Identity Assurance

Identity assurance is the full process for assuring the identity of a person, which will involve validation, verification, authentication  and anti-impersonation. There are many different approaches however many follow a similar set of requirements. 

Step 1 – Identity Verification

An individual will provide their personal details, name, date of birth and address. This is generally referred as the identity the individual claims to be, their claimed identity. The identity verification stage will check the details against data sources to establish whether the identity the individual claims to be is that of a real person. It’s normal that multiple data sources are checked to verify a person, however the precise data that must be checked and the number of sources required will vary depending on the requirements of the relying party. The Joint Money Laundering Streering Group (JMLSG) guidelines state that the name and address and the name and dob must be verified and that multiple sources must be used. The minimum requirements are commonly interpreted to mean that you must have at least two sources of information and must verify name and address plus name and date of birth (DOB). As an example name and address can be verified using the Electoral Roll and name and DOB can be verified using a Passport document.

Step 2 – Identity Authentication

The information provided by the individual has been confirmed to be a real identity. This important second step is to ensure that the identity of the customer is that same individual. This step will use one or more of the following to authenticate the person.

  • Something you are
  • Something you have
  • Something you know

Something you are
A check such as comparing a photo within a document to a photo of yourself will confirm that it is you. The document must also match that of the claimed identity.

Something you have
Sending a one-time password to a mobile phone will confirm that the individual has in their possession the mobile phone. An association with the person and the phone must have been established before this is carried out.

Something you know
Asking questions that only the person would know will confirm that it this the claimed identity. A common way of doing this is to perform a knowledged based authentication (KBA). KBA will use data from the individual credit file to create questions that only the person would know. Upon providing the correct answer the person is authenticated. Multiple questions can’t asked to increase the level of assurance.

Step 3 – Risk Assessment

So far we have established that the individual is a real identity and that person being assured is that same person. The risk assessment stage will do two things. Firstly to establish whether this person is a good person, someone a business would want to trade with. Secondly will look for contra-indicators to show that steps 1 & 2 may not be accurate. The type of information that’s checked in this step is deceased registers, fraud databases or stolen document registers. For the purpose of illustration of the process risk assessment is described as a third step, however in reality can be performed alongside step 1 and 2.