ISO/TR 24371:2025
(Main)Financial services — Natural person identifier (NPI) — Natural person identifier lifecycle operation and management
Financial services — Natural person identifier (NPI) — Natural person identifier lifecycle operation and management
This document provides an overview of regulatory, business and best practice risk mitigation specifications that apply to the implementation, operation and governance of natural person identifier (NPI) policies, procedures and mechanisms necessary to support the lifecycle of all NPIs. The purpose of this document is to provide the basis for the development of one or more international standards related to the safe creation, use and management of NPIs with maximum global interoperability. For the structure of the NPI, see ISO 24366. For reference, ISO 24366 specifies a machine-readable, unambiguous NPI and the relevant reference data to uniquely identify the natural person relevant to any financial transaction rather than the personal identifying information.
Services financiers — Identifiant de personne physique — Fonctionnement et gestion du cycle de vie de l'identifiant de la personne physique
General Information
Standards Content (Sample)
Technical
Report
ISO/TR 24371
First edition
Financial services — Natural person
2025-09
identifier (NPI) — Natural person
identifier lifecycle operation and
management
Services financiers — Identifiant de personne physique —
Fonctionnement et gestion du cycle de vie de l'identifiant de la
personne physique
Reference number
© ISO 2025
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
or ISO’s member body in the country of the requester.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland
ii
Contents Page
Foreword .vi
Introduction .vii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 8
5 NPI standard: ISO 24366 . 10
6 Overview of requirements .10
6.1 Introduction .10
6.2 Business requirements .10
6.3 Functional requirements . .11
7 Risk and risk mitigation considerations .11
7.1 General .11
7.1.1 Major types of risk .11
7.1.2 Compliance risk .11
7.1.3 Complexity risk . 12
7.1.4 IT/cybersecurity risk . 12
7.1.5 Fraud risk . 12
7.1.6 Identity management risks . 12
7.1.7 Data quality risk . 12
7.1.8 Opportunity risk . 12
7.1.9 Branding/reputation risk . 13
7.2 Scope of use and liability . 13
7.3 Risk mitigation policies . 13
7.4 Risk mitigation strategy . 13
7.4.1 General . 13
7.4.2 Identify .14
7.4.3 Protect . 15
7.4.4 Detect . 15
7.4.5 Respond . 15
7.4.6 Recover.16
8 Policy considerations . 16
8.1 Major policy considerations .16
8.1.1 General .16
8.1.2 Uniqueness .16
8.1.3 Scale .17
8.1.4 Performance .17
8.1.5 Extensibility .18
8.1.6 Interoperability .18
8.1.7 Realisation of potential benefits .18
8.2 Outline process: NPI lifecycle .18
8.3 User journey . 20
8.4 Main actors in the NPI lifecycle . 20
8.4.1 General . 20
8.4.2 Actor enrolment .21
9 Framework considerations: Entity Authentication Assurance Framework .22
9.1 General . 22
9.2 Phase 1: Enrolment . 23
9.2.1 General . 23
9.2.2 Application .24
9.2.3 Identity proofing .24
iii
9.2.4 Evidence of identity . 25
9.2.5 Process flow . 26
9.2.6 Identity-person binding . 28
9.2.7 Biometrics . 28
9.3 Phase 2: Provisioning and issuance . 29
9.3.1 General . 29
9.3.2 Account creation . 29
9.3.3 NPI creation . 29
9.3.4 NPI issuance . 29
9.4 Phase 3: Use . 30
9.4.1 NPI holder . 30
9.4.2 Relying parties . 30
9.4.3 NPI authorised entities . 30
9.4.4 NPI issuer .31
9.4.5 Links to other identifiers .32
9.5 Phase 4: Management of the NPI lifecycle .
...
FINAL DRAFT
Technical
Report
ISO/DTR 24371
ISO/TC 68/SC 8
Financial services — Natural person
Secretariat: SNV
identifier (NPI) — Natural person
Voting begins on:
identifier lifecycle operation and
2025-05-21
management
Voting terminates on:
2025-07-16
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT,
WITH THEIR COMMENTS, NOTIFICATION OF ANY
RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE
AND TO PROVIDE SUPPOR TING DOCUMENTATION.
IN ADDITION TO THEIR EVALUATION AS
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO
LOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT
INTERNATIONAL STANDARDS MAY ON OCCASION HAVE
TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL
TO BECOME STAN DARDS TO WHICH REFERENCE MAY BE
MADE IN NATIONAL REGULATIONS.
Reference number
ISO/DTR 24371:2025(en) © ISO 2025
FINAL DRAFT
ISO/DTR 24371:2025(en)
Technical
Report
ISO/DTR 24371
ISO/TC 68/SC 8
Financial services — Natural person
Secretariat: SNV
identifier (NPI) — Natural person
Voting begins on:
identifier lifecycle operation and
management
Voting terminates on:
2025-06-03
RECIPIENTS OF THIS DRAFT ARE INVITED TO SUBMIT,
WITH THEIR COMMENTS, NOTIFICATION OF ANY
RELEVANT PATENT RIGHTS OF WHICH THEY ARE AWARE
AND TO PROVIDE SUPPOR TING DOCUMENTATION.
© ISO 2025
IN ADDITION TO THEIR EVALUATION AS
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this publication may
BEING ACCEPTABLE FOR INDUSTRIAL, TECHNO
LOGICAL, COMMERCIAL AND USER PURPOSES, DRAFT
be reproduced or utilized otherwise in any form or by any means, electronic or mechanical, including photocopying, or posting on
INTERNATIONAL STANDARDS MAY ON OCCASION HAVE
the internet or an intranet, without prior written permission. Permission can be requested from either ISO at the address below
TO BE CONSIDERED IN THE LIGHT OF THEIR POTENTIAL
or ISO’s member body in the country of the requester.
TO BECOME STAN DARDS TO WHICH REFERENCE MAY BE
MADE IN NATIONAL REGULATIONS.
ISO copyright office
CP 401 • Ch. de Blandonnet 8
CH-1214 Vernier, Geneva
Phone: +41 22 749 01 11
Email: copyright@iso.org
Website: www.iso.org
Published in Switzerland Reference number
ISO/DTR 24371:2025(en) © ISO 2025
ii
ISO/DTR 24371:2025(en)
Contents Page
Foreword .vi
Introduction .vii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 8
5 NPI standard: ISO 24366 . 10
6 Overview of requirements .10
6.1 Introduction .10
6.2 Business requirements .10
6.3 Functional requirements . .11
7 Risk and risk mitigation considerations .11
7.1 General .11
7.1.1 Major types of risk .11
7.1.2 Compliance risk .11
7.1.3 Complexity risk . 12
7.1.4 IT/cybersecurity risk . 12
7.1.5 Fraud risk . 12
7.1.6 Identity management risks . 12
7.1.7 Data quality risk . 12
7.1.8 Opportunity risk . 12
7.1.9 Branding/reputation risk . 13
7.2 Scope of use and liability . 13
7.3 Risk mitigation policies . 13
7.4 Risk mitigation strategy . 13
7.4.1 General . 13
7.4.2 Identify .14
7.4.3 Protect . 15
7.4.4 Detect . 15
7.4.5 Respond . 15
7.4.6 Recover.16
8 Policy considerations . 16
8.1 Major policy considerations .16
8.1.1 General .16
8.1.2 Uniqueness .16
8.1.3 Scale .17
8.1.4 Performance .17
8.1.5 Extensibility .18
8.1.6 Interoperability .18
8.1.7 Realisation of potential benefits .18
8.2 Outline process: NPI lifecycle .18
8.3 User journey . 20
8.4 Main actors in the NPI lifecycle . 20
8.4.1 General . 20
8.4.2 Actor enrolment .21
9 Framework considerations: Entity Authentication Assurance Framework .22
9.1 General . 22
9.2 Phase 1: Enrolment . 23
9.2.1 General . 23
9.2.2 Application .24
9.2.3 Identity proofing .24
iii
ISO/DTR 24371:2025(en)
9.2.4 Evidence of identity . 25
9.2.5 Process flow . 26
9.2.6 Identity-person binding . 28
9.2.7 Biometrics . 28
9.3 Phase 2: Provisioning and issuance . 29
9.3.1 General . 29
9.3.2 Account creation . 29
9.3.3 NPI creation . 29
9.3.4 NPI issuance . 29
9.4 Phase 3: Use .
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
ISO TR/DTR 24371:2025 (E)
Style Definition
...
ISO /TC 68/SC 8/WG 7
Style Definition
...
Style Definition
...
First Edition
Style Definition
...
Secretariat: SNV
Style Definition
...
Style Definition
Date: 2025-03-0305-06 .
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Financial services — Natural person identifier (NPI) — Natural
Style Definition
...
person identifier lifecycle operation and management
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
DTR stage (Draft)
Style Definition
...
Style Definition
...
Style Definition
...
Warning for WDs and CDs
Style Definition
...
Style Definition
...
This document is not an ISO International Standard. It is distributed for review and comment. It is subject to
change without notice and may not be referred to as an International Standard.
Style Definition
...
Style Definition
...
Recipients of this draft are invited to submit, with their comments, notification of any relevant patent rights of
which they are aware and to provide supporting documentation. Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Style Definition
...
Formatted
...
Formatted
...
Formatted
...
Formatted
...
ISO #####-#:####(X)
2 © ISO #### – All rights reserved
SensiSensititivivity: Cty: C2 2 InterInternalnal
ISO TR 24371:2025 (E)
All rights reserved. Unless otherwise specified, or required in the context of its implementation, no part of this
Formatted: Indent: Left: 0 cm, Right: 0 cm, Adjust
publication may be reproduced or utilized otherwise in any form or by any means, electronic or mechanical,
space between Latin and Asian text, Adjust space
including photocopying, or posting on the internet or an intranet, without prior written permission. Permission can
between Asian text and numbers, Border: Left: (No
be requested from either ISO at the address below or ISO’s member body in the country of the requester.
border), Right: (No border)
ISO copyright office
Formatted: zzCopyright address, Indent: Left: 0 cm,
CP 401 • Ch. de Blandonnet 8
Right: 0 cm, Adjust space between Latin and Asian text,
CH-1214 Vernier, Geneva
Adjust space between Asian text and numbers, Border:
Phone: + 41 22 749 01 11
Left: (No border), Right: (No border)
Fax: + 41 22 749 09 47
EmailE-mail: copyright@iso.org
Formatted: Italian (Italy)
Website: www.iso.orgwww.iso.org
Formatted: zzCopyright address, Indent: Left: 0 cm,
First line: 0 cm, Right: 0 cm, Adjust space between Latin
Published in Switzerland
and Asian text, Adjust space between Asian text and
numbers, Border: Left: (No border), Right: (No border)
Formatted: Italian (Italy)
Formatted: German (Germany)
ISO TR 24371:2025 (E)
Contents
Foreword . xi
Introduction . xii
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms .10
5 NPI standard: ISO 24366 .13
6 Overview of requirements .14
6.1 Introduction .14
6.2 Business requirements .14
6.3 Functional requirements .14
7 Risk and risk mitigation considerations .15
7.1 General .15
7.2 Scope of use and liability .17
7.3 Risk mitigation policies .17
7.4 Risk mitigation strategy .18
8 Policy considerations.21
8.1 Major policy considerations .21
8.2 Outline process: NPI lifecycle .24
8.3 User journey .27
8.4 Main actors in the NPI lifecycle .28
9 Framework considerations: Entity Authentication Assurance Framework .31
9.1 General .31
9.2 Phase 1: Enrolment .33
9.3 Phase 2: Provisioning and issuance .40
9.4 Phase 3: Use .40
9.5 Phase 4: Management of the NPI lifecycle .43
10 NPI issuer operational considerations .44
10.1 General .44
10.2 Responsibility .44
10.3 NPI community architecture .45
10.4 Sizing and performance .45
10.5 Relying party operations .48
11 Technology considerations .48
11.1 General .48
11.2 NPI privacy preservation .49
11.3 NPI data security operations .49
11.4 Counter-fraud: Monitoring and anomaly detection .49
11.5 Cybersecurity .50
12 NPI governance .50
12.1 General .50
12.2 General governance principles .51
12.3 Evolving discussions and future directions in NPI governance .53
12.4 Inter-registry operations .53
12.5 Relying party operations .54
12.6 NPI community .54
iv © ISO 2025 – All rights reserved
ISO TR 24371:2025 (E)
12.7 Federation . 54
12.8 NPI governance structure . 55
Annex A (informative) NPI background . 57
Annex B (informative) Customer due diligence and enhanced due diligence . 59
Annex C (informative) Cybersecurity considerations . 61
Annex D (informative) Biometric considerations . 67
Annex E (informative) NPI data quality management considerations . 80
Annex F (informative) International organizations: the World Bank and the Organization
for Economic Co-operation and Development (OECD) . 82
Annex G (informative) NPI register operations: Challenges and best practices . 85
Annex H (informative) Aadhaar . 95
Annex I (informative) Use cases . 101
Annex J (informative) Business case for the NPI . 118
Annex K (informative) Overview of key documents . 122
Bibliography . 124
Foreword . ix
Introduction . x
1 Scope . 1
2 Normative references . 1
3 Terms and definitions . 1
4 Abbreviated terms . 10
5 NPI standard: ISO 24366 . 11
6 Overview of requirements . 12
6.1 Introduction . 12
6.2 Business requirements . 12
6.3 Functional requirements . 12
7 Risk and risk mitigation considerations . 13
7.1 General . 13
7.1.1 Major types of risk . 13
7.1.2 Compliance risk .
...
Questions, Comments and Discussion
Ask us and Technical Secretary will try to provide an answer. You can facilitate discussion about the standard in here.