Canadian banks will use blockchain technology to manage consumers’ digital identities.
The banks bought into the idea of managing digital identities for consumers five years ago. Initially they focused on authentication: letting customers maintain one username and password for multiple websites, mainly bank and government sites. The Concierge system, managed by SecureKey, was a way to simplify customers’ lives. The system stores 7 million Canadian consumers’ credentials currently with 250,000 added each month.
On Monday morning, the banks, which include Bank of Montreal, Canadian Imperial Bank of Commerce, Desjardins Group, Royal Bank of Canada, Scotiabank and TD Bank, along with IBM and SecureKey, announced they would build on the progress by making it a fuller identity solution running on IBM’s blockchain.
When the technology pieces are all in place, customers will be able to use an app to verify their identity to anyone, from an Airbnb owner to a bouncer at a bar, in such a way that the service provider sees only what it needs to see and all other personal information is private.
The companies are piloting the technology now and plan an official launch later this year. It’s a model from which U.S. banks could learn. While few, beyond U.S. Bank and BBVA Compass, have expressed much interest in managing their customers’ identities, the Canadian banks say they believe offering this service could be critical to survival in the fast-moving world of digital commerce and eventually a source of revenue.
“Increasingly the payment is the afterthought of the commerce transaction,” said Chuck Hounsell, senior vice president of payments at TD Bank. The bank providing the card or account the money is being drawn from is invisible.
“If we can add value by being part of more transactions or purchases, we’ll be able to be there to lend our payment capabilities to that transaction as well,” Hounsell said. “It will enhance our overall relationship with the customer.”
And over time, the banks in the program expect to receive revenue from other participants, say, telecommunications companies or landlords, who use their digital identity service to verify customers.
For the technology base of the expanded digital identity program, SecureKey chose IBM's blockchain-as-a-service offering, which is built on the Linux Foundation's open source Hyperledger Fabric v1.0. It’s a permissioned blockchain meant to provide privacy, security and the ability to put the consumer in control of their identity information. It also comes with a price of up to $10,000 per month for the banks running the service, depending on the volume of digital identity requests. For developers, it’s free.
Greg Wolfond, founder and CEO of SecureKey Technologies, said the company looked at digital identity models around the world and realized it didn’t want to have a broker-in-the-middle model.
“We didn’t want to have a piece of hardware or software in the middle where customers’ private data is running through,” he said. Hackers and snoopers would try to break into such a system. “We didn’t want to create honeypots of data where all the data went to one place,” Wolfond said. That would obviously be alluring to cybercriminals.
Another important consideration was how to share only the information the requester really needs. For instance, a landlord might not need the customer’s actual credit score, only the fact that it’s over 700.
“Right now I would argue a driver’s license shares too much,” Wolfond said. “A girl goes to a bar, and she has to share her name, address and weight with the bouncer. That’s crazy. All he needs to know is that she’s over 21. How to make this work electronically we couldn’t solve well until we saw it on Hyperledger.”
The consumer registers for the identity program at a bank using the bank’s normal routines related to Know Your Customer compliance. Through a mobile app the bank provides, customers choose which types of data they want to share with which types of providers.
“Then we’ll share it for you, but only with your explicit consent every time,” Wolfond said.
To commit account takeover, a fraudster would have to have the user’s online banking username and the SIM card from his phone, which would be invalid if the phone was reported lost or stolen.
SecureKey and IBM hope to take this offering global.