Can a BBVA spinoff crack the digital ID code?
Governments, banks and startups have been trying for years to solve the problems associated with identifying people in a digital world. The challenges are only getting harder thanks to identity thieves, data breaches that have exposed the personal information of hundreds of millions of consumers, and the fact that some folks want to avoid having to register face-to-face.
The latest entrant, a recent BBVA spinoff called Covault, is a bit different.
Its app lets consumers store their digital identity documents, passwords and (potentially) digital currency in a secure cloud, and then share pieces of that information with others as they see fit. It runs on iOS, Android and Windows phones and is unlocked with a combination of fingerprint and device ID (with support for facial recognition on the iPhone X). The company was nurtured in BBVA’s fintech-focused New Digital Business unit in Silicon Valley.
“The thinking is, a digital identity should be like real-life identities are today,” said Louie Gasparini, CEO of Covault. “You have your identity in your purse or wallet, you can pull it out and show it to somebody. Shouldn’t a digital identity be something the consumer can hold, own and control themselves, and share privately and selectively?” Until recently, Gasparini was an entrepreneur in residence at BBVA’s digital business unit.
The app could also be used by banks to sign up customers quickly or to become providers of digital identity services.
There’s always a chicken-and-egg situation with digital identities: If they’re not widely accepted them, then people won’t use them, and if not that many people use them, few establishments will go to the trouble of accepting them.
In an effort to break that impasse, Covault developed an app consumers could use right off the bat. They can scan and store their drivers’ licenses, passports, AAA cards, marriage licenses, insurance and health care cards, tax records and credit cards and then share those documents with others by emailing a link that expires within, say, 24 hours. They can store their website passwords and digital currency keys. The keys to the sensitive data are held in a secure element or a trusted enclave in the consumer’s phone.
“We created this secure locker in the sky,” Gasparini said. “You and only you have the keys, and you can share with others in such a way that it’s private between you and them. The service is blind.” There’s also a know-your-customer process built in, including a check of the Office of Foreign Assets Control’s sanctions list.
Gasparini considered and rejected the idea of using a blockchain for this. There were just too many considerations: Public or private blockchain? Which type of blockchain technology?
“Everybody’s got to agree to use the blockchain,” he said. “And when you get down to details, all the work is really off-chain, such as KYC and verification. This was designed originally for blockchain, so we’re keeping an eye on it, and as standards emerge or it makes sense or there’s a reason to pick one, it would be very simple to work with a blockchain.”
Ultimately, consumers should be able to prove their creditworthiness or identity directly to a lender using Covault, Gasparini said, without having to go through a third party. They could share identity and payroll documents and so forth.
Is now the time?
In 2008, Wells Fargo launched a virtual safe deposit box called vSafe that was, similarly, a place where consumers could store important documents online. Four years later, the bank shut it down due to lack of interest.
A few things are different for Covault today. For one thing, it’s a mobile app.
“With mobile apps, stronger authentication and encryption on your device, people can now securely and privately store and share sensitive documents and information,” said Jose Fernandez Da Ponte, head of business development and new ventures for BBVA's New Digital Business unit. “With Covault you can also store and share your verified digital identity for streamlined identification and on-boarding.”
And there’s the identity element, which Wells Fargo did not have.
“Covault’s goal is to put the identity owner back in control of their information,” Da Ponte said. “Covault empowers the user to take control of their identity just like they do with their wallet today. The identity owner can show their identity without having the issuer directly involved in the transaction — the issuer is blind to its usage.”
And the password management component also makes it more useful. Covault could also be used to store bitcoin, expanding its relevance to cryptocurrency devotees.
There are still hurdles for any digital identity service.
“While I feel there is so much to do in the identity space, becoming a standard that banks, financial technology providers, and consumers will adhere to will be very difficult,” noted Brad Leimer, managing director and head of fintech strategy at Explorer Advisory and Capital. “There are many companies working in this growing space, but the solutions are all based on similar technologies that have to be vetted against one another. Many financial institutions are holding on to existing identity technologies for KYC and [anti-money-laundering] because that's what they know, that's what has worked in the past.”
Leimer, who until recently was North American head of innovation at Santander Bank, said he likes the way BBVA has partnered with a team that makes consumers the custodian of their own identities.
“My primary question is, will consumers trust Covault to secure their documents, their very identity?” he said. “I have my doubts — until they become a standard accepted for multiple use cases across credit and payments. Identity is so much more than financial services, and until regulators co-develop those standards, I fear the industry will continue to fall back on existing platforms, like credit bureaus, state-driven government data repositories and industry-shared data.”
Covault’s first client is the online notary service Notarycam. Banks could be next.
David Birch, global ambassador at Consult Hyperion, has been using a similar product from Barclays for a couple of years and likes it.
“It’s actually pretty convenient to have everything from bank statements to copies of the kids’ Social Security cards all in one place,” Birch said. “Is it going to set the world on fire? Not really, but if it’s marketed right it could add to customer stickiness.”
And on the identity side, banks that partner with Covault could develop faster, safer processes for customer sign-ups and establish a new role as providers of verified identities, Da Ponte said.
“Banks have a right to play and are trusted by consumers in this space, as it has been already proven in the Nordic countries,” he said. “We believe the same case will be made for other markets, in the U.S. and internationally.”
Banks that want to take this path will have to do a really good job of confirming the identities of their customers, said Al Pascual, senior vice president of research and head of fraud and security at Javelin Strategy & Research.
“A bank that fails here could expose relying parties to unnecessary risk and potentially create reputational and financial problems for the bank,” Pascual said. “Banks do this better than most other types of organizations, but not all banks are equally adept at assessing the identities of their new customers. But if there was ever a time for better ways of identifying consumers online, that would be now. And banks are in a prime position to create and deliver digital solutions, leveraging their position of trust, technical capabilities, and knowledge of their customers to reduce the risk of fraud for digital businesses that need to better know who is signing up for a service or making an online purchase.”
Editor at Large Penny Crosman welcomes feedback at firstname.lastname@example.org.