Can Banks Become Digital Identity Providers?
Although the topic of digital identity gets daily attention today in 2018, it’s hardly a new topic. In 1993, The New Yorker published what has become one of the most—if not the most—iconic cartoons about the Internet:
Despite a quarter century of technological advances that include e-commerce, social media, and the smartphone, there is still no easy way to prove online that you're not a dog, are over 18, live at a certain address, graduated from a certain school, work at a specific company, or own a specific asset.
The meteoric growth in smartphone adoption over the past 10 years outstripped any industry’s or government’s ability to address digital identity challenges. The emergence of distributed ledger technology (e.g., blockchain) promises new approaches to digital identity management, but is emerging relatively late to the game. And with the rise of the Internet of Things (IoT) comes a new reality in digital identity:
“On the Internet, no one knows you’re a refrigerator pretending to be a dog." --Dave Birch
While various "recognition" technologies--e.g., voice, face, fingerprint, iris, and vein--have emerged over the past few years, there is still no widely-accepted digital identity management scheme in the United States. Will something emerge here?
What's Going On in the Rest of the World?
Various governments around the world have launched identity initiatives including those in:
- Austria. Austria’s Citizen Card is designed to provide a secure and privacy-friendly form of identity management. Positive aspects of the approach include: 1) Comprehensive data protection law; 2) Independent data protection authority; 3) Limited data kept on the card; 4) Separation of identities by sector; and 5) Integration with 12 government services. Drawbacks, however, include concerns about the security of card readers.
- Estonia. The Estonian e-ID card includes an embedded PKI application that enables online authentication and digital signature with electronic certificates. Positive aspects of the system include: 1) Comprehensive data protection law; 2) Independent data protection authority; 3) Logging that enables auditing; and 4) Minimal data is provided to service providers. The drawback is that excessive data is held on the card.
- United Kingdom. GOV.UK Verify is an identity scheme that establishes a private sector marketplace for digital identity, with private sector organizations creating and managing digital identities on behalf of citizens. Positive aspects: 1) Comprehensive data protection law; 2) Independent data protection authority; 3) Decoupling of identity providers and service providers; 4) Minimization of data sharing; and 5) Focus on end-user experience. Drawbacks include the potential for tracking and surveillance to occur as a result of “matching data set” in all identity transactions.
Or more specifically…so what about the United States? The prospects for a digital identity scheme in the United States on par with what Austria, Estonia or the United Kingdom has done look slim for the short-term.
Today’s political climate will squelch any national identity effort, which will be seen by many (on one side of the political spectrum) as an attempt to limit immigration and identify (and remove) immigrants illegally in the United States. In addition, a government-driven identification system hardly seems to be a priority to the other side of the political spectrum).
As a result, the U.S. is destined to play catch-up with—and be impacted by—the rest of the world. European developments like GDPR impact U.S. banks and, in some cases, conflict with U.S.-based law—for example, the requirement to notify the government of a data breach within 72 hours of its discovery. According to Andy Roth, partner at law firm Cooley LLP:
“A European data subject can make requests on what data the bank has on it and can make changes and request deletion of the data. These require business practices that banks don’t have in the U.S.”
While the U.S. fiddles around with what to call the Consumer Financial Protection Bureau (the current director claims the legal name is Bureau of Consumer Financial Protection, and there’s a bill in the House to change the name to the Financial Product Safety Commission), Rome is burning—the U.S. banking system, that is. Meanwhile, digital identity issues go unaddressed.
Can Banks Be Digital ID Providers?
For all the good work going on to advance the concept of digital identity, there’s a missing component that is the main impediment to change: Trust. In his book Before Babylon, Beyond Bitcoin, Dave Birch wrote:
“Identity is changing profoundly, and money is changing equally profoundly because of the same technological change. What will link changing identities with changing money? Trust. In a world based on trust, it will be reputation rather than regulation that will animate trust in economic exchange. The ‘social graph’—the network of our social identities—will be the nexus of commerce, administration and interaction.”
Do consumers trust banks? It's debatable. But even if the answer is yes, the better question is whether or not the banks trust each other. Speaking on the prospects of using blockchain technology for digital identity management, one bank exec we talked to told us:
"Banks like Rabobank and RBS have done proof-of-concepts that address actions, consent, and decentralize commitment. But they haven’t stored the identities—that’s what needs to be solved. Blocks take time to create. The biggest barriers are liability and trust. Do banks trust each other? Can the first entity be trusted? Can we trust others to have the same stringent KYC policy that we do?"
Bank consortia don't exactly have a great track record. If you need proof, I have one word for you: ClearXchange.
US-based banks are deluding themselves into thinking they can be digital ID providers. At the recent Finovate conference, a panel discussion on digital identity moderated by Javelin Research's Al Pascual, included someone from Wells Fargo, and the Capital One executive in charge of its new digital ID service. One of my tweets from the session speaks volumes:
Al Pascual from Javelin asked a room with 60 bankers if they, as consumers, would sign up for a digital ID service from their bank
4 bankers raised their hand. #finovate
— Ron Shevlin (@rshevlin) May 10, 2018
As for my assertion that banks are deluding themselves, consider this.
Sat in on a session about digital identity at #Finovate. Guy from Wells Fargo talked about his firm’s efforts to combat the “bad guys.”
Dude, your firm created fictional accounts. You ARE the bad guys.
— Ron Shevlin (@rshevlin) May 10, 2018
Bottom line: The political situation in the United States points to a lack of trust in the government among consumers to come up with a digital identity solution, and I doubt there's enough trust between banks for them to come together. One-off efforts by banks may solve their own institution's needs, but hardly qualify as a digital identity scheme on a broader scale.
One ray of hope: credit union consortia like CU Ledger. But without a catalyst to improve the levels of trust, we’re pessimistic that much will change at the governmental or societal level in the United States regarding digital identity, leaving bank execs to fend for themselves for the next few years.
Interested in the topic of digital identity management? Check out myresearch report Digital Identity in Banking: What CEOs Need to Know About Best Practices and Future Directions which you can download here.
Director of Research