DRCF: The Future of Digital Identity

In this guest insight from the DRCF, they describe how they're viewing trends and regulatory implications for the future of Digital Identity.

Digital Regulation Cooperation Forum

The Digital Regulation Cooperation Forum (DRCF) brings together four UK regulators, the Competition and Markets Authority (CMA), the Office of Communications (Ofcom), the Information Commissioner’s Office (ICO) and the Financial Conduct Authority (FCA) to deliver an agile and coherent approach to digital regulation for the benefit of people and businesses.  

Through the DRCF’s horizon scanning and emerging technology project (as laid out in our latest Workplan here), the DRCF takes a proactive approach to understanding the potential benefits, risks, and regulatory implications of emerging technologies. This has been evidenced through our previous work on Immersive Technologies, Quantum Computing, and Web3.  

The DRCF has recently explored the future of digital identity (also known as digital verification) and associated regulatory implications. We have set out initial findings in an article, published on the DRCF website here. These findings have been gathered from extensive engagement both internally and externally.  

Basing our definition of digital identity on the UK digital identity and attributes trust framework, we found that digital identity has potential to deliver a range of benefits, but also poses risks. Our findings cover topics including potential future development of technology and markets; trust, interoperability and standards; the ‘digital divide’/access; and competition and key players. To summarise some key findings: 

1. Future development of technology and markets 

AI already plays a role in digital identity, in areas such as facial recognition and biometric matching technologies - its role is likely to grow as it is implemented more widely. On the other hand, AI could be used by bad actors to circumvent authentication and cyber-security systems and commit fraud. 

2. Trust, interoperability and standards 

There was a lack of consensus over who the public might trust to operate digital identities. Many stakeholders suggested consumer technology organisations with large market shares and brand loyalty may be well placed to gain public trust. 

3. The ‘digital divide’/access 

Some examples of how digital identity could improve inclusion emerged through our research. For example, the due diligence process to access basic financial services could be streamlined. 

4. Competition and key players 

Many stakeholders made the case that the strong incumbent position of large technology companies (in particular those with a role in mobile operating systems and existing wallet services) would result in them taking a leading role. Some stakeholders noted UK focused start-ups may be better placed to adapt to the specifics of the UK market, relative to larger international companies. 

The responses to the DRCF’s 2024/25 workplan consultation highlighted the transformative potential of digital identity. Digital identity also has direct relevance to all four of the DRCF’s members regulatory remits, including cross-regulatory relevance. High level examples of this include:  

• CMA: Relevance for the provisions set out in the Digital Markets, Competition and Consumers Act 2024 (see here for the recent consultation on the guidance)  which seeks to address the far-reaching market power of a small number of technology firms. Understanding digital identity's role in markets will help the CMA to drive more dynamic digital markets while preventing harmful practices that hold back innovation and growth. 

• FCA: Digital identity could potentially be a valuable tool that enhances "know your customers" checks, which are crucial for combating financial crime and fraud. It could play a significant role in interactions with open data frameworks and promotes digital access and inclusion. However, while digital identities provide essential data and information, it is ultimately up to the firms to make informed decisions regarding a customer's risk level and comply with the relevant AML/CTF regulations based on this information. 

• ICO: A person's identity is composed of individual qualities and attributes. These might include a name, an identification number, location or address data, or even physical appearance. These are personal data, and the processing of them would be subject to data protection law.    

• Ofcom: The Online Safety Act (OSA) has requirements relating to digital identity and age assurance in a number of areas, such as age assurance for child protection and user verification for user empowerment. For example, as set out in its recent Consultation, Ofcom is interested in digital identity as it is a technology that could be highly effective at enabling age assurance. 

In addition to involving all four DRCF member regulators, our work on the future of digital identity has sought insight from experts in a variety of fields, including business, government, academia, and civil society. We would like to continue these conversations around digital identity as the market develops, and ask that you get in touch with us for further discussion. 

We also invite you to join our DRCF Newsletter mailing list where you can receive the latest news on DRCF outputs and activities by contacting us at [email protected]. 

As the UK’s largest trade association for technology, techUK includes many Digital ID companies as members, and acts as a leading voice in the sector. If you'd like to raise anything or discuss opportunities, please reach out to [email protected].

To find out more about our work, visit our Digital ID hub and sign up for our newsletter here.