5. Assessing the Reliability and Independence of Digital ID Systems for CDD
Unless otherwise specified,10 the UAE permits LFIs to adopt digital ID systems of their choosing, provided that they “rely upon technology, adequate governance, processes, and procedures that provide appropriate levels of confidence that the system produces accurate results.”11 This means that there is an appropriate level of confidence (or “assurance,” in the FATF’s terminology) that the digital ID system works as it is supposed to and produces accurate results. The digital ID system should also be adequately protected against internal or external manipulation or falsification designed to fabricate and credential false identities or authenticate unauthorized users, including by cyberattack or insider malfeasance.
To this end, LFIs should conduct:
• An assurance level assessment, through which the LFI can understand the assurance levels that the digital ID system provides based on its technology, architecture, and governance and determine its reliability and independence; and
• An appropriateness assessment, through which the LFI can make a risk-based determination—given the digital ID system’s assurance levels—of whether the digital ID system is appropriately reliable and independent for CDD in light of potential ML, TF, fraud, and other illicit financing risks.
As explained in greater detail below, these assessments should be performed sequentially. If an LFI cannot assess a digital ID system’s assurance level or determines that it is not sufficiently reliable and independent for its purposes, it should not proceed with using the system for CDD unless it can be adequately strengthened or supplemented; in such a case, it is therefore not necessary to perform an appropriateness assessment until assurance concerns have been resolved.
Both an LFI’s assurance assessment of a digital ID system and its determination of the system’s appropriateness for CDD given its business and risk profile should be documented—whether as part of the institution’s enterprise risk assessment or through a separate process—and updated on a periodic and event-driven basis. LFIs may determine which functional unit or team within the institution is best suited to carry out the assurance and appropriateness assessments; there is no requirement that these assessments be performed by a specific unit, such as an internal audit department.
10 For example, as noted above, when verifying the Emirates ID card, LFIs should use the online validation gateway of the Federal Authority for Identity and Citizenship and keep a copy of the Emirates ID and its digital verification in their records; see https://ica.gov.ae/en/ica-validation-gateway/.
11 Available at https://www.centralbank.ae/en/cbuae-amlcft; see p. 49.

5.1. Understanding the System’s Assurance Levels
Where UAE law, regulation, or supervisory guidance has not mandated or prohibited the use of a specific digital ID system for CDD, LFIs should first determine, for any digital ID system they are considering adopting, the system’s assurance levels.12 In determining the reliability and independence of a given system, LFIs may either:
• Perform the assurance assessment themselves; or
• Obtain audit or certification information on assurance levels from an expert body.
Where an LFI performs the assurance assessment itself, it should conduct appropriate due diligence on the digital ID system provider, including the governance systems in place, and exercise additional caution. An LFI should only use information from an expert body, including another member of the same financial group or an independent third party, if it has a reasonable basis for concluding that the entity accurately applies appropriate, publicly disclosed assurance frameworks and standards.
Digital ID assurance frameworks and technical standards are a set of open source, consensus-driven assurance guidelines and best practices for digital ID systems that have been developed in several jurisdictions and by international organizations and industry bodies, and provide a useful tool for informing an LFI’s or expert body’s assurance assessment.13 LFIs are encouraged to consider the reliability of each of the system’s main digital ID components separately, as the same degree of reliability may not be required for each component of the digital ID system (identity proofing/enrollment, authentication, or, if applicable, federation), depending on the relevant risk factors and mitigating measures in place.
Digital ID technology and architecture, and digital ID assurance frameworks and standards, are dynamic and evolving. The standards themselves are flexible and outcome-based in order to facilitate innovation. They permit different technologies and architectures to satisfy the requirements for different assurance levels and are framed in ways intended to help make them as future-proof as possible (e.g., by providing a floor, rather than a ceiling, for reliability).
Digital ID assurance frameworks and standards usually set out various, progressively more reliable assurance levels, with increasingly rigorous technical requirements, for each of the three main steps in a digital ID system. The technical standards provide ID reliability factors, in the form of assurance levels for the basic constituent processes of a digital ID system. Each assurance level reflects a specified level of certitude or confidence in the process at issue; a process with a higher assurance level is more reliable, while a process with a lower assurance level presents a greater risk of failure and is less reliable. This Guidance does not require or recommend any particular assurance level; rather, LFIs are expected to perform an assurance assessment and to determine which assurance levels are appropriate for which processes, given their ML, TF, fraud, and other illicit financing risks.
For illustrative purposes only, the following table summarizes and adapts some of the technical requirements from the NIST Digital ID Guidelines14 for the identity proofing and enrollment stage of a digital ID system, which LFIs might leverage in assessing the degree to which a digital ID system is reliable and independent.
Reliability Factor: Presence
  No Assurance: No requirements
  High Assurance: In-person or remote proofing is permitted
  Very High Assurance: Either in-person or supervised15 remote proofing is required
Reliability Factor: Resolution
  No Assurance: No requirements
  High Assurance: Collection of as many identity attributes as necessary to achieve resolution into a single unique identity (i.e., to achieve de-duplication) is required; knowledge-based verification may be used for added confidence
  Very High Assurance: Same as “High”
Reliability Factor: Evidence
  No Assurance: No identity evidence is collected
  High Assurance: Evidence of identity attributes is collected based on the quality of the evidence (classified as weak, fair, strong, or superior) and the number of documents or quantity of digital information relied upon
  Very High Assurance: Same as “High,” albeit with higher thresholds for evidence quality and quantity; use of biometrics is mandatory (noted below)
Reliability Factor: Validation
  No Assurance: No validation
  High Assurance: Each piece of evidence is validated as genuine and accurate against independent and reliable sources
  Very High Assurance: Same as “High”
Reliability Factor: Verification
  No Assurance: No verification
  High Assurance: The identity evidence is verified, confirming that the validated identity relates to the individual applicant16
  Very High Assurance: Identity evidence is verified by an authorized and trained credential service provider (“CSP”) representative
Reliability Factor: Address Confirmation
  No Assurance: No requirements for address confirmation
  High Assurance: Required
  Very High Assurance: Required
Reliability Factor: Biometric Collection
  No Assurance: None
  High Assurance: Optional
  Very High Assurance: Mandatory
Reliability Factor: Security Controls
  No Assurance: Not applicable
  High Assurance: Moderate Baseline (per NIST Digital ID Guidelines)17 or equivalent jurisdictional or industry standard
  Very High Assurance: High Baseline (per NIST Digital ID Guidelines)18 or equivalent jurisdictional or industry standard

Likewise, the NIST Digital ID Guidelines set forth technical requirements for authentication protocols and processes (including credential and authenticator issuance and binding) and authenticator lifecycle management (including revocation in the event of loss or theft, and expiration/re-proofing and re-binding).
For illustrative purposes only, the following table describes at a high level of generality some of the NIST requirements for authentication at various authentication assurance levels.19
Assurance Level: Some Assurance
General Requirements:
• This assurance level can be achieved through a wide range of authentication technologies and authenticator types, and information security controls at a low baseline
• Biometrics alone may be used as a single-factor authenticator at this level
Assurance Level: High Assurance
General Requirements:
• MFA is required (i.e., either a multi-factor authenticator or two single-factor authenticators), using secure authentication protocols that incorporate specified approved cryptographic techniques, and information security controls at a moderate baseline
• More stringent requirements are imposed on authenticator types at this level20
• Biometrics may be used as one authentication factor (something you are), with the device authenticated as a second factor (something you have), but cannot serve as the only authenticator type
Assurance Level: Very High Assurance
General Requirements:
• Requires MFA that uses both a hardware-based authenticator and an authenticator that provides verifier impersonation resistance, based on proof of possession of a key through an approved cryptographic protocol21
• Claimants prove possession and control of two distinct authentication factors through secure authentication protocols, using approved cryptographic techniques
• The authenticators are verifier impersonation resistant, replay resistant, and resist relevant side-channel attacks
• When a biometric factor is used, the identity service provider (verifier) makes its own determination that the biometric sensor and subsequent processing meet specified performance requirements
• The CSP employs appropriately tailored security controls at a high baseline

12 Where the government of the UAE has mandated a specific digital ID system for CDD, as in the case of verifying the Emirates ID card via the online validation gateway of the Federal Authority for Identity and Citizenship, LFIs may rely on the government’s assessment of such system’s assurance levels.
13 See, for example, FATF, Guidance on Digital Identity, Appendix D (Digital ID Assurance Framework and Technical Standard-Setting Bodies) and Appendix E (Overview of U.S. and EU Digital Assurance Frameworks and Technical Standards), available at: https://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-on-Digital-Identity.pdf.
14 The NIST 800-63 Digital Identity Guidelines consist of a suite of documents: NIST SP 800-63-3 Digital Identity Guidelines (Overview); NIST SP 800-63A: Digital Identity Guidelines: Enrollment and Identity Proofing; NIST SP 800-63B Digital Identity Guidelines: Authentication and Life Cycle Management; and NIST SP 800-63C, Digital Identity Guidelines: Federation and Assertions. For additional context, see Appendix E of the FATF Guidance on Digital Identity.
15 Supervised remote proofing involves a remote interaction with the applicant that is supervised by an operator in accordance with specified requirements so as to achieve comparable levels of confidence and security to in-person identity proofing. NIST comparability requirements are provided in Box 19 of Appendix E of the FATF Guidance on Digital Identity, at 96.
16 As noted above, an LFI need not verify the accuracy of every element of identifying information obtained at the collection and resolution stage but should do so for enough information to form a reasonable belief it knows the true identity of the customer.
17 See FATF, Guidance on Digital Identity, pp. 97-98.
18 See FATF, Guidance on Digital Identity, pp. 97-98.
19 Appendix E of the FATF Guidance on Digital Identity also presents a summary of authentication assurance levels under EU Regulation No. 910/2014 on Electronic Identification and Trust Services for Electronic Transactions in the Internal Market.
20 Under NIST standards, a “High” assurance level permits the use of any of the following multi-factor authenticators: multi-factor OTP device; multi-factor cryptographic software; or multi-factor cryptographic device. When a combination of two single-factor authenticators is used, one authenticator must be a memorized secret authenticator and the other must be possession-based (i.e., “something you have”) and use any of the following: look-up secret; out-of-band device; single-factor OTP device; single-factor cryptographic software; or single-factor cryptographic device.
21 The claimant uses a private key stored on the authenticator to prove possession and control of the authenticator. An IDSP (verifier), knowing the claimant’s public key through some credential (typically, a public key certificate), uses an approved cryptographic authentication protocol to verify that the claimant has possession and control of the associated private key authenticator, and asserts the person’s verified identity to the RP.

5.2. Determining Appropriate Usage in Context of Risk
Once the LFI is satisfied that it knows the assurance levels of the digital ID system, it should analyze whether the digital ID system is adequate for the purposes of performing CDD in the context of the relevant illicit financing risks associated with the LFI’s customers, products and services, geographic areas of operations, and other relevant factors. Depending on the availability of digital ID systems, LFIs may have the option to select from multiple digital ID systems that have different assurance levels for identity proofing and authentication. In such circumstances, LFIs should match the robustness of the system’s identity proofing and/or authentication processes to the type of potential illicit activities and level of ML/TF risks.
In choosing among digital ID systems providing the same assurance level, or selecting among varying levels of identity proofing and/or particular credentials and authenticators offered by a single system, LFIs should consider their specific ML/TF risks as they relate to identity proofing and authentication in selecting an option. LFIs may also have the option to choose appropriate digital ID systems for lower-risk scenarios.
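The proof-of-possession exchange that footnote 21 and the Very High Assurance bullets in section 5.1 describe, as an added Go example that is not part of this Guidance or of the NIST text: the verifier (IDSP) issues a single-use challenge, the authenticator signs it together with the verifier's identity using the private key, and the verifier checks the signature against the public key enrolled with the credential. Binding the verifier's identity into the signed message is what makes a response obtained by an impersonating verifier useless to it, and refusing a reused challenge is what gives replay resistance. The verifier identity, claimant name and message layout are constructed assumptions for this example, not anything the Guidance or NIST specifies.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Verifier is the IDSP: its identity (assumed: a hostname), enrolled public keys, and challenges.
type Verifier struct {
	ID     string
	creds  map[string]ed25519.PublicKey // claimant -> public key bound to the credential
	issued map[string]bool              // outstanding single-use challenges
}
func NewVerifier(id string) *Verifier {
	return &Verifier{ID: id, creds: map[string]ed25519.PublicKey{}, issued: map[string]bool{}}
}
func (v *Verifier) Enroll(claimant string, pub ed25519.PublicKey) { v.creds[claimant] = pub }

// Challenge issues a fresh random nonce; each is accepted once, which defeats replay.
func (v *Verifier) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	v.issued[string(c)] = true
	return c
}

// signedMessage binds the verifier's identity into what is signed, so a response
// obtained by an impersonating verifier cannot be relayed to the genuine one.
func signedMessage(challenge []byte, verifierID string) []byte {
	h := sha256.Sum256(append([]byte("auth-v1|"+verifierID+"|"), challenge...))
	return h[:]
}

// Respond runs on the authenticator; the private key signs for the verifier the
// claimant believes it is talking to, and never leaves the device.
func Respond(priv ed25519.PrivateKey, challenge []byte, verifierID string) []byte {
	return ed25519.Sign(priv, signedMessage(challenge, verifierID))
}

// Verify checks proof of possession of the enrolled private key for this verifier only.
func (v *Verifier) Verify(claimant string, challenge, sig []byte) error {
	pub, ok := v.creds[claimant]
	if !ok { return errors.New("unknown claimant") }
	if !v.issued[string(challenge)] { return errors.New("challenge replayed or never issued") }
	delete(v.issued, string(challenge)) // consumed even if the signature check fails
	if !ed25519.Verify(pub, signedMessage(challenge, v.ID), sig) { return errors.New("signature not valid for this verifier and key") }
	return nil
}
```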