Banking on Identity
Abstract
Over the last few years policy makers, service providers and software vendors have come to realise that data is a business asset that would not be out of place on a company balance sheet. It is also becoming apparent to many individuals that the data held about them by governments and businesses has both value and is increasingly at risk from being mishandled, deliberately or otherwise. Ironically, as the volume of online social and commercial transactions increases exponentially day by day, the level of trust in sharing personal data online is falling equally fast due to concerns about privacy intrusions and the potential consequences of identity theft.
With the emergence of data protection, privacy and related regulations, opportunities will arise for trustworthy organizations to act as identity service providers or identity brokers. Banks are already custodians of sensitive personal data, have established processes for validating customer identities and are – arguably – trusted: so why not make a business out of managing these identities and protecting that personal data? Could this fuel the next generation of banking services; or is it more likely to be a regulatory nightmare?
This document looks at the confluence of the new slew of regulations as they impact the banking community from a holistic perspective and demonstrates how this can be transformed into a new set of business opportunities as well as what the next steps for TechVision Research clients should be.
The report covers:
- The emerging regulatory landscape as it impacts the banks
- The opportunities for banks to become identity service providers
- Six steps a bank should take to best leverage this potential
Authors:
David Goodman, D. Phil, Principal Consulting Analyst, [email protected]
Rhomaios Ram, Principal Consulting Analyst, [email protected]
Executive Summary
To the identity cognoscenti, the desirability of having a workable, scalable and secure mechanism for providing personal identity credentials under the control of consumers, citizens and users themselves has been a given for many years. It was always ‘simply’ a question of when, rather than if, this would become apparent to a wider audience such that it became more than a nice-to-have but a business necessity, with the intrigue of speculating which players would seize the opportunity to enter the market for providing identity services and eventually dominate it. There is plenty of reason – and evidence – to suggest that the requirement for providing personal identity services is upon us, but it is still early days to know who will deliver them.
Looking at the possibilities by sector, there is no shortage of options:
| Sector | IDP Qualifications |
| --- | --- |
| Government | Unique identities for use with governmental and other applications. |
| Retail | Detailed records of interests, buying preferences and credit card information. |
| Social Media | Key personal information on a variety of devices. |
| Telecom | Most people keep a treasure trove of personal data on their cell/mobile. |
| Postal Services | The Post Office knows where everyone lives and how to reach them. |
| Banks | Most people store their most vital assets – money, house mortgages – in banks. |
Figure 1: Potential identity service providers by vertical sector (for full table – see Introduction)
Banks have a strong claim to become one of the dominant players in this market. To achieve that would not require them to provide much more than they do today to comply with KYC (know your customer) and other regulations. Added to which is the opportunity to strengthen customer relationships and encourage customer loyalty.
So what is missing—why are banks not moving faster? Firstly, banks are already under tremendous regulatory pressure, have significant accountability responsibilities and are innately risk averse—for good reason. Secondly, there are many moving parts to consider before becoming a trusted identity provider and it takes not inconsiderable planning to get it right. Building the foundation for the development of banking-based identity services is the focus of this paper.
In some countries, banks have already actively started looking at becoming identity service providers: in fact, there are credible working examples in Scandinavia and we are seeing pilot projects emerging elsewhere in Europe, North America and Asia Pacific, not least in conjunction with blockchain technologies. For those banks not already engaged in planning such an initiative, this document highlights the business benefits and outlines a business model that could act as a real driver in getting an identity project approved by senior executives. Of equal importance is the choice of the various commercial/technology solutions available that would also help determine the level of risk and commitment the bank would wish to take.
Getting the green light to proceed by management requires reaching consensus amongst the relevant stakeholders both within and outwith the bank. Then comes the technical task of assessing and where possible co-ordinating the bank’s existing customer data sources, while ensuring compliance with data protection and privacy legislation. Whether the service will be made available by the bank alone or in collaboration with partners, either way there will still be considerable work involved in publicising the availability of personal identity credentials to both potential relying partners as well as customers themselves.
For further help with providing identity service to your bank’s customers and the six steps from start to rollout, TechVision Research offers strategic and practical support through its consulting services.
Identity in a Banking Context
Just by observing the supernormal profits made by companies like Google, or the enormous valuations for companies like Facebook, Snapchat and others, we know that personal data has huge value, even if we are not certain how to quantify its worth. The digital data that represents and, for most intents and purposes, defines us has become one of the most valuable commodities in the context of today’s online world.
Its value for these companies comes from what it allows them to understand about the context and emotions of individuals and to provide those customers with the products and services that will give them what they want or need in the moment they want or need them. And this is just a part of the commercial angle. In a general sense, data about a person’s past behavior has also been used for many years to establish trust for transactions where there is a time lag between the delivery of the service and the corresponding final settlement of that service. More behavioral data can mean more (or less) basis for trust. And of course, companies and governments also want to use our data to correctly establish our entitlements and rights, such as access to a computer system or to healthcare.
From a business perspective, data is fast becoming an asset to be quantified on a company balance sheet, just like money. Data needs to be protected, understood (classified or tagged) and its owners and users identified. In a very broad sense all this aggregated data is referred to under the umbrella term ‘identity data’. It encompasses not just the intrinsic things that define us, such as our biometrics (i.e. fingerprints, iris scans et al.), or the formal set of identity attributes contained in passports, driving licenses, health records et al.; but also the wider collection of personal data derived from online commercial, mobile phone and social media transactions that paint a much more complete and diverse picture of who we are, what we do and with whom we interact. Significantly, this aggregation of personal data creates a portfolio of reputations and claims that impact the way that an individual is appraised for all manner of future transactions, both personal and professional.
But this portfolio can be both beneficial and detrimental to the individual according to the way in which it’s used. In the non-digital world, everyone has multiple identities, and the lines of distinction are considered sacrosanct: most people would not be amenable to having their employment record mixed with, say, their personal retail habits, their membership of a sports club or their participation in a religious activity. Indeed many aspects of a person’s identity profile taken in isolation may be of little significance; but when combined or contextualized with other attributes become much richer in meaning – and much more valuable to those seeking to exploit it for good or ill.
The conundrum is that this merging of identity profiles from a wide range of divergent sources is potentially a massive infringement of a person’s privacy but from a commercial perspective is an immensely valuable and powerful tool to many businesses and indeed, the consumer. Such is the case with financial institutions seeking to assess a person’s credit worthiness or investigating the risk involved in making an investment. It is also the case when a comprehensive identity profile is leveraged as a sales and marketing tool to better target a marketing (or political) message or to improve the overall customer experience. Getting the balance right between knowing your customers better and flagrant infringements of privacy regulations (such as denying people services based on attributes like postcodes) is going to be one of the defining global challenges of the coming years. Context-based identity and identity relationship management are core elements supporting the next big evolution in identity access management (IAM) as described in TechVision Research’s Putting Identity into Context and Getting to Know Your Customers – The Emergence of CIAM.
As people have realized the enormous benefit they can derive from having their data analyzed, they become more willing to share it. The ‘privacy paradox’ is that, for the most part, they either don’t think about their privacy issues, feel helpless in the face of forced terms and conditions that demand data in return for access to services, or expect legislation to ensure they are protected. Companies can also benefit from sharing data (think about Google Maps), enhancing the services they are capable of providing in isolation. Nevertheless, as well as having to protect the privacy of their customers, guarding against the loss and abuse of their data, they may face additional competitive concerns that will challenge them to consider whether or not they gain sufficient advantage from sharing. As with investment portfolios and similar, consider a service that helps manage the distribution of identity in a way that protects individuals and benefits society as a whole: surely that would be sufficiently appreciated by both individuals and corporates to overcome these issues?
Despite the challenges, identity data in all its forms is going to fuel the global economy of the future and will become increasingly highly prized and sought after. Services that help manage the safekeeping and distribution of identity data could help fuel that future. Several types of institution could fulfil this role for individuals, or indeed individuals could try and manage this themselves with the right tools. For example, telecoms and retail companies have been discussing this possibility for years. But banks have a history of performing the role by keeping valuable assets safe. So, why wouldn’t banks help people and businesses secure this precious commodity?
Looking at the possibilities by sector, there is no shortage of potential players:
| Sector | Advantages | Disadvantages |
| --- | --- | --- |
| Government | Almost all countries ‘own’ vital pieces of lifecycle documentation and are best positioned to provide a unique identity for use with governmental and other applications. | National authorities tend not to be sufficiently flexible to make the most of the opportunities and open up to third parties. In many (Western) countries, governments are not trusted with managing more personal data than is absolutely necessary. |
| Retail | Everyone shops and most people have preferred retail outlets, say from Amazon to Tesco, all of whom have a detailed record of interests, buying preferences and credit card information. | Most people’s attachment to their retail outlets is usually only predicated on convenience, which can easily be influenced to change. |
| Social Media | A significant number of people share key personal information through social media sites and, significantly, are used to accessing those sites several times a day, on a variety of devices. | With a few exceptions there is no financial relationship; and there are a lot of people who view social media sites with distaste and avoid them. |
| Telecom | Today the majority of people have a mobile/cell phone, even if they also have a landline, and generally tend not to leave home without it. Most people with a cell/mobile have a contractual billing relationship with a provider. | Service provider loyalty is often undermined by poor customer care. When users come to the end of their contract, they will look for the handset they want – then the best deal that goes with it. |
| Postal Services | The Post Office knows where everyone lives, how to reach them and usually has a local – and trusted – presence. | Lack of ambition? |
| Banks | Most people store their most vital assets – money, house mortgages – with banks and, despite all the really bad press over the last ten years, are trusted. Access to a personal bank account through mobile apps has never been easier, or as popular as it is today. In addition, banks have stringent requirements to adhere to a comprehensive set of regulations, particularly with regard to personal data – far more than the other players listed. | Many of the older banks lack the flexibility, agility and ambition to tackle what is required despite being better qualified than many if not all of the others. |
Figure 2: Potential identity service providers by vertical sector
It should be clear that the banks have a strong claim to become at least one of the dominant players in this market. And for banks to pro-actively create a new set of identity services would not be that far removed from what they are required to provide today to comply with KYC (know your customer) and other regulations, both in Europe and the rest of the world. It would also offer a welcome opportunity to strengthen customer relationships and encourage customer loyalty at a time when other aspects of banking business are being disrupted.
The Regulatory Landscape for Banks
Banks the world over are regulated by governments which seek to subject banks to a clear set of requirements, restrictions and guidelines, which are designed to create transparency between the banking institutions and the individuals and organizations with whom they conduct business. Needless to say, with the well-publicized events of the last ten to fifteen years, the volume of controls and regulations are constantly increasing.
One reason that bankers may hesitate to branch out into the identity management business is the associated regulatory burden. While these regulations could be seen as yet another compliance nightmare, they also – potentially – provide opportunities and benefits to forward-looking banks. There is a slew of new and/or updated regulations that have recently been enacted or are about to come into force that will significantly, directly and indirectly, impact the way that financial institutions and other businesses perceive and manage their customers’ personal data. The following two tables describe key banking identity-related regulations, including privacy provisions.
| Acronym | Directive | Applied | Description |
| --- | --- | --- | --- |
| 2EMD | eMoney Directive | 2011 | Lays down the rules for the pursuit of the activity of issuing electronic money in the EU and the taking up, pursuit and prudential supervision of the business of electronic money institutions. |
| AMLD4 (and AMLD5) | Anti-Money Laundering Directive | 2017 | Aims to prevent the use of the EU’s financial system for the purposes of money laundering and terrorist financing, tightening due diligence requirements. Also provides for the possible use of notified eID means under eIDAS for fully digital on-boarding activity. |
| PSD2 | Payment Services Directive | 2018 | Enables bank customers, both consumers and businesses, to use third-party providers to access bank account information and execute transactions from those accounts. For example, they may use Facebook or Google to pay their bills, make person-to-person transfers and analyze their spending while still having their money safely placed in their current bank account. Banks are obliged to provide these third-party providers access to their customers’ accounts through open APIs, which will enable third parties to build financial services on top of a bank’s data and infrastructure. |
| eIDAS | Electronic Identity and Trust Services | 2016-18 | Interoperable national eID and trust schemes across the EU available to the private sector, enabling seamless cross-border identity and eSignature validation. |
| ePrivacy | ePrivacy Regulation | 2018 | Ensures privacy and data protection rules for all electronic communication; increasingly aligned with GDPR. |
| GDPR | General Data Protection Regulation | 2018 | A comprehensive re-appraisal of the data protection that applies across all EU Member States, providing greater protection of individuals’ rights to their personal data, including the ‘right to erasure’ and data portability. |
Figure 3: Some of the new financial EU directives directly impacting banks
A more comprehensive list of the new EU regulations that could have an impact on the banking community is provided at Annex B.
Other significant regulations with respect to banks include:
- KYC (Know Your Customer): Originally defined in the US Patriot Act, KYC requires businesses to verify who their clients are and specifically determine that they are neither laundering money nor engaged in fraud, nor involved in terrorist activities or any form of illicit trafficking, and are anti-bribery compliant. Although KYC is mandated for the banking and finance community, enterprises of all sizes engaged in any financial transaction have a need to know that their customers are bona fide; in other words, ‘real,’ not on any transactional blacklist, and of low risk.
- ISO / IEC 27001: This represents the mandatory aspect of the ISO 27K set of standards. Compliance with this information security management system (ISMS) provides banks with a framework for securing and protecting confidential and sensitive data, offering precautionary measures and best practices concerning the management of information security risks.
In addition, each nation has its own financial regulatory environment. In many cases the regulator is the national or central reserve bank, but elsewhere it may be an independent authority that in some, but not all, cases falls under the jurisdiction of the national government.
| Country | Key Authority | Date | Description |
| --- | --- | --- | --- |
| Europe | European Banking Authority (EBA) | 2011 | Based in London, the EBA’s activities include conducting stress tests on European banks to increase transparency in the European financial system and identifying weaknesses in banks’ capital structures. The EBA has the power to overrule national regulators if they fail to properly regulate their banks and is able to prevent regulatory arbitrage, allowing banks to compete fairly throughout the EU, having to comply with the higher pan-European standard irrespective of any advantageous regulatory environment pertaining in any one jurisdiction. |
| Germany | BaFin (Federal Financial Supervisory Authority) | 2002 | BaFin is the financial regulatory authority for Germany. It is an independent federal institution with headquarters in Bonn and Frankfurt and falls under the supervision of the Federal Ministry of Finance. BaFin supervises about 2,700 banks, 800 financial services institutions and over 700 insurance undertakings. |
| United Kingdom | FCA (Financial Conduct Authority) | 2013 | An independent UK financial regulatory body, financed by charging fees to members of the financial services industry, that provides access control regulations to manage risk exposure for the banks, particularly for investors. Works in conjunction with the Prudential Regulation Authority (PRA). |
| United States | “Fed” (Federal Reserve System) | 1913 | The Fed’s key objectives for monetary policy are to maximize employment, stabilize prices, and moderate long-term interest rates. Since 2009 its duties also include supervising and regulating banks, maintaining the stability of the financial system and providing financial services to depository institutions, the US government, and foreign official institutions. Other regulatory authorities include the SEC (Securities & Exchange Commission), FinCEN (Financial Crimes Enforcement Network) and FINRA (Financial Industry Regulatory Authority). |
Figure 4: Examples of national financial regulatory authorities
On surveying the above, it is clear that these regulations and directives are driven by different policy objectives. Regulations such as GDPR and policies like ISO27001 are designed to protect individuals from loss or abuse of their data when held inside companies. Other regulations such as PSD2 or eIDAS are moving in an opposite direction, driven by a desire to ensure that there is greater competition through the opening up of data exchange via more standardized data and data exchange methodologies.
A third objective of some of these regulations is for governments to put more of the onus for enforcing societal laws on to individual firms (like AML in banking). For example, landlords/employers/real estate agents in the UK also need to do KYC provably. In effect, the corporations are being asked to play the role of policeman as a result of providing and benefiting from the service that needs to be policed. It’s conceivable that many, previously physical, services will require identity credentials to ensure appropriate use and this will open new issues around the security of data; for example,
- how long will it be before you are required to present ID credentials at entertainment events?
- how safe will individuals’ IDs be if copies are continually being left with every commercial counterparty?
- how effective will these IDs be at preventing misbehavior if they are simply copied and filed in isolation?
IDs managed by banks could be safer both for the individual, and also to society, as more counterparties attest and add to the user’s profile.
An unintended consequence of the multiple regulations with multiple objectives has been that each regulation or requirement has been complied with in isolation. This, in turn has led to multiple systems and processes and, ultimately, enormous cost and risk of non-compliance. If, however, a bank considered the management of identity as a core competency, or indeed as a business line, the bank would conceivably be better able to identify and exploit overlaps (and expose potential conflicts) in these regulations. For example, it is clear that KYC is fundamental to all of the rulings listed; what is less clear is whether their interpretation of the requirements for KYC are the same and that ‘by getting it right’ a bank could be compliant with the major portion of them in a safer way and at a lower cost point.
Banks deal with so much regulation and must take the risk for any data being incorrect, lost or stolen already. Therefore building a business around such data likely does not add substantially to the risk profile and may improve revenues (from new types of business) and reduce cost by forcing a more holistic adherence to all the regulation. In addition, from a societal perspective, identity management services could improve security for users and improve risk management for their counterparties as users build their profiles – a role very similar to taking deposits and making loans. Thus, banks might in fact become the most natural entity to assuage people’s concerns and worries about the risk of accepting an identity management service proposal.
Why Now And How
After the cataclysmic events of 2008 in banking and financial services, many people spent a lot of time thinking and talking about whether there was a business model for banking that did not rely on balance sheets or transaction fees. The rationale was that the regulation introduced in the wake of the financial crisis would effectively make competitive returns for investors very hard to generate from balance sheet utilization and public acceptance of fees for services – that are roughly equivalent to sending emails – would decline rapidly. One of the possible solutions hit upon by the more forward-thinking people in banks was that banks could become repositories for digital identities.
There are a number of business and societal trends driving the requirement for a more effective approach to managing digital identities today. Purely from an operational perspective, the volume and complexity of transactions that are dependent on identities is increasing exponentially. As a result, many companies are incurring greater and greater costs associated with collecting, verifying and securing identity data. In addition, getting the regulatory compliance wrong or suffering a data breach can often have a devastating effect on a company’s brand and reputation leading to serious financial damage.
The new regulatory environment is demanding a greater degree of transparency and accuracy in relation to all aspects of transactions. What appear to be divergent drivers are sometimes a help and sometimes a hindrance: some are associated with protecting consumers’ personal data, others with creating more competition through data standardization, as well as those ensuring consumers are not engaged in illegal behavior.
As if this were not enough, consumers/customers are becoming far more discerning about what they expect from the services they receive – not just online and not just in banking but across all vertical sectors – as well as how they expect the businesses they deal with to respond and manage their overall interaction and experience with them.
A service that is able to provide these services and potentially reduce or at least mitigate the regulatory burden could be very valuable. From the above it should be reasonably clear that the impetus is now, so the question is: who should do what and how?
Identifying The Problem Of Identity
The simplest example of the identity problem is the process involved in purchasing a house, where one has to physically produce proof of ID (passport/utility bill). It’s neither particularly secure nor suited to the digital age. Nor does it take advantage of the trust inherent in any history of attestations that have already occurred.
Consumers are irritated by having to physically present their credentials and worry (if they think about it!) about whether their data is stored safely and securely by the receiving party. On the flipside, the receiving party worries about the veracity of the credentials: is this person who they say they are and even if they are, what does that say about them? There is also the worry about the cost of keeping the data secure and ensuring no regulations are breached: wanting to maintain privacy and yet keep detailed data records.
In this simple example, a bank could easily provide some sort of authentication service, where the bank “verifies” the data on behalf of the consumer and maintains the data acknowledgement on behalf of the receiving service. And as the consumer uses more services that acknowledge their credentials, the picture of the consumer gets better, improving the risk around verifying the customer. This type of authentication service is also well suited to maintaining things like entitlements for governments and companies; for example, someone eligible for social security benefits would no longer be provided access when they got a job, or a developer would no longer be able to access software when they move to a different department.
Of course, this quickly becomes much more complex when one moves beyond simple authentication, where the problem is mainly about security and trustworthiness. Once people gain access to services to which they are entitled, they do things. And that history is valuable; either intrinsically because it says something about them or as proof of what they did when accessing their services in case of dispute. Moreover, the user wants to be sure that the data is only used for the purposes for which it was explicitly acquired. For example, if you own a health monitor, you might have done so in the expectation that it would be used to help you get fitter, and you might be unhappy if the health data generated by the monitor was sold to a health insurance provider without your consent. So the company that facilitates the creation of the data and the consumer both want the data to be used to provide a better service, but also want to make sure that it is retained in a tamper-proof way to prove what was done and is tracked to demonstrate that it was not misused.
Right now, we get the “benefit” of our data from single companies able to aggregate it to improve user experience and create valuable services. But we have very little ability to either directly monetize that data ourselves (rather than indirectly through things like free email); or to use the data collected by one entity to enhance our experience in others. For example, could we have a service that coordinated holidays such that all forms of transportation and hotels were synched up so we didn’t have to worry about the knock-on effect of delays?
Using or sharing data between several services raises questions around data ownership rights. Currently, if a company collects, for example, loan repayment data, both the company and the borrower have some (different) rights over the data. This situation has not yet been clarified for other data such as transaction data or social media data, but there is unlikely to be a clear cut answer that one or other party owns the data outright and can use it as they wish. While most modern companies understand that their value is more and more derived from the information they gather about their customers, they will want to retain some rights over that data after spending so much resource getting it.
The Identity Service
Consumers obviously want to ensure that their data cannot be stolen and used for nefarious purposes – identity theft has been around for quite a long time. Additionally they would want to ensure that the people their data is given to only use it for the purposes it was explicitly acquired for. Finding institutions that can be trusted in this way depends in large part on perception, and, like it or not, banks have many people’s trust.
One of the original purposes of banks was to keep people’s valuables safe. This started with money, but eventually led to other types of storage services, like safety deposit boxes. Therefore banks have a tradition of being entrusted to keep safe the things that people value most and transferring those valuable items safely to other unknown counterparties. And it is not just consumers that could benefit: as has sadly been demonstrated on numerous occasions, breaches in security can have a massive negative impact on a company’s bottom line – not only its finances but also its brand, reputation and above all its trustworthiness.
Banks are used to handling significant regulations and ensuring compliance and cannot outsource their identity checks to other parties: they can outsource the work, but not the risk if it goes wrong. Therefore, if they are already good at handling the risk AND they have to do it anyway, they are natural entities to safe keep personal data.
So, what would a service that helped people manage their identity look like? Any type of service related to identity has to:
- Provide robust authentication
- Give its users a full and granular set of permissions
- Allow for each piece of data to be permissioned by more than one user or entity
- Allow for attestation by third parties and implement and maintain the rules by which those attestations could be updated
- Provide an audit trail of what data has been shared with whom and when it was permissioned
- Be portable so users can change providers
- Develop a business model that benefits all the parties
The sharing economy provides useful examples of the controlled exchange of trust and reputation. The value provided by companies such as Airbnb and Uber is in building trust between suppliers (drivers offering riders/home owners offering accommodation) and consumers (people seeking rides/people seeking accommodation) by allowing stored data to be shared as appropriate and building up a pair-wise reputation system based on ratings. Could this model be adapted and used by banks?
The Business Model
For banks to even consider becoming identity providers (IdPs), there has to be a credible business model that makes mid- to long term sense. And given that most consumers expect every service on the Internet to be free, this has to be a model in which, at least initially, the consumer does not pay directly.
Luckily, bankers already have services that have the same constraints: most retail customers in Europe expect banking services to be free! For simple cases of identity authentication a model would be similar to payment services that are currently offered. For example, when I buy something on my credit card, the merchant typically pays the bank a percentage of the cost of goods: let’s say 1%. The reason for doing this is the bank at that point is guaranteeing the merchant that he will get the money and that the transfer of value will happen safely and securely. In an analogous identity use case, an employer could require a check on a prospective employee’s identity and pay the bank for that data – with the consent of the candidate of course. In fact, the bank could assume the risk for having the wrong identity in this case, much as they would if the customer had no money in the case of the credit card. And presumably that would be worth much more than pure data storage, no matter how secure. In fact, there is a reason these models seem so similar: if you really think about it card payments are simply another form of identity verification.
The level of payment would depend on the complexity of the service provided. The least costly case would be where people stored and distributed their own data (self-sovereign identity), with banks playing a role in managing the keys to the data.
If these people wanted bank verification on top of that, that could be another level of charging. If customers wanted the banks to store the data securely and facilitate the management of that data, perhaps another level of fees might be possible.
The banks could compete on how convenient they made it for the customer and companies, and how granular they were about the data they allowed to be seen. For example, when you present a driver’s license to prove you are over the age of 18 (or 21) in a bar, you are giving away far more than is necessary or required. The barkeeper doesn’t actually need to know your date of birth and home address. So, if a bank could simply verify that you were old enough to buy a drink, it would serve the purpose of both the customer and the barkeeper – and prevent any possible misuse of your personal data. If the bank was also able to build a network of attestations that the identity credentials matched the physical person presenting at each company, then the bank could improve its levels of certainty over the ID and either reduce ongoing costs or have services pay for additional updates.
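The age-check case above is a selective disclosure problem: the relying party needs a yes/no answer to "is this person at least 18?", not the date of birth that answers it. The following is an added illustration, not code from the report or from any bank: the bank evaluates the predicate against its own customer record and signs only the boolean answer, bound to the relying party's nonce and an expiry. The shared HMAC key, the field names and the constructed customer record are assumptions for the example; a production design would use a public-key signature so that relying parties cannot mint claims themselves.

```python
"""Added example, not from the report: a bank answers an age predicate
("is this customer at least 18?") with a signed yes/no instead of handing
over the date of birth. Key sharing, field names and the HMAC construction
are assumptions for illustration, not any real bank's API."""
import hashlib
import hmac
import json
from datetime import date, datetime, timedelta, timezone

# Constructed sample record, held only by the bank.
CUSTOMER_RECORD = {
    "customer_id": "cust-0001",
    "date_of_birth": "1990-06-15",
    "address": "1 Example Street, Example City",
}

# Assumption: symmetric key shared out of band between bank and relying party.
BANK_SIGNING_KEY = b"demo-shared-secret-do-not-use-in-production"


def _as_datetime(now):
    """Accept None (current time) or an ISO-8601 string; return an aware datetime."""
    if now is None:
        return datetime.now(timezone.utc)
    return datetime.fromisoformat(now)


def age_on(dob, today):
    """Whole years between an ISO date of birth and `today`."""
    born = date.fromisoformat(dob)
    return today.year - born.year - ((today.month, today.day) < (born.month, born.day))


def canonical(claim):
    """Deterministic JSON so signer and verifier hash identical bytes."""
    return json.dumps(claim, sort_keys=True, separators=(",", ":")).encode()


def sign(claim):
    return hmac.new(BANK_SIGNING_KEY, canonical(claim), hashlib.sha256).hexdigest()


def issue_age_predicate(record, min_age, nonce, now=None, ttl_seconds=300):
    """Bank side: evaluate the predicate and sign only the answer.

    The claim carries a pseudonymous subject, the predicate, the boolean
    result, the relying party's nonce (anti-replay) and an expiry. The
    date of birth and address never leave the bank."""
    issued = _as_datetime(now)
    claim = {
        "subject": hashlib.sha256(record["customer_id"].encode()).hexdigest(),
        "predicate": "age>=%d" % min_age,
        "result": age_on(record["date_of_birth"], issued.date()) >= min_age,
        "nonce": nonce,
        "exp": int((issued + timedelta(seconds=ttl_seconds)).timestamp()),
    }
    return {"claim": claim, "sig": sign(claim)}


def verify_age_predicate(token, expected_nonce, min_age, now=None):
    """Relying-party side: accept only a fresh, untampered, matching 'true'."""
    claim = token["claim"]
    if not hmac.compare_digest(sign(claim), token["sig"]):
        return False                      # tampered, or not issued by the bank
    if claim["nonce"] != expected_nonce:
        return False                      # replayed from another session
    if claim["exp"] < int(_as_datetime(now).timestamp()):
        return False                      # stale token
    if claim["predicate"] != "age>=%d" % min_age:
        return False                      # an answer to a different question
    return claim["result"] is True


if __name__ == "__main__":
    token = issue_age_predicate(CUSTOMER_RECORD, 18, "bar-session-1")
    print(json.dumps(token, indent=2))
    print("over 18:", verify_age_predicate(token, "bar-session-1", 18))
```

The relying party ends up with a token that contains a pseudonymous subject hash, the string `age>=18`, a boolean and a signature; nothing in it lets the barkeeper reconstruct the date of birth, and because the nonce and expiry are inside the signed claim a captured token cannot be replayed for another visit or reused to answer a different predicate.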
If the banks were able to establish a market price for other types of identity data, then other opportunities would become available. Among the many ways that banks make money today is by intermediating between their depositors and borrowers[1].
A similar paradigm could exist for banking where individuals who deposit their personal identity data and wish to get paid for their data could receive varying amounts of “interest” depending on the level of granularity which they are prepared to allow to be applied to the use of their data. For example:
- no data sharing – 0%
- aggregated at the level of two attributes (say, sex or nationality) – 0.1%
- aggregated at the level of three attributes (say, age, education, income) – 0.5%
Depending on the value of the identity data to its consumers (advertisers etc.), banks could take a spread.
A final method for the banks to provide value is by providing a tracking of the flow of data as they do for money now. It is hard to imagine banks displacing pure storage vendors like Amazon, Google or Dropbox, but perhaps the banks could provide a service that shows customers what data moved between which services. This could be of benefit to customers who wish to understand how and where their data is being used as well as society at large when there is a need to prove that data is being used for its intended purposes. And it could be paid for by the underlying services who need to be able to show what data they consumed and for what purpose.
Who Benefits?
There are several stakeholders potentially affected by an identity service: the underlying consumer or entity to whom the data relates; the relying parties who need the data; the banks who provide the identity data management services and possibly other entities that also accumulate identity data. The beauty of what is being proposed is that benefits accrue to all of them.
Consumers
From a consumer perspective, the major initial attraction will be convenience. Not having to repeatedly undergo the tiresome process of producing hard copy documentation verifying identity as well as proof of residence will be very attractive and remove an irritating barrier to getting business started as quickly as possible. Being able to use the trusted services of a bank will, in the majority of cases, likely be far more attractive than using the services of a social media or any other company.
In addition, consumers are likely to value the ability to maintain and observe permissions over their own data. They will want to reconcile who has access to their data against its agreed uses. In addition, this ability to manage their identity will start to make the data itself more valuable, both through the history of who they have interacted with and via resulting attestations of its use and validation.
Finally, in the future, consumers may be able to use this repository of their data to start to monetize it more directly, either by being able to “sell” it for other reduced-rate services (similar to loans) or directly for fees.
Relying Parties
At the moment, the entities that would become relying parties accrue costs associated with the collection, storage and safekeeping, and risk of fraud associated with identity. Typically none of these things are core to the business of these relying parties.
The main benefit for relying parties will be around cost. They currently have to pay for all the collection, storage, and recordkeeping associated with their customers’ data. A service that could provide that function to many customers would almost certainly be much cheaper than the existing model. In addition, using a third party service provider would allow for a more streamlined and convenient service that could happen completely electronically.
A second benefit would be the potential ability to mitigate the risk associated with identifying consumers correctly. The first way this can happen is by having the provider of the service agree to take more of the risk for getting the identity wrong. The second way is through using identities that have built up an observable trusted history.
Last, the use of a third party should make it easier to prove compliance with all the various regulations as every interaction and associated permission with the ID service will be recorded.
Banks as Identity Providers
For the banks, the principal advantage of becoming identity providers is about cost mitigation. Banks are already spending large amounts on KYC and other identity related issues. Any opportunity to begin to monetize that sunk cost would provide a welcome additional income stream.
First, as an identity provider a bank would be in a position to offer identity-as-a-service (IDaaS) to relying parties, such as lawyers, accountants, insurance companies etc, who did not wish to collect and store customer information. And looking beyond those relying parties with a formal requirement to perform KYC checks on their customers, a bank could develop the opportunity to attract new business by offering identity services to customers who do not have any other relationship with the bank.
A second way for banks to benefit is from rethinking the compliance obligations in a business context. This perspective would more than likely improve existing operational processes as the business sought to provide a coherent service.
In addition, from a pro-active perspective, having an improved, consolidated identity profile of a customer provides the opportunity to address more personalized products and services, which will in turn undoubtedly improve the customer’s overall experience. Turning that around, knowing a customer better also improves the bank’s monitoring of any potential risk, suspicious behavior or fraudulent activity all of which is required for compliance purposes – just as it does for the relying parties.
It’s also possible that banks could position themselves as data brokers to facilitate “data markets”. In this model businesses that collected data could have a different way to monetize that data by selling it to other companies with the appropriate consent of the customers and brokered by the banks.
Data Providers
Many modern startups are built with the express purpose of collecting customer data in order to provide better, more useful and more profitable services. Given this model, where the data can actually be the most valuable intellectual property of the company it might be hard to imagine how sharing data with other companies might be a wise idea.
However, unless one is already one of the largest “FANG”[2] companies, the chances are that one will struggle to monetize one’s data beyond one’s core service. Therefore, it could make sense, with chosen partners, to monetize one’s data further by selling it (assuming one’s customers consented). This is especially true as data is “non-rivalrous”; that is, letting someone else have the same data does not reduce the value of the data to the providing party. Besides the revenue potential, one’s customers could potentially benefit from improved services that jumped company boundaries and may appreciate this open ecosystem.
Banks could provide the infrastructure, rules and trusted oversight to grow these types of market. And assuming this all happened, data providers would benefit from many of the same security and compliance services the banks offer to the relying parties.
Finding the Right Solution
Although all banks and financial institutions have a wealth of database and data storage systems at their disposal, it is very likely that for the purposes of providing an IdP service a new architectural and/or technology approach will be necessary.
Model Choices
There are several high level approaches that a bank can make in seeking to provide an IdP service, either in isolation or as part of a network or consortium:
| Model | Description | Evaluation |
|---|---|---|
| A single identity repository | A bank acts as a customer’s principal IdP and is responsible for collecting and storing all the attributes the customer wishes to have held. | Clear lines of responsibility for support or other issues. Customers might then be at their mercy in terms of quality of service provision but might be prepared to accept that for the convenience of a single provider. Other companies may not be excited about having the customer “take” all of their data. |
| Distributed identity repositories | A bank holds a customer’s key attributes, say, for KYC purposes, but any relying party wishing access to other attributes or for other purposes would have to revert to other IdPs. | Lessens the role of the bank, but in many cases that might be considered enough. There is the advantage that no attributes are transferred, but for the customer there is a greater inconvenience, not least that it becomes complex to grant permissions and keep track of who has what data. |
| Federated identity repositories | A bank acting as a customer’s principal IdP is the initial point of contact for a relying party. The bank holds a customer’s key attributes but then enables access to additional attributes from other IdPs that the customer has permissioned it to utilize. | This reduces the responsibility of the bank in terms of collection and storage in that no attributes are transferred. But it has the distinct advantage of appearing to the customer as a one-stop service. |
| Distributed IdPs | A similar model to federation (above) but one in which a customer elects to have more than one principal IdP. | This works for customers who do not want to rely on one IdP, but inevitably at a cost. As above, granting permissions and keeping track of who has what data becomes complex. |
Figure 5: A selection of IdP models
Each of these models has its pros and cons, but in our view, the most likely outcome from a consumer perspective will be the last model: Distributed IdPs. Our reason for selecting this model is that it provides benefit and flexibility to all participants in the network. For customers, it provides the greatest flexibility, safety and ability to guard against a single point of failure. For banks, it provides a model where they can still be at the heart of the customer experience, holding critical customer information and providing a governance role for other data. And, of course, other participants are not restricted to accepting the service of only one provider.
The key change to existing bank operations to enable this model will be the seamless exchange and updating of attributes between disparate applications (entities). Currently banks struggle to share information across divisions inside their own institutions for a combination of reasons: legacy systems; different types of identity data required for different purposes; and regulations concerning privacy and protection of customer data. So although the technological elements of the identity service are fairly basic (storage, transfer, entitlements), banks will have to develop a new architecture.
Currently bank data models are based on “account no.” as the most atomic element. In a new model, a different attribute representing a unique identity would be the most atomic element and, from that, all other data, such as KYC attributes and bank accounts, would be linked.
With identity as the key attribute, banks would then need to build sophisticated permissioning/entitlements services associated with those identities. The reason for this is to ensure that all the requisite permissions to share any particular piece of data are granted by the appropriate authorities. For example, suppose a customer in Singapore wanted to open a US bank account at the same bank, at least two sets of permissions would have to be granted. First the customer themselves would have to authorize the use of their own data by the US entity; and second, a Singaporean compliance officer would have to sign off that the data could leave the country.
Finally, the relying party could choose to copy the data over to their database or choose to request the data every time they needed to use it. Each of these decisions has pros and cons (how do you ensure the database is up to date if it is copied versus how many read requests could the providing database realistically respond to). And, naturally, the data exchange will probably need to be two-way – what if the customer updates their address at the relying party rather than at the bank?
There are many other factors that will have to be considered from a data privacy perspective, such as creating an audit trail of access and updates, developing a data lineage and so on. Although the technological elements of any identity service are fairly basic, the combination of service model, security and control will require a new approach. At their heart, an identity service provider will need to provide data storage capabilities, data transfer capabilities and atomic data permissioning capabilities.
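The three capabilities named above (storage, transfer, atomic permissioning), the identity-rooted data model and the Singapore-to-US example of two required sign-offs can be shown together in one small entitlement service. This is an added illustration, not code from the report or from any bank: identities are the root key and account numbers hang off them; a request for attributes is released only when every required role has consented (the subject always, plus a compliance officer of the data's home jurisdiction whenever the requester sits in another jurisdiction); and every decision, granted or denied, is appended to an audit trail, which also covers the audit-trail requirement in the service checklist earlier in the document. Class names, role strings and the sample customer are assumptions constructed for the example.

```python
"""Added example, not from the report: a toy entitlement service in which the
identity, not the account number, is the root key, and a cross-border
attribute request needs two sign-offs (the subject and a compliance officer
of the data's home jurisdiction) before anything is released. Every decision
is appended to an audit trail. Class and role names are assumptions."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Consent:
    identity_id: str
    requester: str         # entity asking for data, e.g. "bank-us"
    attributes: frozenset  # attributes this sign-off covers
    role: str              # "subject" or "compliance:<jurisdiction>"
    granted_by: str        # who signed; kept for the audit trail


class IdentityStore:
    """Identity-keyed store: accounts and KYC attributes hang off identity_id."""

    def __init__(self):
        self._identities = {}   # identity_id -> {"jurisdiction", "attributes", "accounts"}
        self._consents = []
        self.audit = []         # append-only list of decisions

    def add_identity(self, identity_id, jurisdiction, attributes):
        self._identities[identity_id] = {
            "jurisdiction": jurisdiction,
            "attributes": dict(attributes),
            "accounts": [],
        }

    def link_account(self, identity_id, account_no):
        # Account numbers are children of the identity, not the other way round.
        self._identities[identity_id]["accounts"].append(account_no)

    def grant(self, consent):
        self._consents.append(consent)

    def required_roles(self, identity_id, requester_jurisdiction):
        """Subject consent always; plus home-jurisdiction compliance if the data would cross a border."""
        home = self._identities[identity_id]["jurisdiction"]
        roles = {"subject"}
        if requester_jurisdiction != home:
            roles.add("compliance:" + home)
        return roles

    def request(self, requester, requester_jurisdiction, identity_id, attributes):
        """Return the attributes if every required role has signed off for exactly
        this requester and (at least) these attributes, else None. Either way the
        decision is recorded in the audit trail."""
        wanted = frozenset(attributes)
        needed = self.required_roles(identity_id, requester_jurisdiction)
        satisfied = {
            c.role for c in self._consents
            if c.identity_id == identity_id and c.requester == requester and wanted <= c.attributes
        }
        missing = needed - satisfied
        self.audit.append({
            "seq": len(self.audit) + 1,
            "requester": requester,
            "identity_id": identity_id,
            "attributes": sorted(wanted),
            "decision": "granted" if not missing else "denied",
            "missing_roles": sorted(missing),
        })
        if missing:
            return None
        record = self._identities[identity_id]["attributes"]
        return {a: record[a] for a in wanted}


def build_demo_store():
    """Constructed sample: a Singapore customer who wants to open a US account at the same bank."""
    store = IdentityStore()
    store.add_identity("id-42", "SG", {
        "legal_name": "Example Person",
        "passport_no": "X0000000",   # constructed placeholder value
        "residence": "SG",
    })
    store.link_account("id-42", "SG-ACC-001")
    return store


if __name__ == "__main__":
    store = build_demo_store()
    kyc = ["legal_name", "passport_no"]
    print(store.request("bank-us", "US", "id-42", kyc))          # None: nobody has consented
    store.grant(Consent("id-42", "bank-us", frozenset(kyc), "subject", "id-42"))
    print(store.request("bank-us", "US", "id-42", kyc))          # None: compliance:SG still missing
    store.grant(Consent("id-42", "bank-us", frozenset(kyc), "compliance:SG", "officer-sg-7"))
    print(store.request("bank-us", "US", "id-42", kyc))          # the two KYC attributes
    for entry in store.audit:
        print(entry)
```

Two design points are worth noting. Consent is scoped to a requester and an attribute set, so a sign-off that covers the KYC attributes does not silently extend to a later request that adds `residence`; and the audit trail records denials as well as grants, which is what a customer (or a regulator) needs in order to see who asked for what, not only who received it.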
Blockchain Options
One new technology that embeds features that could provide this functionality natively is blockchain. So far blockchain has generated tremendous interest in the banking community around improving the settlement and clearing of various financial instruments. However, blockchain also has the potential to facilitate the provision of identities. Again there are several implementations to consider:
| Model | Description | Evaluation |
|---|---|---|
| Private | A bank runs its own blockchain solely for the benefit of its own customers. | This model could work for the single repository model, but it is not clear that the native advantages of blockchain are completely necessary and would outweigh other methodologies. |
| Public | The bank would effectively relinquish overall ownership of its key customer data. | In addition to competitive issues, it is difficult to see banks and indeed regulators allowing a system to develop for which no-one was responsible in the event that something went wrong. |
| Self-sovereign | Controlled and run by users who have direct control of their own data and are responsible for filling out their data profile. | It would be difficult for a user to incent corporations to add to their profile as it would imply handing over control. Key management could also be an issue, as well as untangling the mess if something goes wrong. |
| Permissioning between existing (or new) databases | Blockchain “links” different databases, managing the permissioning and maintaining an audit trail of data transfer. | Few changes for individual companies. Complex to grant permissions and keep track of who has what data. |
Figure 6: Blockchain models and their applicability to banks
Due to the success and media interest that Bitcoin and other crypto-currencies have generated, most banks and financial institutions have looked at the possibilities associated with blockchain, although it remains to be seen what if anything will come of it.
Real World Examples
Although the concepts introduced in this document will for many financial institutions appear to present a new and novel direction, several banks have been providing an identity service to their customers for a number of years. It is probably no coincidence that over the same period many European countries have issued electronic identity cards that have had varying degrees of take-up beyond mandatory governmental requirements. This is quite marked in the Scandinavian countries, where the use of a bank-issued identity for non-banking applications has been, in some cases, common practice for over ten years, particularly in conjunction with government services, such as filing a tax return. There is a similar system emerging in the Netherlands, where the banks’ issuance of IDs is in parallel to that of the government.
A spur for both governments and banks is the coming into force of the identity services aspect of the eIDAS regulation in September 2018, which will facilitate the much-needed interoperability of identity services between EU Member States, as described in TechVision Research’s Opportunities in Europe with Electronic Identity and Trust Services.
There are also a number of experimental pilots and projects emerging in Europe, North America and throughout Asia Pacific, some of which are leveraging blockchain technology.
Listed at Annex A are some examples of how some banks, primarily in Europe, are starting to explore the provision of identity services.
Corporate Readiness & First Steps
The opportunity to develop a new line of business is generally attractive to any successful company, particularly one which offers to cement a long term relationship with its customers, retain their loyalty and outsmart the competition. The challenge is reconciling a well-articulated vision and ambition with the reality of existing processes and procedures, internal divisions and a reluctance to change, particularly when existing and long-established lines of business are still producing a handsome return on investment. Before a decision to move ahead is made, there will inevitably be protests that the new idea can wait behind other, higher priority claims. Even if the first attempt to promote an identity service stumbles, eventually, we believe, it will meet with success.
There are six steps that banks can take to provide an identity service, not only to their existing customers but with the potential to grow and expand into a separate business line that aligns with what we believe is a credible and viable future direction for the financial community. The steps outlined below will vary based on the size and complexity of each organization, its legacy systems and the overall readiness of senior management to embrace change.
Step 1: Winning The Argument
This is going to be a significant strategic move for any bank, large or small, and the first step is convincing senior executives that not only is this a ‘nice idea’ but in fact a necessary one from a mid- to long term perspective. Amongst the myriad other changes and disruptions in the financial world, a bank’s relationship with its customers will remain paramount and, if anything, will become even more significant than it is today. The changes in legislation, in particular the introduction of GDPR in May 2018, will change customer attitudes to who they share their data with. This will create a very competitive environment introducing new players for new types of services – and will be customer-driven. The key message then is to keep ahead of the competition.
Step 2: Building The Business Case
The next step is to build a business case to transform the bank’s relationship with its customers or more specifically their data. The discussion should address scope along the lines of the options outlined above, determine priorities, outline budget availability and desired timelines with a set of outputs resulting in a clear, high-level strategy that addresses all the external-facing demands and expectations.
Step 3: Getting Consensus
In most banks, customer data is held in a variety of distinct silos and not shared between departments. So the next stage involves bringing the high level strategy to a wider group of internal stakeholders to agree in principle what data is going to be shared, what business model to adopt and which external partners – if any – to collaborate with.
It’s vitally important throughout the planning and execution to keep the following involved:
- Representatives – decision-makers – from relevant LOBs
- The CPO or data protection officer to ensure that what is planned is aligned with privacy legislation and best practices
- Potential external stakeholders, from relying partners to other identity providers, should also be consulted at this stage about how they would like to integrate with the proposed new system. Adopting an outward-facing approach particularly if it brings with it IDaaS experience can ensure greater mutual success for all concerned – a definite win-win.
- The CISO to assess potential areas of security concerns from data breaches and cyber-attacks.
- The CIO to understand the potential infrastructure implications and requirements for hardware and software
The various policies that have been put in place should be reviewed at least every three months.
Step 4: Review Of Internal Systems
Once agreement has been reached as to which departments are going to participate in the identity initiative, the next step is to review the data assets available: how and where they’re kept and how they should be federated or at least managed together.
It’s reasonably likely that for historical reasons there will be a hotch-potch of systems that use different data models and storage technologies. It would be fortuitous if one is appropriate for the task of providing an IDaaS, but more probable that a new system will be required that is cloud-based, demonstrates better performance and scalability and is user-friendly.
Step 5: Designing The Model
Despite the compromises that were made in reaching a consensus in Step 2, the time has come to agree how the new system is going to work, which identity model to utilize and how that generates the proposed business model.
Identity structures are universal across the IDaaS system but at the same time provide enough scope for different stakeholder LOBs to make their own choices.
An additional option would be to provide customers easy access to their personal data, either to review or to submit new information or attributes to their profile through a self-service portal that will then require some degree of post-validation on the submitted data, either against a fixed set of criteria or in real-time using context-based analytics.
Step 6: Creating Awareness, Generating Noise
Once the service is ready to go live, it is important to keep all the stakeholders who were consulted at the earlier stages briefed on timelines and precisely what service is going to be offered. This is a really new departure for the bank and a potential indicator of wider changes and new directions to come. Given that it will change public and professional perceptions of the bank and what it stands for, letting news of the new service, the benefits and early successes, be known far and wide will position the bank well, especially in a new competitive environment.
Conclusion
It is apparent that there is a great opportunity for banks to leverage the information that they already possess about their customers as part of their normal retail or trading business. Unlike virtually any other vertical sector that is in a position to offer identity services, banks are highly regulated and are trusted to handle their customers’ most valuable assets – despite, not because of, the disastrous stories associated with banks and bankers that have made headlines over the last ten to fifteen years.
The further advantage that banks have is that they are already obliged to carry out most of the work required to set up an identity service in order to comply with the growing number of security, identity and privacy regulations. One of the main challenges facing the larger banks is how to reconcile the information barriers that exist between different divisions, particularly investment. There is nevertheless plenty of scope to offer a comprehensive service to retail customers and to extend that service directly or indirectly to relying parties in a way that could make a credible business model and at the same time provide considerable convenience to both customers and the relying parties.
Until recently the requirement for a customer-centric identity service was the stuff of long term visions, and the idea that a bank would provide such a service would have been considered outlandish. But the demands of today’s heavy dependence on the Internet for every aspect of daily life have made the absence of safe, secure and reliable personal credentials one of the barriers to the growth of the digital economy.
The challenges facing the banking community come from a reluctance to introduce new business models, as well as having to adapt legacy systems to ones that might accrue regulatory risk. We believe that the risks involved are not as significant as not grasping the opportunity to diversify and provide what would be a very welcome service to both business and personal customers.
TechVision Research has both the banking and identity experience to provide assistance in making such a project work, and we would be delighted to hear from you.
Glossary
2EMD Second E-Money Directive
AMLD4 Anti-Money Laundering 4
CIAM Customer Identity and Access Management
CRM Customer Relationship Management
EIAM Enterprise Identity and Access Management
EU European Union
GDPR General Data Protection Regulation
IdP Identity Provider
KYC Know Your Customer
LOB Line of Business
PSD2 Payment Services Directive 2
About TechVision
World-class research requires world-class consulting analysts and our team is just that. Gaining value from research also means having access to research. All TechVision Research licenses are enterprise licenses; this means everyone that needs access to content can have it. We know major technology initiatives involve many different skill sets across an organization and limiting content to a few can compromise the effectiveness of the team and the success of the initiative. Our research leverages our team’s in-depth knowledge as well as their real-world consulting experience. We combine great analyst skills with real world client experiences to provide a deep and balanced perspective.
TechVision Consulting builds off our research with specific projects to help organizations better understand, architect, select, build, and deploy infrastructure technologies. Our well-rounded experience and strong analytical skills help us separate the hype from the reality. This provides organizations with a deeper understanding of the full scope of vendor capabilities, product life cycles, and a basis for making more informed decisions. We also support vendors when they carry out a product and strategy review and assessment, a requirement analysis, a target market assessment, a technology trend analysis, a go-to-market plan assessment, or a gap analysis.
TechVision Updates will provide regular updates on the latest developments with respect to the issues addressed in this report.
About the Authors
David Goodman has over 25 years of experience in senior identity management positions in Europe and the US. He led two prominent pioneering EC-funded projects then worked for IBM, first with Lotus and later Tivoli. He has led several start-ups in the identity space and spent eight years in senior product management roles for telecom providers Apertio, Nokia Siemens Networks and Ericsson. He has worked as a technology analyst and consulted with some of the largest companies in Europe and the US. He has broad insights across the European privacy/regulatory environment, European clients and vendors.
Rhomaios Ram is a former Banking Executive with 22+ years of experience at Deutsche Bank. He has worked across a wide variety of wholesale banking businesses and held several leadership positions including European Head of FX, Global Head of Markets Electronic Distribution, Global Head of Product Management for Transaction Banking and European Head of Transaction Banking. Most recently, Rhom was Founding Partner of Deutsche Digital Bank. Most of his experience has been developing businesses where the product is at the intersection of finance and technology. He has a BSc. from Imperial College London and an MBA from Columbia Business School.
Annex A – Real World Examples
BankID in Sweden[3]
First issued in 2003, the Swedish BankID was developed by a network of banks[4] and is the leading electronic identification in Sweden used by 7.5 million people on a regular basis for a wide variety of private and public services. It provides a citizen authentication solution that allows companies, banks and government agencies to authenticate and conclude agreements with individuals.
Citizens can use BankID for many services provided by central government, municipalities, banks and companies, from online and mobile banking and e-commerce to tax declarations. BankID is used both for digital identification and for signing transactions and documents. Under Swedish law, and within the EU, a BankID signature is an advanced electronic signature, and a signature made with a BankID is legally binding.
The customer’s identity is guaranteed by the bank that issued the BankID; authorities, companies and other organizations relying on it must still check the validity of the customer’s identity and signature. BankID is available as a smart card, as a soft (file-based) certificate and on mobile devices.
Companies wishing to use BankID as part of their services have to sign an agreement with a BankID-issuing bank which provides access to all clients holding a BankID, irrespective of which bank issued it.
Barclays and GOV.UK Verify
The GOV.UK Verify programme provides a way for UK citizens to identify themselves online, in order to use government services such as the self-assessment tax return securely, by registering and verifying themselves with one of eight certified companies. Barclays was the first bank to be chosen as one of these certified identity providers; its Barclays Identity Service is available to all UK citizens and residents, whether or not they are Barclays customers.
To register with the Barclays Identity Service, users go through a one-off registration process in which they provide a UK passport, a UK driving licence and a bank account, which Barclays checks against third-party sources. Users are also asked questions drawn from their credit file that only they should be able to answer. Once registration is complete, they can log on to any government service displaying the GOV.UK Verify logo using just a username, a password and their mobile phone.
According to Catherine McGrath, Managing Director, Transactional Products and Payments for Barclays UK,
“We’re at an inflection point in banking. Our moment of transformation is coming up pretty soon. We at Barclays recognise that there’s a significant transition and the way we’ve done things for the last 300 years might not be the way we do things for the next ten. Part of the transformation means recognising that as a customer you’ll be able to get all your information about your finances from somewhere other than a bank, so banks have a couple of choices. We can either become that place and use your information in a way that’s insightful and can make a difference for you, or we can become a faceless entity at the back. I think Barclays is at a fantastic place to do really well through this transition, and develop even stronger, more trusted relationships with our customers.”
“The way I look at it is that in the past, we trusted banks with looking after our money. As we go forward, in addition to our money, our data becomes something that’s incredibly valuable and important and can be used for our customers’ benefit or harm. All the skillsets and characteristics that banks have in looking after money can allow a customer to trust them with their data as well.”
McGrath believes that banks can become “trusted stores of data as well as of money”, an area that puts them in competition with newer fintech companies.
“We are this large-scale organisation with thousands of colleagues who talk to customers daily. If you take that alongside digital data and information, and different processes we’re building around that, I think we can serve and support customers in ways we’ve never been able to before. And with that extra personal interface, we can do it better than any of the fintechs do.”
“You’re likely to trust a highly regulated, established, listed company with big security firewalls more than you do a new company. Banks haven’t been thinking of themselves as being custodians of data as much as money, but as we move into an age where data is more and more important and consumers become aware that data is precious, there’s a role for the bank to help the consumer protect that and make better decisions about what they want to share, and how frequently.”
“But the regulations present significant opportunities for banks if we choose to embrace them. With the opportunities that both tech and the regulations present, Barclays has to ask itself what role it chooses to play in that and how that changes what we can offer customers.”
Deutsche Bank, Postbank and a German consortium
Below is an extract from a media release issued on May 8, 2017 from Frankfurt am Main[5]:
Allianz, Axel Springer, Daimler, Deutsche Bank with Postbank, Core, and Here to launch joint platform for online registration, e-identity and data services
Leading German and European companies have stated their intention to cooperate more closely to establish a joint, pan-industry platform for online registration, e-identity and data services. The aim is to make online registration simpler and more secure for clients. The participating companies have signed a corresponding declaration of intent. The initiative was set up by Allianz, Axel Springer, Daimler and Deutsche Bank with Postbank as well as the technology think-tank Core, and Here Technologies, the location services provider.
At the heart of this new, standard access procedure for online activities is a so-called master key. Clients can use this key for registration and identification purposes across a number of industries. It is not only more convenient, but also more secure and aims to guarantee the highest standards in data security and data protection. Not only does the platform comply with EU data protection reforms, it also adheres to the provisions of the eIDAS regulation, which governs trust services for the electronic identification (eID) function.
What is more, the platform is designed to be open and compatible with ongoing projects managed by authorities under the German government and German federal states, even at local government level, for example, for citizen portals. Additional functions may follow, for instance, digital access to public authorities (e-government). Moreover, developing digital payment services and digital financial services is also possible on the platform.
Instead of focusing on individual integration solutions, the initiators are keen to use a common infrastructure, which will allow networking across businesses, as well as broader market coverage in keeping with Industry 4.0. The initiators are looking to gain more partners from a number of different sectors in the short term, including aviation companies, e-commerce agents, retailers and telecommunications companies. Preliminary negotiations are already under way with several companies that have shown interest in the platform. Among others, talks with Deutsche Telekom about joining the project have commenced recently.
The idea behind the cooperation is to provide a competitive, European response to the platform economy’s main players. The initiative is in an ongoing dialogue with a number of federal ministries – notably the Federal Ministry for Economic Affairs and Energy welcomes the initiative. The Fraunhofer Institute for Open Communication Systems (FOKUS), the European School of Management and Technology (ESMT) are also lending scientific support to the project.
Christian Sewing, Deputy CEO of Deutsche Bank, says: “We Europeans must at last fully play out our strengths in digitalisation. The time is ripe for a platform initiative of this kind. It will increase legal certainty for clients and boost the European digital economy’s growth.”
Frank Strauss, CEO of Postbank, says: “In the digital era more than ever, banks have a key role and are responsible for supporting their clients as they make their way into the digital future. That is why Postbank – one of the first online banks – is happy to join this pioneering initiative in order to ensure that its 14 million clients can place their trust in a secure and reliable digital world.”
iDIN – A Dutch Bank ID
The Dutch Payments Association (Betaalvereniging Nederland), in partnership with the Dutch government, has developed an online identification service called iDIN (identificatie inloggen), which is currently being piloted by a number of banks[6]. The scheme is designed to repeat the success of the Nordic BankID systems by providing digital identities with multiple use cases, so that companies and organisations offering online services can identify their users online.
Instead of providing identity credentials when signing up to a new service, customers can be authenticated through their bank – a process that is convenient for the customer and more secure for the service provider. iDIN works alongside DigiD, the government-issued digital identity, which can be accepted by any Dutch organisation authorised to use a customer’s citizen service number (burgerservicenummer, BSN). iDIN is intended to provide a digital ID for financial services, whereas DigiD is used for a range of public services.
Rabobank
Rabobank’s digital identity service, Rabo eBusiness, is intended to help businesses onboard customers more easily and digitise their operations, invoicing and supply chains. This new Digital Identity Service Provider (DISP) in the Netherlands is initially targeted at Dutch insurers, telcos, healthcare providers, energy firms and other financial services providers, offering a range of online log-in, identity, electronic signature and archiving services. The platform is claimed to be easy to integrate into any existing business process through its APIs.
Annex B – Upcoming EU Regulations
Finance-related
Below is a list of new or recent regulations pertaining to the financial world:
2EMD (Second e-Money Directive): Directive 2009/110/EC of the European Parliament and of the Council of 16 September 2009 on the taking up, pursuit and prudential supervision of the business of electronic money institutions amending Directives 2005/60/EC and 2006/48/EC and repealing Directive 2000/46/EC
AMLD4 (Anti-Money Laundering Directive 4): Directive (EU) 2015/849 of the European Parliament and of the Council of 20 May 2015 on the prevention of the use of the financial system for the purposes of money laundering or terrorist financing, amending Regulation (EU) No 648/2012 of the European Parliament and of the Council, and repealing Directive 2005/60/EC of the European Parliament and of the Council and Commission Directive 2006/70/EC
CSDR (Central Securities Depositories Regulation): Regulation (EU) No 909/2014 of the European Parliament and of the Council of 23 July 2014 on improving securities settlement in the European Union and on central securities depositories and amending Directives 98/26/EC and 2014/65/EU and Regulation (EU) No 236/2012
EMIR (European Market Infrastructure Regulation): Regulation (EU) No 648/2012 of the European Parliament and of the Council of 4 July 2012 on OTC derivatives, central counterparties and trade repositories
MiFID2 (Markets in Financial Instruments Directive 2): Directive 2014/65/EU of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Directive 2002/92/EC and Directive 2011/61/EU
MiFIR (Markets in Financial Instruments Regulation): Regulation (EU) No 600/2014 of the European Parliament and of the Council of 15 May 2014 on markets in financial instruments and amending Regulation (EU) No 648/2012
PSD2 (Payment Services Directive 2): Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC
SFD (Settlement Finality Directive): Directive 98/26/EC of the European Parliament and of the Council of 19 May 1998 on settlement finality in payment and securities settlement systems.
UCITS (Undertakings for Collective Investment in Transferable Securities): Directive 2014/91/EU of the European Parliament and of the Council of 23 July 2014 amending Directive 2009/65/EC on the coordination of laws, regulations and administrative provisions relating to undertakings for collective investment in transferable securities (UCITS) as regards depositary functions, remuneration policies and sanctions
Identity and privacy-related
Below is a list of new or recent identity and privacy regulations:
eIDAS (Electronic Identification and Trust Services): Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC
GDPR (General Data Protection Regulation): Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
References
[1] This is the apocryphal 3-6-3 rule where the banks borrow at 3% (from their customers), lend at 6% and are on the golf course by 3 PM.
[2] Facebook, Amazon, Netflix and Google
[3] Although this use case is about the Swedish BankID specifically, a similar system is employed in the other Scandinavian countries, notably Norway.
[4] The network of companies that developed BankID includes Danske Bank, ICA Banken, Ikano Bank, Länsförsäkringar Bank, Nordea, SEB, Skandiabanken, Sparbanken Syd, Svenska Handelsbanken, Swedbank and Ålandsbanken.
[5] https://www.db.com/newsroom_news/2017/medien/allianz-axel-springer-daimler-deutsche-bank-with-postbank-core-and-here-to-launch-joint-platform-for-online-regi-en-11533.htm
[6] iDIN is offered by the following banks: ABN AMRO, ASN, ING, Rabobank, RegioBank, SNS and Triodos.