What is Digital Identity Trust Services Framework Act (DITSFA)

DTISFA is an Act that will establish a Trust Framework for providing safe, secure and trusted digital identity services in New Zealand. The Act encourages businesses and consumers to use digital identities. The Act has passed all stages in preparation to come into force through royal assent on 1 July 2024.

New Zealand is currently limited in its ability to encourage the benefits of digital identity as only a single major player exists (RealMe), which is managed entirely by the central government. The adoption hasn’t been significant and only a handful of businesses have integrated Real Me in their customer onboarding journeys outside Govt organisations. The user experience is not where it should be.

The Act will foster a way for organisations to leverage Digitally Verifiable Credentials (DVC) for greater trust and better customer experience. It will also encourage organisations to produce DVCs, allowing seamless authentication and ultimately contributing to a much greater digital network.

This modern framework will reduce reliance on traditional centralised CIAM (Customer Identity & Access Management) systems and contribute immensely to reducing identity-related fraud. Once trust is established, the onerous task of having/protecting replicable Personal Identity Data (PID) can shift away from the organisation.

Challenges

Govt agencies will continue to be the trusted authority where high-trust digital credentials are issued, verified and revoked. This means there is an obligation for some of these agencies to take part in an identity management transformation. There will be a need for a government-issued DVC; however, it is not holding anyone back from taking advantage of this opportunity - as we’ve seen with many large organisations, trust can exist and be leveraged outside of the government.  
The other challenge is that no direct set of standards is available for this specific Act; however, work to date has been around the existing W3C Verifiable Credentials and Decentralised Identifiers (DIDs) global standards, which provide a foundation for developing alignment with the Act. These standards also have a tried-and-trusted history in other regions, e.g., Europe.

In the Meantime

The private sector has a greenfield opportunity to become the custodians of a new level of trust with people inside and outside the organisation. Any business can create DVC with an appetite for a new layer of trust and a willingness to replace old layers of risk, not to mention a significant uplift in user experience.

What do we want?

Consumers will choose their preferred digital identity provider to be the custodian of their personal information. And some credentials will have more weight with some suppliers than others. For this reason, we need to encourage a national ecosystem to consider the value of trusted digital identity practice—an introduction of new DVC providers specific to a service, industry, or customer touch frequency.

How to be ready?

The first step is to understand how the Act will affect your business. You can do that by asking several questions.

- How do your customers access services, and does the onboarding process leave room for fraud?

- Do you request and then store PID for any reason? Have you evaluated the associated cyber risk?

- Do you have a high trust level that can be converted into a DVC for use in a partner network or for competitive advantage?

If you answered yes to any of those questions, you should contact Sush Labs for a readiness assessment before the Act comes into play.