Search

Business models

Identity-Authentication-and-Verification-Fees

Related to the roles and responsibilities of the ID authority are the business models it adopts. In many cases—particularly where ID authorities report to line ministries—ID systems will be financed out of the national budget. However, the digitization of ID systems in particular has created the potential for new business models, including generating own-revenue by charging fees for identity-related services, as well as public-private-partnership models. Each of these options, along with implications for inclusivity and sustainability are discussed below.

Generating own revenue by charging user fees

ID providers primarily generate revenue through two mechanisms:

  1. Charging public and/or private third parties (i.e., “relying parties”) for identity verification and authentication services

  2. Charging individuals for certain luxury services, such as expedited processing or optional, advanced credentials

Such fees can offer some level of autonomy and help isolate ID authorities from short-term fiscal pressures (see Gelb & Diofasi Metz 2018). However, while fees may help ensure fiscal independence, and financial sustainability setting them too high may suppress demand and increase exclusion.

Because identity services are a public good—particularly with respect to foundational ID systems—most services should be free or with highly minimized fees, including:

Book

  • Basic credential services for the population: Charging fees to people for basic identity credentials creates a barrier to adoption. As stated in Principle 2, first copies of birth and death certificates should be free of charge, as should the initial issue of any credential that is mandatory—in law or in practice—to possess for accessing basic rights and services. If fees are charged for certain additional services (such as reissuance of lost credentials), rates should be reasonable, proportional to costs incurred, and transparent to the public. If any fees are to be charged, consideration should be given to subsidizing or waiving them for poor and vulnerable persons.

  • Services for essential or mandatory functions: For essential government functions that rely on identity verification and authentication services, and/or for public and private sector use-cases where these are mandatory (e.g., for compliance with mandatory SIM registration regulations), the ID authority may hold a monopoly on identity verification and authentication services. In such cases, it is highly recommended that fees be free or minimized. In general, fees should be affordable both for large organizations and for smaller ones, particularly those that serve poor, rural, and other marginalized groups.

The primary users of authentication and verification services are other government agencies—e.g., service providers such as social protection programs, electoral commissions, justice departments, passport agencies, etc.—as well as banks, other financial service providers, mobile network operators, and other entities that need to fulfill KYC requirements. In some cases, these relying parties have dedicated secure connections to the central server and make queries in real time on an ongoing basis; in others, verification is done via web-based portals or APIs. Furthermore, some identity providers conduct large batches of verifications for specific purposes within a set time frame (e.g., periodic deduplication of a voter list before elections). Fees typically vary based on whether the relying party is a public or private entity, the type of data or query, and/or the volume of transactions.

Table 26. Example of fees for verification and authentication services

Country Public Sector Charge Private Sector Charge

Argentina

43.8m people

US$14,398 GDP/cap (PPP)

 Free

Per query fee:

  • USD 0.125 (basic)

  • USD 0.375 (fingerprint)

  • USD 2.5 (biometrics +)

Chile

Population: 18.2m

GDP/capita USD: 15,346

 Free

Per query fee:

  • USD 0.040 (basic)

  • USD 0.054 (photo)

  • USD 0.040 (signature)

  • USD 0.135 (biometric)

Colombia

Population: 49.9m

GDP/capita USD: 6,408

 Free

Fee based on volume of queries, e.g.:

  • USD 0.095/per query for up to 100k queries (biometric)

  • USD 0.014/per query for up to 12m queries

Ecuador

Population: 16.2m

GDP/capita USD: 6,273

 Free

Per query fee:

Webpage based:

  • USD 0.15 (biographic)

  • USD 0.30 (biometric)

Web service based:

  • USD 0.08 (biographic)

  • USD 0.30 (biometric)

CD or DVD based (biographic): USD 0.12

India

Population: 1.3bn

GDP/capita USD: 1,942

 Free

Per query fee:

  • USD 0.007 (Y/N authentication response)

  • USD 0.30 (e-KYC transactions)

Kenya

Population: 48.5m

GDP/capita USD: 1,595

 Free access to a biographic record and to verify the authenticity of a national ID card.

Malaysia

Population: 31.2m

GDP/capita USD: 9,952

USD 0.13 (biographic record)

USD 0.25 (biographic + biometric record)

Pakistan

Population: 193.2m

GDP/capita USD: 1,548

 USD 0.09 USD 0.29

Panama

Population: 4.1m

GDP/capita USD: 15,087

 Free

Fee based on volume of queries:

  • USD 1 for 1-10,000 queries

  • USD 0.75 for 10,001-30,000

  • USD 0.50 for 30,001-60,000

  • USD 0.10 for 60,001-more

Peru

Population: 31.8m

GDP/capita USD: 6,572

 Free

There are various ways to verify an identity. Wired connections, used by banks, has the following fees:

  • USD 0.026/per query for up to 200k queries

  • USD 0.06/per query for 800k or more

Tanzania

Population: 55.6m

GDP/capita USD: 936

Citizens: USD 0.22 for any query or authentication by government or private sector

Legal residents and refugees: USD 1 for any query or authentication

Thailand

Population: 68.9m

GDP/capita USD: 6,595

 Free access to biographic record in the database and to verify a national ID card Free access to read biographic data and facial image on the chip of the national ID card (no access to the database).

Source: Identity Authentication and Verification Fees: Overview of Current Practices. Note: Fees were converted from local currencies to USD using the applicable currency exchange rate on December 29, 2019 and are be subject to change.

Table 26 provides examples of different countries’ fee-charging policies and rates for verification and authentication services. These cases demonstrate that fees need not be uniform over time or across users or types of transactions—which can help reduce the burden for some users. Some options for price discrimination include:

  • Pricing based on the user. To harness the utility of identity services across the public sector, most countries have opted for lower pricing for government agencies than private-sector users, with many providing free services for the public sector.

  • Bulk pricing models. Identity providers, such as Peru, Panama, and Colombia, also offer bulk pricing discounts for frequent users of identity services. Argentina and Malaysia set different fees depending on the type of data requested, while Peru and Ecuador also vary fees based on whether authentication and verification services are performed online or via a hardwired database connection.

  • Phasing in fees. To ensure rapid up-take by relying parties, one option is to initially wave fees or set prices extremely low, and later increase them if demand is sufficient. In India, for example, UIDAI initially kept all authentication services free to lower the barrier to entry for relying parties and has only begun charging relying parties in 2019.

Other important safeguards against overcharging include consultation with a diverse array of potential users as well as independent oversight and regulation. Given that ID providers often have a monopoly on verification and authentication services, a strong regulatory and oversight framework is necessary to help ensure that rates remain affordable and transparent, and that the ability to generate profits does not create perverse incentives for identity agencies. In Peru, for example, RENIEC’s prices are set equal to the cost of the service, as determined by an independent regulatory body. This periodic review has allowed the agency to adjust its fee structure over time, helping to keep prices low and credible. Fees for services to poor individuals are also free of charge and are subsidized by the central government.

Figure 18. Key considerations for charging fees for ID services
Inclusion Data Protection Sustainability Responsiveness
Basic ID services for individuals (e.g., first credentials) should be free of charge, and other fees minimized; fees for authentication and verification should also be minimized to avoid these being pass on to users Relying party services that involve data processing must be governed by a comprehensive legal framework to protect personal data and provide the ability of people to see who has accessed their data Fees can help generate revenue for ID service providers as long as the prices are set at a low enough level to attract users The process of setting and revising fees should be transparent and involve public and stakeholder consultations

Public-private partnerships

While the public sector will nearly always play a large role in providing government-recognized ID, the scope and mode of private sector participation will depend on the context, needs, and financing constraints. Beyond its role as a user of ID credentials and services—e.g., to fulfill KYC requirements—and a supplier of inputs for ID systems, the private sector can also be a valuable partner for the government in implementing the ID system itself. For example, where the private sector has technical expertise and operational efficiency that government entities lack, governments may outsource certain roles within the ID lifecycle to the private sector in order to reduce ongoing costs—e.g., to provide cloud storage services or a managed call center to handle grievance redress.

However, not all PPPs have been successful, and such arrangements require sufficient oversight capacity, detailed planning, and safeguards to ensure that data collection and identity creation meets the standards set out by the ID authority, that personal data is secure and not misused, and that the system meets the overall goals and requirements set forth by stakeholders. This might include, for example:

  • A mandatory authorization process for any companies and their agents involved in the ID system

  • The requirement that private-sector provider be located within the country

  • Government-retained ownership and control over any data collected and stored by the private sector provider on behalf of the ID system

While there are potential benefits from PPPs to implement an ID system, there are considerable risks regarding their sustainability, unnecessary creation of fees that could lead to exclusion, and potential vendor or technology lock-in. These risks can be mitigated through careful design of the PPPs and transparent, competitive, and accountable procurement processes. Build-operate-transfer models, for example, may create a dependency on a particular vendor if knowledge and resources are not effectively transferred to the government. Likewise, consideration must be given to how the revenue stream for a private partner (e.g. fees for credentials or authentication) could lead to exclusion as discussed above, and the incentive of profits for such concessions could undermine the objectives of an ID system (i.e. to act as a public good to expand access to services).

As discussed more fully in Digital Identity: Public and Private Sector Cooperation, private-sector partnerships could take a number of forms, including but not limited to:

  • Service agreements. In the service agreement model, the government contracts with a private firm or firms to undertake a specific role in one or more stage of the digital identity lifecycle. In such cases, firms could receive revenue directly from users or from the government on a performance basis. Whether or not these agreements meet the common definition of a public-private partnership (PPP)—i.e., a “long-term contract between a private party and a government entity, for providing a public asset or service, in which the private party bears significant risk and management responsibility, and remuneration is linked to performance”—depends on the extent to which they are long-term partnerships that require significant investment on the part of the private actor.

  • Build-operate-transfer (BOT) and concessions. BOT and concession partnerships are ones in which the private sector is solely or primarily in charge of building and operating a project, usually for a fixed concession period. These are considered PPPs according to standard definitions, as the contracts bundle together many services and entail significant risk and financing on the part of the private party. In these cases, contracts are often awarded to a single contractor or consortium, project costs and outputs are predetermined, and payment is performance-based and can include a fixed set up cost. Revenue generated by the ID system is allocated between the private and public sectors according to the contract. In BOTs, for example, revenue may go to the government, who then pays the private partner. In concessions, the private partner collects revenue directly and then pays a portion of this to the government.

Box 25. PPP example in Moldova

Moldova’s Mobile eID (MeID, see Box 36)—which provides SIM card-based mobile authentication and document signing—was developed via a public-private partnership (PPP). The partnership involves an agreement between the e-Governance agency (the ID authority), the Center for Special Telecommunications (state-owned Certificate Authority that manages the country’s PKI), and two mobile network operators (MNOs) who register end-users in the system.

MNOs are responsible for registration and for providing the technical infrastructure for the MeID, including supplying additional hardware and increasing the network strength. The government was then responsible for integrating the MNO infrastructure with existing PKI infrastructure. Mobile ID implementation took roughly 18 months. The first 12 months were devoted to reaching out to mobile operators, building consensus around a possible PPP model and signing the PPP agreement. Technical implementation took another six months. Since most of the infrastructure investment was made by the private partners, the government did not need to conduct any procurement.

MNOs charge end-users a fee for the use of mobile signatures and the pricing structure can vary depending on specific contract and bundling models, much like air-time, data usage, or text messaging. For example, mobile subscribers who only need a few signatures can opt for a pay-per-use model, while frequent users can opt for bundles ranging from 10 to 1000 transactions. The revenue from mobile signature transactions is split with 85% of revenue going to MNOs, and 15% to the government for the maintenance of the PKI infrastructure.

Source: Moldova Mobile ID Case Study

For PPP schemes to attract private sector participation, good policy and credible incentives are needed to offer an enabling environment with a level playing field, a competitive marketplace, a deterministic model for the return of investment, and a system of mutual guarantees. Because each country context is unique, and a thorough analysis of this context is necessary before adopting a specific partnership model, including careful consideration of the following factors:

  • Government oversight capacity. All foundational ID systems require significant public sector capacity. Even where governments are not building and managing ID systems in-house, they must clearly define the roles and responsibilities of different actors and provide the legal and regulatory framework to establish trust and protect privacy and personal data. For partnerships, special legislation may be required—and strong governance practices are necessary—to oversee project implementation and enforce regulations. In contrast, traditional public procurement projects involve well-known and often simpler contracts. However, projects where government officials are involved in operating ID systems—such as in public procurement—may also require significant technical knowledge transfer.

  • Private sector capacity and activities. The extent to which digital ID and authentication services are already commercially available and interoperable will dictate potential public and private sector use cases and cooperation. The private sector must also have the capacity to provide trustworthy digital identity, offering the same standards of privacy and security protection as those provided by the state, for similar services and in compliance with national privacy regulations (along with international conventions, where applicable, national sovereignty and governance principles). For example, there is a difference between those companies that are bound by national legislation and privacy frameworks and companies that operate globally but are not obligated to adhere to local privacy laws.

  • Legal and ethical issues. There may be risks associated with transferring management of a national-level ID system to a private company under certain partnership arrangements. For example, private ownership of public data may not be legal, advisable or socially acceptable, particularly if stored outside the country. For liability reasons, for example, it is generally important for governments to lead the delivery of civil registration, even though these can be facilitated by private sector entities.

  • Sustainability and pricing. Practitioners should consider the overall estimated costs of the project, estimated volume and demand of digital public services, and the revenue-generating potential for participants. In addition, pay-per enrollment pricing schemes should be structured to incentivize universal coverage for the target population in order to avoid a scenario where certain groups are excluded because registration agents only have an incentive to cover easy-to-reach populations.

  • Vendor and technology lock-in. In any arrangement, practitioners should structure contracts to help leverage private sector expertise and innovation while enabling interoperability and the long-term flexibility of the system to change technologies and vendors.

Figure 19. Key considerations for private-sector partnerships in ID systems
Inclusion Reliability Data Protection Sustainability
Where registration is outsourced, fee structures should incentivize universal coverage, including of remote and hard-to-reach populations. Clear standards and oversight mechanisms must be in place to ensure quality in implementation. Private companies involved in the ID system must be trusted and subject to national laws regarding privacy and data protection. RFPs should be structured in a way that ensures competition and avoids vendor and technology lock-in.

Box 26. Additional resources on ID system administration

For more on institutional arrangements, governance, and partnerships, see: