Who controls your identity?

I was privileged to be part of a debate amongst some of our industry experts in Identity and Authentication techniques.

It was clear from the debate that there’s a deal of concern about the issue of ID verification especially.

Technology is again, driving innovation in ID verification caused by a number of issues:

• The proliferation of ID theft,
• The rising cost of payment-related fraud, and
• The fact that hackers are almost one step ahead as a result of ‘open’ technology.

New products and services whilst answering some of these concerns, also attract new concerns:

• Behavioural patterns are changing because technology has allowed a new way of looking at payments especially. We’re no longer bound by the constrictions that used to exist, cash or card, and now with Apple Pay especially; consumers expect to be able to pay how they want and when they want.
• Mobile technology with the introduction of so-called wearable’s has expanded the market somewhat for payments and ID verification. An individual now has choices how they pay and that increases their chances of being hacked.
• A by-product of these innovations is now the proliferation of devices that can store data which can be used to ease the ID verification and payment issues, but gives the bad guys more opportunities to spot our weaknesses.

The old methodology of password and key generation are passé now as new technology surpasses old.

The concern amongst the group was that if the industry doesn’t solve the problems the regulator will, and the result may not be what the industry wants.

What are the main problems that the industry is concerned?

• How do I know you are who you say you are?
• How can I protect your assets?
• How can I minimise risk for all parties?

How can we fix them?

• We need to work collaboratively,
• There is a need for a central repository for ID registrations, that can store:
  • Passport data,
  • DVLA data,
  • NHS data,
  • Residence data,
  • Employment data,
  • Benefits data, and
  • Other personal data that is already in the public domain.

The group then discussed some of the barriers to improved ID verification.

It was clear that the consensus was that banks don’t really trust their customers. The banks are seen as dictating to the consumer, whereas the consumer ‘owns’ the data. It’s not surprising they take this view when the ultimate liability for the risk sits with the bank. In fact, it was felt, many banks would prefer to go back to simple tokens like cash, cheque and bank cards as that way they have total control.

The group then turned its attention to ownership; who owns the data?

The overwhelming response was that technology and innovation had moved the ownership from the banks to the consumer, you own your data and you should have control over it.

The group felt that ownership didn’t necessarily mean that the data can only be revealed by the consumer, more which changes to the data needs consumer permission. At the moment too many organisations can affect your data unbeknownst to you. The CRA’s being a commonly cited example.

Overwhelmingly the group felt that the consumer is looking for convenience, not restriction. The consumer should be free to choose their method of payment backed by ID verification that is appropriate to the transaction.

There was consensus that the government should not ‘own’ your data, but they should contribute to your data. In fact the view was expressed that the access channels open to Credit Reference Agencies should be open and freely available to the consumer – it is their data.

An example of how perceptions about ownership are changing was the way that social media is beginning to adopt a single sign on approach; many sites will let you login with your LinkedIn or Facebook profiles.

Although many innovative payment solutions are emerging using a myriad of technology mixes – cards, mobiles, chips, wearable’s and more, the banks are not being disintermediated as was once feared, they are consolidating their position as a fortress. PSD2 calls for the usage of API’s to allow 3rd parties to access bank data, but the banks will fight tooth and nail to stop access to ‘real’ accounts whilst they are held liable for fraud. As we already see the banks are getting tougher on their customers protection of passwords and other ID tokens. Once the banks would reimburse fraud losses quickly, now more and more, they are challenging their customers to prove they are not at fault. In fact the question was posed by the moderator, were we right to shift fraud responsibility from the consumer to the banks.

Technology is driving innovation which is driving fraud and what can we do?

Although the industry at large agrees that there needs to be a solution and quickly before the regulators get involved, there are significant barriers to change:

• Customers need convenience; they need to have a seamless customer experience.
• A single authentication model needs to be adopted; consumers need to be familiar with the process no matter they bank with or pay through.
• The lack of a central ID repository where data is stored and access and updates are recorded.
• Risk mitigation needs to be looked at to apportion responsibility to the right party.
• How do you protect your brand at the same time as helping consumers carry on their daily business?

The jury’s still out on many of these but they need to be addressed by the industry.

Inevitably the question of a national ID card came up for discussion and surprisingly there was consensus that the time was right for the introduction of some form of ID Card. After all, the ID card identifies the good guys, the absence and forgery alerts us to the bad guys. After all, most of us have a passport, NHS Card and Driving Licence – the mobile phone is the ideal place to store the data.

Finally the moderator summed up:

• Only innovation that gives the customer the experience they are looking for will work.
• Any solutions need to be standard across the board and understood properly, the old power plug issue.
• Risk needs to be shared properly between all the parties in the payment chain.