The Financial Action Task Force (FATF) published a guidance document on Digital Identity in March 2020. At a time when many organisations are considering how best to comply with customer due diligence (CDD) requirements, the guidance offers insight into what constitutes a digital ID system, the benefits it can bring and the potential risks it carries.
Digital ID systems are defined in the guidance as digital systems used to assert and prove a person’s identity online and/or in a face-to-face environment. These systems can involve different operational models and may rely on various entities and types of technology, processes and architecture.
Key Components of a Digital ID System
For Compliance Officers seeking to assess how a Digital ID system could assist in CDD, it is useful that the guidance sets out some examples of how a system could work. A robust system could include:
- A range of biometric technology such as fingerprint analysis;
- Smartphones with cameras and microphones;
- Digital device identifiers and related information, e.g. IP addresses and geolocation;
- High definition scanners, for scanning ID cards and other documents;
- High resolution video transmission, for allowing remote identification;
- Artificial Intelligence/machine learning, for determining the validity of government issued ID.
The guidance also establishes that there are two key components of a Digital ID System and a third optional component:
- Identity proofing and enrolment (essential). This component answers the question “Who are you?” It involves collecting, validating and verifying identity evidence and information. It also includes establishing an identity account and binding that identity to authenticators possessed and controlled by the person.
- Authentication and identity lifecycle management (essential). This answers the question “Are you the person who has been identified and verified?” It establishes that the person asserting the identity is the same person who was identity proofed and enrolled.
- Portability and interoperability mechanisms (optional). Some digital ID systems may include a component that enables proof of identity to be portable.
The two essential components (identity proofing and enrolment, and authentication and lifecycle management) will, therefore, be useful for Compliance Officers in discussions with providers when determining whether a given digital ID system is reliable and independent for AML/CFT purposes.
As with any new or emerging technology, there are risks involved, and if a Digital ID system is to be used there will be implications for the Business Risk Assessment and the Technology Risk Assessment required by the Anti-Money Laundering and Countering the Financing of Terrorism Code 2019 (the Code). Any technology carries an inherent money laundering and terrorist financing risk that needs to be understood and mitigated. These risks include cybersecurity risks as well as privacy, fraud and other related financial crime risks, and because the use of such technologies directly affects the AML/CFT risks an organisation faces, they cannot be considered in isolation. As with any AML/CFT risk, the risks posed by digital ID systems can be mitigated with well-designed identity proofing, authentication processes and security protocols, but it is important that these are properly understood by the business and documented in its risk management frameworks.
Other risks and challenges presented by digital ID systems include:
- Identity proofing and enrolment risks. Risks created by the loss of personal data or by impersonation. These also include compromise of the broader digital ID infrastructure.
- Authentication risks. Risks created by stolen account credentials, as well as issues with the technology itself. When biometrics are used, there is a risk of the data, such as fingerprints, being read incorrectly. Facial recognition may also be rendered unreliable by facial expressions, changes in facial hair or makeup, or lighting conditions.
- Identity lifecycle management risks. Poor management can compromise the integrity of authenticators and may enable unauthorised access.
- Unknown risks. As any technology develops and evolves, new risks may emerge. Technical design changes may introduce previously unknown vulnerabilities that are not apparent until they are exploited.
- Broader issues. Digital ID systems present wider issues and risks relating to connectivity or other technology-based failures. As the technology involves personal data, data protection and privacy challenges may also arise.
The Recommendations for Regulated Entities
The Guidance usefully lays out recommendations for regulated entities. Entities should understand the basic components of digital ID systems, such as identity proofing and authentication, and how these may apply to the required CDD elements. Entities are also advised to take an informed, risk-based approach to relying on digital ID systems for CDD, in line with the requirements of the Code. The risk-based approach must consider the systems’ assurance levels and ensure these levels are appropriate for the entity’s associated ML/TF risk.
An entity using digital ID systems must also consider whether systems with lower assurance levels are sufficient for simplified CDD in low-risk cases; conversely, customers classed as high risk would require a system with a higher assurance level. It is also advised that anti-fraud and cybersecurity processes are used to support digital identity proofing and authentication for AML/CFT efforts. The example given in the guidance is for an entity to use the safeguards built into digital ID systems to prevent fraud and to feed into systems that conduct ongoing due diligence. In addition, an entity must ensure that it has access to, or a process for enabling authorities to obtain, the required information on the identification and verification of individuals, which would be particularly important during supervisory visits or STR reporting. Entities are encouraged to engage with regulators on this matter in order to explore what can be accomplished in the digital environment.
It is clear in the developing digital environment that digital ID systems offer a wide scope of use, and the willingness of businesses to consider them has been accelerated by the pandemic. While they inherently present risks, as any new technology does, the FATF guidance suggests how these risks may be mitigated. Digital ID systems have a clear ability to change how future client onboarding is undertaken and how CDD is gathered, with cost and security implications. Given the current pandemic and state of the world, investing in such digital systems may prove useful for continuing business. After all, if staff can work from home using online systems, why can’t a customer be onboarded in the same way?
At DQ, we are experienced in undertaking technology risk assessments and wider AML assessments and reviews and would be pleased to assist with the various considerations, including those relating to privacy, which come into play when adopting a digital ID system.