EXCLUSIVE – GovTech shares how Singapore developed its first corporate digital identity for businesses to transact with the Government

In September 2016, the Singapore Government launched CorpPass, a corporate digital identity to facilitate businesses and other entities, such as non-profit organisations and associations, to transact with Government agencies online.

Managed by the Government Technology Agency (GovTech) and developed in consultation with industry partners and pilot users, CorpPass marks the first time that the Government is rolling out a corporate digital identity. Today, CorpPass is a one-stop portal to log in to more than 130 digital services managed by over 50 Government agencies.

Recently, OpenGov had the privilege to speak to the GovTech team about the CorpPass project.

Mr Fong Kok Khuan, Deputy Director, GDS Product Management and two of his managers, Mr Poon Shou Xin and Ms Elita Lawalata, shared with OpenGov their journey for developing and improving the CorpPass system, as well as their efforts in engaging government agencies and the business community.

Birth of the idea

“The concept of CorpPass arose from the fact that the use of individuals’ SingPass for corporate transactions resulted in concerns over data privacy,” said Mr Fong.

Before CorpPass, businesses transacted with the government using multiple digital identities, such as SingPass and EASY[1] (e-Services Authorisation System). This meant that people were using their personal SingPass accounts to transact on behalf of a company.

The Singapore Government received feedback from the business community that the use of SingPass for corporate transactions raises privacy concerns, and that businesses have to constantly handle multiple login IDs.

Mr Fong highlighted the privacy concerns in using SingPass for corporate transactions: “Sometimes for the sake of convenience, the individuals will have to pass his or her personal credentials to colleagues, for corporate transactions with the Government to be completed in his or her absence.”

When a person uses SingPass to transact for a business, government agencies do not necessarily know which company the person is representing. While some government agencies require users to declare which businesses they are representing, agencies do not know for certain whether the person is authorised to carry out such transactions.

In the case of SingPass, an organisation may be requested to authorise a person to carry out transactions with government agencies on behalf of the organisation. Then supporting documents may have to be submitted to prove that the person is from that organisation.

If the authorised person leaves the organisation, the authorisation with various government agencies would have to be updated. If the organisation loses track of its list of authorised personnel and forgets to update the authorisation, this would pose a potential security loophole due to the organisation’s oversight.

Then a fundamental question arises: is it correct to carry out a business transaction with one’s personal credentials? If the answer is no, then there is a recognised need for a clear separation between what is personal and what is for work, similar to how our work and personal email accounts are for very different purposes.

According to the team, this idea that business transactions should be separated from personal accounts forms the first principle of CorpPass.

The second principle behind CorpPass is for the public to see the Singapore Government as ‘One Government’.

Mr Poon Shou Xin, Manager, GDS Product Management at GovTech (Credit: GovTech)

CorpPass as a whole-of-government initiative

According to Mr Fong, there was early recognition that the CorpPass system is far more than just an IT project – it is a massive change management effort encompassing the entirety of the Singapore Government, as well as local businesses and other entities.

The project team works very closely across government agencies, to smoothen the transition process for both government agencies and businesses, helping them ease into the new system.

After developing the concept of CorpPass, the team at GovTech started engaging government agencies, which would be using CorpPass as a corporate digital identity.

Mr Poon Shou Xin, Manager, GDS Product Management is responsible for liaising with government agencies, to support them in adopting CorpPass as an authentication mechanism. He shared the process of engaging stakeholders within the Government and the considerations GovTech had to deal with.

Although all government agencies have been supportive of the CorpPass initiative, the process of prioritising functions, harmonising requirements and developing a common portal is a challenging task.

“CorpPass is a whole-of-government initiative involving all agencies. It is a massive effort to bring all agencies together and detail down each agency’s requirements,” said Mr Poon.

“With SingPass, each agency has their own specific systems that cater to specific requirements. One of the first steps GovTech took was to list down all these requirements of the different agencies, identify the key ones, and offer them as part of CorpPass,” Mr Poon shared.

The intent of the CorpPass portal is to provide a one-stop shop for all businesses to administer their access to different government agencies and services. As such, it has to be a portal with functions to create users and grant them access to different government agencies.

Mr Poon said that the prioritisation conducted through many workshops helped to identify the “must-haves” and the “good-to-haves”.

“In the process, there were many challenges and spirited debates, but it was a great learning process to help us understand where agencies are coming from and build better relationships,” Mr Poon recalled.

Ms Elita Lawalata, Manager, GDS Product Management at GovTech (Credit: GovTech)

Engaging public users from the business community

At the same time, the CorpPass team also engages the users of CorpPass portal – the business community.

Helping businesses in their transition to the CorpPass project is a key concern for Ms Elita Lawalata, Manager, GDS Product Management. Requirements received from agencies are validated through focus group discussions with business representatives.

“To engage external stakeholders such as businesses, the CorpPass project team works with agencies to communicate to their customer base. Materials such as the user guides and frequently asked questions (FAQ) were also developed to address common queries raised by businesses, made available on the CorpPass website,” Ms Lawalata shared.

Public briefings are conducted every month which agencies help to publicise. The CorpPass Business Centre is also open for appointments for companies that need extra assistance.

According to Ms Lawalata, the CorpPass team at GovTech uses a data-driven approach to segment businesses into different sizes and types, so as to facilitate their on-boarding process and transition to CorpPass.

Design of CorpPass

The next step is the transition of the technical interface. After prioritising the functionality of the CorpPass portal, agencies then have to offer CorpPass login for government-to-business (G2B) transactions, in a move to cease SingPass and other login methods for corporate transactions.

While SingPass identifies users by their username or NRIC number, CorpPass users need to provide the company’s Unique Entity Number (UEN) to indicate the company they are representing in a transaction.

Other than authentication, CorpPass is also an authorisation platform which enables businesses to manage their access to government services. The agency admin module is designed to be flexible to allow agencies to define types of roles.

Businesses can appoint up to two CorpPass Administrators (Admin) to create and manage user accounts for the staff. Given this important responsibility, a CorpPass Admin should be of a certain level of seniority within the company.

In order to cater for companies of different sizes and structures, CorpPass allows for some flexibility in the eligibility of being a CorpPass Admin – if a company director wishes to be appointed as a CorpPass Admin, no further approval is required; an employee who is not a director needs the company director’s approval to take the CorpPass Admin position.

Based on user feedback that only 2 Admins might not be enough for larger businesses with more complex structures, CorpPass allows companies to create sub-Admin roles. The only difference between the two roles is that CorpPass sub-Admins cannot create other Admin user accounts for the company.

Mr Fong Kok Khuan, Deputy Director, GDS Product Management (Credit: GovTech)

CorpPass as an ongoing learning journey: Key takeaways

Inclusive design

As a whole-of-government initiative, can CorpPass cater to specific requirements of a handful of agencies? Some of these agencies might have a large user base, others might have fewer users but could be making significant financial contributions. Then there are others, where neither the size of the user base nor dollar considerations provide an appropriate parameter to quantify importance.

Similarly, on the user side, there are complex businesses that have a hierarchy of parent companies and subsidiaries. There are organisations with one UEN but having autonomously operating divisions, with their own HR and finance. Then there are corporate service providers and tax agents who transact on behalf of their clients.

As CorpPass is meant to be a system that serves everyone, it must have configurations that cater to complexity.

“We must not neglect users who might be small in number, but complex in nature,” Mr Fong emphasised.

Such minority users also include foreigners who are not SingPass users.

The project governance structure played an important role in dealing with these challenges.

“The governance structure of CorpPass was set up early in the process, helmed by senior decision-makers in the Government to make decisions that are less clear-cut,” Mr Fong shared.

Stakeholder engagement

Ms Lawalata emphasised the importance of public engagement and feedback gathering, for example through the ongoing monthly public briefing, the CorpPass Business Centre, and trade or industry associations.

Ms Lawalata shared examples of how public feedback helped to improve CorpPass, allowing the system to better accommodate organisations of different sizes and needs.

“Initially, there was no limit on the number of Sub-Admin accounts in CorpPass. However, due to concern of misuse and potential security risks, the maximum number of CorpPass Sub-Admin was capped at 10,” she said.

“Later, some large organisations such as hospitals and universities gave feedback that the quota of 10 is inadequate for the organisation to perform necessary transactions. As such, the cap has been revised again to 25.”

For organisations that request more than 25 Sub-Admin roles in CorpPass, their request must be justified based on their actual registration number and needs.

Another piece of feedback is that companies want to segregate responsibilities between sub-Admins. For example, Finance sub-Admins should only be allowed to transact finance-related matters on behalf of the company. This has led CorpPass to introduce the assignment profile for companies to restrict and assign functionalities based on their needs and operations.
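
The delegation rules described under “Design of CorpPass” and in the feedback above (two Admins, director approval, the sub-Admin cap of 25, assignment profiles) can be read as a small access-control model. The Python below is an added example, not GovTech's or CorpPass's code; the class and method names, the rule that a scoped sub-Admin can only delegate within its own assignment profile, and the removal step are assumptions made for illustration.

```python
from dataclasses import dataclass, field

MAX_ADMINS, MAX_SUB_ADMINS = 2, 25   # limits quoted in the article

@dataclass
class Entity:                                     # hypothetical model, not a CorpPass API
    uen: str                                      # Unique Entity Number
    directors: set
    roles: dict = field(default_factory=dict)     # user_id -> role
    profiles: dict = field(default_factory=dict)  # user_id -> services (None = all)

    def _count(self, role):
        return list(self.roles.values()).count(role)

    def appoint_admin(self, user_id, approved_by=None):
        # A director needs no further approval; other staff need a director's.
        if user_id not in self.directors and approved_by not in self.directors:
            raise PermissionError("director approval required")
        if self._count("admin") >= MAX_ADMINS:
            raise PermissionError("admin limit reached")
        self.roles[user_id], self.profiles[user_id] = "admin", None

    def create_account(self, actor, user_id, role, services=None, approved_by=None):
        actor_role = self.roles.get(actor)
        if actor_role not in ("admin", "sub_admin"):
            raise PermissionError("actor cannot manage accounts")
        if role == "admin":
            if actor_role != "admin":
                raise PermissionError("sub-admins cannot create admin accounts")
            return self.appoint_admin(user_id, approved_by)
        if role not in ("sub_admin", "user"):
            raise PermissionError("unknown role")
        if role == "sub_admin" and self._count("sub_admin") >= MAX_SUB_ADMINS:
            raise PermissionError("sub-admin cap reached")
        # Assumption: a scoped sub-admin can only delegate within its own profile.
        scope = self.profiles[actor]
        if scope is not None and (services is None or not set(services) <= scope):
            raise PermissionError("grant exceeds actor's assignment profile")
        self.roles[user_id] = role
        self.profiles[user_id] = None if services is None else set(services)

    def may_transact(self, user_id, service):
        scope = self.profiles.get(user_id, set())  # unknown user: empty scope
        return scope is None or service in scope

    def remove(self, user_id):
        # Assumption: one central removal when staff leave ends all their access.
        self.roles.pop(user_id, None)
        self.profiles.pop(user_id, None)
```

Every check fails closed: an unknown user has an empty scope, and a sub-Admin holding only a finance profile cannot hand out access it does not hold itself.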

Constant improvements

GovTech introduced CorpPass progressively, through 4 major waves. The sequence for agencies and services to come on-board was designed to be in line with their business cycles.

The whole process of 4 major waves took close to 2 years to complete. Every 3 to 4 months, a number of agencies offered their services via CorpPass. All this while, in order not to disrupt business transactions, the option to use SingPass remains open, giving businesses time to register and get used to the new CorpPass system.

During the 4 waves of roll-out of CorpPass, the team has been constantly taking feedback from the business users, as well as the agencies to improve the system in subsequent stages.

Government agencies that came onboard early also shared issues that they encountered in the transition to CorpPass. The team then took those as learning points to smoothen the transition for government agencies that followed in subsequent waves.

Moving forward

“As the CorpPass system has been launched and improved through several iterations, the current version is already very usable and user-friendly,” Mr Fong said.

Mr Poon shared that one of the focus areas for CorpPass this year is to ensure that the Inland Revenue Authority of Singapore (IRAS) onboards the CorpPass system smoothly and according to the schedule, given its importance and unique requirements. It is expected to join by Q3 2018.

Mr Fong said that the development of CorpPass cannot be viewed in isolation under the country’s whole-of-government Smart Nation plan led by the Smart Nation and Digital Government Office (SNDGO) under the Prime Minister’s Office (PMO) of Singapore.

Mr Fong shared that in the Government’s Smart Nation initiatives, priority is given to projects that are citizen-centric, i.e. have the most and widest impact on citizens who are end-users, for example, SingPass.

The wide adoption of SingPass has laid a good foundation for subsequent Smart Nation initiatives such as the National Digital ID Project and CorpPass.

“As Singapore advances its Smart Nation plans, we are likely to see more integration between these projects over the next few years that improves the provision of public services, to both citizens and businesses,” Mr Fong predicted.

In the on-going journey, the CorpPass team will continue to be open to feedback and adhere to the data-driven approach, which has served it well in working with business users, government agencies and policy-makers.

[1] EASY is an online digital service authorisation system currently used by some agencies including the Inland Revenue Authority of Singapore (IRAS), JTC Corporation and the Immigration Checkpoints Authority of Singapore.