What specific items do you think should be considered in writing a policy for identity verification?