Nine key points
Last time, in "Developing a Digital Identity Solution for Use by the Financial Sector Based Around eIDAS Trust Services", I explained the following nine key points.
- Regulatory environment
- Diversity of CDD (Customer Due Diligence) Data
- Managing CDD Data
- The role of financial institutions
- CDD Portability Solution Considerations
- Open EDIW proposal
- CDD Exchange Framework
- Sharing of responsibilities
- Practical implementation suggestions
Among these key points, the one that particularly caught my interest was the "CDD Exchange Framework." The outline is as follows:
The "CDD Exchange Framework" in this document
In this document, a CDD exchange framework is a system or arrangement designed to facilitate the secure and efficient exchange of customer due diligence (CDD) data between financial institutions, and potentially other entities, while ensuring compliance with the applicable regulatory requirements.
CDD Exchange Framework Types
This document envisions three typologies for CDD exchange frameworks:
- Bilateral agreement: Each participant enters into a separate agreement with each of the other participants for CDD data exchange. This approach can be lengthy and complicated, since it requires numerous customized agreements.
- Scheme Model: A more integrated approach where a central scheme defines common guidelines and standards for CDD data exchange. The scheme would standardize processes, handle responsibility allocation and set pricing clauses similar to the models used by payment schemes like VISA and Mastercard.
- KYC Utility Model: In this model, a central KYC utility manages CDD data on behalf of the participating financial institutions and acts as the counterparty for all data exchanges. The utility handles the processing and outsourcing of CDD data, which simplifies compliance and improves operational efficiency for member institutions, but it is not suited to facilitating widespread CDD data portability outside the utility.
Key Framework Considerations
The framework also lists three key considerations:
- Governance: Effective governance is important to ensure trust, transparency and fairness among participants. This includes setting clear criteria for participation, preventing conflicts of interest, and establishing processes for adopting rules and for fee transparency.
- Economic sustainability: The framework must provide a sustainable economic model, ensuring that service providers are appropriately remunerated and have clear financial incentives for participation.
- Sharing of responsibilities: Clear rules on allocation of liability must be established to manage the risks associated with inaccurate or fraudulent data. Liability may be strict, fault-based, or a combination and must be clearly understood and agreed to by all parties.
Practical implementation in Europe
The need for standardization
On the other hand, there are also challenges to be faced when it comes to practical implementation.
- The framework will require a large-scale standardization effort, especially for attributes that go beyond core identity data.
Efforts to standardize customer due diligence (CDD) data attributes beyond core identity data include:
- Use of EDIWs: European Digital Identity Wallets (EDIWs) will play a key role in standardizing a range of electronic attributes and improving the interoperability of CDD data across the EU financial sector.
- Harmonization efforts: Under the AMLR proposal, the future AML authorities would have the power to specify the list of attributes required for standard, simplified and enhanced CDD processes, with the aim of harmonizing CDD data attributes across the EU.
- Industry Initiatives: Various KYC sharing initiatives, such as the INVIDEM initiative in the Nordic region and the KUBE project in Belgium, are working on standardizing CDD data attributes to facilitate smoother CDD data exchange.
Collectively, these efforts aim to streamline the handling of both core identity attributes and the additional status or risk-related attributes required for comprehensive due diligence in the financial sector. I would also like to look into INVIDEM and KUBE.
Financial Institutions as CDD Data Custodians
It also notes a potential role for financial institutions to act as CDD data custodians, providing verified and attested attributes through a European Digital Identity Wallet (EDIW) and orchestrating a multi-party utility model to manage the broader CDD process.
The role of a CDD data custodian is multifaceted and can be summarized as follows:
- Data Isolation: CDD Data Custodians must keep customer CDD data separate from their own data and avoid commingling.
- Data security: Custodians must ensure that CDD data is kept secure and protected from loss, theft or compromise.
- Data Integrity and Consent: Custodians are tasked with keeping CDD data up to date, maintaining its integrity, and ensuring that it is used only for purposes agreed to by data owners.
- Verification and source reliability: Custodians must ensure that CDD data comes from trusted, independent sources, and are responsible for continually monitoring and verifying the data in accordance with AML/CFT requirements.
- Transfer protocol: Custodians must not transfer data to third parties without the data owner's explicit consent, and must comply with the GDPR and bank secrecy regulations.
- Operational responsibilities: These obligations include care in selecting any sub-custodians (third parties to which custody tasks are delegated), avoiding conflicts of interest, and ensuring that customers can exercise their rights over their data.
These roles broadly ensure that custodians manage CDD data responsibly, comply with regulatory requirements, and maintain the integrity and security of the data.
By taking these models and aspects into consideration, financial institutions can better handle the complexities involved in CDD data exchange while ensuring regulatory compliance and operational efficiency, the document states.
Data Transfer Protocol
This document was published in September 2021, three years ago, and I'm a little curious as to what protocols were being considered at that stage. It seems, however, that it was too early for that discussion to be settled: protocols are only mentioned briefly, under the responsibilities of the CDD data custodian and in the context of the overall data security and control mechanisms. Even so, the document already treats offline proximity communication separately from other channels:
- NFC and Bluetooth Low Energy (BLE): These protocols are used for secure electronic data exchange in proximity, especially in offline scenarios where no Internet connection is available (e.g. point-of-sale payments).
- General secure communications: No other protocols are named, but the reference to secure communication over SSL/TLS with X.509 certificates points to a conventional secure-channel mechanism underneath the data exchange.
This is roughly in line with what was being discussed for the EDIW at the time, so it appears that the two efforts were closely aligned.
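The report names TLS with X.509 certificates as the conventional secure channel, which on its own only says that the bytes are encrypted in transit. The following Go program is an added example, not code from the report or from this blog, of what X.509 buys a CDD exchange when it is used for mutual authentication: a scheme-operated CA issues certificates to admitted participants, the custodian endpoint requires the requester to present one, and a requester with no certificate, or with a certificate from a CA the scheme does not trust, is refused before any CDD data flows. All names (cdd-scheme-ca, custodian.example, participant-bank.example, unrelated-ca, outsider.example), the request string and the toy CA are constructed for the example; the program uses only the Go standard library and runs entirely over loopback.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"time"
)

// mustIssue: P-256 key plus X.509 certificate for name; a self-signed CA when parent is nil, otherwise signed by parent. Panics on error (demo setup).
func mustIssue(name string, parent *tls.Certificate) tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo-only; a real CA tracks issued serials
		Subject:               pkix.Name{CommonName: name},
		DNSNames:              []string{name}, // the identity the CA vouches for; the client checks ServerName against it
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  parent == nil,
	}
	signer, signerKey := tmpl, any(key) // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// buildPKI constructs the demo material (all names hypothetical): the scheme CA as trust anchor, the custodian
// endpoint's certificate, an admitted participant's certificate, and one from an unrelated CA (valid, but not admitted).
func buildPKI() (roots *x509.CertPool, server, member, outsider tls.Certificate) {
	ca, otherCA := mustIssue("cdd-scheme-ca", nil), mustIssue("unrelated-ca", nil)
	roots = x509.NewCertPool()
	roots.AddCert(ca.Leaf)
	return roots, mustIssue("custodian.example", &ca), mustIssue("participant-bank.example", &ca), mustIssue("outsider.example", &otherCA)
}

// exchange starts a custodian endpoint that requires a client certificate chaining to roots, connects to it as a
// requester presenting client (nil = no certificate), sends a request and returns the reply; an unauthenticated requester gets an error, never data.
func exchange(roots *x509.CertPool, server tls.Certificate, client []tls.Certificate) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // mutual TLS: the scheme CA decides who may ask
		ClientCAs:    roots,
	})
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		conn, err := ln.Accept()
		if err != nil {
			return
		}
		defer conn.Close()
		buf := make([]byte, 256)
		n, err := conn.Read(buf) // runs the handshake; fails (alerting the peer) on a missing or untrusted client certificate
		if err != nil {
			return
		}
		peer := conn.(*tls.Conn).ConnectionState().PeerCertificates[0].Subject.CommonName
		fmt.Fprintf(conn, "custodian accepted %q from %s", buf[:n], peer)
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: roots, ServerName: "custodian.example", Certificates: client})
	if err != nil {
		return "", err
	}
	defer conn.Close()
	fmt.Fprint(conn, "CDD attributes for customer 4711") // constructed request; a transport failure here surfaces in the read below
	reply, err := io.ReadAll(conn)                      // ends cleanly at the custodian's close_notify, or with its TLS alert
	return string(reply), err
}

func main() {
	roots, server, member, outsider := buildPKI()
	fmt.Println(exchange(roots, server, []tls.Certificate{member}))   // accepted
	fmt.Println(exchange(roots, server, []tls.Certificate{outsider})) // rejected: issuer unknown to the scheme
	fmt.Println(exchange(roots, server, nil))                         // rejected: no certificate
}
```

What mutual TLS does not do is worth stating, because the custodian obligations above go further: it authenticates the two endpoints and protects the channel, but the data owner's consent, the purpose limitation and the integrity of the attributes themselves still have to be enforced in the application, for instance by checking a consent record before answering and by having the attributes attested so that they remain verifiable after they leave the channel.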
Next in the EU AMLR series, we will look at the AML package adopted by the European Commission on May 5th.