The Man Who Tokenised The World

David Bowie was a genius. That is a word that gets bandied around all too lightly these days, but in his case it is entirely justified. And not because of his music, as brilliant as it is. No. Bowie was a genius because he understood the future. When looking at how the internet was developing, he famously predicted the end game: streaming. Indeed, he said at the time that music would become “like water” piped into our homes.

(And his music was indeed brilliant: Aladdin Sane was the first album I ever bought with my own hard-earned cash, Ziggy Stardust was part of the soundtrack to my college years and “Heroes” is one of my all time favourite songs.)

Not only did Bowie predict the future, he monetised it. In what I am convinced that future economic historians will surely highlight as one of the weak signals for change to a post-industrial economy, he created the Bowie Bond. This was a 10 year, 7.9% self-liquidating bond backed by the revenues from all of his music prior to 1993. The value of this over a decade was estimated at $100 million and stamped as AAA by credit rating agencies. Then, in 1997, these bonds were sold to Wall Street. Whether Bowie knew that this valuation was nonsense or not I couldn’t say, but he made $55 million from the bond sale. A few years later, the bonds were trading as junk. Bowie, as it turned out, was smarter than the bond market.

Ten years ago I wrote about the Bowie Bonds when I was thinking a lot about private currencies and digital money. It had occurred to me that those $1,000 Bowie Bonds were a shade away from being a form of Bowie Bucks and that if they had been issued as some kind of digital bearer instrument (DBI, or what many people now call “tokens”) then would have been a form of repetitional currency. I said that while it might seem strange to imagine trading in Bowie Dollars that are simply units of Bowie bonds, why not? As I noted at the time, it would be no different to trading with Edward de Bono’s “IBM Dollar” (in that it’s a claim on some future asset) or a similar instruments.

At the time, of course, I did not know that the shared ledger revolution was around the corner, so I imagined that Bowie Bucks would be implemented either in decentralised hardware (a la Mondex) or centralised software (a la Digicash). Now we have another and more appealing alternative to deliver the currencies of the future: tokens trading on shared ledgers. If Bowie were here today, I’m sure he would be discussing a token sale rather than a bond sale. But on what platform? Do the permissionless public ledgers work as a platform? Or do we need institutions to create permissioned ledgers with service-level agreements? How exactly will the money of the future work?

Digital and Crypto Layers 

I’ll be talking about this world of cryptomarkets, cryptoassets and cryptocurrencies at the 3rd Nordic Blockchain Summit at Copenhagen Business School on Friday, so I look forward to seeing you all there. I’m genuinely keen to learn more in this space interested your spectrum of view on tokenisation and such like. Don’t be shy with the question.

Basically, nothing is happening in UK banking

The British newspapers all reported on the latest figures for current account switching. Here’s an example: “Branch closures, IT meltdowns and vanishing cash machines have forced nearly a million disgruntled savers to ditch their bank and move to a rival in the past 12 months”. Wow. Nearly a million. That sounds like a lot.

But I wonder how many disgruntled customers did that last year? Not so wow. Nearly a million. So, basically, nothing has changed.

In fact the number of people switching accounts, while slightly up on last year, is 9% down on 2016. And the number of people switching is still a fifth down on 2012, the year before the banks were forced to introduce the Current Account Switching Service (CASS, a system which cost hundreds of millions of pounds) to reduce the average time to change bank accounts from around 10 days to a week.

Yes, that right. There are still fewer people switching accounts now than there were before the convenient and user-friendly account switching service was introduced.

Frankly, you can understand why no-one bothers switching. Every bank delivers basically the same service as every other bank, so the number of people switching accounts remains at around 3% of the customer base. And in a sector that is so heavily regulated, the cost of innovation is so high that only the most mass market of new products or services can get into production – it is very difficult to go down a more agile, design-led path.

The headline should have been “Despite everything that banks can throw at them, British bank customers resolutely refuse to move accounts”. This more accurate description of the retail banking landscape appeared, as far as I could tell, only in the Pink ‘Un. In a lovely piece titled “What would it take for you to switch your bank account”, Clear Barrett highlights the specific example of TSB and notes that despite the catastrophic failure of their system and weeks of chaos, only a tiny fraction of the customer base blew them off and switched! They had a net loss of only 6,000 customers (26,000 customers left but – astonishingly – 20,000 joined).

What about the “challengers” you say? Well, first of all, “challengers” is a bad name for what are essentially niche banks. Second of all, what about them? According to the FT, when data analytics company Ogury carried out a study of just over 1.5m mobile users in the UK in the second quarter of this year, it discovered that all of the top ten most-used ‘banking’ apps were from the traditional high-street banks.

So, no-one changes their current accounts (or their savings accounts, which the FCA says gives the big banks a cheap way to fund lending and stifles the “challengers”). But in the future, this inertia will be overcome.

How? Well, as the FT noted, and as I have repeated ad nauseam, “UK bank executives probably aren’t losing too much sleep over fintechs just yet. More likely to have them reaching for the Zopiclone are the US tech giants moving into the payments sector who — somewhat perversely — could end up being the biggest beneficiaries of PSD2″.

What does this mean for account switching? I think it could be very significant indeed. Open banking means that banking services will be delivered by these tech giants acting as “third party providers” (TPPs). The TPPs will manage the relationship with the customer and interact with the banks through application programming interfaces (APIs). The banks will be the heavily regulated, low margin, high volume machines sitting behind those APIs, and the will be selected because of service level agreements and cost/capacity calculations, not because of adverts of spacemen floating down beaches while singing.

The account switching will be done by bots rather than by those customers, disgruntled or not. When I decide to open my Amazon savings account, I’ll never bother to read the small print and find out that the account is actually provided by Barclays. And when Barclays try to charge Amazon a penny more, Amazon will move the account to Goldman Sachs. I haven’t switched my main bank account for 41 years, but I can imagine algorithms changing it for me every 41 days to get the best possible deal on financial services at all times.

Signatures, Sergio and standardising the payment experience

According to The Daily Telegraph, “written signatures are dying out amid a digital revolution”. I’m going to miss them. Of course I know that when it comes to making a retail transaction, my signature is utterly unimportant. This is why transactions work perfectly well when I either do not give a signature (for contactless transactions up to £30 in the UK, for example, or for no-signature swipe transactions in the US) or give a completely pointless signature as I do for almost all US transactions.

“Fears are growing that this is potentially leaving people open to the risk of identity theft and fraud as their signatures are more easily imitated.”

From “Traditional signatures are dying out amid digital revolution”.

If I do have to provide a signature, then for security purposes I never give my own signature and for many years have always signed in the name of my favourite South American footballer who plays for Manchester City. Now it turns out that this is sound legal advice, since according to Gary Rycroft, a solicitor at  Joseph A. Jones & Co. it is an increasing problem that people people order things online but sometimes they do not show up so to acknowledge receiving something “I always sign my initials, for example, so I could prove if it wasn’t me” (because, presumably, a criminal would try to fake Gary’s signature).

Untitled

Now the issue of signatures and the general use of them to authenticate customers for credit card transactions in the US has long been a source of amusement and anecdote. I am as guilty as everybody else is using the US retail purchasing experience to poke fun at the infrastructure there (with some justification, since as everybody knows the US is responsible for about a quarter of the world’s card transactions but half of the world’s card fraud) but I’ve also used it to illustrate some more general points about identity and authentication. My old friend Brett King wrote a great piece about signatures a few years ago in which he also made a more general point about authentication mechanisms for the 21st-century, referring to a UN/ICAO commissioned survey on the use of signatures in passports. A number of countries (including the UK) recommended phasing out theme-honoured practice because it was no longer deemed of practical use.

Well, signatures have gone the way of all things. In April, the US schemes stopped requiring signatures.

They were sort of defunct anyway. According to the New York Times, Walmart considers signatures “worthless” and has already stopped recording them on most transactions. Target has stopped using them too. I completely understand why, but to be honest I think I’ll miss signing for purchases in America.

Money 2020 Signature

No more signing Sergio Aquero for US credit card transactions, hello to signing Sergio Aquero for the Amazon lady who calls at my house with monotonous regularity.

If you are interested in the topic of signatures at all, there was a brilliant NPR Planet Money Podcast (Episode number 564) on the topic of signatures for payment card transactions a couple of years ago, in which the presenters asked why were we still using this pointless authentication technique.

Ronald Mann (the Colombia law professor interviewed for the show) noted that card signatures are not really about security at all but about distributing liabilities for fraudulent transactions and called signatures “eccentric relics”, a phrase I love. His point was that the system doesn’t really care whether I sign my transaction Dave Birch or Sergio Aquero: all it cares is that it can send the chargeback the right way (bank or merchant, essentially) when it comes in.

In addition to the law professor, NPR also asked a Talmudic scholar about signatures.

(The Talmud is the written version of the Jewish oral law and the rabbinic commentary on it that was completed in its current form some time in the fifth century. There are two parts to it: the oral law itself, which is known as the Mishnah, and the record of the rabbis arguing about it and what it meant, which is known as the Gemara.)

The scholar made a very interesting point about the use of these eccentric relics when he was talking about the signatures that are attached to the Jewish marriage contract, the Ketubah. He pointed out that it is the signatures of the witnesses that have the critical function, not the signatures of the participants, because of their role in dispute resolution. In the event of dispute, the signatures were used to track down the witnesses so that they can attest as to the ceremony taking place and as to who the participants were. This is echoed in that Telegraph article, where it notes that the use of signatures will continue for important documents such as wills, where a witness is required.

(The NPR show narrator made a good point about this, which is that it might make more sense for the coffee shop to get the signature of the person behind you in the line than yours, since yours is essentially ceremonial whereas the one of the person behind you has that Talmudic forensic function.)

The Talmudic scholar also mentioned in passing that according to the commentaries on the text, the wise men from 20 centuries ago also decided that all transactions deserved the same protection. It doesn’t matter whether it’s a penny or £1000, the transaction should still be witnessed in such a way as to provide the appropriate levels of protection to the participants. Predating PSD2 by some time, the Talmud says that every purchase is important and requires strong authentication.

So, my interpretation of the Talmud is that it is goodbye to contactless and goodbye to stripe and goodbye to chip and PIN and hello to strong authentication (which may be passive or active) and secure elements: we have the prospect of a common payment experience in store, on the web and in-app: you click “pay” and if it’s for a couple of quid the phone will just figure hey it’s you and authenticate, if it’s for a few quid your phone will ask you to confirm and can use your finger or your face and then if it’s for a few million quid you’ll get a callback for voice recognition and a retinal scan. The same purchase experience for everything: the cup of coffee and the pair of shoes and the plane ticket. It turns out that once again we can go back to the future in the design of our next retail payments system.

Identity is money (your money)

As you may know, the United Kingdom leads the world in digital identity infrastructure and is a beacon to the nations when it comes to the use of new technology for identification, authentication and authorisation. Just kidding of course. Here’s the identity that I used at Money 2020 in Amsterdam last week when I was asked to prove who I was at the registration desk:

Money2020 Europe 

Yes, the gold standard for identity cards, the Southern Railway photocard, issued only to qualified commuters after rigorous KYC (you give them a photo and then write your name on the card yourself).

The truth is that we don’t have a digital identity infrastructure (or in fact any other form of identity infrastructure) and the shambolic approach to identity is manifest in a daily litany of frauds, frictions and fantasies (often from the government). Here is an absolutely typical example: a nightclub is issuing its own identity cards since it can no longer rely on any of the other forms of “identification” that are in use. The nightclub manager says that the number of people presenting fake IDs is  crazy, so the nightclub is going to issue its own identity cards with a picture on them. In order to get one of these cards, customers will need to present “two forms of up-to-date official ID” (not entirely sure what this means, since there is no “official ID” in the UK) and then in order to get into the club, customers will need either one of these club cards or a passport or a driving licence.

I’ve written about this at tedious length before, but the core of the issue is that the identification mechanisms that are in use (e.g., driving licences) are impossible to validate and requiring them to be used at all actually leads to more identity fraud because the analogue artefacts employed are stolen, forged and abused in a variety of different ways stop.

Before I continue with this specific example, let me make a general point about how I think these things should work in an always on, connected world. First of all, retailers and other service providers should all have their own virtual identity, or persona, for every customer because they need to be able to communicate and connect with those customers in order to deliver better services and products. In essence, every customer should have a loyalty card. The contents of that card should be unique to each service provider and any compromise of it should not lead to compromise with other service providers. In a digital identity world, this sort of thing is straightforward. You present a virtual identity from an organisation that is acceptable to the nightclub (e.g., a bank) and they send you back another virtual identity that contains things of relevance to the nightclub, such as your customer number and preferences.

In the virtual world, this makes sense because your mobile phone can store millions or billions of loyalty cards. In the “real” world, it will be really annoying to carry around thousands of loyalty cards with you wherever you go, but when those loyalty cards are (essentially) public key certificates then there is no problem.

So let’s go back to the nightclub and see how they might progress on a digital world, by creating a loyalty card based on digital identity infrastructure. Doing things this way has three distinct advantages. First of all, if you are a nightclub then your bar staff may well not be at MI5 levels when it comes to spotting a fake Romanian passport but they might be able to spot a fake version of your nightclub identity. (In practice, of course, they wouldn’t have to because the validity of the card will be checked by their phones). Secondly, by giving every customer loyalty card you are able to interact with them securely (in technical terms you can always send messages encrypted to that persona). Finally, as the nightclub manager himself notes, “we can also ban people and remove the card at our discretion, giving us more control and creating a safer environment”.

On a commercial note. you might wonder why organisations that already spend a lot of money on working out who people are (e.g., banks) don’t take this sunk cost and transform it into a revenue stream. I’ve more than once been told by a bank that there is no business for providing ID as a service to business customers, when clearly this nightclub (to pick just one example) is perfectly prepared to spend money on creating its own identity service when I’m sure the management would much rather that their efforts be directed towards running a nightclub.

Banks should be looking forwards by creating a digital identity infrastructure and then selling products and services based on the infrastructure to, for example, nightclubs. That way, the nightclubs could produce their own branded app (by adding a skin to a generic multi-bank identity app, for example) and pay the bank a pound to testify to the age of the holder rather than waste money having to do it for themselves.

Amazon bank no, Amazon neo-bank maybe

A while back, the Wall Street Journal ran a story about Amazon being in talks with major banks, including JP Morgan, about building what the Journal referred to as a “checking-account-like” product. This set off a storm of speculation about Amazon moving into the banking business, despite the obvious fact that you don’t need to be a bank to offer such a product.

One of the main reasons for the speculation growing was that consumers seem warm to the idea. Almost half of US consumers surveyed said that were “open” to the idea of Amazon as the provider of their primary bank account (according to LendEDU) which may seem surprising but I think is a reflection on consumer experiences of Amazon in practice. Yesterday I ordered some bottles of sparkling water and some bottles of Coke from Amazon, this morning they showed up. From the time I hit the “buy” button on Amazon I never gave the transactions a moment’s thought. It just works. Some commentators therefore began talking about Amazon becoming a bank. Any why not? They’ve become a book shop! I went into the Amazon store in Austin, Texas, just to buy a physical book from them because I could!

 Amazon

I don’t think they will, though. Why don’t I think Amazon will be a bank? Because, as was said in The Street, “I don’t think Amazon wants to be a bank in the way that JPMorgan is a bank”. Amazon just does not make money the way that banks make money. Look at their existing partnership with Bank of America to lend money to merchants. Amazon don’t care about making some small margin from interest payments, they care about helping merchants to increase Amazon’s overall sales.

If Amazon is going to distribute financial services but not be a bank, then what will it be? I think it’s time for another review of terminology and I’ve got a couple of suggestions. Let’s standardise this way: a “neo-bank” is something that looks like bank, but isn’t (eg, my Simple account when I first got it and before they were taken over by BBVA, which is an actual bank), whereas a “near-bank” is something that performs a function traditionally associated with banks but isn’t a bank and doesn’t look like a bank (eg, Transferwise). In this framework, Amazon would probably become a Neo-bank.

The neo-bank is not a new idea, by the way. In 1997, I wrote, with Consult Hyperion colleague Mike Young, an article for Internet Research (Volume 7, Number 2, p.120-128) called “Financial Services and the Internet”. In that article we wrote about the potential for the new technology to assemble a banking service depending on the customers’ needs explaining how the new infrastructure would allow customers to build their own financial services “with the underlying best-of-breed products originating from a wide range of suppliers” which the manufacturers of financial services (eg, banks) would “retreat to a small range of products that build on core competencies, but supplied to a global market”. Amazon is precisely the kind of organisation that can take these products (eg, unsecured personal credit) to that market.

In Europe, there is nothing that the banks can do to stop Amazon from becoming a neo-bank. PSD2 means that bank customers will give Amazon permission to access their bank accounts, at which point Amazon will become the interface between the customer and financial services. I’ve no reason to doubt Amazon’s potential for success if they go down this route. Time for some thought experiment scenario planning…

So…

If Amazon were to provide something that looks like a checking account but is actually a prepaid account of some kind (as my Simple account was), would people use it? I think the answer to this is a resounding yes, especially if Amazon offer the usual array of discounts or cashback to go with it. They have plenty of margin to trade for data. Look at their credit card that gives you 5% back at Whole Foods, for example. If Starbucks can sit on a a billion (plus) in float just from people buying coffee, imagine the float that Amazon could sit on from people buying… well, everything.

So…

If people begin holding $$$ in Amazon float that gives them a 2% discount on stuff instead of holding $$$ in a bank account that gives them a 0.2% interest rate, funds will begin to drain away from demand deposits pretty damn quickly. Now imagine how quickly that might happen in Europe, where Amazon can use PSD2 to get direct access to customer bank accounts in order to instruct credit transfers to load to Amazon accounts automatically, something like their US Amazon Cash service but using modern electronic instant payments transistors and laser beams instead of Federal Reserve bills. It could be seriously big business.

The token Saga

As I explained to the Financial Services Club in London recently, I have a theory that while Bitcoin isn’t the future of money, tokens might well be. In case you are interested, here’s the deck I presented to them: it’s in three parts, first of all a high-level explanation of what tokens are, then a discussion about using tokens to implement money and finally a model to help facilitate discussion around these topics.

 

Of course, I’m not the only one who thinks that the financial services mainstream should be developing their token strategies. At Money2020 Asia in Singapore I had the privilege of interviewing Jonathan Larsen, Corporate Venture Capital Manager at Ping An and CEO of their Global Voyager Fund (which has a $billion or so under management). Jonathan has already forgotten more than I will ever know about financial markets and as he is also Chief Innovation Officer at Ping An (and a very nice guy too), I take his views very seriously. When I put to him that the tokenisation of assets will be a revolution, he said that “tokenisation is a really massive trend… a much bigger story than cryptocurrencies, initial coin offerings (ICOs), and even blockchain”.

Dave Birch and Jonathan Larsen

 

Photo courtesy of Fintechcowboys.cz

He went on to say that he had no doubt about the potential for tokenisation to “reduce friction across every asset class and to create fractionalization of assets where it does not exist today”. In fact, and I paraphrase only slightly here, he said that when the token market is properly regulated and the technology is stable then everything will be tokenised.

Wow.

Why do people like Jonathan (as opposed to techno-deterministic utopians such as myself) think that tokens are such a big deal? I think it’s because tokens are the first viable implementation of the 1990s dream of digital bearer instruments with the “code is law” (sort of) management infrastructure. They allow for the exchange of assets in an auto-DvP (delivery versus payment) mode with no clearing or settlement which means for efficient, liquid markets.

Now, one of the first steps towards a regulated token market has come the Swiss regulators (who are important because of the Zug “crypto valley” that has become the home of many token plays). The regulator there, FINMA, has developed an approach based on the underlying purpose of the tokens that are created. FINMA categorises tokens into three types: Payment tokens (ie, money), Utility tokens (tokens which are intended to provide digital access to an application or service) and Asset tokens (which represent assets such as stakes in companies or an entitlement to dividends). Of course, hybrid forms are possible and in practice there are likely to be a few different configurations. One good way to think about this, I think, is to think in terms of combinations of these token types as a means to implement the “digital bearer instrument” (DBI) that has long been seen as the basis of the post-internet, post-crypto financial marketplace.

DBI Schema

 

 

This is a realistic vision of the future. DBIs as a synthetic instrument comprising regulated tokens, DBI trading that operates without clearing and settlement on shared ledgers and shared ledgers with ambient accountability to create marketplaces that are not only more efficient but better for society as a whole. I touched on this in my talk at the FS Club but then went on to focus on the specific implications for digital money, as it is interesting to speculate what digital money created this way might look like.

We might, for example, imagine that for tokens to be used as money in the mass market they should be much less volatile than cryptocurrencies have been to date. Hence the notion of “stablecoins” that are linked to something off-ledger. An example of this category is the “Saga” coin (SGA). SGA has some pretty heavyweight backers, including Jacob Frenkel, chairman of JPMorgan Chase International, Nobel prize winner Myron Scholes and Emin Gün Sirer, co-director at the Initiative for Cryptocurrencies and Smart Contracts at Cornell University, so it deserves a look. This is a non-anonymous payment token that is backed by a variable fractional reserve anchored in the IMF’s special drawing right (SDR) basket of currencies which, as the FT pointed out, is heavily weighted in US dollars. These reserves will be deposited with regulated banks through algorithms in the underlying smart contract system.

It seems to me that initiatives such as Saga are more representative of the future of money than cryptocurrencies such as Bitcoin, but even they represent only part of the spectrum of possibilities that will extend across many forms of tokens. As I wrote last year, in “Bitcoin isn’t the future of money, but tokens might well be”, tokens won’t only be issued by companies, of course. It seems to me that tokens that implement the values of communities (and, because they are “smart”, can enforce them) may come to dominate the transactional space (think of the Islamic e-Dinar and the London Groat). 

Banks and digital IDs*

In CapGemini’s “Top 10 Trends in Retail Banking 2018”, they highlight “banks leveraging digital IDs beyond authentication” as their third most important trend. As it happens, I was talking about this earlier in the week in Trondheim at Betalingsformidling 2018, where I was asked to give a talk about the open banking era and the potential responses from incumbent banks.

Trondheim 2018

Photo: Betalingsformidling 2018 / Wil Lee-Wright Photography.

Now, I suppose that to a great many of you this really won’t be any surprise, since anybody who thinks about the mechanics of commerce in a connected age must already have come to the conclusion that digital identity is core to the new economy. That’s a superficial and almost trivial point to make, but it masks great complexity because choices that are being made right now about how digital identity is going to work in the future will have a profound impact on the shape and nature of all of society.

Of course, I don’t what identity is going to look like in the future any more than anybody else does (even if I do flatter myself that I’ve made some reasonably well-informed guesses on the topic) but I do think we ought to apply a kind of precautionary principle here. Since we don’t know how digital identity going to work, surely we should want it do develop under the auspices of institutions that society can constrain and influence. This is why I’m so convinced that banks should be the institutions to play the leading role as we evolve the tools, techniques and even the etiquette of a reputation economy.

An obvious first step, and one that has been apparent for many years, is to federate bank identity so that it can be used in multiple places. We have many years of experience now and have seen how schemes ranging from bank ID in the Nordics to Aadhar in India (and our own dear gov.verify) have performed in practice so we can make some informed decisions about how digital identity ought to work. We shouldn’t start from the technology, from blockchains and biometrics, and then work backwards to see what the technologists will allow us to have or what corporations will impose given the technological constraints of the day. Right now we should be discussing what society wants from a digital identities and then working out what the best way to implement them might be.

To do this, we need a model that can help banks, regulators, service providers and suppliers communicate and connect so that they can develop concepts and propositions to make some form of bank-centric, potentially cross-border, privacy-enhancing, secure “Financial ID” a reality.

3DID Basic Colour ID Taxnomy Picture

Let’s start with the basic “three domain identity” (3DID) model to create a straightforward framework for understanding and discussing digital identity. Now let’s look at a real example of bank doing some interesting work in this field. BBVA, for example, use this kind of model to map “real”, virtual and digital identities to identification, authentication and authorisation processes. BBVA describe the domains as follows (I’ve added my interpretation of what they mean with reference to a standard Public Key Cryprography, or PKC, implementation):

  • Identification: definition of the attributes that confirm, beyond any shadow of a doubt, that the user is who they say they are and not someone different pretending to be them. BBVA mean this in terms of Know-Your-Customer (KYC) of course, so what this means in practice is that the private key must be bound to the correct individual(s).

  • Authentication: verification through credentials that the user is the customer they say they are (username and password, OTP, digital certificates and others).  Obviously with PSD2 this means implementation of some form of 2FA to comply with the RTS on SCA.

  • Authorization: the financial service providers (TPP) with a license to operate must be given authorization by the customers before they can access their accounts. They need to have proof of consent, which can be obtained through access tokens. I would generalise this point away from banking, as per the CapGemini comments, to talk about tokens for access to a wider range of services than simply bank accounts.

Earlier this week I posted about digital identities (as opposed to digitised identities) and made the point that we are interested in electronic transactions, transactions that take place between virtual identities (that is, identities that exist only in the imagination of computers) we are primarily interested in the Authorisation Domain. I’ll come back to this in a moment, but for now let us assume that that Authentication Domain is essentially a solved problem and we don’t need to come back it in this discussion. My assumption is, that banks have strong authentication in place and that they use appropriate standards (eg, FIDO) so that they have device independence. In practical terms, in the world as it is now, this means that I can authenticate my bank Digital Identity (that is, I can demonstrate ownership of that private key) using any smartphone.

The problem then all comes to down standardisation and mutual recognition of credentials in the Authorisation Domain. Let’s take a simple example has been discussed many times recently: IS_OVER_18. Suppose I want to log on and join a Wine Club. The wine club needs to know that I am over 18, so it wants to see a virtual identity that includes the IS_OVER_18 credential (that is, an IS_OVER_18 attribute digitally-signed by someone that the Wine Club trusts – and by “trusts” I of course mean “can take legal action against and recover damages from if the credential is incorrect). The Wine Club would obviously trust banks, so this should be straightforward: provided that we have standardised the Virtual Identity (an X.509 certificate, for example, or an Evernym DID) and that we have standardised the attribute (let’s assume there is an XML dictionary somewhere that defines IS_OVER_18) and that can can recognise the digital signature from an organisation that is on our list of trusted organisations.

As I pointed out in Trondheim, this is a way for banks to participate in transactions, providing a useful service that is unrelated to payments or transaction fees. I, of course, understand that this means it will take sector-wide progress in the Identification Domain, practical implementation in the Authentication Domain and some commitment and co-ordination to get a working set of services in the Authorisation Domain. My question is why haven’t banks taken on board what Cap Gemini said in their report (and I’ve been saying with exhausting repetition for more than a decade) to come together to create the standards and definitions to move forward?

Or, to put it another way, where is the MasterCard or Visa for identity (and is it MasterCard or Visa?).

To the Mooooooooon!

 

I’ll be testing my assumptions and asking these kinds of questions in Singapore at Money2020 Asia, by the way, as I’m chairing the session on Exploring Digital Identities on 15th March and welcoming some old and very well-informed friends – including Victoria Richardson from AusPayNet, Shamir Karkal from Omidyar, Teppo Pavlova from BBVA and Andy Tobin from Evernym – who will help me open up the topic for the audience. Do come along to “The Moon” at 11am and join us.

* Again.

Noted author talks fraud at Royal Institution

What a piece of luck! I was giving a talk at the CallCredit Fraud Summit at the Royal institution in London and I chose to talk about just how broken our identity infrastructure is. Hardly an original theme, but one that is worth amplifying. As Chris Green (CCO at Call Credit) noted in his introduction to the event, identity fraud is heading towards £200 billion per annum and identity theft is an epidemic.

Pretty bad. Worse still, it looks to me as if no one knows what to do about this, particularly the Government. Given that the Social Market Foundation (SMF) had just issued their report “A Verifiable Success — The future of identity in the UK” (August 2017) which noted that identity verification processes in the UK have not kept up with either technological or social change and says that “the case for change is founded on the dramatic increase in identity fraud, the inconvenience of identity verification and the correlation with social (and therefore financial) exclusion”, I thought I’d talk about how to actually do something about identity in the mass market.

RI

I illustrated the point about just how unsuited our ramshackle infrastructure is with the example of spies, referring to last year’s Financial Times interview with Alex Younger (“C”,  the head of MI6 which is James Bond’s department of the British intelligence services) who explained just how hard it is to be a spy these days. In the old days, it was easy. Just grab a fake passport out of the draw and off you go. But, as the chief spy pointed out, today social media means that it is far more difficult to create a plausible alter ego. Sure, it’s easy to create a fake social media account. It’s easy, but not very useful to a spy. To be plausible, a fake identity needs a reputation. Reputation, unlike identity, is hard to fake. It has a time component. It takes years to build up a reputation that will stand up to scrutiny! If you wanted to pretend to be someone now, you would have to have started building the fake LinkedIn profile a decade ago. The point is that it’s hard for James Bond to pretend to be me, but seemingly easy for me to pretend to be a James Bond on internet dating sites. This is a fun and interesting way to think about some of the issues around identity and I think the audience liked it!

So what was the piece of luck I referred to at the beginning? Well, I turned up at the event, along with the bestselling author (and former politician) Lord Jeffrey Archer. As we had some time spare, I thought I would be helpful and give Jeffrey a few tips on writing books, having just published one myself.

RI

 

 I think Jeffrey really appreciated my hints and suggestions but unfortunately had to leave for an urgent meeting so I wasn’t able to go into too much detail with him. Before my talk I went off to grab a cup of coffee and picked up the day’s Times to read. It had the very perfect story for me featured prominently. Hence I was able to whip out a copy of the day’s Times and wave it around to great effect at the appropriate point in my presentation!

RI

The point that I was making, of course, is that identity is not just broken but optimally broken, in that it helps the bad guys but not the good guys. We need someone to stop forward with a vision for a better identity future! Where is this person! I heard the Minister for Digital Stuff (this may not be his exact title) talking on BBC radio a few weeks ago in a report on the government’s introduction of mandatory age verification for adult sites. When asked how members of the public could gain access to adult services, the Minister said that people could use credit cards (which is a terrible idea, see for example Ashley Madison) or show their passport to adult sites (which is an even worse idea). I confidently predict that the widespread adoption of either of these solutions will push identity theft even higher.

So why is identity not fixed yet?

As I tried to persuade the audience, if we are going to make any progress we need to have a very different mental model of what identity is. Not some Victorian notion of identity as an index card in a filing cabinet but as the cornerstone of digital relationships and therefore reputation in an online world. We need to develop the strategy based on digital identity, the bridge between the real and virtual worlds. I explain this using the three domain model, as shown on the slide below, and hopefully demonstrated just how powerful this view of identity is.

3DID Basic Colour

 

We need to move our transactions into the authorisation domain as soon as possible. Let’s go back to example in the newspaper to see why. Imagine I go to the dating site and create an account. As part of this process, the dating site asks me to log in via my bank account. At this point it bounces me to my bank where I carry out the appropriate two factor authentication to establish my identity to the bank’s satisfaction. The bank then returns an appropriate cryptographic token to the Internet dating site, which tells them that I am over 18, resident in the UK and that I have funds available for them to bill against. In this example my real identity is safely locked up back in the bank vault but it has been bound to a virtual identity which I can use for online interactions. So my Internet dating persona contains no Personally Identifiable Information (PII), but if I use that persona to get up to no good then the dating sites can provide the token to the police, the police can see that the token comes from Barclays and Barclays will tell them that it belongs to Dave Birch. This seems to me a very appropriate distribution of responsibilities. When the Internet dating site gets hacked, as they inevitably do, all the criminals will obtain is a meaningless token: they have no idea who it belongs to and Barclays won’t tell them.

One of the key attractions of this architecture, and I’m sure that I am not the only person who thinks this, is that it gives an expectation of redress in the event of inevitable failure. Things always go wrong. What’s important is what the structures, mechanisms and processes for dealing with those failures is. If some fraudsters take over my bank account and use my identity to create a fake profile on a dating site, then I’d expect the bank to have mechanisms in place to revoke the tokens and inform both the dating site and me that such revocations have taken place without disclosing any PII.

This is important because PII is in essence a kind of toxic waste that no companies really want to deal with unless they absolutely have to. Under the new provisions of the General Data Protection Regulation (GDPR), the potential fines for disclosing personal information without the consent of the data subject are astronomical. Hence the complete cycle needs to be thought through because it will be crazy to have an infrastructure that protects my personal data when the system is operating normally but gives it up when the system fails, or when we attempt recovery from failure.

Digital identity gives us a vision of how to do this in our new online world. It is how we keep our real identity safe and sound while we explore the online world in safety using our virtual identities. A huge thank you to Call Credit for asking me along to share this vision with their audience.

The Taylor report is right: we should get cash out of the “gig economy”

The Taylor Report was released today. It’s a report about the “gig economy” and contains a number of proposals for reform in the labour market to modernise the various systems (e.g., tax and benefits) and improve the lot of workers. I don’t propose to comment on any of those proposals, also having recently entered the gig economy myself, I can attest to both benefits and annoyances, but I do want to comment on one point made by the report that was picked up in the media. 

Cash-in-hand payments to builders, window cleaners, plumbers and other trades people should be discouraged through a technology revolution to collect up to £6 billion more in tax, a Government-commissioned review urged today.

From Abolishing cash-in-hand jobs ‘would raise £6bn in tax and benefit workers’ | London Evening Standard

The report notes, entirely correctly, that allowing people to exist in a cash-in-hand economy is not only bad for them (because law-abiding employers get undercut) but that it is bad for the rest of us too. Here’s a short extract from my new book Before Babylon, Beyond Bitcoin on this point:

Professor Charles Goodhart (London School of Economics) and Jonathan Ashworth (UK economist at Morgan Stanley) have studied the subject in some detail. They note that the ratio of currency to GDP in the UK has been rising (as you will recall from Figure 7) and argue that the rapid growth in the shadow economy has been a key cause. In their detailed examination of the statistics, the authors make a clear distinction between the “black economy” (e.g., drug dealing and money laundering) and the “grey economy” of activities that are legal but unreported in order to evade taxation. When your builder offers you a discount for cash and you pay him, you are participating in the grey economy. When your builder offers you crystal meth and you pay him, you are participating in the black economy. They define a total “shadow economy” as the sum of the black and grey economies.

…Two rather obvious factors that do seem to support the shape of the Sterling cash curve are the increase in VAT to 20% and the continuing rise in self-employment, both of which serve to reinforce the contribution of cash to the shadow economy. The Bank say that there is “limited research to confirm the extent of cash held for use in the shadow economy”, but Charles and Jonathan make a reasonable estimate that the shadow economy in the UK could have expanded by around 3% of UK GDP since the beginning of the current financial crisis.

…According to Tax Justice UK, that expansion means that there were £100 billion in sales not declared to UK tax authorities that meant a tax loss of £40 billion in 2011/12 and that will rise to more than £47 billion this year. The IMF have noted that while Her Majesty’s Revenue and Customs (HMRC) is not good at estimating losses outside the declared tax system, which is why their latest estimates for the tax gap are low at £33 billion for 2011/12. And while we all read about Starbucks and Google and other large corporates engaging in (entirely legal) tax avoidance, half of all tax evasion is down to SMEs and a further quarter down to individuals (according to HMRC).  There are an awful lot of people not paying tax and simple calculations will show that the tax gap that can be attributed to cash is vastly greater than the seigniorage earned by the Bank on the note issue. Cash makes the government (i.e. us) considerably worse off.

The suggestion made in the Taylor report should be uncontroversial. However, there are people out there who think that forcing law-abiding persons such as myself to subsidise money launderers, drug dealers and corrupt politicians is a reasonable price to pay because the alternative is unpalatable.

In a world without cash, every payment you make will be traceable.

From Why we should fear a cashless world | Dominic Frisby | Opinion | The Guardian

My old friend Dominic Frisby is of course, completely mistaken about this.  Whether the electronic money in your pocket is completely traceable, completely untraceable, or somewhere in between, is a design decision. As I point out in my new book (did I mention that I had a new book out?) where exactly that dial is set between anarchy and totalitarianism is something that our elected representatives should decide and then ask technologists to deliver. This is subject that I know a rather a lot about and so I can assure you that the technology that we already have is perfectly capable of delivering electronic money anywhere on that spectrum.

My own prediction is based on William Gibson’s prediction in the pages of Count Zero. There, one of the characters in this future fiction notes in passing that “it wasn’t actually illegal to have [cash], it was just that nobody ever did anything legitimate with it”. Therefore I expect to see a variety of different kinds of anonymous electronic value transfer systems that are used to deliver pseudonymous electronic money systems and I expect some of those pseudonymous electronic money systems to be used by banks and others to deliver the special case of wholly traceable payment systems.

That, however, isn’t the point of this post. The point that I want to make is that we need an intelligent and informed debate on what we want to replace cash, since it’s going to happen. It should be society that determines how it wants electronic money to work. Whether cash is going to burn out or fade away, we should be planning its 21st-century replacement now. It’s an interesting question to ask whether that means Bank of England Bitcoins or not!

Csfi jun audience

On which topic I was invited along to take part in the CSFI roundtable on “‘Formal’ digital cash: The currencies of the future?” with Ben Dyson from the Bank of England and Hugh Halford-Thompson of BTL Group last month. The event, held at the London Capital Club, was hugely oversubscribed, which I took to be evidence of renewed City interest in the general topic of digital cash and the specific topic of digital currency.

My good friend Andrew Hilton, long-standing captain of the good ship CSFI, framed the discussion in his invitation ask the basic “what if”. “What if some central bank issued a digital coin that was as widely accepted as a bank note? Or, if not a central bank, what if a group of banks or payments operators issued a similar digital coin?”.

For me, the roundtable was both an opportunity to plug my new book (did I mention that I have a new book out by the way?) and an opportunity to learn in the best possible way: by answering hard questions from smart people. I won’t attempt to summarise the discussion here except to say that there seems to be a lot of confusion about what form a central bank currency might take and it wasn’t limited to the people in the room.

“Such risks could be reduced if central banks offer digital national currencies, which the IMF defines as a ‘widely available DLT-based representation of fiat money’.”

IMF urges central banks to study digital currencies | afr.com

Now, why the IMF would define digital national currencies this way is unclear. A national digital currency, or e-fiat for short, may be implemented in any number of different ways. A “widely-available DLT-based representation” would be only one such option and even then it is not entirely clear what “DLT-based” actually means in this context. For that matter, it is not entirely clear what “DLT” means in this context either.

It’s important to separate the topics to move the conversation along: do we need e-fiat and if we do, then how should it work? To the first point I think the answer is probably yes. To the second point, the answer is “well, it depends”. It depends on what we want the e-fiat to do. Should it deliver anonymity or privacy, for example. Should it work like M-PESA or Bitcoin? That’s a fun discussion. How much would it cost to set up “Bank of England PESA”? It wouldn’t even have 100m accounts and Facebook has a couple of billion. If they were to look at some form of shared ledger solution, where copies of the “national ledger” are maintain by regulated financial institutions (e.g., banks – whereby taking part in the consensus-forming process would be a condition of a banking licence) and the entries in those ledgers related to transfers between pseudonymous accounts (i.e., your bank would know who you are but the central bank, other banks and auditors would not) then it would be a permissioned ledger (without proof of work) that could work pretty efficiently. Either way, my point is that it’s doable, so we ought to do it. 

 

After the euro, the digital euro

Hello. It looks as if the number of currencies in the world is set to go up again. Across the English Channel, satisfaction with supra-national monetary arrangements is waning.

[Marine le Pen] said she could see the EU setting up another currency like the ECU, or European Currency Unit, which the bloc used for internal accounting purposes before the euro was introduced in 1999.

From China Media Warn Trump of ‘Big Sticks’ If He Seeks Trade War

Now, younger readers may be unfamiliar with the ECU, but I’ve written about it more than once on this blog. The idea of restoring the Franc while simultaneously creating a new pan-European currency actually makes sense and I’m rather in favour of it. Which makes we wonder how she got hold of the draft manuscript for my forthcoming book “Before Babylon, Beyond Bitcoin: From Money We Understand to Money That Understands Us” that the good people at the London Publishing Partnership have agreed to publish in June? Oh well, since the cat is out of the bag, I may as well give you a sneak preview…

I remember hearing the Chancellor of the Exchequer talking on the radio during the great financial crisis. He referred to the difficulties of currency union and spoke about the problems in Ireland, Greece, Portugal and Cyprus. He spoke about the problems of maintaining monetary policy across currency unions between economies with different fundamentals. All true. But he didn’t explain why this is different for the UK. How is the insanity of trying to maintain a currency union between Germany, Luxembourg and Greece any different to the insanity of trying to maintain a currency union between England, Wales and Scotland? The fact that they are in a political union does not alter the facts on the ground: they have fundamentally different economies. The Chancellor was arguing that if Scotland opted for independence, it would be impossible to maintain a currency union between England and Scotland. But surely that is true now! The best monetary policy for England is not necessarily the best monetary policy for Scotland, and technology means that what was optimal for commerce at the time of the Napoleonic Wars may no longer best for the modern economy.

If the argument for currency union is only about transaction costs within economic zones, then former Chancellor of the Exchequer John Major set out a potential way forward in 1990 (although the idea dates from 1983) with his alternative to the euro, which was at the time was labelled the “hard ECU”. The ECU was the “European Currency Unit”, a unit of account set using a basket of currencies, that was intended to help international business by minimising foreign exchange fluctuations. Major’s idea for the hard ECU was a fully-fledged currency with a “no devaluation” guarantee (Hasse and Koch 1991). Whereas the ECU reflected the weighted average of inflation rates in the countries concerned, the hard ECU would be linked to the strongest currency (which would have been the Deutschmark, of course). This guarantee would be backed by a commitment from participating central to buy back their own currency or make good exchange losses in the event of devaluations.

Imagine what that kind of parallel currency might look like today. It would be an electronic currency that would never exist in physical form but still be legal tender (put to one side what that means in practice) in all EU member states. Thus, businesses could keep accounts in hard ECUs, even in a post-EU England, and trade them cross-border with minimal transaction costs. Tourists could have hard ECU payment cards that they could use through the Union without penalty and so on. But each state would continue with its own national currency (you would still able use Sterling notes and coins in British shops) and the cost of replacing them would have been saved.

The reason for doing this is to minimise the costs of doing business across Europe while giving each country control over its own currency. But the more general point that I want to make is that the advance of technology gives us new choices in the way that money works. The way that money works now is not a law of physics: it is a set of institutional arrangements that could be changed at any time. Thus, if anything, Ms. le Pen is not being radical at all. Why have nation-state control over money? Why not allow regions to have their own currencies? Why not use Google Money? Or Islamic e-Dinars?

I’m not the only one who thinks this, by the way. Check this out from “The Futurist Magazine” in September 2012, where as part of a compilation of pieces envisioning life in 2100, the article asks if we will still have money in 2100, and speculates on what form it may take if we do:

It is quite likely that we will still have money in 2100, but it may not be issued by governments any longer.

[From European Futures Observatory]

I couldn’t agree more. But if not governments, then who? One of the things I discuss in my book is my “5Cs” model for thinking about future issuers: central banks, commercial banks, companies, cryptography and communities. My good friend Rob Allen from PwC was kind enough to use this model in Sydney this week and, frankly, if people like Rob are taking it seriously then I know I’m on the right track.

It’s time to start thinking about the future of money and not just because I have a book about it coming out in June (did I mention that before?) but because the current industrial age monetary arrangements do not support the post-industrial economy.