Regulatory Area
Digital Identity
Digital identity is the electronic representation of information used to establish and verify who a person or organisation is.
In this briefing
- What it is
- Key things to know
It can include traditional identity attributes such as name, date of birth, address and company details, as well as digital credentials, biometric data, device information, government-issued attestations and verified claims stored in digital wallets.
Modern digital identity systems are moving from repeated document collection toward reusable credentials and selective disclosure. This can allow users to prove a specific fact, such as age, residency, professional status or company authority, without sharing unnecessary personal information.
Key things to know
Identity and verification are not the same thing
Collecting identity data does not prove that it is accurate or that the person presenting it is the rightful holder. Firms need controls for verification, authenticity, liveness, fraud detection and account recovery.
Digital identity can reduce repeated onboarding
Reusable credentials can allow customers to present verified information across multiple services, potentially reducing friction and duplication. Firms still need to assess whether the credential is trusted, current and sufficient for the intended regulatory purpose.
Selective disclosure can improve privacy
Digital identity systems can allow users to prove individual attributes without revealing an entire identity record. This may reduce unnecessary data collection, but firms must ensure the approach still meets legal and evidential requirements.
Trust depends on the issuer and assurance level
Not all digital credentials carry the same weight. Firms need to understand who issued the credential, how identity was verified, whether it can be revoked and what level of assurance it provides.
Digital identity changes the onboarding architecture
KYC and KYB processes may increasingly rely on credentials, identity wallets, APIs and federated data rather than uploaded documents. This requires new controls around validation, consent, revocation, audit trails and exception handling.
Identity infrastructure creates new risk
Compromised credentials, synthetic identities, deepfakes, stolen devices and weak recovery processes can undermine otherwise robust systems. Strong governance, authentication and monitoring remain essential.
For general information only. Not legal, regulatory or compliance advice.
Working With This Regulation?
Cryptliance helps firms understand what applies, what it means for the business and what to do next — across strategy, controls, product and market execution.