What Can Banks Offer in the Debate Over Digital Identity?
NEW ORLEANS — Most people, if they thought about it, would admit the way digital identity is managed in the U.S. is suboptimal. Those truly in the know find much stronger words.
"We've been using this cobbled-together identity system," Karen Gifford, special adviser to the payments tech provider Ripple and to the startup global ID, said Monday at American Banker's Digital Banking 2016 conference here.
"There needs to be a transition from what's happening now," said Gifford, a former counsel to the Federal Reserve Bank of New York. "Frankly everyone recognizes there's way too little cybersecurity around people's personal information, the regulatory community has been pushing for things to change, and consumers are impatient with how identity is being managed. So there's a lot of impetus from many different places to change."
Many financial criminals are switching to a more sophisticated kind of identity theft in which they open accounts based on stolen identities, or on composites of information stolen from different people.
Comments by JPMorgan Chase's Jamie Dimon have added fuel to the long-discussed idea of a national database that would make it easier for banks to vet customers for anti-money-laundering and other risks.
Airbnb, the company that disrupted the hospitality industry as Uber did to taxis, is sidling up to the fintech space.
But how identity should be managed, and who should manage it, are shaping up to be hotly debated questions.
The United Nations has set a goal of providing a legal identity to everyone on the planet by 2030. At a conference at the UN headquarters in New York last month organized by ID2020, a "startup NGO" seeking to further this goal, one of the most discussed concepts was "self-sovereign identity" — essentially, giving individuals control over their information and allowing them to transport it.
The Windhover Principles, a manifesto Gifford helped to write in 2014, similarly recommends a portable identity solution that could enable strong privacy protections for users.
"The person providing identity details would maintain ownership and control over them," Gifford said during Monday's panel discussion.
Some bankers and industry observers see a natural role for banks as the stewards of people's digital identities. One audience member suggested this could be an a la carte service banks could offer, unlinked to any financial account, for a small monthly fee.
Steve Ehrlich, lead analyst for emerging technologies at the research firm Spitzberg Partners, noted that many have lost faith in financial institutions since the financial crisis in 2008. "But people still trust financial institutions with their money much more than e-retailers and e-commerce sites and social media," he said. "And people are still willing to provide data to obtain value-added services like additional recommendations, discounts and cash-back bonuses. So people are still willing to trust banks with that type of information, so they have an opportunity here. There's a role to play."
However, Susan Joseph, the CEO of ID2020, told conferencegoers she sees banks as a "second layer," at least in the developing world, since not everyone will qualify for banking services.
Ehrlich also mentioned the concept of contextual integrity — not giving all your information to a third party, just the information relevant to the services that will be provided.
This is something Dominic Venturo, chief innovation officer at U.S. Bank, has been thinking about a lot lately.
"The proliferation of data that's happening online is highly problematic," he said in a recent interview (he will be addressing this topic at the conference on Wednesday). "If you have the ability to reduce the number of places that data are shared, you have the ability to improve security for the customer." Tokenization of card and account information is one example of this.
"One of the reasons tokenization has been so critical in relation to mobile and it will be important online, is the proliferation of data being everywhere creates a higher risk threat," Venturo said.
The common system of usernames and passwords, combined with the fact that consumers reuse that data all over the place, creates a problem, he said. Even when consumers don't reuse passwords, the passwords they choose "are human-friendly, which sometimes makes them insecure or easy to guess."
Too much data and weak passwords lead to phishing attacks, online banking fraud and other types of security breaches, he said.
Yet banks have to make their services easy and convenient to use. They can't be locking out their legitimate customers. "You could have the most secure system out there, but you certainly wouldn't want to use it," Venturo said. "You have to have that balance."
Tom Ridge, former head of the Department of Homeland Security, spoke of the challenge of combining convenience, access and security at the conference Tuesday morning.
"The ability to prove you are who you say you are is almost an international currency," he said. Frictionless authentication is probably the single biggest challenge banks have as they build out their digital banking platforms, he said.
What U.S. Bank and others are doing, Venturo pointed out, is validation behind the scenes. "Is the device a trusted device?" he said. "Is it something you've seen authenticated in your system over and over again and is the user behaving the way the user normally behaves?"
Venturo sees the bank's role in digital identity as providing tools that help customers protect their data.
In the future, states may issue digital versions of driver's licenses — Iowa is already doing this in pilot — and there could be a verification process that uses some, but not all of the data on that document.
"Say you want to go to a bar," Venturo said. "Why does the establishment need to know your address or even birth date if through a verified service they can see your photo to compare it to you and also a verification indicator that says this person is over 21?"
Other information on a license could be used to commit fraud, "which is horrible," Venturo said. "There's no real reason you would need to have that information if you're the establishment, as long as the law supported that. You would only need to prove that the human in front of you is of legal age."
In financial services, this might come down to providing only a tokenized payment credential to a payee, he said. "There's no need for the other information from a legal or risk or any other perspective."