This new standard – ISO 24366, Natural Person Identifier, Part I – provides the identifier code construction as well as the underlying reference data needed to identify a natural person for the purposes of provision of financial services.
Additional work is underway to focus on the authentication of the natural person, issuance and maintenance of the code and recommendations for the registration authority/maintenance agency.
The Natural Person Identifier (NPI) standard was developed to provide privacy protection benefits for both financial services employees as well as clients, allowing firms to respond to the requirements of regulation without exposing employees’ personal information, and to allow regulators a privacy protected way to identify counterparties, traders, and beneficial owners, amongst other use cases.
It is a complementary standard to the ISO 17442 Legal Entity Identification standard, which is widely used to identify corporate and commercial legal entities in financial transactions.
In developing the NPI standard, the ISO Working Group, consisting of subject matter experts from 15 participating member countries and 6 liaison organisations, were guided by key issues and use cases:
- Collecting, storing, and reporting personal information (PI) as required by multiple regulations across the globe creates data privacy, security, and maintenance challenges which can hinder transparency and data quality, and leave natural persons exposed to theft and misuse of their PI.
- The broad range of regulatory reporting obligations collecting PI impacts many stakeholders including regulators, buy-side, sell-side, market platforms and natural persons.
- Many regulations require the reporting of counterparty information, some of which are natural persons.
- A variety of regulations require collecting, storing and reporting of NPI about a firm’s traders, business and desk heads, investment managers, advisors and decision makers, some of which require the sharing of personal information that may include name, address, phone number, national ID number, etc. about those natural persons.
- Other regulatory rules require the disclosure of natural persons in a variety of roles including as counterparties, beneficial owners, or corporate insiders like directors, CEOs, CFO, etc.
- In the payments industry, the initiator and the beneficiary of payments transactions could be natural persons. To complete the picture of the parties responsible for roles within payment transactions, an international standard such as the natural person identifier would be tremendously useful.
- In anti-money laundering, there is a need to unambiguously identify parties engaged in financial transactions as part of monitoring for criminal activity. Having a validated, unique identifier for natural persons engaged in financial transactions would greatly facilitate such monitoring and information sharing.
The NPI Working Group’s efforts focus on the realization of key benefits, including straight through processing savings, ability to monitor systemic risk across jurisdictions and more importantly, creating the ability to protect citizens personal information during the provision of services and responding to regulatory requirements.
With respect to the security and privacy benefits, the need to protect the identity of the natural person is the pre-eminent goal. If unprotected PI is intercepted by non-authorized parties this leaves natural persons vulnerable to identity fraud, and data controllers could be liable. Using the NPI to safely identify natural persons rather than sharing their underlying PI could mitigate the impact of data breaches and ensure the underlying PI can only be accessed on a need‐to‐know basis.
While Part I of the standard provides the code and a comprehensive list of reference data attributes needed to identify the natural person, the upcoming Part II development, currently under ballot as a New Work Item Proposal will focus on how identifiers will be issued and reference data maintained and how privacy laws will be respected.