New FATF Guidelines Overview

November 2019
The FATF recently released their draft guidelines for digital identity for public consultation, and the main highlight for many was the positivity with which the FATF seems to view digital identity providers.

On the whole, the report hugely supported the development and use of digital identity verification, in some places even going as far as to say it would be preferable or an improvement to alternatives. Whilst the benefits of digital identity are numerous and have been touted by many (including Blockpass), it is encouraging to see a body such as the FATF endorse the same sentiments. Interestingly, Distributed Ledger Technology was one of the new technologies specifically called out as being a potential scalable solution for digital identity verification.

The report highlighted the growing use of digital transactions and the resultant necessity for digital identity, showed how digital identity solutions support FATF standards and requirements, and looked at precisely how digital identity systems work. The main points of interest, however, concerned the primary requirements for customer identification and ongoing due diligence, as well as guidance for governments, regulated entities and others on integrating digital identity for customer verification and ongoing due diligence.

Section III of the report covered FATF standards on customer due diligence. The main aspect of the regulations noted here was that regulated entities need to identify customers and perform due diligence “using reliable, independent source documents, data or information”. The report specifically pointed out that the regulations do not mandate whether the identity evidence used for this purpose (and the identity verification solution used) is physical or digital - both options are equally viable avenues. The report went on to specify its terms for providing reliable and independent documentation.

For digital identity systems, the guidelines pointed out risks and drawbacks that are present for online systems but not for more traditional alternatives, such as cyberattacks and connectivity issues. They also noted some of the manifold benefits, with examples of where digital identity systems had been used to reduce fraud, increase efficiency, and serve other use-cases. But before a digital identity system could be described as ‘reliable and independent’, the FATF noted that there had to be mitigations to the unique vulnerabilities, with enhanced measures to be taken in high-risk situations (and simpler measures in low-risk situations).

One situation that is highlighted as traditionally having higher-risk factors is ‘non-face-to-face business relationships or transactions’; however, the guidelines note that, using appropriate security levels, digital identity verification could provide standard or even lower-risk non-face-to-face interactions.

Another potential strength of utilising a digital identity system was noted in relation to the requirement to conduct ongoing customer due diligence: using technology with digital identity verification could make the whole process more efficient. In addition, the potential of having variable levels of authentication (single factor, two factor or multi-factor) could tailor the system to the use case.

In order to support ongoing AML, it was stated that regulated entities could have an additional role to play. When using the credentials of an identity system for verification purposes, the regulated entity has the opportunity to issue their own authentication, which can be used to strengthen and support ongoing AML (provided the appropriate documentation is available on demand). 

Many points in these draft guidelines include determining risk and ensuring that existing recommendations, which detail customer due diligence and other regulatory requirements, are applied regardless of the compliance methods used. To this end, the guidelines also covered how to determine whether digital identity systems were suitable and complied with the regulations. The highest level for this was having a solution authorised by a government, but the document went into further detail to cover solutions that didn’t have government approval but could still be valid options. There were a number of considerations for companies looking to employ such solutions, including ‘Do you know the relevant assurance level/s of the digital identity system?’ and ‘Is the digital ID system appropriate for the ML/TF risk situation?’.

The information in these guidelines looks very promising for Blockpass as we provide the benefits described whilst mitigating the risks that are highlighted. Many of the options, such as allowing regulated entities to issue their own certification and having multi-factor authentication, are already built into the Blockpass Mobile App, and ongoing AML is a recent milestone we have achieved.

In all, the document had recommendations for authorities making regulatory decisions, companies looking to employ digital identity solutions, and companies providing digital identity solutions. It covered benefits and potential drawbacks and threats, and it went into detail on the terminology used. Despite this, these are not yet rules, only guidelines; feedback has been requested by the end of November (29th November 2019 at 18:00 UTC), so if you want to have the chance to influence future recommendations, make sure to read the document and give your feedback by then! Blockpass certainly will be as we do our part to ensure the highest of identity verification standards are met.