On Wednesday (13 September), the federal government introduced the Identity Verification Services Bill, which aims to support the operation and security of identity verification services and protect the privacy of Australians while helping organisations securely verify a person’s identity.
If passed, the bill will also put in place greater safeguards and security measures to protect Australians online, which include:
- Secure systems that information must be encrypted and data breaches must be reported.
- Limits on access so that industry and most government agencies can only access identity verification services for one-to-one matching to verify identity, with the consent of the individual.
- Strong privacy protections, including consent requirements, privacy impact assessments, complaint handling and transparency about how information will be collected, used and disclosed.
The bill authorises one-to-one matching of identity through identity verification services, with the consent of the relevant individual by public and private sector entities – enabled by the Document Verification Service (DVS), the Face Verification Service (FVS) and National Driver Licence Facial Recognition Solution.
It also authorises the Attorney-General’s Department to develop and maintain the identity verification facilities that will be used to provide the identity verification services.
The bill will impact lenders, as many use both DVS and FVS when verifying the identity of their customers and to meet the “Know Your Customer” obligation within anti-money laundering and counter-terrorism laws.
In a joint statement regarding the introduction of the bill, Minister for Finance Katy Gallagher and Attorney-General Mark Dreyfus commented: “Identity verification enables Australians to conveniently and securely engage with the digital economy without exposing them to identity fraud and theft.
“MyGovID, the Australian [Taxation] Office, Centrelink, banks and telecommunications providers all use identity verification services to authenticate identity documents.
“Australians rightly expect greater protections, transparency and control over their personal information when they provide it to trusted organisations.”
‘Paves the way for there to be one central, secure repository of ID information’
Welcoming the introduction of the bill, the chief executive of the Australian Banking Association (ABA), Anna Bligh, highlighted the benefits the introduced bill could have in the finance space.
“This is a step in the right direction in the ongoing fight against scams and fraud. The proposed new laws are designed to help provide a safe and secure mechanism for banks to verify identity information provided by customers,” Ms Bligh stated.
“These new laws help pave the way for Facial Verification Service to be utilised, which will help ensure key steps such as opening new accounts have additional safeguards in place.
“As scams grow ever more complex and sophisticated, Australia needs all sectors to continue the fight against these financial crimes – this includes government, banks, telcos, social media, law enforcement, crypto platforms and individuals.”
The chief sales officer at digital mortgage law firm Galilee Solicitors (Galilee), Blake Albones, said the proposed framework was a welcomed addition to the identity information space as it “positions the government as the central aggregator of identity information”.
Mr Albones commented: “We’ve been watching with concern as big business – motivated by profit rather than privacy – have sought to turn Australians identities into the new oil.
“A current headache for the mortgage industry is that brokers, real estate agents and conveyancers are all required by their separate regulators to effectively maintain their own, duplicated ‘honeypots’ of their customer’s ID documents.
“This places an unfair burden on small business. The proposed new framework paves the way for there to be one central, secure repository of ID information. If – as we hope – this new framework is passed into law, we would like to see the dismantling of these separate retention requirements.”
He added that the firm believed the bill would mean biometric FVS, which he said was presently underutilised, would provide greater identity security – not just used to establish a MyGovID, as is currently the case, which can be hijacked by “any bad actor who controls the user’s device”.
Mr Albones stated: “Crucially, this new legislation appears to enable government and business to continually validate the person behind the device, using FVS, at each key point of the transaction.”
As part of the bill, there will also be stronger penalties for those government and industry organisations that do not comply with their obligations, including terminating access to identity verification services.
Those found guilty of recording, disclosing or wrongly accessing protected information could face imprisonment of up to two years.
[Related: Banks allowed to collaborate on standards: ACCC]