Banks and Digital Privacy: Monetizing “Know Your Customer”
In this article, Shivani Raghav, Jari Koivisto, and Frank Michaud raise the digital privacy stakes as they explore how banks could become “identity trust anchors” — and increase revenue as part of the process. Technologies like self-sovereign identity can help with the identity and privacy problem that is ubiquitous on the Web. In fact, KYCaaS (“know your customer” as a service) is a proposed new business model enabled as a new revenue-generating service. This is an interesting look at how fintech technologies, products, and services provide opportunities for companies to profitably commercialize transaction processing.
Recent data nightmares, such as the one involving Cambridge Analytica, and new regulations like the General Data Protection Regulation (GDPR) from the European Union (EU) are showing the limits of current digital identity methods to preserve our digital privacy. In this article, we describe the current situation in this area and discuss innovative solutions for self-sovereign identity. We also explore how banks can be key actors in digital privacy evolution by leveraging their KYC (”know your customer”) know-how to become identity trust anchors. Finally, we show how, by extending their capacity for trust, banks can transform KYC from a cost to a revenue source.
Today’s reality is that to obtain a service, especially via the Internet, we must give up personal data. Consequently, our personal data is replicated in so many places that it is no longer under our control. Instead, service providers control our data and oversee our digital life, which they ultimately see as the new oil.
On top of that, Edward Snowden’s revelation of the PRISM surveillance program, the Equifax data breach, or the more recent scandals around the misuse of data by Cambridge Analytica and Facebook illustrate the extent of the threat to our personal data.
So how did we get to a place where so much of our personal data is disseminated across the digital world? One response is that the Internet just wasn’t built to handle our identities on the Web and all the associated data of our lives. According to Kim Cameron, chief architect of identity for Microsoft, “The Internet was built without a way to know who and what you are connecting to.” This “hole” has moved the management of user identity up the Open Systems Interconnection stack to the application layer, resulting in the dissemination of personal data, since the service provider manages and operates the application layer. Because each service provider tries to monetize that data, providers do not share data and thus create silos.
Eventually, politicians had to react and enact protections for citizens to help safeguard and control their data. The EU’s GDPR is one example (in addition to other regulations already in place, such as those in Germany and Singapore). As a result of the GDPR, service providers dealing with EU citizens, in addition to other requirements, must explain how they will use those citizens’ personal data and must ask for their consent to use it.
In the financial industry, regulators in many countries have already established rules on how service providers must manage customer data. One example is the Swiss Financial Market Supervisory Authority (FINMA), with its Annex 3 of the circular on “Operational Risks at Banks,” which provides rules for handling electronic client data.
But these rules and regulations don’t solve the whole problem. Service providers not directly covered by such rules and regulations continue to host personal data far outside the control of the data’s real owners. In the next section, we introduce a technical response that can transform the way banks operate their KYC operations by offering new services to other industry verticals.
A Technical View of Digital Privacy
A digital identity is composed of an identifier and the data associated with that identifier. It is important to understand that in the digital world, an individual can have as many digital identities, of any kind, as he or she wants. For example, an individual’s username is the digital identifier for a Facebook account, and all the information that individual shares on that account is the data associated with that identifier. Private data makes up part of this information. Bringing control of that private data back to the individual requires that identifiers and data cross service providers, while staying under the control of the individual and being attested to by specialized parties.
Regaining control of private data starts with standards-defined universally unique identifiers (UUIDs) to access services and manage data across service providers. UUIDs will greatly simplify the current user experience and will allow individuals to interact with service providers in ways that were previously unimaginable. In addition, attestable data enables a trusted third party to cryptographically verify user information in real time, limiting dissemination of data. To understand how UUIDs can impact current customer requirements regarding privacy, let’s look at the evolution of digital identities and the current landscape.
Centralized and Federated Identity Systems
The identity industry is migrating from authentication based on the current client-server model (aka the siloed model introduced above) toward a peer-to-peer (P2P) relationship model based on a private encrypted connection. Federated identity systems brought convenience to business customers, as they allow users to log in from their corporate network to Internet services with their own (business) IDs or with credentials they already possess, like a social media login, bank IDs, or digital identities issued by mobile network operators. These federated systems are replacing the siloed database access system that has existed for years. However, as discussed previously, there are several disadvantages with the siloed model, such as data breaches, distributed denial-of-service attacks, data replication, and so on. With the centralized model, the identity provider has full control over the user’s data.
Advances in passwordless authentication, such as OpenID or WebID, have solved the problem of multiple identities with multiple providers to some extent by providing a UUID under user control. The problem with data silos and data breaches remains, however; the only difference is that identity data is centralized with an identity provider instead of with multiple service providers. In addition, using the same identifier across sites allows the central mediator (e.g., an OpenID provider or certificate authorities issuing public keys) to trace information about users’ online activities, leading to concerns related to privacy and identity theft.
Three primary concepts (all of which exist in theory and implementation but are not yet widely used) are needed to implement a new generation of decentralized identity solutions:
An identity needs to be unique and universal for a particular entity (e.g., person, organization, or thing).
Different entities should be able to make claims or assertions about themselves or about a third party, and these claims should be verified by attested authorities or third-party verification proofs.
There should be a method for locating and verifying a claim about a specific identity.
A new movement, commonly known as self-sovereign identity (SSI), is taking shape. Diverse communities are coming together to build an open, interoperable, and standards-based decentralized identity solution that will address some concerns with the centralized business model. Blockchain technology promises to revolutionize digital identity by returning ownership of personal data from centralized organizations to individuals, who can choose to share their data with others and revoke that sharing as they please.
In this decentralized solution for digital identities, users create a global universal identifier that is stored in a distributed ledger. The ledger technology allows the creation of an immutable record for a UUID and all events associated with it. This decentralized ID (commonly known as a DID) links to decentralized public key infrastructure metadata that contains public key material, authentication descriptors, and service end points. This is analogous to the global domain name system (DNS), which maps domain names to the numerical IP addresses needed for locating and identifying computers, services, or other connected devices. Similarly, an SSI solution based on DID allows the mapping of UUIDs to an entity — a person, organization, or connected device.
In addition, for most digital transactions and interactions (e.g., an application for a bank loan), it is essential to have end-user data (e.g., address, income, passport number) verified by an authoritative source, the validator. Mortgage brokers and loan officers, to cite only two types of digital transaction gatekeepers, do not just accept an information claim provided by an end user; they insist on proof of that information’s veracity. The validator’s role is to attest to the authenticity of certain user claims. These digital online verified claims are associated with an individual’s DID and are signed and verified by authorities/validators. Because this new model requires validators, banks that leverage their KYC process, as we will see below, have the opportunity for a new revenue source.
Verifiable credentials that are linked to an entity’s DID and associated personally identifiable information (PII) are never placed on a public ledger. A verifiable credential is cryptographically shared between peers at the edges of the network. The recipient of a verifiable credential (known as a verifier) in a P2P connection would use the associated DID as a resource locator for the sender’s public verification key so that the data in the verifiable credentials can be decoded and validated. To verify the source of the signed information, anyone can look up the corresponding public key. After authenticating the user with the authentication method presented in the ledger, the claim itself can be verified and accepted or rejected by the requester. Information requesters, in accordance with their security and compliance needs, can choose to trust only credentials that certain attested validators have issued.
Fortunately, open standards are being developed to facilitate these SSI concepts. The Decentralized Identity Foundation (DIF) and the W3C Credentials Community Group are leading this open source work, with participation from the wider identity community. Based on these common standards, many platforms are being developed today that use blockchains (e.g., Ethereum and Hyperledger). Notably, several industrial organizations (e.g., Sovrin and uPort) are coming together to provide a common framework for creating claims linked to an identity using different kinds of decentralized technologies. And DIF is developing a universal resolver to allow interoperability among various DID implementations present today. With an implemented driver, the resolver can support Sovrin, uPort, Blockstack, Bitcoin, Interplanetary Identifiers (IPIDs), and Veres One.
Leveraging KYC and Verifiable Credentials in Banks
KYC, a key process for banks today, remains, in most cases, a very costly and long process. Most challenges lie in the efficiency of verifying customer-provided information. With digitally verified claims, verification can be improved, accelerated, and replicated on a large scale. KYC and digitally verified claims open new business opportunities for banks to act as validators for other organizations. Thus, a process that today is mostly considered a cost for banks could be monetized. If a bank can issue uniformly recognized and trusted verification of identity claims, a second bank that might have the same customer could use some of the KYC verification done by the first bank for that customer’s information, accelerating its own KYC. This would start to establish a market for KYC as a service (KYCaaS). It is important to note that KYCaaS would work only if the regulations defining the required checks around the verification of identity claims were openly established and uniformly shared. It is not totally futuristic thinking to consider KYCaaS as a reality. We are already seeing it implemented today, as illustrated in the examples below.
KYC for Banks in Finland
At some banks in Finland, you can easily open a new bank account online, provided you already have a bank account at another Finnish bank and have the online banking codes for that bank. For example, at Nordea in Finland, you can open an account with online banking codes from another bank operating in Finland, including Danske Bank, Osuuspankki, Aktia Bank, S-Bank, Ålandsbanken, Handelsbanken, OmaSP, or POP Pankki. To do so, you identify yourself with an existing online banking code and provide Nordea permission to handle your personal data and check your credit history. For new customer identification, your existing online banking codes are sufficient, although the bank may want to run its own credit history checks as well.
Finland’s Osuuspankki has a similar process to Nordea’s for onboarding a new customer. To open a new account online at Osuuspankki, you can use online banking codes from Handelsbanken, Nordea, OmaSP, Aktia, Danske Bank, or S-Pankki. You enter a personal ID code, select the bank you would like to use for identification, accept that Osuuspankki will handle your personal data and may run credit checks, and then the bank authenticates the data using the existing online banking codes. Within two days, new customers receive an SMS message that the application has been approved and the final paperwork is sent via post.
E-Identification in Finland
Many public programs in Finland, such as for filing taxes or applying for unemployment benefits, use banks’ online identification services to identify the customer. The e-identification service offers 10 different banks’ identification options plus a possibility to use a certificate card or mobile certificate. A mobile certificate is in the SIM card of the mobile phone, and mobile operators DNA, Elisa, and Telia offer the service.
The exact amount that each bank charges to identify an individual for a public or other service provider has been difficult to determine. The numbers are between each bank and service provider and can vary depending on the frequency of the identification service used. In 2017, a new law limited the maximum price per identification to 10 euro cents; earlier, the price was 50 euro cents on average.
You trust your bank with your money, would you trust it with your data? By extending KYCaaS, banks or any other institution to which you give your trust could start to be your partner in protecting your privacy in the digital world. Extending the concept of KYCaaS and considering the trust people have in their financial institutions, banks could start to deliver services that would make them the guardians of PII. The combination of customers’ trust and close supervision from regulators puts banks and other financial institutions in a favorable position to provide those services.
With the current fast pace of digitalization in our world, financial institutions, especially banks, have the opportunity to evolve their KYC process to start to monetize it. New technologies like SSI enable this evolution by introducing a new way to manage the identity and privacy of end users, solving the missing identity layer problem on the Internet.
Verification of identity claims can be an enabler for banks to optimize their KYC process and even start to monetize it through KYCaaS. By extending KYCaaS, banks or any other institution that you trust with your money could become your partner in protecting your privacy in the digital world.
Citizens and politicians are becoming increasingly frustrated with the lack of privacy protection on the Internet. Regulations can be implemented to attempt to fill the gap, but regulations alone will never be able to fully address the issue. New technologies such as decentralized identities, digital claim verification, and blockchain enable new ways of managing identities and privacy. Today, banks have an opportunity to embrace this new model and be a vital part of the coming transformation.
More Articles Like This
- How Banks Are Leveraging "Know Your Customer": 2 Case Studies
- Panama Papers, Cognitive Systems, and Risk Assessment in Banking and Finance
- Customer and Partner Identity and Privacy
- Cognitive Computing, Part II: Commercial Cognitive Platforms and Services
- Cognitive Computing, Part II: Commercial Cognitive Platforms and Services — Executive Summary