Develop a national strategy for a federated-style model of trusted digital identities.
Government should, in consultation with the private sector, develop a national identity strategy based on a federated-style model in which public and private sector identity providers would compete to supply trusted digital identities to individuals and businesses.8
Government should identify a minister responsible for the strategy. The strategy should detail policy principles for the model (see below), intended outcomes, an implementation approach, and a high-level structure for the trust framework9 needed to implement the model. Consideration should also be given to initial seed funding if required; for example, for pilot projects.
The model should be:
- Voluntary, and enable consumer choice and convenience.
- Transparent and privacy enhancing.
- Cost effective, flexible and innovative, and enable the best use of technology.
- Secure, resilient and interoperable.
A joint public–private sector taskforce should be established to develop the detail of the trust framework and standards required to deliver the model. Standards would need to address identity proofing, authentication, sharing of legal liability, fraud, accreditation mechanisms for identity providers and the role of trust brokers.
- Articulate a strategic vision and coordinated approach to digital identity management in Australia that enables the development of a competitive, innovative and dynamic market for identity services and maximises network benefits.
- Improve the efficiency of digital identity processes in the financial system, minimise costs and regulatory burden for institutions, and draw on the respective strengths and expertise of the public and private sectors.
- Facilitate innovation by improving consumer choice and convenience, and reducing friction in the digital economy.
- Ensure digital identity management processes help to prevent crime, improve security and enhance privacy.
Box 8: The future of digital identity
Digital identity relates to how parties — whether individuals, businesses or government — confirm the identities of other parties for online financial transactions. Currently, this usually involves two main stages:
- Identity verification. For an individual, this is based on confirmation of attributes such as name, date of birth and address using government-issued, paper-based credentials like drivers’ licences and passports. Increasingly, these attributes are able to be verified via online mechanisms.
- Identity authentication. After identity verification, the individual will usually be issued with credentials they can use to authenticate they are the right person when attempting to access a service. These credentials often include a user name and password plus a token or e-certificate for additional security. Over time, other methods incorporating biometrics may become more common.
The Inquiry’s recommended strategy for a federated-style system of trusted digital identities would improve convenience and security for individuals by reducing reliance on paper-based mechanisms; enhance privacy and enable consumer choice in identity providers; improve efficiency by reducing repetitive processes undertaken by individuals, businesses and government, and reducing the number of credentials managed by each party; and facilitate innovation and best use of technology through the development of a competitive market for identity services.
Problem the recommendation seeks to address
Participants in Australia’s financial system have always needed, and continue to need, confidence in people’s identities. Australia’s current identity infrastructure is fragmented, consisting of a largely uncoordinated network of identity credentials.10 The system has developed organically, driven by different standards, policies and legislative requirements. Australia has no clear strategic vision for digital identity management and, consequently, little coordination and limited ability to attain potential network benefits that would lower costs and reduce duplicative processes. Many public sector stakeholders have interests in digital identity management and, although Government has some existing governance mechanisms, the lack of clear ownership of identity policy is impeding progress.
Previous industry attempts to coordinate on identity issues have been unsuccessful, such as the Trust Centre initiative announced in 2006 involving a number of the major banks. Despite the potential efficiency benefits, competing commercial interests have limited industry’s ability to collaborate.11
Consumers’ preferences for accessing financial services online are increasing the need for efficient and secure digital identity solutions. Australia’s current approach to identity management results in significant process duplication, as individuals apply to, and government and businesses undertake to, verify and re-verify identities at multiple points. Traditionally, identity verification has involved paper-based and face-to-face processes, which are slow and onerous for consumers, and costly and cumbersome for organisations.
Of eight major streams of regulatory reform since 2005, research by the Australian Bankers’ Association (ABA) shows industry project expenditure has been highest in relation to the Anti-Money Laundering and Counter-Terrorism Financing Act 2006, which includes Know Your Client (KYC) identification rules.12 Anti-money laundering (AML) projects have resulted in an estimated $725 million in expenditure (more than three times as much as the next highest expenditure, which related to the United States’ Foreign Account Tax Compliance Act), highlighting the KYC regulatory burden and the potential to reduce costs by improving identity processes.13
Fraud concerns are increasing, and the Australian Institute of Criminology observes that “Criminal misuse of identity not only impedes consumer activity and confidence in the financial system, but costs business and government substantial sums in responding to and preventing these crimes”.14 In 2011, Australians lost an estimated $1.4 billion through personal fraud incidents.15 Each year, an estimated 4–5 per cent of Australians experience identity crime resulting in financial loss.16 Identity theft and false identities are key enablers of superannuation fraud, and serious and organised crime.17 An enhanced digital identity infrastructure can help to reduce this risk.
Existing elements for a federated-style model
Australia already has a number of elements in place for a federated-style system of trusted digital identities, as set out in Table 7: Existing elements for a federated-style model.
| Element | Description |
|---|---|
| Document Verification Service | A secure online service that enables government agencies, financial institutions and other businesses to verify information on identity documents directly with the document issuing agency |
| Third Party Identity Services Assurance Framework | Framework and standards for accrediting commercial identity service providers, issued by the Department of Finance |
| National e-Authentication Framework | Framework and standards for authenticating the identity of another party to a desired level of assurance or confidence |
| National Identity Proofing Guidelines | A best-practice, risk-based approach for government to verify the identity of a person using evidence to meet the required level of assurance |
| Gatekeeper Public Key Infrastructure Framework | A framework that enables accredited third parties to provide digital certificates for verifying and authenticating identity when dealing with public sector agencies |
| myGov digital credentials | Provides secure single sign-on access to various government services including Medicare, Centrelink, electronic health records, the Australian Taxation Office, and a digital mailbox to receive government correspondence |
| VANguard | Delivered by the Department of Industry, VANguard acts as a ‘trust broker’ for business-to-government and government-to-government transactions. It provides authentication services that enable government agencies to accept a business user’s previously established digital credentials such as AUSkey, Medicare and Verisign |
| Australian Business Register | Provides business identification services for dealing online with government, including issuance of a unique identifier, known as an Australian Business Number (ABN) |
| AUSkey | Linked to the ABN, AUSkey is a secure digital credential that authenticates the identity of businesses for online transactions with Commonwealth, state, territory and local government agencies |
| Private sector digital identity credentials | Many private sector organisations, such as banks, already have high-quality and high-assurance digital credentials in place |
International and other developments
Other countries have adopted various approaches to digital identity. As noted in the Interim Report, the United States, the United Kingdom and Canada have adopted federated models. New Zealand, India and Estonia have syndicated models, with high-assurance, government-issued credentials incorporating biometrics designed to enable digital service delivery. Private sector initiatives include the work of organisations such as the FIDO Alliance, Open Identity Exchange and Edentiti.19
For entity identification, international developments include initiatives to develop a Global Legal Entity Identifier System to provide unique identifiers to companies participating in global financial markets.20 The aim is to create legal entity identifiers for each entity to enable improved efficiency in global transactions.
Developing a national identity strategy based on a federated-style model, with a framework and common standards, would support the growth of a competitive market in identity services that enables best use of technology and promotes innovation. A federated-style model suits the Australian context as Australia has not had a history of government-issued identity cards and has a strong privacy ethos compared to other jurisdictions. This model has the potential to provide consumers with choice and convenience while enhancing privacy. Australia already has in place many foundational elements for a federated-style system, and this model seeks to leverage and build on these existing effective elements.
The Inquiry considered different models as a basis for a national digital identity strategy:
- Recommended: Develop a national identity strategy based on a federated-style system in which public and private sector identity providers compete to supply trusted digital identities to individuals and businesses. Government (in consultation with the private sector) sets up a trust framework and standards to facilitate a competitive market in identity services, and enable consumer and business choice in credentials.
- Develop a national identity strategy based on a syndicated model in which a single government identity credential is issued to provide individuals (and businesses) with single sign-on access to public and private sector services.
Option costs and benefits
National strategy for a federated-style identity model
Developing a national strategy in consultation with the private sector would support both common understanding and stakeholder buy-in. Innovation would be enhanced by a competitive market for identity providers. Several submissions note the importance of enabling continuing innovation in identity solutions.21 One industry body has already indicated its willingness to help coordinate industry-wide views.22 Another stakeholder supports a decentralised model, as relying on multiple possible corroborating sources of identity may prove more secure over the long term.23
Currently, identity must be verified and authenticated at multiple points during the provision and consumption of financial services. A streamlined process would reduce the high compliance costs associated with AML KYC requirements. Within Government services, improvements in identity management are already delivering significant efficiency gains, as shown in Box 9: myGov case study — quantification of efficiency benefits below. The efficiency benefits of implementing coordinated digital identity management across the entire financial system are likely to be many multiples of the estimates shown below.
Box 9: myGov case study — quantification of efficiency benefits
myGov is an online gateway to multiple government services using a single set of digital credentials. Almost one in three adult Australians are now registered to access government services via myGov.24 The Department of Human Services conservatively estimates that myGov will generate around $547 million in efficiency savings and reduced red tape burden over 10 years, as shown in the table below.25
Considerable work is underway to simplify digital identity processes and expand the usage of myGov to other government agencies at both the Commonwealth and state/territory levels. myGov’s efficiency benefits indicate it has the potential to play an ongoing and significant role in Australia’s future identity model.
| myGov element | Efficiency improvements | Average annual savings |
|---|---|---|
| 1. Account creation and linking | Time, cost and resource savings from reduced duplication in identity verification processes and creation of accounts | $1.7 million |
| 2. Account management | Time, cost and resource savings from having a single account and set of credentials rather than multiple accounts | $28 million |
| 3. Easy access to multiple services | Improved convenience and time savings to authenticate identity for linked services | $9 million |
| 4. Easy access to digital mail | Improved convenience and time savings with single log‑in to one mailbox for all linked services | $2 million |
| 5. Managing mail | Time savings from single mailbox and reduction in managing physical mail | $14 million |
Enhanced digital identity processes improve efficiency and security across the digital economy. Even in the current fragmented identity environment, one firm’s shift to electronic methods for identity verification has reduced costs by more than 30 per cent.26 This firm also observed that 86 per cent of fraud and suspected money laundering events occurred where accounts had been established using face-to-face document verification after initial electronic verification failed. In contrast, 14 per cent of fraud and suspected money laundering events occurred when accounts had been opened using electronic verification.27 A number of submissions note that increased access to government data would also improve data matching rates for identity verification.28
A federated-style identity model would involve implementation and set-up costs for both Government and the private sector. This would include the initial investment to develop a trust framework. Appropriate privacy protections and mechanisms would need to be considered to maintain consumer confidence and trust in the system. Mechanisms for ongoing public–private sector collaboration and review could also be required.
National strategy for a syndicated identity model
A syndicated (centralised) system of digital identity across public and private sector services has the potential to generate the most significant network benefits. One submission advocated developing a single database for KYC to meet all local and global identity requirements to maximise cost savings.29 However, a syndicated model with a high-assurance digital identity for use across the economy also involves significant costs for Government and potentially the private sector.
Public sector stakeholders indicate that current Government deployment of identity services could not be expanded simply. It would require significant further investment to ensure adequate assurance levels. For the private sector, a Government-operated system could present costs in terms of adapting to Government-issued credentials and future flexibility. It could impede the adoption of innovative solutions and deployment of the best available technology, reducing overall efficiency over time.
Many Australians may object to this option on the basis of privacy concerns. It could be viewed as a digital version of the unpopular Australia Card initiative, which was rejected in 1987, or the Access Card, which was terminated in 2007.30,31
A national strategy based on a federated-style model best balances the attainment of network benefits with ongoing innovation in digital identity solutions, contributing to overall financial system efficiency. It draws on the strengths of the public and private sectors and facilitates the best use of technology. It enhances consumer choice and convenience and, with appropriate design, could enhance privacy and security. A coordinated approach would also facilitate innovation across the broader economy by helping to reduce ‘e-friction’.
A syndicated model potentially presents significant network benefits. However, there would be a trade-off with ongoing innovation in digital identity solutions, as the Government-issued identity credential would be locked in as the single solution across the system and any innovative changes would need to be driven by Government. Maintaining such a solution would be at significant cost to Government, could produce less flexible outcomes and could impede the continued best use of technology. Over time, this could result in less efficient outcomes for the financial system compared with a federated-style model.
The Inquiry believes a federated-style model is preferable on the basis of cost, innovation and efficiency, and future flexibility for consumers, businesses and Government.
Public–private sector taskforce and timing
The Inquiry recommends establishing a joint public–private sector taskforce with a set operating time frame; for example, over a 12-month period concluding at the end of 2015. The taskforce should consist of public and private sector stakeholders and, where possible, be representative of multiple sectors and levels of government. Terms of reference should be published and include dates for major milestones.
The taskforce should select a small number of pilot programs to be completed over the next two years to inform its development of the trust framework. It should consider whether any interim steps are needed to prepare for implementing the digital identity model. Steps might include amending AML KYC requirements, expanding government datasets included in the Document Verification System (DVS), enabling broader access to DVS, and changing privacy requirements for access to, and use of, certain datasets.
The taskforce should also consider establishing a mechanism to enable private sector input into the ongoing review and maintenance of the trust framework to ensure it remains fit for purpose.
8 A federated model is a decentralised model where multiple identity credentials are produced by government and commercial providers to provide access to public and private sector services in a contestable market. In contrast, under a syndicated model, a single identity credential is issued, typically by government, providing single sign-on access to public and private sector services.
9 A trust framework is an agreed set of standards and rules that enables parties accepting digital identity credentials to trust the identity, security, and privacy policies of parties issuing credentials, and vice versa. OIX Open Identity Exchange 2014, Trust Frameworks, OIX Open Identity Exchange, viewed 19 November.
10 No single government identity credential exists; instead, approximately 20 government agencies manage more than 50 million core identity credentials. A comparable number of credentials are also issued by private sector and other organisations. Sourced from Attorney-General’s Department 2014, National Identity Proofing Guidelines, Draft Version 5.1, Commonwealth of Australia, Canberra, page 3. Refer also to the Interim Report for further discussion.
11 The 2006–07 Trust Centre was initiated by Westpac and involved St.George Bank, National Australia Bank and the Commonwealth Bank. Refer to Finextra 2006, ‘Westpac backs customer ID management initiative’, Finextra, 10 November, viewed 29 September 2014; Finextra 2007, ‘Westpac exits The Trust Centre’, Finextra, 27 November, viewed 29 September 2014.
12 Australian Bankers’ Association 2014, data provided to the Financial System Inquiry, 9 July 2014.
13 The other six streams were the ePayments Code, Financial Claims Scheme, Future of Financial Advice reforms, National Consumer Credit Protection Act 2009, over-the-counter derivatives reforms and privacy reforms.
14 Smith, R G and Hutchings, A 2014, Identity crime and misuse in Australia: Results of the 2013 online survey, Research and Public Policy Series 128, Australian Institute of Criminology, Canberra, page ix.
15 Australian Bureau of Statistics (ABS) 2012, Personal Fraud, 2010–2011, cat. no. 4528.0, ABS, Canberra.
16 Attorney-General’s Department 2014, National Identity Proofing Guidelines, Draft Version 5.1, Australian Government, Canberra, page 3.
17 Australian Crime Commission 2011, Organised Crime in Australia 2013, Australian Government, Canberra, pages 26, 43–45, 78.
18 Based on a number of Australian Government sources: Attorney-General’s Department (AGD) 2013, Documentation Verification Service — About DVS, Canberra; Australian Government Information Management Office (AGIMO) 2013, Third Party Identity Services Assurance Framework, Department of Finance, Canberra; AGIMO 2009, National e-Authentication Framework, Department of Finance and Deregulation, Canberra; AGD 2014, National Identity Proofing Guidelines, Draft Version 5.1, Canberra; AGIMO 2009, Gatekeeper Public Key Infrastructure Framework, Department of Finance and Deregulation, Canberra; Australian Government, About myGov, Canberra; Australian Government, VANguard Government Authentication Services: About us, Canberra; Australian Business Register 2014, Second round submission to the Financial System Inquiry.
19 FIDO Alliance 2014, About the FIDO Alliance, FIDO Alliance, viewed 1 October 2014; Open Identity Exchange (OIX) 2014, About, OIX, viewed 1 October 2014; Edentiti 2014, Home, Edentiti, viewed 1 October 2014.
20 Legal Entity Identifier Regulatory Oversight Committee (LEIROC), The Legal Entity Identifier Regulatory Oversight Committee — LEIROC, LEIROC, viewed 1 October 2014.
21 Refer, for example, to National Seniors Australia 2014, Second round submission to the Financial System Inquiry, page 30; Centre for Digital Business 2014, Second round submission to the Financial System Inquiry, page 24.
22 Australian Payments Clearing Association 2014, Second round submission to the Financial System Inquiry, page 17.
23 Centre for International Finance and Regulation 2014, Second round submission to the Financial System Inquiry, page 20.
25 Department of Human Services 2014, data provided to the Financial System Inquiry, 23 September 2014.
26 ING Bank Australia 2014, Second round submission to the Financial System Inquiry, page 1.
27 ING Bank Australia 2014, Second round submission to the Financial System Inquiry, page 1.
28 Refer, for example, to Association of Superannuation Funds of Australia 2014, Second round submission to the Financial System Inquiry, page 121; and ING Bank Australia 2014, Second round submission to the Financial System Inquiry, page 2.
29 Stockbrokers Association of Australia 2014, Second round submission to the Financial System Inquiry, page 11.
30 Fraser, A 2014, ‘MPs urged to spruik doomed Australia Card’, The Australian.
31 Centre for Digital Business 2014, Second round submission to the Financial System Inquiry, page 9.