Proof of address is nonsense
Many things require a ‘proof of address’, such as:
The kinds of documents that are treated as ‘proof of address’ often include:
- Bank account, mortgage, or credit card statements
- Utility or council tax bills (although often excluding mobile phone bills)
- A government-issued letter, often from HMRC or DWP
I almost created one myself, as I thought it would be a fun blog article embed to help prove the point further.
I ultimately decided that it could maybe fall under section 3A of the Computer Misuse Act 1990, which makes it a criminal offence to supply ‘any article believing that it is likely to [...] assist in the commission of, an offence under section 1, 3 or 3ZA’. This includes gaining unauthorised access to computer materials.
This does seem like a poorly written law. If strictly enforced would almost certainly ban phones altogether: any phone could assist someone to gain unauthorised access to computer materials. Perhaps it would be overturned by the European Court of Human Rights (ECtHR), under Article 10 of the Human Rights Act 1998 which upholds freedom of expression. While Article 10 does have an exception for crime prevention, presumably banning all phones is disproportionate.
A more mischievous part of me thought about what a private prosecution against someone like Apple would look like: it’s presumably foreseeable that an Apple product has or will be at some point used to help gain unauthorised access to a computer system. Apple then might have to spend the money on lawyers that would then make the case this law is unenforceable - in some weird roundabout form of impact litigation.
In the end, I decided not to file a court case against one of the richest multinational corporations in the world - at least not while I’m on holiday.
Most banks2Including all of the big four: HSBC, Barclays, Lloyds, and NatWest. Plus smaller ones like Starling and Monzo.
also allow customers to change addresses without verification, and then get a bank statement for that new address - defeating the point of using bank statements as proof of address.A few friends I’ve discussed this with thought there’s a nice system banks, governments or other respectable institutions have to verify these documents. Hence they can’t be trivially forged.
Unfortunately, this is not the case. There’s simply no way for most institutions to verify these statements. Even where it is possible (e.g. you apply for a loan from a bank, and you’ve given them a bank statement from themselves as proof of address) I’ve never seen this happen.
So yes, it’s up to someone eyeballing the documents and seeing if they look obviously fake.
This also often runs counter to the FCA’s existing guidance on customer due diligence checks (FCG 3.2.4), which highlights good practice as being able to ‘cater for customers who lack common forms of ID (such as the socially excluded, those in care, etc).’
Young people are often particularly let down here: they’re more likely to opt for digital-only banking so have no paper statements, and may only have utility bills in a landlord’s, parent’s or housemate’s name. Some more eccentric requirements like having to get statements stamped or signed by a bank manager (which is also pointless and easy to forge) are very difficult to satisfy: most banks no longer offer this.4See HSBC, Barclays, and Lloyds. NatWest sometimes does this, although it seems inconsistent.
Combined, this makes it easier to forge a ‘proof of address’ than to get a genuine copy. This is a broken system.
In 2024, we can do a lot better. We could have proof of address that is much more secure, cheaper and usually faster. (And don’t worry, I’m not trying to sell anything).
Footnotes
-
I almost created one myself, as I thought it would be a fun blog article embed to help prove the point further.
I ultimately decided that it could maybe fall under section 3A of the Computer Misuse Act 1990, which makes it a criminal offence to supply ‘any article believing that it is likely to [...] assist in the commission of, an offence under section 1, 3 or 3ZA’. This includes gaining unauthorised access to computer materials.
This does seem like a poorly written law. If strictly enforced would almost certainly ban phones altogether: any phone could assist someone to gain unauthorised access to computer materials. Perhaps it would be overturned by the European Court of Human Rights (ECtHR), under Article 10 of the Human Rights Act 1998 which upholds freedom of expression. While Article 10 does have an exception for crime prevention, presumably banning all phones is disproportionate.
A more mischievous part of me thought about what a private prosecution against someone like Apple would look like: it’s presumably foreseeable that an Apple product has or will be at some point used to help gain unauthorised access to a computer system. Apple then might have to spend the money on lawyers that would then make the case this law is unenforceable - in some weird roundabout form of impact litigation.
In the end, I decided not to file a court case against one of the richest multinational corporations in the world - at least not while I’m on holiday. ↩
-
Including all of the big four: HSBC, Barclays, Lloyds, and NatWest. Plus smaller ones like Starling and Monzo. ↩
-
This also often runs counter to the FCA’s existing guidance on customer due diligence checks (FCG 3.2.4), which highlights good practice as being able to ‘cater for customers who lack common forms of ID (such as the socially excluded, those in care, etc).’ ↩
-
See HSBC, Barclays, and Lloyds. NatWest sometimes does this, although it seems inconsistent. ↩