During Trustech, conferences covered various aspects of the complex relations between identity and banking services. During the conference titled “Banking IDs and Financial Authentication,” speakers from leading financial institutions, Société Générale and BBVA, gave their vision of the global need for a smoother yet secure authentication process.
The ability to prove that you are who you say you are is a fundamental piece of economic, financial and social development; as of now, over 1.1 billion people in the world are still deprived of this right according to the World Bank.
While national IDs have existed for over a century, private sector IDs are more recent, and the essential evolution is towards federated IDs where a single authentication provides the user with a wide array of services. Customers require identity systems to be accessible 24/7, to use the latest technologies while remaining user-friendly, and to be extremely secure as cybersecurity awareness is growing.
As of now, the digital ID landscape remains extremely fragmented, with identity providers (including Facebook or LinkedIn), authentication providers (such as OpenID, One ID, etc.), companies involved in identity (Daon, Oracle, Centrify and others) and identity applications (including Trulioo, Jumio, …).
Financial institutions are constantly exploring all the options for remote authentication, such as cross-channel journeys (combining remote and face-to-face identification), enhanced KYC (Know Your Customer) measures, video conferences, biometric identification, selfies, use of existing trust services, digital identity or even relying on e-merchants.
These processes have to be evaluated in the context of the eIDAS (Electronic Identification, Authentication and Trust Services) standardization framework, which defines three levels of confidence: low, substantial and high. As many situations require sufficiently strong authentication, solution providers are evolving from the low or low-plus level to substantial, often by combining identity evidence provided by a government with verification that the identity is genuine and that the risks of duplication, forgery, theft, ... have been mitigated.
As both financial institutions and customers are asking for more online and fewer face-to-face interactions, the industry is evolving towards more KYC performed by remote online means. The banks’ expertise in risk management is essential for new steps in the authentication process, which must take into account multiple factors such as the circumstances of the business operation, risk factors associated with the usual place of residence of a given customer, cash-intensive activities, countries not belonging to the EU, transactions that favor anonymity, etc.
Financial institutions have an opportunity to become trusted identity providers, as they have long experience in validating identities, they are trusted by the general public, they are used to standardization and compliance, and they are supported by the regulatory environment.
Two-factor authentication is an accepted method for Strong Customer Authentication (SCA) as required by the PSD2 (Second Payment Services Directive), which has opened the door to a proliferation of technologies in the identity field.
However, separate initiatives may actually slow down the development of efficient ID systems. Only wide-reach federated ID systems can provide the required service while keeping users satisfied. As of now, an interesting example comes from Sweden, with BankID, created by a federation of banks and widely used across services, even by government services. BankID is said to reach 80% of the Swedes!
If our industry is ready to set up efficient federated ID systems based on a combination of the expertise brought by technology providers and the background in risk management from the financial institutions, we will be setting up the identity framework that’s needed at the beginning of this century. If not, as nature abhors a vacuum, other players, such as the Big Tech or GAFAs, will be ready to propose their vision of identity, which may not coincide with ours.