FATF guidelines create expectations for digital ID service providers

Terry Brenner

In this blog series, we have been looking at the regulatory digital identification projects under way around the world. One of the most notable is the EU Digital Identity Wallet.

We have seen a shift to using digital ID technologies to embrace and meet AML regulations, which are mostly technology-agnostic and risk-based. Global or intergovernmental bodies, such as the Financial Action Task Force (FATF), set standards to help countries develop and update these laws in their locale.

This blog is part two of a four-part series looking at the FATF Digital Identity guidelines (released in 2020) and how they will impact different entities going forward.

Introducing the FATF guidelines

The FATF guidelines were introduced with the intention “to assist governments, regulated entities and other relevant stakeholders in determining how digital ID systems can be used to conduct certain elements of customer due diligence (CDD)”. They are a baseline for governments, regulated entities, and ID service providers to line up at the same starting point.

The FATF digital identity guidelines for government entities

The FATF recommends that government entities understand the digital ID systems that are available in the jurisdiction and how they fit into existing requirements/guidance on customer identification and verification.

Government entities should assess whether existing regulations and guidance on CDD across all relevant authorities accommodate digital ID systems, and revise them as appropriate. The example given is that non-face-to-face onboarding may be standard risk, or low risk, depending on whether digital ID systems with appropriate assurance levels are used in the jurisdiction for remote customer identification/verification and authentication.

Government entities should also:

  • Adopt principles, performance, and/or outcomes-based criteria when establishing the required attributes, evidence and processes.
  • Adopt policies, regulations, and supervision and examination procedures that enable regulated entities to develop an effective, integrated “risk-based” approach. Take into account data flows, technology architecture and processes across all relevant digital ID, AML/CFT, anti-fraud and general risk management activities.
  • Develop an integrated multi-stakeholder approach to understanding opportunities and risks. Develop relevant regulations and guidance to mitigate the risks.
  • Enhance dialogue and cooperation with relevant private sector stakeholders, including regulated entities and digital ID service providers, to help identify key identity-related opportunities, risks and mitigation measures. For example, a regulatory ‘sandbox’ approach to provide a supervised environment to test how digital ID systems interact with national AML/CFT laws and regulations.

Auditing your digital ID systems

It will be necessary to audit and certify digital ID systems against transparent digital ID assurance frameworks and technical standards, or to approve expert bodies to perform these functions.

This means:

  • Apply appropriate digital ID assurance frameworks and technical standards when developing and implementing government-provided digital ID.
  • Achieve transparency on how the jurisdiction’s digital ID system works and its assurance levels.
  • Encourage a flexible, risk-based approach to using digital ID systems for CDD that supports financial inclusion.

The guidelines will also impact regulated entities and digital identity service providers.

What the regulation means for service providers

OCR Labs is the only private company that has achieved Identity Proofing Level 3 conformance with the Australian Trusted Digital Identity Framework (TDIF), which is commonly regarded as the pioneering digital framework globally and a model for subsequent frameworks that have followed. These include the UK Digital Identity & Attributes Trust Framework, for which OCR Labs has achieved certification against 7 Medium and 4 Strong identity proofing profiles.

We are in conversation with multiple government authorities to advise on our experience with TDIF and other digital frameworks, and are also participating in sandbox initiatives to help governments understand our approach to raising the tech bar as a counter to money laundering (ML), terrorist financing (TF) and fraud efforts.

OCR Labs works with selected NIST-accredited laboratories to test our conformance with global framework and ISO standards. We encourage using best-in-class laboratories and certifications to mitigate “lab shopping”, where ID providers may opt for standards that pursue only a lower bar.

Download the AML Whitepaper.
