2.1. Terminology and Definitions

Effective from 31/10/2022

For the purposes of this Guidance, in relation to identifying and verifying the identity of a customer as part of the customer due diligence (“CDD”) process, identity (“ID”) refers to the specification of a unique natural person that is:

 Based on characteristics (attributes or identifiers) of the person that establish a person’s uniqueness in the population or particular context(s); and
 Recognized by the state for regulatory and other official purposes.
 

Proof of identity generally depends on some form of government-provided or issued registration, documentation, or certification (such as a birth certificate, identity card, or digital ID credential) that constitutes evidence of core attributes (such as name and date and place of birth) for establishing and verifying identity. Proof of identity may be provided through general-purpose ID systems (such as national ID and civil registration systems) or various limited-purpose ID systems (such as taxpayer identification numbers, driver’s licenses, passports, voter registration cards, social security numbers, and refugee identity documents).

Digital ID systems use electronic means to assert and prove a person’s identity online and/or in in-person environments, including through the use of:

 Electronic databases, including distributed databases and/or ledgers, to obtain, confirm, store, and/or manage identity evidence;
 Digital credentials to authenticate identity for accessing mobile, online, and offline applications;
 Biometrics to help identify and/or authenticate individuals; and
 Digital application program interfaces (“APIs”), platforms, and protocols that facilitate online identification and the verification and authentication of identity.
 
Identification Systems in the UAE
 
LFIs should understand and utilize national-level identification systems and processes currently in place or under development in the UAE, including but not limited to:
 
 UAE Pass, the UAE’s first national digital identity and signature solution that enables users to identify themselves to government service providers in all emirates through a smartphone-based authentication protocol and to sign documents digitally with a high level of security. The UAE Pass app uses biometric facial recognition software to verify and register users without requiring an in-person visit to a government services center. The UAE Pass also includes a “digital vault” for storing users’ digital documents and sharing them with government departments, as well as a “digital signature” function to complete official transactions without the need for paper documents or physical signatures.
 
 Emirates ID, the mandatory, government-issued identity card for all UAE citizens and residents. While issued as a physical card, the Emirates ID card uses public key infrastructure to attach individual identities to digital certificates that can be used to sign and encrypt data, as well as fingerprint biometrics. When verifying an Emirates ID card, LFIs should use the online validation gateway of the Federal Authority for Identity and Citizenship and should keep a copy of the Emirates ID and its digital verification in their records.
 
 Emirates Facial Recognition, an initiative launched by the UAE Ministry of Interior and Federal Authority for Identity, Citizenship, Customs & Port Security, together with private sector partners. The facial recognition initiative includes a “face fingerprint” system for digital verification of digital transactions and remote identities.
 

 

Digital ID systems involve two basic components and an optional third component:

 Identity proofing and enrollment answers the question: Who are you? It involves collecting, validating, and verifying identity evidence and information about a person, establishing an identity account, and binding the individual’s unique identity to authenticators possessed and controlled by this person.
 
 Authentication and identity lifecycle management answers the question: Are you the person who has been identified and verified? It establishes, based on possession and control of authenticators, that the person asserting the identity is the same person who was identity proofed and enrolled, and ensures that adequate controls are in place to manage events that can occur over the identity lifecycle that affect the use, security, and trustworthiness of authenticators.
 
 Portability and interoperability mechanisms, where used, enable proof of identity to be portable, so that an individual’s digital ID credentials can be used to prove identity for new customer relationships at unrelated private-sector or governmental entities, without their having to obtain and verify personal data and conduct customer identification and verification each time. Portability and interoperability are optional components of any digital ID system.
 

Not all elements of a digital ID system are necessarily digital. Some elements of identity proofing and enrollment can be either digital or physical, or a combination; however, binding, credentialing, authentication, and portability/federation (where applicable) are always and necessarily digital. These concepts are explained further in the following sections.

Digital ID systems can enable remote customer identification and verification, support remote financial transactions, and otherwise facilitate non-face-to-face business relationships and transactions, defined as interactions in which the parties are not in the same physical location and conduct activities by digital or other non-physically present means, such as mail or telephone. Under international standards, non-face-to-face business relationships and transactions are included as an example of a potentially higher-risk situation in undertaking CDD.[3] However, given the evolution of digital ID technology, architecture, and processes, and the emergence of consensus-based open-source digital ID technical standards, non-face-to-face interactions that rely on reliable, independent digital ID systems with appropriate risk mitigation measures in place may present a standard level of risk, and may even present a lower level of risk where higher assurance levels are implemented and/or appropriate control measures are present.[4] See section 4 below for specific risk mitigation measures and strategies that can help ensure that a digital ID system is suitably “reliable” and “independent” in this sense.


[3] See The FATF Recommendations, Interpretive Note to Recommendation 10, at 68, available at: https://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF%20Recommendations%202012.pdf.
[4] FATF, Guidance on Digital Identity, at 30, available at: https://www.fatf-gafi.org/media/fatf/documents/recommendations/Guidance-on-Digital-Identity.pdf.