Thailand’s blockchain digital ID infrastructure – an ecosystem within an ID ecosystem

Thailand is moving rapidly with sign-ups to its blockchain-based biometric digital identity infrastructure operated by the National Digital ID Company Limited (NDID), with registrations up 50 percent since November to 9.2 million. Now half the population is eligible to be part of the system when it is ready to introduce verifiable identification and a digital wallet.

Various schemes and projects involving telecom services and convenience stores have been launched in the country with 70 million. NDID is not a digitized version of the national identity card or a digital identity in itself, so Biometric update spoke with CEO, Boonsun Prasitsumrit, in Bangkok to learn what it is and the role it plays in the identity ecosystem and financial sector.

The beginning of a public-private trusted ecosystem

Instead of the Thai government building a national digital ID system, it created a way to connect service providers and identity providers (IDPs) to allow the digital sector to flourish and innovate. It also decided not to be as directly involved, establishing a private company to oversee the project.

“NDID at the beginning, four years ago, we decided that IDPs should not only be banks,” says Boonsun Prasitsumrit at NDID headquarters, “it can be anything, anyone qualified to do it: bank, mobile network , fintech.”

In the beginning, the Ministry of Finance and the Ministry of Digital Economy and Society realized that they “shared the same pain point: the KYC process,” says Prasitsumrit. The ministries helped establish the Digital Identity Committee in 2017.

The country has the Thai national ID card, which has holder details embedded in a chip. There is almost universal coverage for citizens, but the smart card chip is rarely used to open new accounts or access new services, says Prasitsumrit, as the standards for how the chip should be used have not been clear. People generally still have to go to government offices and banks in person with their cards and often photocopies of their ID.

The Digital Identity Committee decided to develop the infrastructure to unlock identity for other areas via a trusted ecosystem. Health and education were part of the original discussion, but emphasis was placed on banking and then financial and insurance services. NDID was established as a public-private partnership that is 36 percent publicly owned.

“If it’s government, it will take some time,” notes Prasitsumrit. As it was for all things digital, it had to work faster than a public body can.

The majority of NDID’s sixty-plus shareholders are in the financial sector, such as the Thai Banking Association, along with the stock exchange and the post office. The Bank of Thailand developed a regulatory sandbox for the system and now eleven banks are part of it.

In 2018, the Electronic Transaction Development Agency (ETDA) also worked on national standards for security levels in line with NIST’s. Legislative changes in 2019 allowed the first use of the system by the end of that year.

More than nine million are now enrolled and 35 million (up from 30 million in November 2022) are now on the country’s highest insurance level, 2.3, which requires smart card ID, check against the government’s D.Dopa national IDP and facial biometrics.

With these, Thai people are ready to enroll in NDID the next time an opportunity presents itself online, such as wanting to open a new bank or securities account or take out a loan.

Both a blockchain and bypass

NDID is a “connecting platform,” says Prasitsumrit. As a decentralized ledger, NDID cannot see any of the information that passes across it between banks, users, IDPs and authoritative sources, but only a log of time-stamped access requests.

Users visit a bank in person in the first instance. People don’t go to the banks to get NDID, says Prasitsumrit, they have to carry out transactions. They hand over the smart card ID and undergo a biometric check, where bank staff or cameras compare the person to the image on the card – the trusted source. Banks can check fingerprints, but this is not popular. If there is no photo in the system, the bank can take a photo to register a person in the NDID.

“Thai people don’t know that their data in the bank is at the highest level,” says Prasitsumrit, “it’s ready to use [NDID].”

When they go through NDID registration, they won’t be aware of the company as a brand unless they read the full terms and conditions, says Prasitsumrit, explaining how the platform is very much in the background.

The millions of registered users “know there is a difference” even if they never have any interactions with NDID.

This is because they can now open any account or product with registered providers by selecting the bank where they completed KYC online, and therefore do not need to visit in person or prove ID again.

Dropout rates for new service registrations are falling.

When prompted during registration, a user selects the bank where they are already registered as an ID provider. The target bank – the trusted party – sends a request to the selected bank via the NDID ledger.

The bank acting as IDP then notifies the user that it has been selected for ID control and takes the user through verification in its own app on the phone using facial biometrics, PIN and registered mobile number.

Once the IDP bank has verified the ID, it notifies the relying party back through the NDID, with this logged in the blockchain. It then sends the user data to the new bank directly, outside the NDID platform. The user completes the registration by creating a new password.

ID has “nothing to do with NDID until there is a request from a trusted party through NDID for an identity provider,” explains Prasitsumrit, as the blockchain neither sees nor stores sensitive data.

A trusted party can verify across multiple IDPs, as well as multiple authoritative sources in the process, such as credit rating agencies.

People have to redo their KYC every two to three years or if they get a new ID card.

Fees are a cost saving

NDID’s business model charges a fee to connect dependent parties and IDPs.

“It’s like the credit card model, one hundred percent [of the bill] goes to the trusting parties, says Prasitsumrit. It is a fixed fee, not a percentage, and includes two prices: a fee to the IDP that makes up 98-99 percent of the price, with the remaining fraction going to the NDID.

As part of the structure of establishing the NDID, the Company does and cannot control the fees. The process is still a cost saving for the banks compared to having to take a new customer through KYC.

The NDID fee is discounted by eight percent to public departments that use the system.

Verifiable identification and a digital wallet

NDID is also launching a wallet for verifiable credentials. “For eKYC, we really need a high degree of security. The bank itself can verify opening the wallet using biometrics, so we can ensure that the owner of the wallet is really him or her,” says Prasitsumrit.

The company is working with a government department on a proof of concept for VCs for paperwork that a user can then share with their bank.

Universities are already in talks to provide certificates and transcripts as VCs to the wallet.

NDID and MNID: AIS, True and DTAC

Thailand has three telecommunications companies – AIS, DTAC and True – that are being internally displaced. Their scheme is Mobile Network ID (MNID). The process has been going on for a couple of years, but is proving slow as the telecoms regulator, the National Broadcasting and Telecommunications Commission, is the operator.

The MNID system serves its mobile customers rather than being a competitor to NDID, and the two systems will merge under ETDA. Its chairman wants NDID, MNID and public services (D.Dopa) to be interoperable.

Technical discussions are underway to determine how a trusted party in the NDID platform can request ID verification through AIS or DTAC and vice versa. Relying parties can choose to go via NDID or potentially MNID, but the hope is that a unified system will provide cost savings.

AIS has two ID functions while you are on the move. Together with DTAC, it can partly use NDID, make its own checks or use partner banks. The operator has around 20,000 service points throughout the country. A trusted party in NDID can ask a person to visit an AIS location to have their ID card read. In this case, AIS is a service provider to NDID – not an IDP. It makes biometric comparisons at its kiosks. The person does not have to be an AIS customer.

AIS is also working on its own digital ID for which users must be AIS subscribers.

The hope is that when the systems are fully integrated, Thais will effectively have mobile digital ID (rather than just eKYC).

Growing digital ID landscape

Alongside the NDID as the main infrastructure, and the MNID that will join it, there is a scheme for the digitization of national ID within the Thailand Digital ID Framework (2022-24). Citizens can take their cards to local government agencies for chip reading and biometric checks to generate the ID in an app.

The Digital Government Development Agency (DGA) also works with 7-Eleven whose stores are almost ubiquitous. Staff authenticate the user against their card details and chip content and send the data back to DGA who cross-checks with D.Dopa to create a digital ID.

A pilot system allows Thais to use mobile digital ID on domestic flights.

“The government does not have an application or a system similar to the banks’, they cannot offer non-face-to-face [ID], says the CEO. The national ID card issuer develops mobile applications similar to mobile banking, but with fewer than 50,000 users and few transactions.

Public services are starting to accept digital transactions such as paying basic taxes. In the future, public authorities will not be able to refuse the use of digital ID, nor will private providers.

The country is aiming for ten million mobile digitized ID holders by the end of the year.

The role of biometrics in banking is increasing. Bank of Thailand introduces new facial biometric authentication requirements for certain transfer thresholds.

The future: interoperability and regulation

The NDID system still operates within a regulatory sandbox.

“In the future, our concern is about laws and regulations because we already have an app, but we don’t have regulations,” says Prasitsumrit, “so now ETDA is going to issue a lot of regulations and we also have to apply for a license, not just NDID: the banks must apply for the license.”

NDID also hopes to test its services with other countries and has an agreement with Mastercard on international issues. The CEO hopes that Thai people will be able to use the mobile bank as proof of identity abroad in the future.

Whatever happens, he hopes to maintain high standards: “Digital ID proof is very important. When you relax or you’ve let go of that standard, any fraudulent transaction that were to happen — there’s no point in having the NDID.”

Article topics

biometrics | blockchain | digital ID | digital wallet | facial biometrics | interoperability | KYC | National Digital ID (NDID) | Thailand | verifiable identification

You may also like...

Leave a Reply

Your email address will not be published. Required fields are marked *