Digital Identity: Key Concepts
July 2019

Leveraging technology to strengthen the financial system is a focus point of the IIF’s work on Digital Finance. As current developments show, Digital Identities hold great promise to contribute to a more inclusive financial system which is also more resilient in terms of preventing financial crime.

Over the coming months, the IIF will publish a 3-part series of papers on Digital Identities. The first paper will highlight central considerations with respect to Anti-Money Laundering (AML) frameworks; the second opportunities to promote financial inclusion; and the third new business opportunities for financial institutions in an increasingly competitive market.

In approaching these issues, we have identified that many use the term Digital Identity (or its abbreviation “Digital ID”) with quite different meanings. This paper sets out the key items and variances of this terminology, for clarification on how they will be applied in our upcoming series.

A Digital Identity can best be described as a compilation of electronically captured and stored attributes of a uniquely identifiable persona that can be linked to a physical person. As opposed to a simple record of this information, a Digital Identity constitutes the identity of an individual, which can subsequently be used as a building block for further interactions (i.e. with public sector bodies or private entities such as financial institutions). The focus of our work will lie on this concept.

The scope of information needed for a Digital Identity is of course debatable. While traditional attributes such as a person’s name, date and place of birth or nationality are straightforward, to what extent other attributes should be part of one’s identity is not always clear. This starts with the current discussions around an individual’s (physical or perceived) gender, but could also include further information generated online which can change dynamically and increase in volume over time. Finding a definition of “identity” in this context goes beyond the scope of financial services, but should aim at as much global harmonization as possible to ensure recognition between countries and interoperability of Digital ID solutions.

The current AML frameworks contain a list of information to be collected before engaging in a business relationship, in order to gain assurance of a person’s identity and determine money laundering risk factors (which frequently include a person’s occupation and the source of funds). Therefore, any work by international standard setters on incorporating Digital Identities into an AML framework should include a clarification of the personal information a Digital Identity should contain about an individual.[1]

On the other hand, the concept behind Digital Identification (aka Digital Identity Proofing) should be understood as a process. Put simply, the current work undertaken by a number of regulators and standard setters focusses on digitizing the process a person goes through to have their identity established and validated. An example of those is the “Know-Your-Customer” processes implemented in financial institutions in accordance with applicable AML rules. Traditionally, these entail gathering a set of information about a person’s identity first and validating if this information is true by using appropriate evidence, such as an identity card (usually government issued) or a passport. Many of these still require both parties to be physically present or face the risk of being subjected to stricter requirements (such as higher customer risk ratings).

Efforts are underway to build solutions which would be equivalent or quasi-equivalent to a physical interaction in terms of comfort about a person’s identity but can be managed online. An example from the financial services industry is the VideoIdent process implemented in Germany[2], under which the Know-Your-Customer process can be performed via video chat in accordance with specific standards. The European eIDAS initiative[3] is another, broader and technologically agnostic step in this direction, determining the conditions under which interactions with the public sector can occur without physical presence, based on standards set up to determine a person’s identity.

eIDAS also leads us to the last puzzle piece in this broader context. As a last step within the identification process, the collected datasets need to be tied to a person, which usually occurs through some form of verification process (aka authentication process in some jurisdictions); these processes are increasingly digitized (e.g. through using biometric data instead of relying on the comparison between a person and a picture). At the same time, these can also help reconfirm information on record. For example, when interacting over a computer, sending text messages back and forth can help prove that (a) the person using the service through a computer is who they claim to be and (b) that the phone number / phone ID on record is correct and the person is indeed in possession and control of the device. This information can then be used to enroll in a service, usually by creating access credentials (authenticators) assigned to the person, as well as to give access to the services later in the business relationship lifecycle.

While it is important to clearly separate these different elements, they can be treated as various steps of a singular process that feed off each other. A digital identity may be generated and assigned to a person by going through a “traditional” identification process, performed by a trusted party.[4] The Digital Identity might be linked to biometric data, making sure that it is available only to the right person, who can then prove his/her identity by unlocking it.[5] As the implications and challenges in implementing all of these steps are diverse, it is nevertheless important to distinguish between them.

The IIF looks forward to exploring these topics further in the coming months and engaging with the financial industry and public sector on our various findings. For further questions and comments on the key concepts set out here, please contact Adrien Delle-Case ([email protected]).

[1] A case could be made to tailor the amount of information that is subsequently disclosed to various actors based on the purpose of their interaction with the individual (government business, banking relationship etc.) to ensure privacy. This will be explored further in our upcoming first paper on Digital Identities and their implementation in AML frameworks.
[2] BaFin Circular 3/2017 (GW) – Video Identification Procedures, English translation available at: https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Rundschreiben/2017/rs_1703_gw_videoident_en.html
[3] Regulation (EU) 910/2014
[4] See for example the Verified.Me initiative currently being implemented in Canada.
[5] See for example the Bank Verification Number, a biometric identification system implemented by the Central Bank of Nigeria.