Digital Identity is often touted as a solution to identity fraud, which may be true when compared with many IDs issued directly by online organisations today. This is due to the improved multifactor authentication approach and the user-centric, device-centric delivery models used for Digital IDs.
However, if the Digital ID is the key to many different organisational doors, then possession of the Digital ID will be of great value to the fraudster.
Fraudsters will therefore try to create IDs using stolen or synthetic identity information, or will try to take over the IDs of legitimate users. The Digital ID ecosystem becomes a “honeypot” for fraudsters.
Thus, any digital ID ecosystem must have robust fraud controls.
This is not just a recommendation; it is often a regulatory fact. The anti-money laundering regulation in the UK, for instance, demands that when a Digital ID is used, the “process is secure from fraud and misuse” (2019 No. 1511 FINANCIAL SERVICES The Money Laundering and Terrorist Financing (Amendment) Regulations 2019).
This guide explores what fraud controls might be applicable when implementing Digital ID ecosystems, and who should implement them. It also explores what actions to take to manage potential frauds: who should assess them, what the decision process is, and whether information on frauds should be shared with other participants in the ecosystem.
The whole process needs to be protected from fraud. Internal risk needs to be considered, in particular where agents are dealing directly with the public and could be manipulated by a fraudster.
At the end of the day, the end user is the fraud victim in the case of identity theft. The guide also looks at how users should be informed in the event they become a victim.
All of this needs to be undertaken within the legal context of the ID ecosystem.
This guide covers considerations in all of these areas.
It is also important to consider fraud controls alongside ID proofing and authentication controls used within the ID ecosystem, as the overall “trust decision” or “status assessment” for a user is usually made using a combination of all of the information generated from these controls in unison.
This document was produced by a working group formed by the Open Identity Exchange and The Savings and Investment Alliance (TISA) in order to explore the fraud controls required in a Digital ID ecosystem.
The working group comprised fraud experts from various organisations.
Particular credit is acknowledged to:
- Cifas for the sections on Information Sharing and Internal Risk Procedures
- YOTI for the Legal Considerations section
- Cifas, Experian and TransUnion for the definitions of the fraud control techniques matrices.
THIS IS A CONTROLLED ACCESS DOCUMENT
IF YOU WISH TO REQUEST A WATERMARKED COPY PLEASE CONTACT firstname.lastname@example.org