RegSol Blog

FATF Guidance on Digital Identity

May 2020

According to this new document published by the FATF in March 2020, digital payments are growing at an estimated 12.7% annually and are forecast to reach 726 billion transactions annually by 2020. By 2022, an estimated 60% of world GDP will be digitalised. 

The growth in digital financial transactions requires a better understanding of how individuals are being identified and verified in the world of digital financial services and how to risk assess their use. Digital identity (ID) technologies are evolving rapidly, giving rise to a variety of digital ID systems to allow for identity proofing and enrolment per the diagram below. 

Recommendation 10 permits financial institutions to use “documents” as well as “information or data” when conducting customer identification and verification. Recommendation 10 does not impose any restrictions on the form (documentary/physical or digital) that identity evidence – “source documents, information or data” – can take.

However, it is essential that regulated entities apply a risk-based approach to using digital ID for customer due diligence (CDD) in order to:

  1. understand the assurance levels of the digital ID system, and
  2. assess whether, given the assurance levels, the ID system is appropriately reliable and independent in light of the ML/TF risks.

Potential Risks

Large-scale digital ID systems that do not meet appropriate assurance levels pose cybersecurity risks, including allowing cyberattacks aimed at disabling broad swaths of the financial sector, or at disabling the digital ID systems themselves. They also pose major privacy, fraud or other related financial crime risks, because cybersecurity flaws can result in massive identity theft, compromising individuals’ personal data.

Risks related to governance, data security and privacy also have an impact on AML/CFT measures. These risks vary in relation to the components of the digital ID system but can be more devastating than breaches associated with traditional ID systems due to the potential scale of the attacks. 

Advances in technology and well-designed identity proofing and authentication processes can help mitigate these risks.

By Judy de Castro - Regulatory Consultant