The new Identity Verification Code of Practice 2026 marks an important moment for Aotearoa’s digital identity ecosystem.
Gazetted on 28 May 2026 and commencing on 1 July 2026, the Code replaces the Amended Identity Verification Code of Practice 2013. It is the first full rewrite in more than a decade and applies to reporting entities verifying the full name and date of birth of natural-person customers, beneficial owners and persons acting on behalf.
For DINZ members, the most significant change is the recognition of accredited Digital Identity Services Trust Framework (DISTF) services as a standalone pathway for identity verification.
This matters because it moves trusted digital identity from policy intent toward practical adoption. Accredited DISTF services are now recognised as a verification pathway that can be used online or in person, subject to defined assurance requirements.
The Code remains a voluntary “safe harbour”. Compliance is not mandatory, but a reporting entity that fully complies has met its verification obligations, and a court must have regard to the Code in any enforcement action. Entities can still verify by “some other equally effective means”, provided they give written notice to their supervisor.
The new Code sets out four verification pathways:
- Face-to-face verification with physical documents
- Verification through an accredited DISTF service
- Other electronic identity verification
- Certified copies
The assurance requirements for DISTF credentials are explicit. For online or in-person use, the credential must deliver name and date of birth to a Strong Plus level of both Information Assurance and Binding Assurance. For in-person use only, a lower Standard Plus level may be acceptable, where backed by a primary non-photographic document such as a birth or citizenship certificate.
Other changes are also worth noting. RealMe and e-passports are named in the electronic identity verification pathway. The DIA Confirmation Service is simplified. Risk-based verification of beneficial owners and persons acting on behalf is introduced. Certified copy rules are clarified, including expanded recognition of trusted referees such as Kaumātua, verified through a reputable source, and Māori Land Court officials.
The Code also sharpens the interface between identity verification and privacy. Several electronic identity verification linking mechanisms rely on biometric matching, including facial recognition with liveness. This brings the Code into conversation with the Office of the Privacy Commissioner’s Biometric Processing Privacy Code, particularly around necessity, proportionality and consent.
For DINZ, the wider significance is clear. The Code provides one of the most concrete regulatory endorsements to date of DISTF accreditation as a trusted verification rail. It shows how governance, assurance and legal recognition can support practical adoption.
It also reinforces why interoperability and privacy-enhancing design matter. As digital credentials become more widely used, the goal should not be to recreate physical identity documents in digital form. The goal should be safer, more efficient and more privacy-preserving verification.
This is a key step forward — and one the digital identity community should engage with closely.