Tuesday 20 November 2018

Should banks be identity providers?


The ability for citizens to use their digital identity in both public and private sector is paramount for a successful scheme.  A digital identity must become a necessary and valued commodity for the individual.  There are two sectors who can achieve this.  Government and Financial Services. 

Globally, Singapore and Estonia are two good examples of where governments have led on the creation of the scheme.  Norway and Sweden good examples of where the banks have been the catalyst.  Whether a government or bank led scheme, the identity provider being in the private sector has benefits.  Private sector identity providers drive a customer focussed scheme with a sound commercial basis.

When thinking about what makes a good identity provider, banks tick many of the boxes.  Systems underpinning our financial network may sometimes be viewed as legacy millstones.  Yet what they do well is to define the standard of trust. 

Banks may not necessarily be liked.  Though customers, consumers, government and other actors in the sector do trust them.  We know they can securely and accurately process hundreds of thousands of transactions per second.  

Other sectors battle publicly with data and security breaches.  Financial institutions quietly go about their business. Behind the scenes decades of protective monitoring, threat detection and active defence is being used to keep our money secure.  We all understand the term “bank grade security”.  Fraud continues to grow in scale and volume.  Though we know this due to the ability of banks to track it.  More often than not, fraudsters target the weak spot of the customer.


The days of the bank manager being on first name terms with each customer are a sepia-tinged memory.  Yet the process of proving a customer’s identity is stronger than ever.   Banks have migrated customers from physical branches to online and mobile interactions.  Their investment in remote identity verification has matched this shift to digital. 

To combat ever-growing threats, banks are increasingly regulated.  They need to prevent identity theft, terrorist financing and money-laundering.  Know Your Customer (KYC) obligations put identity at the core of what financial institutions do day-in, day-out.  Banks are full of clever people.  They are challenged with staying one step ahead of the bad guys.

This means that banks make ideal candidates to be an identity provider.  They have a unique combination of security, protection, trust, and performance.  Add in their customer digital experience, data management, and KYC.  They’re also part of the national infrastructure.  Surely it stands to reason that the future of identity provision will come from banks.

The challenge comes when identity and entitlement are more distinctly understood.  KYC and the required Customer Due Diligence (CDD) effectively breaks into three component parts:

  •       Who the customer is (identity)
  •       Can you do business with the customer (entitlement)
  •       Should you do business with the customer (entitlement)

For banks, a trustworthy identity is a means of establishing entitlement.  Banks operate to the same set of national regulations. Though their risk appetite and commercial imperatives drive their approach to identity.  This is much more nuanced than under a standards-based identity scheme.

Some start-up or challenger banks see their onboarding process as being a competitive advantage.  When you’re building a business converting every potential customer into an actual customer results in different priorities.  A layered approach to Anti-Money Laundering (AML) and Counter-Terrorist Financing (CTF) controls can be taken.  This enables a weaker upfront identity checks.  Checks are strengthened on demand as risk markers are triggered.

There is also the product suitability dimension.  For a pre-payment card, the risk and controls for on-boarding a customer differ greatly from an unsecured loan.  And an unsecured loan for £500 similarly differs from one for £20,000.  A mortgage could be for £2m, though the risk is less because there are land, bricks and mortar to offset against.

Then there are those customers whose bank accounts were opened with nothing more than a handshake from their friendly local bank manager.  The standard of KYC across the bank’s customer base varies depending on the process at the time that they became a customer.  It varies with the products they’ve taken since.  And with the level of interaction they’ve had as banking has transformed.

Throw in a commercial opportunity and KYC becomes even more fragmented.  For example, in the UK market there is one High Street brand that foreign nationals go to ahead of the others.  Do they have the best product?  Probably not.  What they do have is the easiest on-boarding process for new to country customers.  Five or six years ago, another High Street giant dominated service for this demographic.  Their risk appetite changed and the commercial advantage was sacrificed in exchange for tighter controls. 

When the result of identity verification impacts on your commercial performance this changes your approach. Obviously skirting on the right side of the regulatory line.

There are also the 1.5 million people in the UK who are unbanked.  How do we ensure that as well as being financially excluded, these people don’t also become identity excluded?

With so many variables at play, the idea of a “portable KYC” is challenging to the point of being improbable.  There will be impacts on being able to leverage portability that can be used across sectors.  It will increase scrutiny, tighten regulations and impose new standards on banks.  Imagine the exercise required for a bank with millions of customers to bring all those accounts up to the same standard of identity verification.

Should banks be identity providers?  Absolutely.  If they wish to.  And if they understand what impact it will have on their business.  In a mature commercial environment for identity, some banks will play a valuable role as provider.  Others will input requirements, expertise and use case demand.  And that environment will be right for everyone.

Read my other posts
Check out my other posts https://no1ba.blogspot.com

About me
Bryn Robinson-Morgan is an independent Business Consultant with interests in Identity Assurance, Agile Organisational Design and Customer Centric Architecture.  Bryn has over 20 years experience working with some of the United Kingdom's leading brands and largest organisations.

Follow Bryn on Twitter: @No1_BA


Connect with Bryn on Linked In: Bryn Robinson-Morgan