Financial Action Task Force examines biometrics in draft guidance on digital ID
The Financial Action Task Force (FATF) has issued a draft Guidance Paper on digital identity, setting out a risk-based approach to help governments, financial institutions and other entities comply with Anti-Money Laundering (AML) and countering the financing of terrorism (CFT) requirements using digital ID systems, including biometrics.
FATF is an intergovernmental organization founded by the G7 in 1989 to combat money laundering.
The draft, published for public consultation, notes that digital payments are estimated to be growing at a rate of 12.7 percent annually, and that 70 percent of global GDP is forecast to be digitized by 2022. Observing that digital ID has reached an inflection point and will or could soon be available at scale, the task force points to the emergence of “a range of biometric technology.”
The potential for distributed ledger technology (DLT) to promote the growth of digital ID use is also explored in the guidance.
“FATF’s official guidance on digital identity demonstrates the growing acceptance of digital payments. It also shows a realization that the use of digital payments will only increase exponentially and that processes need to be systemized,” comments Solve.Care Information Security Manager Richard Williams. “From our perspective, the security offered by blockchain technology exemplifies the digital ID assurance frameworks and standards that FATF outlines. Blockchain-based digital payments and the systems surrounding them provide the reliability and immutability, while significantly reducing the costs and the risk of fraud, among other benefits, that FATF recommends.”
The guidance contains two paragraphs on risks associated with biometric authenticators, and identifies the irrevocability of biometrics, the potential for them to be stolen in bulk from centralized databases or in various ways from individuals, and spoofing as potential issues. The lack of scalability of some types of biometric attacks is also noted, but so is the chance of reliability problems, likely due to data capture challenges.
Interestingly, the guidance recognizes not just biophysical and behavioral biometrics, but also categorizes keystroke dynamics among “biomechanical biometrics.”
The guidance provides details on how to apply customer due diligence to digital ID systems for customer verification onboarding and authentication for transactions, and how third-party reliance between regulated entities can be used to meet the requirements.
“The recommendations potentially have a massive impact,” according to Sibex CEO Daniel Haudenschild. “It binds VASPs to existing KYC and AML rules. The ‘Travel Rule’ may also require VASPs to include details in crypto transactions, such as accurate originator and beneficiary information on transfers and related messages. Technology is not the issue; most VASPs already have a solution that works on major chains. What is unfortunate is that regulators push centralized control solutions for decentralized technology.”
Case studies of several systems used in countries around the world, most of which include biometrics, are presented, and the Principles on Identification for Sustainable Development from the World Bank’s ID4D Working Group are included, as well as overviews of digital ID assurance frameworks in the U.S. and EU.