Submission to the Financial Action Task Force Public consultation on its draft guidance on digital identity
Privacy International submits comments to the FATF consultation on its draft guidance on digital identity.
- The purpose of an identity system should be clearly defined, legitimate, and such systems should be deployed only if there is not another less intrusive way to achieve the same goals.
- ID systems can exclude, can exploit and can surveil.
- Not being able to provide an ID should never result to the denial of services such as health care, social protection and other essential benefits and services.
Privacy International welcomes this opportunity to submit comments to the FATF consultation. The draft recommendation is an improvement on existing guidance that we have reviewed.
We also welcome the calls of the FATF for accommodations that will relieve burdens upon individuals who are being excluded from the financial sector, as a result of the FATF’s prior recommendations.
PI believes that identity systems must empower people. The initial question surrounding the development of any identity system has to be one of its purpose and need, and it’s essential that the design of the system meets that need. At the same time, given the potential of an identity system to interfere with the fundamental right to privacy, the purpose should be clearly defined, legitimate, and such systems should be deployed only if there is not another less intrusive way to achieve the same goals.
Instead too often identity systems create risks for those who have access to an ID, as well as those who don’t. These systems can exclude: for all the claims of universality, there will be some people who do not have access to an ID, or those who cannot use their ID, and are denied access to goods and services. ID systems can exploit: they link together diverse sets of information about an individual, and allow tracking and profiling. ID systems can surveil: giving the state and private sector a 360-degree view of the person. All three of these are made worse by function creep - the spread of an identity system to more and more aspects of people’s lives.
Particularly as an ID system’s role is to enable people to authenticate their identity to access financial services, it is imperative that an ID system is as inclusive as possible, and mitigate exclusionary consequences, which might be caused by economic, cultural, geographical, physical ability, or other factors.
As highlighted in Privacy International’s research on identity and exclusion, mandating the need for identification - or one particular form of ID - to access services leads to social exclusion. Similarly, it has to be recognised that those who have difficulty getting the proof of identity are also those open to exploitation, as shown by Privacy International’s research into the fintech sector, and on the impact of financial regulations for example in the delivery of humanitarian assistance, emphasising the importance of protections to be placed in a system.
To broaden inclusion in the system, we need to make sure that a broad range of diverse ways for people to assert their identity are permitted, as well as measures to improve accessibility (like, for example, real-world help and support contact points). To lessen the risks of exclusion as a result of identity systems, the situations that need a form of identification must be minimised – in particular, the introduction of a digital ID system must be stopped from leading to new uses of ID where currently there is no such requirement. If it is the case that identity is required, there needs to be a breadth of options available, not limited to one particular system. And not being able to provide an ID should never result to the denial of services such as health care, social protection and other essential benefits and services.
Financial data is some of the most sensitive data about people, revealing not only their financial standing but also factors like family interactions, behaviours and habits, and the state of their health, including mental health. While monitoring and regulating financial transactions are important for preventing crime, it is essential that it is done in a way that does not endanger human rights.
This is why PI believes that one of the most important solutions is to find ways of removing ID requirements. The FATF has started to acknowledge that ID requirements are imposing burdens – and while digital ID could help alleviate some of the exclusion that is occurring, fundamentally the exclusion is solved by removing the burdensome requirements where they are not necessary. The draft guidance does not go far enough on clarifying previous recommendations by the FATF; and while it takes a relatively progressive view of digital ID, embedded throughout the recommendations are hints that more expansive uses are recommended, that could shape the structure of identity for years to come.