Financial Crime World

Digital Identity Systems: A Guide to Anti-Money Laundering and Combating the Financing of Terrorism

Introduction

Ensuring the security and integrity of digital identity systems is crucial to anti-money laundering (AML) and combating the financing of terrorism (CFT) efforts: customer due diligence depends on reliably establishing, and later re-confirming, who the customer is. This guide summarises key points to consider when implementing or relying on digital identity systems.

Authentication Factors: Enhancing Customer Authentication

  • Phishing-resistant authenticators: Regulated entities should employ phishing-resistant authenticators, in which at least one factor relies on public key cryptography. The authenticator signs a server-issued challenge together with the identity of the site it is talking to, so credentials captured or relayed by a look-alike site cannot be replayed against the genuine service.
  • Continuous authentication: Rather than relying only on a one-time check at login, continuous authentication verifies that the data points collected throughout an online interaction match what should be expected during the session. This approach leverages biomechanical biometrics (e.g. how a device is held), behavioral biometrics (e.g. typing rhythm), and dynamic transaction risk analysis.
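The phishing-resistance property comes from what the authenticator signs. The Go program below is an added example written for this page (it is not code from the guide or from any FATF, browser or vendor implementation) and simplifies the WebAuthn assertion format: the signed message is the hash of the RP ID, the origin the client reports, and the server's challenge. The names bank.example and bank-login.example are hypothetical. Real browsers are stricter still: they refuse to offer a credential to an origin outside its RP ID scope, so the relying-party checks shown here are the second line of defence.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Assertion is a simplified WebAuthn-style response. The signature covers the
// RP ID the key was scoped to, the origin the client actually saw and the
// server's challenge, so a response produced on a phishing site cannot be
// replayed against the genuine relying party.
type Assertion struct {
	RPIDHash  [32]byte
	Origin    string
	Challenge []byte
	Sig       []byte // ASN.1 DER ECDSA signature over signedDigest(...)
}

// signedDigest builds the length-prefixed (unambiguous) message that is signed.
func signedDigest(rpIDHash [32]byte, origin string, challenge []byte) []byte {
	var b bytes.Buffer
	b.Write(rpIDHash[:])
	binary.Write(&b, binary.BigEndian, uint32(len(origin)))
	b.WriteString(origin)
	binary.Write(&b, binary.BigEndian, uint32(len(challenge)))
	b.Write(challenge)
	d := sha256.Sum256(b.Bytes())
	return d[:]
}

// Authenticator holds the private key; in hardware it never leaves the secure element.
type Authenticator struct{ key *ecdsa.PrivateKey }

func NewAuthenticator() (*Authenticator, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{key: k}, nil
}

// Sign answers whatever RP ID and origin the client presents: the authenticator
// cannot tell a genuine page from a look-alike, and does not need to.
func (a *Authenticator) Sign(rpID, origin string, challenge []byte) (Assertion, error) {
	h := sha256.Sum256([]byte(rpID))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedDigest(h, origin, challenge))
	if err != nil {
		return Assertion{}, err
	}
	return Assertion{RPIDHash: h, Origin: origin, Challenge: challenge, Sig: sig}, nil
}

// RelyingParty verifies assertions with the public key registered at enrollment.
type RelyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	issued       map[string]bool // outstanding single-use challenges
}

func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.issued[string(c)] = true
	return c, nil
}

func (rp *RelyingParty) Verify(as Assertion) error {
	if !rp.issued[string(as.Challenge)] {
		return errors.New("unknown or reused challenge")
	}
	delete(rp.issued, string(as.Challenge)) // single use: a captured response cannot be replayed
	if as.RPIDHash != sha256.Sum256([]byte(rp.rpID)) {
		return errors.New("key is scoped to a different RP ID")
	}
	if as.Origin != rp.origin {
		return errors.New("assertion was produced for a different origin")
	}
	if !ecdsa.VerifyASN1(rp.pub, signedDigest(as.RPIDHash, as.Origin, as.Challenge), as.Sig) {
		return errors.New("bad signature")
	}
	return nil
}

// Demo runs a genuine login and a relayed phishing attempt against one account and
// reports whether the genuine one was accepted and the phished one rejected.
func Demo() (genuineOK, phishRejected bool, err error) {
	auth, err := NewAuthenticator()
	if err != nil {
		return false, false, err
	}
	bank := &RelyingParty{rpID: "bank.example", origin: "https://bank.example",
		pub: &auth.key.PublicKey, issued: map[string]bool{}}

	c1, _ := bank.NewChallenge() // genuine session: client reports the bank's RP ID and origin
	as1, _ := auth.Sign("bank.example", "https://bank.example", c1)
	genuineOK = bank.Verify(as1) == nil

	// Phishing: the attacker fetches a real challenge and relays it through a look-alike
	// site. The victim's client scopes the request to the attacker's domain, so the
	// signature covers the wrong RP ID and origin and the bank refuses it.
	c2, _ := bank.NewChallenge()
	as2, _ := auth.Sign("bank-login.example", "https://bank-login.example", c2)
	phishRejected = bank.Verify(as2) != nil
	return genuineOK, phishRejected, nil
}

func main() {
	g, p, err := Demo()
	fmt.Println("genuine accepted:", g, "phishing relay rejected:", p, "err:", err)
}
```

Contrast this with a one-time passcode: the code is just a string, so a relay site that forwards it to the real service within its validity window succeeds. Here the attacker can relay the challenge but can never obtain a signature over the genuine RP ID and origin.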

Identity Lifecycle Management

Issuing and Recording Credentials

  • At customer onboarding, the identity service provider (IDSP) issues the credential and records and maintains the credential and associated enrollment data in the subscriber’s identity account throughout the credential’s lifecycle.

Binding

  • Throughout the digital ID lifecycle, the IDSP should maintain a record of all authenticators that are, or have been, associated with the identity account of each of its subscribers.
  • When an IDSP binds a new authenticator to the subscriber’s account post-enrollment, it should require the subscriber to first authenticate at the assurance level (or higher) at which the new authenticator will be used.

Compromised Authenticators

  • If a subscriber loses, or otherwise experiences compromise of, all authenticators of a factor required for MFA, the subscriber should repeat the identity proofing process, confirming that the claimant is the same person bound to the previously proofed evidence, before the IDSP binds a replacement for the lost authenticator to the subscriber’s identity account.

Expiration and Renewal

  • Where an IDSP has issued an authenticator that expires, the IDSP should bind an updated authenticator prior to expiration, using a process that conforms to the initial authenticator binding process and protocol, and then revoke the expiring authenticator.

Revocation or Termination

  • IDSPs should promptly revoke the binding of authenticators when an identity ceases to exist (e.g., because the subscriber has died or is discovered to be fraudulent); when requested by the subscriber; or when the IDSP determines that the subscriber no longer meets its eligibility requirements.
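The binding, compromise, renewal and revocation rules in the sections above can be enforced mechanically rather than by procedure alone. The Go sketch below is an added example written for this page, not the guide's or any IDSP's code; the Account and Authenticator types, the numeric assurance levels (1 to 3) and the factor names are illustrative assumptions. Revocation only changes an authenticator's status, so the record of every authenticator ever bound survives, and the three invariants a reviewer would look for are explicit: binding requires a session at or above the new authenticator's level, renewal binds the replacement before revoking the old one, and losing the last authenticator of a factor forces re-proofing before a replacement is bound.

```go
package main

import (
	"errors"
	"fmt"
	"time"
)

type AAL int // assumed numeric assurance level, 1..3

type Status string

const (
	Active  Status = "active"
	Revoked Status = "revoked"
)

type Authenticator struct {
	ID      string
	Factor  string    // assumed values: "possession", "knowledge", "inherence"
	Level   AAL       // level the authenticator will be used at
	Expires time.Time // zero value: never expires
	Status  Status
}

// Account keeps every authenticator ever bound; revocation changes Status and
// never deletes the record, so the binding history stays available.
type Account struct {
	Authenticators []*Authenticator
	Log            []string
}

var (
	ErrInsufficientAAL = errors.New("session below the level the new authenticator will be used at")
	ErrReproofRequired = errors.New("no authenticator of this factor remains: repeat identity proofing first")
	ErrUnknown         = errors.New("unknown authenticator")
)

func (a *Account) find(id string) *Authenticator {
	for _, x := range a.Authenticators {
		if x.ID == id {
			return x
		}
	}
	return nil
}

// Bind attaches a new authenticator post-enrollment; the subscriber must already
// have authenticated at (or above) the level the new authenticator will be used at.
func (a *Account) Bind(sessionAAL AAL, n *Authenticator) error {
	if sessionAAL < n.Level {
		return ErrInsufficientAAL
	}
	n.Status = Active
	a.Authenticators = append(a.Authenticators, n)
	a.Log = append(a.Log, "bound "+n.ID)
	return nil
}

// Revoke marks an authenticator unusable and records the reason (death, fraud,
// subscriber request, loss of eligibility, expiry).
func (a *Account) Revoke(id, reason string) error {
	x := a.find(id)
	if x == nil {
		return ErrUnknown
	}
	x.Status = Revoked
	a.Log = append(a.Log, "revoked "+id+": "+reason)
	return nil
}

// Renew binds the replacement first and only then revokes the expiring one, so
// the subscriber is never left without a usable authenticator.
func (a *Account) Renew(sessionAAL AAL, oldID string, n *Authenticator) error {
	if a.find(oldID) == nil {
		return ErrUnknown
	}
	if err := a.Bind(sessionAAL, n); err != nil {
		return err
	}
	return a.Revoke(oldID, "superseded by "+n.ID)
}

// ActiveFor reports whether any usable, unexpired authenticator of the factor remains.
func (a *Account) ActiveFor(factor string, now time.Time) bool {
	for _, x := range a.Authenticators {
		if x.Factor == factor && x.Status == Active && (x.Expires.IsZero() || now.Before(x.Expires)) {
			return true
		}
	}
	return false
}

// ReplaceLost handles loss or compromise. If no authenticator of that factor
// survives, the subscriber can no longer authenticate at the required level, so
// repeated identity proofing (reproofed) takes the place of the session check.
func (a *Account) ReplaceLost(lostID string, reproofed bool, n *Authenticator, now time.Time) error {
	x := a.find(lostID)
	if x == nil {
		return ErrUnknown
	}
	a.Revoke(lostID, "reported lost or compromised")
	if !a.ActiveFor(x.Factor, now) && !reproofed {
		return ErrReproofRequired
	}
	n.Status = Active
	a.Authenticators = append(a.Authenticators, n)
	a.Log = append(a.Log, "bound "+n.ID+" as replacement for "+lostID)
	return nil
}

func main() {
	now := time.Now()
	acct := &Account{}
	acct.Bind(3, &Authenticator{ID: "pw", Factor: "knowledge", Level: 1})
	fmt.Println(acct.Bind(1, &Authenticator{ID: "key1", Factor: "possession", Level: 2})) // rejected
	acct.Bind(2, &Authenticator{ID: "key1", Factor: "possession", Level: 2})
	acct.Renew(2, "key1", &Authenticator{ID: "key2", Factor: "possession", Level: 2})
	fmt.Println(acct.ReplaceLost("key2", false, &Authenticator{ID: "key3", Factor: "possession", Level: 2}, now))
	for _, l := range acct.Log {
		fmt.Println(l)
	}
}
```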

Portability and Interoperability

  • Digital ID systems can include a component that makes proof of identity portable. Individuals can then use their digital ID credentials to prove identity when establishing new customer relationships with unrelated private sector or government entities, without each entity having to obtain and verify personally identifiable information (PII) and conduct customer identification and verification from scratch every time.