Banks and digital IDs*

In CapGemini’s “Top 10 Trends in Retail Banking 2018”, they highlight “banks leveraging digital IDs beyond authentication” as their third most important trend. As it happens, I was talking about this earlier in the week in Trondheim at Betalingsformidling 2018, where I was asked to give a talk about the open banking era and the potential responses from incumbent banks.

Trondheim 2018

Photo: Betalingsformidling 2018 / Wil Lee-Wright Photography.

Now, I suppose that to a great many of you this really won’t be any surprise, since anybody who thinks about the mechanics of commerce in a connected age must already have come to the conclusion that digital identity is core to the new economy. That’s a superficial and almost trivial point to make, but it masks great complexity because choices that are being made right now about how digital identity is going to work in the future will have a profound impact on the shape and nature of all of society.

Of course, I don’t know what identity is going to look like in the future any more than anybody else does (even if I do flatter myself that I’ve made some reasonably well-informed guesses on the topic) but I do think we ought to apply a kind of precautionary principle here. Since we don’t know how digital identity is going to work, surely we should want it to develop under the auspices of institutions that society can constrain and influence. This is why I’m so convinced that banks should be the institutions to play the leading role as we evolve the tools, techniques and even the etiquette of a reputation economy.

An obvious first step, and one that has been apparent for many years, is to federate bank identity so that it can be used in multiple places. We have many years of experience now and have seen how schemes ranging from BankID in the Nordics to Aadhaar in India (and our own dear GOV.UK Verify) have performed in practice, so we can make some informed decisions about how digital identity ought to work. We shouldn’t start from the technology, from blockchains and biometrics, and then work backwards to see what the technologists will allow us to have or what corporations will impose given the technological constraints of the day. Right now we should be discussing what society wants from digital identities and then working out what the best way to implement them might be.

To do this, we need a model that can help banks, regulators, service providers and suppliers communicate and connect so that they can develop concepts and propositions to make some form of bank-centric, potentially cross-border, privacy-enhancing, secure “Financial ID” a reality.

3DID Basic Colour ID Taxonomy Picture

Let’s start with the basic “three domain identity” (3DID) model to create a straightforward framework for understanding and discussing digital identity, and then look at a real example of a bank doing some interesting work in this field. BBVA, for example, use this kind of model to map “real”, virtual and digital identities to identification, authentication and authorisation processes. BBVA describe the domains as follows (I’ve added my interpretation of what they mean with reference to a standard Public Key Cryptography, or PKC, implementation):

  • Identification: definition of the attributes that confirm, beyond any shadow of a doubt, that the user is who they say they are and not someone different pretending to be them. BBVA mean this in terms of Know-Your-Customer (KYC) of course, so what this means in practice is that the private key must be bound to the correct individual(s).

  • Authentication: verification through credentials that the user is the customer they say they are (username and password, OTP, digital certificates and others). Obviously with PSD2 this means implementation of some form of 2FA to comply with the RTS on SCA.

  • Authorization: the financial service providers (TPP) with a license to operate must be given authorization by the customers before they can access their accounts. They need to have proof of consent, which can be obtained through access tokens. I would generalise this point away from banking, as per the CapGemini comments, to talk about tokens for access to a wider range of services than simply bank accounts.

Earlier this week I posted about digital identities (as opposed to digitised identities) and made the point that, since we are interested in electronic transactions, transactions that take place between virtual identities (that is, identities that exist only in the imagination of computers), we are primarily interested in the Authorisation Domain. I’ll come back to this in a moment, but for now let us assume that the Authentication Domain is essentially a solved problem and we don’t need to come back to it in this discussion. My assumption is that banks have strong authentication in place and that they use appropriate standards (eg, FIDO) so that they have device independence. In practical terms, in the world as it is now, this means that I can authenticate my bank Digital Identity (that is, I can demonstrate ownership of that private key) using any smartphone.

The problem then all comes down to standardisation and mutual recognition of credentials in the Authorisation Domain. Let’s take a simple example that has been discussed many times recently: IS_OVER_18. Suppose I want to log on and join a Wine Club. The wine club needs to know that I am over 18, so it wants to see a virtual identity that includes the IS_OVER_18 credential (that is, an IS_OVER_18 attribute digitally signed by someone that the Wine Club trusts – and by “trusts” I of course mean “can take legal action against and recover damages from if the credential is incorrect”). The Wine Club would obviously trust banks, so this should be straightforward, provided that we have standardised the Virtual Identity (an X.509 certificate, for example, or an Evernym DID), that we have standardised the attribute (let’s assume there is an XML dictionary somewhere that defines IS_OVER_18) and that we can recognise the digital signature from an organisation that is on our list of trusted organisations.
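As an added illustration (not code from the post, BBVA or Evernym), here is the Wine Club check in Go: the bank signs an IS_OVER_18 attribute bound to the customer’s key, and the relying party accepts it only if the issuer is on its trust list, the signature verifies, and the presenter proves possession of that key by signing a fresh challenge. Ed25519 and JSON stand in for the X.509/DID format and the XML dictionary mentioned above; the issuer name and challenge value are constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"fmt"
)

// Credential is a constructed stand-in for the post's standardised virtual identity: one attribute,
// bound to the holder's public key, signed by the issuing bank (which did the KYC).
type Credential struct {
	Issuer    string `json:"issuer"`    // constructed issuer name, e.g. "bank-a"
	Holder    []byte `json:"holder"`    // holder's Ed25519 public key (the KYC-bound key)
	Attribute string `json:"attribute"` // e.g. IS_OVER_18
	Value     bool   `json:"value"`
	Signature []byte `json:"signature"` // issuer's signature over the other fields
}

// payload is the canonical byte string that gets signed (Signature zeroed first).
func (c Credential) payload() []byte {
	c.Signature = nil
	b, _ := json.Marshal(c)
	return b
}

// Issue: the bank signs an attribute about the holder's key (Identification domain output).
func Issue(issuer string, key ed25519.PrivateKey, holder ed25519.PublicKey, attr string, val bool) Credential {
	c := Credential{Issuer: issuer, Holder: holder, Attribute: attr, Value: val}
	c.Signature = ed25519.Sign(key, c.payload())
	return c
}

// Accept is the relying party's check: issuer on its trust list, signature valid, attribute as
// required, and the presenter proves possession of the holder key by signing a fresh challenge.
func Accept(c Credential, trusted map[string]ed25519.PublicKey, attr string, challenge, proof []byte) bool {
	issuerKey, ok := trusted[c.Issuer]
	if !ok || c.Attribute != attr || !c.Value || len(c.Holder) != ed25519.PublicKeySize {
		return false
	}
	if !ed25519.Verify(issuerKey, c.payload(), c.Signature) {
		return false // forged, or tampered after issue
	}
	return ed25519.Verify(ed25519.PublicKey(c.Holder), challenge, proof)
}

func main() {
	bankPub, bankPriv, _ := ed25519.GenerateKey(rand.Reader)
	holderPub, holderPriv, _ := ed25519.GenerateKey(rand.Reader)
	c := Issue("bank-a", bankPriv, holderPub, "IS_OVER_18", true)
	challenge := []byte("wine-club-nonce-0001") // constructed; fresh per session in practice
	proof := ed25519.Sign(holderPriv, challenge)
	fmt.Println(Accept(c, map[string]ed25519.PublicKey{"bank-a": bankPub}, "IS_OVER_18", challenge, proof))
}
```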

As I pointed out in Trondheim, this is a way for banks to participate in transactions, providing a useful service that is unrelated to payments or transaction fees. I, of course, understand that this means it will take sector-wide progress in the Identification Domain, practical implementation in the Authentication Domain and some commitment and co-ordination to get a working set of services in the Authorisation Domain. My question is why haven’t banks taken on board what Cap Gemini said in their report (and I’ve been saying with exhausting repetition for more than a decade) to come together to create the standards and definitions to move forward?

Or, to put it another way, where is the MasterCard or Visa for identity (and is it MasterCard or Visa?).

To the Mooooooooon!


I’ll be testing my assumptions and asking these kinds of questions in Singapore at Money2020 Asia, by the way, as I’m chairing the session on Exploring Digital Identities on 15th March and welcoming some old and very well-informed friends – including Victoria Richardson from AusPayNet, Shamir Karkal from Omidyar, Teppo Pavlova from BBVA and Andy Tobin from Evernym – who will help me open up the topic for the audience. Do come along to “The Moon” at 11am and join us.

* Again.

Tough on bankers, tough on the causes of bankers

I posted before about a great financial crisis, industry collapse and bailouts. Not the banks of today, but the railways of the Victorian age.

When the Directors of these gigantic enterprises that dominated the economy went to see the Prime Minister in 1867 to ask for the nationalisation of the railway companies to stop them from collapsing (with dread consequences for the whole British economy) because they couldn’t pay back their loans or attract new capital, they didn’t get the Gordon Brown, investment banker advisers, suspension of competition law and the tea and sympathy of today. Benjamin Disraeli told them to get stuffed: he didn’t see why the public should bail out badly run businesses.

[From Bailing out | 15Mb: yet another blog from Dave Birch]

Good man. And there’s another lesson worth learning from that crisis. Last year I read a paper from Andrew Odlyzko called “The Collapse of Railway Mania, the development of capital markets, and Robert Lucas Nash, a forgotten pioneer of accounting and financial analysis”. It talks about how many of the modern accounting methods that we take for granted arose during that period.

The moral of the tale, such as it is, is that letting the railways collapse not only led to a stronger railway industry but it also helped other industries as well, because it meant that new standards for accounting and reporting were put into place. The banking crisis has followed an entirely different trajectory, where public money has been used to put things back exactly as they were before. Somehow, we were persuaded that the banks are a special case, not subject to the same rules of business, a point echoed by the noted economist John Kay.

We need to stop thinking of financial services as a unique business whose problems are sui generis, and whose economic role is one of special privilege. The historic deal, which limited competition in banking in return for an expectation of prudent behaviour, has been abrogated by the actions of banks and bankers. Today, both consumer protection and macroeconomic stability will be best served by the policies to promote competition which are rightly favoured in other sectors of the economy.

[From John Kay – Should We Have ‘Narrow Banking’?]

Hear hear. And surely one of the central policies to promote competition should be that people who make catastrophically bad decisions should go out of business. Another one might be to adopt a more robust approach to banking activities that turn out not to be strictly congruent with the letter (or spirit) of the law.

A $2.6 billion financial fraud that has shaken the government of Iranian President Mahmoud Ahmadinejad saw the heads of three of the country’s banks ousted on Tuesday as lawmakers threaten to impeach the economy minister. The biggest fraud in the 32-year history of the Islamic Republic could result in the death penalty for anyone found guilty of it and has become part of an increasingly ugly split in the conservative elite that runs Iran.

[From UPDATE 1-Iran bank chiefs ousted in $2.6 bln fraud fallout | Reuters]

Tough on bankers, tough on the causes of bankers. It’s the only language they understand.


In the future, everyone will be famous for fifteen megabytes

Business banking

[Dave Birch] I see that Essex council has abandoned its plans to start its own bank to fund local businesses and the First Bank of Billericay, or whatever they were going to call it, will now never get off the drawing board. How this insane plan ever got to the drawing board in the first place is a complete mystery. Or, at least, it was until I read that the council spent £372,000 on management consultants
