
5.1. Understanding the System’s Assurance Levels

Effective from 31/10/2022

Where UAE law, regulation, or supervisory guidance has not mandated or prohibited the use of a specific digital ID system for CDD, LFIs should first determine, for any digital ID system they are considering adopting, the system's assurance levels.[12] In determining the reliability and independence of a given system, LFIs may either:

- Perform the assurance assessment themselves; or
- Obtain audit or certification information on assurance levels from an expert body.

Where an LFI performs the assurance assessment itself, it should conduct appropriate due diligence on the digital ID system provider, including the governance systems in place, and exercise additional caution. An LFI should only use information from an expert body, including another member of the same financial group or an independent third party, if it has a reasonable basis for concluding that the entity accurately applies appropriate, publicly disclosed assurance frameworks and standards.

Digital ID assurance frameworks and technical standards are a set of open source, consensus-driven assurance guidelines and best practices for digital ID systems that have been developed in several jurisdictions and by international organizations and industry bodies, and provide a useful tool for informing an LFI's or expert body's assurance assessment.[13] LFIs are encouraged to consider the reliability of each of the system's main digital ID components separately, as the same degree of reliability may not be required for each component of the digital ID system (identity proofing/enrollment, authentication, or, if applicable, federation), depending on the relevant risk factors and mitigating measures in place.

Digital ID technology and architecture, and digital ID assurance frameworks and standards, are dynamic and evolving. The standards themselves are flexible and outcome-based in order to facilitate innovation. They permit different technologies and architectures to satisfy the requirements for different assurance levels and are framed in ways intended to help make them as future-proof as possible (e.g., by providing a floor, rather than a ceiling, for reliability).

Digital ID assurance frameworks and standards usually set out various, progressively more reliable assurance levels, with increasingly rigorous technical requirements, for each of the three main steps in a digital ID system. The technical standards provide ID reliability factors, in the form of assurance levels for the basic constituent processes of a digital ID system. Each assurance level reflects a specified level of certitude or confidence in the process at issue; a process with a higher assurance level is more reliable, while a process with a lower assurance level presents a greater risk of failure and is less reliable. This Guidance does not require or recommend any particular assurance level; rather, LFIs are expected to perform an assurance assessment and to determine which assurance levels are appropriate for which processes, given their ML, TF, fraud, and other illicit financing risks.

For illustrative purposes only, the following table summarizes and adapts some of the technical requirements from the NIST Digital ID Guidelines[14] for the identity proofing and enrollment stage of a digital ID system, which LFIs might leverage in assessing the degree to which a digital ID system is reliable and independent.

| Reliability Factor | No Assurance | High Assurance | Very High Assurance |
|---|---|---|---|
| Presence | No requirements | In-person or remote proofing is permitted | Either in-person or supervised[15] remote proofing is required |
| Resolution | No requirements | Collection of as many identity attributes as necessary to achieve resolution into a single unique identity (i.e., to achieve de-duplication) is required; knowledge-based verification may be used for added confidence | Same as "High" |
| Evidence | No identity evidence is collected | Evidence of identity attributes is collected based on the quality of the evidence (classified as weak, fair, strong, or superior) and the number of documents or quantity of digital information relied upon | Same as "High," albeit with higher thresholds for evidence quality and quantity; use of biometrics is mandatory (noted below) |
| Validation | No validation | Each piece of evidence is validated as genuine and accurate against independent and reliable sources | Same as "High" |
| Verification | No verification | The identity evidence is verified, confirming that the validated identity relates to the individual applicant[16] | Identity evidence is verified by an authorized and trained credential service provider ("CSP") representative |
| Address Confirmation | No requirements for address confirmation | Required | Required |
| Biometric Collection | None | Optional | Mandatory |
| Security Controls | Not applicable | Moderate Baseline (per NIST Digital ID Guidelines)[17] or equivalent jurisdictional or industry standard | High Baseline (per NIST Digital ID Guidelines)[18] or equivalent jurisdictional or industry standard |


Likewise, the NIST Digital ID Guidelines set forth technical requirements for authentication protocols and processes (including credential and authenticator issuance and binding) and authenticator lifecycle management (including revocation in the event of loss or theft, and expiration/re-proofing and re-binding). For illustrative purposes only, the following table describes at a high level of generality some of the NIST requirements for authentication at various authentication assurance levels.[19]

Assurance Level / General Requirements

Some Assurance:
- This assurance level can be achieved through a wide range of authentication technologies and authenticator types, and information security controls at a low baseline.
- Biometrics alone may be used as a single-factor authenticator at this level.

High Assurance:
- MFA is required (i.e., either a multi-factor authenticator or two single-factor authenticators), using secure authentication protocols that incorporate specified approved cryptographic techniques, and information security controls at a moderate baseline.
- More stringent requirements are imposed on authenticator types at this level.[20]
- Biometrics may be used as one authentication factor (something you are), with the device authenticated as a second factor (something you have), but cannot serve as the only authenticator type.

Very High Assurance:
- Requires MFA that uses both a hardware-based authenticator and an authenticator that provides verifier impersonation resistance, based on proof of possession of a key through an approved cryptographic protocol.[21]
- Claimants prove possession and control of two distinct authentication factors through secure authentication protocols, using approved cryptographic techniques.
- The authenticators are verifier impersonation resistant, replay resistant, and resist relevant side-channel attacks.
- When a biometric factor is used, the identity service provider (verifier) makes its own determination that the biometric sensor and subsequent processing meet specified performance requirements.
- The CSP employs appropriately tailored security controls at a high baseline.
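To make the Very High Assurance requirements concrete, the following is an added example (not part of this Guidance or of the NIST text) of the proof-of-possession exchange that footnote 21 describes, written in Go with the standard library's Ed25519: the verifier issues a random nonce, the claimant's authenticator signs that nonce together with the identity of the verifier it believes it is talking to, and the verifier accepts only a fresh nonce signed over its own identity. Binding the verifier identity into the signed message as the impersonation-resistance mechanism, Ed25519 as the approved cryptographic technique, and all names used are assumptions made for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Verifier is the IDSP side: the claimant's registered public key (the credential),
// the verifier's own identity, and the nonces it has issued but not yet seen answered.
type Verifier struct {
	ID      string
	PubKey  ed25519.PublicKey
	pending map[string]bool
}
func NewVerifier(id string, pub ed25519.PublicKey) *Verifier {
	return &Verifier{ID: id, PubKey: pub, pending: map[string]bool{}}
}
// Challenge issues a fresh 32-byte random nonce and records it as outstanding.
func (v *Verifier) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	v.pending[string(nonce)] = true
	return nonce, nil
}
// signedMessage: the verifier identity the claimant believes it is talking to, then the nonce.
func signedMessage(verifierID string, nonce []byte) []byte {
	return append([]byte(verifierID), nonce...) // nonce is fixed length, so this is unambiguous
}
// Respond is the claimant side: the private key never leaves the authenticator, only a signature does.
func Respond(priv ed25519.PrivateKey, seenVerifierID string, nonce []byte) []byte {
	return ed25519.Sign(priv, signedMessage(seenVerifierID, nonce))
}

// Verify accepts only a nonce issued here and not yet used (replay resistance) with a
// signature valid for the registered key over THIS verifier's identity (proof of
// possession); a signature made for an impostor's identity fails even over a relayed genuine nonce.
func (v *Verifier) Verify(nonce, sig []byte) error {
	if !v.pending[string(nonce)] {
		return errors.New("unknown or already used nonce")
	}
	delete(v.pending, string(nonce))
	if !ed25519.Verify(v.PubKey, signedMessage(v.ID, nonce), sig) {
		return errors.New("signature does not prove possession of the registered key")
	}
	return nil
}
```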



[12] Where the government of the UAE has mandated a specific digital ID system for CDD, as in the case of verifying the Emirates ID card via the online validation gateway of the Federal Authority for Identity and Citizenship, LFIs may rely on the government's assessment of such system's assurance levels.
[13] See, for example, FATF, Guidance on Digital Identity, Appendix D (Digital ID Assurance Framework and Technical Standard-Setting Bodies) and Appendix E (Overview of U.S. and EU Digital Assurance Frameworks and Technical Standards), available at: https://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-on-Digital-Identity.pdf.
[14] The NIST 800-63 Digital Identity Guidelines consist of a suite of documents: NIST SP 800-63-3, Digital Identity Guidelines (Overview); NIST SP 800-63A, Digital Identity Guidelines: Enrollment and Identity Proofing; NIST SP 800-63B, Digital Identity Guidelines: Authentication and Life Cycle Management; and NIST SP 800-63C, Digital Identity Guidelines: Federation and Assertions. For additional context, see Appendix E of the FATF Guidance on Digital Identity.
[15] Supervised remote proofing involves a remote interaction with the applicant that is supervised by an operator in accordance with specified requirements so as to achieve comparable levels of confidence and security to in-person identity proofing. NIST comparability requirements are provided in Box 19 of Appendix E of the FATF Guidance on Digital Identity, at 96.
[16] As noted above, an LFI need not verify the accuracy of every element of identifying information obtained at the collection and resolution stage but should do so for enough information to form a reasonable belief that it knows the true identity of the customer.
[17] See FATF, Guidance on Digital Identity, pp. 97-98.
[18] See FATF, Guidance on Digital Identity, pp. 97-98.
[19] Appendix E of the FATF Guidance on Digital Identity also presents a summary of authentication assurance levels under EU Regulation No. 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market.
[20] Under NIST standards, a "High" assurance level permits the use of any of the following multi-factor authenticators: multi-factor OTP device; multi-factor cryptographic software; or multi-factor cryptographic device. When a combination of two single-factor authenticators is used, one authenticator must be a memorized secret authenticator and the other must be possession-based (i.e., "something you have") and use any of the following: look-up secret; out-of-band device; single-factor OTP device; single-factor cryptographic software; or single-factor cryptographic device.
[21] The claimant uses a private key stored on the authenticator to prove possession and control of the authenticator. An IDSP (verifier), knowing the claimant's public key through some credential (typically, a public key certificate), uses an approved cryptographic authentication protocol to verify that the claimant has possession and control of the associated private key authenticator, and asserts the person's verified identity to the RP.