As knowing your customer (KYC) becomes more important, we are constantly seeing new approaches to how consumers’ identifications are managed and delivered as parts of key economic activities – account opening, check-out, payments, critical services, immigration/border control etc. As various countries from the UK, New Zealand to Italy and Nigeria work to create their own national identification schemes, consumers are challenged by questions such as, “Which document do I carry?” and “Which document will be most broadly accepted?”
Which Identifier Should We Use?
There are other types of organizations trying to unify national I.D.s into a singular, global standard, creating a one-stop I.D. card or online identity solution. The rise in biometric technologies is leading to the development of digital forms of identification, where personally identifiable attributes are considered such as fingerprint, voice, retinal, DNA etc.
There’s also the social media space; where some attest that we should rely on technology to track socialized identity metrics. Does a person’s verified Twitter account, or their 500 contacts and endorsements on LinkedIn or someone’s 1,500 Facebook friends count as reliable social metrics to verify identity?
Directly off the back of this – enter the blockchain activists who believe an identity ledger can be used built on a sequence of captured irrefutable identifiers. For instance, consumers’ doctors know them personally, and can thus verify identity; followed by a neighbor, then a local banker, etc. The argument being that as this chain lengthens it can be used to confirm identity
Not least of all are the more traditional validators, such as credit agency data for financial background and history. Financial institutions have always been the “gold standard” as they are regulated to not only perform Know Your Customer (KYC) – but also to screen customers against known offenders, money laundering lists, run risk rating and complex due diligence – all of which require physical documentation and occasionally, even an in-person meeting.
Challenges of Alternative Identification Options
The greatest challenge facing all of these proposed solutions is uniform acceptability. In any counterparty relationship, there are two parties who must work with each other to agree a common standard or protocol. For identification, one party (usually the customer) must possess a current and valid form of the required information, and then must provide it to the other counterparty (the vendor) who must equally accept and recognize it as a sufficient form and type of verification.
While one party might find its method to be a good standard, that isn’t enough if there is no agreed upon standard. For example – presenting a New Zealand ID card in a country or to a vendor which either does not honor it or know what it is. Another key challenge is portability – can the proposed solution be delivered both in instances where physical evidence is required (card, passport, etc) and in a virtual or digital fashion?
Equally as important – does the ID choice have a limited shelf life – and if so; is there a standard that can be agreed on the recency of the information? Traditional regulated entities look for 90 days in forms of address verification. In some countries, birth certificates and citizenship cards are acceptable – but many of these have your baby’s picture on them – so how can they be used as an adult? For social media – what does recent even mean? Is it 100 hits a day, 50 twitter or Facebook followers in the past month / year?
Does the system rely on 3rd parties to further validate? Copies of physical documents have long been required to be certified or notarized, at great expense and frustration to all parties. Blockchain solutions rely on appending 3rd party validators to the chain.
Social media relies on 3rd parties as well, but these systems can be spoofed and hacked. Recent headline cases showed instances of pay-to-play companies allegedly based in several Asian countries operating Facebook friend-factories; where for sums of money, you could literally “buy” thousands of followers.
Where Should ID Data Reside?
“A distributed ID system matches well with the above legislative mandate – as it would automatically recognize an individual’s role in the use of their Pii data – and provide them with the tools to subsequently manage it.”
— Stuart Lacey, Founder and CEO, Trunomi
The final topic to address here is where does this data reside, who “owns” it and who has access to it. Does some central repository permit you to access the data – and if so, who establishes what rights you have to access it, and for what fee?
There is a marked move away from centralized solutions to decentralized solutions – and it seems hard to believe that in the days of Snowden, the NSA data leaks and various Big Brothers, that the world’s population will choose to centralize such a service. But if it does– which centralized authority? Could all these various countries agree on one?
In this line of thinking – many of the G8 have recognized data sovereignty and the critical role that Personally Identifiable Information “Pii” plays (your ID is of course synonymous with Pii – no matter the format it takes). This is showing up in Right to be Forgotten legislation, Opt-In legislation in Canada and the UK, Consumer Bill of Rights in the US and most notably, the European Union General Data Protection Regulation.
The trend across all these initiatives is clear however, and that is recognition of an individual’s rights and interest in the data which they create, and more specifically – when that data is Pii – the necessary role they must play in consenting to how their Pii data is used, when it is used and by whom.
Data breaches remind us of the folly of massive centralized large data sets in the cloud. Take for example the recent massive hacking of 21.5 million records from the US Office of Personnel Management. One of the current truisms amongst those in the “black hat” world is that there are only two kinds of companies, those that have been hacked and know it, and those that have been hacked but just don’t know it yet.
As such, many newer technologies are trending towards distributed systems, with much lower systemic risk. A distributed ID system matches well with the above legislative mandate – as it would automatically recognize an individual’s role in the use of their Pii data – and provide them with the tools to subsequently manage it.
The Solution – Simpler Than You Think
Which type of data should be leveraged? Simple – All of it. This solution brings the rise of the ‘ID Superset’. The utility and power of the Superset solution is directly correlated to the variety and diversity of the data therein. Think of it as building a portfolio of various building blocks, each of which can be used uniquely and in various combinations to fit almost any outcome. In the rare instance that a new identifier is required or created, simply append it to your Superset – and you now have the utility of it in the future.
This solution also natively resolves the single biggest challenge – which was acceptability – as if there is no one single solution, then there can only be a collaborative or aggregate solution. The potential for adding verification ratings is another option for deploying or using a Superset.
This enables vendors to set rating thresholds – and then open a gateway for their customers to simply choose which set of acceptable identifiers are sufficient to meet the stated threshold. This allows for gamification, loyalty programs and other great incentives to empower customers to actively improve their Superset, which optimizes for responsibility and in turn enhances the utility of not just their Superset, but that of the whole system.
By establishing a level playing field with configurability and shared standards, the solution embraces open-source, which is increasingly becoming the accepted mechanism for technology deployment. This is a distributed solution, which solves the centralization challenge, and in turn significantly reduces risk of systemic data breach.
Conclusion
Providing Pii data to banks, doctors and countless other organizations has become notorious for being repetitive, inconvenient and insecure. Consumers no longer feel in control of their Pii data; because ultimately – they aren’t. If there is one thing all should agree upon, it is that now is the time to return the utility value of data to the true owners and creators of the data itself.
Most importantly, it is this proposed return of the value and utility of the Pii data back to the consumer which is so monumentally significant. It allows consumers to build a portfolio of identification across all areas of their lives, creating an identity rating for themselves of more utility than their credit rating (in fact, their credit rating becomes a subset of the Superset). Regardless of what piece of identification is required at any given time, a consumer has access to their own superset, and can go directly to that piece of data to present it.
Taken another way, the data you append to your Superset might well soon include healthcare data, shopping data, location data etc. This data, along with its root (your Pii) is positioned to become your single most valuable asset – and the gateway to a new world of on-demand services – in which you will even monetize your own data.