The Pensions Administration Standards Association has objected to the proposal by the Pensions Dashboards Programme for a “central digital identity”, arguing that it would create a “single point of failure”.
The PDP requested feedback on its identity approach, in particular whether “finding pensions and viewing pension details via a pensions dashboard should include a central digital identity, asserted to an appropriate standard, in accordance with the [government’s Good Practice Guide 45]”.
GPG 45 is guidance from the Cabinet Office and the Government Digital Service on how public and private sector bodies should go about checking an individual’s identity.
In response to the PDP’s request, PASA said it agreed with the “to an appropriate standard” assertion, but rejected the central digital identity proposal “if by a ‘central digital identity’ we mean a single identity provider”.
“We are concerned such centralisation creates a single point of failure, a single point of attack, limited capacity and a commercial monopoly that will not enable the open market required to sustain the pensions dashboards ecosystem into the future,” PASA’s response stated.
Instead, it recommended an open market approach, as this would be “more sustainable and commercially viable”, and recommended the Money and Pensions Service “considers aligning with the government’s UK trust framework initiative designed to create an open identity market”.
Onboarding and identity verification processes should start with the dashboard provider being free to choose its identity services, though this will require a high level of trust by users and so “an appropriate level of confidence in verification and authentication is essential”, PASA’s response continued.
The PDP has proposed a “medium” level of confidence, the standard achieved by GPG 45. However, while accepting that this would be sufficient for the “release of pension information” on a dashboard, PASA warned it would not be appropriate for dashboards offering transactions or the moving of funds.
“If, in future, functionality for transactions or movement of funds is provided by pensions dashboards, we recommend a ‘step-up’ authentication to a high level of confidence is necessary and will be expected by users,” its response stated.