A proposed guideline framework for assessing digital ID systems could bring order to chaos and set the global standard for integrity, says Trulioo COO Zac Cohen.
Exposed databases containing our most personal information – information prized by dark web dealers, hackers and, by extension, money launderers, traffickers and terrorists – have been described as ‘the ugly elephant in the room that every security professional knows about, but doesn’t want to talk about’.
2019 wasn’t a good year for those security professionals. Worldwide, the total number of data breaches rose by a third, according to research from Risk Based Security, with records kept by medical services, retailers and public entities most affected. It added up to 7.9 billion records being put at risk – and potentially millions of convincing but fake identities being used to slip past the know-your-customer (KYC) and anti-money laundering (AML) sentry boxes erected by financial services.
It’s why digital ID systems are in the spotlight for 2020. There is already a lot of regulatory activity around identity and verification. Among other initiatives, the fifth AML Directive (AMLD 5) of the European Union (EU) will be implemented this month (January 2020), with AMLD 6 already on the table; the US Treasury will have financial institutions around the world in its sights as it extends its counter-terrorism powers; and the UK is expanding the scope of its Money Laundering Act to the international affiliates of UK-based businesses.
But it’s the Financial Action Task Force (FATF), a global intergovernmental body that currently draws together ministers from 39 countries to defend the world’s financial services from bad actors by making recommendations to policymakers, that could have the most impact.
That is because its Draft Guidance On Digital Identity takes as its starting point that digital identity systems are a public good: they can extend financial services to people who find it difficult to access even basic banking; they save us all time and money by removing senseless duplication of information; and they transform the customer experience, especially around onboarding.
At the end of the day, however great the vulnerabilities inherent in vast databases containing biometric and other personal information, you can’t wish this digital genie back into the bottle. And trying to control it with layers of regulation could negate the advantages of having online ID in the first place, as additional requirements for authentication frustrate the consumer experience and add cost for providers.
So, the FATF is taking a different tack. While it acknowledges that breaches associated with digital ID systems ‘can be more devastating than breaches associated with traditional ID systems due to the potential scale of the attacks’, it’s recommending a risk-based – and, importantly, universal – approach to the use of digital ID for customer due diligence (CDD). Its proposed digital ID assurance framework and standards for establishing the required attributes, identity evidence and processes for proving the identity of a ‘natural person’ are based on the US National Institute of Standards and Technology and the EU’s e-IDAS (International Defence and Security) regulation.
The ultimate aim is for financial institutions and others to understand the assurance levels of a digital ID system technology’s main components, including its architecture and governance, in order to determine its reliability and independence. Companies can then make a broader, risk-based decision as to whether a particular digital ID system provides an appropriate level of reliability and independence in the face of the illicit financing risks an organisation faces.
Zac Cohen, chief operating officer at real-time, cross-border identity verification provider Trulioo, accepts that ‘there are risks specific to digital ID systems – particularly in relation to cyberattacks and potential large-scale identity theft’.
“On the other hand, digital ID systems that mitigate these risks in accordance with digital ID assurance frameworks and standards hold great promise for actually strengthening CDD, AML and combating the financing of terrorism (CFT) controls. Digital ID can cut down on fraud, improve customer experience and reduce costs for regulated entities.”
It’s to protect the credibility of such digital ID programs and instil trust that the FATF recommends policymakers ‘develop clear guidelines or regulations allowing the appropriate, risk-based use of reliable, independent digital ID systems’ by regulated entities. International bodies are continually developing technical standards for digital ID; the International Organization for Standardization and the International Electrotechnical Commission are both working on updating identity, IT security and privacy rules. While each country will determine its own path, at least the FATF’s guidance provides a mutual starting point.
“Assurance levels are key,” agrees Cohen, “and providing structure and flexibility in how we can manage assurance levels and still be in compliance opens the doors for access to financial services and opportunities online.”
Importantly, it could bring some order to the current chaos of standards and solutions facing financial providers.
“The digital identity and document verification market is forecast to grow to $15 billion by 2024. There are numerous solutions from various vendors, with different jurisdictions specifying divergent requirements,” says Cohen.
“Digital identity is a complex proposition, so there will never be a one-size-fits-all solution. Instead, a holistic, global approach will help organisations optimise and synchronise their processes. The FATF’s guidance provides a high-level overview of how to coordinate standards and solutions for better digital identity for all.
“Trulioo looks forward to helping to create this flexible digital identity standard that grows the market, provides security and compliance and meets the needs of consumers, businesses and government. It’s a holistic look at how we can collaborate to a standard that makes sense, regardless of the use case or scenario. And it aligns with our vision, the consortium view of identity where different technologies and solutions work together to build a better world for us all.”
Financial Action Task Force’s key recommendations
For authorities…
- Adopt principles, performance and/or outcomes-based criteria when establishing the required attributes, identity evidence and processes for proving official identity for the purposes of CDD. Given the rapid evolution of digital ID technology, this will help promote responsible innovation and future-proof the regulatory requirements.
- Adopt policies, regulations and supervision and examination procedures that encourage regulated entities to develop an efficient, integrated approach to digital ID, streamlining applicable digital processes across all relevant efforts.
For regulated entities…
- If, as a matter of internal policy or practice, non-face-to-face customer identification is always classified as high-risk, review and revise those policies to take into account that customer identification/verification that relies on reliable, independent digital ID systems, with strong risk-mitigation measures in place, may be standard risk, and may even be lower-risk.
- Have a process to enable authorities to obtain the underlying identity information, and evidence or digital information needed, for identification and verification of individuals.