Citi Aims to Build ID Management Business

As banks struggle to find new sources of revenue, Citigroup (NYSE:C) is starting to cash in on an area of expertise that most banks are yet to monetize: identity authorization.

In so doing, Citi, like other top banks, hopes to tap into what might become an extremely lucrative market, experts say, and one where banks are uniquely poised to deliver a valuable set of new products and services.

"We are talking about a multi-billion dollar business opportunity here," says Karen Wendel, chief operating officer of IdenTrust, a provider of digital authentication services and an organization that worked recently with Citigroup's Global Transaction Services unit in an important identity management pilot with the Department of Defense.

(IdenTrust was originally founded in the 1990s by Bank of America (BAC), Citigroup, JPMorgan Chase (JPM), and four European banks.)

Yet the opportunities with identity management are also fraught with enormous risks, experts say. Fraud committed with one bank's identity mechanism would likely be the responsibility of all the other banks too, particularly where the interlocking worlds of transactions are concerned. If a fraudulent transaction occurred between banks, there would be questions around who'd be liable. Such scenarios are particularly pronounced in the current security environment, where recent high-profile break-ins of computer systems have put the information of millions of consumer credit cards at risk.

"No one wants the liability and the banks have not figured out how to deal with that yet," says Avivah Litan, a vice president at research company Gartner Inc., of Stamford, Conn.

Still, banks are in a unique position to be identity managers because they already provide a host of identity authentication services, experts say. They are required to comply with "know your customer" laws, for example. And they also collect significant amounts of information from customers when they open accounts, as well as throughout the course of customers' transactional lives.

Citigroup has developed technology that supersedes these most basic building blocks of identity management.

(American Banker reached out to half-a-dozen of the top U.S. banks about identity authentication and management efforts, but only Citi agreed to speak.)

In late June, Citi began a program with the Department of Defense in which it issues physical access identity cards to contractors and subcontractors, including first responders to emergencies such as firemen and emergency technicians. Citi is using the IdenTrust Trust Source Infrastructure platform, which supports multiple different types of digital certificates, combined with a subordinate Citi certificate, also issued under the IdenTrust Trust Network, Wendel says.

The cards, which contractors use to access DOD facilities, are chip-enabled and perform under a standard called PIV-I, which means the federal government has endorsed them for use by non-federal employees, although the cards do not meet federal guidelines for top security clearance.

Shirley Inscoe, a senior analyst for Aite Group, says the cards could soon be equipped with a payments component.

"This could open a whole world of customers to Citi who don't need retail branches, and where Citi does not have to have a broad retail network," Inscoe says.

Citi, which declined to talk about its work on the Department of Defense project, made a representative available to talk about its other identity verification efforts, which don't entail using identity cards for physical access to buildings, as is the case with the Department of Defense project.

"Digital identity is a broad set of solutions depending on what type of application we are looking at and the type of transaction," says Sabine McIntosh, director and global head of eBAM (electronic bank account management) and identity management for Citi Transaction Services.

Citi, like every other bank, is required to verify the identities of its online banking customers under new guidelines from the Federal Financial Institutions Examination Council, which require multi-level authentication. That includes using device authentication, IP address verification, and anomaly detection.

But Citi is also experimenting with more proprietary forms of identity management, for example in its corporate treasury division, where it is allowing the multiple parties involved in corporate payments transactions to exchange digital signatures electronically to verify identities.

"The challenge on the corporate side is making sure that corporate governance is upheld across the board, and that [corporations] are in control of the accounts and who is authorized to do what," McIntosh says.

Corporate treasury processes also tend to be heavily paper-based, which often makes cash flow management between the business, the bank, and third parties paying or receiving payments from the businesses, difficult to reconcile for both the account holder and the bank.

"Typically a company needs to prove who they are, and then make sure that they can tell us who has authority on the account," McIntosh says.

While the move to digital signatures has reduced paperwork in many instances, the effectiveness of that solution is fragmented by the various policies governing use of digital signatures in different countries, as well as limits on the kinds of transactions that can be completed using them, McIntosh says.

Citi also struggles with a concept familiar to just about every company, bank or otherwise, working in the digital management space: How to give customers a range of choices in identifying themselves in electronic transactions, McIntosh says.

Maximizing consumer choice is one of the goals of National Strategy for Trusted Identities in Cyberspace, a government workgroup that aims to help provide a universal framework for businesses and consumers, allowing both parties to prove and verify identities in a digital environment. NSTIC wants private industry to drive the initiatives, and it says banks and others involved might monetize identity authorizations in a variety of ways.

For example, bank customers might get a virtual identity free of charge, but the party relying on the card or other mechanism might get charged a fee, similar to an interchange fee on credit and debit cards, by the issuing bank, says Jeremy Grant, senior executive advisor for identity management for NSTIC.

"We are trying to create something analogous to the bank card business with Visa and MasterCard," Grant says.

A universal identification mechanism — which could be card, token, smartphone or even biometrically based — might work much the same way the Visa and MasterCard cards do now, with their logos certifying that consumers can pay for products and services at merchant locations, while merchants and the banks share the risk and liability in the case of fraud.

But banks could easily squander the opportunities they have with identity management. Non-banks are already poised to develop identity management as a money maker. (In that regard, identity management resembles somewhat the current contest over the digital wallet, where entities like Google (GOOG), and the telecommunications companies, have already begun to create products and services.)

Telecommunications companies could just as easily provide identity management as an application on smartphones, Grant says.

Google and PayPal, a unit of eBay (EBAY), have already dipped their toes in the water. For the past two years, both have been certified for low-level government identity clearance, allowing users such as military veterans, to access government websites using either a Google or PayPal ID and password.

They've done this through Open Identity Exchange, or OIX, an identity authentication and standards organization, which the federal government has worked with to facilitate such low-level identity authorizations. Both Google and PayPal are members of OIX, as are Verizon (VZ), AT&T (NYSE:T) and the credit bureaus Experian (EXPGY) and Equifax (EFX).

(Neither Google nor PayPal made anyone available to comment. A representative from PayPal referred American Banker to OIX.)

Such companies, and the other information tech stalwarts like Facebook (FB), have taught the financial services world that consumer information is an extremely valuable commodity, says Don Thibeau, the chairman and at-large Director of OIX.

And the message hasn't been lost on banks, Thibeau says.

"Any bank that wants to add to its bottom line is looking how to do [identity authentication], and what the cost is of moving into this new sector," says Don Thibeau, chairman and at-large director of OIX.

Citibank agrees.

"We are in the early days of assessment, it is one of these new opportunities that we have to take through the various lengths to make sure there is a commercial business value," McIntosh says.

For reprint and licensing requests for this article, click here.
Bank technology
MORE FROM AMERICAN BANKER