
To be certified against the UK digital identity and attributes trust framework as a holder service provider (HSP), you need to have a process in place to get in touch with users if:
- there’s a change to their holder service account
- you've received a request to close the account
This is a requirement for all HSPs and is outlined in rule 7.3.1a of the gamma (0.4) publication of the trust framework.
The purpose of the rule is to help prevent fraud, as the user can react appropriately if the request has happened without their knowledge.
Your process must be multi-channel
As stated in rule 7.3.1.a, the communication must be “multi-channel”, which means you must make more than one channel available to users. The process you put in place to notify them of changes to their holder service account, or of requests to close it, must take account of this.
Some examples of channels you might use to communicate with users and meet the requirements of 7.3.1 include:
- SMS text message
- physical letter
- social media message
- push notification to a user’s mobile phone
- pop-up messages in an app
- inbox message in an app
This is not an exhaustive list.
User-initiated channels could be considered in your processes too. For example, you may have an email or phone-based helpdesk, a web-based chat, or a social channel through which users can initiate contact.
Proportionate and reasonable processes
The decision about which channels you use to notify users of any account changes or closure requests must be appropriate to the:
- design of the service you offer
- communication channels you have available to you
The conformity assessment body (CAB) certifying your service will make a judgement about whether the processes you have in place are proportionate and reasonable in the context of the service you offer.
