FATF Releases Guidance on Digital Identity

On 6 March 2020, the Financial Action Task Force (FATF) released its official Guidance on Digital Identity (Digital ID Guidance), replacing the previous draft version circulated for public consultation in 2019.

The FATF release, including the Digital ID Guidance itself, can be found on the FATF’s website.

Who needs to read it?  Why?

By contributing to the understanding of global standards, the Digital ID Guidance will primarily be of interest to the Ministry of Justice and the AML/CFT supervisors in relation to further developments within the AML/CFT regime.

In addition, the Digital ID Guidance will be of interest to any reporting entities that currently use, or are considering using, digital means to carry out or assist with their customer due diligence (CDD) procedures under the Anti-Money Laundering and Countering Financing of Terrorism Act 2009 (AML/CFT Act).  While guidance from the FATF does not have direct legal effect in New Zealand, it may assist with the interpretation of the AML/CFT Act and of guidance issued by the AML/CFT supervisors under that Act.

What does it cover?

The Digital ID Guidance is aimed at clarifying the way in which digital identity (Digital ID) can function in the context of the FATF’s International Standards on Combating Money Laundering and the Financing of Terrorism and Proliferation (FATF Recommendations).  It is intended to be both non-binding and technology-neutral.

The Digital ID Guidance leads with a number of recommendations to government authorities, regulated entities and service providers.

Recommendations for government authorities

  • Develop clear guidelines or regulations allowing the appropriate risk-based use of reliable and independent Digital ID systems.
  • Assess whether existing regulations and guidance on CDD accommodate Digital ID systems, and revise them as appropriate in the jurisdictional context.
  • Adopt principles, performance- and/or outcomes-based criteria when establishing the required attributes, evidence and processes for proving official identity.
  • Adopt policies, regulations and supervision and examination procedures that enable the development of an effective and integrated risk-based approach.
  • Develop an integrated multi-stakeholder approach to understanding opportunities and risks relevant to Digital ID, and develop relevant regulations and guidance to mitigate the risks.
  • Consider adopting mechanisms to enhance dialogue and cooperation with relevant private sector stakeholders to help identify key identity-related opportunities, risks and mitigation measures.
  • Consider supporting the development and implementation of reliable and independent Digital ID systems by auditing and certifying them (or approving expert bodies to do so).
  • Apply appropriate Digital ID assurance frameworks and technical standards when developing and implementing government-provided Digital ID.
  • Encourage a flexible risk-based approach to using Digital ID systems for CDD that supports financial inclusion, such as by providing guidance on how to use systems with different assurance levels.
  • Monitor developments in the Digital ID space with a view to sharing knowledge and best practices and establishing legal frameworks at the domestic and international levels promoting responsible innovation.

Recommendations for regulated entities

  • Understand the basic components of Digital ID systems.
  • Take an informed risk-based approach to relying on Digital ID systems for CDD.
  • Consider whether Digital ID systems with lower assurance levels may be sufficient for simplified CDD in cases of low risk.
  • If, as a matter of internal policy or practice, non-face-to-face business relationships or transactions are always classified as high-risk, consider reviewing and revising those policies to recognise that relying on reliable and independent Digital ID systems, with appropriate risk-management measures in place, may remain at standard, if not lower, risk.
  • Where relevant, utilise anti-fraud and cybersecurity processes to support Digital ID proofing and/or authentication.
  • Ensure access to, or have a process enabling authorities to obtain, the underlying identity information and evidence or digital information needed for the identification and verification of individuals.

Recommendations for service providers

  • Understand the AML/CFT requirements for CDD.
  • Seek assurance testing and certification by the government (or an approved expert body or, if necessary, an internationally-reputable expert body).
  • Provide transparent information to regulated entities about the assurance levels of Digital ID systems for each of the components of Digital ID.

While the Digital ID Guidance goes on to explore in some detail the underlying concepts of Digital ID, the real insights can be found in its discussion of the benefits and risks of using Digital ID systems for CDD purposes and how relevant parties can apply the FATF’s risk-based approach when doing so.

Potential benefits

  • Strengthen CDD by reducing the vulnerability to human error and the influence of subjective judgments, improving efficiency and the customer experience, and enhancing the ability to connect transactions to an established identity and robustly monitor them.
  • Improve financial inclusion by making the ability to establish identity more readily available, such as to the financially excluded that lack access to traditional official identity documents and are unserved or underserved as a result.

Potential risks and challenges

  • Risks to the proofing and enrolment of identity, such as the potential for greater scale that these systems allow for the impersonation of genuine identities or the use of synthetic identities.
  • Vulnerabilities of authentication factors, such as credential stuffing, phishing, credential interception or PIN code capture.
  • Distancing from customers that use of a Digital ID system for CDD may bring, limiting exposure to other information that would be important to ongoing monitoring of those customers.
  • Exposure to connectivity issues around the necessary digital infrastructure.
  • Triggering data protection and privacy laws.
  • Exacerbating financial exclusion, if the use of specific forms of Digital ID is prescribed.

Guidance for a risk-based approach

  • Where a Digital ID system is authorised (either allowed or mandated) by government for use for CDD purposes, it could be so used.
  • Where a Digital ID system is not authorised by government but its robustness and level of assurance is known and sufficient for the risk in question, it could be used for CDD.
  • Where a Digital ID system is not authorised by government, and the robustness and level of assurance is known but not sufficient for the risks in question, it should not be used for CDD.
  • Where a Digital ID system is not authorised by government and the robustness and level of assurance is not known, an assurance assessment should be performed or obtained so that it can be compared with the risks in question.

Our view

With society becoming increasingly digitised, the economic and commercial interactions that trigger CDD obligations are following suit.  If the AML/CFT regime is to remain effective, and avoid causing undue disruption to these interactions, it will need to adapt to this paradigm.

However, as the FATF makes clear, financial innovation must be “responsible”, aligning with and strengthening the implementation of AML/CFT standards and financial inclusion.  While the AML/CFT regime should not rigidly oppose these societal developments, it should also not concede too much to them.  Striking a balance between these pressures will be a contextual and involved exercise.

Given the centrality of the FATF in the global AML/CFT sphere, many jurisdictions and entities would likely have been reluctant to seriously pursue the use of Digital ID systems, and attempt to find this balance, without a clear indication of its views.  The Digital ID Guidance provides just that, as well as practical suggestions as to how to make it work.  Each jurisdiction, including New Zealand, will need to make its own decisions on precisely how to apply the suggestions in its local context, but the foundation provided by the Digital ID Guidance will allow it to do so from a much better position than it would otherwise be in.

What next?

If you have any questions in relation to what the Digital ID Guidance could mean for your business and its obligations, please contact one of our experts.

Who can help