Identify the required Fraud Controls that should be put in place by IdPs, RPs, and the Digital ID Scheme / Broker itself in order to protect users and RPs against Identity Fraud.
Considerations:
- The workgroup should consider 3-4 different use cases. Suggested use cases are: government, finance, gambling, age verification, air travel?
- The workgroup is proposed to be run in partnership with the TISA Digital ID project, which will bring expertise on the financial services onboarding use case.
- Common practice in fraud prevention and detection applied by financial services firms to combat ID theft should be considered. What RPs do today should not be unnecessarily duplicated by parties in the ID scheme. However, as the responsibility for ID verification is shifted to the scheme, so will some of the fraud detection requirements. This will be necessary because only the scheme and its parties will have the information needed to make a robust fraud assessment, for example: device and IP fraud detection across the ecosystem; PII used for ID validation and verification but not (necessarily) delivered to the RP for decisioning; and a view of the ecosystem that spans all RPs.
- The new AMLD5 regulation, and supporting JMLSG guidelines, state that when a Digital ID is used for KYC purposes then “firms should be satisfied that any process from which such information is obtained is secure from fraud and misuse”.
- Any data sharing between parties in the scheme for fraud prevention purposes should be proportionate to the risk mitigated. This would include data shared from RPs into the scheme for frauds detected. ICO review should be undertaken.
- Fraud needs for government LoA Medium services should be considered.
Fraud Control Requirements for: IdPs, RPs, Scheme / ID Broker
Types of fraud: Identity Fraud - including ID theft, muling and synthetic IDs.
Points in process: Fraud at point of registration, Account takeover, Fraud at point of logon.
Data to be assessed: user provided PII, user provided data for ID validation and verification, ID Risk indicators, meta-data about the transaction.
This working group is run in collaboration with TISA.
The following organisations are contributing to this working group:
Accenture, Barclays Plc, CIFAS, GDS, Folio, GBG Plc, HSBC, Inidsol Ltd, Lexis Nexis Risk Solutions, MIRACL, Mvine, NatWest Plc, Northern Trust, Octopus SH, Open Banking, RBS, TISA, Transunion, Women in Identity, Yoti