Enabling U.S. Identity Issuers

This article is part of SpruceID’s series on the future of digital identity in America. Start with the first installment here.

Digital identity in the United States is at a turning point. Wallets are maturing. Verifiers are eager for secure, privacy-preserving solutions. Policymakers are setting new guardrails. But none of this matters unless we enable the most fundamental part of the ecosystem: the issuers.

Issuers are the trusted entities that create and assign identity credentials. Without them, wallets are empty, verifiers have nothing to check, and regulators have nothing to certify. If we want practical digital identity in America, we must start by enabling issuers - clarifying their requirements, expanding their scope, and giving them the tools and certifications they need to operate with confidence.

Why Issuers Matter

Every identity transaction begins with an issuer. Today, the DMV is the workhorse of American identity. Driver’s licenses and state IDs are the primary form of government-issued identification, and DMVs are leading the rollout of mobile driver’s licenses (mDLs). In California alone, over 2 million mDLs have already been issued, with TSA now accepting them at checkpoints in over 250 airports.

But DMVs are not the whole story. Many Americans do not drive, and many others rely on different forms of foundational identity. These alternative issuers are just as critical:

• Vital records offices, which manage birth and marriage certificates—the very root of identity for most people.
• State-level Veterans Affairs departments, which issue veteran cards for millions who served.
• Municipal governments, which issue IDs for residents who may not otherwise qualify for state IDs, including immigrants and low-income communities.
• Libraries and other civic institutions, some of which have begun issuing enhanced cards that double as multi-use IDs.

If digital identity remains DMV-only, it will exclude millions. Enabling issuers means not just scaling DMVs, but empowering this broader set of agencies to participate in a trusted, interoperable ecosystem.

What Financial Institutions Want to Know

For digital identity to gain real traction in the financial system, issuers must answer the questions that banks and regulators ask every time. These questions are captured in places like the NIST NCCoE mDL FAQ, and they cut to the core of trust.

• How is identity created? What documents or checks are used to establish a person’s identity in the first place?
• How is it assigned? What processes bind the identity to an individual? Are biometrics or other unique identifiers used?
• How is it secured? What prevents tampering, duplication, or fraudulent issuance?
• How is it managed over time? What happens when an identity is updated, revoked, or expired?
• How is it used? Can the credential be presented consistently across different verifiers and jurisdictions?
• Is it compliant? Do regulators agree that accepting this credential satisfies Know Your Customer (KYC), Bank Secrecy Act (BSA), or sanctions compliance requirements?

Banks are cautious by design. Their regulatory exposure is enormous, and their tolerance for ambiguity is low. Until issuers can answer these questions consistently, and until regulators provide clear guidance that digital credentials are acceptable for compliance, financial institutions will remain hesitant.

The Compliance Lens

Compliance is the lens through which banks and other high-assurance verifiers evaluate digital identity. Two trends are sharpening this lens.

First, the Supreme Court’s ruling on age verification has increased scrutiny on how businesses verify the identity of users, especially minors. It’s no longer enough to assume an ID check is optional; regulators are beginning to demand digital verification at scale.

Second, sanctions enforcement has highlighted the national security stakes of identity. U.S. sanctions regimes are among the most effective tools in foreign policy, but they only work if businesses can reliably check identities against restricted lists. Weak or inconsistent identity systems create loopholes that adversaries can exploit.

In both cases, issuers hold the keys. If digital credentials are issued at high assurance levels, and if regulators explicitly endorse them, businesses can comply more efficiently and more effectively. If not, compliance remains risky, and adoption stalls.

Existing Foundations to Build On

The good news is that issuers don’t have to start from scratch. A robust set of standards and frameworks already exists.

• NIST SP 800-63-4: The latest update to NIST’s digital identity guidelines provides a foundation for assurance levels, proofing processes, and federation.
• mDL Final Rule: The federal rule governing mobile driver’s licenses, harmonized with international standards.
• ISO/IEC 18013-5: The global standard for mobile driver’s licenses, with an appendix for Virtual In-Car Licenses (VICAL).
• FIPS 140-2: Federal standards for cryptographic modules, ensuring that the systems behind credentials are secure.
• REAL ID: The longstanding federal framework that sets requirements for state-issued IDs.

Each of these frameworks addresses a piece of the puzzle. What’s missing is a way to bring them together into a coherent roadmap for issuers of digital identity.

The Challenges Issuers Face

Despite these foundations, issuers face significant challenges.

First, fragmentation. Each state has its own DMV, vital records office, or municipal ID program. Without federal alignment, issuers risk creating a patchwork of incompatible systems, undermining interoperability.

Second, resources. Many vital records offices and municipal agencies lack the budget and technical expertise to build digital credentialing systems. Without support, they cannot participate in the ecosystem.

Third, regulatory ambiguity. Issuers need clarity on what assurance levels are sufficient for compliance. If banks can’t accept credentials, issuers risk building systems that go unused.

Finally, trust. Public skepticism about government technology is real. People fear surveillance, lock-in, and exclusion. Issuers must not only build technically secure systems, but also demonstrate that privacy and choice are protected.

Recommendations for Enabling Issuers

To address these challenges and empower issuers, several steps are essential.

1. A New NIST Special Publication for Issuer Requirements

NIST’s SP 800-63-4 sets assurance levels for identity proofing and federation, but issuers need more detailed guidance. A new Special Publication should define requirements for issuing high-assurance digital credentials, covering processes for enrollment, cryptographic protections, lifecycle management, and revocation.

This would give DMVs, vital records offices, veterans’ agencies, and municipalities a clear benchmark to meet, while giving banks and regulators confidence that credentials are trustworthy.

2. Wallet Certification at FIDO

Wallets are the delivery mechanism for credentials. If issuers are to feel safe provisioning credentials into wallets, they must trust that wallets themselves are secure. FIDO already operates a global certification ecosystem for authenticators and passkeys. Extending this model to wallets would provide the assurance issuers need.

3. Certification Programs at Kantara and FIME

Issuers need independent certification to prove compliance with standards. Kantara, with its long history of running trust frameworks for identity providers, and FIME, which specializes in testing compliance for payment and identity systems, are natural candidates. Their programs could certify both issuers and wallets, ensuring interoperability and regulatory acceptance.

4. Governance for Cross-Jurisdictional Trust

Just as REAL ID aligned states on standards for driver’s licenses, digital identity needs a governance model for cross-jurisdictional trust. Without it, issuers will remain fragmented, and verifiers will hesitate to accept out-of-state credentials. Federal leadership, possibly through DHS or NIST, will be essential.

5. Expanding the Universe of Issuers

DMVs will remain central, but inclusivity demands more. Vital records, veterans’ agencies, municipal governments, and enhanced library card programs should all be empowered to issue digital credentials. This expansion requires not just technical tools, but funding, standards, and public education.

The Bigger Picture: Issuers and the Digital Identity Ecosystem

Issuers don’t operate in isolation. They are part of a broader ecosystem that includes holders (people carrying credentials in wallets) and verifiers (banks, employers, agencies that check them). If issuers are enabled effectively, the whole system benefits.

• For holders, it means a broader set of credentials they can carry, beyond just driver’s licenses.
• For verifiers, it means a richer set of credentials they can trust for compliance and service delivery.
• For regulators, it means more consistent oversight and assurance across states and sectors.

The ecosystem can only function if issuers are strong, standardized, and certified.

A Vision for the Future

If digital identity is the future of trust in America, issuers hold the keys. They determine the quality, inclusivity, and compliance of the system. Without them, wallets are empty and verifiers are skeptical. With them, the ecosystem flourishes.

Imagine a future where a veteran in Texas can receive a digital credential from the state Veterans Affairs department, store it in their wallet, and present it seamlessly at a VA hospital in another state. Or where a resident of New York City uses a municipal ID to open a bank account, with the bank confident that the credential meets federal compliance requirements. Or where a birth certificate issued in one state can be verified instantly by a school in another.

This vision is within reach. The technology exists. The standards are mature. The policy momentum is real. What remains is to enable issuers with the clarity, certifications, and governance they need.

The path forward is clear: define requirements, certify wallets and issuers, expand the universe of trusted issuers, and build governance for cross-jurisdictional trust. By doing so, we can create a system that is usable, secure, private, and decentralized - meeting the needs of financial institutions, regulators, and, most importantly, the people who depend on it.

Digital identity is no longer just a pilot project. It is infrastructure. And like all infrastructure, its strength depends on its foundations. Enabling issuers is the foundation on which America’s digital identity future must be built.

This article is part of SpruceID’s series on the future of digital identity in America. Read more in the series:

SpruceID Digital Identity in America Series

1. Foundations of Decentralized Identity
2. Digital Identity Policy Momentum
3. The Technology of Digital Identity
4. Privacy and User Control
5. Practical Digital Identity in America
6. Enabling U.S. Identity Issuers
7. Verifiers at the Point of Use
8. Holders and the User Experience

About SpruceID: SpruceID builds digital trust infrastructure for government. We help states and cities modernize identity, security, and service delivery — from digital wallets and SSO to fraud prevention and workflow optimization. Our standards-based technology and public-sector expertise ensure every project advances a more secure, interoperable, and citizen-centric digital future.