Last week I presented on why banks should or shouldn’t become identity providers. This was during a gathering of PIMN / ECP, a Dutch community on digital identity related matters. The subject was eID developments in the Netherlands, with talks also on, among others, Remote Document Authentication (by RDW, as step-up authentication for DigiD, together with DUO), IRMA (by Radboud University, applying Idemix in a mobile setting) and NotarisID (public notaries as identity providers). RDA we’re currently involved in, IRMA and NotarisID we were in earlier stages, and it was interesting to see where these are heading.
Getting back to banks as identity providers, also known as BankID. This is again, or still, a hot subject in the Netherlands since the banking sector is considering this. Not for the first time. The first time I’m aware of was in 2004 (with SURFnet). And in 2010 I was heavily involved in the cidSafe project, which tried to define a trust framework in which banks would offer their online banking identities to insurance companies (and others).
In my presentation I updated a previous overview on online banking fraud in the Netherlands (phishing, malware). Banks in the Netherlands have been able to reduce this very significantly after 2013, see the graphs below (based on numbers from the Dutch Banking Association). I think this is because banks were able to reduce the damage per incident, not the number of incidents, but I do not have the data to prove this.
In my presentation I focussed on reasons a bank should become an identity provider and reasons why not to; the list is below:
Reasons for banks to become an identity provider:
- € – share the costs of establishing and maintaining a digital identity with others
- Trust – improve their trust relationship with their customers
- USPs – especially coverage, 85% of Dutch consumers regularly use online banking and thus have a trustworthy digital identity (higher than most countries!)
- Social responsibility – banks can help out here
- Trend – it fits in the trend from online payment in webshops (iDeal) towards e-mandates and providing banking/payment data (Payment Services Directive 2, access to account, banks will likely have to do this). This makes the step towards becoming an ‘official’ identity provider small.
- Relying party – banks can help create a market in which they will themselves want to be a relying party (redundancy, consumer onboarding etc.)
Reasons for banks to not become an identity provider:
- Liability – towards consumer and/or relying party
- No room on their ICT roadmap – there are other innovations that impact the ICT roadmap, there are legacy issues etc.
- Availability requirements – downtime for an identity provider is even worse than for an online payment provider
- Risks for their reputation – an incident can negatively impact their reputation, also for their current core banking services
- Privacy – consumers may not understand, especially the privacy side
- Additional rules and audits – banks are quite busy as it is with compliance, regulations etc.; having to comply with even more trust frameworks will only add to this
- More identity theft – the online banking identity will become even more attractive for identity theft, i.e., more costs to stay ahead in the rat race and more risk for their own online banking services
Overall my 2 cents is that the pros outweigh the cons. Becoming an identity provider means investing in the trust relationship with their customers, which is important to stay relevant with all the changes going on in the banking sector. Or put differently, banks may go down the same path as telcos if the Apples and Googles of the world start doing payments and identity.
My presentation (in Dutch) is on slideshare: