I always get International Identity Day and Groundhog Day mixed up.
I got an e-mail to remind me to pay my credit card bill, so I went to log in to pay it. The browser filled in my username, I entered the missing digits from my PIN and I opened 1Password to get the password and typed it in, but it was rejected.
I thought maybe I typed it wrong, so I typed it again. Nope. So I clicked on “lost password” and got taken to another page where I had to enter all sorts of personal details, including my credit limit. Catch 22. I need the credit limit to reset the password but I don’t know what my credit limit is without the password.
I give up on the web and open the app on the phone. It lets me log in without having to remember a password, so I select pay. My credit card provider likes a heritage approach to payments, so instead of an xPay option it presents me with a web screen from the 1990s and I have to get out my debit card and type in the details.
I then get redirected to my bank app and I have to enter my PIN number, OK the transaction, enter my PIN number again (I don’t know why) and then get a message saying that the transaction has been declined.
Oh well. That’s 2021 for you.
What should have happened, of course, is that I go to my credit card provider, enter my username, authenticate the log in from my bank app using my fingerprint. Then I select pay, approve the transaction from my bank app and go about my business.
Why am I telling you this? Because it’s September 16th, which is International Identity Day (IID).
MORE FOR YOU
(In case you are wondering why, the choice of the date is in recognition of the United Nations Sustainable Development Goal 16.9 which calls for legal identity for all, including birth registration, by 2030.)
Anyway, another IID is upon us and nothing has changed. We still waste billions of man hours navigating ridiculous identity roadblocks while the criminals skip over the sleeping policemen to loot with impunity.
Change. Yes.
Identity Day may as well be Groundhog Day. Except that… There has been a change in the environment around digital identity over the past year. The coronavirus catastrophe has required many individuals, companies and organisations, who never had to do business online before, to shift to the new normal in double-quick time. This has in turn meant that the ability to create digital identities, to bind those identities to real-world legal entities and to use those digital identities to support online persona with the necessary collection of credentials to enable online transactions has become central to business and government.
There has also been a change of attitude toward the business of identity and the perception of digital identity as a fundamental rather than as a “nice to have”. I have sat through countless meetings trying to work out business models around digital identity in my time. I have often been met with the kind of natural resistance that you expect in the corporate world. Thus, when someone from the Department of Whatever asks me to project the value of new revenue streams and the associated costs of delivering them for the year 2033 or 2097 or something, I am stuck. I can say that there will be winners and losers in the digital identity game, but being an honest sort of person I have had to admit that the magnitude of gains and losses contain guesswork. And there we get stuck.
Now, however, while we may be no nearer calculating the costs of having a digital identity infrastructure we now have some very accurate figures for the costs of not having a digital identity infrastructure. This is because the escalation of fraud through the pandemic has been staggering.
According to Aite Group, almost half of all Americans experienced financial identity theft last year. That is not a misprint: Almost half. Aite estimate losses from identity theft cases cost half a trillion dollars in 2019 and increased three quarters of a trillion dollars last year. That’s serious money and it was, as you would suspect, fueled by the high rate of unemployment identity theft during the pandemic, since increased and extended unemployment benefits made the sector an attractive target for fraudsters.
Pandemic Panic
The pandemic caused a noticeable effect on the scams that transpired in 2020. Unsolicited calls, robocalls, and phishing emails saw dramatic increases during the period in question due to lockdown. Something over 70% of COVID scams include identity theft or fraud. These identity theft scams, including the theft of social security numbers, were used as an attack vector to steal personal data and contributed to a dramatic increase in false claims for support by both individuals and businesses.
I couldn’t help but notice a Javelin Strategy report on this that picked up on an interesting factor: individuals who have an active social media presence had a third higher risk of being a fraud victim than those who weren’t active with people who use Facebook, Instagram, and Snapchat being particularly vulnerable. Users on those sites have a 46% higher risk of account takeovers and fraud than those not active on any social media networks! Since people are sitting at home with nothing else to do except waste time on social media, it’s no surprise to see the fraud figures climb this way.
(Additionally, Javelin Strategy found that children are increasingly the victims of identity fraud. While children have long been a target for Social Security Number misuse and credit card fraud, it appears the impact is growing.)
According to the FTC, overall identity fraud incidents increased around 45% in 2020, incurring financial losses for many.
It’s not just about personal identity, it’s also about organisational identities. In an impersonation scam, a criminal pretends to be from a trusted organisation such as a bank, the police, a government department or a service provider in order to trick their victim into transferring money using a range of cover stories. The latest figures from UK Finance show the number of such scam cases and the money lost to them more than doubled in the first half of 2021 to 33,115.
Also in the UK, recent estimates from the Treasury and others indicate that losses to fraud in the disbursement of government COVID support and aid to both individuals and businesses could be in the region of £50 billion and upwards. This might be a fraction of the problem in the USA, where the Department of Justice has already charged 474 defendants with criminal offences relating to pandemic frauds that involve attempts to obtain over $569 million from the U.S. government.
We could have had a fully developed, global, privacy-enhancing, innovation-enabling digital identity platform for a fraction of the costs of pandemic fraud. Perhaps now is the time to bang a few heads together, starting with the banking industry, and start work on the digital identity framework that the British government’s “Future of Finance” review identified as a cornerstone of future jurisdictional competition.
Why Banks?
Why do I single out the banking industry? Well, in the past two years, 37% of American consumers have been victims of application fraud and slightly more have experienced account takeovers. Since financial institutions are on the front line, surely we should look to them for some co-ordinated action to bring the problem back under control? Where is the “bank identity”? The “financial services passport”? The “money monicker” or whatever we choose to label it?
Many countries already have some form of bank ID. Norway, for example, where the pandemic experience was utterly different from that of the USA or the UK. In Norway, the Ministry of Finance and stakeholders delivered the SME loan guarantee scheme within three weeks and the first loan was granted and on account one hour after the scheme was authorised. The pandemic compensation scheme was similarly developed within three weeks. They were able to do this because they decided to create wholly digital schemes to process applications and deliver automated payments.
Now, apart from the Scandinavian predilection for co-operation between public and private sectors, key to this success was the existence of the necessary building blocks for a modern economy. There is the Bank ID, the financial sector digital identity schemes, an authorisation scheme to control who can act of behalf of companies and standard authentication for government and private services. They had digital identity, and it delivered.
These national schemes show us a way forward. I don’t think the answer for us is to build a centralised identity service (such as Aadhar in India) or a centralised reputation management system (such as China’s social credit score). I think we need to think about more sophisticated and more flexible options to create an identity infrastructure for the modern world.
Citi put out a paper about this a couple of years ago. It was called “The Age of Consent” and it discussed the idea of a federated financial sector solution, something along the lines of the Scandinavian bank ID services but in an global and interoperable framework. You can see report’s author, Tony McLaughlin of Citi, talking about it here on Finextra TV saying that “if we fix digital identity, we fix payments”, and had strong point.
It seems to me that banks should create this new infrastructure because it’s not only a way for banks to save money, it’s also a way for banks to create new products and services that mean new revenue streams. In fact, it could be that digital identity is not simply an additional revenue stream in the future but that identity is bigger than payments to banks. You can watch Alessandro Baroni, CMO of equensWorldline, saying just this here in another Finextra TV interview.
GAIN
There have been a great many other people who think, similarly, that banks should grasp this opportunity. Well, this 16th September there is cause for optimism. Earlier this week, a group of more than 150 people from around the world (including this author) published a paper called “GAIN Digital Trust: how Financial Institutions are taking a leadership role in the Digital Economy by establishing a Global Assured Identity Network”. It’s an important initiative. As Diginomica said about the launch, GAIN could become for global digital trust what VISA and MasterCard
The paper calls on the world’s financial institutions to provide the digital identity services that are the bedrock of a successful digital economy. As one of the paper’s lead editors, Elizabeth Garber , told me when we were discussing the pressure for progress, banks are well-positioned to offer this service because of their investments in know-your-customer (KYC) processes, strong authentication technology and data security.
She is spot on. In my opinion, banks have no choice but to do this. They must address the reality of strategic disintermediation and create a value-adding role that keeps them in the transactional loop. Banks should be the place where we put our identities for safekeeping.
The GAIN authors argue that banks need to think globally about this because, while domestic solutions might alleviate crisis, the banks and others will find commercial viability from global interoperability. This level of scale is what will enable them to compete with Big Tech across a range of use cases and remain integral to financial transactions. They have a point.
You can download the white paper and find out more about the proof of concept that they are orchestrating by visiting the Institute of International Finance (IIF). I hope that a great many more financial institutions and other stakeholders join with them in the proof of concept they are assembling right now.
A year from now, when I go to pay my credit card bill, I should not be thinking about usernames, passwords and PIN numbers. I should be using secure, privacy-enhancing identity information from my bank together with the verifiable credentials stored in my Apple
Thank you for your feedback!