Banks as identity providers?

Last week I presented on why banks should or shouldn’t become identity providers. This was during a gathering of PIMN / ECP, a Dutch community on digital identity related matters. The subject was eID developments in the Netherlands, with also talks on a.o. Remote Document Authentication (by RDW, as step-up authentication for DigiD, together with DUO), IMRA (by Radboud University, applying Idemix in a mobile setting) and NotarisID (public notaries as identity providers). RDA we’re currenty involved in, IRMA and NotarisID we were in earlier stages, and it was interesting to see where these are heading.

Getting back to banks as identity providers, also known as BankID. This is again, or still, a hot subject in the Netherlands since the banking sector is considering this. Not for the first time. The first time I’m aware of was in 2004 (with SURFnet). And in 2010 I was heavily involved in the cidSafe project which tried to define a trust frameworks in which banks would offer their online banking identities to insurance companies (and others).

In my presentation I updated a previous overview on online banking fraud in the Netherlands (phishing, malware). Banks in the Netherlands have been able to reduce this very significantly after 2013, see the graphs below (based on numbers from the Dutch Banking Association). I think because banks were able to reduce the damage per incident, not the amount of incidents, but I do not have the data to prove this.

201504 - online banking fraud in NL

 

I focussed in my presentation on reasons a bank should become an identity provider and reasons why  not to, below the list:

Reasons for banks to become an identity provider:

  •  – share the costs of establishing and maintaining a digital identity with others
  • Trust – improve their trust relationship with their customers
  • USPs – especially coverage, 85% of Dutch consumers regularly use online banking and thus have a trustworthy digital identity (higher than most countries!)
  • Social responsibility – banks can help out here
  • Trend – it fits in the trend from online payment in webshops (iDeal) towards e-mandates and provide banking/payment data (Payment Services Directive 2, access to account, banks will likely have to do this).  This makes the step towards becoming a ‘official’ identity provider small.
  • Relying party  – banks can help create a market in which they will want to be relying party (redundancy, consumer onboarding etc)

Reasons for banks to not become an identity provider:

  • Liability – towards consumer and/or relying party
  • No room on their ICT roadmap – there are other innovations with impact the ICT roadmap, there are legacy issues etc
  • Availability requirements  – downtime for an identity provider is even worse than for an online payment provider
  • Risks for their reputation – incident can negatively impact their reputation, also for their current core banking services
  • Privacy – consumers may not understand, especially the privacy side
  • Additional rules and audits – banks are quite busy as it is with compliance, regulations etc, having to comply to even more trust frameworks will only add to this
  • More identity theft – online banking identity will become even more attractive for identity theft, i.e., more costs to stay ahead in the rat race and risks for their own online banking services

Overall my 2 cents is that the pro’s outweigh the con’s. Becoming an identity provider means investing in the trust relationship with their customers which is important to stay relevant with all the changes going on in the banking sector. Or put differently, banks may go down the same path as telco’s if the Apple’s and Google’s of the world start doing payments and identity.

My presentation (in Dutch) is on slideshare:

.

One Response to Banks as identity providers?

  1. Martijn Kaag says:

    To make a complete picture, you should also make a list of pro- and cons for banks to become a service provider that outsource their IdM to certified Identity Providers.
    In Estland, for example, where both banks and the government are issuing certified electronic identities, we see that banks now accept the online government ID and are happy to loose marketshare in the “identity market”.

    The advantages of outsourcing the online identities for banks are, among other things:

    – Liability is outsourced to a third party
    – Substantial cost reductions because the costs of idm are shared
    – Alignment with recent European guidelines for access to the account
    – Lower processing costs of all their customer on boarding procedures
    – Happier customers: single sign on with their preferred IdP
    – Room on their ICT roadmap because of outsourcing
    – Less identity theft

    Not sure about the cons, but I am quite sure the pro’s outweigh them!

    So banks: ditch your existing implementation and connect to Idensys.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s