Thailand’s blockchain digital ID infrastructure – an ecosystem in an ID ecosystem
Thailand is progressing rapidly with enrollment into its blockchain-based biometric digital identity infrastructure operated by the National Digital ID Company Limited (NDID), with registration up by 50 percent since November at 9.2 million. Now half the population is eligible to be part of the system as it readies to introduce verifiable credentials and a digital wallet.
Various schemes and projects involving telcos and convenience stores have been launching in the country of 70 million. NDID is not a digitized version of the national identity card or even a digital identity in itself, so Biometric Update spoke to its CEO, Boonsun Prasitsumrit, in Bangkok to learn what it is and the role it plays in the identity ecosystem and financial sector.
The beginnings of a public-private trusted ecosystem
Rather than the Thai government building a national digital ID system, it created a way to link service providers and identity providers (IDPs) to allow the digital sector to flourish and innovate. It also decided not to be as directly involved, establishing a private company to oversee the project.
“NDID in the beginning, four years ago, we decided that IDPs were not only to be banks,” says Boonsun Prasitsumrit in the NDID HQ, “it could be anything, anyone who qualifies to do it: bank, mobile network, fintech.”
At the outset, the Ministry of Finance and the Ministry of Digital Economy and Society realized they were “sharing the same pain point: the KYC process,” says Prasitsumrit. The ministries helped establish the Digital Identity Committee in 2017.
The country has the Thai National ID Card, which has holder details embedded in a chip. There is near universal coverage for citizens, but the smart card chip is rarely used for opening new accounts or accessing new services, says Prasitsumrit, as the standards on how to use the chip have not been clear. People generally still have to attend government offices and banks in person with their cards and often photocopies of their ID.
The Digital Identity Committee decided to develop the infrastructure to unlock identity for other areas via a trusted ecosystem. Health and education were part of the original discussion, but emphasis was placed on banking, then financial and insurance services. NDID was established as a public-private partnership that is 36 percent publicly owned.
“If it’s government, it will take some time,” notes Prasitsumrit. As it was for all things digital, it needed to work faster than a government agency can.
The majority of NDID’s sixty-plus shareholders are in the financial sector, such as the Thai Banking Association, along with the stock exchange and Post Office. The Bank of Thailand developed a regulatory sandbox for the system and now eleven banks are part of it.
In 2018, the Electronic Transaction Development Agency (ETDA) likewise worked on national standards for levels of assurance aligned with those of NIST. Legislative changes in 2019 allowed the first use of the system by the end of that year.
More than nine million are now enrolled and 35 million (up from 30 million in November 2022) are now at the country’s highest assurance level, 2.3, which requires a smartcard ID, a check against the government’s D.Dopa national IDP and face biometrics.
With these, Thai people are ready to enroll in NDID the next time an opportunity presents itself online, such as wanting to open a new bank or securities account or taking out a loan.
Both a blockchain and bypass
NDID is a “connecting platform,” says Prasitsumrit. As a decentralized ledger, NDID cannot see any of the information passing across it between banks, users, IDPs and authoritative sources; it sees only a log of timestamped access requests.
Users visit a bank in person in the first instance. People are not going to banks to get NDID, says Prasitsumrit, they are going to conduct transactions. They hand over their smartcard ID and undergo a biometric check, where bank staff or cameras compare the person with the photo held in the card – the trusted source. Banks can check fingerprints, but this is not popular. If there is no photo in the system, the bank can take a photo to enroll a person into NDID.
When going through NDID enrollment, users must accept terms and conditions to use NDID before applying for the new service with the relying party. They may not be aware of the company as a brand unless they read the full terms and conditions, says Prasitsumrit, explaining how the platform is very much in the background.
The millions of users enrolled “know there is a difference” even if they never have any interactions with NDID.
This is because they can now open any account or product with registered providers by selecting online the bank where they underwent the KYC and so do not need to visit in person or prove ID again.
Dropout rates for new service sign-ups are falling.
When prompted during sign up, a user selects the bank where they are already enrolled as their ID provider. The target bank – the relying party – sends a request to the selected bank via the NDID ledger.
The bank acting as IDP then notifies the user that it has been selected for ID proofing and takes the user through verification in its own app on their phone, using face biometrics, PIN and registered mobile number.
When the IDP bank has confirmed ID, it notifies the relying party bank back through NDID, with this logged in the blockchain. It then sends the user data to the new bank directly, outside the NDID platform. The user completes registration by creating a new password.
ID is “nothing to do with NDID until there’s a request from a relying party through NDID for an identity provider,” explains Prasitsumrit, as the blockchain neither sees nor stores sensitive data.
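A minimal model of the request flow described above, added here as an illustration and not NDID's own code: the ledger keeps only a hash-chained log of timestamped request events, while the identity record travels directly from the IDP to the relying party. The class names, the hash chaining, the event labels, the sample record and the way the IDP learns which user is meant are all assumptions, since the article does not describe them.

```python
import hashlib, json, time, uuid

def _digest(body):
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

class Ledger:  # hash-chained log of request events only; holds no identity data
    def __init__(self):
        self.entries = []
    def append(self, request_id, sender, receiver, event):
        prev = self.entries[-1]["hash"] if self.entries else "0" * 64
        body = {"request_id": request_id, "from": sender, "to": receiver,
                "event": event, "ts": time.time(), "prev": prev}
        self.entries.append({**body, "hash": _digest(body)})
    def verify_chain(self):
        prev = "0" * 64
        for e in self.entries:
            body = {k: v for k, v in e.items() if k != "hash"}
            if e["prev"] != prev or e["hash"] != _digest(body):
                return False
            prev = e["hash"]
        return True
    def confirmed(self, request_id, idp_name):
        return any(e["request_id"] == request_id and e["from"] == idp_name
                   and e["event"] == "confirmed" for e in self.entries)

class RelyingParty:
    def __init__(self, name):
        self.name, self.received = name, {}
    def receive_direct(self, ledger, idp_name, request_id, record):
        if ledger.confirmed(request_id, idp_name):  # need a ledger confirmation
            self.received[request_id] = record

class IdentityProvider:
    def __init__(self, name, customers):
        self.name, self.customers = name, customers  # KYC records stay here
    def handle(self, ledger, rp, request_id, user_id, authenticated):
        ok = authenticated and user_id in self.customers
        ledger.append(request_id, self.name, rp.name, "confirmed" if ok else "rejected")
        if ok:  # user data goes straight to the relying party, off the ledger
            rp.receive_direct(ledger, self.name, request_id, self.customers[user_id])

def run_flow(authenticated=True):
    ledger, rp = Ledger(), RelyingParty("bank-b")
    record = {"name": "Somchai Example", "id_number": "TEST-ID-0001"}  # constructed
    idp = IdentityProvider("bank-a", {"user-1": record})  # user lookup is assumed
    request_id = str(uuid.uuid4())
    ledger.append(request_id, rp.name, idp.name, "requested")
    idp.handle(ledger, rp, request_id, "user-1", authenticated)
    leaked = any(v in json.dumps(ledger.entries) for v in record.values())
    return ledger, rp.received.get(request_id), leaked
```

In this model the relying party discards any directly delivered record that has no matching confirmation on the ledger, and editing a past entry breaks the hash chain.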
A relying party can verify across multiple IDPs as well as multiple authoritative sources in the process, such as credit scoring agencies.
People have to redo KYC every two to three years, or if they get a new ID card.
Fees are a cost saving
NDID’s business model is taking a fee for connecting relying parties and IDPs.
“It’s like the credit card model, a hundred percent [of the bill] goes to the relying parties,” says Prasitsumrit. It is a fixed fee, not a percentage, and includes two prices: a fee to the IDP, with the remaining fraction going to NDID.
The NDID fee is discounted for government departments using the system.
Verifiable credentials and a digital wallet
NDID is also launching a wallet for verifiable credentials. “For eKYC, we really need a high level of assurance. The bank itself can confirm to open the wallet by using biometrics, so we can ensure the owner of the wallet is really him or her,” says Prasitsumrit.
The company is working with a government department on a proof of concept for VCs for paperwork which a user can then share with their bank.
Universities are already in talks about providing certificates and transcripts as VCs to the wallets.
NDID and MNID: AIS, True and DTAC
Thailand has three telcos – AIS, DTAC and True – which are becoming IDPs. Their scheme is Mobile Network ID (MNID).
The MNID system serves its mobile customers, which is a different segment to NDID, and the two systems may work together on an interoperability scheme along with government services such as D.Dopa.
Technical discussions are underway to determine how a relying party in the NDID platform can request ID proofing through AIS or DTAC and vice versa. Relying parties can choose to go via NDID or potentially MNID, but the hope is that a unified system will offer cost savings.
Growing digital ID landscape
Alongside NDID as the main infrastructure, and MNID which will join it, there is a scheme for digitizing the national ID within the Thailand Digital ID Framework (2022-24). Citizens can take their cards to local government agencies for chip reading and biometric checks to generate the ID in an app.
The Digital Government Development Agency (DGA) is also working with 7-Eleven whose stores are near ubiquitous. Staff authenticate the user against their card details and chip content and send the data back to the DGA which cross-checks with D.Dopa to create a digital ID.
A pilot system is allowing Thais to use mobile digital ID on domestic flights.
Government services are beginning to accept digital transactions such as for paying land tax. In the future, government departments will not be able to refuse the use of digital ID, nor will private providers.
The country is aiming for ten million mobile digitalized ID holders by the end of the year.
The role of biometrics in banking is increasing. The Bank of Thailand is introducing new requirements for face biometrics authentication for certain transfer thresholds.
The future: interoperability and regulation
NDID is the first digital ID platform to have entered and already exited the ETDA sandbox. Digital ID in Thailand is just the beginning. The digital ID landscape is facing many challenges, such as adoption and widespread use cases, new players, interoperability, and regulations. Soon digital ID providers, i.e. platforms and identity providers, will need to prepare to get operator licenses from ETDA. The country is gearing toward high standards and promoting digital transactions, which is in line with the Thai government's 4.0 policy.
The NDID system is still operating within a regulatory sandbox.
“In the future, our concern is about laws and regulations because we have an app already, but we don’t have regulations,” says Prasitsumrit.
NDID is also hoping to test its services with other countries and Mastercard on international issues. The CEO hopes that Thai people will be able to use their mobile banking as proof of identity abroad in the future.
Whatever happens, he hopes to maintain high standards: “Digital ID proving is very important. Once you relax or you loosen that standard, then any fraud transaction that should happen – there’s no point having NDID.”
This post was updated at 12:02pm Eastern on March 25, 2023 to clarify how user permission works and details of the Mobile Network ID.