Why candidate-owned identity beats employer-owned verification.

Every incumbent verification tool operates on an employer-owned model. The employer pays for the check, the employer owns the record, and the record dies at the end of the hiring process. That model made structural sense in an era of on-site interviews, lifetime employers, and occasional job changes. It does not scale to a world of remote hiring, two-year median tenures, and candidates who apply to ten companies a quarter.

This article makes the case that candidate-owned, portable verification is not just better for candidates but better for employers, and explains why the network effect makes it the only durable model at current hiring volumes.

What does employer-owned verification look like today?

The employer-owned model is the default across the verification stack. An employer buys a product from a vendor (Sterling, Checkr, HireRight, or any of dozens of others). The employer triggers a verification run on a specific candidate for a specific role. The vendor runs the check, produces a report, and hands it to the employer. The report lives in the employer's ATS. It does not follow the candidate. If the candidate applies elsewhere next month, the next employer starts from zero.

The cost stack this produces is ugly at scale. A candidate applying to ten employers in a year gets verified ten times. The same identity, the same credentials, the same background information gets checked ten times. Each employer pays the full unit cost. The candidate loses time on repeat verification. The verification industry charges ten times for the same work.

Three structural weaknesses fall out of this model.

It is expensive at the margin. Every employer pays the full cost of a verification run. There is no amortisation across the candidate's multi-employer career. At current per-candidate verification prices (roughly $30 to $150 depending on scope), the aggregate spend across the verification industry is order-of-magnitude higher than it needs to be.

It is slow. The candidate goes through the same steps at every employer. For entry-level and mid-level roles where hiring cycles matter, repeat verification adds days to time-to-hire at every stage.

It locks data with the employer. Data-residency and GDPR obligations apply to every employer separately. If the candidate wants to revoke access, they have to go to each employer one at a time. If an employer has a breach, the candidate's verification data is exposed with no control on their end.

None of this is strategic on anyone's part. It is the leftover architecture of a pre-remote hiring era. It is also genuinely expensive and non-portable at the current pace of hiring.

What does candidate-owned mean in practice?

Candidate-owned verification flips the architecture. The candidate holds a persistent verified record. The candidate controls which employers can see it. The record is created once, updated when material facts change, and re-used across every employer on the network.

Concretely, the candidate-owned model works like this.

The candidate's first Veref employer runs a full verification: government ID scan, selfie liveness, biometric template creation, and structured reference checks if the role includes them. The result lives in the candidate's Veref Passport, associated with the candidate's own Veref account.

When the candidate applies at a second Veref employer, they approve a share. The second employer sees the verified claims (identity verified on date X, references verified in month Y, no failed checks) without re-running the verification flow. The underlying data (biometric templates, raw ID images) does not transfer; the verified claim does.

At any point, the candidate can revoke an employer's access. The employer loses the ability to view the Passport. The employer's local copy of whatever claim they received remains (they are the controller of that record now) but the live Passport linkage is gone.

If the candidate wants to delete their Passport entirely, they can. The record is removed from Veref's systems. Employers who previously had access lose it. The candidate can re-verify from scratch if they later want to.

Consent is explicit and revocable

Every share is a deliberate act. The candidate sees a specific prompt (Company X is requesting view of your Passport for a Senior Engineer role; approve or decline) and approves or declines each one. The audit log records every share, every view, and every revocation, timestamped and visible to the candidate.

This is not a novel model. It is how Plaid works for financial identity, how Apple Wallet works for boarding passes, and how every well-designed OAuth flow works for third-party app access. Each instance of a consent-based credential layer has been dominant in its category. Hiring verification has been slower to adopt the pattern, but the logic is the same.

The candidate experience is the product

Candidates verify once and skip re-verification at every other employer on the network. That is the headline benefit. The second-order effects are: faster time-to-interview at the fourth, fifth, and tenth employer; lower repeated cognitive load for the candidate; and a sense that the process is working for them instead of extracting labour from them.

Candidate NPS data from pilots consistently shows a six-to-eight-point improvement on a ten-point scale after a candidate's second Veref employer. The reason is not any particular feature; it is that the candidate has the experience of verification helping them rather than being yet another task on the application checklist.

Why does the network effect matter?

The network effect is the economic argument. It is also the reason why a candidate-owned model dominates an employer-owned model over any reasonable time horizon.

The first employer to verify a given candidate on the Veref network pays the full unit cost of that verification. The second employer, if the candidate has approved a share, pays a marginal cost (the platform fee; the verification itself is cached). The tenth employer pays close to zero incremental cost for a candidate who arrives pre-verified.

Over a candidate's career, the total verification cost paid by all employers combined drops from roughly $1,000 (ten employers × $100 each) to something closer to $150 (one employer pays full cost, nine pay a marginal fee). That surplus goes somewhere. Most of it stays in employer budgets as lower per-hire verification cost. Some of it flows back to candidates as faster hiring cycles.

The network effect also changes the vendor-customer relationship. An employer choosing Veref is not just choosing a vendor; they are joining a network whose value to them grows as other employers join. That is the same dynamic that made Stripe, Plaid, and LinkedIn the defaults in their categories.

What about data privacy and GDPR?

Candidate ownership dramatically simplifies the GDPR picture.

Under UK GDPR and GDPR, the primary data subject is the individual whose data is processed. For candidate-owned verification, the data subject is the controller of their own record. Export, deletion, and consent revocation are all native to the product, not bolt-ons required by regulation.

Employers using Veref are processors for the portion of the candidate's data they have been shared with, not controllers of the underlying Passport. This is the correct legal model and it is easier to document for DPO review than the alternative.

Data residency is a candidate preference on the Veref model: the candidate can choose UK, EU, or US residency, and employers adapt to where the candidate's data lives. Under the employer-owned model, data residency is an employer choice that often conflicts with where candidates actually live.

Biometric data specifically is handled at the template level, not the raw-image level. Raw ID images and selfie captures are deleted shortly after the biometric template is extracted. The template is what matches against future verification events. This is the pattern that passes a privacy review under Article 9 of GDPR (biometric data as a special category).

What does this look like five years out?

Three predictions, in declining order of confidence.

Candidate-owned verification becomes the default for knowledge work. By 2030, a Veref Passport (or a direct competitor on the same model) is as common in white-collar hiring as a LinkedIn profile. Candidates without one are at a disadvantage, not because employers require one, but because the hiring cycle is faster for candidates who have one. The flywheel is obvious in retrospect.

Employers who cannot plug into the network face a cost disadvantage on verified pipelines. Employer-owned verification continues to exist for legacy workflows, regulated cases, and holdouts. It gets more expensive per hire every year, because the comparable candidate-owned hires are getting cheaper per hire every year. By 2029, the cost delta is significant enough that the comparison becomes a procurement question, not a philosophical one.

Recruiting becomes about access to a verified graph rather than about one-off checks. The question an employer asks shifts from "can I verify this candidate?" to "what does my verified pipeline look like?" The answer lives in the network, not in the employer's individual verification spend. Vendors who build the network win the market; vendors who build individual-check tooling lose the market.

None of this is preordained. Network effects are fragile in the first 24 months and durable after. The employer-side chicken-and-egg problem (why join if no candidates are here?) is the hard part. The candidate-side problem (why bother verifying?) is solved by the candidate upside of portability.

Veref's bet is that both sides of the market are ready. Employer procurement budgets exist because current verification costs are material. Candidate willingness exists because the candidate-side benefit is real. The product is designed around the hypothesis that the two sides reinforce each other faster than incumbents can respond.

If you want to see how the Passport looks in practice on a candidate's account and an employer's dashboard, book a demo. We will walk through a real candidate journey from first verification through third-employer reuse.

Sources and further reading

1. [1]Self-sovereign identity frameworks · W3C, 2023
2. [2]Network effects in two-sided marketplaces · Harvard Business Review, 2022
3. [3]Candidate experience benchmarks · Talent Board, 2024
4. [4]Decentralised Identifiers (DIDs) v1.0 · W3C Recommendation, 2022

Frequently asked questions

Is candidate-owned the same as self-sovereign identity?+

The principles overlap heavily. Candidate-owned verification is a practical application of the same design philosophy: the individual holds the record, consent is explicit, and access is revocable.

Does candidate ownership introduce fraud risk?+

Less, not more. The record is cryptographically tied to the identity that was verified at issue time. Sharing the record does not expose the underlying biometric; it exposes a verified claim that the employer can check.

What happens if the candidate wants to delete their record?+

They can, at any time. The record is removed from our systems; employers who previously had access lose it. The candidate can then re-verify fresh if they choose.

Why would an employer pay for verification that benefits other employers?+

Because they inherit the same benefit. The first employer on the network pays the full verification cost for a given candidate. The fourth employer that hires the same candidate pays a marginal cost because the candidate arrives pre-verified. Over a portfolio of hires, every employer on the network is net-positive.

Is this the same as Plaid for banking?+

Structurally similar. Plaid is a consent-based, candidate-owned credential layer for financial identity. The Veref Passport is the same pattern for professional identity in hiring. Both work because the individual is in the driver's seat and both sides of the market benefit.