Voice of the Industry

Cross-border digital identity and onboarding

Tuesday 19 May 2020 07:39 CET | Editor: Simona Negru | Voice of the industry

Adam Cooper, ID Crowd, explains why when one considers cross-border use of digital identity, what one really means is recognition of digital identity in other contexts 

Countries all over the world are working on or implementing digital identity systems. Almost always, these identity systems are specific to the nation sponsoring their creation, based on national laws, cultural preferences, and local requirements. But identity in general is something that we use everywhere, not just in our home country; thus, in the same way that people are mobile, so should be their ability to assert identity in a digital context.

Identity is also an enabler, a building block of digital economies, and a means of service transformation, as it makes services easier to access, particularly for those who most need to transact, whether that be financial, access to education, or access to healthcare.

Understanding digital identity in different contexts 

When we consider cross-border use of digital identity, what we really mean is recognition of digital identity in other contexts, i.e. an identity from one country being used to access services in another country, not because it is the same type of identity as in the second country but because it can be understood and can be trusted. The European Union created a law defining such a system, the eIDAS Regulation, which enables compliant EU member state digital identities to be used in any EU country for access to public services, and in time, private sector services. This is achieved through the creation of a trust framework that supports the concept of mutual recognition of digital identities.

One of the key aspects of eIDAS is that it does not insist on the harmonisation of identity systems. Instead, it provides a reference point, a set of outcome-based standards, against which each country can measure its digital identity system so that other countries can understand the level of trust conveyed when individuals authenticate with an identity obtained from their country of residence. In this model, each country is free to implement the digital identity systems most appropriate for its internal needs, but can still enable its citizens and residents to use their identities to access services in other countries.

The concepts behind eIDAS, particularly that of mutual recognition, are being actively explored in other jurisdictions and geographic areas. For international trade law purposes, the UN is working on a means of enabling a trust scheme allowing public and private sector digital identities to be recognised at potentially global scale. There is also increasing interest in countries with highly mobile populations, as seen in many African states. Recognition of schemes and identities holds many advantages in these situations, such as making it easier to trade, cross borders, and prove eligibility to access services as citizens go about their daily lives.

Equivalence, interoperability, and liability: a constant quest 

So how do we create the right conditions for mutual recognition and enable people to use their digital identities in another country or jurisdiction? The three largest problems to solve are equivalence (of identity), interoperability (between the underlying systems and services), and liability (who is responsible when something bad happens such as eID being used to enable fraud).

The answer is to seek outcome-based equivalence to a reference standard that all participants can accept, thereby creating a common language that describes the trust level for each digital identity regardless of which participant scheme created it. When we talk about equivalence we often speak in terms of levels of assurance and how we ‘map’ from one scheme to another. For example, the eIDAS Regulation defines a common set of levels of assurance (LoA) that all participating identity schemes measure their capability and issued identities against. Many potential reference points for LoA exist, such as those provided by NIST, ISO, and eIDAS, but schemes may also decide to create their own derivatives as long as all participants agree on a single reference point. 

How do we ensure that digital identities once created comply with these reference standards? Under eIDAS this is achieved through a mechanism of cooperation between countries which draws heavily on EU law. More practically, certification is a proven and well understood mechanism for gaining confidence in the compliance of a system to certain standards.

To achieve technical interoperability, there needs to be a means of transferring assertions containing the result of authentication and any required attribute data between the provider of identity and the consuming service (relying party). This can be achieved, as in eIDAS, with a common technical specification for these assertions and rules for the authentication process that each party understands.

Alongside these assertions there must be a conveyance of trust at the technical level, usually provided through cryptographic means including digital signatures or public key encryption. Technically, this interoperability could be implemented in many ways and supports self-sovereign as well as more traditional node infrastructures.
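The equivalence mapping and the signed assertion described above can be combined into a single relying-party check. The sketch below is an added example, not part of the original editorial or of any eIDAS specification: the scheme names, their level names, the mapping tables and the keys are all constructed, and HMAC-SHA256 stands in for the scheme's digital signature so that the code runs with the Python standard library only.

```python
import hashlib
import hmac
import json

# Shared reference point, weakest to strongest (the eIDAS level names).
REFERENCE_LOA = ["low", "substantial", "high"]

# Constructed mapping: how each hypothetical scheme's own levels map onto
# the reference levels that all participants have agreed on.
SCHEME_TO_REFERENCE = {
    "scheme-a": {"basic": "low", "verified": "substantial", "in-person": "high"},
    "scheme-b": {"1": "low", "2": "low", "3": "substantial", "4": "high"},
}

# Constructed demo keys. A real deployment would verify an asymmetric
# signature against the issuing scheme's published public key instead.
SCHEME_KEYS = {"scheme-a": b"demo-key-a", "scheme-b": b"demo-key-b"}


def _tag(key, claims):
    # Canonical JSON so issuer and relying party authenticate identical bytes.
    data = json.dumps(claims, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def issue_assertion(scheme, subject, scheme_loa):
    """Identity provider side: state the scheme-local level and sign it."""
    claims = {"scheme": scheme, "subject": subject, "loa": scheme_loa}
    return {"claims": claims, "tag": _tag(SCHEME_KEYS[scheme], claims)}


def accept_assertion(assertion, required_loa):
    """Relying party side: return (accepted, reference level or reason)."""
    claims = assertion.get("claims")
    if not isinstance(claims, dict) or not isinstance(claims.get("scheme"), str):
        return False, "malformed assertion"
    key = SCHEME_KEYS.get(claims["scheme"])
    if key is None:
        return False, "unknown scheme"
    presented = str(assertion.get("tag", "")).encode()
    if not hmac.compare_digest(_tag(key, claims).encode(), presented):
        return False, "bad signature"
    # Only after the assertion is authenticated is its level interpreted.
    mapped = SCHEME_TO_REFERENCE[claims["scheme"]].get(str(claims.get("loa")))
    if mapped is None:
        return False, "unmapped level"
    if REFERENCE_LOA.index(mapped) < REFERENCE_LOA.index(required_loa):
        return False, "level too low: " + mapped
    return True, mapped
```

The relying party never needs to understand the issuing scheme's own level names; it only compares the mapped reference level with what its service requires, and it rejects anything it cannot authenticate or map.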

We also need to know who takes responsibility when things go wrong. Defining liability in digital identity systems is vital: it engenders trust between those providing and those consuming digital identities, and it should show clearly who is responsible when incidents occur. The key is to ensure that the provider of identity is liable for damage caused by intentional or negligent failure to comply with its obligations as defined by the cross-border identity scheme, such as failing to verify the identity of individuals holding a digital identity, or failing to implement measures to guard against data breaches.

Finally, there is governance, a means of agreeing the rules and standards for equivalence, interoperability, and liability, and a mechanism that encourages those running compliant identity schemes to work together in an impartial forum.

The editorial was first published in the Digital Onboarding and KYC Report 2020, which offers insightful editorials on topics such as digital onboarding best practices and key challenges, financial crime and how to fight it, crypto, and more.

About Adam Cooper

Adam Cooper is a technical consultant to the World Bank ID4D programme, and an advisor to international initiatives such as the UN Commission for International Trade Law, the MOSIP Modular Open Source Identity platform, and the Scottish Online Identity Assurance Programme. 

 


About ID Crowd

ID Crowd specialises in mitigating business and technology risks relating to identity, helping clients understand how to better trust their customers and the businesses they transact with. We understand the critical and interrelated concepts of digital identity and trust together with the various threat vectors including cyber-attack, identity and eligibility fraud. 



Keywords: Adam Cooper, ID Crowd, cross-border, digital identity, onboarding, digital economies, eIDAS, regulation, EU, equivalence, interoperability, liability, fraud, identity scheme, data breaches, public key, encryption, digital signatures
Categories: Securing Transactions | Digital Identity, Security & Online Fraud
Countries: World