Digital identity services in Bermuda
There is steep demand for the ability to authenticate a person’s identity through the use of a trusted repository of their digital information.
In response to that growing demand, the Bermuda Monetary Authority has taken a first and vital step towards the regulation of digital identity service provider businesses in Bermuda.
On November 22, the island’s financial services regulator published proposals and a request for feedback on this topic titled Consultation Paper: Regulation of Digital Identity Service Provider Business.
The DISP consultation provides an extremely conscientious and thoughtful proposal for a DISP licensing regime and discussion of many of the issues that other regulators of DISP businesses must grapple with.
These include qualifying technical service standards, cybersecurity risk management, compliance with privacy law, the complications for DISP outsourcing and related authority for continuing oversight and enforcement.
In a concerted effort to seek the guidance and advice of all potential stakeholders and the public the BMA seeks to protect, the DISP consultation asks 18 specific and probative questions that focus on some of the more challenging aspects of its regulatory proposals.
Some of those questions assume a detailed knowledge of how digital ID systems work across multiple participants.
For example, question 11: “Do you think (regulated financial institutions) should adapt their online services to accept digital ID logins to access their proprietary systems, thus unlocking the convenience of ‘single sign-on’ for digital ID users?”
The more feedback and advice that the BMA can receive on this much needed initiative, the better and faster the solution will arrive to cure the present quagmire of incessant and time-consuming demand for “know your customer” personal information and related manual identity verification materials.
Moves in the direction of digital identity verification by governments, inter-governmental bodies and the private sector have been going on for about 35 years.
In 1989, the G-7 created the Financial Action Task Force as an independent inter-governmental body to promote countermeasures and policies necessary to address the growing global concern about money laundering, terrorist financing and the proliferation of weapons of mass destruction.
In the decades that followed, many governments around the world ventured into the realm of identity verification, including early attempts in Canada to merge driving licences and health ID cards into “smart cards” that would allow biometric access to a consolidated database for ease of online access and identity verification.
In March 2020, as a reflection of IT advances in data management, FATF published its Guidance on Digital Identity to promote the creation, adoption and regulation of digital ID systems that can be used and relied upon to securely, quickly and efficiently identify persons who are low-risk participants in global finance, investment and corporate management.
One of the most important recommendations of the GDI was for governments to create a “digital ID assurance framework” for the assessment, certification and continuing regulatory oversight of reliable digital identification service providers.
Certainly, the demand for one-stop identity verification services is rapidly increasing because regulators, regulated entities, individuals and corporations must constantly spend huge amounts of management time and expense verifying either their own identity to others or verifying the identity of those with whom they wish to do business or regulate.
The GDI was generally agnostic about how any combination of digital identity services might be configured to achieve those ends, and many jurisdictions around the world have (before and after the GDI) launched a wide range of digital ID systems.
Some are governmental, some are offered as public-private sector partnerships, and other jurisdictions have created regulatory regimes for the certification of trusted, private sector DISPs.
In 2022, Britain launched its own GDI initiative called the UK Digital Identity & Attributes Trust Framework, which seeks to encourage the launch of private sector digital identity solutions to meet those market demands.
Under the supervision of an Office for Digital Identities and Attributes, the UK DIATF defines the rules, standards and governance oversight for all DISPs.
The UK DIATF includes a certification regime to provide the public with assurance that the digital identity services they subscribe to will be secure, reliable and will be administered under the watchful eye of the Office for Digital Identities.
Kudos to the BMA for this recent initiative, and I hope that all other public policy and regulatory reform in Bermuda will follow the BMA’s thoughtful consultative lead.
First Published in The Royal Gazette, Legally Speaking column, December 2024
