Digital identity in the last few years has gotten a major boost — as of 2018, 60 nations worldwide have embraced some version of a digital identity scheme. But digital identity, and leveraging it properly, as Diebold Nixdorf’s Scott Anderson noted in a recent conversation with Karen Webster of PYMNTS and Diebold Nixdorf’s John Spenler, is rather easily misunderstood.
The goal, Anderson noted, shouldn’t be to create a digitized version of a driver’s license or passport to simply replace the physical artifact. Just scanning a government-issued ID into a computer isn’t making real progress.
“A digital copy of a physical identity isn’t a digital identity — and is a method that is fraught with problems,” Anderson said.
Problems, he noted, that mostly cluster around security and consumer privacy. If one thinks about any standard physical identifier in use today, it comes packed with information about its bearer, like age, birthdate, street address, city of birth, height, eye color and so on. Just taking that and scanning it into a digital ID, and then perhaps adding something like a biometric identifier, creates a very robust piece of identity, Anderson said — too robust, in fact, for most use cases.
In an era where cybersecurity is a constant uphill battle, one has very good reason to look at a piece of digital ID exchanging that much consumer data as a potentially risky move.
And an unnecessarily risky move, Spenler noted, if that whole range of information isn’t important in the context of whatever interaction the consumer is taking part in at the moment. Many transactions need to verify some element of consumer identity — age, specific address, insurance provider — but not every element. Building better digital identity, he said, isn’t about how to get more consumer information digitized, but about how to best use that data to verify ID in a variety of contexts, while keeping it securely protected going forward.
And that, both Anderson and Spenler told Webster, could be a job for banks and financial institutions, which have the data access and consumer trust necessary to lead that kind of changing paradigm.
Or at least could.
The Challenge of Building — and Using — Digital ID
Identity markers — physical or digital — are not easy to build or rebuild. That is observable on a macro scale in India and China, where governments are working overtime to construct digital ID schemes for billions of people. It is also observable on the micro-scale in the state of Massachusetts, where an attempt to get citizens to upgrade their drivers’ licenses to a verified “Real ID” by mid-2020 is generating very long lines and a lot of consumer friction in finding and producing the necessary documents.
And that project, Webster noted, is only to issue a new type of physical license — no fancy digitization is even considered. Given that even small upgrades are big projects — and big upgrades are endeavors that their host governments are planning as decade(s)-long events — isn’t it possible that the best thing anyone can hope for, when it comes to digital ID, is doing things like digitizing those physical credentials?
Anderson agreed that if digital identity is viewed as a ground-up construction project that is mainly the work of governments, we are definitely talking about taking a very long walk.
But there is no reason to assume that digital ID must be or even should be an ex nihilo governmental construction process. Financial institutions and banks can and should play a critical role in this market, Anderson said, because they already have both an established relationship of trust with the customer and a rigorous onboarding process for customers dictated by AML/KYC regulations.
That means all of the elements one would standardly consider as part of a consumer’s digital identity are already housed within the information banks, already gathered and authenticated by FIs. Using that robust data profile and gathering it into a digital identity for consumers, Anderson said, opens up the possibility of an entirely new role across industries — as a trusted authentication of identity in interactions where such verifications are necessary.
“Where the industry and even Diebold Nixdorf can play a role is as a broker of transactions with the ability to pass credentials,” Anderson explained.
Building a More Perfect World With Fewer Hand-Offs
Consumers don’t have a general rule about offering up their data, Spenler noted; it is very situational. They are typically fine with providing data that is necessary for a transaction, but don’t want to hand off more information about themselves to third parties than is necessary. A world that more efficiently leverages digital identification, he said, is one where that balance could be more cleanly struck, so consumers need only hand off that necessary data.
As an example, Anderson noted the relatively straightforward case of buying alcohol, which one must be 21 years old to do. Handing over a driver’s license gives the liquor store a lot more information than whether or not their buyer is of age — they also find out the buyer’s exact age, home address, height, weight and eye color, none of which they need.
“In a world where they can use banking information as a digital identifier, when the customer swipes their card, the bank as an issuer of identity can hand back an approval that confirms this person has funds available and that they are 21 or older — without passing the full credential back to the merchant,” he said.
That is a very simple example, Anderson noted, but the applications are myriad, across a variety of verticals like retail, healthcare and services, to name a few.
It’s also a more secure method of leveraging digital identity, Spenler noted, because it’s not taking fully-formed digital IDs and passing them back and forth across a variety of digital ecosystems. Given the large pool of cybercriminals whose sole area of interest is stealing consumer identities, these sorts of profiles would be an extremely high-value target. And over the course of hundreds of millions and billions of handoffs between entities, he said, the chances for theft are many.
Moreover, while getting consumers on board is far from a lock, working with an already trusted entity, like a bank, can do a lot to move the ball forward more quickly.
Getting Consumers on Board
The success of any digital identity plan will rise and fall on consumer adoption, according to Spenler, and that is no small challenge.
Working with banks as a locus of digital identity, Spenler noted, has the advantage of eliminating friction that exists around onboarding consumers. Because banks already have to gather and verify a fair amount of consumer information in the course of opening accounts, there really isn’t much in the way of additional onboarding to do.
“The bank already has a lot of friction pre-loaded into its process — they aren’t adding anything new,” he said. “That, from a consumer point of view, makes this kind of system a lot easier to adopt — and will never involve a multiple-hour wait to submit paperwork.”
And consumers are already comfortable with their banks having — and, to some extent, using — that data about them. That is important because consumers (and U.S. consumers, in particular) have “big brother” concerns, Anderson pointed out.
People are used to the government tracking certain information about them for things like taxation — but that is very different from the government announcing it will be actively assembling, tracking and monitoring all the things that “make you, you” and then offering a digital identity on the basis of it.
Their bank doing the same thing, and then offering services on the basis of it, feels quite a bit different, Spenler agreed. “The bank already knows your name, address and payments history — banks know their customers,” he said. “Banks and consumers already know that, and aren’t going to be shocked by it.”
Which isn’t to say there won’t still be a massive amount of work in getting the consumer on board. There will need to be a lot of education for consumers all over the world, particularly those who live outside the 60 or so locations where digital identity is in early development.
And regulators, Spenler noted, will play a very important role jurisdiction by jurisdiction, as they determine how and when these identity services can be used more broadly and in a wider context. “The question will be, how can I use this in a ‘verified by’ type concept, where third parties can plug in with APIs to say, ‘this is the credential I need — can you verify it for me?’”
The hows of that, Anderson noted, will vary widely from market to market, but the idea is the same: create a hub within financial services for all of the identity data a consumer would need, and then issue verifications of those credentials, without having to hand over the full credential itself.
Banks and FIs don’t have to do this, Anderson noted. And there are reasons not to, as there will be an awful lot of work involved.
Moreover, Webster added, the picture for banks and FIs as a central source of digital identity works better in some places than others, and better for some consumers than others. Consumers, she noted, have relationships with a variety of FIs: they may have a checking account with one bank, cards with a few others and investment accounts someplace else entirely.
In the EU, with open banking and PSD2, that is beginning to break down, Spenler noted, as consumers are increasingly able to see that data gathered in one place. “Here in the U.S., we don’t have that yet, but that is definitely where other parts of the world are moving.”
Whether consumers in the U.S. will want that, or will feel comfortable with the idea of that type of open, cross-platform access to their data, is still a bit up in the air, Webster noted.
But even with that being the case, Anderson pointed out, it is still in the best interest of banks to start thinking about their possible role as central digital identity keepers and verifiers now, while the opportunity is presenting itself.
Because the reality is, it probably won’t be forever. If financial services institutions don’t want to use their position to become trusted players at the center of digital identity, there are will be plenty of others ready to pick up that baton and run with it. Like players that don’t quite command the consumer trust that FIs and banks do today, but could conceivably hope to make a move on developing it, and by being a trusted provider of digital identity.
“Other players out there, like an Amazon or a Facebook, have all the same credentials for the most part, and could convince consumers to give them more than they need,” he said. “They could start acting like the custodians themselves.”
Some players will have an easier time developing that trust than others; Amazon’s odds are much better than Facebook’s, Webster noted. The best bet for banks, Anderson said, is to move while the window is most open.