Imagine, opening your wallet while you are with the cashier and instead of your debit card, 5-6 National IDs fall out. Isn’t it weird that we Filipinos will have only 1 (or none) debit card but at least 3 National ID cards?
This was the exact problem that the government set out to solve with the introduction of PhilSys. So, we decided that we should do a 3-part series to shed some light on PhilSys by analyzing its various aspects like history, legality, features and implications, adoption, and the future of the ID.
Welcome to the 3rd edition of the Fin-Sulat. Let’s get started…
The scene is set
On June 30, 2016, President Rodrigo Duterte assumed office. On the very same day, Senator Antonio Trillanes filed Senate Bill number 95, “SBN-95: Filipino Identification System Act – An Act Establishing the Filipino Identification System, and Appropriating Funds Therefor”.
This was possibly the strongest policy push from a government in establishing a formal legal framework for a nationwide identity policy that would holistically govern the entire system – from data collection, registration, and issuance of ID, to a mechanism for the private sector and government agencies to use the system.
The bill was decisive in nature and included a formal penal provision, which imposed a penalty on individuals who tried to circumvent the system by providing false personal information. It also recognized the challenges in ensuring adoption and categorically mentioned that the failure to present the Filipino ID should not be a ground to deny or limit basic government and public services, as long as those services qualified under existing laws.
The road to the future is through the past
As several Governments before this focused on governance efficiency and with every National ID initiative, the call for a unified national identification grew louder. The outcome was Executive Order number 420 issued by the then President, Gloria Macapagal Arroy, which institutionalized the Unified Multipurpose ID, or the UMID, that came into effect in April 2005.
The UMID was born out of the necessity to “streamline and integrate the process of issuance of identification cards in government…” and to “enhance the integrity and reliability of government-issued identification cards in private transactions, and prevent violation of laws involving false names and identities.”
However, it was not truly a new national identity system. Instead, it was meant to consolidate identities issued by several government agencies under one umbrella identity framework.
Why then, did the UMID fail?
The question of why this attempt to consolidate all national identities under one umbrella identity failed can be boiled down to two main reasons, adoption by users and adoption by businesses.
Adoption by users
When it comes to adoption by users, we have to look at it from their perspective. Why would you sign up for anything? Either it’s mandatory and you don’t have a choice or you get something in return when you sign up. IDs would have to follow the same principle.
Making the UMID mandatory would have meant that the government might infringe on the user’s freedom of choice or privacy. On the other hand, if the government would’ve given them the choice, they would’ve continued as before with existing IDs. Quite the conundrum.
So why should the user choose UMID, if it isn’t mandatory? It could probably have been solved if there was an incentive attached. For instance, if the government gave away benefits to bank accounts that are linked to UMID, (Which didn’t happen) citizens might have been persuaded to adopt.
Adoption by businesses
UMID is unverifiable through a database – in other words just like any other ID, its without a database that can be used for authentication. So why should businesses adopt it? For them, it’s just one of many identity options that they can choose while onboarding customers.
Another way to incentivise businesses to adopt the UMID would have been to provide them access to the underlying database through which they could verify individual identities. But the moment such access was opened up to businesses, it would become increasingly difficult to control access to what is essentially citizens’ personally identifiable data.
Let’s draw some parallels
Adoption by user
The government has been very careful in not violating the choice that resides with the people of the Philippines and hasn’t chosen the path of mandating the PhilSys for them. But they continue not to incentivize it either. So, this problem remains…
Adoption by business
The question of data privacy has been better answered in the case of PhilSys. There are multiple levels of access to data by businesses, starting from basic authentication by presenting the PhilSys Number to access varying degrees of personally identifiable data from the underlying PhilSys database
We now move on to the next question of how the government accesses the data and who supervises the government. This too is pretty well covered in the Act with masking and data protection practices in place.
Going beyond the parallels…
While the government has taken very good foundational steps in this direction, a few questions crop up. Let me illustrate this with an analogy. You go to a car dealer (for example) and for the registration process, he asks you to authenticate your PSN number via an OTP. But instead of you entering the OTP in the system, the dealer asks you to give him the OTP simply.
What will you do? Call the PSPCC (PhilSys Policy and Coordination Council)? Maybe lodge a complaint? What about those who don’t know about PSPCC? What about the case where you wouldn’t even know that your data might be getting misused?
The end-user cannot be expected to track and report misuses of PhilSys. A Regulator like BSP or PAGCOR has to do that. The implementation of policies and guidelines has to be with someone who already regulates the businesses that will be using PhilSys, only then can the interest of the common citizen be protected.
While we ask and answer these questions, a lot more come to mind like why didn’t they just enhance security and data protection within UMID? What about the businesses that will have to completely overhaul their current customer onboarding journey?
We will examine those and more in the next edition of this newsletter. Until then, stay tuned!
He said. She said.
BSP to monitor banks with cyber software
The Bangko Sentral ng Pilipinas (BSP) has announced the rollout of the unified regulatory and supervisory (RegTech and SupTech) software solution. The software solution is meant to be a part of the drive for enhancing the banking and financial sectors’ cybersecurity measures for selected BSP-supervised entities.
‘Advanced SupTech Engine for Risk-Based Compliance or ASTERisC*’ is the system that will automate regulatory supervision and compliance management of banks’ cybersecurity risk management. You can read about it here.
BSP raises rural bank’s minimum capital requirements
The Bangko Sentral ng Pilipinas (BSP) has hiked the minimum capital requirements for rural banks to at least P50 million to strengthen the country’s banking sector further.
BSP Governor Felipe Medalla said the increase in the minimum capitalization requirement is part of the initiatives of the central bank under the Rural Bank Strengthening Program (RBSP) which was developed to improve the operations, capacity, and competitiveness of small banks. You can read about it here.
