provide FAQ that helps external parties understand the problems that eKYC solves
As requested at WG of 6/1, some initial questions (from someone coming ‘cold’ to the current draft) for consideration as FAQs:
What is the primary motivation behind the specification?
How does the terminology used in the specification (e.g. Identity Proofing / Verification / Assurance) relate to other commonly used terms, such as ‘customer due diligence’ and ‘know your customer’?
Is the specification limited to claims linked to Identity Assurance (i.e. claims that identify a natural person)? Can it be used more broadly to support ‘know your customer’ use cases (e.g. source of wealth)?
Can the specification be used to assure claims about relationships between a natural person and other entities (e.g. legal entities, other natural persons)?
What is meant by a ‘level of assurance’ or ‘identity assurance level’?
Can you give an example of how an RP would use the data provided under the specification to conduct their own risk assessment, or map to laws relevant to them?
How does the specification support the separation of concerns between the verification process undertaken by an OP and the risk assessment undertaken by an RP?
How are granular details of the verification process for an id_document reflected in the specification? Example: Physical in-person proofing using biometric matching technology vs. physical in-person proofing based on manual assessment.
How are other aspects of the verification process for an id_document reflected in the specification? Example: checks that the document presented is valid and genuine (i.e. not counterfeit, not tampered with).
What details about the verification_process is the OP required to keep in case of disputes or audits?
What is the difference between the level of authentication attested in the acr Claim and the level of assurance attested in the trust_framework Claim?
What is the difference between the txn Claim and the verification_process Claim?
What is meant by an ‘external source’ / ‘external claim’ / ‘external claims source’?
I am conscious that the above both spans from high level to detailed, and ignores FAQs that are already well answered by the spec - these are simply what came to mind on reading!
One of the questions which came up in some discussions a few times for me was: How can this spec help to assess the credibility of a customer? The spec provides verified PII about a customer, but it does not say anything about their credit rating for example. How would an RP be able to decide if the customer can be allowed to order items from a shop for a specific amount of money without paying in advance?
@Torsten Lodderstedt You might want to set the share options of that doc to “comment” for everyone having the link.
give it a try
Here is Don Thibeau’s message about ‘purpose’ of FAQ and Roadmap pasted over from the mailing list…
The purpose of the requested FAQ and Roadmap is to provide an authoritative source (owned by the Work Group) for members and the community at large to provide a clear line of sight to 2021 plans and priorities.
Work Group members know all too well that the global identity ecosystem is noisy, crowded and “balkanized.” This is particularly true of the Know-Your-Customer space. The growing number of regulatory initiatives, the increased amount of investment and the overall volatility of markets has resulted in complexity, cost and confusion for all stakeholders. It has also resulted in the increased interest and inquiries to the OpenID Foundation about the eKYC Work Group.
OpenID Foundation Chairman Nat Sakimura has called 2021 the “Year of eKYC, citing recent Financial Action Task Force recommendations among others.” I often cite the critical need for international interoperability, which can only be obtained when conformance to technical standards and compliance to legal and regulatory requirements are clear and certified. We have learned through the success of OpenID Connect that adoption is not enough, that self-certification is often required so all may “trust but verify.”
While the OpenID Foundation reach and reputation among technologists is strong and its technical depth deep, it relies on a resource base that is the sum of volunteered human and financial capital of its members. In order to maximize the OpenID Foundation’s support for the Work Group’s effort, our strategy is to work “wholesale not retail.” That is to say, answer as many common questions by providing links like this “How Do Working Groups Work” and focus “retail” efforts on adding diversity and depth to membership.
IMHO the distinguishing characteristics of the most successful Work Groups: one, they focused on a burning business problem; two, they kept the end user in mind; three, they had technology at their core; four, they were international; and five, they were open, transparent and trusted.
Thanks for your good work
Don Thibeau OpenID Foundation