Why make "identity is the new money" the manifesto for the CSFI's research into identity in financial services? It's because whereas some business functions historically associated with banks, such as market information provision and payment services, are being commoditised and opened up to non-banks, identity is becoming more precious and more relevant at the same time. Anyone can handle payments, but not everyone can manage identity: perhaps the practices, infrastructure, regulation and, frankly, needs of the financial services sector can turn identity into a decent business for them.
Identity is in a mess. There is no pan-European, interoperable infrastructure for electronic identity, which means that a customer of Barclays cannot use their debit card and PINSentry to log in to their broker, or insurer or even another bank, even in the UK, much less in another European country. Some countries have ID cards, some don't. Some countries have electronic identities, some don't. In some countries, the government relies on electronic identity from banks whereas in other countries
The problem isn't confined to Europe. I was in the States recently, and had occasion to visit a number of banks. At some of these, in order to comply with security requirements, I was asked to provide “picture ID”. A couple of times, I produced my UK driving licence, which the guards looked at and then handed back, waving me through, despite the fact that they couldn’t possibly have known whether it was real or not. So what was the point? This is what is called “security theatre”, where the people involved (in this case, me and the guard) are both acting out our scripts to show security to the people around us. No actual security is involved. I’d lay a pound to a penny that I’d get in with a Narnian driving licence.
How do we get from this situation to a real, functioning infrastructure that delivers some actual security while simultaneously enabling new business models? Here is a practical suggestion. The US Government's National Strategy for Trusted Identities in Cyberspace (NSTIC) plan has been out for comment. The document describes an identity ecosystem for use by individuals, business and government that attempts to balance the requirements for identification and “reputation” in a forward-looking manner. It talks about creating a user-centric identity ecosystem, which it defines as an ecosystem that will allow individuals to select the interoperable credential appropriate to a specific transaction. In other words, it lets people select between different virtual identities on a per-transaction basis, something that we have long advocated. I think that not only is this a good basis for an identity infrastructure, but that it provides a tremendous opportunity for banks, insurance companies and others to simultaneously reduce their costs and open up new lines of business by making “their” identities desirable.
Now, obviously, the individual’s choice of credential cannot be entirely unconstrained. I can well imagine being allowed to log in to Citibank using a Barclays Bank identity but not being allowed to log in to Citibank using, say, my Twitter login. Similarly, I can well imagine using my Facebook identity to get access to some basic government information about benefits but having to use my mobile phone in some way to confirm my identity to log in to obtain, let’s say, the results of a medical test.
In some countries, the government is providing an electronic identity card-based infrastructure. In Germany, for example, customers will be given free USB smart card interfaces so that they can use their new national ID card to log on to their bank account, but such approaches are not universal and governments do not have a lot of money to spend on them right now. From the point of view of the UK, where the national identity card scheme has just been scrapped and there is no alternative identity infrastructure in place, there is much to be admired in the US approach. The idea of creating an ecosystem that is built around the idea of public and private sector co-operation, individual choice, opportunities for innovation and market-based practicality should be a matter of priority in Europe as well, where there is virtually no interoperability at all. Right now, I can’t even use the same login identity for the DVLA and HMRC (the only two online government transactions I ever do) let alone the Belgian police or the Greek health service. How would this actually work?
The structure envisaged in the US strategy is a four-party model much like the payment card model where there are consumers, relying parties (taking the role of the merchant in the payment card model) and the issuing and acquiring identity “banks” (which may well be, well, banks).
What should the financial sector do? We are heading into a transition period between the “old” world of electronic payments where we built dedicated networks to move money from account to account (the world of Visa and American Express, MasterCard and Diners) to a “new” world of electronic payments where there is a single network that all participants access. The money stays put in the “cloud” while we move our identity around across a variety of access channels (the world of M-PESA, WebMoney and QQ Coins).
The dynamics are easy to understand. The downward pressure on the pricing of commodity payments because of the Single European Payment Area (SEPA) and the Payment Services Directive (PSD) leading to the entry of non-banks, the ubiquity of intelligent devices (of which the mobile is currently the most important) and the ease of connecting banks, retailers, processors and others, combine to create a new landscape, where most of the value of the payments layer comes from the ability to identify and authenticate the participants in the transaction.
I have long observed that in the long run digital identity will be more valuable than digital money. This is because authentication is difficult and expensive: if you break down the way that, say, your debit card works, and separate the authentication part (the chip and PIN) from the processing and settlement of the transaction (and all of the fraud management, customer support and so on) you can see the asymmetry between the money part -- a few bytes moving from bank to bank -- and the identity part.
There is an interesting area for speculation identified by this analysis. Who will provide the identity functions? Will it be the existing players who bundle identity as part of the payments business -- PayPal or Barclaycard -- or will it be players who deal with identity and reputation -- Experian or the Passport Services -- or will it be the players who deal with authentication and switching -- Vodafone or Google -- or will it be an entirely new class of organisation?
I have a suspicion that it will be the latter. Just as new economic environments have led to new kinds of organisations before, so they will again. New organisations will arise to create a digital identity infrastructure that creates new value for them and a new value network that banks can also benefit from. Personally, I think there is some logic to the proposition that it may be the mobile operators who in some way will give birth to this new organisation, not only because they know where you are but because they provide a device that can be a remote control for identity in a connected world.
As non-banks enter the payments market, as regulation and reporting mean that the utility, transaction business of moving money around opens up, as the payments infrastructure shifts from being controlled by banks to being controlled by stakeholders, perhaps the right response from already heavily-regulated financial organisations should be to invest in another infrastructure: that of identity. This is what will be explored in the CSFI's Research Fellowship in Identity and Financial Services for 2010/2011.