Governments and banks around the world are sponsoring a myriad of digital identity projects in an effort to make identity more convenient for consumers and businesses.
This digital approach — being touted as the future of identity — combines all an individual’s disparate identifying information into one account, or “digital wallet,” that the individual controls via a smartphone.
On the surface it seems logical for banks and credit unions to be involved in such digital identity programs because they are already required by law to collect enough information from their customers to verify who they are and clearly identify potential criminal activity, money laundering and tax evasion.
This know-your-customer (KYC) data is the most sensitive information that financial institutions possess. It must be secured and protected from malicious actors at all costs, and those costs can be significant. Just consider how much is spent to comply with banking regulations, let alone the rules around comprehensive digital personally identifiable information — or PII.
Taking the wrong approach to handling digital identity could make it easier for nonbank providers to expand further into financial services.
There is a better way forward for digital identity — and a less expensive, less risky role for banks and credit unions to play in this framework. In today’s highly regulated world, financial institutions should not be responsible for reporting on everything their customers do with their money and should not have to provide identity services that enable other parties to piggyback on their KYC processes, especially when those parties aim to link that identifying information to consumers’ behaviors and habits beyond what they do with their money.
When PII Becomes Too Much of a Risk for Banks
There is an important place for banks in the future of identity — just not the one that bankers have focused on so far.
One of the most well-known rules involving personally identifiable information is the General Data Protection Regulation (GDPR), which the European Union adopted in 2016 to protect online consumers. Similar regimes have been implemented elsewhere.
In post-GDPR cyberspace, banking KYC regulations are ironically at odds with what is best for consumers because the aggregation of so many digital identifiers makes customer data an irresistible target for hackers. The more personally identifiable information a financial institution possesses, the more appealing a target it becomes to those looking to commit identity fraud and ransomware attacks.
Taking on more personally identifiable information is a costly responsibility for banks and fraught with more risk.
To better understand the commitment banks make as issuers of identity credentials — and the way banks might prefer to participate instead — it is worth looking at how digital identity actually works.
Explainer: Digital Identity in Banking
Digital identity is often called self-sovereign identity (SSI), because users control their digital wallets, so in theory, they also control their digital identities. As SSI has evolved, the general architecture adopted became something like this:
In this simplified SSI design, the issuer of digital credentials (a bank or a government) has an agreement with one or more validators (digital wallet providers). The digital wallet account collects the user’s physical identity information, sends the bank a digital credential request and validates the identity against existing records held by the bank.
Consumer use of digital wallets is rising — particularly with major tech companies launching branded versions like Apple Pay, Google Pay and Samsung Pay. Apps like these give people the ability to leave their physical wallet at home and go out with only their phone in their pocket.
To set up an account, a user uploads their physical identity information to their digital wallet, perhaps a picture of their passport or their bank account number. That identity information could be validated against the issuer’s own record, and if there’s a match, a digital copy of the passport or bank debit card would be added to the wallet. From that point forward, consumers could use the digital version of their identity credentials with any acceptor (merchant) to confirm their identity and make a purchase.
In this scenario, it’s important to note that the person with the identity is not attesting to their identity directly. As detailed in the above chart, the validation takes place in more of an indirect process, once the consumer takes the required steps: downloading a third-party digital wallet application, setting up an account by inputting their identity attributes and uploading pictures of their physical identity documents (passport, driver’s license, health card).
The basic risk of digital SSI systems is that a very complex architecture is in constant motion over the internet to guarantee trust and security. The more complex the system, the more places it can fail and expose banks and their customers to identity theft, or worse.
The Digital Dance Of Know-Your-Customer
In most digital identity systems designed today, banks play an important role as issuers of digital identity credentials because of all the KYC data they already hold. However, this makes the banks responsible for maintaining and securing far more PII than they already do as part of their regular KYC requirements.
Most often this means banks must partner with a host of different digital wallet vendors, many of whom may not have data protection policies and practices as robust as those of their heavily regulated banking partners.
Did You Know:
If a data breach includes PII data from a bank, the bank is legally responsible, even if the breach happens at one of their wallet partners.
Digital wallet providers perform the validation of bank-issued digital identities and broker the connection to acceptors (merchants). They should not force the hands of banks, and they should also not try to be the hub that links together everything that bank customers do beyond their direct relationships with the bank.
Wallet providers make money by brokering transactions between digital identity wallet users and the businesses that accept them. Unlike already established bank identity-related services like credit cards, each of these relationships with an acceptor must be established one by one. This means that wallet providers’ prime motivation is profit, and they must sign up as many business “acceptor” customers as possible. Sometimes, however, data security comes second, and that’s downright scary.
Furthermore, banks and credit unions in the United States and elsewhere are already filing class action lawsuits against Apple for taking a significant margin from all transactions processed via its proprietary iOS smartphone wallet. Apple restricts wallet use on iPhones so consumers are not able to use tap-to-pay services via apps from competitors like Google and Samsung, and then the tech giant takes a cut of every transaction.
Banking regulations are comprehensive and boring to the general public, and most violations or fines go unreported in mainstream media. This is definitely not the case for breaches involving PII, which are regularly front-page news.
The Case for Self-Attested Digital Identity
Wouldn’t it be more profitable to strengthen the direct relationship you already have with your customers?
To enable a customer to self-attest their identity, individual users must be empowered to be the issuer of their own un-linked identity attributes. In a self-attested digital identity (SADI) system, banks would be asked to validate a set of identity attributes shared directly with each person individually via a securely encrypted exchange, without collecting or tracking any additional PII. Merchants and banks would be able to accept individually validated digital credentials without collecting or tracking any additional PII.
Self-attested digital identity would look something like this:
In the SADI architecture, the user is the issuer of their own digital credentials, which are validated by banks and governments. Merchant, bank and government acceptors would be able to confirm digital credentials by scanning a QR code, or by tapping a payment terminal. The digital identity would be validated with the relevant bank or government directly.
SADI would empower individuals to create, assert and share their own identity in any form necessary to establish valid identity credentials with an acceptor.
It’s also a much simpler way for banks and governments to adopt digital identity while maintaining direct control over their role as validators of the minimum PII required, and nothing more. There is no need for complicated trust frameworks or regulations because each connection is one to one with an individual user and can be updated or revoked at any time.
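As an added illustration (not the author's design or any project's code), a minimal Python simulation of the SADI exchange described above, contrasted with the SSI explainer earlier: the user self-issues a credential carrying only the attributes they choose to disclose, the bank validates those attributes against its existing KYC record and returns a keyed tag over a commitment without retaining anything, and the acceptor confirms the tag with the bank directly. The HMAC construction, the nonce and the sample customer record are assumptions made for this example.

```python
import hashlib, hmac, json, secrets

# Constructed sample data (hypothetical): the user's attributes and the
# bank's existing KYC record for that customer, keyed by passport number.
USER = {"name": "A. Example", "dob": "1990-01-01", "passport_no": "X1234567"}
BANK_RECORDS = {"X1234567": dict(USER)}

def commitment(attrs, nonce):
    """Hash of the disclosed attributes plus a nonce. The bank signs only
    what the user chose to disclose; nothing else can later be swapped in."""
    canon = json.dumps(attrs, sort_keys=True).encode()
    return hashlib.sha256(nonce + canon).digest()

class Bank:
    """Validator role. Confirms attributes against its own KYC record and
    keeps no copy of the credential it validated (assumed HMAC tagging)."""
    def __init__(self, records):
        self.records = records
        self.key = secrets.token_bytes(32)   # bank-side validation secret
        self.retained = []                   # anything stored beyond KYC

    def _tag(self, com):
        return hmac.new(self.key, com, hashlib.sha256).hexdigest()

    def validate(self, passport_no, attrs, com):
        # Channel assumed to be the customer's own authenticated session.
        rec = self.records.get(passport_no)
        if rec is None or any(rec.get(k) != v for k, v in attrs.items()):
            return None                      # does not match the KYC record
        return self._tag(com)                # nothing about the request is kept

    def confirm(self, com, tag):
        """Acceptor asks the bank directly; the bank learns only a hash."""
        return hmac.compare_digest(self._tag(com), tag)

def sadi_flow(bank, user, disclose):
    """User self-issues a credential with only the chosen attributes."""
    attrs = {k: user[k] for k in disclose}
    nonce = secrets.token_bytes(16)
    tag = bank.validate(user["passport_no"], attrs, commitment(attrs, nonce))
    if tag is None:
        return None
    return {"attrs": attrs, "nonce": nonce, "tag": tag}  # held by the user

def acceptor_check(bank, cred):
    """Merchant reads the credential (e.g. from a QR code), confirms it with
    the bank, and sees only the attributes the user disclosed."""
    ok = bank.confirm(commitment(cred["attrs"], cred["nonce"]), cred["tag"])
    return ok, set(cred["attrs"])
```

A credential whose disclosed attribute is altered after validation fails the acceptor's check, and a request whose attributes do not match the bank's record is refused at issuance.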
Make Money the Old-Fashioned Way, Not Like Big Tech
Big Tech has perfected tracking users through cyberspace and making trillions of dollars by selling customer identity data. They’ve also perfected how to deflect attention when they suffer a data breach or are accused of using algorithms to manipulate their customers.
Bank regulators have had hundreds of years to understand the banking business and they’re more than capable of credibly delivering existential threats to a bank should it stray into unfamiliar territory. But regulators are not addressing the same abuses when they are carried out by nonbanks, even if they look a lot like financial services businesses, but are not classified as such in a traditional sense.
Banks make money by knowing their customers well enough to reliably loan money and profit by charging interest and fees. This is an honest business that banks have perfected. They should not succumb to the twinkling lights of PII data exploitation.
Banks used to be a more personal affair where people deposited money at a local branch and received loans from a bank manager they actually knew. Self-attested digital identity can strengthen this direct customer relationship banks have spent years building, dramatically reduce their PII exposure liability and protect their margins from incursions by third parties like Apple Pay.
About the Author:
Michael Cholod is dedicated to developing decentralized internet architectures and technologies that promote privacy and self-attested digital identity. The nonprofit Peer Social Foundation supports education and research and development of how digital identities connect people, businesses and governments.