Capital One Financial is trying to turn the expense of thoroughly vetting bank customers into a moneymaker with new digital identity products.
In so doing, Capital One is one of the first in the U.S. to test if businesses will pay banks to check users’ identities, and if consumers will sign into websites through their banks the way they use social media accounts. Since banks already have to collect and verify sensitive information, to comply with know-your-customer regulations and to prevent fraud, they theoretically could leverage this work and expertise for other businesses. Consumers, in turn, would have fewer passwords and usernames to remember and would not have to give out sensitive information such as Social Security numbers quite as often. Banks in Europe and Canada have begun to offer such services.
It remains to be seen whether one of the benefits of bank ID for businesses — that it spares them the burden of safeguarding customers’ information — can sway companies that currently view data as gold, not toxic waste. And banks themselves will have to understand the potential liability if they mistakenly issue incorrect credentials to someone who then harms the relying party.
The roughly $350 billion-asset Capital One has been quietly building this business for months; in September it hired Matt Thompson, an identity and security expert and a co-founder of ID.me. Speaking on a panel at the K(now) Identity conference in Washington on Monday, he said that the initiative, while business-to-business, would benefit consumers who bank at Capital One.
"One of the ways that we can expand the trust that we have with them is by providing them with trusted interactions with merchants in their digital life," he said.
Capital One’s site for business software developers describes the forthcoming services, delivered through application programming interfaces, and invites prospective clients to sign up for beta access.
One potential use is when consumers sign up online for gas or electric service. If required to upload a driver’s license, or type in a Social Security number, many people may abandon the process. The bank says it can remove the need for utilities to ask customers for such information. “Instead, the API instantly sends verified sensitive data directly from Capital One to the utilities to seamlessly set up an account,” the developer site says.
Sharing economy platforms could also use Capital One’s APIs to “add an additional layer of user verification for both sides of the transaction” and weed out scammers, the site says.
"Our focus is on use cases where trust matters and you need to have confidence in the person that you are interacting with," Thompson said on the panel.
Digital identity has become a hot area for investment, as rising and persistent data breaches, stiffening (and often conflicting) anti-money-laundering and privacy rules, and the growth of electronic commerce, especially mobile usage, drive demand for better services. According to research by venture capitalist Pascal Bouvier of Santander Innoventures and the strategy and research outfit One World Identity, there are more than 180 startups in this niche.
It is a market that several U.S. banks are dipping their toes into. One of the most prominent is USAA; in the past several years it has acquired multiple digital identity firms. This year it also granted development rights to some of its patented security technologies to Persistent Systems to create digital authentication tools. Moreover, USAA announced a project this year with the Department of Veterans Affairs and Department of Defense where members can access their health records digitally from those agencies when applying for life insurance at USAA, facilitating the exchange of records between the government and USAA by encrypting transmission and limiting access of electronic health records to only approved persons.
“Our focus in the short term is how we raise the level of authentication around identity,” said Gary McAlum, chief security officer for USAA. “Long term, this is a strategic question for the digital space. What’s the digital equivalent of a passport or driver’s license? That’s the million-dollar question.”
Another prominent bank experimenting in this area is BBVA Compass. In 2015, it began offering a service with the startup Dwolla that allows bank customers to send and receive real-time payments. The partnership uses a jointly developed authentication and tokenization process called FiSync that spares BBVA accountholders from having to provide sensitive bank account information or credentials to Dwolla or any other party.
BBVA this year also held an “open talent competition” to find the 10 best fintech identity products from around the globe, with the idea of potentially partnering with some as part of BBVA’s effort to address “the need for a digital identity solution from multiple angles,” a company spokeswoman said.
The Credit Union National Association over the past year has been experimenting with a distributed ledger system that would allow credit unions to give members a cryptographic, unfalsifiable digital identity.
In Canada, a broader effort is underway with the SecureKey initiative launched in 2012. In this model, banks manage their customers' digital identities for government websites. Tangerine Bank, Bank of Montreal, TD Bank and Scotiabank are all part of the program. The U.K. government also launched an identity verification platform in 2015 with Barclays as one of the partners. This month Deutsche Bank announced it was part of a consortium seeking to bring universal digital identity to Germany.