Treefort Technologies has started the process of obtaining Voilà Certification through the Digital Identification and Authentication Council of Canada (“DIACC”)!
In this article we talk about the Voilà Certification program, what it is, why it is important, and why we have made the decision to obtain it.
WHAT IS THE VOILÀ CERTIFICATION PROGRAM?
The Voilà Certification program is offered by DIACC, which is a Canadian non-profit coalition of public and private sector entities who have developed a framework for digital identification and authentication called the Pan-Canadian Trust Framework (the “PCTF”). The PCTF is basically a risk mitigation framework comprised of a set of rules, standards, specifications, regulations, and guidance that offers a defined code of practice for operating trustworthy and efficient digital identity, credential, and supporting services. Through the Voilà Certification Process, entities like Treefort Technologies can become certified through third-party audits that validate the entities’ conformance with the PCTF criteria and a subsequent independent review of the audit findings. By offering this third-party, impartial and competent assessment process, DIACC’s Voilà Certification enhances confidence and trust in digital identity services and solutions.
WHAT IS THE VOILÀ CERTIFICATION PROCESS?
The Voilà Certification Program consists of the following 5 steps:
- Pre-Engagement: At this stage there is an initial meeting, a fee quote is provided and if the quote is accepted a Certification Agreement is signed.
- Application: The entity applying for certification completes a self-attestation checklist and application form.
- Audit: An audit is conducted by a DIACC accredited auditor. This audit is a “point in time” audit and consists of document review and potentially an onsite visit.
- Final Review: After the audit has been completed a quality assurance review of the audit report is conducted by an independent committee.
- Trustmark Issuance: If the quality assurance review is successful, the entity is provided with certification documentation and it can then publish the “DIACC Certified” Trustmark. The entity is then subject to annual surveillance audits. After three years the entity must undergo a full audit again.
THE LAW SOCIETY PROFILE
Digital identity companies that offer their technologies to Canadian lawyers and notaries, such as Treefort Technologies, currently face a trust problem. All Canadian lawyers and notaries are required to follow client ID rules published by their regulators. Those rules require lawyers and notaries to verify the identity of their clients whenever the lawyer or notary assists the client with the receiving, paying or transferring of funds. Further, when they verify the identity of their client, the client ID rules require the lawyer or notary to use one of the three prescribed identity verification methods: (a) the Government-Issued Photo Identification Method; (b) the Credit File Method; and (c) the Dual-Process Method.[1] While the client ID rules clearly state what a lawyer or notary must do to verify the identity of their client, they and the regulators who impose these rules do not provide any meaningful guidance on how the identity verification needs to be done. For instance, the client ID rules state the following about the Credit File Method:
(6) For the purposes of paragraph (1)(b), the client’s identity must be verified by referring to the following documents, which must be valid, authentic and current, or the following information, which must be valid and current:
(a) if the client or third party is an individual,
(ii) information that is in the individual’s credit file if that file is located in Canada and has been in existence for at least three years that is used to verify that the name, address and date of birth in the credit file are those of the individual;
While these sections clearly state what the lawyer or notary must do, there is nothing in this rule, or the guidance associated with this rule, that provides any meaningful guidance on how a lawyer or notary complies with this rule. As a result, a lawyer or notary looking to use this client identification method is left with a number of questions, including: how do they access the individual’s credit file? Does the lawyer or notary require a membership with Equifax and/or TransUnion? How do you get a membership – can a small law firm or notary office even get a membership? How do you confirm the credit file has been in existence for three years? How, exactly, do you match the name, e.g. if the name on the individual’s ID is “Robert Smith” and the name in the Credit File is “Bob Smith” is that a match? What happens if the person has changed their name recently and their ID has their old name but the credit file has their new name? If the date of birth on the individual’s ID is “01 March 2000” but the date of birth on the Credit File is 03/01/2000 (the day and month are reversed) is that a match? The questions go on and on.
Unfortunately, the regulators (Law Societies and Notarial Societies) are not in a position to answer these questions for two reasons. First, these regulators do not have the expertise on how digital identity technologies work or the reliability of the companies that sell these technologies to provide meaningful guidance to their licensees on how to comply with the client ID rules. This includes being unable to recommend or endorse vendors of digital identity platforms. Second, because these regulators are quasi-judicial bodies who conduct investigations and disciplinary hearings of their licensees, they must maintain their objectivity, and providing substantive technical guidance on how to satisfy the three client identification methods could possibly jeopardize that objectivity. As a result, if a lawyer or notary contacts a Practice Advisor at their regulator and asks them how to comply with the client ID methods, the Practice Advisor will basically tell them: “you have to figure this out yourself.”
Because regulators are not able to provide guidance on how to comply with the client ID rules, lawyers and notaries will contact digital identity companies like Treefort Technologies and ask us if our technology satisfies the client ID methods. We will tell them our technologies do satisfy the requirements of the client ID rules, but because the regulators do not endorse us and there is currently no other way to validate our digital ID products, lawyers and notaries are often skeptical about the veracity of our statements. This is a barrier to adoption of sophisticated digital ID technologies that can help lawyers and notaries take meaningful steps to reduce money laundering, fraud and terrorist financing.
The good news is that DIACC is currently working to develop a set of auditable criteria for the Government-Issued Photo Identification Method, the Credit File Method, and the Dual-Process Method. More specifically, a DIACC sub-committee consisting of digital identity product vendors, framework specialists, government officials and representatives from the regulators, and led by the writer, is reviewing drafts of these criteria. Once the criteria have been finalized, DIACC will develop them into what will be called the “Law Society Profile.” The end result of this process is that when a digital identity company like Treefort Technologies goes through the Voilà Certification audit we can be audited against the PCTF and the Law Society Profile. Once we have earned the Trustmark for the Law Society Profile, lawyers and notaries will have objective third-party confirmation that the Treefort identity verification platform satisfies the requirements of each of the three client ID methods, and this will certainly encourage adoption of robust digital identity technologies.
A QUICK WORD ABOUT MULTI-FACTOR AUTHENTICATION
One of the buzz-phrases currently circulating in the digital ID world is “Multi-Factor Authentication” or “MFA.” What this phrase means is an identity verification process should do more than the bare minimum the client ID Rules require to verify the identity of an individual. For example, the client ID rules allow a lawyer or notary to verify the identity of their client by only doing a credit file check to match the name, address and date of birth provided by the individual to the information held by a Credit Bureau. In other words, if a client tells a lawyer their name is Jay Krushell, their address is 123 Maple Street Edmonton, Alberta T3P 4SM and their date of birth is January 1, 1990, and a search of credit file records at Equifax locates a credit file associated with that name, address and date of birth, the requirements of the Credit File Method have been satisfied and, technically, that is all the lawyer needs to do to satisfy the requirements of the Client ID Rules.
The problem is that only confirming a match against credit bureau data does absolutely nothing to stop fraud, money-laundering or terrorist financing. The reason for this is if a bad actor has stolen my personal information, which has happened, they know my name, address and date of birth. Because I am a real person, when the lawyer queries the credit bureau data they will find a match for my name, address and date of birth but they will not know the individual who has given them that name, address and date of birth is not me. There are similar problems when the Government-Issued Photo Identification Method and the Dual-Process Method are used in isolation.
Because of this, some regulators, such as the Financial Services Regulatory Authority of Ontario, recommend that licensees do more than the bare minimum required by the client ID rules to verify the identity of their clients. Further, the four title insurance companies will all require MFA on certain real estate transactions. As the laws evolve to require regulated entities to do more to reduce the risk of fraud, money laundering and terrorist financing, MFA will almost certainly become the norm, and may even be required.
SUMMARY
DIACC’s Voilà Certification program is new and Treefort Technologies will be one of the first companies to obtain that certification. Further, Treefort Technologies will be one of the first companies to apply to be audited against the Law Society Profile. Once we have obtained the Voilà Trustmark and the Law Society Profile Trustmark, Canadian lawyers and notaries will have further objective confirmation that the Treefort identity verification platform complies with the client ID rules.
Finally, Multi-Factor Authentication is currently a recommended practice when conducting an identity verification and it may become a requirement in the future. Because of that, it is recommended that Canadian lawyers and notaries educate themselves on what Multi-Factor Authentication is and start implementing this practice now.
Jay Krushell
Co-Founder and Chief Legal Officer
[1] The Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations SOR/2002-184 s. 105(1)(b) allows reporting entities to use a fourth identity verification method using digital credentials issued by a federal or provincial government body. This method is not currently used and, because of that, it is not discussed in this article.