A digital identity is essentially a digital representation of a person, enabling them to prove they are who they say they are, during interactions and transactions online. To ensure digital identities and identity attributes – individual pieces of identity information, for example age, occupation, marital status, are trusted by transacting parties, the UK Government has partnered with the private sector to develop a voluntary set of rules and standards called the ‘UK Digital Identity and Attribute Trust Framework’.
At the alpha stage of development, the trust framework is being led by the Department for Digital, Culture, Media and Sport (DCMS) and will be designed to help people benefit from a digital identity in a trustworthy and secure way.
Businesses that are trust-framework certified will be able to demonstrate their status via a new ‘trustmark’. Although the framework is still at the alpha stage, the trust framework rules could have significant implications for the pensions industry, affecting how providers verify and authenticate members and how they share identity data attributes through dashboards and elsewhere.
Pension providers will need to follow trust framework rules for ‘Attribute Service Providers’ (ASPs) – ‘Individuals or organisations that collect, create, check or share attributes’.
Keeping in contact with people where there are such long lifecycles is a perennial problem for the pensions industry, requiring significant resources to trace ‘lost’ members. However, tracing could prove impossible under the current wording of the framework, which requires schemes to get authorisation from the lost member to use their data to help trace them.
Maintaining up-to-date high-quality data attributes has been another persistent challenge for the industry. Fortunately, the trust framework recognises quality of identity data attributes is particularly important and has published an addendum – How to Score Attributes – to help with measuring quality and assurance. However, the trust framework also suggests ‘you could follow your own processes,’ but neglects to provide the rules against which these native processes would be certified. We look forward to these and other gaps in the rules being filled or clarified.
As well as needing to follow trust framework rules for relying parties, there could be implications for pension schemes in their other role as a service provider. In this scenario they become a ‘relying party’. This is industry parlance for organisations which draw on information from identity and attribute providers to verify individuals and give access to pension services.
On the upside, relying parties won’t need to be certified against the trust framework. On the downside pension schemes, as relying parties, may have to sign up to a set of ‘flow-down conditions’ included in the contracts of participating identity and attribute providers or the trust framework itself. Unfortunately, Government hasn’t yet released details of these flow-down conditions. This makes it difficult for the pensions industry to properly assess their impacts, although hints can be found in the framework, which state “the expectation is that trust framework participants will only share and receive identity and attribute data with other trust framework participants.” Although the trust framework is voluntary, it could become less so if this ‘expectation’ becomes a defacto rule, creating ongoing friction for participation in the framework. Such an outcome could cut across pension providers’ existing contracts and limit choice or competition.
But areas of the trust framework still require greater clarity. Government’s move to enable digital identities and identity attributes is positive. But the pensions industry will continue to work towards greater clarity of the rules, particularly around ‘user agreements’, ‘flow-down conditions’ and ‘attribute scoring’. Compliance with the government’s UK Digital Identity and Attributes Trust Framework is just one of the challenges. If pension providers decide to participate in the trust framework, they may also need to achieve certification against an industry level identity scheme, an additional set of voluntary sector-specific rules on top of the UK trust framework.
Continued engagement is critical to ensure the pension industry’s specific needs are met. PASA will continue to support the industry and its work with government in order to help clarify the rules and support the implementation of this much-needed UK framework.