Building for the Future of Digital Identity and Payments
On Tuesday, December 3rd, the One World Identity (OWI) team and Uniken hosted a KNOW Identity Forum in London, Europe’s financial services center, to discuss the second Payment Services Directive (PSD2), strong authentication, and the future of open banking.
Over the past decade, we’ve experienced explosive innovation in the financial services market that have opened up new payment methods, approaches to finance, and digital lending. These platforms, however, rely heavily on the accessibility to consumer’s data and transaction history that is being held by traditional financial institutions. Understandably, banks have been less than excited to provide easy access to their customer’s data to the rest of the market.
In 2015, the European Parliament adopted PSD2 to promote a more pan-European financial services industry and stimulate the development and adoption of innovative payment solutions. PSD2 requires financial institutions to open their APIs to third party requests. The mandate also stipulates that banks must implement a Strong Customer Authentication (SCA) solution that must verify authentic authentication requests and securely transmit personal data.
PSD2 was set to go into full effect in September 2019. Over the summer, with the deadline fast approaching, regulators received tremendous feedback from the banks that the SCA component of the mandate would not be met by the deadline. The UK’s Financial Conduct Authority (FCA) eventually granted the 18-month extension, setting the new deadline for early 2021.
At the KNOW Identity Forum in London, we brought together industry professionals focused on building the next-generation of PSD2 compliant enterprise products. The Forum brought together an expert panel including Joacim Andersson, Consultant, Former Director of Risk & Data at iZettle, GDC Compliance Advisory Board member and Steve Pannifer, COO and digital identity lead at Consult Hyperion. There was also a LIVE State of Identity Podcast featuring Bimal Gandhi, CEO of Uniken, Sunil Gossain, VP of EMEA at Uniken, and Cameron D’Ambrosi, principal here at OWI.
Please visit here for the full State of Identity podcast recording and show notes.
PSD2, how did we get here?
The evening’s conversation started off with a head-first dive into one of the longest standing debates in the digital identity community - the pros and cons of a national identity scheme.
On the pro side, a national identity scheme would establish strong universal verified identity credentials, force the creation of interoperability standards, and facilitate centralized administration of government programs. Furthermore, supporters of a national identity scheme strongly believe successful coordination between private industry and the government could eliminate the risks associated with digital identity and free up companies to focus on product innovation.
Sweden, for example, launched BankID in 2014 as a joint infrastructure between consumers, the government, and private industries to facilitate the secure verification and authentication of digital credentials. BankID isn’t compulsory in Sweden but a 2019 report by Arkwright notes a 78% penetration rate. And similar to the UK, Sweden initialized BankID through the financial institutions, but has since expanded beyond that sector.
“This new business model is nowadays also used beyond the financial sector,” the report continues, “ The trust gained through this venture has enabled the collaborating banks to develop new solutions and products together, which can be implemented much faster in the market.”
On the opposing side, by consolidating all of the data in one location, you are creating a “honeypot” or a treasure trove of information. Over the past several years, it’s evident from Equifax, AshleyMadison, Verizon, among many others, that consumer's personal data is very valuable to state actors and criminal syndicates.
And criminals know there is no such thing as an impenetrable system; but rather they ask themselves the simple question of — is what the system is structured to protect valuable enough to justify the effort and risk of breaking into it?
Despite the drawbacks, PSD2 is the UK government's attempt to force financial services to participate in secure data sharing. However, some of the delays can be attributed to the hesitation parties have in opening up their data caches.
Will SCA damper innovation?
The next question posed to the panel, was whether or not they believed the SCA requirement has the potential to damper innovation.
The panel unanimously agreed this was a valid concern.
“In the U.K., we are much more competitive than collaborative… the big four banks are part of the PSD2 because they have to, not because they want to” said a panelist, and this a major hurdle we have to overcome to realize the potential value of a truly open ecosystem.
Collaboration is a key driver for innovation. Bringing together different perspectives and resources from a diverse set of stakeholders inevitably produces unique solutions to persistent challenges. Collaboration also diffuses decision making risks among network partners, allowing for more forward-thinking ideas to be introduced.
The main concern against PSD2 is that banks are going to try everything they can to prevent the growth of third party services. Specifically, the SCA requirement might introduce sufficient friction for users to prevent adoption. The panel continued that government-driven change rarely has the same market effect as organic industry growth. However, they did preface these arguments with an observation that PSD2 has forced banks to rethink their approach to identity, and this could have major benefits.
One of these major benefits is increased focus on digital identity more holistically. The panel outlined the digital identity building blocks — Creation, Verification, Authentication, Authorization, and Federation. These building blocks are married to one another like a linked chain. PSD2 forces companies to strengthen the authentication link of the chain and will have ripple effects into the other links. The panel was optimistic that strengthening one link is encouraging banks to bolster other processes.
Can the UK achieve identity federation at scale?
The conversation concluded with a question from the audience on whether the panel thought PSD2 would be successful in pushing the UK towards a more inclusive digital identity landscape.
The panel speculated a bleak future.
“In the UK, I am struggling to see how we will achieve identity federation at scale,” said a panelist.
The UK is very similar to the U.S., in that, companies still believe digital identity is a competitive advantage. Companies who’ve heavily invested in robust digital identity strategies are reluctant to concede this value to competitors who decided to prioritize other areas.
Until major institutions are convinced an expansive trust network between government and the private sector is a net positive, we should not expect any major disruptions.
And that’s a wrap for the KNOW Identity Forum 2019 Roadshow - What’s Next?
Many thanks to the speakers and attendees who participated in the London, and all of our KNOW Identity Forum! And a special thanks to our partner Uniken for their continued work in the digital identity and security space and all of their support in this forum series. At the front lines of innovation, they continue to push the conversation forward and provide the industry with best-in-class solutions. We will be announcing our KNOW Identity Forum 2020 schedule of events in early January of next year, so keep an eye on our social media channels! And the KNOW roadshow culminates in the annual KNOW Identity Conference in April 2020. We hope to see you there!