v1.0.2

Status of this Document

This section describes the status of this document at the time of its publication. Other documents may supersede this document.

This is a living OCI Document developed by OCI Members with input from relevant interested parties. It is anticipated that the contents of this document will be reviewed and updated to address any applicable feedback. A list of current public OCI Documents, including Conformance Criteria, can be found in OCI's GitHub repositories.

This document lays out OCI’s expectations of ecosystem participants and conformance auditors with respect to OCI Conformance Criteria.

Purpose

OCI sets Conformance Criteria for participant groups within the OCI ecosystem. This Conformance Program lays out the framework for OCI’s monitoring of participants’ adherence to these criteria.

This Program sets OCI’s expectations of ecosystem participants and conformance auditors, the scope of OCI’s involvement in the conformance audit process as well as expectations about audit outcome and processes in reaction to possible audit results.

Operationally, OCI’s goal is to achieve service reliability and true interoperability among service providers. Overall, this Conformance Program is intended to provide assurance to industry users within the wider OCI ecosystem that, by participating in this ecosystem, they will be in compliance with the letter and intent of the DSCSA and applicable FDA requirements.

General Terms and Abbreviations

Good standing: An organization in good standing is regarded as having complied with all of its explicit legal obligations and as being financially sound, while not being subject to any form of sanction, suspension or disciplinary censure. A business entity that is in good standing has unabated powers to conduct its activities, which can include business endeavors.

Compliance monitoring

OCI Participants

The following OCI Participants SHALL provide self-attestation using the latest applicable version of the OCI-provided template that they are in compliance with the respective published Conformance Criteria:

OCI Service Providers

The following OCI Service Providers SHALL undergo a formal third-party audit to assert their compliance with the respective published Conformance Criteria:

Further, where self-attestation is deemed a more useful proof of compliance for certain individual conformance requirements of OCI Service Providers undergoing formal third-party audit, these service providers SHALL also provide self-attestations in the applicable format (refer to Test of Controls).

Once an OCI Service Provider is approved as a result of a successful audit and self-attestation (as applicable), they are considered a valid OCI Service Provider until one of the following events triggers another audit (re-audit) and/or self-attestation:

The OCI Steering Committee SHALL agree on a suitable specification release process with the OCI Service Providers to allow for realistic deadlines to compliance. This process SHOULD include considerations regarding audit requirements, time to audit, and any other necessary arrangements. Where these considerations allow for a grace period between the trigger of a new audit or self-attestation and the execution of those, the affected OCI Service Providers SHALL continue to be considered as valid OCI Service Providers for that period.

Scope of formal audit

Credential Issuers

The formal audit SHALL address all compliance criteria in the OCI Credential Issuer Conformance Criteria as it relates to the specific Credential Type(s) the Credential Issuer offers. The OCI Credential Issuer Conformance Criteria document can be found at the following public location: OCI GitHub - Credential Issuer Conformance Criteria.

Digital Wallet Providers

The formal audit of a Digital Wallet provider SHALL address all compliance criteria as set out in the published OCI Digital Wallet Conformance Criteria document found at the following public location: OCI GitHub - Digital Wallet Conformance Criteria.

Since the nature of the various conformance criteria differs, auditors SHOULD distinguish between Test of Details and Test of Controls as applicable to individual criteria or groups of criteria.

To the extent that OCI conformance criteria are already covered by another audit, auditors MAY rely on audit work performed by other trustworthy entities to avoid duplication of work, for example in the context of a SOC 2 or ISO audit.

Test of Details

OCI defines Test of Details as any audit method that assesses factual evidence of whether the required conformance criteria have been met as stated.

This is a direct testing approach and may involve methods such as sampling, reperformance, or analytical review.

Test of Controls

OCI defines Test of Controls as any audit method that assesses whether operational controls and practices put in place by the auditee are sufficiently documented, functional and adhered to as intended by systems and staff of the auditee.

This is an indirect testing approach based on the assumption that adequate controls lead to compliance with stated conformance criteria. Test of Controls may involve methods such as enquiry, inspection of documentation, or observation of the auditee’s staff. Test of Controls methods SHOULD be applied by the auditor in cases where Test of Details is deemed neither feasible nor informative.

Where the auditor applies a Test of Controls approach, Service Providers are required to produce audit-independent self-attestation reports or statements publicly available to the OCI ecosystem demonstrating their performance. OCI SHALL maintain a public repository for such documentation. It is then the responsibility of OCI members and service users to assess whether such performance is acceptable for continued collaboration.

The auditor SHALL apply the Test of Controls approach to the following specific conformance criteria.
Digital Wallet Conformance Criteria:

Data handling by auditor

The auditee SHALL make available, and auditors SHALL inspect, as much sensitive or confidential data as is needed for the auditor to reach a reliable conclusion. Such data, or information about the data, SHALL be shared securely and only between auditor and auditee. Auditors SHALL retain only as much sensitive or confidential data as is needed for completion of the audit and for potential re-use or reference in future audits.

Audit outcome

Auditor conclusion

The auditor SHALL express the overall audit conclusion in the form of a written and signed audit opinion or certificate issued to the auditee stating the auditee’s compliance or failure to comply with the applicable published OCI Conformance Criteria.

The auditor SHOULD highlight to the auditee any suggestions for improvement and other professional feedback in separate communication.

Process after successful audit result

Publication of audit outcome

As soon as the auditee has successfully passed the audit, they SHALL inform the OCI Steering Committee and make a copy of the auditor’s conclusion document publicly available, either on their own website or another online repository, or by submitting it to the OCI Steering Committee. Regardless of the means by which the auditee submits the information, OCI will publish all auditors’ conclusions in a single OCI-managed repository. Where a link to an external location is provided, the auditee agrees to allow OCI to hyperlink to that online location from the OCI repository. The auditee SHALL alert the OCI Steering Committee in a timely manner if the link needs to be changed.

The auditor SHOULD also publish limited audit results, such as the signed audit opinion or certificate, on their public website. It is assumed that the auditor agrees to allow OCI to hyperlink to that online location from the applicable OCI registry or repository.

OCI SHALL update the applicable public registry of trusted service providers to add or update the successful auditee’s details.

Validity period

The auditor’s conclusion SHALL be valid starting on the signing date of the conclusion until one of the triggering events stated earlier or the end of an agreed grace period following the triggering event (refer to Compliance Monitoring).

Process after audit failure following a re-audit

Notification of OCI

In the case of a re-audit, the auditee SHALL submit a copy of the auditor’s conclusion of failure to the OCI Steering Committee on the day of receiving the final audit report, or on the following day if the report is received outside the auditee’s business hours.

The OCI Steering Committee SHALL inform all other valid OCI Service Providers of the auditee’s negative audit conclusion.

OCI SHALL update the applicable public registry of trusted valid Service Providers to remove the auditee’s details at the appropriate date if listed.

Notification of service users

The auditee SHOULD inform their customers of the negative re-audit outcome in a timely manner.

Trusted service provider registries

OCI SHALL maintain up-to-date registries listing valid Service Providers that have passed the compliance audit, referred to as Trusted Service Providers.

Any listed valid OCI Service Provider who does not make a copy of the latest positive auditor’s conclusion available to OCI will be removed from the registry. They will be added back to the registry upon submission of the positive audit conclusion.

Service Providers that have failed to prove their compliance with OCI Conformance Criteria in the audit will not be added to the applicable registry or, if already listed, will be removed from it.

OCI MAY take up to five (5) business days to add a new Trusted Service Provider to the respective registry and to update the status of an already listed Service Provider in the respective registry if required.

The registries can be found at the following public locations:

Trusted Digital Wallet Provider registry Coming soon
Trusted Credential Issuer registry Coming soon

Auditor assessment

Service Providers who require a third-party audit to assert OCI conformance MAY choose an audit firm themselves, as long as the firm meets the set of minimum acceptance criteria detailed below.

The Service Provider SHALL prove to OCI that they have performed the required due diligence for auditor selection by submitting evidence to the OCI Steering Committee using the respective signed form provided by OCI.

Auditor acceptance criteria

OCI defines the minimum acceptance criteria for audit firms as follows.
The audit firm SHALL:

The audit firm SHOULD:

The audit firm MAY:

Auditor inspection

The OCI Steering Committee MAY inspect the auditor at any time, for example by assessing audit practices or reputational standing. Since the Service Provider is the audit firm’s customer, the auditee SHALL make the auditor aware of OCI’s request for an inspection where direct contact with the auditor is required, and SHALL facilitate that contact.

Self-Attestation

Self-attestation refers to representations made by the Service Provider in reference to the relevant OCI Conformance Criteria as a whole or selected requirements therein. Such representations SHALL be signed by the Service Provider’s senior management and provided to the OCI Steering Committee for publication, either as a stand-alone document or as a statement of permission for OCI to hyperlink to the service provider’s own public storage location. Where OCI prescribes a template for such representations, the latest published version at the time of signing SHALL be used by the Service Provider.

At any time the OCI Steering Committee MAY challenge any Service Provider on the claims made. The Service Provider SHALL then address the points of concern raised by the OCI Steering Committee in a form and timeframe appropriate to the situation and as agreed with the OCI Steering Committee.

Audited service providers

Where self-attestation is permissible or required as additional evidence on top of a third-party audit (refer to Test of Controls), the Service Provider SHALL make the necessary documentation available to OCI.

VRS providers

VRS providers SHALL self-attest that they are in compliance with all requirements within the OCI VRS Providers Conformance Criteria.