On April 4, 2022, the FDIC and FinCEN Digital Identity Tech Sprint (Tech Sprint) concluded with a Demonstration Day where eight teams of participants demonstrated their solutions to an expert evaluation panel. Through the Tech Sprint, the FDIC and FinCEN challenged the teams to develop solutions to help measure the effectiveness of digital identity proofing, the first step in the creation and use of digital identity credentials. Identity proofing is a process used to collect, validate, and verify information to establish that the identity is unique, exists in the real world, and is bound to an individual.
The teams’ solutions attempted to answer this Tech Sprint challenge question:
“What is a scalable, cost-efficient, risk-based solution to measure the effectiveness of digital identity proofing to ensure that individuals who remotely (i.e., not in person) present themselves for financial activities are who they claim to be?”
The Tech Sprint solution considerations included increasing efficiency and account security; reducing fraud and other forms of identity-related crime, money laundering, and terrorist financing; enabling technology accessibility; and fostering customer confidence in the digital banking environment. The Tech Sprint panel, consisting of representatives from the FDIC and FinCEN, publicly recognized three teams of participants, noted below, whose solutions displayed the greatest creativity, market readiness, or effectiveness and impact.
The presentation videos can be found at https://www.fdic.gov/fditech/techsprints/measuring-effectiveness.html.
The Tech Sprint teams proposed solutions that followed one of three distinct approaches: a) tools that would measure the effectiveness of identity proofing systems, b) development of a scoring methodology for remote identity proofing, and c) envisioning an identity provider consortium or platform. Several team solutions also attempted to combine more than one of the three elements, articulated roles for both the public and private sectors, called for partnerships, and identified funding mechanisms.
One proposed solution for measuring the effectiveness of identity proofing systems included a tool and analysis process to identify gaps in an organization’s existing digital identity proofing processes relative to known threat vectors; using that information, the tool would provide recommendations for the organization to address the identified gaps.
Proposed solutions with scoring methodologies for remote identity proofing varied by their focus and approach. Some included novel measurement matrices and checklists; others leveraged existing tools, products, and frameworks. There were proposals for new examination programs for digital identity proofing solutions, and new infrastructure, including an identity clearing house utility.
The proposed identity provider solutions encompassed development of a shared platform for proofing identities and assessing technologies, a trusted credential network, and a collaborative identity data sharing solution between the public and private sectors, similar to the one that exists for cybersecurity.
The roles of the public and private sectors varied in each of the eight proposed solutions, ranging from primarily public or private sector to public-private partnerships. The proposed public sector responsibilities ranged from the provision of ongoing or seed funding, to standard setting and regulatory guidance, to hosting technology pilots with safe harbor provisions to facilitate solutions (regulatory sandboxes).
Multiple participating teams referenced the use of source verification, interoperability, and emerging technologies such as zero-knowledge proofs and multi-party computation for secure, privacy-protecting data sharing. Several proposals recommended the use of emerging digital identity standards, including the World Wide Web Consortium (W3C) Verifiable Credentials and ISO-compliant mobile driver’s licenses.
Proposed solution summaries
Team 1: Identity Ninjas
Identity Ninjas proposed a free, open source identity-advisor tool to help financial institutions identify digital identity proofing process gaps and provide customized, actionable recommendations. The proposed conformance (or evaluation) tool is intended to measure the effectiveness of an organization’s identity proofing process against existing or known threat vectors. It is also intended to provide insight into how threats are ranked or measured, and the circumstances under which mitigation would be required. A consortium, whose members would include financial institutions, regulators, solution/technology providers, and academia, would oversee and maintain the tool. A private sector trade group could create the governance and orchestrate the site, with academia weighing in. Regulators would contribute funding and content to the solution. In exchange, the proposal suggested regulators would benefit from the insights on emerging threats and technologies.
Team 2: Team Manatoko
Team Manatoko proposed a shared identity provider platform to orchestrate technologies and frameworks through enriched identity data obtained from multiple public and private sources shared across banks, money service businesses, and virtual asset service providers. It is also intended to measure vulnerabilities in financial institutions’ technology and processes using established methodologies and provide peer benchmarks and recommended best practices. The team maintained that, with regulatory support, the platform would enable the sharing of customer data and insights across financial institutions.
Team 3: Team DNS
Team DNS proposed establishing a trusted credential network with a shared governance model, overseen by a non-profit or a public-private partnership (PPP), and a technical approach for a pilot through a regulator-sponsored sandbox. The network participants would include data providers, credential issuers, identity providers, and relying parties operating under an accreditation agreement. The non-profit or PPP, with input from financial firms and regulators, would test and assess governance requirements, economic impact, and technical constraints.
Team 4: Team ConfIDence (Recognized in the Creativity category)
Team ConfIDence proposed a regulatory-sponsored identity verification scorecard and testing sandbox environment to drive innovation in effective and compliant identity proofing for remote onboarding over digital channels. The worksheet-based scorecard would encompass the digital identity proofing’s level of assurance in validation, verification, and authentication, regulatory compliance, inclusion, security, and adoptability for a given identity. The innovation sandbox, initially funded by regulators, is intended to provide a safe harbor for participants to test solutions and drive adoption by solution providers. Under this proposal, the ecosystem participants would eventually fund the sandbox.
Team 5: Team This is Me
Team This is Me proposed a two-step approach with a measurement matrix and checklist to measure the effectiveness of identity proofing mechanisms and the creation of an examination program to evaluate solutions. The solution would encompass decision trees to assess customer risk according to the NIST identity proofing levels, platforms for automating and storing of data, and functionality to capture customer interaction and satisfaction. Document exceptions discovered in the decision trees would be broadcast to the entire ecosystem, creating dynamic identities. The proposed regulatory mandates include financial institutions using multiple identity verification software mechanisms and periodic, ongoing identity verification and transaction monitoring. Implementation, according to this proposal, would require integration into existing AML/KYC practices, legal review, and testing and training.
Team 6 (Recognized in the Market Readiness category)
Team 6 proposed an identity proofing solution scoring system based on various attributes, and encouraged financial institutions to use direct source verifiable credentials (VC) and fraud data in identity proofing processes. The scoring system attributes include the trustworthiness and verifiability of the identity source information, the collection method, the presentation quality or liveness, and the data type. The system would rate each attribute as weak, moderate, or strong. The scoring system results are intended to indicate the sufficiency of existing processes and tools to verify the identity and prompt correction of highlighted weaknesses.
Team 7
Team 7 proposed a risk-based, multi-variate digital identity proofing approach leveraging a shared collaborative framework with four components: 1) an onboarding questionnaire-based workflow to determine the customer’s risk rating; 2) a multi-variate/cross-validation measurement to determine the legitimacy of the digital identity; 3) collaborative confirmation via a central multitenant data clearinghouse for risk detection; and 4) perpetual improvement of the data set.
Team 8: Team Heimdall (Recognized in the Effectiveness/Impact category)
Team Heimdall proposed the creation of a collaboration lab intended to allow institutions to collaborate and share threat and vulnerability information; validate data against fraudulent identities and suspicious behavior; and improve upon alerts, red flags, and indicators of compromise using decentralized data and distributed algorithms. This standards-based, real-time, data-centric collaborative approach plans to follow existing models for sharing cybersecurity-related information, such as the Financial Services Information Sharing and Analysis Center (FS-ISAC) model, and plans to mirror the National Institute of Standards and Technology’s Cybersecurity Framework. In the short term, the team proposed collaboration using bank data, national networks, and algorithms driven by artificial intelligence and machine learning to identify false identities, using secure technologies to conduct multi-party computation. Over the longer term, the team recommended a secure feedback loop for current and future data sources. The team also proposed that FinCEN issue guidance to encourage industry collaboration to combat the pervasiveness of identity theft and related risks, informed by the threat evolution and analysis of the bureau’s data. The team also asserted that regulatory support was required for its identity provider solution.