Interop Best Practice G
INTEROP-BP-G. RECOMMENDED LEGAL COMPLIANCE
When conducting digital identity management functions, entities SHOULD comply in all substantial respects with all laws and regulations applicable to those relevant functions.
This best practice applies to digital identity management functions for entities that operate in a regulated industry or perform online transactions subject to specific statutory or regulatory requirements, such as HIPAA and COPPA. Such regulated entities are responsible for determining for themselves which laws and regulations apply to their activities, but this requirement applies only to those laws and regulations that address identity management functions. This best practice only recommends that entities have assessed and confirmed that they have made that determination and are in compliance. Entities that conduct identity transactions with them ought to be able to rely on the assumption that their counterparty is operating in accordance with applicable laws. Absence of findings from examiners or other reviewers is an indication of compliance.
Some entities, and different classes of digital identity management transactions, may be subject to specialized or additional obligations by operation of law or regulation. Reference examples include:
- Know Your Customer requirements, USA PATRIOT Act sec. 326
- Health Insurance Portability and Accountability Act (HIPAA) regulations for certain healthcare personal and payment information
- Children's Online Privacy Protection Act (COPPA) for entities whose transactions are governed by its requirements