Identity Verification and Authentication Recommendations for Digital Financial Services
The International Telecommunication Union (ITU) recently released a Digital Financial Services (DFS) Focus Group report: Identity and Authentication. The broad goal is “by 2030, provide legal identity for all, including birth registration.” As the report notes, the best way to achieve this goal “is through the creation and use of digital identities.”
In western societies, the ID process is systematic, with a full set of government regulations, standards and institutions. Unfortunately, in many countries this is not the case because original records are not created and there’s no official identification for many people. This makes participation in the economy more difficult, as well as making it difficult for governments to provide services. Even in countries that do have registration processes, there are issues with effective record keeping.
For these reasons, many governments are creating National ID systems, such as Aadhaar in India or NADRA in Pakistan. A significant advantage of creating these systems now is that they can use digital technologies and advances in biometrics to enable new services as well as provide better security.
While registration is necessary, creating digital identities provides a better path forward for citizens to attain financial inclusion. Digital identities give financial services providers a quick and cost-effective way to verify individuals and so satisfy financial regulations and international Know Your Customer (KYC) obligations. The ability to decrease counterfeiting, provide better coverage and lower the costs to deliver financial services will have dramatic effects on the lives of the 2 billion people who are underbanked or unbanked.
Creating an effective digital identity regime is a three-step process:
- Process of identifying an individual or organization, and formally establishing the veracity of that identity
- Validating the assertion of an attribute associated with an identity previously established during identification
- Determining what actions may be performed or services accessed/provided on the basis of the asserted and authenticated identity
The report distinguishes between two types of digital identity, static and dynamic. The static approach follows the traditional technique of issuing a card. While it might be a smartcard with a digital token on it, it is still a physical object, which the holder must carry and which requires a physical reader.
The other model is dynamic identity, or online identity. Information gathered online is used to identify the individual. At first, the information can be self-reported, so the level of trust in that identity is relatively low.
However, the trustworthiness of the profile increases as identity information and sources are added. Consider Facebook Connect. At first, it’s using information that you supply. However, as you add friends and posts to your profile, there’s more social graph information to corroborate your input. If you add a phone number, or other tangible data point, your identity becomes more trusted and credible.
There are significant advantages to this model:
- Reduced onboarding friction (user enters their information)
- Users can build their profile, encouraging use and trust
- Easier for financial inclusion, as users don’t need initial ID
- Improved fraud prevention, as it relies on ongoing monitoring
- Syncs with risk-based approach
While there are advantages, at this point the lack of accepted dynamic identity standards makes compliance with strict AML (Anti-Money Laundering) and KYC laws difficult.
The gold standard of identity is to start with a verified digital identity. At that point, a DFS can use other data points for comparison before creating an account.
After that, authentication on a transactional basis is necessary. While Aadhaar and NADRA require using the National ID for this, it is possible for the DFS to use a created digital identity. Such an approach distributes the load away from central servers and might offer a way to preserve privacy, while still delivering compliance and fraud protection.
Verification and Authentication Recommendations
Here’s a list of recommendations from the report:
- At the time of registration, a DFS operator should create a digital identity for its customers, for use in both DFS transactions and (where relevant) in identity assertion with external service providers.
- Where a customer is unable to provide a foundational document of digital identity, consider the issuance of a dynamic, self-asserted digital identity, which may be ‘stepped up’ over time and as required.
- Regulators should standardize digital identity registration, and ensure interoperability between DFS operators and service providers relying on the digital identity.
- DFS operators should build in customer privacy measures, compliant with national legislation either current or anticipated.
There are many factors to consider: technology, ease of use, security, privacy, fraud protection, AML/KYC compliance, and different national requirements, expectations and conventions. Everything from biometrics to social and cultural impacts requires consideration. The document covers it all; it’s an important step in the UN’s Agenda for Sustainable Development and is a must-read for all of us in the industry.