Paving the way to digital ID
A rundown of how the system works, what the process is, and why privacy concerns have arisen from the draft data collection bill.
published : 24 Sep 2018 at 04:30
newspaper section: Business
writer: Suchit Leesa-nguansuk, Komsan Tortermvasana & Somruedi Banchongduang
Although it could be a boon for Thailand's digital transformation, a draft law allowing government agencies to collect citizens' digital ID has provoked concerns over data security and personal privacy, suggesting the act may be more of a curse than a blessing.
The cabinet recently approved in principle a draft for digital ID, an endorsement that would facilitate online transactions and ensure security for users. The move is expected to help banks expand their account base through digital lending via the internet and smartphones at a rapid pace.
Under the proposed digital ID bill, a national digital ID company (NDID) will be set up to build a digital ID platform to identify and authenticate citizens' digital IDs.
With digital ID, banks can verify customer identity with greater convenience and security because of electronic Know-Your-Customer (e-KYC) technology, which will subsequently foster growth in digital loans and attractive interest rate offers, depending on borrowers' risk profile, which will be assessed using data analytics.
But personal privacy breaches and questions about service reliability and heavy-handed use of cybersecurity laws have raised alarms among some observers.
Weighing pros and cons
Under the digital ID platform, there are three core parties: ID provider (IDP), authoritative source (AS) and relaying party (RP).
The digital ID bill will allow an entity (for example, a bank as an RP) to electronically identify and authenticate an end-user by relying on another entity (a second bank as an IDP) that has already conducted e-KYC and confirmed the identity of the end-user and relies on a trusted source of information (such as the Credit Bureau as an AS) to release information about the end-user to the RP for further use.
The digital ID bill will help to simplify doing business by enabling the use of digital ID without the need to repeatedly go through traditional KYC processes that require numerous copies of an end-user's conventional ID card, said Dhiraphol Suwanprateep, a partner at Baker McKenzie.
This system could also serve as a platform to maximise the use of information readily available from other trusted sources of information, he said.
Mr Dhiraphol said that while Section 30 of the bill grants the digital economy and society minister the power to licence to a service provider who will operate the digital ID platform, Paragraph 3 thereof also allows the minister to issue future notifications on criteria, requirements and procedures regarding the licence, and relevant fees.
Every service provider who wishes to operate on the digital ID system must follow the same rules prescribed in the notification.
"Hopefully, [licence] notifications will be frequently reviewed and updated as digital environments rapidly evolve," Mr Dhiraphol said. "If rules and regulations are not kept up-to-date, they will have the effect of acting as a roadblock as opposed to an expressway."
Assurances that reliability is guaranteed, given how the NDID is the sole operator of the digital ID platform, are not compelling, said Prinya Hom-anek, secretary-general of the Thailand Information Security Association.
Essentially, public services need a high standard of reliable and secure services, Mr Prinya said.
There have been many lessons learned from having unreliable services operated by a private entity, such as the ATM pool and PromptPay money transfer services operated by National ITMX or sporadic disruptions in mass transit service -- instances where respective regulators were found to be reluctant to impose strong penalties when major systemic disruptions occurred.
Ensuring fairness of the NDID when connecting with other service providers is also another case-in-point, he said.
"A single NDID is not ready to be used on the global level," Mr Prinya said. "Only Estonia uses this concept."
Somwang Laungphaiboonsri, a committee member of the Thailand E-Payment Trade Association, said the NDID should ensure that its service standard creates good governance, transparency and protection of privacy.
"There should be a trusted global auditor to verify the system," Mr Somwang said. "This will increase confidence among other service providers and citizens."
"How we can enforce these foreign firms [to protect privacy], and how can we ensure that there is no abuse of power from government authorities?" asked Paiboon Amornpinyokiat, a legal expert. "There should be an external party for the auditing process."
Dealing with digital demand
There are several technologies and tools that enterprises and businesses use to verify customer identity, such as fingerprinting or even retina scans.
But these verification methods might not be suitable when operating online transactions and ensuring security for users across different digital platforms.
The government, through the Electronic Transactions Development Agency (ETDA), has been developing an open digital ID platform as a means to create digital infrastructure that facilitates identity verification, which directly paves the way for all digital transactions, especially e-payment in the public and private sectors.
Widespread verification of people's identity also secures and promotes e-commerce activity and reduces fraud by creating a standardised and secure online system.
The digital ID platform is an open and intermediary infrastructure that provides online service providers (RP) with a standard to identify and authenticate subscribers or customers using existing digital identification, enabling them to access a variety of services remotely.
Examples of these services include online user accounts of public services offered by the Revenue Department and the Business Development Department and internet banking accounts or e-wallet accounts.
The first eight institutions and groups set to be linked to provide services on the digital ID platform to users will be securities companies, banks, the Revenue Department, Thailand Securities Depository Co, the National Credit Bureau Co, the Student Loan Fund, the Thai Life Assurance Association and the Thai General Insurance Association.
"Existing consumer behaviour is always connected with mobile devices," said ETDA chief Surangkana Wayuparb. "The digital ID platform will serve growing demand [of digital needs], particularly in e-commerce."
More importantly, the value of e-commerce in Thailand reached 2.5 trillion last year and is expected to increase to 2.8 trillion this year, with an annual growth rate of at least 10%.
The ETDA initially allocated a budget of 20 million baht for platform development and aims for the sum to reach 100 million baht by year-end.
"The digital ID platform is aimed at helping not only to improve the daily [business] routines of large enterprises, but also to boost the level of assurance for all digital transactions, including the e-commerce market," Mrs Surangkana said.
The ETDA is responsible for the development and management of the federation proxy.
The federation proxy acts as a bridge connecting other components in the digital ID platform together with an interoperable authentication protocol designed to be open-standard and with utmost security for integration and communication among different components.
The agency is collaborating with the private sector to develop the digital ID platform in Thailand.
The ETDA recently signed a memorandum of understanding with Thailand-based Omise Co, a well-established player in online identification and e-payment service, to initiate this project. The ETDA is also considering adding another Thai company to collaborate on platform development.
The government through the Digital Economy and Society Ministry aims for at least 10,000 people to adopt the digital ID platform for digital transactions as a means for greater assurance of online activities.
Facial recognition technology detects customers' faces at a shop, letting the owners gather information and learn customer habits. SUCHIT LEESA-NGUANSUK
For banks, the digital ID platform greatly suits upcoming business models and facilitates greater efficiency in verification security.
Thakorn Piyapan, head of digital banking and innovation at Bank of Ayudhya (BAY), said the digital ID system will provide greater security compared with a paper-based system, given blended strengths in using both demographic and biometric authentications.
E-KYC requires users' passports, citizen ID cards and facial recognition using a multi-angle selfie for accurate verification of customers' identity, Mr Thakorn said.
BAY is one of at least five banks testing their e-KYC technology in the Bank of Thailand's regulatory sandbox.
Mr Thakorn expects that BAY's e-KYC to open new deposit accounts and digital lending services will exit the regulatory sandbox in October or November.
BAY, the country's fifth-largest lender by total assets, has been testing facial recognition technology in the regulatory sandbox for a while.
Initially there were some minor problems related to facial authentication, of the kind that usually occur when new technologies are tested out. But a long testing period under collaboration with both the central bank and other commercial banks has resulted in a stable system that users can trust, according to BAY.
"Under the regulatory sandbox and the central bank's supervision, e-KYC needs to be tested out until the central bank is fully certain about allowing the system to exit into the world," Mr Thakorn said. "The regulator also allows real technological adoption during the testing period to reaffirm systemic stability and security. It currently does not have any problem."
To use e-KYC facial recognition, customers need a passport, ID card and a multi-angle facial photo. These items can accurately verify a client's identity, Mr Thakorn said.
Customer verification via the facial recognition e-KYC technology is expected to ensure greater security compared with the existing paper-based data checks. Banks will also need to update customers' physical database and migrate them onto a digital platform.
Somkid Jiranuntarat, chairman of the Banking Information Technology Club under the Thai Bankers' Association, said no concerns have arisen about e-KYC adoption for opening new accounts, e-wallet applications and digital lending services. The technology will be used for existing bank clients, as each bank already has its own database.
Customer authentication on the digital ID platform under the NDID needs more time for adoption.
The customer verification process under the digital ID platform begins from enrolment and proof of identity, followed by authentication and life cycle management. For the enrolment stage, 1-2 years will be spent collecting sufficient data and building up database usage.
In later stages, it will take about five years to build up a comprehensive ecosystem of customer authentication entirely on a digital platform, Mr Somkid said.
The NDID is in the process of setting up terms and conditions governing both the public and private sectors.
The SCB Easy app uses e-KYC, allowing customers to open accounts on their smartphones.