Page 64 - ITU-T Focus Group Digital Financial Services – Technology, innovation and competition
be identified across financial service providers, thus significantly simplifying the account opening KYC process
and regulatory compliance, to the benefit of both the banks and their customers. It is expected that the BVN
programme will be extended to the DFS sector in the coming months.
There are moves to ‘harmonise’ BVNs and the national identity numbers (NINs) issued by NIMC, with the NIN
being the primary identifier and the BVN being a secondary field. However, given the relative ubiquity of BVNs
when compared to NINs (and NIMC cards), this process may take some time.
7.3.2 Liability
The gap between consumer awareness and industry use of personal data defines a requirement for consumer
protection beyond the realms of consent.
Consent legislation is becoming increasingly undermined by unrealistic expectations placed on the consumer
to understand what they are consenting to. As this trend develops, there is a need to establish regulation
(where there are deficiencies) defining standards of conduct between consumers and the entities which use
their data; to establish best practice guidelines; and to promote their adoption.
8 Recommendations
Recommendation 1: At the time of registration, a DFS operator should create a digital identity for their
customers, for use in both DFS transactions and (where relevant) in identity assertion with external service
providers:
• This transactional identity should be derived from a state-issued foundational identity to ensure reliability,
flexibility, and control.
• Clearly this is not possible if there is no state-issued foundational identity service that can support the
validation of a foundational ID against the national identity service in quasi-real time. In this case, see
Recommendation 2, below;
• Ensure that the transactional eID is authenticated locally, not remotely, to ensure maximum security;
• Ensure authentication (local) is separate from authorisation (centralised);
• Make provision for periodic re-verification of identity attributes.
Recommendation 2: Where a customer is unable to provide a foundational document of digital identity,
consider the issuance of a dynamic, self-asserted digital identity, which may be ‘stepped up’ over time and
as required.
• The LoA of this digital identity should be developed over time, as required to access new services, by
measures such as:
    • Associating a strong form of authentication such as biometrics (see the limitations of biometrics
    described in Section 3.2.3) with the identity, so that the service provider can be assured that the
    same person is accessing the service on each occasion;
    • Attaching an attribute - noting sponsorship/endorsement from someone who does have the necessary
    documentation/state-issued digital identity;
    • Verifying the 2FA opportunity presented by a self-asserted mobile phone number, backed by SIM
    registration;
    • Adding additional attributes as further documentation, which may be subject to validation, becomes
    available;
    • Noting repeated/consistent usage of the digital identity over a period of months.