How to Build a Digital Identity System


GUEST BLOGGERS
Lin Danwan, CFE
Xu Xiaoshan

Since the outbreak of COVID-19, daily life has changed significantly. Many in-person activities have moved online, and transactions are increasingly conducted solely through digital channels. But even before the pandemic, users were well accustomed to identity verification and authorization in digital form. The concept of digital identity is nothing new and has been implemented widely, at every level of maturity.

In March 2020, the Financial Action Task Force, after a period of public consultation, released guidance on digital identity. It clarifies how a digital identity system can be used to comply with Anti-Money Laundering and Countering the Financing of Terrorism (AML/CFT) requirements, and it makes recommendations to government agencies, regulated entities and digital ID service providers. The objective is largely twofold:

  1. Facilitate customer due diligence and transaction monitoring requirements within the AML/CFT framework.

  2. Improve customer experience and support financial inclusion.

Digital Identity System (DIS) logistics and application

A digital identity system (DIS) is an end-to-end program that covers identity proofing and enrollment as well as authentication, so that a person's identity can be asserted and proved. It involves several distinct components: technologies, processes and architectures, and the parties that operate them.

Here’s a three-step overview of how the DIS process works:

  1. A DIS collects identity-proofing evidence from a user who is seeking services from the organization that owns and operates the DIS. We'll call each of these users the "service applicant." Identity-proofing evidence can include physical documents such as ID cards, passports and driver's licenses, as well as biometric attributes such as fingerprints and facial features.

  2. After the evidence has been validated (is it genuine?) and verified (does it belong to this applicant?), the DIS generates a unique identity account and binds it to the identity of the service applicant, turning them from a service applicant into a subscriber.

  3. The subscriber receives an authenticator bound to that account, for example a cryptographic module or app that generates one-time codes, together with any credentials the DIS issues. Possession and control of this authenticator is what every later authentication checks.

(Note: If the DIS governance design allows, the Credential Service Provider, Identity Service Provider and Relying Party can be one entity, provided the local jurisdiction accepts this arrangement.)

If the DIS is configured and implemented well, subscribers can present themselves to other services as an identity-backed person. For instance, where a DIS subscriber wishes to open a bank account remotely, the bank can verify their identity by prompting them to authenticate with the DIS authenticator on their mobile phone, and relying on the assertion the DIS returns.

In other words, a DIS will act as an official identity verifier and provide authentication functions to other entities in need of identification assurance.
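The three steps above, plus the remote account opening, are easier to see in working code. The following is an added illustration written for this post; it is not code from FATF, from any national DIS, or from any identity service provider. The "proofed registry", the applicants, the subscriber identifiers and the bank's flow are all constructed for the example. The one-time code follows RFC 4226 (HOTP) so that the authenticator logic can be checked against the RFC's published test vectors, and the enrollment step rejects any evidence that does not match the proofed record exactly, which is the check the synthetic-identity risk discussed later calls for.

```python
"""Toy digital identity system (DIS): identity proofing, enrollment, and
one-time-code authentication of a subscriber by a relying party.

Added example for this post, not code from FATF or any real IDSP. The
registry, applicants and relying-party flow are constructed sample data.
"""
import hashlib
import hmac
import secrets
import struct

# Constructed stand-in for a government/regulator-proofed database. A real
# DIS would query an authoritative source; here it is a dict keyed by ID
# number. The names and numbers are invented.
PROOFED_REGISTRY = {
    "A123456(7)": {"name": "CHAN Tai Man", "dob": "1985-03-14"},
    "B987654(3)": {"name": "WONG Siu Ming", "dob": "1990-11-02"},
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HMAC-based one-time password (HMAC-SHA-1, 8-byte counter)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


class DigitalIdentitySystem:
    """Plays both Credential Service Provider and Identity Service Provider;
    the post notes these may be a single entity."""

    def __init__(self, registry):
        self.registry = registry
        self.subscribers = {}  # subscriber_id -> {"secret", "counter", "id_number"}

    def enroll(self, evidence: dict):
        """Steps 1 and 2: validate the identity-proofing evidence against the
        proofed registry, then bind a fresh subscriber account to it. Every
        attribute must match exactly; a partially matching ("synthetic")
        identity is rejected. Returns (subscriber_id, secret) or None."""
        record = self.registry.get(evidence.get("id_number"))
        if record is None:
            return None
        if any(record[k] != evidence.get(k) for k in record):
            return None
        subscriber_id = "sub-" + secrets.token_hex(8)
        secret = secrets.token_bytes(20)
        self.subscribers[subscriber_id] = {
            "secret": secret, "counter": 0, "id_number": evidence["id_number"],
        }
        # Step 3: the secret is the authenticator handed to the subscriber;
        # the DIS keeps its own copy plus the next expected counter value.
        return subscriber_id, secret

    def authenticate(self, subscriber_id: str, code: str, window: int = 3) -> bool:
        """Answers "Is that you?": does the presenter hold the authenticator
        bound to this account? Accepts the next `window` counter values so a
        generated-but-unsent code does not lock the user out, and never
        re-accepts a code that has already been consumed."""
        sub = self.subscribers.get(subscriber_id)
        if sub is None:
            return False
        for i in range(sub["counter"], sub["counter"] + window):
            expected = hotp(sub["secret"], i).encode()
            if hmac.compare_digest(expected, str(code).encode()):
                sub["counter"] = i + 1  # move past the consumed code
                return True
        return False


class Authenticator:
    """What the subscriber holds: the shared secret and a moving counter."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.counter = 0

    def next_code(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


def open_bank_account(dis: DigitalIdentitySystem, subscriber_id: str, code: str) -> str:
    """Relying party (the bank): accepts the remote application only if the
    DIS confirms the subscriber's authenticator."""
    return "opened" if dis.authenticate(subscriber_id, code) else "rejected"


def demo() -> dict:
    dis = DigitalIdentitySystem(PROOFED_REGISTRY)
    # Genuine applicant: every attribute matches the proofed record.
    enrolled = dis.enroll({"id_number": "A123456(7)", "name": "CHAN Tai Man", "dob": "1985-03-14"})
    # Synthetic identity: real ID number and name, fabricated date of birth.
    synthetic = dis.enroll({"id_number": "A123456(7)", "name": "CHAN Tai Man", "dob": "1979-01-01"})
    subscriber_id, secret = enrolled
    auth = Authenticator(secret)
    code = auth.next_code()
    first = open_bank_account(dis, subscriber_id, code)
    replay = open_bank_account(dis, subscriber_id, code)  # same code presented again
    return {"synthetic_rejected": synthetic is None, "first": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

Note what the authentication step does and does not establish: `authenticate` only proves that whoever submitted the code holds the secret bound to `subscriber_id`. If the subscriber hands the authenticator to someone else, every call still returns `True`, which is exactly the gap between "Is that you?" and "Who are you?" discussed below.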

Risks and opportunities

As with any type of tool or function, there are risks in using a DIS. Here are some points to consider:

  • Data security and privacy: Weak passwords and social engineering are commonly found at the root of data breaches. With multiple parties involved in the digital identity ecosystem, and much of the communication between them crossing the open internet, DISs are exposed to cyberattacks and data leakage.

  • Fraud and impersonation: Building on the data leakage issue above, fraudsters can fabricate a "synthetic identity" by combining real and fake pieces of personal identity. Hence, every identity enrolled into a DIS should be strictly examined and must match exactly against government- or regulator-proofed databases; a partial match should be treated as a rejection, not a near miss.

  • Centralized vs. decentralized DISs: Some organizations are already choosing the trust technology that underpins their DIS, and this is where public key infrastructure (PKI) and blockchain are usually debated. PKI is the mature, centralized model: trust is anchored in certificate authorities that issue and revoke credentials, which keeps governance clear but concentrates risk in those authorities. Blockchain-based, distributed-ledger approaches are heatedly discussed and increasingly used by Identity Service Providers (IDSPs) because they remove that single trust anchor; whether such decentralization can be fitted into a governance structure that satisfies regulators remains an open and uneasy question.

  • "Is that you?" vs. "Who are you?": Authentication in a DIS is the step after a user has claimed an identity (for example, by typing a username): the point at which they are prompted to scan a fingerprint or key in a password. It answers the question "Is that you?", that is, does the person presenting hold the authenticator bound to this account? It does not establish who is holding it. It is not uncommon for people to establish accounts under their real identity and then sell or hand the account, authenticator included, to an organized crime group, after which every authentication still succeeds. Can a DIS be developed to answer the harder question, "Who are you?"

Although uncertainty and risk remain around DISs, digital identities are already being trialed and deployed. Countries such as South Africa and Singapore have developed and continue to evolve their national DISs. Also encouraging is that specialized institutions are joining forces: the International Organization for Standardization (ISO), the World Wide Web Consortium (W3C) and the Fast Identity Online (FIDO) Alliance are all involved in developing international digital ID assurance frameworks and technical standards.

All in all, identifying and anchoring a subject in the digital world has never been easier, even as the technology becomes more global and more complex at the same time. Combining theoretical analysis with empirical knowledge helps clarify what a reliable DIS looks like in practice.

Lin Danwan, CFE, has experience in AML and fraud risk management. She currently works with the financial crime compliance department of a global bank. Her recent interests are on RegTech application and comparative study on AML governance of emerging countries. Based currently in Hong Kong, she is fluent in English, Mandarin, Cantonese and French.

Xu Xiaoshan currently works at a thriving virtual bank in Hong Kong with responsibilities covering real-time fraud detection, customer due diligence and anti-money laundering system design. She conducted research on FinTech/RegTech in the innovation lab of a global bank for four years. She also holds the FRM and AAMLP certifications.