"Buddy-punching" is when one worker clocks in or out on behalf of another. On a busy temp desk it rarely looks like fraud. A picker is stuck in traffic, a mate taps their fob, and the shift starts on paper before the person is on the floor. It feels like a favour. Repeated across a week, a depot and a dozen agencies, it becomes one of the most expensive leaks in the staffing business.
For an agency, the damage is doubled. You pay a worker who was not there, and you invoice the client for hours that were never worked. When the client spot-checks the gate against your timesheet and the numbers do not line up, it is your margin and your reputation that take the hit — not the worker who tapped the fob.
Why PINs and fobs do not solve it
Most clocking systems try to fix attendance with something the worker knows or has. Both are trivially shareable:
- PIN codes get written on the back of a hand or shouted across the yard. A four-digit code is a favour anyone can do for anyone.
- Fobs and cards are designed to be portable, so they are easy to pass along. One worker can carry three.
- Fingerprint readers are slower in cold, wet or gloved conditions, and silicone spoofs are a known weakness — which is why many sites quietly fall back to a shared PIN.
The common thread is that none of these methods can answer the only question that matters: was this specific person actually here? They verify a token, not a human.
Tie every clock-in to a face and a place
The reliable fix is to verify something the worker is, and to record where they were when they did it. A face-verified clock-in matches the live camera against the enrolled worker and logs a confidence score on the timesheet. Pair that with a GPS check against the site boundary, and a clock-in stops being a tap and starts being evidence.
Done properly, that does not mean storing photos of your workforce. Faces should be converted into irreversible vector signatures that cannot be turned back into an image, processed on UK-hosted infrastructure, with a PIN fallback for anyone who cannot use the camera. Get the privacy design right and biometric clocking is fully workable under UK GDPR.
Make clocking in for someone else impossible
TempClock matches every clock-in against the enrolled worker in under two seconds and logs the match score on the timesheet — typically around 94%. No photos are stored, and there is a PIN fallback for edge cases.
What "good" looks like on the floor
A worker walks up to a tablet at the entrance, looks at the camera, and is clocked in before they have put their bag down. There is no code to remember and nothing to pass to a colleague. Behind the scenes, the match score and the distance from the site are stamped onto the record, so when a client questions an hour weeks later, you can show exactly who was verified, where, and how confidently.
The cultural effect matters as much as the technical one. Once the team understands that clock-ins are tied to a face and a location, the casual favours stop — not because anyone is being policed, but because there is nothing left to game.
A short checklist before you switch
- Confirm your method verifies the person, not a token they can hand over.
- Make sure a location is recorded with every clock event, so off-site taps are obvious.
- Check that faces are stored as irreversible signatures, never photos, on UK-hosted infrastructure.
- Keep a PIN fallback and a clear privacy notice so the rollout is fair and GDPR-ready.
- Pick a system where the proof lands on the timesheet, ready for a client query or an audit.
Buddy-punching is not a discipline problem you can train away — it is a design flaw in tools that check tokens instead of people. Close that gap and the leak closes with it.