-
Banks have to know a lot about their customers, who generally trust them to keep personal information secure. Who better to serve as digital identity providers in a post-password world?
March 27 -
Though the use of a digital identity may take years to go mainstream with consumers, BBVA Compass is thinking about the role that banks should play and taking steps toward being part of the solution.
March 27 -
Asking for static information like a mother's maiden name seems increasingly passé, since shared "secrets" can be stolen or gleaned from the Internet. But without a brilliant alternative, and done with care, knowledge-based authentication still has value.
March 24
I don't normally buy $300 of pizza. But it's not as unusual as my credit card issuer might think.
Once a year I throw an event for about 500 people. I don't know who all of them are, or when or where the guests will show up. For the most part, they are responsible for themselves, but I often throw in special surprises.
Last year, I spontaneously decided to send 15 pizzas to the local bar where we gathered. I placed the order over the phone, but my credit card was declined, even though my account was in good standing. Since I was a few blocks from the shop, I went over in person. I tried three credit cards – each of them declined in turn. My friends tried their credit cards and after several tries found one that worked.
Apparently, buying 15 pizzas was outside our normal purchase activity. Twenty minutes after my attempted purchase, I received a bank alert for possible fraud.
Predictive analytics are useful, but there are valid outliers. And fraudulent activities are more likely to fit into the bell curve of typical activity. I was delighted my bank was looking out for me – but there was no user-friendly way to confirm the pizzas were an authentic outlier purchase. We're going to hit the limit of predictive analytics eventually.
My pizza tale may be a First World problem, but it's just one example of where our legacy identity system gets it wrong.
In the legal and banking worlds, the concept of identity is tied to our hand musculature (signature), our homes (address confirmation), our biometric outputs (fingerprints) and our past behavior (reputation and credit score). However, when you go online, your identity is not confined to the physical world. It expands and is customized for specific activities and needs. Sometimes we need bank-grade security, such as when making purchases; other times a pseudonym suffices.
And a pseudonym can lend its reputation to and validate a traditional identity. For instance, a company called Karma calculates reputation scores for people based on data across multiple sites (Craigslist, Facebook, LinkedIn, etc.) but allows users to choose which of those sites are displayed on their profiles. So I could take advantage of the
We need to think about identity in new ways, such as:
- Platforms of trust. As the sharing economy matures, platforms like AirBnB are not merely an intermediary between guests and hosts; they have become platforms for verified trust.
- Group identity. The way we think about identity is antiquated. The future shouldn't limit identity to individuals only, for example.
- Smart software. Predictive analytics are useful, but as my experience shows, there are valid outliers.
- Portable, interoperable identity. Technology needs to bridge silos, not build more of them.
We are living through a time of rapid technology development. Most of the time, we focus on the technological aspects – developing new products to disrupt those of the previous epoch. However, by focusing on technology, we risk ignoring the concurrent social changes and value shifts. It would be a shame to implement new technology based on outdated social beliefs.
Facilitated Identity Verification
"I only rent my
As more peer-to-peer businesses develop, there's an increasing demand for trust. In 2013, AirBnB introduced
Today, AirBnB offers eight ways for members to verify aspects of their identity. These range from the basics, such as an email and phone number, to social media platform validations (Facebook, Google, LinkedIn) to traditional personal data (like the questions a credit card application asks) to previously verified identity – your American Express card, for example. AirBnB does the job of verifying the actual user data and then displays the verification token, so site users don't need access to one other's sensitive personal information. They only need to know the verification is valid.
The Digital Asset Grid, a research project led by Peter Vander Auwera at the Society for Worldwide Interbank Financial Telecommunication in 2012, pioneered a similar vision. (I worked on the project,
Outsourcing identity verification can reduce corporate data risk. When verifying identity using an external data set, a local copy isn't needed. You store the verifications, but not what was verified. This reduces the risk of a data breach, since you're not holding as much valuable information that a crook would want to steal.
Making identity verification available across AirBnB's platform reduces this risk for each host as well. Prior to the Verified ID program, hosts had to ask for personal ID directly from the guest. And who knows what data security practices hosts might have followed? It's safer for all parties to use a platformwide verification system.
AirBnB and the Digital Asset Grid are appropriate blueprints for future verified identity systems where it's necessary to share verified credentials while securing personal data. Verified identities increase the trust between transaction parties, leading to greater satisfaction.
Beyond Individuals: the Millennial Holy Grail
Banks are after the elusive millennial demographic. But if they are only going after individual millennials, they're chasing the wrong market.
Last year Brett King, the founder of Moven, described a hypothetical example of
There are many reasons individuals might want to share resources in a group. They might be producing an event, art project, a very-early-stage startup or living in a group arrangement. The project has costs, and they might accept sponsorship or sell tickets. There's money coming in and being spent.
In this scenario, someone is taking financial risk. This might be an individual using a personal bank account to receive funds and pay bills. In addition, that person takes on the tax risk as well. You might want different people authorized to make purchases. This situation calls for a combined identity with financial and legal protections – not as expensive an entity to set up as a corporation, easier to dissolve when the project is over, but designed to let multiple parties take responsibility.
Beyond people, you might want to authorize software to make a purchase on your behalf. Who authorizes the transaction when you push the Amazon
Smart objects able to make purchases will arrive sooner rather than later. Some objects will have identities of their own, while others may be nested as part of a set of identities with specific functionalities that might include financial responsibility and automated transaction activities. Simple bill-pay activities might evolve into self-executing
We're jury-rigging these situations today, passing the risk to individuals. But how long will this last? Legal systems don't have the structures to allow these kinds of complex identities. We need to develop structures that allow risk to be shared across multiple individuals in a lightweight way without the overhead of legal incorporation.
With such structures in place, banks could develop a hybrid account that combines business and individual functionalities. Imagine a house account that is set up to automatically pay rent and bills, and might even schedule and pay for grocery deliveries. Income into this account might come from regular habitants (roommates), selling solar energy back into the grid or even by renting a room on AirBnB. Today, this is normally handled by an individual or a legal corporate structure. But that's an awful lot of overhead in terms of costs and tax liabilities.
Portable, Interoperable Identity
Identity is not just an issue for those of us fortunate enough to have spare rooms to rent on AirBnB or Amazon gizmos in our bathroom. Without an accepted way to prove you are who you say you are (a legal identity and address confirmation) banks are unable to give you an account due to know-your-customer regulations. According to the World Bank's
India is trying to solve this problem with the Aadhaar card, the world's largest national ID project. Interestingly, the Aadhaar card offers an electronic KYC
Then there are those looking to solve the global identity problem through the
Four Recommendations
Identity is about context. I like the AirBnB model that leverages verifications (like the Amex card) to create a comprehensive identity from many pieces of data. The more verifications, the more complete a picture that can be created.
If you want meet the future head-on, rather than respond to the inevitable disruption, consider these four recommendations.
- Smarter software: Make financial intelligence more human-friendly. Leverage technology for fraud prevention while creating a user-friendly purchase authorization, so valid outlier purchases, like my pizza order, can be confirmed in real time to complete the transaction.
- Identity as a service: Use diverse methods to verify identity. Outsource your identity verification with diverse modules. Don't rely on one component, and select modes that are already familiar to your customers, as AirBnB does.
- Agile identities: Develop a legal framework for ad-hoc group and machine identities with financial functionality, and develop products for lightweight combined group identities, such as housemates or startup founders.
- Interoperable identity: Develop an
OAuth -like solution for banking and an e-KYC API like the Aadhaar card. Impress upon regulators the need to expand the set of accepted documents for KYC to reflect changing times and to promote financial inclusion while preventing illicit activity. Things like verified social media accounts or, in the case of immigrants or refugees, foreign national IDs (even ones that have expired) may work as well as a utility bill.
Working together, banks, technologists and other stakeholders can build the future of identity – a future that leverages the best technology has to offer and keeps sensitive data secure while enabling portability and just as easily interfaces with human as well as machine intelligences.
Heather Schlegel is a