5. Assessing the Reliability and Independence of Digital ID Systems for CDD

Effective from 31/10/2022

Unless otherwise specified,¹⁰ the UAE permits LFIs to adopt digital ID systems of their choosing, provided that they “rely upon technology, adequate governance, processes, and procedures that provide appropriate levels of confidence that the system produces accurate results.”¹¹ This means that there is an appropriate level of confidence (or “assurance,” in the FATF’s terminology) that the digital ID system works as it is supposed to and produces accurate results. The digital ID system should also be adequately protected against internal or external manipulation or falsification designed to fabricate and credential false identities or authenticate unauthorized users, including by cyberattack or insider malfeasance.

To this end, LFIs should conduct:

	•	An assurance level assessment, through which the LFI can understand the assurance levels that the digital ID system provides based on its technology, architecture, and governance and determine its reliability and independence; and
	•	An appropriateness assessment, through which the LFI can make a risk-based determination— given the digital ID system’s assurance levels—of whether the digital ID system is appropriately reliable and independent for CDD in light of potential ML, TF, fraud, and other illicit financing risks.

As explained in greater detail below, these assessments should be performed sequentially. If an LFI cannot assess a digital ID system’s assurance level or determines that it is not sufficiently reliable and independent for its purposes, it should not proceed with using the system for CDD unless it can be adequately strengthened or supplemented; in such a case, it is therefore not necessary to perform an appropriateness assessment until assurance concerns have been resolved.

Both an LFI’s assurance assessment of a digital ID system and its determination of the system’s appropriateness for CDD given its business and risk profile should be documented—whether as part of the institution’s enterprise risk assessment or through a separate process—and updated on a periodic and event-driven basis. LFIs may determine which functional unit or team within the institution is best suited to carry out the assurance and appropriateness assessments; there is no requirement that these assessments be performed by a specific unit, such as an internal audit department.

¹⁰ For example, as noted above, when verifying the Emirates ID card, LFIs should use the online validation gateway of the Federal Authority for Identity and Citizenship and keep a copy of the Emirates ID and its digital verification in their records; see https://ica.gov.ae/en/ica-validation-gateway/.
¹¹ Available at https://www.centralbank.ae/en/cbuae-amlcft; see p. 49.