Thursday, 20 December 2018

The inevitability of digital identity

This time of year is a great opportunity to reflect.  Not only on what we’ve achieved in our work life, but also on what we’ve done with our family time.  I am lucky to live in a small village on the outskirts of one of the greenest cities, Sheffield.  I enjoy, after a hard week at work, being able to leave my front door and step into the beautiful Moss Valley.  Whether it’s a stroll across the open fields, a trek through the ancient woodland, or meandering through the budding plantations.  Wandering aimlessly is a fantastic way to clear my mind, relieve the stresses of the working week, and get in some exercise.

And having expended plenty of energy, next is coming home to cook some fresh local produce.  As much as I enjoy cooking, what really motivates me is my love of eating good food.  Knowing that a bunch of fresh ingredients have been used to create a meal makes eating it all the more pleasurable.

One of the other things I enjoy is watching movies.  I recently watched “28 Days Later”.  As with any good zombie movie, the plot follows a simple formula.  An infection causes people to be turned into the walking dead. The infection is spread by an ever-growing army of these zombies; biting and scratching the remaining humans to enlist them.  Large pockets of resistance eventually becoming small guerrilla groups, fighting for the survival of the human race.  Each being picked off, one by one, as they search for safe refuge.

Watching these zombies wandering aimlessly, eating the things that they found along the way, and even indulging in other activities that I’ll leave to your own imagination.  Then seeing the bunch of surviving humans, panic stricken, hiding, fighting for their lives.  And of course, along the way the humans would be picked off by the zombies.  Their last days being spent in fear, suffering and pain.  This made me think.  If being turned into a zombie meant I could indulge in my favourite pastimes without needing to worry about work, would I fight or should I just submit to the inevitable?

So, back on the topic of work.  Digital Identity.  This week, Facebook are again in the news.  Allowing companies access to their users’ private messages, with the ability to read and even delete being granted contrary to their typical privacy rules.  Facebook relied upon the trust of the organisations with whom they had a commercial relationship not to do anything bad.  And whilst the intention of doing so may have been to create better user experiences, the lack of transparency is worrying.

In the UK, since 2016, landlords have had to confirm the “right to rent” of their tenants.  This involves ensuring tenants have the requisite immigration status.  With the risk of fines, the increased costs of checking, landlords are unsurprisingly resorting to the path of least resistance.  Those who hold a current British passport are fairly easily checked.  For those who don’t, being white and having an English accent provides another easy route.  The result of this is discrimination based on ethnicity and social status, leaving many people unable to access an already competitive market.

Technology for authentication and identification of users continues to evolve.  Artificial intelligence and machine learning are playing an increasingly important role.  Yet gender and racial bias are a known problem.  My paragraph above about the rental market may have just contributed to this bias.  Landlord?  Does that mean only men own property?  (this is the term used on the Government’s website by the way).  As the machines scour the internet for data, this becomes a logical conclusion based on the information available.  Whilst we need to embrace technology, we also need to recognise the bias and ensure that we don’t create discrimination.  Making a great experience for one group at the expense of another isn’t a sensible endeavour.

Digital identity can be a tool for good.  It can put data back in the control of the individual to whom it belongs.  It can ensure that transparency and consent are performed to the spirit of data protection, not just to the letter.  It can enable anyone to assert their credentials without undue friction and effort.  It has the ability to drive cost savings, efficiencies, and personalisation in user experiences.

In the next decade, how we identify ourselves today will change.  We’ll be more connected than ever before.  We’ll interact with more important, valuable, sensitive and trusted services through digital means than we do today.  Online and physical channels will homogenise because users will demand that they do; they will stop interacting with those that don’t.  Globalisation will remove national borders in the digital market, driving a need for standards and interoperability.  Physical identity documents will become increasingly expensive, insecure and inconvenient.  Identity theft and fraud will be incredibly sophisticated.  Digital means of identity will be prevalent.

It is inevitable that how we prove who we are will change.  Sitting back and waiting for the privacy trampling, exclusive, opaque, leaky solution to emerge may be the path of least resistance.  Though do we really want to be a zombie? 

Looking forward to 2019, I’ll continue accelerating the adoption of good digital identities that deliver on the benefits outlined above.  It may be painful, I may suffer a few blows along the way, though with a bit of luck I won’t be one of those picked off.  Next December, I hope to be writing about the new world.  Where good digital identity is making life better for society as a whole.  And maybe, next year’s festive theme won’t be about zombies.  Instead it will be something more fitting.  Like radioactive sheep.

Merry Christmas and a prosperous New Year to all. 


About me
Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture.  Bryn has over 20 years’ experience working with some of the United Kingdom's leading brands and largest organisations.

Follow Bryn on Twitter: @No1_BA

Connect with Bryn on LinkedIn: Bryn Robinson-Morgan

Tuesday, 20 November 2018

Should banks be identity providers?

The ability for citizens to use their digital identity in both public and private sector is paramount for a successful scheme.  A digital identity must become a necessary and valued commodity for the individual.  There are two sectors who can achieve this.  Government and Financial Services. 

Globally, Singapore and Estonia are two good examples of where governments have led on the creation of the scheme.  Norway and Sweden are good examples of where the banks have been the catalyst.  Whether a government or bank led scheme, the identity provider being in the private sector has benefits.  Private sector identity providers drive a customer focussed scheme with a sound commercial basis.

When thinking about what makes a good identity provider, banks tick many of the boxes.  Systems underpinning our financial network may sometimes be viewed as legacy millstones.  Yet what they do well is to define the standard of trust. 

Banks may not necessarily be liked.  Though customers, consumers, government and other actors in the sector do trust them.  We know they can securely and accurately process hundreds of thousands of transactions per second.  

Other sectors battle publicly with data and security breaches.  Financial institutions quietly go about their business.  Behind the scenes, decades of protective monitoring, threat detection and active defence are being used to keep our money secure.  We all understand the term “bank grade security”.  Fraud continues to grow in scale and volume.  Though we know this due to the ability of banks to track it.  More often than not, fraudsters target the weak spot of the customer.

The days of the bank manager being on first name terms with each customer are a sepia-tinged memory.  Yet the process of proving a customer’s identity is stronger than ever.   Banks have migrated customers from physical branches to online and mobile interactions.  Their investment in remote identity verification has matched this shift to digital. 

To combat ever-growing threats, banks are increasingly regulated.  They need to prevent identity theft, terrorist financing and money-laundering.  Know Your Customer (KYC) obligations put identity at the core of what financial institutions do day-in, day-out.  Banks are full of clever people.  They are challenged with staying one step ahead of the bad guys.

This means that banks make ideal candidates to be an identity provider.  They have a unique combination of security, protection, trust, and performance.  Add in their customer digital experience, data management, and KYC.  They’re also part of the national infrastructure.  Surely it stands to reason that the future of identity provision will come from banks.

The challenge comes when identity and entitlement are more distinctly understood.  KYC and the required Customer Due Diligence (CDD) effectively break into three component parts:

  • Who the customer is (identity)
  • Can you do business with the customer (entitlement)
  • Should you do business with the customer (entitlement)

For banks, a trustworthy identity is a means of establishing entitlement.  Banks operate to the same set of national regulations. Though their risk appetite and commercial imperatives drive their approach to identity.  This is much more nuanced than under a standards-based identity scheme.

Some start-up or challenger banks see their onboarding process as being a competitive advantage.  When you’re building a business, converting every potential customer into an actual customer results in different priorities.  A layered approach to Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) controls can be taken.  This enables weaker upfront identity checks.  Checks are strengthened on demand as risk markers are triggered.

There is also the product suitability dimension.  For a pre-payment card, the risk and controls for on-boarding a customer differ greatly from an unsecured loan.  And an unsecured loan for £500 similarly differs from one for £20,000.  A mortgage could be for £2m, though the risk is less because there are land, bricks and mortar to offset against.

Then there are those customers whose bank accounts were opened with nothing more than a handshake from their friendly local bank manager.  The standard of KYC across the bank’s customer base varies depending on the process at the time that they became a customer.  It varies with the products they’ve taken since.  And with the level of interaction they’ve had as banking has transformed.

Throw in a commercial opportunity and KYC becomes even more fragmented.  For example, in the UK market there is one High Street brand that foreign nationals go to ahead of the others.  Do they have the best product?  Probably not.  What they do have is the easiest on-boarding process for new to country customers.  Five or six years ago, another High Street giant dominated service for this demographic.  Their risk appetite changed and the commercial advantage was sacrificed in exchange for tighter controls. 

When the result of identity verification impacts on your commercial performance, this changes your approach.  Obviously skirting on the right side of the regulatory line.

There are also the 1.5 million people in the UK who are unbanked.  How do we ensure that as well as being financially excluded, these people don’t also become identity excluded?

With so many variables at play, the idea of a “portable KYC” is challenging to the point of being improbable.  There will be impacts on being able to leverage portability that can be used across sectors.  It will increase scrutiny, tighten regulations and impose new standards on banks.  Imagine the exercise required for a bank with millions of customers to bring all those accounts up to the same standard of identity verification.

Should banks be identity providers?  Absolutely.  If they wish to.  And if they understand what impact it will have on their business.  In a mature commercial environment for identity, some banks will play a valuable role as provider.  Others will input requirements, expertise and use case demand.  And that environment will be right for everyone.
