Unleashing the potential of digital identity: a sandbox observation

In the online age, establishing reliable, secure and portable systems of digital ID could unlock significant gains for both consumers and firms. It has huge potential for improving choice and competition and streamlining processes. But the growth of digital ID is not without risks and challenges. To unlock that potential, industry, regulators and government need to work together to get it right.

The use of digital transactions has been growing rapidly for several years, but the advent of Covid-19 has given this trend a fresh impetus in both the public and private sector. In this age of digital interaction, the ability to prove identity digitally has also become more urgent and more valuable.

The potential economic value is significant. A 2019 study by the McKinsey Global Institute calculated that by increasing access to services and easing transactions, digital IDs could unlock economic value equivalent to 3- 13% of GDP.

In the field of financial services and markets, secure and reliable digital ID will be a key part of the infrastructure that allows truly Open Finance, with consumers able to share their data with third party providers smoothly and securely, fuelling choice and competition in the market. It could help enable more efficient SME lending and even play a role in the use of digital currency by central banks.

It’s little wonder that solutions to digital ID are one of the growth areas in innovation.

New and maturing technologies, such as biometrics, Distributed Ledger Technology and privacy enhancing technologies, have enabled the market to develop reliable and easy to use digital ID tools.

Since its first cohort in 2016, the Regulatory Sandbox in the FCA’s Innovation Division has supported 14 digital ID models. Sandbox cohort 5 alone saw 6 different propositions. There have been 15 applications for Direct Support to the FCA Innovation Hub and 6 of these are now receiving that support. Many other digital ID providers have engaged with the FCA through various channels such as the Anti-Money Laundering TechSprints. The FCA, in collaboration with The City of London, has also recently completed a pilot ‘Digital Sandbox’, which provides data access and a digital testing environment to help innovative businesses develop proof of concept. Two digital ID propositions participated in the pilot.

Digital ID tools are not regulated, but the FCA’s interest in this technology lies in the systems and controls put in place by firms who provide and use digital ID due to its impact on the market. The growth in digital financial transitions requires a better understanding of how individuals are being identified and verified to ensure secure transactions and prevent financial crime activities.

In 2019, there were 223,163 instances of identity theft, almost exclusively online, according to the fraud prevention service Cifas. The financial loss and the cost of reclaiming a stolen identity can be as much as £10,000. Digital ID systems with privacy enhancing technologies and improved security could help to fight against this problem.

In the FCA’s Financial Lives research published last week, it was estimated that 1.2 million UK adults are ‘unbanked’ as of February 2020, meaning they do not have a bank account or an alternative e-money account. One of the key reasons behind this issue is those consumers may have difficulty proving their identity, for example, those with no permanent address or who move often, those who do not have a passport or driving licence or UK paper utility bills in their name. Digital ID system can help financially excluded people establish digital IDs based on alternative identity evidence (e.g. geolocation data or registration trusted referees such as a charity).

The development of digital ID technology is closely aligned with FCA’s objectives to protect market integrity, protect consumers, as well as one of its key priorities of fostering competition and delivering fair value in a digital age.

What is a digital ID system?

In its Digital ID final guidance published in March 2020, the Financial Action Task Force (FATF) defined digital ID systems as the “use of electronic means to assert and prove a person’s official identity in online (digital) and/or in-person environments at various levels of assurance”.

The Financial Action Task Force made reference to the digital ID guidelines set out by the US National Institute of Standards and Technology, who described two basic components and a third optional component of a digital ID process:

“Who are you?” (essential) – This involves collecting, validating and verifying identity evidence and information about a person; establishing an identity account and binding the individual’s unique identity to authenticators possessed and controlled by this person;

“You are you” (essential) – It establishes, based on possession and control of authenticators, that the person is indeed who he or she claims to be; and

Portability and interoperability mechanisms (optional) – Portability, in simple terms, means that a digital ID, once verified, can be re-used by the individual for a new transaction. Portability requires developing interoperable standards so that different systems and organisations can exchange data that are compatible with one another.

Overseeing digital ID live tests in the Regulatory Sandbox has provided the FCA with unique insight of their business models and the underlying technology in real life, beyond what was described on paper. These Regulatory Sandbox digital ID models vary in the type of technology, process and architecture used, the sectors targeted and revenue model. However, there are several common themes that cut across nearly all of them. This article cannot cover them all, but it can identify a number of the core opportunities and challenges for consumers and firms.

Opportunities and challenges – consumers

There have been a number of proven benefits from a consumer’s perspective:

Better customer experience. Digital ID makes customer onboarding so much faster and more convenient compared to traditional face-to-face onboarding. There is no need for a customer to visit a branch of the financial institution when opening a new account or applying for a new service. Customers can securely store their personal information on their mobile phone and have it available whenever and wherever they need it. The time needed for customer due diligence, therefore, can be reduced from days to minutes. Also, digital ID systems that use biometric verification means that there is no need to remember another complex password.

Enhanced privacy protection. Digital ID allows proof of identity without sharing unnecessary information, though the use of new privacy enhancing technologies known as zero knowledge proof. For example, your digital ID can share an assertion ‘yes, this person is above an age of 18’ rather than the full detail of your date of birth, which can reduce the risk for identity theft or function creep (e.g. data collected for identity check may also be useful for marketing). In short, digital ID enables more ownership and control of personal information.

Ability to re-use. A pre-verified digital ID wallet could be used across a number of financial institutions thus reducing the need to go through the same proof of identity process repeatedly.

Greener and paperless processes. Many customers have gone paperless with their bank statements and utility bills – a welcome reduction in paper use and people’s carbon footprint. But traditional proof of identity often required reverting to printing out these documents or making photo copies of their passports or driving licenses for the purpose of a face-to-face verification. Digital ID could help eliminate that printing.

Despite these clear consumer benefits, digital ID struggles to attract customers for a number of reasons, all of which are interlinked.

Lack of trust. Consumers may be reluctant to hand over personal information to a new and unknown digital ID provider.

Lack of awareness. There may be a lack of understanding of the technologies involved and of the concept of portable digital ID as well as its capabilities and potential benefits.

Complexity of the flow. The initial establishment of a digital ID may involve multiple steps and services that a user may be required to go. The lack of trust and awareness outlined above may mean a process of multiple tools and apps does ‘not seem worth the effort’.

Opportunities and challenges – financial institutions

Financial institutions use digital ID tools to verify and onboard new customers. Digital ID providers in the Regulatory Sandbox often partner with a financial institution to test how their technology solution integrate with the financial institution’s systems and processes and how it interacts with real customers. A number of benefits have been observed for the financial institutions in adopting digital ID:

Reducing human error. Digital ID systems that use advanced technical tools and multi-factor authentication can reliably detect fraudulent and stolen ID documents and verify with high accuracy that the customers are indeed who they claim to be. Where human judgement is still needed, frontline staff benefit from richer information and robust analysis of the customer’s identity, which can significantly reduce the risk of human errors.

Improving audit trail. Securing proof of identity digitally could provide of the full history of the customer due diligence and onboarding processes and data for compliance review.

Lowering costs. Digital ID could cut the resources required for the identity verification of customers who currently fall under manual verification.

Reducing friction points. When customers sign up for new products or services, traditional identity verification can create friction points, slowing down or even deterring customers altogether. Digital ID can reduce these friction points and so leading to an increase rate of approved customers. Ease of use for customers can make switching to a new financial product less burdensome.

To maximise the benefits of digital ID tools, financial institutions need to address several key challenges: 

Lack of interoperability standards for digital ID systems. Currently the industry suffers from too much noise and too few common standards. For digital ID to become truly scalable and maximise value adding, there needs to be interoperable digital identification systems, protocols and processes across different organisations and jurisdictions.

Concerns about liability when complying with Anti-money laundering (AML) obligations. One of the key reasons for checking identity is to meet the customer due diligence (CDD) obligations set out under the UK’s AML rules. Firms are permitted to rely on the checks that have already been undertaken by others subject to these rules including banks, accountants or lawyers. Equally they are allowed to outsource the delivery of some or all of these CDD checks to a third party who isn’t subject to the AML rules such as a digital ID provider. However, despite these options, final liability for CDD will always lie with the firm itself rather than the other party. As a result, firms are reluctant to adopt new approaches that they fear could bring civil or even criminal liability. Since these issues were identified in the FCA’s sandbox tests, the AML rules have changed to explicitly recognise that firms could use electronic identification processes, including digital ID solutions where these are independent of the person whose identity is being verified; secure from fraud and misuse; and capable of providing an appropriate level of assurance that the person claiming a particular identity is in fact the person with that identity.

Insufficient management buy-in to prioritise the adoption digital ID tools. Many financial institutions lack the buy-in from management, and therefore the developer and frontline staff resources to implement digital ID infrastructure.

Risks in the digital ID ecosystem

There are a few additional areas that are relevant to the wider participants in the digital ID ecosystem which will be of particular concern to regulators. These are areas where a significant failure, to either avoid risks or overcome challenges, could be a major set-back for digital ID. 

First among these is operational resilience. Like any IT system, digital ID systems are not immune to cyber attacks and they have high stakes in building robust systems and controls to prevent the risk of data breach. Systems will need robust reporting process to ensure they can detect and notify a breach within the legal timeframe and to provide the necessary details to the Information Commissioner’s Office.

Less dramatic than a cyber attack, but potential almost as damaging, would be the failure of particular systems due to an unsustainable operating or business models. Many digital ID solutions are driven by the goals and perspectives of a single organisation, and therefore, are designed to serve the needs of particular transactions rather the broader needs of users. Without overarching interoperable standards aligning different organisations and sectors, digital ID providers would struggle to attract the critical mass of commercial and retail customers to make it a viable business.

Identifying and mitigating risks that exist in outsourcing partners is a significant challenge for firms in the financial services market and will be an important challenge for digital ID systems involving multiple stakeholders. Firms will need to maintain and assess programmes to understand risks and controls for critical elements within their operating models, and to ensure this activity is designed in the context of the end-to-end service being supported.

Financial inclusion vs. exclusion

When it comes to the important issue of financial exclusion, Digital ID can cut both ways.

On the one hand, there is the potential for digital ID to be an inclusive development. Many vulnerable and financially excluded people may not have access to evidence documents, such as passports and driving licences and, in a world of traditional identity verification this is often a significant obstacle to accessing financial services. In 2011 – when the last UK census took place – 17% of people in England and Wales had no passport at all. From this point of view digital ID may provide solutions. A robust digital ID system could provide proof of identity based not on traditional documentation, but on a collection of secondary evidence as well as a guarantee from trusted bodies in the public or third sector organisations (e.g. charities) who already have established relationships with these individuals.

On the other hand of course, digital ID requires the customer to be tech savvy, to have a smart phone and/or internet access to set up and use digital ID. A lack of access to these products or a lack of confidence in using them is itself a form of exclusion and the advance of digital ID may for some people turn out to be another service from which they are excluded. However, digital ID is not here to replace traditional ID, but rather to increase the options available to serve diversified needs.

Ways ahead for digital ID

Most people in the UK are dependent on digital services to organise their lives and stay connected. Digital ID has the potential to unlock the end-to-end digital experience of a wide range of public and private sector services, increasing efficiency, improving customer engagement, facilitating new products and enhancing financial inclusion. However, delivering the value of digital ID is by no means certain or automatic.

What’s missing so far for digital ID to flourish? Consumers want to know that their data is safe, their privacy is protected from abuse or surveillance, and that they have control over who and what to share and have transparency on how their data will be used. Businesses want to know that digital ID systems can achieve a good level of identity assurance and meet security and technical requirements, and have a clear understanding who will take liability in the event of compliance failure. Digital ID is a broker of trust between invisible disparate parties in digital transactions. Trust in paper-based identities has been built on endorsement from the government or the underlying authority; whilst trust in digital ID will need to be built on security and privacy frameworks and interoperable standards.

In September 2020, the Department for Digital, Culture, Media & Sport (DCMS) and the Cabinet Office published their response to the 2019 Call for Evidence on Digital Identity based on 148 feedback they received, and outlined their vision for a digital ID ‘Trust Framework’. On 11 February 2021, DCMS launched an alpha version of the Trust Framework comprised of rules, standards and best practices for all participants that want to be part of the framework. The Government will bring the Trust Framework into law to enable the use of secure digital IDs and set provisions for consumer protection. The Trust Framework will bring greater clarity and consistency to the development of digital ID, in order that these systems – and the service they offer – can be trusted, and ultimately, mass adopted.

The Government’s announcements, together with the developments in the market and the demands from consumers, indicate that digital ID is finally gaining momentum in the UK. A public-private partnership is instrumental for the success of digital ID.   

The Regulatory Sandbox at the FCA has been, and continues to be, supportive of genuine innovation to promote competition for the interest of consumers. Digital ID propositions tested in the sandbox have demonstrated how they have placed consumer at the heart of innovation. The knowledge and experience gained from overseeing digital ID tests in the sandbox and engaging with the wider digital ID ecosystem have helped the FCA keep abreast of the market trends and play a key role in enabling change for the public interest.

Reliable and secure digital ID systems are stepping stones to a vibrant digital economy, where individuals and organisations can trust each other in the growing volume of digital transitions. To maximise the value digital ID could bring, industry, regulators and government need to work together to get it right.

By Special Correspodent

Leave a Reply

Your email address will not be published. Required fields are marked *