To be certified against the UK digital identity and attributes trust framework as a holder service provider (HSP), you need to have a process in place to get in touch with users if:
there’s a change to their holder service account
you’ve received a request to close the account
This is a requirement for all HSPs and is outlined in rule 7.3.1a of the gamma (0.4) publication of the trust framework.
The purpose of the rule is to help prevent fraud, as the user can react appropriately if the request has happened without their knowledge.
Your process must be multi-channel
As stated in rule 7.3.1.a, the communication must be “multi-channel”, which means you must make more than one channel available to users. The process you put in place to notify them of changes to their holder service account, or of requests to close it, must take account of this.
Some examples of channels you might use to communicate to meet the requirements of 7.3.1 include:
email
SMS text message
physical letter
social media message
push notification to a user’s mobile phone
pop-up messages in an app
inbox message in an app
This is not an exhaustive list.
User-initiated channels could be considered in your processes too. For example, you may have an email or phone-based helpdesk, a web-based chat, or social channel through which users can initiate contact.
Proportionate and reasonable processes
The decision about which channels you use to notify users of any account changes or closure requests must be appropriate to the:
design of the service you offer
communication channels you have available to you
The conformity assessment body (CAB) certifying your service will make a judgement about whether the processes you have in place are proportionate and reasonable in the context of the service you offer.
seen at 18:30, 18 November in Enabling digital identity.