Can your bank prove it’s you – the treasurer – asking for an account to be opened or a high-value payment to be sent? How do they know it’s not a fraudster? Jonathan Williams, Principal Consultant at Mk2 Consulting Ltd, explains the role of ‘identity’ in financial services, and highlights where banks are getting it wrong.
We keep being told by legislators that we need to know who we’re doing business with, whether that’s through PSD2, GDPR, MiFID II or 4MLD. Identity is somehow a silver bullet that is going to solve all of our problems, especially those related to financial crime. But, as with ‘mobile payments’, the term ‘identity’ is interpreted in a number of different ways by different parties.
In fact, ‘identity’ as a term is misused and misunderstood. In some cases what we mean is sameness: is this the same person who enrolled on the bank account? In others, it’s about trusting data attributes: for example, are they an employee? Are they authorised to make this transaction? Normally the former is termed ‘authentication’, but PSD2 confuses this by defining it as “a procedure…to verify the identity of a payment service user or the validity of the use of a specific payment instrument”. The latter is about ‘authorisation’, and PSD2’s version of the former seems to be more onerous than just answering the question “is it them again?”. This question gets more complicated when discussing internet-connected devices.
In the world of payments, “Strong Customer Authentication” under PSD2 has been a point of debate, specifically as it applies to card payments. Scheme rules, which have historically placed the onus on the merchant (payee) to verify the identity of the cardholder (payer), now have to cope with the issuer being accountable for the authentication of their customer; this has been further clarified in an opinion from the European Banking Authority on 13 June 2018. In my opinion, this places the accountability back on the only party that has a firm relationship with the cardholder. In the world of treasury, how can my bank prove it’s really the treasurer asking for an account to be opened or a high-value payment to be sent, and not a fraudster? This is why payment service providers will be asking for more information from staff members, including their biometric information.
4MLD emphasises the importance of Customer Due Diligence. This again places the obligation on financial services firms to check who their customer is and where money is coming from and going to. The guidelines on how to comply rely significantly on paper documentation and data held in government databases, although there is work under way to allow trust in this information to be distributed in some blockchain applications.
‘Identity’ is also unclear when used to refer to accounts at social media. Facebook or Twitter ‘identities’ say little about us and how we are officially known, but may be able to help confirm we are a specific user of social media.
This also comes to a head when we talk about data subject access requests under GDPR. How do we know it’s our customer who wants a copy of their personal data, rather than a fraudster? This has led to some organisations asking for passport information, proof of address and other evidence, even if all the identifying data they originally held was an e-mail address and they therefore can’t match the identity to the person. And to spell out the potential consequences: this is an area that fraudsters will exploit. E-mails received under the banner of GDPR ‘consent’ – which aren’t generally required or legal – have already been used by criminals to obtain personal data for further criminal activity.
All of these requirements have a direct impact on financial services firms, and specifically banks. So it is surprising that they haven’t, as credit reference agencies have, leveraged the personal information they are legally bound to obtain in order to help customers prove who they are and disclose verified attributes. As an example, Barclays is the only bank which is an Identity Provider to the UK government’s identity assurance scheme.
Ultimately, we need to define what we mean by the suite of ‘identity’ solutions and what use cases they solve. While weaknesses exist, and assumptions about the strength of documentation and electronic verification lead to over-confidence, our business and personal accounts will be at risk. One thing is clear: identity starts when we are born, and any solution which doesn’t start from this point as well will merely embed a weakness into the system.
by Jonathan Williams - Principal Consultant at Mk2 Consulting Ltd
Jonathan’s career has encompassed product roles in financial technology, telecoms and cybersecurity. Most recently leading payments products at Experian, he is now an independent advisor. He helped three start-ups (Virata, Content Technologies and Eiger Systems) to IPO/acquisition, following a degree in physics and a post-graduate qualification in computing at the University of Cambridge.