Why storing identity documents in software is a growing risk - and what DSPs can do instead
Identity verification is no longer optional.
From AML/CTF reforms to payroll onboarding, tax agent client verification and broader compliance obligations, organisations are increasingly required to confirm that people are who they say they are.
And in many cases, they turn to their software provider to help.
But here’s the problem:
When business software platforms allow passports, driver’s licences, or other identity documents to be uploaded and stored, they can
unintentionally become high-value targets for cybercriminals.
Most DSPs don’t need to carry this risk
Identity documents are fundamentally different from other data.
A breached email address can be changed.
A breached password can be reset.
A breached passport or driver’s licence creates long-term identity fraud risk.
When software platforms store copies of identity documents, they create a concentrated “honey pot” of personal information. In a breach scenario, the harm is magnified - for customers, end users, and the DSP itself.
That’s why DSPANZ developed the Privacy and Identity Verification Best Practice Guidance.
The core message is simple:
If you don’t store identity documents, you dramatically reduce your exposure to breaches.
What best practice looks like
The guidance sets out six practical principles, but the shift can be summarised in one concept: move from document storage to metadata-only verification.
Instead of storing copies of passports or licences, DSPs should:
- Enable digital identity verification solutions by default
- Block or prevent identity document uploads
- Automatically delete documents once verification is complete
- Retain only minimal metadata to demonstrate that verification occurred.
That metadata may include:
- The name of the individual verified
- The document type used
- The verification method (digital or visual)
- A verification reference number
- A timestamp.
Importantly, this allows customers to demonstrate compliance - without retaining sensitive identity images or document numbers.
What this means for your customers
For your customers - employers, tax agents, accountants, payroll administrators and more - this approach:
- Reduces their exposures in the event of a breach
- Supports compliance with privacy legislation
- Aligns with modern digital identity solutions
- Builds trust with employees and clients.
For individuals whose identities are being verified, it means:
- Their passport or licence is not sitting in a database indefinitely
- Their information is deleted once its purpose is complete
- Only proof that verification occurred is retained.
Why DSPANZ acted
DSPANZ’s Digital Identity Working Group developed this guidance in response to increasing identity verification requirements and the corresponding risk of unnecessary data retention.
As regulatory obligations expand, the role of software providers is becoming more central. With that centrality comes responsibility.
The industry has an opportunity to lead by designing systems that minimise risk rather than accumulate it.
A practical step forward
The guidance is not about restricting functionality. It is about:
- Designing smarter workflows
- Leveraging digital identity providers
- Updating data models to exclude document images
- Embedding automatic deletion and strong encryption controls.
It provides a practical blueprint DSPs can implement now.
For members looking to update their practices, the guidance can also be used to communicate proactively with customers:
- Explaining why identity documents are not stored
- Demonstrating commitment to privacy-centric design
- Positioning your platform as security-first.