THE PROMISE AND THE POWER OF DIGITAL IDENTITY
Banks, asset managers and insurance companies and their corporate clients are spending tens of billions of dollars a year conducting Know Your Client (KYC), Anti Money Laundering (AML), Countering the Financing of Terrorism (CFT) and sanctions screening checks as they on-board new clients and re-run checks on existing clients. In 2019 Lexis Nexis put the total cost of AML compliance in the financial services industry of the United States at US$26.4 billion and in Canada at a further $5.1 billion. In 2017 the company estimated the equivalent figure for just five countries in Europe at $83.5 billion a year.
KYC, AML, CFT and sanctions checks are expensive but necessary
They have no choice but to spend this money, since a mounting burden of national and international regulatory obligations dating back to the 1970s, insist they verify the identity of both individual and corporate customers. Since much of the work is duplicated – even within the same firm, the same client is often checked separately by different business divisions – the solution has always seemed obvious. This is for firms in the same industry to pool their data, either via a jointly owned and controlled utility, or through a neutral third-party vendor.
Dozens of industry alliances, established vendors and FinTech start-ups are offering to pool data on behalf of financial services firms. Yet repeated attempts to build KYC, AML, CFT and sanctions screening solutions on the basis of pooled data have ended in partial success at best, and often complete failure.
Attempts to share the burden through industry utilities are not working
The lack of success of data pooling reflects incentive problems (the industry as a whole gains a great deal but no single firm gains enough to invest); inequity in contributions (large firms have more data than small ones); limited coverage; data confidentiality and security concerns; incompatible data formats; difficulty in getting customer consent to share data; a reluctance to rely on the work of others; and, above all, uncertainty about who will bear the risk in a field where compliance failures can result in massive regulatory fines and serious reputational damage.
Which is why there is a growing level of interest in the more progressive quarters of the financial services industry in an entirely new approach to identification and verification of customers – namely, digital identity (digital ID), and in particular digital IDs that rely not on service providers but on consumers and corporates.
Digital IDs put the burden of compliance on the customer
If consumers and companies submitted themselves to KYC, AML, CFT and sanctions screening checks once, took ownership of their own digital ID in the form of a unique, hashed alphanumeric string based on the documentation they shared, and then took responsibility for updating the underlying documentation whenever something changed, the solution to the identity problem would be shifted from the providers of services to their customers.
Service providers would simply ask their customers to give them access to their digital ID, or at least to those parts of it which they need to do business with each customer. In extremis, they could even be granted access to the underlying documentation.
Consumers and companies would not lack incentive to acquire digital IDs. A digital ID would simplify the process of being on-boarded with multiple service providers while the lack of a digital ID would make it hard for them to purchase certain products and services at all.
The barrier erected by the need to obtain consumer consent to share data would disappear, because the consumer would always decide who saw their data, and control which parts of their data they saw. Likewise, corporate digital IDs (which can incorporate authorised signatories) could release companies from constant demands for proof of identity from banks and other counterparts they engage with in the normal course of business.
In both cases, liability for the accuracy of the data would also rest squarely with the consumer or company which submitted it, just as it does in a tax return. And there is no need to resolve the cat-herding problems which arise when trying to persuade multiple organisations of different sizes to agree to pool and standardise their KYC, AML, CFT and sanctions screening data.
Instead, companies and consumers would choose a digital ID vendor and submit their documents to it. Each digital ID vendor would then complete the checks according to the standards set by the jurisdiction in which they are based.
FATF, the international regulator of AML rules, favours digital IDs
More than 200 countries base those national standards on the international standards on AML and CFT published by the Financial Action Task Force (FATF), the global AML and CFT watchdog set up by the G-7 in 1989, so a framework for a genuinely global standard is in place already – creating the possibility of digital IDs portable across international borders. The 40 regularly updated FATF Recommendations on AML and CFT have since their first publication in 1990 become the global standard for AML and CFT compliance.
As it happens, FATF itself declared earlier this year that digital ID has now “reached an inflection point.” In Digital Identity, a paper published in March, FATF set out how digital IDs can be used to complete the KYC, AML, CFT and sanctions screening checks set by its own Recommendation 10. This is the crucial Recommendation where FATF insists that financial services firm verify the identity of any individual or company they do business with, using reliable and independent documents, and repeat the checks regularly.
FATF has outlined a three-stage process for manufacturing digital IDs once the initial collection of data is complete and even has a term for digital ID vendors, of which they are likely to be many in each country, let alone across the world. The term is Identity Service Provider (IDSP).
International digital ID standards and assurance frameworks are being built
IDSPs manufacturing digital IDs to an international standard set by FATF will not solve the problem that source documents or data are neither reliable nor independent. Documents such as passports or drivers’ licences (in the case of an individual) or tax codes or entries in a commercial register (in the case of companies) can be faked. Sources can be compromised.
However, as FATF points out, these risks can be managed by the adoption of risk-based assurance frameworks that measure the level of confidence that can be placed in the reliability and independence of documents and their sources. The established statistical technique of confidence intervals and levels will allow digital ID issuers to state that the identification process using a particular set of documents is, say, 95 per cent reliable.
The National Institute of Standards and Technology (NIST) in the United States, whose work is widely followed in the global financial services industry, has already developed standards for a digital ID assurance framework. The International Organisation for Standardisation (ISO, which develops and publishes international standards in consultation with 165 national standards bodies) and the International Electrotechnical Commission (IEC, the international standards body for electronic or digital technologies) published a technical standard for identification of natural person in 2018, and they are now preparing digital ID assurance frameworks.
Governments can make digital IDs happen but not by doing it themselves
The puzzle that is still to be explained is why, given the lack of success with data pooling, so many participants in the financial services industry continue to believe that a centralized, supplier-driven solution to the high costs of KYC, AML, CFT and sanctions checks is superior to a consumer-led, market-based solution.
One explanation that attempts to universalise digital IDs are not always successful. When the United Kingdom government launched the UKVerify scheme in 2015, for example, it predicted 25 million citizens would be using digital IDs to access 46 government services by 2020. In fact, only 5.3 million registered, and it was useable for only 16 services.
But the real lesson of the UKVerify fiasco is that government services are not the right place to start. In Norway, by contrast, it was the banks which popularised digital IDs with BankID, which the government then allowed consumers to use in their interactions with the State. Norway now has a choice of five digital IDs, only one issued by the State. It is curious that banks and asset managers and their service providers in other jurisdictions have not absorbed the lesson that they are better placed to make digital IDs happen than the government.
However, that “market failure” does suggest there is one useful role governments could play. Official authorisation of digital ID issuers, and certification of the digital IDs they issue as adequate to access government services, would raise the status of digital IDs to the point at which consumers and companies could buy with confidence and service providers accept them without fear of breaching their KYC, AML, CFT and sanctions screening compliance obligations.
FATF Recommendation 10, the FATF guidance on digital IDs and the work of ISO and IEC provide a globally acceptable basis on which to assess the processes used by the issuers, and open the possibility of digital IDs becoming portable across borders. In other words, governments do not need to issue digital IDs themselves. But they do need to give consumers and corporates a sufficient degree of regulatory certainty to adopt them, confident that they will save time and money when accessing a wide range of products and services across the public and the private sectors.
Digital IDs could trigger a redress of the balance of power and wealth in data markets
Digital IDs could also mark the beginning of a complete inversion of the balance of wealth and power in the markets for data. Instead of large corporations exchanging free services for access to the data of consumers, consumers would take ownership of all their data, store it securely themselves or with third parties, and sell it or use it to purchase services or switch providers seamlessly.
Written by Dominic Hobson, Co-Founder of Future of Finance