
10 things you need to know about digital identity


10 points on the what, how and why of digital identity


1. A digital identity can arise in many ways…

At its core, a digital identity is a set of attributes that can allow an individual or entity to be represented in digital form in an online environment. It could even represent a thing.

2. …and take many forms…

A digital identity can take a myriad of forms, ranging from government protocols to private solutions and "self-sovereign" products. Even a gaming "avatar" and a social media profile are forms of digital identity. Digital identity may be accessed via a card / device, username / password or via your biometric data – or a combination.

3. …with a variety of attributes.

The data may be verified by a government body, financial institution or other third party. Conversely, it may simply be self-certified, or even false. It may comprise basic details such as name, date of birth and identification number, or extend to much deeper information, such as medical history, preferences, behaviour and social graph data.

4. Creating a digital identity can be simple or complex…

A digital identity can arise organically from information provided and activities online or it can be purposefully produced. Various technologies underpin these projects, including encryption, cloud, open API and/or blockchain.

5. …and it can be used in a variety of ways…

Digital identity can be used to facilitate identity authentication, digital signatures, rapid form-filling, regulatory compliance, data analytics and building cognitive systems. There are numerous current use cases, including Estonia's e-identity programme, India's "Aadhaar" scheme, and industry-specific applications such as Sweden's "BankID". The United Nations also deploys digital identity through the World Food Programme.

6. …including smart contracts and IoT.

Digital identities can help power smart contracts. When attached to things, they are also especially useful for building the internet of things (IoT), and assisting with its effectiveness and systemic integrity.

7. It must meet legal and regulatory requirements.

Data privacy, cybersecurity, outsourcing, anti-discrimination laws and other local market expectations must be addressed. If digital identity has a "regtech" compliance aim, it must also be fit for that purpose.

For example, digital identity can only be used for AML/CTF purposes if it is accurate, reliable and up-to-date. Whether or not data meets these tests depends largely on its source. For example, if an open API connects a digital identity with government-held data, it is far more reliable than self-certified information.

8. Digital identity does not come without risk…

The most significant risk is data breach, particularly where sensitive information is used. In particular, biometric data can make digital identity more secure, but if "stolen", it cannot be "reset" as with a username and password. An individual's fingerprint will always be their fingerprint.

9. …which can be mitigated but not eliminated…

Risk is minimised through proper design, diligence and documentation. Three-factor authentication, the use of open APIs to minimise the creation of "honey pots" of data, regulatory controls and well-drafted contracts are some of the key risk management tools.

Blockchain technology can also be useful, although one of its greatest advantages (immutability) can pose a barrier to privacy compliance if carelessly adopted. This means that legal and regulatory issues must be a part of its fundamental design.

10. …and responsibility must land somewhere.

The use of digital identity needs a robust statutory and/or contractual liability model to address complaints, civil claims and other consequences arising from the misuse, loss or unreliability of data.

Importantly, it is not always possible to contract out of all liability. Regulators also often take a dim view of exclusions that unfairly affect customers. Reputation risk is particularly critical to manage, as digital identity is fundamentally predicated upon trust.
