A new OIX White Paper explores the degree of interoperability and alignment between the Government’s recently updated Digital Identity Standards – Good Practice Guide 45 (GPG45) – and industry’s own guidance regarding the way that banks and other financial institutions should undertake customer due diligence – the Joint Money Laundering Steering Group (JMLSG) Guidance.
Having come from the finance sector and having buzzed in and around digital identity for a few years, it has always surprised me that there hasn’t ever been a really definitive attempt to answer the question – how interoperable are the Government’s digital identity standards with the UK’s money laundering rules?
There have been a few previous reviews – the work by BBA and PWC comes to mind – but there has been no definitive research to rely upon, or to guide the coming together of the two regimes. For OIX, this seems critical if an effective digital identity economy is to emerge.
A Complex Challenge
At least part of why it hadn’t been done previously was the inherent complexity.
JMLSG Guidance stretches across three lengthy, highly detailed documents, while GPG45 is a very different type of document; each has been shaped by different evolutionary forces. This is reflected in a misalignment of key terms and definitions identified in the course of our research – GPG45 and JMLSG often speak very different languages, shaped by their very different origins and intended readerships.
A second complexity was the divergent nature of concepts at the heart of the two frameworks. JMLSG Guidance is deeply steeped in the risk-based customer due diligence approach required by the international and national anti-money laundering regime. Here banks decide on a case-by-case basis what level of risk a customer presents. The level of evidence gathering and checking they have to undertake to be sufficiently sure of a person’s identity (amongst other factors) is therefore dynamic, varying with the individual, where they are, and what service they wish to access.
GPG45, on the other hand, ‘pre-determines’ the level of confidence associated with an individual’s identity as one of 4 distinct levels of confidence. It does this in a clever and balanced way – distinct sets of evidence, verification, fraud and activity checks and validation are balanced to meet the four confidence levels. Where one element is stronger, a weaker element may exist elsewhere in the Identity Profile.
Aligning a dynamic risk-based case-by-case assessment with the standardised, pre-determined levels of confidence presented in GPG45 was a key challenge we faced in the research. However, a dual approach, analysing the two frameworks by a clause-by-clause gap analysis, as well as a more holistic assessment of equivalency, led us to the answers we had set out to discover.
Ultimately, there is a great deal of alignment, and some clear areas that need addressing. Key findings included:
- The vast majority of types of identity evidence, and the weighting given to them, are analogous. However, there are some misalignments – the weighting given to private sector vs public sector identity evidence differs – and this may need to be addressed.
- The introduction of a wider range of Identity Profiles – specific mixes of scores across the 5 elements that result in common levels of confidence – is helpful and enables different industries some flexibility in reaching their specific requirements.
- Identities with a Low level of confidence provide too low a level of assurance to be compatible with most regulated identity uses. Identities with High or Very High confidence levels meet or exceed almost all requirements.
- Question marks persist around Medium level identities – some of the elements that may be included do not match the requirements of the Money Laundering regime and JMLSG. This requires action to align the two frameworks.
- The Scoring Framework that underpins how the Identity Profiles are expressed is the really valuable part. It provides a consistent, relatively detailed way to describe the elements that went into creating and verifying an identity, and the level of confidence relying parties can therefore have in it; crucially, even if it doesn’t conform to one of the 4 ‘set’ levels of confidence.
- It provides a means for competent authorities to formally recognise the standards under the forthcoming 5th Money Laundering Directive.
- It also provides potential for individual industries to express their needs in a common, understandable way – perhaps by developing an ‘Industry Identity Profile’ specific to the customer due diligence needs of that sector.
In conclusion, the new version of GPG45 is more accessible and more flexible than previous incarnations, and can already interoperate with JMLSG Guidance in a substantial way. However, there are some clear areas where the alignment could be further improved.
Our research also identified a number of areas for further consideration, and the implications for implementation of the 5th Money Laundering Directive. These will be explored in more depth in the next blog in this series.
Author: Ewan Willars
Ewan is a Senior Associate of Innovate Identity, and author of the White Paper.