March 27, 2016

The Future of Digital Identity Is Up to Banks

The Future of Digital Identity Is Up to Banks

By Bryan Yurcan for The American Banker

It's been more than 20 years since the first e-commerce site appeared, yet today we still use the same username, password and security question combinations to log in online.

Human resources departments are still filled with paper files of photocopied passports and Social Security cards. And, just like more than half a century ago, someone going to a bar still has to show a stranger a driver's license full of personally identifiable information (name, address, date of birth) to prove he's old enough to drink.

In many ways, managing identities in this digital age is antiquated. At best, it's inefficient, as consumers and businesses constantly re-enter the same information to access any number of services. At worst, it's dangerous, as the many high-profile data breaches of the past several years show.

What if that same customer didn't need to show the bartender a document containing his home address, but instead took out a mobile phone and displayed a one-time numerical or QR code? When scanned, this code, known as a cryptographic token, would confirm that the person is over the legal drinking age, perhaps flashing a photo of the person on the bartender's device.

What if a consumer could log on to any website not by giving a username and password or by answering personal questions, but by granting that site limited access to some data? This data could be stored in a personal cloud or with a trusted provider that securely holds the consumer's digital identity.

This vision may seem very far off, but many different parties are working – often together – to solve the tricky problem of identity in a digital world. Some of them are even banks.

"There's a lot more happening in this space than most people realize," said Gary McAlum, chief security officer at USAA in San Antonio. "The world of user IDs, passwords and security answers is a failed model. It's not a matter of if, but when, that changes."

For banks, a single, federated digital identity would bring several benefits. It would be much easier for banks to know who they were dealing with if they could get quick access to a token or digital certificate that established the person's identity. As it stands, regulators are increasingly requiring banks to do greater due diligence on their customers in an effort to screen for money laundering. The pressures of keeping up with these high expectations means increased cost to banks, both in terms of money spent and internal resources dedicated to this task.

Another benefit would be greater security. If personal information weren't passed around like a casserole plate, criminals would have fewer opportunities to hack into customers' accounts. Banks spend time and money investigating fraud cases, and usually reimburse customers who have been victimized.

USAA is one of several financial institutions worldwide exploring the concept of digital identity. It is partnering with a government agency on a project that would involve allowing USAA's 10.7 million members (mostly military personnel and their families) to authenticate themselves using the same username and password as for online banking. The $70 billion-asset company said it could not give the agency's name.

In Canada, a broader effort is underway with the SecureKey initiative launched in 2012. In this model, banks manage their customers' digital identities for government websites. Tangerine Bank, Bank of Montreal, TD Bank and Scotiabank are all part of the program. The U.K. government also launched an identity verification platform last year with Barclays as one of the partners.

These are just small steps toward the universal federated identity model that technologists and privacy advocates pine for. But executives at several banks said that such a model is going to be the norm eventually and that banks are well positioned to serve as the trusted digital identity provider.

That's because people generally trust banks to keep their private information secure.

"This has to be a mutual-trust model for it to work," McAlum said. "The consumer has to trust the institution that is managing the digital identity."

Chad Ballard, director of mobility and new digital business technologies at BBVA Compass, agreed.

"There's not really a ubiquitous solution out there today" on managing digital identity, he said. "To get there, you'd have to address consumers' concerns about fraud and security. Outside of perhaps a government agency, consumers are used to banks playing that role of secure, trusted adviser."

Like USAA, BBVA Compass in Birmingham, Ala., has been trying out some new tactics in this area. Last year the U.S. unit of the Spanish banking giant BBVA began offering a service with the startup Dwolla that allows bank customers to send and receive real-time payments. The partnership uses a jointly developed authentication and tokenization process called FiSync that spares BBVA account holders from having to provide sensitive bank account information or credentials to Dwolla or any other party.

The learning curve is short.

"It's an easy thing to get customers to use, because all we're asking them to do is authenticate with their bank," Ballard said. "It's something they do every day; we're not asking them to do anything nonstandard or create a separate identity that they are not used to."

Ballard said the way BBVA's initiative with Dwolla works is a significant departure from how other payments platforms like Apple Pay, Stripe or PayPal operate. Although users of those services do not need to hand their payment credentials to every random merchant they buy from – an improvement on the traditional credit card model – they still have to share the data with the payment provider. FiSync removes that step. Only BBVA needs to be entrusted with the sensitive data.

The approach looks especially prudent in light of the Consumer Financial Protection Bureau's March order against Dwolla for misrepresenting its data security practices from 2010 through 2014. BBVA, which partnered with Dwolla after the period covered by the order, said it considers the startup's security practices "sound." But even if they weren't, BBVA customers who use FiSync wouldn't need to trust Dwolla to keep their data safe anyway.

Dave Birch, a London-based financial technology consultant and the author of the 2014 book "Identity Is the New Money," agrees that this is a natural line of business for banks to enter.

"Identity is so central to the future online world, and I want my identity managed by a regulated institution," he said. "If they lose my identity or give it away, then I expect them to do something about it. I would rather have a bank manage my identity than Facebook."

But the day when consumers have a universal digital identity is still far off, Birch said. And that's only partly because of the technological and practical considerations of which party will manage it; the biggest hurdle is the mindset of the general population.

"The complex issue to overcome is the social aspect of this. People have got a very rooted notion of identity and translating that into the digital space will be difficult," Birch said. "We'll have to construct a more digital notion of identity, where different attributes are used in different circumstances." Some websites might need to know your age but not your location, some vice versa, some neither.

This also would require people to think differently about what a bank is, shifting from "a place where you store your money to a place where you store your identity," Birch said.

Moreover, the notion of having all one's data stored in one place, no matter how well guarded or partitioned, may well spook some consumers who are already leery after a string of headlines about data breaches and government snooping.

And rightly so, said Françoise Gilbert, an attorney at Greenberg Traurig who specializes in data privacy and security. A digital identity is vulnerable to such problems as hacking, social engineering, and even basic errors, regardless of where that identity might be stored, she said. "I love the digital world, but errors happen just as frequently as in the paper world, and because they touch databases, the errors can be multiplied by 10,000 or 10 million."


And not everyone believes banks – or any third party for that matter – should be in the business of managing a consumer's digital identity. It should be the consumers themselves, argues James Varga, chief executive of miiCard, a startup in Edinburgh, Scotland.

"It has to start with the consumer; you own and manage the controls, and you take it with you wherever you go," Varga said. "And you can revoke access to that information as well."

MiiCard acts as a "digital passport" of sorts, wherein consumers apply online and miiCard verifies their identity and their assets, and issues them a miiCard with a unique number. They can then use it to log on to participating websites, which include marketplace lending platforms, digital currency exchanges and e-commerce sites. (A similar model is used by OneLogin, based in San Francisco.)

Varga said he came up with the idea in 2011 after reflecting on the "faulty" identity-management systems online that require people to share more information than is necessary just to prove who they are.

Even Varga agrees that using banks is an ideal way to authenticate identity, which is why miiCard does so by accessing data from the user's bank, using their online banking credentials. Moreover, miiCard regularly checks the user's connection to the bank account and makes sure that there is activity on the account to ensure the identity can be relied upon. If a user changes banks, or even changes the information used to access the bank account, the miiCard becomes invalid, and the user needs to reconnect using a new account or update the login credentials.

But, as useful as banks might be for validating someone's identity, Varga sees potential problems with having a bank as the owner of that identity. For one thing, there is no guarantee of cooperation between banks. So, would a consumer who has a digital identity stored with a bank be able to use it to get a mortgage from a different institution? Or as Varga put it, "Would I be able to log in to Bank of America with a Chase identity?"

This is why Varga believes a consumer-owned identity, which can travel anywhere, is better.

"When I go into a pub, I shouldn't have to show a driver's license. They don't need to see all that information," Varga said. "You should be able to walk into a pub, show them just the information they need, and then if you wish walk across the street into a mortgage office and give them whatever information they need."

John Light, a cryptocurrency consultant, shares Varga's belief that individuals should own their digital identity.

"The entity that data represents should own the data in question, unless they explicitly relinquish ownership to a third party when given a real choice to do so," Light said. "Most private data should be visible and accessible only to its owner, and where that data is hosted is largely irrelevant" if the data is encrypted from end to end (meaning whether it is in storage or in transit).

That's why he sees no special advantage for financial institutions as identity keepers. "Banks could certainly get into the cloud storage business if they want to," Light said. "The question is whether that's a logical move for them or not."

Varga said a new way of managing a digital identity will emerge soon, in part because having dozens of different logins is "impractical," but also because so many parties are working on this issue.

"It's the missing piece of the puzzle since the dawn of time in the world of the Internet," he said.

Even if banks don't hold the consumer's digital identity, a model where consumers have a verifiable digital identity is still valuable because it would be a big help to financial institutions for compliance and security functions, said Andrew Sloper, product lead in JPMorgan Chase's digital department.

"To be able to have a greater degree of digital assurance is extremely valuable," he said. "It would enable us to better meet clients' individual needs, benefit with things like compliance, and make applying for new products and services easier."


Regardless of who ultimately manages the digital identity, most agree it has to be a collaborative process.

"There would have to be universal standards and protocols," said USAA's McAlum. "We could create a digital identity here for our customers, but if they can't use it anywhere else, it's not very useful."

Achieving that goal would take cooperation among financial institutions, governments, technology startups and other parties, said Nick Williamson, co-founder of Credits.Vision, a technology startup based in London. And he believes this cooperation is starting to jell.

"We're working with a lot of different large organizations that are getting on board with this project," Williamson said.

Williamson's firm is one of several tech companies that are adapting the blockchain – the distributed-ledger technology behind the digital currency bitcoin – to solve the problems of mainstream financial institutions. Put simply, a blockchain allows entities that are independent of one another to rely on the same shared, secure, auditable source of information. In bitcoin, the information being shared is digital currency balances – but the potential applications go well beyond that.

"It's possible the blockchain could end up being the single, secure token element to certify the authenticity of everything," said BBVA's Ballard.

Credits.Vision is working on creating a blockchain that would connect other blockchains, both private ones being tested by banks and public ones like bitcoin's. One function of this chain-of-chains would be as a "golden record for identity." A person could upload their personal details (in encrypted form) once, whether with a bank, passport office, or telecom provider and the identity could then be used in any other context.

The company bills this as a solution to long-standing challenge for banks: know-your-customer compliance. The process of vetting customers' identities has long been unwieldy for banks, and many industry players have been trying to solve the problem of authenticating customer information.

"For many organizations, and especially banks, identity is such a big pain point," Williamson said. "So much of their operational costs go to combatting identity fraud." But the authentication process might not be so painful with a fraudproof set of identities available on a super-blockchain like the one proposed by Credits.

Aside from standards and interoperability, some believe that the change most needed to drive mainstream adoption is government policy.

"Governments and regulators will have to become just as comfortable accepting a cryptographic signature as proof of identity as they seemingly are with using personal trivia, JPEGs that look like ID documents, and nine-digit numbers as proofs of identity," said Light, the bitcoin consultant. "We'll probably see cryptographic identity technology take off first in areas that don't require permission from regulators. These are areas where proof of identity is important but the requester of proof has more flexibility in what kinds of proofs they are willing and able to accept."

Light said replacing passwords with a single login is probably the easiest to achieve, before moving on to areas like academic credentialing, marketplaces and possibly person-to-person lending – all areas where identity and reputation are important, but are largely unregulated in how identity is handled.

"Highly regulated activities like banking will probably be the last to adopt this kind of tech as a wholesale replacement for legacy identity verification methods," he said.

But BBVA, at least, is encouraged by the response so far to its digital identity pilot project.

"Customers are reacting positively," Ballard said, without providing any figures. "The solution has made us think more broadly" about similar opportunities.

Digital identity as a service "isn't just a future consideration for us. It's something we're working on now," Ballard said.