Banks as identity providers?

Last week I presented on why banks should or shouldn’t become identity providers. This was at a gathering of PIMN / ECP, a Dutch community on digital identity matters. The subject was eID developments in the Netherlands, with talks on, among others, Remote Document Authentication (RDA, by RDW, as step-up authentication for DigiD, together with DUO), IRMA (by Radboud University, applying Idemix in a mobile setting) and NotarisID (public notaries as identity providers). We are currently involved in RDA, and were involved in IRMA and NotarisID at earlier stages, so it was interesting to see where these are heading.

Getting back to banks as identity providers, also known as BankID. This is again, or still, a hot subject in the Netherlands, since the banking sector is considering it. Not for the first time: the first attempt I’m aware of was in 2004 (with SURFnet), and in 2010 I was heavily involved in the cidSafe project, which tried to define a trust framework in which banks would offer their online banking identities to insurance companies (and others).

In my presentation I updated an earlier overview of online banking fraud in the Netherlands (phishing, malware). Banks in the Netherlands have been able to reduce this very significantly since 2013, see the graphs below (based on figures from the Dutch Banking Association). My guess is that banks reduced the damage per incident rather than the number of incidents, but I do not have the data to prove this.

201504 - online banking fraud in NL


In my presentation I focussed on reasons why a bank should become an identity provider and reasons why not; the list is below:

Reasons for banks to become an identity provider:

  • Costs – share the costs of establishing and maintaining a digital identity with others
  • Trust – improve their trust relationship with their customers
  • USPs – especially coverage: 85% of Dutch consumers regularly use online banking and thus already have a trustworthy digital identity (higher than in most countries!)
  • Social responsibility – banks can help out here
  • Trend – it fits the trend from online payment in webshops (iDeal) towards e-mandates and providing banking/payment data (Payment Services Directive 2, access to account, which banks will likely have to do). This makes the step towards becoming an ‘official’ identity provider a small one.
  • Relying party – banks can help create a market in which they themselves will want to be a relying party (redundancy, consumer onboarding, etc.)

Reasons for banks to not become an identity provider:

  • Liability – towards consumers and/or relying parties
  • No room on their ICT roadmap – there are other innovations that impact the ICT roadmap, there are legacy issues, etc.
  • Availability requirements – downtime for an identity provider is even worse than for an online payment provider
  • Risks for their reputation – an incident can negatively impact their reputation, including for their current core banking services
  • Privacy – consumers may not understand it, especially the privacy side
  • Additional rules and audits – banks are quite busy as it is with compliance, regulations, etc.; having to comply with even more trust frameworks will only add to this
  • More identity theft – an online banking identity will become even more attractive for identity theft, i.e., more costs to stay ahead in the rat race, and risks for their own online banking services

Overall, my two cents is that the pros outweigh the cons. Becoming an identity provider means investing in the trust relationship with their customers, which is important to stay relevant with all the changes going on in the banking sector. Or, put differently, banks may go down the same path as telcos if the Apples and Googles of the world start doing payments and identity.

My presentation (in Dutch) is on slideshare:


2 Responses to Banks as identity providers?

  1. Martijn Kaag says:

    To make a complete picture, you should also make a list of pros and cons for banks to become a service provider that outsources its IdM to certified Identity Providers.
    In Estonia, for example, where both banks and the government are issuing certified electronic identities, we see that banks now accept the online government ID and are happy to lose market share in the “identity market”.

    The advantages of outsourcing the online identities for banks are, among other things:

    – Liability is outsourced to a third party
    – Substantial cost reductions because the costs of idm are shared
    – Alignment with recent European guidelines for access to the account
    – Lower processing costs of all their customer onboarding procedures
    – Happier customers: single sign on with their preferred IdP
    – Room on their ICT roadmap because of outsourcing
    – Less identity theft

    Not sure about the cons, but I am quite sure the pros outweigh them!

    So banks: ditch your existing implementation and connect to Idensys.

  2. Chris Drake says:

    Liability can be eradicated if banks provide attestation instead of releasing credentials – so they just need to adopt a suitable identity solution and that negative problem goes away.

    identity-theft can likewise be eradicated if they select a mutual-authentication solution for their customers: you can’t steal something when it’s impossible for that “something” to be released to the wrong place!!

    Privacy issues are likewise removed through permission-based attestation – for example – if I want to prove to a nightclub bouncer that I’m old enough to drink, the bouncer’s system queries the bank, the bank requests my permission, I grant it, then the bank replies “yes”. No birthday leakage etc. takes place.

    Availability is a pretty weak negative; we’re talking regular 21st century servers – up-time is *going* to be reliable – a customer has a better chance of their wallet getting stolen than their bank’s ID system being down, that’s for SURE.

    Reputation risk – this gets eradicated along with the above

    Additional rules: this is basically the only “problem” left, except those “rules” are themselves going to be weak ones – this is new territory – it will not be official regulations, just informal low-risk stuff, and the costs of any compliance can easily be passed on.

    Or in other words… there are not really many negatives at all.

    Here’s a list from a quick search I did today proving that banks are not too worried about any negatives.

    *. UK: Barclays Bank participates in GOV.UK Verify
    *. Netherlands. Multiple Dutch banks now share the “interbank digital identity service”.
    *. Canada: Tangerine Bank, Bank of Montreal, TD Bank and Scotiabank participate in their “SecureKey” identity service.
    *. America: PayPal and others run the Connect.GOV identity service, and USAA bank also runs its own identity services (mostly for their armed-forces customers)
    *. Spain: Banco Bilbao Vizcaya Argentaria run their FiSync service, and are investing heavily in Fintech Identity
    *. Norway, Sweden: Multiple banks participate in BankID
    *. Finland: Banks (all) operate the Tupas identity system, shared and also used by govt and all tax admin systems
    *. Israel – coming too!
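The permission-based age attestation sketched in the comment above (bouncer asks, bank checks consent, bank answers only "yes" or "no"), as an added example that is not part of the original post or of any bank's system. The user records, the relying-party name, the `age>=N` predicate syntax and the signing key are all constructed for illustration; an HMAC with a key shared between bank and relying party stands in for the bank's signature so the example runs with the Python standard library only, whereas a real deployment would sign with an asymmetric key so the relying party cannot mint assertions itself.

```python
import hmac
import hashlib
import json
import re
import secrets
import time
from datetime import date

# Hypothetical signing key and constructed user records; not from any real bank.
# HMAC stands in for the IdP's signature so the example needs only the standard library.
IDP_KEY = b"example-idp-signing-key-not-real"

USERS = {
    "alice": {"birthdate": date(1990, 5, 4), "consents": {"nightclub-rp"}},
    "bob":   {"birthdate": date(2010, 1, 1), "consents": {"nightclub-rp"}},
    "carol": {"birthdate": date(1985, 2, 2), "consents": set()},   # never granted consent
}

PREDICATE_RE = re.compile(r"^age>=(\d{1,3})$")   # the only predicate this toy IdP answers


def _age_on(birthdate: date, today: date) -> int:
    """Whole years completed between birthdate and today."""
    years = today.year - birthdate.year
    if (today.month, today.day) < (birthdate.month, birthdate.day):
        years -= 1
    return years


def _canonical(payload: dict) -> bytes:
    """Deterministic serialization so signer and verifier hash identical bytes."""
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def rp_build_request(rp_id: str, predicate: str) -> dict:
    """Relying party (the bouncer's system) asks a yes/no question with a fresh nonce."""
    return {"rp_id": rp_id, "predicate": predicate, "nonce": secrets.token_hex(16)}


def idp_attest(user_id: str, request: dict, today: date = None, now: int = None, ttl: int = 60):
    """IdP side: refuse without consent, evaluate the predicate, sign only the verdict.
    Returns None when the user has not granted this relying party permission."""
    today = today or date.today()
    now = int(now if now is not None else time.time())
    user = USERS[user_id]
    if request["rp_id"] not in user["consents"]:
        return None
    m = PREDICATE_RE.match(request["predicate"])
    if not m:
        raise ValueError("unsupported predicate")
    verdict = _age_on(user["birthdate"], today) >= int(m.group(1))
    payload = {                      # note: no birthdate, no age, only the verdict
        "rp_id": request["rp_id"],   # audience: binds the assertion to this relying party
        "predicate": request["predicate"],
        "result": verdict,
        "nonce": request["nonce"],   # replay protection
        "iat": now,
        "exp": now + ttl,
    }
    sig = hmac.new(IDP_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "sig": sig}


def rp_verify(assertion: dict, request: dict, now: int = None) -> bool:
    """Relying party side: signature, nonce, audience, predicate and expiry must all match."""
    now = int(now if now is not None else time.time())
    payload = assertion["payload"]
    expected = hmac.new(IDP_KEY, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, assertion["sig"]):
        return False
    if payload["nonce"] != request["nonce"] or payload["rp_id"] != request["rp_id"]:
        return False
    if payload["predicate"] != request["predicate"]:
        return False
    return payload["iat"] <= now < payload["exp"]


def leaks_birthdate(assertion: dict, user_id: str) -> bool:
    """Check that the signed payload carries neither the birthdate nor the birth year."""
    fields = {k: v for k, v in assertion["payload"].items() if k != "nonce"}
    blob = _canonical(fields)
    bd = USERS[user_id]["birthdate"]
    return bd.isoformat().encode() in blob or str(bd.year).encode() in blob


if __name__ == "__main__":
    req = rp_build_request("nightclub-rp", "age>=18")
    for who in ("alice", "bob", "carol"):
        a = idp_attest(who, req, today=date(2025, 6, 1))
        print(who, "refused" if a is None else (a["payload"]["result"], rp_verify(a, req)))
```

The nonce and audience checks are what make "attestation instead of releasing credentials" hold up in practice: a verdict captured for one bouncer cannot be replayed to another relying party or reused after it expires, and the relying party never learns more than the answer to the exact question it asked.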
