July 2019

DIGITAL IDENTITY: KEY CONCEPTS

Leveraging technology to strengthen the financial system is a focus point of the IIF’s work on Digital
Finance. As current developments show, Digital Identities hold great promise to contribute to a more
inclusive financial system which is also more resilient in terms of preventing financial crime.

Over the coming months, the IIF will publish a 3-part series of papers on Digital Identities. The first
paper will highlight central considerations with respect to Anti-Money Laundering (AML) frameworks; the
second opportunities to promote financial inclusion; and the third new business opportunities for financial
institutions in an increasingly competitive market.

In approaching these issues, we have identified that many use the term Digital Identity (or its abbreviation
“Digital ID”) with quite different meanings. This paper sets out the key items and variances of this
terminology, for clarification on how they will be applied in our upcoming series.

A Digital Identity can best be described as a compilation of electronically captured and stored attributes of a
uniquely identifiable persona that can be linked to a physical person. As opposed to a simple record of this
information, a Digital Identity constitutes the identity of an individual, which can subsequently be used as a
building block for further interactions (i.e. with public sector bodies or private entities such as financial
institutions). The focus of our work will lie on this concept.

The scope of information needed for a Digital Identity is of course debatable. While traditional attributes such
as a person’s name, date and place of birth or nationality are straightforward, to what extent other attributes
should be part of one’s identity is not always clear. This starts with the current discussions around an
individual’s (physical or perceived) gender, but could also include further information generated online which
can change dynamically and increase in volume over time. Finding a definition of “identity” in this context goes
beyond the scope of financial services, but should aim at as much global harmonization as possible to ensure
recognition between countries and interoperability of Digital ID solutions.

The current AML frameworks contain a list of information to be collected before engaging in a business
relationship, in order to gain assurance of a person’s identity and determine money laundering risk factors
(which frequently include a person’s occupation and the source of funds). Therefore, any work by international
standard setters on incorporating Digital Identities into an AML framework should include a clarification of the
personal information a Digital Identity should contain about an individual. 1

On the other hand, the concept behind Digital Identification (aka Digital Identity Proofing) should be
understood as a process. Put simply, the current work undertaken by a number of regulators and standard
setters focusses on digitizing the process a person goes through to have their identity established and
validated.

1
A case could be made to tailor the amount of information that is subsequently disclosed to various actors based on the purpose
of their interaction with the individual (government business, banking relationship etc.) to ensure privacy. This will be explored
further in our upcoming first paper on Digital Identities and their implementation in AML frameworks.
An example of those are the “Know-Your-Customer” processes implemented in financial institutions in
accordance with applicable AML rules. Traditionally, these entail gathering a set of information about a
person’s identity first and validating if this information is true by using appropriate evidence, such as an
identity card (usually government issued) or a passport. Many of these still require both parties to be
physically present or face the risk of being submitted to stricter requirements (such as higher customer risk
ratings). Efforts are underway to build solutions which would be equivalent or quasi-equivalent to a physical
interaction in terms of comfort about a person’s identity but can be managed online. An example from the
financial services industry is the VideoIdent process implemented in Germany 2, under which the Know-You-
Customer process can be performed via video chat in accordance with specific standards.

The European eIDAS initiative 3 is another, broader and technologically agnostic step in this direction,
determining the conditions under which interactions with the public sector can occur without physical
presence, based on standards set up to determine a person’s identity.

eIDAS also leads us to the last puzzle piece in this broader context. As a last step within the identification
process, the collected datasets need to be tied to a person, which usually occurs through some form of
verification processes (aka authentication processes in some jurisdictions), which are increasingly
digitized (e.g. through using biometrics data instead of relying on the comparison between a person and
a picture). At the same time, these can also help reconfirm information on record. For example, when
interacting over a computer, sending text messages back and forth can help prove that (a) the person
using the service through a computer is who they claim to be and (b) that the phone number / phone ID
on record is correct and the person is indeed in possession and control of the device. This information
can then be used to enroll in a service, usually by creating access credentials (authenticators) assigned to
the person, as well as to give access to the services later in the business relationship lifecycle.

While it is important to clearly separate these different elements, they can be treated as various steps of
a singular process that feed off each other. A digital identity may be generated and assigned to a person
by going through a “traditional” identification process, performed by a trusted party.4 The Digital Identity
might be linked to biometric data, making sure that it is available only to the right person, who can then
prove his/her identity by unlocking it.5 As the implications and challenges in implementing all of these
steps are diverse, it is nevertheless important to distinguish between them.

The IIF looks forward to exploring these topics further in the coming months and engaging with the financial
industry and public sector on our various findings.

For further questions and comments on the key concepts set out here, please contact Adrien Delle-Case
(adellecase@iif.com).

2
BaFin Circular 3/2017 (GW) – Video Identification Procedures, english translation available at:
https://www.bafin.de/SharedDocs/Veroeffentlichungen/EN/Rundschreiben/2017/rs_1703_gw_videoident_en.html
3
Regulation (EU) 910/2014
4
See for example the Verified.Me initiative currently being implemented in Canada.
5
See for example the Bank Verification Number, a biometric identification system implemented by the Central Bank of Nigeria.
2