):

  • Additional documentary evidence and/or source of funds/wealth checks;
  • Senior management approval to onboard/continue;
  • Increased monitoring and shorter review cycles.

Alternatives & accessibility

We aim to make verification accessible and inclusive:

If you are unable to complete standard photo ID or biometric verification, the following options may apply:

  • Manual verification may be offered in exceptional circumstances and must be approved by the Compliance Team before your account can be activated.

  • You may be asked to provide certified physical documents to confirm your identity and address.

    Copies, scans, or screenshots are not accepted.

  • Customers who require assistance due to disability, accessibility needs, or safeguarding concerns can contact accessibility@ukpostbox.com to discuss reasonable adjustments.
  • All manual or alternative verifications are reviewed and approved by the Compliance Team, and complete records are retained for audit purposes

When we verify

  • Before activating services for new customers.
  • On material change: ownership/control, directors, service usage, geography, or risk profile.
  • Periodically: review cycles based on risk tier (e.g., High: 12 months, Standard: 24 months, Low: 36 months), aligned with our AML & KYC Policy.
  • Trigger events: sanctions/PEP updates, adverse media, suspicious or unusual activity, or at the request of law enforcement.

Verification outcomes

  • Pass: account proceeds.
  • Pending/More information required: we will request additional documents or repeat steps if images are unclear or expired.
  • Fail/Unable to verify: services may be refused, suspended or terminated. Where permitted, we will explain what was missing or why we could not verify. For sanctions/PEP concerns, we may be unable to share details.

Appeals: If you believe a decision is wrong, contact compliance@ukpostbox.com with new information. We aim to complete appeal reviews within 10 working days of receiving the required information. Note: we do not use automated decision‑making that produces legal or similarly significant effects without human review.

Fraud, sanctions & prohibited use

  • We monitor for impersonation, forged documents, synthetic identities and abuse of addresses.
  • Confirmed or suspected fraud or sanctions breaches may be reported to relevant authorities.
  • Use of our addresses must be lawful and transparent; see our Restricted Goods Policy, Acceptable Use Policy and Terms & Conditions.

Data protection & privacy

  • What we collect: ID document images/data, selfie/liveness recordings, address proofs, verification results, audit logs, sanctions/PEP match status.
  • Why we collect it: onboarding, legal obligations (MLR), fraud prevention, and service security.
  • Sharing: with vetted KYC/biometric vendors and, where required, regulators/law enforcement.
  • Retention: normally 5 years after the relationship ends (or longer if legally required). Biometric artefacts (raw captures and templates) are retained no longer than necessary to generate and store the verification result, and in any event no longer than 30 days unless required for an active dispute or investigation.
  • Security: encryption at rest/in transit; access control/MFA; audit logging; supplier due diligence; BS EN 15713 for paper destruction.
  • International transfers: if data is processed outside the UK, we use IDTA or the UK Addendum to SCCs with a TRA/TIA where required.
  • Your rights: access, rectification, erasure, restriction, portability and objection—see our Privacy Notice and SAR Procedure.
  • Contact: dpo@ukpostbox.com for privacy queries.

Staff responsibilities & training

  • Only trained, authorised staff may review KYC results or request additional information.
  • Staff must follow the AML & KYC Policy, this Policy, Data Protection Policy, and Incident Response & Breach Notification Policy.
  • Suspicions of fraud or money laundering are escalated to the MLRO (mlro@ukpostbox.com) using the internal SAR process. No tipping‑off.

Vendors & quality assurance

  • We use reputable KYC/biometric providers under DPA and security due diligence. Vendors must report incidents without undue delay.
  • We conduct periodic quality checks on KYC outcomes and maintain a decision log for accountability.
  • Changes to vendors or verification methods will be notified via our Trust Centre where material. We will notify customers if we change our primary KYC/biometric provider, given the sensitivity of the data involved.

Governance, review & contact

  • Owner: Compliance Lead / MLRO, with Privacy oversight by the DPO.
  • Review: annually or on legal/technology change.
  • Contact: onboarding and verification support via support@ukpostbox.com; complaints via our Complaints & Escalation Process; privacy matters via dpo@ukpostbox.com.

UK Postbox Limited

13 Freeland Park, Wareham Road, Lytchett Matravers, Poole, Dorset, BH16 6FH, United Kingdom


Support: support@ukpostbox.com

Security: security@ukpostbox.com

Legal notices: legal@ukpostbox.com

Data protection: dpo@ukpostbox.com

Complaints: complaints@ukpostbox.com

Accessibility: accessibility@ukpostbox.com

Website: www.ukpostbox.com


Registered in England and Wales Company Number: 06723381

MLR registration no: XLML00000192390

ICO registration no: ZA038907