The Australian Government Information Management Office Archive
The content on this page and other AGIMO archive pages is provided to assist research and may contain references to activities or policies that have no current application. See the full archive disclaimer.
Identification
It is generally accepted in Australia that in order to do business with an organisation an entity (individual or business) must first identify itself to that organisation. Most organisations, whether in the government or private sector, have established appropriate identification procedures which a new entity must satisfy to prove they are who they say they are.
3.1 Identity documents and value
To determine identity document types and the value or points associated with these documents, agencies can use the Financial Transaction Reports Act 1988 (FTR Act) Identification Record for a Signatory to an Account (AUSTRAC Form 201). Another example of identity document types and the value or points associated with documents can be found by visiting the Centrelink website.
The FTR Act 1988 identification record can be found at: http://www.austrac.gov.au/guidelines/forms/201.pdf
Centrelink's ID information can be found at: http://www.centrelink.gov.au/internet/internet.nsf/MultiFilestores/poi0110t/$File/poi0110en.pdf
An inter-agency Authentication of External Clients working group is moving towards standardising identity documents so that the documents used across agencies will be the same.
3.2 Levels of identification
Agencies usually require a certain level of identification for certain types of transaction. In some instances, no physical identification or associated identity points value are required, based on the type of transaction and associated risk assessment. In other instances, a particular identity 'point value' might be required.
The number of points required for various transactions is generally the result of a risk management decision. Agencies should discuss their requirements with other agencies to ensure a consistent approach.
The inter-agency Authentication of External Clients working group is working towards a whole-of-government approach to authentication processes for users of government services. It is hoped that a set of identification levels can be determined and applied consistently across the Commonwealth Government.
A whole-of-government approach will mean customers experience consistency when conducting transactions across government.
3.3 Identity fraud
In a report entitled The Changing Nature of Fraud in Australia (2000), the Office of Strategic Crime Assessments (OSCA) points out: 'Technology has weakened the integrity of many identifiers currently in use - birth certificates can be reproduced using desktop publishing software; counterfeit passports and counterfeit smart cards can be purchased over the Internet. Easier access to these false identifiers facilitates a range of fraudulent behaviour, including tax evasion, immigration malpractice, fraudulent claims against social security and health insurance companies. It also assists in hiding the proceeds of frauds.'
To view the report, visit: http://www.ag.gov.au/publications/fraudchange.pdf
Similarly, statistical evidence published in Numbers on the Run (2000), a report produced by the House of Representatives Standing Committee on Economics, Finance and Public Administration, supports these concerns:
- An estimated 25 per cent of reported frauds to the Australian Federal Police involve the assumption of false identities.
- A pilot of a certificate validation service conducted by Westpac and the NSW Registry of Births, Deaths and Marriages found 13 per cent of birth certificates to be false.
- Centrelink detected about $12 million worth of fraud involving false identity in 1999.
- A survey by KPMG of over 1,800 of Australia's largest businesses found 11.9 per cent of fraud committed by outsiders involved the use of false documents.
To view the report, visit: http://www.aph.gov.au/house/committee/efpa/tfnaudit/whole.pdf
There are significant issues associated with identity fraud. It is important that identity registering staff have the necessary education and skills so that they are aware of the existence of fraud, and that every effort is made to minimise this risk.
3.4 Registration fraud
Registration fraud is where agency staff approve fraudulent identities, either deliberately or through inattention to detail. To mitigate risks in these instances, staff must be appropriately skilled in registration procedures.
To reduce risks associated with both identity and registration fraud, agencies should seriously consider implementing additional background identity verification processes. These include verifying the validity of identity documents with issuing authorities (wherever possible) and checking telephone directories and other publicly available sources.
3.5 Validation
The identification processes employed by agencies are based on identifying documents presented by the entity (individual or business). However, confirmation of the authenticity of the identifying documents is difficult to substantiate with any certainty.
As mentioned above, the wide availability and simplicity of desktop publishing technology has increased the ability of a much greater proportion of the community to produce very good reproductions of genuine documents. It is therefore more difficult for an agency to identify forged identification documents. It is important to try to verify a document's details with the issuing authority as an assurance that the information it contains is accurate.
Document validation reduces the need to train customer service staff to visually appraise a document for particular security features and decide on its authenticity.
The ability to validate the accuracy of details recorded on identity documents will add significantly to the robustness of the identification process. Although document validation will not prevent all false identity fraud, it will provide a substantial impediment to the registration of false identities using forged or altered documents. Different processes are generally needed for individuals and businesses. These are discussed below.
3.6 Individual identification
When identifying individuals, different processes are needed for new and existing customers. Notably, when it comes to personal identification, driver's licences are currently the most pervasive items used by agencies.
New customers. Agencies need to ensure that new customers wishing to conduct transactions provide evidence of their identity. In instances where positive evidence of a customer's identity is required, the agency will need to:
- bind the physical person to the name of the individual on the identity document(s); and
- validate to the greatest extent possible the authenticity of the identity documents (confirming identity document details with the document issuing authority).
Agencies may choose to conduct transactions online (generally low-level transactions) without the requirement for a physical presence. In these cases, agencies will need to decide whether or not they require some other online authentication process, such as passwords and PIN/User IDs, one-time password generators or a challenge and response process.
Existing customers. Existing customers are those who have already been identified either through their physical presence at an agency or through an online process. Agencies need to ensure that the individual is in fact the same individual previously identified.
3.7 Business identification
The Australian Business Number (ABN) is the single business identifier for dealings with the Australian Taxation Office (ATO) and for dealings with other government departments and agencies. The Australian Business Registrar (ABR) records and issues ABNs.
New customers. Agencies wishing to authenticate a business should implement a process to confirm that the Business Entity exists. The agency may also need to authenticate the existence of the individual acting on behalf of the business. This may require a combination of individual and business identification processes.
An example of a combined process would be to:
- bind a business to a business name and to an Australian Business Number (ABN) (look up the ABR);
- bind the physical person to the name of the individual acting on behalf of the business (individual identification process);
- validate to the greatest extent possible the authenticity of the identity documents (confirm identity document details with the document issuing authority); and
- bind the person acting on behalf of the business to the business (letter of authority from the business).
Agencies may choose to conduct transactions online (generally low level transactions) without the requirement for a physical presence. In these cases, agencies will need to decide whether or not they require some other online authentication process, such as passwords and PIN/User IDs, one-time password generators or a challenge and response process.
Existing customers. Existing customers are those that have already been identified either through the physical presence at an agency of an individual acting on behalf of a business, or through an online process. Agencies need to ensure that the business and individual are in fact the same business and individual previously identified.