EXCLUSIVE – GovTech shares how Singapore developed its first corporate digital identity for businesses to transact with the Government
In September 2016, the Singapore Government launched CorpPass, a corporate digital identity to facilitate businesses and other entities, such as non-profit organisation and associations, to transact with Government agencies online.
Managed by the Government Technology Agency (GovTech) and developed in consultation with industry partners and pilot users, CorpPass marks the first time that the Government is rolling out a corporate digital identity. Today, CorpPass is a one-stop portal to log in to more than 130 digital services managed by over 50 Government agencies.
Recently, OpenGov had the privilege to speak to the GovTech team about the CorpPass project.
Mr Fong Kok Khuan, Deputy Director, GDS Product Management and two of his managers Mr Poon Shou Xin and Ms Elita Lawalata shared with OpenGov their journey for developing and improving the CorpPass system, as well as their efforts in engaging government agencies and the business community.
Birth of the idea
“The concept of CorpPass arose from the fact that the use of individuals’ SingPass for corporate transactions resulted in concerns over data privacy,” said Mr Fong.
Before CorpPass, businesses transacted with the government using multiple digital identities, such as SingPass and EASY (e-Services Authorisation System). This meant that people were using their personal SingPass accounts to transact on behalf of a company.
The Singapore Government received feedback from the business community that the use of SingPass for corporate transactions raises privacy concerns, and that businesses have to constantly handle multiple login IDs.
Mr Fong highlighted the privacy concerns in using SingPass for corporate transactions, “Sometimes for the sake of convenience, the individuals will have to pass his or her personal credentials to colleagues, for corporate transactions with the Government to be completed in his or her absence.”
When a person uses SingPass to transact for a business, government agencies do not necessarily know which company the person is representing. While some government agencies require users to declare which businesses they are representing, agencies do not know for certain whether the person is authorised to carry out such transactions.
In the case of SingPass, an organisation may be requested to authorise a person to carry out transactions with government agencies on behalf of the organisation. Then supporting documents may have to submitted to prove that the person is from that organisation.
If the authorised person leaves the organisation, the authorisation with various government agencies would have to updated. If the organisation loses track of its list of authorised personnel and forgets to update the authorisation, this would pose a potential security loophole due to the organisation’s oversight.
Then a fundamental question arises: is it correct to carry out a business transaction with one’s personal credentials? If the answer is no, then there is a recognition for a clear separation between what is personal and what is for work, similar to how our work and personal email accounts are for very different purposes.
According to the team, this idea that business transactions should be separated from personal accounts forms the first principle of CorpPass.
The second principle behind CorpPass is for the public to see the Singapore Government as ‘One Government’.
CorpPass as a whole-of-government initiative
According to Mr Fong, there was early recognition that the CorpPass system is far more than just an IT project – it is a massive change management effort encompassing the entirety of the Singapore Government, as well as local businesses and other entities.
The project team works very closely across government agencies, to smoothen the transition process for both government agencies and businesses, helping them ease into the new system.
After developing the concept of CorpPass, the team at GovTech started engaging government agencies, which would be using CorpPass as a corporate digital identity.
Mr Poon Shou Xin, Manager, GDS Product Management is responsible for liaising with government agencies, to support them in adopting CorpPass as an authentication mechanism. He shared the process of engaging stakeholders within the Government and the considerations GovTech had to deal with.
Although all government agencies have been supportive of the CorpPass initiative, the process of prioritising functions, harmonising requirements and developing a common portal is a challenging task.
“CorpPass is a whole-of-government initiative involving all agencies. It is a massive effort to bring all agencies together and detail down each agency’s requirements,” said Mr Poon.
“With SingPass, each agency has their own specific systems that cater to specific requirements. One of the first steps GovTech took was to list down all these requirements of the different agencies, identify the key ones, and offer them as part of CorpPass,” Mr Poon shared.
The intent of the CorpPass portal is to provide a one-stop shop for all businesses to administer their access to different government agencies and services. As such, it has to be a portal with functions to create users and grant them access to different government agencies.
Mr Poon said that the prioritisation conducted through many workshops helped to identify the “must-haves” and the “good-to-haves”.
“In the process, there were many challenges and spirited debates, but it was a great learning process to help us understand where agencies are coming from and build better relationships,” Mr Poon recalled.
Engaging public users from the business community
At the same time, the CorpPass team also engages the users of CorpPass portal – the business community.
Helping businesses in their transition to the CorpPass project is a key concern for Ms Elita Lawalata, Manager, GDS Product Management. Requirements received from agencies are validated through focus group discussions with business representatives.
“To engage external stakeholders such as businesses, the CorpPass project team works with agencies to communicate to their customer base. Materials such as the user guides and frequently asked questions (FAQ) were also developed to address common queries raised by businesses, made available on the CorpPass website,” Ms Lawalata shared.
Public briefings are conducted every month which agencies help to publicise. The CorpPass Business Centre is also open for appointments for companies that need extra assistance.
According to Ms Lawalata, the CorpPass team at GovTech uses a data-driven approach to segment businesses into different sizes and types, so as to facilitate their on-boarding process and transition to CorpPass.
Design of CorpPass
The next step is the transition of technical interface. After prioritising the functionality of the CorpPass portal, agencies then have to offer CorpPass login for government-to-business (G2B) transactions, in a move to cease SingPass and other login methods for corporate transactions.
While SingPass identifies users by their username or NRIC number, CorpPass users need to provide the company’s Unique Entity Number (UEN) to indicate the company they are representing, for a transaction.
Other than authentication, CorpPass is also an authorisation platform which enables businesses to manage their access to government services. The agency admin module is designed to be flexible to allow agencies to define types of roles.
Businesses can appoint up to two CorpPass Administrators (Admin) to create and manage user accounts for the staff. Given this important responsibility, a CorpPass Admin should be of a certain level of seniority within the company.
In order to cater for companies of different sizes and structures, CorpPass allows for some flexibility in the eligibility of being a CorpPass Admin - if a company director wishes to be appointed as a CorpPass Admin, no further approval is required; for other employees to take the CorpPass Admin position, he/she will need the company director’s approval.
Based on user feedback that only 2 Admins might not be enough for larger businesses with more complex structure, CorpPass allows companies to create sub-Admin roles. The only difference between the two roles is that CorpPass sub-Admins cannot create other Admin user accounts for the company.
CorpPass as an ongoing learning journey: Key takeaways
As a whole-of-government initiative, can CorpPass cater to specific requirements of a handful of agencies? Some of these agencies might have a large user base, others might have fewer users but could be making significant financial contributions. Then there are others, where neither the size of the user base nor dollar considerations provide an appropriate parameter to quantify importance.
Similarly, on the user side, there are complex businesses that have a hierarchy of parent companies and subsidiaries. There are organisations with one UEN but having autonomously operating divisions, with their own HR and finance. Then there are corporate service providers and tax agents who transact on behalf of their clients.
As CorpPass is meant to be a system that serves everyone, it must have configurations that cater to complexity.
“We must not neglect users who might be small in number, but complex in nature,” Mr Fong emphasised.
Such minority users also include foreigners who are not SingPass users.
The project governance structure played an important role in dealing with these challenges.
“The governance structure of CorpPass was set up early in the process, helmed by senior decision-makers in the Government to make decisions that are less clear-cut,” Mr Fong shared.
Ms Lawalata emphasised the importance of public engagement and feedback gathering, for example through the ongoing monthly public briefing, the CorpPass Business Centre, and trade or industry associations.
Ms Lawalata shared examples of how public feedback helped to improve CorpPass, allowing the system to better accommodate organisations of different sizes and needs.
“Initially, there was no limit on the number of Sub-Admin accounts in CorpPass. However, due to concern of misuse and potential security risks, the maximum number of CorpPass Sub-Admin was capped at 10,” she said.
“Later, some large organisations such as hospitals and universities gave feedback that the quota of 10 is inadequate for the organisation to perform necessary transactions. As such, the cap has been revised again to 25.”
For organisations that request for more than 25 Sub-Admin roles in CorpPass, their request must be justified based on their actual registration number and needs.
Another feedback is that companies want to segregate responsibilities between sub-Admins. For example, Finance sub-Admins should only be allowed to transact finance-related matters on behalf of the company. This has led CorpPass to introduce the assignment profile for companies to restrict and assign functionalities based on their needs and operations.
GovTech introduced CorpPass progressively, through 4 major waves. The sequence for agencies and services to come on-board was designed to be in line with their business cycles.
The whole process of 4 major waves took close to 2 years to complete. Every 3 to 4 months, a number of agencies offered their services via CorpPass. All this while, in order not to disrupt business transactions, the option to use SingPass remains open, giving businesses time to register and get used to the new CorpPass system.
During the 4 waves of roll-out of CorpPass, the team has been constantly taking feedback from the business users, as well as the agencies to improve the system in subsequent stages.
Government agencies that came onboard early also shared issues that they encountered in the transition to CorpPass. The team then took those as learning points to smoothen the transition for government agencies that followed in subsequent waves.
“As the CorpPass system has been launched and improved through several iterations, the current version is already very usable and user-friendly,” Mr Fong said.
Mr Poon shared that one of the focus areas for CorpPass this year is to ensure that the Inland Revenue Authority of Singapore (IRAS) onboards the CorpPass system smoothly and according to the schedule, given its importance and unique requirements. It is expected to join by Q3 2018.
Mr Fong said that the development of CorpPass cannot be viewed in isolation under the country’s whole-of-government Smart Nation plan led by the Smart Nation and Digital Government Office (SNDGO) under the Prime Minister’s Office (PMO) of Singapore.
Mr Fong shared that in the Government’s Smart Nation initiatives, priority is given to projects that are citizen-centric i.e. have the most and widest impact on citizens who are end-users, for example, the SingPass.
The wide adoption of SingPass has laid good foundation for subsequent Smart Nation initiatives such as the National Digital ID Project and the CorpPass.
“As Singapore advances its Smart Nation plans, we are likely to see more integration between these projects over the next few years that improves the provision of public services, to both citizens and businesses,” Mr Fong predicted.
In the on-going journey, the CorpPass team will continue to be open to feedback and adhere to the data-driven approach, which has served it well in working with business users, government agencies and policy-makers.
 EASY is an online digital service authorisation system currently used by some agencies including the Inland Revenue Authority of Singapore (IRAS), JTC Corporation and the Immigration Checkpoints Authority of Singapore.