FATF Digital Identity Guidance

The excerpts below highlight the guidance's treatment of geolocation beyond a simple IP address lookup, and its discussion of increased measures for ID authentication.


Section 1: Introduction

32. The rapid pace of innovation in the digital identity (ID) space has reached an inflection point. Digital ID standards, technology and processes have evolved to a point where digital ID systems are, or could soon be, available at scale. Some of these relevant technologies include: a range of biometric technology; the near-ubiquity of the Internet and mobile phones (including the rapid evolution and uptake of “smart phones” with cameras, microphones and other “smart phone” technology); digital device identifiers and related information (e.g., MAC and IP addresses; mobile phone numbers, SIM cards, global positioning system (GPS) geolocation); high-definition scanners (for scanning ID cards, driver's licenses and other documents); high-resolution video transmission (allowing for remote identification and verification and proof of “liveness”); artificial intelligence/machine learning (e.g., for determining validity of government-issued ID); and distributed ledger technology (DLT).

Section II: Digital ID Terminology and Key Features

What are the Key Components of a Digital ID System?
Component Two: Authentication and Identity Lifecycle Management (essential)

67. Authentication can rely on various types of authentication factors and protocols or processes. These authentication factors have different levels of security – see the discussion of authentication risks in Section V. A single authentication factor is generally not considered sufficiently trustworthy. An authentication process is usually considered more robust and reliable when it employs multiple types of authentication factors (1).

(1) As digital ID systems evolve this understanding is becoming more nuanced. Where authentication is active and continuous, authentication strength is sometimes assessed, not in terms of the number of different authentication factors and types, but in terms of overall robustness resulting from the use of multiple sources of dynamic, digital customer data, including expected log-in channels, geolocation, frequency of usage, type of usage, IP addresses and biomechanical metric behavioural patterns.

Section III: FATF Standards on Customer Due Diligence

Ongoing Due Diligence on the Business Relationship

91. As explained in Section II, above, and in further detail in Appendix A, authentication using a digital ID system establishes confidence that an individual is the person who was identity proofed and issued with the relevant credentials. Regulated entities that use digital ID systems to authenticate the identity of their existing customers as part of account authorisation are encouraged to leverage the data generated by authentication and related information (2), to support ongoing due diligence and transaction monitoring. This information is traditionally obtained for the purpose of protecting the regulated entity from fraud. However, with the accelerating transition to digital financial systems and accompanying reliance on the use of digital ID authentication to authorise account access, it can also be relevant for AML/CFT purposes.

92. For regulated entities, ongoing authentication of an onboarded customer provides reasonable, risk-based assurance (i.e., confidence) that the person asserting identity today is the same person who previously opened the account or other financial service, and is in fact the same individual who underwent “reliable, independent” identification and verification at on-boarding. Ongoing digital authentication of the customer’s identity links that individual with their financial activity. It can therefore strengthen the ability to conduct meaningful ongoing due diligence and transaction monitoring pursuant to R.10(d).

(2) Authentication is one part of authorising account access. The regulated entity may also collect other complementary data (such as, geolocation, IP addresses, etc.) for the authorisation decisions.

Section IV: Benefits and Risks of Digital ID Systems for AML/CFT Compliance and Related Issues

Potential Benefits of Digital ID System

108. As noted above, robust digital authentication of customer ID for authorising ongoing account access may facilitate the identification and reporting of suspicious transactions, because it helps the regulated entity establish that the person accessing an account and conducting transactions today is the same person who accessed the account previously, and is in fact, the identified/verified customer who holds that account. In addition, depending on the operational model and other factors, such as user consent and data protection/privacy laws, digital ID authentication for authorising account access may enable regulated entities to capture additional information, such as geolocation, IP address, or the identity of the digital device used to conduct transactions. This information can help regulated entities develop a more detailed understanding of the client’s behaviour as a basis for determining when its financial transactions appear to be unusual or suspicious, and may assist law enforcement in investigating crimes. For example, complementary data where captured by regulated entities through different means and channels (including internet and mobile phone), in accordance with local regulations including data protection and privacy rules, may be very useful for determining who is controlling an account; whether they are controlling multiple accounts; and the network of individuals and entities involved in the financial transactions conducted, using those accounts.

Risks and Challenges Presented by Digital ID Systems

113. Like any ID system, reliability of digital ID systems depends on the strength of documents, processes, technologies, and security measures used for identity proofing, credentialing, and authentication, as well as ongoing identity management. In both documentary and digital ID systems, for example, reliability can be undermined by identity theft and source documents that can be easily forged or tampered with. Some types of fraud may be less likely to occur in-person or in processes requiring human intervention, including ‘massive attack frauds’ which are more likely to happen remotely. While digital ID systems provide security features—e.g., secure authentication—that mitigate some issues with paper-based systems, they also increase some risks, such as data loss, data corruption or misuse of data due to unauthorised access.

114. Digital ID systems present a variety of technical challenges and risks, because they often involve identity proofing and authenticating individuals over an open communications network (the Internet). As a result, the processes and technologies employed by digital ID systems present multiple opportunities for cyberattacks between the parties (IDSP, customer and relying party). Without careful consideration of relevant risk factors and implementation of appropriate, technology-based safeguards, as well as effective governance and accountability measures to address them, criminals, money launderers, terrorists, and other bad actors may be able to abuse digital ID systems to create false identities or exploit (hack or spoof) authenticators linked to a legitimate identity.

116. The discussion below covers both identity proofing/enrolment risks and authentication risks. Risks at the identity proofing stage may result in digital IDs that are “fake” (i.e., obtained under false premises through an intentionally malicious act) and can be used to facilitate illicit activities. These risks are mitigated by having an appropriate identity assurance level. Identity proofing risks are distinguished from authentication risks, where a legitimately issued digital ID has been compromised and its credentials or authenticators are under the control of an unauthorised person. These risks are mitigated by having an appropriate authentication assurance level.

157. Digital ID technology and architecture, and digital ID assurance frameworks and standards, are dynamic and evolving (3). The standards themselves are flexible and outcome-based in order to facilitate innovation. They permit different technologies and architectures to satisfy the requirements for the distinct assurance levels at present, and are framed in ways intended to help make them as future-proof as possible. Jurisdictions should avoid adopting a fixed, prescriptive approach that locks in current assurance level requirements as a ceiling, rather than a floor, for reliability.

(3) It should be acknowledged that the digital ID standards have not always kept up with evolving technology. For example, at the time this Guidance was finalised, the digital ID assurance frameworks and standards did not yet address continuous authentication. Nor did they address the notion of progressive identity as it relates to ongoing, dynamic identity proofing.

Appendix A: Description of a Basic Digital Identity System and its Participants

(p. 64) Traditionally (and as reflected in the NIST digital ID standards), digital ID authentication is conducted at a particular point in time: when the claimant asserts the customer’s/subscriber’s identity and seeks authorisation to begin a digital (online session) or in-person interaction to access the customer’s account or other financial services or resources. Today, however, many regulated entities, particularly larger financial institutions in developed countries, augment traditional authentication at the beginning of an online interaction with “continuous authentication” solutions that leverage biomechanical biometrics, behavioural biometric patterns, and/or dynamic Transaction Risk Analysis. Instead of relying on a combination of something the claimant has/knows/is to establish at the beginning of the interaction that the claimant is the on-boarded customer and is in control of the authenticators/credentials issued to that customer, continuous authentication focuses on ensuring that certain data points collected throughout the course of an online interaction, such as geolocation, MAC and IP addresses, typing cadence and mobile device angle—match “what should be expected” during the entire session.

Biometrics

  • Biophysical biometrics: attributes, such as fingerprints, iris patterns, voiceprints, and facial recognition—all of which are static.
  • Biomechanical biometrics: attributes, such as keystroke mechanics, are the product of unique interactions of an individual’s muscles, skeletal system, and nervous system.
  • Behavioural biometric patterns: attributes, based on the new computational social science discipline of social physics, consist of an individual’s various patterns of movement and usage in geospatial temporal data streams, and include, e.g., an individual’s email or text message patterns, file access log, mobile phone usage, and geolocation patterns.

Continuous authentication is a dynamic form of authentication. It can leverage biomechanical biometrics, behavioural biometric patterns, and/or dynamic Transaction Risk Analysis to focus on ensuring that certain data points collected throughout the course of an online interaction with an individual (such as geolocation, MAC and IP addresses, typing cadence and mobile device angle) match “what should be expected” during the entire session.
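Footnote (1) to paragraph 67 and the continuous-authentication description above both describe the same mechanism: rather than counting factors once at login, the relying party keeps comparing session signals (geolocation, IP address, device identity, typing cadence) against what should be expected for that customer. The following is an added illustration written by the editor; it is not code from FATF, NIST or any vendor. It scores each session event against a per-customer baseline and against the preceding event, and maps the accumulated anomaly score to an allow, step-up or deny decision. The baseline, the signal weights, the decision thresholds and the session events are all constructed for the example.

```python
"""Illustrative continuous-authentication scorer (added example, not FATF text).

Each session event carries the kinds of signals the guidance lists
(geolocation, IP address, device identifier, typing cadence). Every event is
compared against a per-customer baseline and against the previous event, and
the accumulated anomalies drive an allow / step-up / deny decision.
Weights, thresholds, baseline and events are all constructed for illustration.
"""
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt
from typing import List, Optional, Set

EARTH_RADIUS_KM = 6371.0
STEP_UP_AT = 30   # score at which the session should demand re-authentication
DENY_AT = 60      # score at which the session should be terminated


@dataclass
class Baseline:
    """What 'should be expected' for one customer, learned from past sessions."""
    known_devices: Set[str]
    usual_countries: Set[str]
    cadence_mean_ms: float            # mean inter-keystroke interval
    cadence_std_ms: float
    max_plausible_kmh: float = 900.0  # faster than this between events = impossible travel


@dataclass
class Event:
    t_s: float                           # seconds since session start
    lat: float
    lon: float
    country: str
    ip: str
    device_id: str
    cadence_ms: Optional[float] = None   # None when no typing occurred


@dataclass
class Assessment:
    score: int
    reasons: List[str]
    decision: str


def haversine_km(lat1, lon1, lat2, lon2) -> float:
    """Great-circle distance between two WGS84 points, in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(p1) * cos(p2) * sin(dlon / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def score_event(base: Baseline, prev: Optional[Event], ev: Event) -> Assessment:
    """Compare one event with the baseline and with its predecessor."""
    score, reasons = 0, []
    if ev.device_id not in base.known_devices:
        score += 40
        reasons.append("unknown_device")
    if ev.country not in base.usual_countries:
        score += 25
        reasons.append("unfamiliar_country")
    if ev.cadence_ms is not None and base.cadence_std_ms > 0:
        z = abs(ev.cadence_ms - base.cadence_mean_ms) / base.cadence_std_ms
        if z > 3.0:                      # typing rhythm far outside the customer's norm
            score += 30
            reasons.append("typing_cadence_deviation")
    if prev is not None:
        if ev.ip != prev.ip:
            score += 15
            reasons.append("ip_changed_mid_session")
        dt_h = (ev.t_s - prev.t_s) / 3600.0
        if dt_h > 0:
            kmh = haversine_km(prev.lat, prev.lon, ev.lat, ev.lon) / dt_h
            if kmh > base.max_plausible_kmh:
                score += 50
                reasons.append("impossible_travel")
    decision = "deny" if score >= DENY_AT else "step_up" if score >= STEP_UP_AT else "allow"
    return Assessment(score, reasons, decision)


def assess_session(base: Baseline, events: List[Event]) -> List[Assessment]:
    """Score a whole session in order; each event is compared with its predecessor."""
    out, prev = [], None
    for ev in events:
        out.append(score_event(base, prev, ev))
        prev = ev
    return out


# Constructed baseline and session (not real customer data; RFC 5737 test addresses).
BASELINE = Baseline({"dev-A"}, {"DE"}, cadence_mean_ms=180.0, cadence_std_ms=30.0)
SESSION = [
    Event(0,   52.52, 13.405, "DE", "203.0.113.10", "dev-A", 185.0),     # normal login, Berlin
    Event(300, 52.52, 13.405, "DE", "203.0.113.10", "dev-A", 190.0),     # still consistent
    Event(600, 52.52, 13.405, "DE", "198.51.100.7", "dev-A", 400.0),     # IP swap + odd typing
    Event(900, 40.7128, -74.006, "US", "198.51.100.7", "dev-A", 410.0),  # "moved" to New York in 5 min
]

if __name__ == "__main__":
    for ev, a in zip(SESSION, assess_session(BASELINE, SESSION)):
        print(f"t={ev.t_s:>4.0f}s score={a.score:>3} {a.decision:<8} {', '.join(a.reasons)}")
```

The first two events match the baseline and are allowed; the third accumulates a mid-session IP change and a typing cadence more than three standard deviations from the customer's norm, which is enough to demand step-up re-authentication; the fourth adds an unfamiliar country and an implausible 6,000 km move within five minutes, so the session is denied. In a production design the baseline would be learned from prior sessions and the weights tuned against observed fraud, and an authentication-assurance review, as the guidance recommends, would decide which signals may lawfully be collected under the applicable data-protection rules.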