Digital identity: Trust frameworks

As I wrote in my last blog on digital identity a few weeks ago, we are entering an exciting and fast-paced period of work in this important policy area.

If you are interested in digital identity, or even just the benefits it can bring, a phrase you are going to hear a lot of over the next few months is ?Trust Framework?. The benefits of a digital identity ecosystem are clear for consumers and businesses, and so it's easy to focus only on the outcome. However, the details of how we achieve an outcome is also important and a trust framework is one of those details.

In short, a trust framework is a shared set of ?definitions, requirements, standards, specifications, processes[1]? which acts like a Rosetta Stone for different processes or ways of describing things. One organisation might use a ranking of 1 (low) to 4 (high) to describe how confident they are that someone is who they say they are. Another organisation might use a ?low, medium, high, very high? ranking. Something is needed in the middle so that both organisations can know what the other means and have confidence in how it is converted from one ranking system to another. This can also apply to the processes and methodologies (or standards) used to reach the ranking system. This translation and conversion is what a trust framework does.

The Digital Transformation Agency in Australia has a clear way of describing it. A Trust Framework ?contains the tools, rules and accreditation criteria to govern an identity federation. It provides the required structure and controls to deliver confidence to participants that all accredited providers in an identity federation have met their accreditation obligations and as such may be considered trustworthy. These obligations cover privacy, protective security, accessibility and usability, risk management, records management, fraud control, technical integration, service operations, identity proofing and authentication credential management.?[2]

Why is it important? We all use our identity across organisations and sectors of the economy. For example, we use our passports to open a bank account. That means separate organisations (a financial institution and the government in this case) need to trust one another. In an increasingly digital economy we are doing this less in person and more often online. As such we need a way to translate these different systems from one organisation to another over the internet that everyone trusts. If we don't have a system in place, trust is hard to establish and the chain can't operate. A trust framework provides that clarity and trust to each of the organisations across the transaction online.

What's going on and why will we be hearing about this over the next few months? In September the Department for Digital, Culture, Media and Sport (DCMS) released its response to its 2019 Call for Input on Digital Identity, and outlined its workplan based on the feedback it received. One area it focused on as a specific point of work was the development of standards and rules for the use of digital identity in the UK. Through a questionnaire released in October and through listening sessions in November, DCMS has now announced that it will be working to incorporate those standards and rules into a draft trust framework. The Minister for Digital Infrastructure announced this will be released as an Alpha in the new year. From a financial services perspective it will be important that this trust framework enables key use cases such as onboarding (in line with Customer Due Diligence, Know Your Customer (KYC) and Anti Money Laundering (AML)), mortgages and payments. Getting it right will be vital if a digital identity ecosystem is to develop, so we look forward to working with DCMS on it.

Area of expertise: