On 11 July 2019, the British Standards Institution (BSI) published PAS 499, a code of practice for digital identification and strong customer authentication.
PAS 499 is a set of recommendations that will help firms meet security, regulatory, and usability requirements in the provision of digital services. Most notably, it helps firms:
- Understand evolving threats and adapt their security practices accordingly
- Secure their systems to prevent fraudulent misrepresentation of a natural or legal person
In layman's terms, its purpose is to ensure that any firm that supports digital identity or authentication services does so in a robust and secure manner.
The code of practice comes at a very important time, not just in the world of payments, but for other industries involved in customer verification and due diligence. While PSD2 Strong Customer Authentication (SCA) has been a hot topic recently, there are use-cases outside of payments where customer due diligence is required, such as where a firm may need to age-check its customers to restrict products, services or advertising.
With a growing industry need and ongoing government plans for digital identity services, a standard that meets the various legislative requirements is welcome.
Development of the PAS
The PAS (Publicly Available Specification) was developed through several public meetings involving hundreds of stakeholders, supplemented by small committees operating within the rules of the BSI. These included senior stakeholder representatives from across the government, payment, technology and consumer sectors. The group of authors developing the PAS was led by Huntswood's Advisory Board member, Andrew Churchill.
What does it cover?
The code of practice is designed to encompass all aspects of a business involved in the provision or support of an identity or authentication solution. This includes not only the customer-facing part, but also third-party services that the product may be reliant on. As an example, consider a product that verifies against a national database of information like passport / driver’s license data – that external service will come into scope, albeit through a subset of the code.
Technical aspects, such as defining acceptable user sessions, recognising known device vulnerabilities and insisting on "liveness" tests for biometric checks, all help to minimise the risks from threats that advances in AI technology have made practical. Weak systems are now easily exploited by such software.
While the AI technology is not necessarily new, what is new are the opportunities for its application. For example, firms are scrambling to find biometric solutions for payments authentication, especially considering the EBA's opinion that card details should not count as a "knowledge factor" for SCA purposes.
Assisting firms in increasing financial inclusion, the code also features use-cases that offer greater degrees of confidence for vulnerable customers or those with restricted characteristics, such as those with disabilities, the unbanked, or homeless people.
From an operational perspective, the PAS also includes recommendations for the organisational structure of a firm, recommending that committees and procedures be in place to ensure that cyber threats are continually assessed and mitigated. Regulated firms should already be used to this, since there is already a requirement to have operational and security risk frameworks in place.
The PAS has industry-wide support, having been developed and signed off by firms in the payments and utilities sectors, as well as receiving approval from notable legislative and regulatory bodies.
With UK Finance endorsing the text, and with Open Banking's threat assessments citing its value, adoption of the PAS is going to form part of any acceptable migration plan for firms seeking to request an extension to the 14 September Regulatory Technical Standards deadline, as permitted by the FCA.
When factoring in the support it has received from the National Cyber Security Centre and the Cabinet Office, the PAS will no doubt play a key role in any further digital identity initiatives from the government.
Considerations for firms
Firms should keep a close eye on further developments from their respective regulators and trade associations. They should also seek advice on adherence to the code of practice if they are involved in the provision or use of any of the following identity or authentication services:
- Identity validation
- Identity verification
- Delegated authority and authorisation
- Security and usability
- Risk models for authentication
Thanks to our participation in the steering group and our role as co-author of the PAS, Huntswood is well-placed to assist firms in their journey towards accreditation. We can also provide advice to those wishing to seek the exemptions needed to satisfy the FCA in the lead-up to the PSD2 SCA transition period.