On October 31, 2019, the Financial Action Task Force (“FATF”) released draft guidance on digital identity (the “FATF Guidance”) for public consultation. The FATF Guidance is intended to assist governments, financial institutions and other relevant entities apply a risk-based approach to the use of digital identity (“Digital ID”) systems for customer due diligence (“CDD”). The FATF Guidance details how, in a digital finance and Digital ID context, effective consumer identity authentication supports anti-money laundering (“AML”) and counter financing of terrorism (“CFT”) efforts. The deadline for comments on the FATF Guidance public consultation is November 29, 2019.
In Canada, the FATF Guidance comes in the context of: (i) FINTRAC’s release of its updated guidance on methods to verify the identity of an individual and confirm the existence of a corporation or an entity other than a corporation; and (ii) recent amendments to the Bank Act (and equivalent legislation in respect of federal insurance companies and federal loan and trust companies), federally regulated financial institutions to provide “identification, authentication or verification services”.
Technologies that can assist in authenticating identifies, including biometrics, digital ledger technologies and behavioural biometric patterns, can present significant potential in terms of assisting with Digital ID authentication processes for AML/CFT compliance purposes. However, organizations can also benefit from guidance on how to best leverage underlying Digital ID technologies, particularly in the context of AML/CFT compliance.
The FATF Guidance addresses: (i) terminology and key features of Digital ID; (ii) FATF Standards on CDD; (iii) benefits and risks of Digital ID systems for AML and CFT compliance and related issues; and (iv) the assessment of whether Digital ID systems are reliable and independent in line with a risk-based approach to CDD.
The FAFT raised the following questions for which it is seeking input in connection with its FATF Guidance consultations:
- Are there any specific money laundering/terrorist financing risks, that arise from the use of Digital ID systems for CDD, other than those already mentioned in the FATF Guidance?
- What is the role of Digital ID systems in ongoing due diligence or transaction monitoring?
- How can Digital ID systems support financial inclusion?
- Does the use of Digital ID systems for CDD raise distinct issues for implementing the FATF record-keeping requirements?
Terminology and Key Features of Digital ID
The FATF Guidance outlines relevant terminology and key features relating to Digital ID.
First, the FATF Guidance notes that when referring to “identity”, FATF is in fact only referring to the concept of “official identity”, which differs the broader concepts of personal and social identity. “Official identity” refers to “the specification of a unique natural person that: (a) is based on characteristics (identifiers or attributes) of the person that establish a person’s uniqueness in the population or particular context(s); and (b) is recognized by the state for regulatory and other official purposes.”
Second, the FATF Guidance refers to the concept of “proof of official identity”, which “generally depends on some form of government-provided or issued registration, documentation or certification… that constitutes evidence of core identifiers or attributes… for establishing and verifying official identity”. The FATF Guidance states that “Digital ID systems use electronic means to assert and prove a person’s official identity in online (digital) and/or in-person environments at various levels of assurance.”
The FATF Guidance focuses on end-to-end Digital ID systems. A Digital ID system need not be entirely digital, but “binding, credentialing, authentication, and portability/federation (where applicable) must be digital.” Specifically, Digital ID system contain the following components:
- Mandatory identity proofing and enrolment (with initial binding/credentialing);
- Mandatory authentication and identity lifecycle management; and
- Optional portability and interoperability mechanisms.
The Digital ID process begins by answering the question “Who are you?” by collecting, validating, and verifying information about a unique individual. The identity service provider then enrolls an applicant and establishes their identity account.
The identity account is then connected to authenticators controlled by the unique individual (binding) and the user is given credentials to access the Digital ID system. A unique individual can then use an authenticator they control (such as a password) which is used to confirm the identity claimant and to answer the question “Are you who you say you are?”
For sophisticated Digital ID systems, this authentication process can be ported to different applications as well, for example, logging into a government database with one’s online banking login.
A number of frameworks and technical standards for Digital ID systems have been or are in the process of being developed, including national or supranational standards (for example, the US National Institute of Standards and Technology (NIST) and eIDAS Regulation in Europe), standards put forward by standards organizations (for example, ISO, FIDO and OpenID standards) and industry-specific standards (for example, ITU standards).
The FATF Guidance sets out recommendations in respect of Digital ID applicable to: (i) government authorities; (ii) regulated entities who must complete CDD (such as banks, credit unions, etc.); and (iii) Digital ID service providers.
Risk Based Approach to Digital ID
The FATF Guidance suggests that government, regulated entities and other relevant parties apply a risk-based approach to using Digital ID systems for customer identification. According to the Guidance, this requires:
- Understanding the assurance levels of the Digital ID system’s technology main components to determine its reliability/independence; and
- Making a broader, risk-based determination of whether, given its assurance levels, the particular Digital ID system provides an appropriate level of reliability and independence in light of the potential AML, CTF, fraud, and other illicit financing risks at stake.
Recommendations for Government Authorities
The FATF Guidance includes a number of recommendations for government authorities, including the following:
- Clear regulation - The FATF Guidance recommends that government authorities develop clear guidelines or regulations that require regulated entities to adopt an appropriate and risk-based approach for their use of reliable, independent Digital ID systems.
- Cross-industry collaboration - The FATF Guidance recommends that government authorities consider developing mechanisms to promote cross-industry collaboration in identifying and addressing vulnerabilities in existing Digital ID systems
- Financial Inclusion – The FATF Guidance recommends that governmental authorities take measures to foster financial inclusion to remove obstacles linked to the verification of a customer’s identity and to ensure that financially excluded people can be captured under the identity proofing requirements. For example, governmental authorities could provide guidance to financial institutions on how to implement Digital ID systems with different assurance levels for identity proofing/enrolment and authentication for tiered CDD. One possible Digital ID implementation that the FATF Guidance suggests is system that uses a tiered CDD, which would allow individuals with lower levels of assurance to on-board, but would restricted their access to a limited set of financial services.
Recommendations for Digital ID Service Providers
The FATF Guidance includes a number of recommendations for Digital ID service providers, including the following:
- Understanding AML/CFT requirements - The FATF Guidance recommends Digital ID service providers understand the AML/CFT requirements for CDD (particularly customer identification/verification and ongoing due diligence) and other related regulations. Organizations should seek assurance testing and certification by governmental or other reputable bodies, and should provide transparent information to AML/CFT regulators and other regulated entities regarding Digital ID systems.
Recommendations for Regulated Entities
The FATF Guidance includes a number of recommendations for regulated entities that are subject to CDD requirements, including the following:
- Record-keeping requirements – The FATF Guidance recommends that regulated entities using Digital ID systems have access to, or have a process for enabling authorities to obtain, the underlying identity information and evidence (or digital information) needed for the identification and verification of individuals. As noted above, as a part of its consultation, the FATF is interested in better understanding what records organizations must keep when using Digital ID systems for CDD, as well as the challenges for meeting record-keeping requirements for both on-boarding and ongoing due diligence or transaction monitoring.
- Diligencing Digital ID Systems – The FATF Guidance suggests that regulated entities conduct careful due diligence when determining whether to use Digital ID to conduct CDD. Key considerations include:
- Is the Digital ID system authorized by government for use in CDD?
- Does the organization know the robustness and assurance levels of the Digital ID system?
- Does the Digital ID system provide a sufficient assurance level for the associated money laundering/terrorist financing risk situation?
The FATF Guidance notes that the ultimate decision on whether to use Digital ID systems will be contextual given the risk profile of the situation. Organizations may want to consider using Digital ID systems with lower assurance levels for simplified due diligence, where AML and CTF risks are low. For example, where permitted, it may be appropriate for organizations to adopt a tiered CDD approach that leverages Digital ID systems with various assurance levels to support financial inclusion.
Various stakeholders at both the domestic and global level continue to grapple with evolving digital identity technologies (see, for example, our prior blog posts on recent Canadian Developments in Digital Identity and US Developments in Digital Identity for more information). Interested parties should review the FATF Guidance and related consultation questions and consider submitting responses to the FATF’s consultation questions.