Summary: FATF Digital Identity Guidance - Relevant Aspects

By: Ilian Vasco

The increasing volume of digital transactions, the ubiquity of the internet and the possibility of mass application of digital solutions prompted the FATF to provide guidance to better understand how individuals are being identified and verified in the digital financial services industry.

This article briefly presents the FATF's considerations regarding digital identification processes in its guidance issued in March 2020 and aimed at both the private and public sectors. The reader is assumed to be familiar with the FATF's 40 Recommendations, especially Recommendation 10 (customer due diligence).


Defining the concept of Identity

For FATF purposes, identity refers to official identity: a set of attributes that make a person unique within a specific population group or context and that a state recognises for regulatory and legal purposes.

The form of proof of official identity varies between jurisdictions but generally relies on a record, certificate or document issued by a government body, such as the Cédula de Ciudadanía (Colombia) or the Documento Nacional de Identidad (Argentina, Peru), which is then widely accepted by other agencies.


Digital Identification Systems

Processing identity, first for due diligence and then for every subsequent electronic transaction, requires a Digital Identification System (DIS): a system that uses digital means to assert and prove the official identity of a person operating in an online environment, at a defined level of assurance.


A DIS has two essential components and an optional third:


Component 1: Identity proofing and enrolment (with initial binding and credentialing).

Identity proofing answers the question "who are you?" and refers to the process by which a DIS provider collects, validates and verifies information about an individual in order to establish that he or she is a unique person within a specific population group or context. The following graphic illustrates the activities within this component, from the individual's initial status as an applicant to becoming an active subscriber of the DIS:

Component 2: Authentication and identity lifecycle management.

It answers the question: are you the individual whose identity was previously verified? In other words, it establishes whether the person now asserting an identity is the same person who enrolled and was issued credentials and authenticators.

Authenticators are the factors used to confirm an identity. They are well known in the fraud-prevention industry and fall into three categories:

  1. Possession: something the person has, such as a hardware token or a cryptographic key.
  2. Knowledge: something the person knows, such as a password or security questions.
  3. Inherence: something the person is, i.e. biometrics.

In practice this is summarised as "something the customer has, knows and is".
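As an added illustration of Components 1 and 2 (this is example code written for this article, not FATF material or any DIS vendor's implementation): enrolment binds an already-proofed identity to two authenticators, a knowledge factor (a password, stored as a salted PBKDF2 hash) and a possession factor (an RFC 6238 TOTP seed that would be provisioned to the subscriber's device). Authentication later checks that the claimant holds both, and lifecycle management means a revoked credential stops authenticating. The subject identifier, the PBKDF2 work factor and the seed used in the usage line are constructed for the example.

```python
import hashlib
import hmac
import os
import secrets
import struct
import time
from typing import Optional

# Assumption: PBKDF2-HMAC-SHA256 work factor, kept modest so the example runs quickly;
# raise it in production.
PBKDF2_ITERATIONS = 100_000
TOTP_STEP = 30      # seconds per time step (RFC 6238 default)
TOTP_DIGITS = 6


def _hash_password(password: str, salt: bytes) -> bytes:
    """Knowledge factor: store a salted PBKDF2 hash, never the password itself."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def totp(seed: bytes, timestamp: int, step: int = TOTP_STEP, digits: int = TOTP_DIGITS) -> str:
    """Possession factor: RFC 6238 TOTP, i.e. RFC 4226 HOTP over HMAC-SHA1
    with the counter derived from the current time step."""
    counter = timestamp // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation (RFC 4226 s5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def enrol(subject_id: str, password: str, totp_seed: Optional[bytes] = None) -> dict:
    """Component 1, binding/credentialing step: identity proofing has already
    established subject_id as a unique person; now bind two authenticators to it."""
    salt = os.urandom(16)
    seed = totp_seed if totp_seed is not None else secrets.token_bytes(20)
    return {
        "subject_id": subject_id,
        "salt": salt,
        "pw_hash": _hash_password(password, salt),
        "totp_seed": seed,          # would be provisioned to the subscriber's device
        "status": "active",
    }


def revoke(record: dict) -> None:
    """Component 2, lifecycle management: a revoked credential must stop authenticating."""
    record["status"] = "revoked"


def authenticate(record: dict, password: str, code: str, now: Optional[int] = None) -> bool:
    """Component 2: is the claimant the same person that enrolled?
    Requires something known (password) AND something held (the TOTP device)."""
    if record["status"] != "active":
        return False
    if not (code.isascii() and code.isdigit()):
        return False
    if now is None:
        now = int(time.time())
    pw_ok = hmac.compare_digest(_hash_password(password, record["salt"]), record["pw_hash"])
    # Accept one time step of clock drift either side, comparing in constant time.
    code_ok = any(
        hmac.compare_digest(totp(record["totp_seed"], now + drift), code)
        for drift in (-TOTP_STEP, 0, TOTP_STEP)
    )
    return pw_ok and code_ok


if __name__ == "__main__":
    # Constructed usage: enrol a proofed subject, then authenticate with both factors.
    record = enrol("subject-0001", "correct horse battery staple")
    current_code = totp(record["totp_seed"], int(time.time()))
    print(authenticate(record, "correct horse battery staple", current_code))
```

The `totp` function reproduces the RFC 6238 SHA-1 test vectors (seed `12345678901234567890`, time 59 gives `287082`), which is a useful check before trusting any home-grown implementation. Note that both factors are evaluated on every attempt, so a failure does not reveal which factor was wrong.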


Component 3: Interoperability and portability mechanisms.

Portable identity means that an individual's digital ID credential can be used to prove official identity to new relying parties, private or governmental, in order to access new services, without each of them having to subject the customer to a fresh identification and verification process.

The FATF notes that part of the first component (identity proofing and enrolment) can be digital or physical. The remaining steps, namely binding, credentialing, authentication and portability, are always and necessarily digital in a DIS.


FATF Standards and Due Diligence Processes

Recommendation 10 requires jurisdictions to oblige regulated entities to conduct due diligence using documents, data or information from reliable and independent sources. How does this translate to a digital identification environment, and what do the "reliable and independent" criteria mean there?

In the context of digital identification, "reliable and independent" means two things. First, the DIS used to conduct customer due diligence must rest on adequately governed technology, processes and procedures, so that it delivers accurate results at an appropriate level of assurance. Second, the DIS must have mitigating measures in place against the types of risk discussed below.

The risk-based approach, applied for years, continues to govern due diligence that relies on digital identification; here the FATF proposes nothing new.

One change concerns the Interpretive Note to Recommendation 10, which listed non-face-to-face business relationships and transactions (including customer onboarding) as an example of circumstances that could present a higher ML/TF risk.

The FATF now clarifies that identification and transactions relying on reliable and independent DIS, with appropriate risk-mitigation measures, may present a standard or even lower level of risk. This is a clear shift of position on the use of digital technologies.

Regarding reliance on third parties, the FATF keeps what Recommendation 17 provides: the conditions a third party must meet for a regulated entity to rely on its due diligence, carried over almost unchanged to the digital identification context. The FATF is explicit that Recommendation 17 governs third-party reliance only; outsourcing and agency relationships fall outside its scope.


How to identify a reliable and independent DIS under a risk-based approach to due diligence?

Regulated entities (banks, financial institutions, virtual asset service providers, exchanges and others) that are considering adopting a Digital Identification System for onboarding new customers and for ongoing due diligence on existing customers should consider the following.

Benefits and disadvantages of digital identification

The benefits of the widespread use of digital identity have a broader scope than just the financial industry; they can be applicable to health services, governmental procedures, among others. Specifically in relation to the FATF standards:

  • Facilitating the identification and verification of customers in the on-boarding process (reduction of human error e.g. when comparing two photographs and reduction of value judgements that can lead to discrimination).
  • Supporting ongoing due diligence and transaction scrutiny throughout the bank-customer relationship, while improving the customer experience and retention.
  • Supporting other customer due diligence measures.
  • Assisting in the detection and reporting of suspicious transactions: the regulated entity can establish whether the person accessing an account and transacting today is the same person who accessed it previously. More importantly, it gives the regulated entity additional context, such as geolocation, IP address and device used, that supports more robust suspicious transaction reporting.


Risks of Digital Identification

The FATF is careful to note that the risks it considers are limited to DIS used in the framework of due diligence, and that it does not seek to establish whether these risks are greater or smaller than the benefits.

The discussion focuses on two DIS components: identity proofing and authentication. The following chart synthesises the FATF's assessment and also incorporates the author's own judgements.

More generally, the threats facing digitalisation worldwide are considered: the guidance covers connectivity obstacles, regulatory friction between countries, data protection and privacy challenges, and the possible exclusion of certain population groups from digital technology. Notably, the FATF leaves room for what it calls "unknown risks", anticipating that DIS will keep evolving and that new actors will exploit vulnerabilities that do not yet exist.