About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.


An idea for the Independent Commission on Banking

By Dave Birch posted May 23 2011 at 9:15 AM

The Independent Commission on Banking recently published an interim report on their Consultation on Reform Options. This interim report raises the subject of bank account number portability. Section 5.17, to be specific, says that:

Beyond improvements to the existing system, full account number portability would enable customers to change banking service providers without changing their bank account number. This would remove the need to transfer direct debits and standing orders, which remains the main area where problems may arise. In the past, portability has been rejected as overly costly, but if no other solutions appear effective and practicable, it should be reconsidered to see if this remains the case given improvements in IT and the payments system infrastructure.

It seems reasonable for the Commission to wonder why customers cannot port their account number from one bank to another the way that they can port their mobile phone number from one network to another. That seems a plausible request for 2011, but phone numbers and account numbers aren't quite the same thing. A phone number is an indirect reference to your phone (well, your SIM card actually) whereas the account number is the “target”. Thus, we shouldn’t really compare the account number to the phone number, but think of it more as the SIM. Each SIM card has a unique identifier, just as each bank account has an international bank account number (IBAN). When you turn on your phone, essentially, your SIM tells your mobile operator which phone it is in and then "registers" with a network. I am writing this in Singapore, where I just turned on my iPhone, so now my O2 SIM card is registered with Singtel. When you call my number, O2 will route the call to Singtel, who will then route it to my phone. But how does the call get to O2 in the first place?

In most developed nations there is what is called an "All Call Query" or ACQ system: there is a big database of mobile phone numbers that tells the operators which mobile network each number is routed by. In order to make call connections as fast as possible, each operator has their own copy of this database that is regularly updated. Note that for reasons that are too complicated (and boring) to go into here, in the UK there is a different scheme, known as indirect routing, whereby when you dial my phone number 07973 XXXXXX it is routed to Orange (because that’s where all 07973 numbers originated from) and then Orange looks the XXXXXX number up in its own database to see where to route the call to (in this case to O2). This is why calls to ported numbers in the UK take longer to connect than they do in other countries.

It's entirely possible to envisage a similar system working for banks, whereby we separate the equivalent of the mobile phone number — let's call it the Current Account Number (CAN) — from the underlying bank account and have an industry database that maps CANs to IBANs. This database would be the equivalent of the ACQ database. (I rather like the branding too: if the banks decided to operate this cross-border, they could label it the international current account number, or iCan.) So the bank sends your salary via FPS to the iCan, and the database tells FPS which actual IBAN to route it to. No matter which bank accounts you use or change to throughout your employment, the employer always sends the salary to the iCan and thus reduces their own costs.

There is an analogy to this in the way that some of the new contactless payment cards work. In the US, American Express credit cards give up what is called an "alias PAN". The PAN, or primary account number, is the 16-digit number on your credit card. When you use your Amex card via contactless, the 16-digit number it gives up is not the actual PAN but an alias PAN. Only Amex know which actual PAN this alias PAN refers to. The advantage of doing this is that if criminals get hold of the alias PAN, they can't use it to make a counterfeit magnetic stripe card, because the alias PANs are only valid for the contactless cards (which they can't counterfeit, because the contactless cards have computer chips in them).

In the UK, we route by sort codes. Any account number beginning 20- is known to be Barclays, so a payment switch will send the payment through to Barclays. We might decide, say, that sort codes beginning with 00 are iCans. When you get your first bank account, the bank sets up the IBAN and iCan. For your salary, direct debits, standing orders and so forth, you give the iCan. BACS and FPS will be told about iCans, so when a payment to an IBAN beginning "UK00-" enters one of those systems, they go to a shared database and look up the IBAN to route the payment to.

The advantages of this are that banks would not have to do anything with their existing systems, because the iCans will always be translated into IBANs by the time they reach their systems.

The disadvantages are that the public might not understand what is going on and, since they don't change bank accounts that often, they might not bother to find their iCan and tell their employers, utility companies and others. It doesn't deliver enough value to them, so we need to find some way of bundling the iCan to find more ways to use it to the benefit of stakeholders. One idea might be to create some kind of Financial Services Identifier, or FSI, which is an index not only to the iCan but to other data as well. If this meant an increase in consumer convenience, then it would spread by itself and take the iCan with it.

To see how it might work, consider my household. I rather belatedly decided to remortgage in order to abandon my outrageous fixed rate and obtain a base rate plus variable rate mortgage just in time for interest rates to rise again (I know nothing about personal finance). I went along to Barclays, my bank of 33 years, to apply and they sent me a multi-page form to complete. I was unable to uncover a single question on this form that they didn't already know the answer to. Yet I had to fill it out and they had to type it in. What a waste of time and money.

Similarly, when I applied for the most middle-class of all financial instruments, the John Lewis MasterCard with cashback in the form of Waitrose vouchers, I went off to their web site and filled some stuff out and it said something like "congratulations, you're accepted". My happiness was short lived, as it soon became apparent that they weren't going to send me a card at all, but a form to fill out and sign. Whatever. When it turned up I signed it, my wife signed it and I sent it back, then went away on business.

My wife phoned me after a few days wondering where her new card was. When I got back, I discovered that my card had arrived but hers had not. So I gallantly gave her mine (one of the great advantages of PIN cards over signature or biometric cards), and started going through the rest of the backlog of mail. Eventually I came across a letter to me explaining that John Lewis could not send my wife her card without further proof of identity because of know-your-customer and anti-money laundering regulations. My wife has only lived in the UK since 1986 and has only had a Barclays account for 20 years, so you can see why they might be suspicious. She follows a pattern well-known to FATF investigators of international organised crime: live at the same address for the last 15 years, use your Barclaycard to buy food at the same Waitrose every week and work for Surrey County Council, presumably a known hot-bed for narco-terrorism.

In order to prove her identity, and therefore get her card, she had to (in homage to the founding of the John Lewis partnership in 1929) post them her council tax bill and last month's bank statement, a handy identity theft kit all in one. Coincidentally, she also had to post off her driving licence because of a speed camera ticket, and it never came back. Foreign readers might be puzzled at this Victorian process, but it's because British driving licences have a paper supplement on which (I'm not making this up) the police write your speeding points. Such is the state of our identity infrastructure in 2011.

All of this is ridiculous in this day and age. Once someone is "known" to the British, or perhaps even European, financial services industry then there should be no need to go through all of this nonsense every single time they come into contact with the industry again.

In the world of payments, a related discussion has sprung up. This is the discussion about Legal Entity Identifiers (LEIs) that has been going on recently. Many interbank payment messages have account identifiers only, and some law enforcement agencies want to stop this and have banks validate the names as well (it will help to track funds to and from suspects I guess).

A global standardized Legal Entity Identifier (LEI) will help enable organizations to more effectively measure and manage counterparty exposure, while providing substantial operational efficiencies and customer service improvements to the industry ... The LEI Solution is a capability that will help global regulators and supervisors better measure and monitor systemic risk.

[From Legal Entity Identifiers: An Emerging Risk Management System]

I'm sure I'd heard somewhere before, possibly at the International Payment Summit, that the plan was to use the SWIFT business identifier codes (BICs), but apparently that's no longer the case. Fabian Vandenreydt, the new Head of Securities and Treasury Markets at SWIFT, recently said that the International Standardization Organization’s Technical Committee 68 (ISO TC68) has concluded that developing a new code would help avoid ambiguities that might be involved if existing codes are used. The BIC is made up of eight to 11 alphanumeric characters with four letters for the bank, two letters for the country, two digits for the location, and three digits for the specific branch, but ISO TC68 want what we nerds call an MBUN (a "meaningless but unique number").

I don't think this is the way forward for people, though. LEIs are unique corporate identifiers: a corporate identity has one, and only one, LEI. Fortunately, or unfortunately, depending on your view, there is no unique identifier for British persons (and nor is there likely to be under the present administration), nor Europeans, nor citizens of the world. And I don't think we would want the financial services industry to develop its own sort-of-identity card scheme. We just want a simple, portable, pointer to a person that can be used to index into their KYC'd persona.

The easiest way to do this would be to assign a unique financial services identifier (FSI) to a person or other legal entity the first time that they go through a KYC process. I might have the FSI "citizendave!barclays.co.uk", for example. Once someone has one of these FSIs, then there would be no need to drag them through "know your customer" (KYC) again. This would greatly reduce industry costs and make the process of obtaining a new financial service — a new bank account, a new credit card, a new insurance policy, a new accountant — much simpler. Imagine the simplicity of applying for in-store credit for that new sofa by just giving them your FSI and watching the application form magically populate by itself on screen.

It doesn't matter if a person has multiple FSIs, because each FSI will have been obtained as the result of a KYC process. If the FSI Directory ends up with two "Dave Birch" entries, so what? It's not an ID card scheme, it's a "save money for the financial services sector and make life easier for consumers" scheme. And it wouldn't matter either if both of my FSIs point to different iCans: I might, for example, have a personal persona and a small business persona -- let's say citizendave!barclays.co.uk and citizendave!rbs.co.uk, which point to my personal and my small business accounts -- and I want to use them for different purposes.

Picture this. You are fed up with the appalling service you get from your bank, so you walk into a branch of New Bank. You ask to open an account, and are directed to the ATM in the lobby and asked to request a balance from your existing current account. You put in the card and enter the PIN. While the ATM is carrying out the balance enquiry, the FSI (obtained from your card) is sent to the Directory and within a couple of seconds both your account balance (from your bank) and your picture (from the FSI Directory) are on the screen. The New Bank agent presses a button and a pre-filled application form is printed out for you to sign and, once you have, the existing system for transferring accounts is triggered.

There might be another useful spin-off from the FSI as well. Suppose you could designate a default account against the FSI: generally speaking, your iCan, but it could also be a prepaid account somewhere, or your PayPal account or whatever. Then someone could send you money by giving your FSI: no need to type in names, sort codes, account numbers. Anyone could pay anyone by entering the FSI into the ATM, or their internet banking screen, or (most likely) their mobile. You might get used to storing FSIs in address books. There's nothing secret about them, and because every use of an FSI would require two-factor authentication, no-one can do anything with your FSI just by knowing it (except send you money).

For this to work, then, there needs to be some way for a customer to prove that they are, indeed, the person referenced by the FSI. There's no need to invent anything new for this: banks could use CAP/DPA, some third-party service (which in a rational world would be provided by mobile operators) or their own app to do the authorisation. We have everything we need to deliver the results that the Commission wants: step 1 create the iCan, step 2 create the FSI, step 3 operate a more efficient, more effective and more convenient banking system.
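The design described in this post, as an added sketch that is not code from the post or from any payment scheme: a shared directory translates iCans to IBANs at the switch, paying an FSI needs no secret, and releasing the KYC record needs a fresh challenge answered by the customer's key. All function names and sample identifiers are assumptions, as is the HMAC challenge-response, which stands in for CAP/DPA or a bank app (the PIN step that would unlock the key is not modelled).

```python
import hashlib, hmac, secrets

ICAN_TO_IBAN = {}    # shared industry directory: iCan -> IBAN it currently points to
FSI_DIRECTORY = {}   # FSI -> iCan, KYC record and key (the key is an assumed second factor)
OUTSTANDING = set()  # challenges issued and not yet used

def register(fsi, ican, iban, kyc):
    """Enrol after KYC; the returned key is assumed to live in the customer's card or phone."""
    key = secrets.token_bytes(32)
    ICAN_TO_IBAN[ican] = iban
    FSI_DIRECTORY[fsi] = {"ican": ican, "kyc": kyc, "key": key}
    return key

def port(ican, new_iban):
    """Switching banks rewrites one directory entry; payers keep using the same iCan."""
    if ican not in ICAN_TO_IBAN:
        raise KeyError(f"unknown iCan {ican}")
    ICAN_TO_IBAN[ican] = new_iban

def route(destination):
    """Payment switch: "UK00-" destinations are iCans and get translated; IBANs pass through."""
    if destination.startswith("UK00-"):
        return ICAN_TO_IBAN[destination]  # unknown iCan raises KeyError: payment rejected
    return destination

def pay_fsi(fsi):  # paying in needs no authentication: the FSI is only a public pointer
    return route(FSI_DIRECTORY[fsi]["ican"])

def new_challenge():
    OUTSTANDING.add(challenge := secrets.token_hex(8))
    return challenge

def respond(key, challenge):
    """Customer side: HMAC stands in here for CAP/DPA or a bank app."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()

def release_kyc(fsi, challenge, response):
    """Release the KYC'd persona only for a fresh challenge answered by the key holder."""
    if challenge not in OUTSTANDING:
        return None
    OUTSTANDING.discard(challenge)  # single use, so a captured response cannot be replayed
    expected = respond(FSI_DIRECTORY[fsi]["key"], challenge)
    return FSI_DIRECTORY[fsi]["kyc"] if hmac.compare_digest(expected, response) else None

if __name__ == "__main__":  # constructed sample values, in the post's "UK00-" notation
    fsi, ican = "citizendave!barclays.co.uk", "UK00-0000001"
    key = register(fsi, ican, "UK20-11111111", {"name": "Dave Birch"})
    port(ican, "UK40-22222222")
    c = new_challenge()
    print(pay_fsi(fsi), release_kyc(fsi, c, respond(key, c)))
```

A challenge is consumed even by a failed attempt, so each guess costs the caller a new round trip to the directory.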

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]
