Citigroup Inc., aiming to build on its existing role as a commercial customer authenticator, plans to begin offering a service in which it acts as verifier of customers' digital identities to third parties.
As more commercial transactions and personal correspondence are conducted electronically, there is increasing demand for identity management services, which among other things can be used to authenticate large payments, verify authorship of sensitive documents, and restrict access to confidential information, Citi said.
Paul Galant, the chief executive of Citi's global transaction services unit, said the banking company has been working with clients for more than a year to develop and refine these services.
Before the year is out it expects to formally introduce Citi Managed Identity Services. The package is to include digital credentials for corporate employees and systems to lock down data, such as payment files, to prevent unauthorized manipulation while they are still within the clients' computer systems.
Identity management services are an extension of banks' historic role as a trusted third party and is just as valid a business as cash management or trade finance, Mr. Galant said in an interview Monday.
"When we scale them to the 140 markets where we operate, it can be very lucrative for us."
Gary E. Greenwald, the global head of capabilities and information products in Citi's global transaction services unit, said banks such as Citi have put a lot of work into "know your customer" programs, but so far these efforts have produced "lazy assets," with little commercial value. "As the world evolves, banks have to ask, do we want to go into these adjacent spaces?"
Citi plans to offer identity services to its own corporate clients, which include some of the world's largest companies, and to correspondent banks on a white-label basis.
Susan Feinberg, the research director in the wholesale banking group of TowerGroup in Needham, Mass., an independent research group owned by MasterCard Inc., said banks are well positioned to offer identity management services, because they enjoy greater customer trust than technology vendors.
However, she also noted that in this nascent field, financial companies need to develop a critical mass of providers to make potential customers comfortable with the idea of using their banks to authenticate them to others. "There is more of a benefit if more banks do this. You don't want to be the only one," she said.
She said Citi is emerging as the leader in this market, though Royal Bank of Scotland Group PLC offers a comparable service in the United Kingdom and Wells Fargo & Co. has come out with several electronic signature services in recent months.
The core technology in Citi's initiative is PKI, or public key infrastructure, a widely used encryption format. Citi is offering to its customers the digital credential they need when using PKI to verify their identities; third parties, Citi said, will trust that the user is who they claim to be, because Citi is taking on the work of authenticating people before issuing the encryption credential.
The technology used to offer these credentials is available from numerous vendors. Citi is working with three: IdenTrust Inc., whose certificates are used primarily in financial applications; a Brazilian certificate authority; and SAFE-BioPharma Certificate Bridge Authority, which offers a Food and Drug Administration-accepted format that researchers use to file the results of clinical trials.
By offering digital credentials, Citi can enable its customers to authenticate end users to software applications, encrypt and lock down data, and replace traditional signatures with digital ones, without compromising legal enforceability.
Indeed, digital certificates can provide a better audit trail than traditional paper documents, Mr. Greenwald said.
The digital credentials can be stored on users' computers, or on smart cards, portable flash drives, or other devices. It is also possible to store multiple credentials on a single device, so a user does not have to juggle a variety of cards depending on the task, Mr. Green-wald said.
The smart card, with an embedded memory chip, is the favored device today, but the form factor is unimportant, compared to the security processes that the bank uses to know its customers, Mr. Greenwald said. "You can't talk about it from the card upward. You have to talk about it from the solution downwards."
In November Citi plans to roll out a bank account management service, based on digital credentials, that will allow corporate customers to keep track of the people who have permission to access accounts worldwide, and to manage this access as people leave and are hired. Three clients have been testing the technology since last year, Mr. Greenwald said.
Other areas also offer opportunities, he said. "Capital markets transactions have many aspects where this could be very useful."
Government agencies also could use bank-backed credentials to register companies to bid electronically on contracts, Mr. Greenwald said. "How do you credential hundreds or thousands of suppliers who may need to access your systems?"
And as more companies begin to use these services, "it's going to open up the floodgates for other corporate processes," he said.
The challenge, for Citi and the banking industry, is in demonstrating the value of the business, Mr. Greenwald said.
That will require the participation of a variety of banks, selling such services to companies large and small, Mr. Greenwald said, and Citi plans to white-label the services to banks around the world for their middle-market clients.
Citi expects to announce the first agreements with correspondent banks this quarter.
Until there is an established market for this kind of service, "it's like having a large card business with no merchant acceptance," Mr. Greenwald said.
