Consortium's 'Fast' Move Aims To Solve E-Commerce Riddle

A banking industry interest group is getting ready to tackle one of the persisting perplexities of electronic commerce.

The Financial Services Technology Consortium, a mostly big-bank group that in recent years helped educate the industry about emerging on-line trends and business opportunities, wants to explore ways for banks to be "trust brokers" on the Internet.

Noting the considerable confusion surrounding digital certificates -- a method of authenticating buyers and sellers that is gaining acceptance in some parts of cyberspace -- the consortium is launching a research project that could help bankers make sense of the problems and perhaps seize control of a nascent market by vouching for the legitimacy of their customers.

The project, currently in its "call for participation" stage, is called Fast, an acronym for Financial Agent Secure Transaction.

The immediate aim is to study market needs and assess options through next April or May. Consortium leaders hesitate to say what would happen in the ensuing Phase Two because they do not want to jump to conclusions. Nor do they want to send the wrong messages to a market already crowded with competing digital certificate products and concepts.

"We are not trying to reinvent all the pieces that are out there, or (create) a whole new thing," said Parker Foley, a consortium executive committee member who is also vice president of electronic commerce at First Union Corp. in Charlotte, N.C. "We want to find a way to use what is in place, and where there may be blanks, fill them in."

"We want to take a hard look at what is out there, and see if we really have something here," Mr. Foley, representing the Fast steering committee, said in an interview.

"We do know that we have a problem," he added.

The initial committee membership suggests that they have struck a valid chord. It includes Adam Backenroth, the consortium's president and vice president of emerging technologies at Chase Manhattan Corp.; the group's principal organizer and chairman, Daniel Schutzer of Citigroup; acting project director Michael Versace of the Federal Reserve Bank of Boston; and Gary Grippo, a Treasury Department official known for pushing the envelope of electronic commerce capabilities and related security measures.

Mr. Backenroth said he has made contact in recent weeks with other organizations to stress the inclusive and complementary nature of Fast. These include Identrus, a multinational group of banks assembling a digital certificate infrastructure for business-to-business commerce; the National Automated Clearing House Association, which has been testing interoperability of certification systems; ABAecom, the digital trust spinoff of the American Bankers Association; and the Banking Industry Technology Secretariat, the division of the Financial Services Roundtable with which the consortium has a strategic relationship.

"We feel this needs to move," Mr. Backenroth said. "We have Canadian and U.S. banks interested."

The proposed Phase One budget of $150,000 would require 15 participants at the requested $10,000 each. The official start date is Nov. 1, but it might not happen if there is less than $100,000 in hand, and Mr. Backenroth acknowledged that he has a marketing challenge.

Though the Financial Services Technology Consortium, known as FSTC, has made at least one major splash in its six years -- the development of an Internet equivalent of the check, known as E-check -- its profile has been low of late.

In March it hired Debbie O'Dell as executive director, and she has set Fast and a few other potentially attention-grabbing projects in motion. They are in such areas as XML, the widely adopted eXtensible Markup Language for e-commerce, and automated teller machine connections to the Internet. In each case, the FSTC perceives a need to harness technology for industrywide benefit, perhaps through some degree of standardization, before an explosion of variations becomes counterproductive.

Formerly of the Department of Energy's Oak Ridge National Laboratory, Ms. O'Dell, who is based in Knoxville, Tenn., managed FSTC's Bank Internet Payments System project from 1996 to 1998. Mr. Backenroth said "BIPS" was a prime example of FSTC's contribution in "telling banks that the Internet is coming," albeit ahead of many senior bankers' thinking.

Mr. Backenroth, Ms. O'Dell, and like-minded others say Fast is strategically critical and timely, and they are hoping that with the priority chief executive officers are assigning to e-commerce, enough dollars will flow their way for the necessary flags -- cautionary or affirmative -- to be raised.

Because Fast is an "abstract concept," Ms. O'Dell said, "we have identified a need to come together for a short period, to work at understanding the issues, to better articulate the problem . . . We will produce a report with findings, and if there is a need to continue with projects or implementations, then we can decide to continue."

The American Bankers Association is supportive, and in fact is hosting the next project meeting, said Anne Livingston, associate director of electronic commerce policy.

"What is valuable about this effort is that it involves people actually involved" in system implementations, she said. "They are trying to step back and ask, 'What has been done? What is missing here? Who are the right people to have around the table?' These things won't work right unless everybody is at the table." She said one missing constituency in digital certificate discussions has been retailers.

Consortium documentation states the obvious: that it is difficult if not impossible for parties unknown to each other to ascertain and validate each other's identities electronically. One sure, universal solution would be for all entities to subscribe to the same certificate authority, the body issuing and managing the digital credentials exchanged in transactions. But even if that were practical, it would defeat the free choice and competition that are hallmarks of the wide-open Internet.

FSTC hypothesizes that banks could take advantage of all they know about their customers to create a framework -- call it Fast -- for exchanging and validating authentication data among themselves.

"This framework will not compete with existing authentication models," said a paper the consortium is circulating, "but rather provide an alternative authentication path when a common or interoperable system does not exist, or when additional verification attributes and functionality are required to securely complete a transaction."

An FSTC conference last week in San Antonio included a panel discussion that illustrated the rapid evolution of, and wide array of choices in, digital certificates and related public key infrastructure, or PKI, systems.

Steve Lloyd, senior consultant with the digital certificate leader Entrust Technologies Inc., and Jay Simmons, senior vice president of Certco Inc., which was a key organizer of Identrus, generally defended conventional PKIs and digital signatures based on the X.509 standard. But they allowed that there is room for alternatives, and Janelle Edgar, director of business development for Diversinet Inc. of Toronto, described its nonstandard approach designed for wireless communication devices with limited computing capacity.

Also on the panel was Lynn Wheeler of First Data Corp., who devised a controversial alternative to certificate authorities called AADS, for account authority digital signature. The concept, which has gained enough momentum to be proposed as X9.59 in the American National Standards Institute framework, revolves around financial institutions' relying on account records to certify customers' validity.

Mr. Wheeler says his system is privacy-friendly, in that it minimizes the amount of personal information flowing over open networks. And he leans heavily toward the elliptic curve method of cryptography -- also embraced by Diversinet -- as more efficient and easily processed than the more standard codes with longer encryption keys associated with RSA Security Inc.

Mr. Wheeler's definition of account authority is obviously compatible with the way the Fast proposal envisions banks as trust brokers. He said AADS with XML is ideally suited for Fast certificates. "Let's do this directly as a banking service," the computer scientist said.

"Lynn Wheeler seems to have figured this all out already," Mr. Backenroth joked. But the Chase Manhattan technologist conceded that AADS has efficiency and business-compatibility advantages that many bankers will find intriguing.

"AADS needs an umbrella to get going, and Fast could be synergistic," he said.

Mr. Foley, who as much as any bank officer has been wrestling with security technologies such as cryptography and authentication tokens and even smart cards, said Fast is "the most interesting project in my three and a half years with FSTC."

"PKI and other models will work, but they are not widespread today," Mr. Foley said. "If you are in a closed-loop model like credit cards, or like Identrus in business-to-business, you don't have a problem."

FSTC is looking for a way to authenticate any transaction at any time, regardless of the underlying certification method, and even when there may be a gap in the chain of certificate technology.

"All entities have a bank underneath, which will know the person, his age, how much money he has, and these can be confirmed to the other side" without divulging private information, Mr. Foley said. "Conversely, the consumer will want to know if a merchant is real, and the merchant will have a bank behind it."

Somewhere in these exchanges of data and assurances and customer attributes, Mr. Foley and others are convinced, there is money to be made by banks as trust brokers. But they suspect a party such as FSTC will have to lay some groundwork or set some ground rules.

"With Fast, we want to spend a little time to scope this out," he said, "and then we'll decide what to do next."

For reprint and licensing requests for this article, click here.
MORE FROM AMERICAN BANKER