New Regulation Governing the Services Related to Digital Identity Proofing and Authentication System
Most people nowadays conduct their transactions through electronic means. Before engaging in such electronic transactions, a person’s identity must be verified. This process is currently supported by digital systems and is an important step in helping a party know its customers.
The Digital Identity Proofing and Authentication System is designed to provide a secure and efficient process for validating the identity of users who are attempting to access sensitive information. This system employs cutting-edge technology to ensure that only users with legitimate credentials can access the data they need. The system allows organizations to reliably authenticate user identities using a variety of methods such as biometrics, physical documents, government-issued IDs and other types of identification.
The Digital Identity Proofing and Authentication System also features robust data encryption techniques to protect the sensitive information from unauthorized access. This ensures that only users with appropriate credentials can access the data. Additionally, the system has been designed to be tamper-resistant and provide comprehensive reports that allow organizations to track user activity and access history.
In addition to security features, the system includes a range of tools for user management. Administrators can manage user roles, access rights, and account information quickly and easily. They can also enable or disable users in bulk and set temporary passwords for new users.
The main regulations on digital identification include the European eIDAS Regulation, the General Data Protection Regulation, the Identity Theft Prevention Act, the EU Payment Service Directive and the Anti-Money Laundering Directive. These regulations set out requirements for digital identities, such as customer authentication, data protection and fraud prevention. Companies providing digital identification services in the EU must ensure compliance with these laws. Additionally, some countries have their own regulations in place that must be adhered to when offering such services.
The Digital Identity Proofing and Authentication System is an essential tool for any organization that needs to maintain accurate records and secure access to sensitive data. It provides a simple yet powerful solution for verifying user identities while also ensuring security.
In this regard, the Royal Decree on Supervision of Services Related to Digital Identity Proofing and Authentication System B.E. 2565 (2022) (“Royal Decree”) was announced on 23 December 2022 and will be effective 180 days after the announcement (i.e. 21 June 2023) to govern the operations of legal entities that provide services related to digital identity proofing and authentication systems.
The Royal Decree specifies the characteristics of the service providers who must obtain a license to operate digital identity proofing and authentication services, i.e. (1) Identity proofing services, (2) Authenticator, (3) Identity authentication services and (4) services of exchanging the digital proofing and authentication data through the network or system. Furthermore, applicants must be a limited company, public limited company or other legal entity that meets the qualifications defined by the Electronic Transactions Development Agency (“ETDA”), and must submit all required documents and information to the ETDA, such as information about the system and technology used to provide services, a risk assessment and management plan, a personal data protection plan and security plans and measures for information systems.
The licensee has duties to report as follows:
- Submitting a Business Readiness Assessment Report to ETDA within 180 days of receiving a license. Otherwise, ETDA may consider revoking the license.
- Notifying ETDA if a third party collects or retains Digital Identity Proofing and Authentication System Information on its behalf. Any changes to such third party must be reported to ETDA within 15 days of the change.
- Notifying ETDA of any changes in registered capital, director, manager or person in charge of operating the services, as well as system and technology that may have an impact on service provision.
- Notifying ETDA if they receive a complaint or a lawsuit relating to the licensee’s business operations.
- Submitting an annual report to ETDA in the format, content and method prescribed by ETDA.
- Inspecting the digital identity proofing and authentication system and reporting the same to the ETDA.
- Notifying ETDA at least 60 days before the expected date of discontinuation of business.
The ETDA shall consider announcing the rules, procedures and conditions concerning the period for business termination, transfer of services to another Licensee, management and collection of information relating to digital identity proofing and authentication and any other matters that ETDA deems appropriate in order to prevent damage, protect service users and ensure that users can continue to use the services.
Service providers who require the license and have been in operation prior to the effective date of this Royal Decree may continue to operate their businesses. However, they must apply for a license and submit a business readiness assessment report within 90 days of the Royal Decree’s effective date. Therefore, if you are required to obtain this license, please read this Royal Decree and begin preparing your application, as well as keep up to date on any new sub-regulations that may be announced.