About The Blog

Debate at the intersection of business, technology and culture in the world of digital identity, both commercial and government, a blog born from the Digital Identity Forum in London and sponsored by Consult Hyperion

Advertisers

Technorati

  • Add to
Technorati Favorites

License

  • Creative Commons

    Attribution Non-Commercial Share Alike

    This work is licensed under a Creative Commons Attribution - Noncommercial - Share Alike 2.0 UK: England & Wales License.

    Please note that by replying in this Forum you agree to license your comments in the same way. Your comments may be edited and used but will always be attributed.

5 posts categorized "Banking & Finance"

An idea for the Independent Commission on Banking

By Dave Birch posted May 23 2011 at 9:15 AM

The Independent Commission on Banking recently published an interim report on their Consultation on Reform Options. This interim report raises the subject of bank account number portability. Section 5.17, to be specific, says that:

Beyond improvements to the existing system, full account number portability would enable customers to change banking service providers without changing their bank account number. This would remove the need to transfer direct debits and standing orders, which remains the main area where problems may arise. In the past, portability has been rejected as overly costly, but if no other solutions appear effective and practicable, it should be reconsidered to see if this remains the case given improvements in IT and the payments system infrastructure.

It seems reasonable for the Commission to wonder why customers cannot port their account number from one bank to another the way that they can port their mobile phone number from one network to another. That seems a plausible request for 2011, but phone numbers and account numbers aren't quite the same thing. A phone number is an indirect reference to your phone (well, your SIM card actually) whereas the account number is the “target”. Thus, we shouldn’t really compare the account number to the phone number, but think of it more as the SIM. Each SIM card has a unique identifier, just as each bank account has an international bank account number (IBAN). When you turn on your phone, essentially, your SIM tells your mobile operator which phone it is in and then "registers" with a network. I am writing this in Singapore, where I just turned on my iPhone, so now my O2 SIM card is registered with Singtel. When you call my number, O2 will route the call to Singtel, who will then route it to my phone. But how does the call get to O2 in the first place?

In most developed nations there is what is called an "All Call Query" or ACQ system: there is a big database of mobile phone numbers that tells the operators which mobile network each number is routed by. In order to make call connections as fast as possible, each operator has their own copy of this database that is regularly updated. Note that for reasons that are too complicated (and boring) to go into there, in the UK there is a different scheme, known as indirect routing, whereby when you dial my phone number 07973 XXXXXX it is routed to Orange (because that’s where all 07973 numbers originated from) and then Orange looks XXXXXX number up in its own database to see where to route the call to (in this case to O2). This is why calls to ported numbers in the UK take longer to connect than they do in other countries.

It's entirely possible to envisage a similar system working for banks, whereby we separate the equivalent of the mobile phone number — let's call it the Current Account Number (CAN) — from the underlying bank account and have an industy database that maps CANs to IBANs. This database would be the equivalent of the ACQ database. (I rather like the branding too: if the banks decided to operate this cross-border, they could label it the international current account number, or iCan.) So the bank sends your salary via FPS to the iCan, and the database tells FPS which actual IBAN to route it to. No matter which bank accounts you use or change to throughout your employment, the employer always sends the salary to the iCan and thus reduces their own costs.

There is an analogy to this is in the way that some of the new contactless payment cards work. In the US, American Express credit cards give up what is called an "alias PAN". The PAN, or primary account number, is the 16-digit number on your credit card. When you use your Amex card via contactless, the 16-digit number it gives up is not the actual plan but an alias PAN. Only Amex know which actual PAN this alias PAN refers to. The advantage of doing this is that if criminals get hold of the alias PAN, they can't use it to make a counterfeit magnetic stripe card, because the alias PANs are only valid for the contactless cards (which they can't counterfeit, because the contactless cards have computer chips in them).

In the UK, we route by sort codes. Any account number beginning 20- is known to be Barclays, so a payment switch will send the payment through to Barclays. We might decide, say, that sort codes beginning with 00 are iCans. When you get your first bank account, the bank sets up the IBAN and iCan. For your salary, direct debits, standing orders and so forth, you give the iCan. BACS and FPS will be told about iCans, so when a payment to an IBAN beginning "UK00-" enters one of those systems, they go to a shared database and look up the IBAN to route the payment to.

The advantages of this are that banks would not have to do anything with their existing systems, because the iCans will always be translated into IBANs by the time they reach their systems.

The disadvantages are that the public might not understand what is going on and, since they don't change bank accounts that often, they might not bother to find their iCan and tell their employers, utility companies and others. It doesn't deliver enough value to them, so we need to find some way of bundling the iCan to find more ways to use it to the benefit of stakeholders. One idea might be to create some kind of Financial Services Identifier, or FSI, which is an index not only to the iCan but to other data as well. If this meant an increase in consumer convenience, then it would spread by itself and take the iCan with it.

To see how it might work, consider my household. I rather belatedly decided to remortgage in order to abandon my outrageous fixed rate and obtain a base rate plus variable rate mortgage just in time for interest rates to rise again (I know nothing about personal finance). I went along to Barclays, my bank of 33 years, to apply and they sent me a multi-page form to complete. I was unable to uncover a single question on this form that they didn't already know the answer to. Yet I had to fill it out and they had to type it in. What a waste of time and money.

Similarly, when I applied for the most middle-class of all financial instruments, the John Lewis MasterCard with cashback in the form of Waitrose vouchers, I went off to their web site and filled some stuff out and it said something like "congratulations, you're accepted". My happiness was short lived, as it soon became apparent that they weren't going to send me a card at all, but a form to fill out and sign. Whatever. When it turned up I signed it, my wife signed it and I sent it back, then went away on business.

My wife phoned me after a few days wondering where her new card was. When I got back, I discovered that my card had arrived but hers had not. So I gallantly gave her mine (one of the great advantages of PIN cards over signature or biometric cards), and started going through the rest of the backlog of mail. Eventually I came across a letter to me explaining that John Lewis could not send my wife her card without further proof of identity because of know-your-customer and anti-money laundering regulations. My wife has only lived in the UK since 1986 and has only had a Barclays account for 20 years, so you can see why they might be suspicious. She follows a pattern well-known to FATF investigators of international organised crime: live at the same address for the last 15 years, use your Barclaycard to buy food at the same Waitrose every week and work for Surrey County Council, presumably a known hot-bed for narco-terrorism.

In order to prove her identity, and therefore get her card, she had to (in hommage to the founding of the John Lewis partnership in 1929) post them her council tax bill and last month's bank statement, a handy identity theft kit all in one. Coincidentally, she also had to post off her driving licence because of a speed camera ticket, and it never came back. Foreign readers might be puzzled at this Victorian process, but it's because British driving licences have a paper supplement on which (I'm not making this up) the police write your speeding points. Such is the state of our identity infrastructure in 2011.

All of this is ridiculous in this day and age. Once someone is "known" to the British, or perhaps even European, financial services industry then there should be no need to go through all of this nonsense every single time they come into contact with the industry again.

In the world of payments, a related discussion has sprung up. This is the discussion about Legal Entity Identifiers (LEIs) that have been going on recently. Many interbank payment messages have account identifiers only and the some law enforcement agencies want to stop this and have banks validate the names as well (it will help to track funds to and from suspects I guess).

A global standardized Legal Entity Identifier (LEI) will help enable organizations to more effectively measure and manage counterparty exposure, while providing substantial operational efficiencies and customer service improvements to the industry ... The LEI Solution is a capability that will help global regulators and supervisors better measure and monitor systemic risk.

[From Legal Entity Identifiers: An Emerging Risk Management System]

I'm sure I'd heard somewhere before, possibly at the International Payment Summit, that the plan was to use the SWIFT business identifier codes (BICs), but apparently that's no longer the case. Fabian Vandenreydt, the new Head of Securities and Treasury Markets at SWFIT, recently said that the International Standardization Organization’s Technical Committee 68 (ISO TC68) has concluded that developing a new code would help avoid ambiguities that might be involved if existing codes are used. The BIC is made up of eight to 11 alphanumeric characters with four letters for the bank, two letters for the country, two digits for the location, and three digits for the specific branch but ISO TC68 want we we nerds call an MBUN (a "meaningless but unique number").

I don't think this is way forward for people, though. LEIs are unique corporate identifiers: a corporate identity has one, and only one, LEI. Fortunately, or unfortunately, depending on your view, there is no unique identifier for British persons (and nor is there likely to be under the present administration), nor Europeans, nor citzens of the world. And I don't think we would want the financial services industry to develop its own sort-of-identity card scheme. We just want a simple, portable, pointer to a person that can be used to index into their KYC'd persona.

The easiest way to do this would be to assign a unique financial services identifier (FSI) to a person or other legal entity the first time that they go through a KYC process. I might have the FSI "citizendave!barclays.co.uk", for example. One someone has one of these FSIs, then there would be no need to drag them through "know your customer" (KYC) again. This would greatly reduce industry costs and make the process of obtaining a new financial service — a new bank account, a new credit card, a new insurance policy, a new accountant — much simpler. Imagine the simplicity of applying for in-store credit for that new sofa by just giving them your FSI and watching the application form magically populate by itself on screen.

It doesn't matter if a person has multiple FSIs, because each FSI will have been obtained as the result of a KYC process. If the FSI Directory ends up with two "Dave Birch" entries, so what? It's not an ID card scheme, it's a "save money for the financial services sector and make life easier for consumers" scheme. And it wouldn't matter either if both of my FSIs point to different iCans: I might, for example, have a personal persona and a small business persona -- lets say citizendave!barclays.co.uk and citizendave!rbs.co.uk and that point to my personal and my small business accounts -- and I want to use them for different purposes.

Picture this. You are fed up with the appalling service you get from your bank, so you walk into a branch of New Bank. You ask to open an account, and are directed to the ATM in the lobby and asked to request a balance from your existing current account. You put in the card and enter the PIN. While the ATM is carrying out the balance enquiry, the FSI (obtained from your card) is sent to the Directory and within a couple of seconds both your account balance (from your bank) and your picture (from the FSI Directory) are on the screen. The New Bank agent presses a button and a pre-filled application form is printed out for you to sign and, once you have, the existing system for transferring accounts is triggered.

There might be another useful spin-off from the FSI as well. Suppose you could designate a default account against the FSI: generally speaking, your iCan, but it could also be a prepaid account somewhere, or your PayPal account or whatever. Then someone could send you money by giving your FSI: no need to type in names, sort codes, account numbers. Anyone could pay anyone by entering the FSI into the ATM, or their internet banking screen, or (most likely) their mobile. You might get used to storing FSIs in address books. There's nothing secret about them, and because every use of an FSI would require two-factor authentication, no-one can do anything with your FSI just by knowing it (except send you money).

For this to work, then, there needs to be some way for a customer to prove that they are, indeed, the person referenced by the FSI. There's no need to invent anything new for this: banks could use CAP/DPA, some third-party service (which in a rational world would be provided by mobile operators) or their own app to do the authorisation. We have everything we need to deliver the results that the Commission wants: step 1 create the iCan, step 2 create the FSI, step 3 operate a more efficient, more effective and more convenient banking system.

These opinions are my own (I think) and presented solely in my capacity as an interested member of the general public [posted with ecto]

Who thinks pseudonymity isn't important?

By Dave Birch posted Apr 12 2011 at 3:13 AM

OK, at the extreme risk of boring everyone to tears, let's ask the same old question again: should you be allowed to do things on the Internet without giving away your "real" identity? Remember this was something that was discussed here a little while back, using the simple case of newspaper comments as an example. Someone has come up with an interesting way of solving for two problems simultaneously: paying for news online and making people responsible for their comments...

However, he recently went back and was surprised that, in order to comment you need to hand over your credit card, and the paper will charge you $0.99. Obviously, this is more to prove that you are who you say you are, but it does seem a bit distorted when the newspaper wants to charge people just to comment. Also, once charged, your name and hometown are automatically associated with your comments.

[From Newspaper Wants You To Pay To Comment | Techdirt]

Interesting. I think the idea of paying to comment is very interesting. I might be tempted to do that in some cases. But paying to give up your real name? I'm not so sure. I might well want to comment on something without that kind of disclosure. Back to "real names" again. The discussion goes on and on.

Why does a comment with a real name have so much more value?

[From The Real “Authenticity Killer” (and an aside about how bad the Yahoo brand has gotten) — Scobleizer]

This isn't always true. A nurse at a hospital, forced to comment with her real name, is highly unlikely to post anything critical of a doctor. There's a difference between an authenticated persona (so that the web site can be sure she really is a nurse at the hospital) that may be based on a pseduonym (or even a cryptographically strong unconditionally unlinkable anonym) and an authenticated identity. There may be many reasons why the latter is undesirable.

Mexico announced a plan Monday to reward people who report suspected money laundering, under a program that will allow them to get up to one-quarter of any illicit funds or property seized. Under the new plan, people can file reports in person, by telephone or by e-mail. The exact percentage of individual rewards will be determined case by case by a special committee.

[From Mexico sets rewards for reporting money laundering | ajc.com]

Would you e-mail in a tip about a suspected money launderer and expect to pick up the reward? It seems to me that this is a good example of system that demands real names for integrity but real names mean it can never work. (Although, and it's outside the scope of this piece, it is entirely cryptographically possible to enable the payment of rewards to anonymous people).

Public servants, law enforcement and banking system employees will not be eligible for the rewards, in part because it is already their duty to report suspicious transactions.

[From Mexico sets rewards for reporting money laundering | ajc.com]

Good luck to anyone who decides to report in person, or by telephone. SIM registration is mandatory in Mexico, which means that the money launderers will find you before the police do -- don't forget, they have more money than the police do. Come to that, they have more money than anyone does.

More shocking, and more important, the bank was sanctioned for failing to apply the proper anti-laundering strictures to the transfer of $378.4bn – a sum equivalent to one-third of Mexico's gross national product – into dollar accounts from so-called casas de cambio (CDCs) in Mexico, currency exchange houses with which the bank did business.

[From How a big US bank laundered billions from Mexico's murderous drug gangs | World news | The Observer]

Given the stringent anti-money laundering (AML) regulations in place around the globe -- which meant it took me 15 minutes to put a few quid on my Travelex prepaid card at Heathrow, something I will never do again -- I'm surprised that this could have happened, but there you go. Perhaps instead of hassling people trying to load low-value prepaid payment accounts, the authorities could focus on the counterparties in larger electronic transfers. Hence the discussions about Legal Entity Identifiers (LEIs) that have been going on recently. Many interbank payment messages have account identifiers only -- you could send money to my account with the name Carlos Tevez and it would still get to me because it's only the account stuff that matters -- and the some law enforcement agencies want to stop this and have banks validate the names as well (it will help to track funds to and from suspects I guess).

LEI will be assigned at the over all corporate entity level and also at subsidiary levels. Its usage will be standardized Internationally. My immediate thought was, never mind systemic risk, this is the perfect means to route B2B transactions across a myriad of financial systems and payment schemes worldwide!

[From Reflections on NACHA Payments 2011 — Payments Views from Glenbrook Partners]

I'm sure I'd heard somewhere before, possibly at IPS 2010, that the plan was to use the SWIFT business identifier codes (BICs), but apparently that's no longer the case.

Vandenreydt said SWIFT is changing its tune due to a recent meeting of the International Standardization Organization’s Technical Committee 68, where SWIFT has a seat. At the meeting, participants concluded that developing a new code would help avoid ambiguities that might be involved if existing codes are used. “[The committee] wants a pure number without country or other information,” Vandenreydt added. The BIC is made up of eight to 11 alphanumeric characters with four letters for the bank, two letters for the country, two digits for the location, and three digits for the specific branch.

The utility is still working with ISO on what the identifier would look like. Vandenreydt said that process could take up to three months, though he expects a decision to be made sooner. He noted the proposal also depends on other details about the initiative that haven’t been specified by OFR, such as how long the registration authority would have to ramp up the system, whether IDs will be assigned or requested, and how many codes are expected.

[From SWIFT Retools Legal Entity Identifier Proposal]

So here's a positive suggestion. Forget about the 1960s notion of an identifier as a unique alphanumeric code and instead make the identifier a pseudonym attested by a bank. So we become consult.hyperion!barclays.co.uk or something similar. It doesn't matter whether the sender, or anyone else, knows who Consult Hyperon is, because the identifier tells them that Barclays does. And for 99% of real-world transactions, that's enough. What's important is that we are always consult.hyperion!barclays.co.uk in all relevant linked transactions. Then, if consult.hyperion!barclays.co.uk is found to be sending money to Osama bin Laden on a regular basis, the appropriate law enforcement agencies can provide Barclays with a warrant and Barclays will disclose. For general commerce, the persistence is the critical foundation. The always-accurate Eve Maler pointed this out a while back:

The neat thing is, we do this all the time already. When you meet someone face-to-face and they say their Skype handle is KoolDood, and later a KoolDood asks to connect with you on Skype and describes the circumstances of your meeting, you have a reasonable expectation it’s the right guy ever after. And it’s precisely the way persistent pseudonyms work in federated identity: as I’ve pointed out before, a relying-party website might not know you’re a dog, but it usually needs to know you’re the same dog as last time.

[From Tofu, online trust, and spiritual wisdom | Pushing String]

Quite. But there's another point. You don't need to be a "real" persistent identity to have a reputation, as should be obvious. A useful reminder of this came at the end of 2010, when an anonymous critic was named the Village Voice's "Music Critic of the Year".

Twitter spokesperson Matt Graves called it a "milestone"; whether he's serious or not, ("dead serious," he later said) @discographies certainly carries a certain seriousness throughout today's interview in the Village Voice. "Twitter," the account holder says, "may be the first mass communications system that also functions as a meritocracy: it actively promotes good ideas and good content, regardless of where they come from."

[From Anonymous Twitter Account Named Music Critic of Year by Village Voice]

I'm not sure that meritocracy is the right word, but I think the sentiment is accurate: you have to earn reputation to attach to your identifier, and once it's been earned it's hard to replicate (unlike intellectual property). So I might want to send money to @discographies without knowing or caring whether @discographies is a roomful of students or an internationally-known music critic. (And, over on Digital Money, I will point out that I want to send money to @dgwbirch -- which is an entirely unique Twitter identifier -- by MasterCard, PayPal, WebMoney, M-PESA or anything else, but that's another point entirely.) Why can't @discographies be mutated into discographics!wellsfargo.com or whatever?

It's an entirely plausible model: banks managing reputation, because it's more important than money. The presence of banks legitimises the market, so knowing that a bank has carried out some KYC on @discographies means that other players can treat the reputation attached to it seriously without being concerned about the "real" identity.

Identity is the new money

By Dave Birch posted May 20 2010 at 2:34 PM
[Dave Birch] There's a lot going in the world of identity, as anyone following this weeks Internet Identity Workshop will attest to. A decade after the web went mass market, we still have no mass market identity infrastructure in place, despite all of the efforts made by a wide variety of suppliers, standards bodies, open source groups and governments. It's not because there aren't technologies that can help -- there are plenty -- but because the technology is only part of the problem. The key technologies, in fact, are pretty well understood and in "closed" systems such as the DoD they are already deployed on a large scale (and here there has already been some progress on interconnection).

For example, Northrop Grumman is preparing to issue its new OneBadge identification cards to thousands of employees. The OneBadge card design and policies meet federal and DOD standards, said Keith Ward, director of enterprise security and identity management at Northrop Grumman. The company expects to be one of the first federal contractors to use a centralized public-key infrastructure as part of its identity management program, Ward said. The company participates in CertiPath, an entity created by several defense contracting firms that is part of the federal government’s trust network through a bridge relationship with the Federal Bridge Certification Authority.

[From Contractors prep interoperable identity management systems]

Look at all of the technologies that are in place here: PKI, smart cards, certification, federation and so on. Nevertheless technology is an important part of the equation, and we need to pay attention to the emerging technologies, because it will take some real effort by a coordinated industry grouping in order to get worthwhile (ie, involving tamper-resistant hardware) authentication deployed and this will need to be linked to a framework (such as the new OpenID Connect) that can easily be adopted by web sites, mobile services and across other channels.

One such grouping is obviously banks and payment schemes. And here, I think, there is a growing recognition that identity and authentication need new thinking.

The Visa card with one-time code offers banks an innovative solution to authenticate consumers through an alpha-numeric display and a 12-button keypad built into a conventional credit, debit or prepaid card. It is a neat solution for consumers to use and also contains a battery designed to last three years. The product has been developed in conjunction with EMUE technologies.

[From Leading banks join pilots of the innovative Visa card with one-time code]

Over on the Digital Money blog, we're always very interested in developments in identification and authentication. Why are these these so important in the payments world? I think that the dynamic is this: if there is an infrastructure in place to manage identity, and that infrastructure includes clear division of responsibilities and clear assignment of legal liabilities, then it takes a big chunk of the costs out of building and running a new payment system. A general trend in the next phase of electronic payment evolution will be the unbundling of the payment, the identification and other services (such as fraud management).

There are different opinions about how the unbundled identification part might be implemented. I've written before that I think that a mobile, SIM-based approach might be the best way forward. The SIM provides the tamper-resistant hardware that we need to store the keys, the mobile phone provides the connectivity and interfaces and mobile operator provides the business model. There has to be a business to make identity work.

So what is the business model? For the operator, it’s incremental messaging revenue; in the first deployment, with Turkcell, the identifications were charged at the same rate as text messaging. According to Turkcell, this resulted in an average of 21 extra messages a month for each user who signed up for Mobile Signature; as a typical user sent 95 messages a month, that amounts to a 20% boost to messaging ARPU.

[From Case Study: Mobile Signature solution approaches key growth milestone - Convergence Conversation]

There are plenty of other possibilities, and if anyone tells you they know how this will work out, they're wrong. But if they tell you that identity and authentication technologies will shape future payment strategies, they're right. As I heard someone remark in a meeting a few months ago, if I were a bank, I'd want to be part of the identity value chain rather than a commoditised and low-margin payments value chain.

Continue reading "Identity is the new money" »

Practical identity

By Dave Birch posted Apr 7 2010 at 12:19 PM
[Dave Birch] It's all very well people like me going on about keys, certificates and zero-knowledge proofs but what are the problems that an identity infrastructure has to solve down at the coal face, so to speak. Here's an example from a newspaper I happened to be reading (The Daily Telegraph "Money" section, 13th March 2010). I won't repeat the entire story, which concerns an elderly, partially-disabled woman who had UKP500 stolen from her bank account at Santander. The bank discovered the fraud, to their credit, and asked the women to come to the branch so that they could sort things out. However, they demanded that she product either a valid passport, a valid driving licence with a picture on it or a birth certificate. She (along with countless other people) had none of these. Despite the fact that she had had an account with them for many, many years, the process derailed The charity Age Concern, quoted in the article, noted the expense of obtaining new passports for people who have no intention of travelling anywhere and also noted that elderly people are sometimes asked to produce utility bills (to get a mobile phone contract, say) that they do not have because they live in care homes or with relatives and that there is a further serious problem where they ask family members to deal with financial services, government and other organisations on their behalf. If you can't prove who you are to the bank where you have had an account for decades, how on earth is your daughter supposed to deal with the bank on your behalf?

One practical suggestion might be for Age Concern to operate a service to provide fake passports to its members. It could do this at low cost, and since fake British passports do not have to be particularly high quality to suffice (the bank just photocopies them anyway), this could provide a simple and cost-effective means to help their members.

Dubai airport is not just a two bit arrival and departure lounge for a small Arab country. It is a veritable cross roads for global airline traffic – one of the 10 most important international hubs in the world. Yet its passport scanning machines failed to recognise that all 11 passports were not just fakes but quite awful fakes.

[From Snowblog - What the Dubai murder says about airport security]

I doubt the elderly lady's local bank branch has "passport scanning machines" of any description, so my suggestion is entirely practical. On the other hand, if we decide to opt for legal solutions, what should we do? If we are going to have a shot at improving the identity infrastructure to the benefit of society, then it has to work in these cases, which are hardly rare or extreme. This simple, practical case should serve as a benchmark: how can an older person use whatever system is proposed in order to ring up a bank and get something done with their own money.

In this light, how does the banking industry manage identity in the future... Would you have predicted 15 years ago that we’d still be using IDs and Passwords today? Will we still be using them 15 years from now?

[From Predicting the Future of Identity | Future Banking Blog]

Actually fifteen years ago I did predict, more than once, that we wouldn't be using passwords by now. I thought then, and I still think now, that passwords aren't really security of any kind. Never mind elderly people trying to remember passwords on the phone, I can't remember passwords on the phone. I was speaking one of my card providers recently, having called to query a declined transaction, and was genuinely shocked to be asked for my password. I had no memory of having set a password on this account at any time in the past, so had to go through the whole set-up all over again. (Which was pretty annoying, but not as annoying as being asked for my card number yet again, ten seconds after I had punched all sixteen digits into the keypad!!).

As I sat down to write the rest of this post, the combination of prosaic, archaic and potentially catastrophic palaver that is the process of opening an account in modern Britain was once again raising blood pressure in our household. Having got annoyed with the poor customer service from one of our credit card issuers, I cancelled the card (a card, incidentally, that I spend around £3,000 per month on, since I travel a lot for business) and appealed to the twitterverse for suggestions as to alternatives. A testament to my middle class status, the most popular suggestion was the John Lewis Partnership Card that delivers shopping vouchers for Waitrose and John Lewis, so I went off to their web site and immediately applied. Hurrah! It said something like "congratulations, you're accepted". My happiness was short lived, as it soon became apparent that they weren't going to send me a card at all, but a form to fill out and sign. Whatever. When it turned up I signed it, my wife signed it and I sent it back, then went away on business.

My wife phoned me after a few days wondering where her new card was. When I got back, I discovered that my card had arrived but hers had not. So I gallantly gave her mine (one of the great advantages of PIN cards over signature or biometric cards), and started going through the rest of the backlog of mail. Eventually I came across a letter to me explaining that John Lewis could not send my wife her card without further proof of identity because of know-your-customer and anti-money laundering regulations. My wife has only lived in the UK since 1986 and has only had a Barclays account for 20 years, so you can see why they might be suspicious. She follows a pattern well-known to FATF investigators of international organised crime: live at the same address for the last 15 years, use your Barclaycard to buy food at the same Waitrose every week and work for Surrey County Council, presumably a known hot-bed for narco-terrorism.

In order to prove her identity, and therefore get her card, she had to (in hommage to the founding of the John Lewis partnership in 1929) post them her council tax bill and last month's bank statement. International terrorists would find these completely impossible to forge <sarcasm="on"> as they contain advanced anti-counterfeiting watermarks, holograms and embossing </sarcasm="off">. Of course, this being 2010, you might have thought that my wife would merely have to log in to John Lewis using her Barclays' dongle and Barclays would federate her identity (which they must have already established to the satisfaction of financial regulators) but I'm afraid even these rudimentary steps toward an identity infrastructure have yet to be taken.

In summary: everyone's time and money continues to be wasted and we are no closer to having an identity infrastructure for the 21st century than we were at the dawn of the web.

Continue reading "Practical identity" »

Bank account antics

By Dave Birch posted Mar 24 2010 at 3:48 PM

[Dave Birch] The relationship between identity and money is so interesting, so fractal and so crucial to the evolution of society that I can't resist returning to it again, especially because it's in the news today. The government has just announced yet another initiative to make it easier for poor people to get bank accounts.

Banks will be legally obliged to provide a basic bank account to all UK citizens under plans to be announced in tomorrow's budget. Under the rules designed to reduce financial exclusion, banks would be forced to offer accounts to all applicants, and those who did have problems accessing an account could be offered the right to appeal.

[From 2010 budget: Banks 'to be forced' to provide accounts for all | Money | guardian.co.uk]

If legislation is introduced it could (but won't) benefit some of the 1.75 million adults who, according to the Treasury, have no access to a transactional bank account. Basic bank accounts have been around for years but I guess that banks are still allowed to say no to you if you want one but clearly have no money. A basic bank account is just a very expensive version of a prepaid account.

Basic bank account – for managing day-to-day money. It doesn't usually allow you to go overdrawn by more than £10, if at all. We outline the basics here but if you’d like more information see our Basic bank accounts printed guide. You can download it or order a free copy online – see Free printed guides.

[From What is a bank account : FSA Money made clear - products explained]

Robert Peston, the BBC business correspondent who is believed to be closely linked to the government, commented that

The chancellor, Alistair Darling, is convinced that gaining access to a bank account enhances an individual's ability to find permanent employment – although the connection is not straightforwardly obvious.

[From 2010 budget: Banks 'to be forced' to provide accounts for all | Money | guardian.co.uk]

Since the Treasury notes that four out of five of individuals without access to transactional bank accounts are either retired or too young to pay national insurance, Peston is surely correct in this general point although we'll come back to a specific case where the connection does matter below. But for the moment note that, as the government has identified, people who are forced to live in a cash economy are at significant disadvantage: irrespective of the impact on employment, we can improve the lot of the poor by bringing them in to the system. Peston said research for the government's Digital Inclusion taskforce suggested that poorer households could be missing out on savings of £560 a year available to those who are able to shop online.

Financial inclusion efforts need to be made to bring them into the system. I may disagree with the government about the solution -- because I favour basic payment accounts as the first rung on the ladder of financial inclusion, not expensive and heavily-regulated bank accounts -- but their point is valid. But what if you can't prove your citizenship (I couldn't figure out if this mean UK or EU citizenship but will try and find out) and provide a "provable residential address"? What if you don't have an identity that is deemed acceptable?

Continue reading "Bank account antics" »