Senior executives, commentators and analysts all agree – a workable digital identity is key to next-generation payments. Without functioning digital ID, the payments revolution will stall. But as state-sponsored national ID schemes, private sector schemes and hybrid public-private digital IDs proliferate, where is digital ID heading? PCM Managing Editor James Wood lines up on parade.
At the recent Money2020 Europe conference in Amsterdam, there was universal acknowledgement of the need for a comprehensive form of digital identity to enable digital payments. A functioning digital ID scheme in Western markets would also fight fraud and allow global players to overcome interoperability issues with national schemes, making real the payments dream of “anywhere, anytime, any place – over any device.”
In the anti-fraud arena, card-not-present fraud through contactless payments rose last year by 65 percent in the UK alone to £1.1 million. While still minuscule in the context of overall fraud, this is the fastest-growing fraud category, and likely to grow further as contactless payments proliferate. When it comes to contactless, digital ID could seamlessly confirm the identity of transacting parties, enhancing security.
Get on board
The digital ID challenge has two parts: so-called “onboarding”, or registering new customers for your services, and then using digital ID to enable the transaction process. As The Battle to Onboard, a recent study by Norwegian eID firm Signicat, demonstrates, nearly 40 percent of European customers have abandoned online registration processes because these processes were too arduous, or because they didn’t trust the company or service provider. As Signicat’s study shows, banks are by some distance the most trusted when it comes to protecting consumer data (see figure one).
Many European countries, and an increasing number of Asian and Latin American nations, have adopted national “bank ID” schemes that offer easy and secure access to government services as well as bank and payment services. In Sweden, BankID enables access to the popular SWISH instant payment application; in Canada, SecureKey ID is now fully partnered with Canada’s six leading banks – and also offers access to tax payments, utilities billing and other services. With the advent of PSD2, such national schemes offer the prospect of a single identity across a wide range of services, delivered via a banking platform.
However, such schemes provide only part of the answer – and at a national, rather than an international level. There is wide variation both in terms of what the schemes deliver, and how they are structured. What’s more, they do not engage with cross-border and international payments – although Mastercard recently announced a pan-Nordics partnership with the P27 Payments Platform to provide real-time and batch payments in multiple currencies across the region. When it comes to onboarding, current products are typically limited to individual countries, are widely diverse in their make-up, and are broadly very much still in development. That said, the situation is improving, as Janne Jutila, VP of Business Development at AllClear ID, notes: “Market fragmentation is the main challenge in digital ID. However, enrollment and eKYC are becoming much more efficient thanks to efforts by the banks.”
Taking it personally
If banks and governments are making progress on the enrollment side, then a different, though related, challenge presents itself for using digital ID to secure payments. PSD2 offers many opportunities for European non-bank actors in payments, as well as banks: but the requirement for two-factor authentication under Secure Customer Authentication (SCA) is a real compliance challenge. Using a digital ID in the transaction process means combining a confirmed ID (such as a stored software “cookie” on a mobile device or PC) with a second factor. This second factor could be anything from fingerprint or facial recognition through to passcodes or passwords; and thus a second layer of fragmentation and complexity enters the digital ID market. Put simply, there’s too much variation in the numerous digital ID schemes on offer at the moment.
In addition to meeting the regulatory challenge of SCA compliance, payments firms also have to deal with two fast-growing trends that are driving the push to create strong digital identity. These are the rise of mobile as the primary payments channel – and contactless as the preferred method of payment. According to data from CB Insights, mobile grew from 16 percent of all customer interactions for UK banks in 2011 to 56 percent by 2016 – a compound annual growth rate of forty-three percent.
At the same time, contactless transactions using mobile are now the fastest-growing payments segment, and are predicted to grow at 80 percent per year in the US to the end of 2020. Combine this data with the trend towards “neo-banking”, or pure-play digital banks (see Card Notes, p.11) and the need for a comprehensive, secure and easy-to-use digital ID is clear.
Shaping the future
If the need for strong digital ID is well established, then the form such ID will take is much less clear. Ben Goodman, SVP of Global Business Development at US digital ID provider ForgeRock, says there is a real danger of what he calls a “Nascar flag” situation developing for consumers, in which they are presented with too many choices in confirming their ID on-line. Part of the answer, according to Goodman, is to use AI to sift out some of these options, for instance by not showing Apple sign-in options to Android users. Goodman says, “it’s a question of balancing user needs [for a low-friction solution] with security and levels of assurance.”
At present, the landscape is so opaque that competing claims proliferate as to the way forward. Mastercard recently published a positioning paper, Restoring Trust in a Digital World, that envisages a digital ID system based on “co-dependence, collaboration, partnership and orchestration”, with users in control of who gets their data, and what they do with it.
However, the industry is by no means convinced that giving users complete control over their data is the way forward. As John Erik Setsaas, VP of Innovation and Identity at Signicat, puts it, “Users can sometimes struggle to manage their passwords. If that’s the case, why would they be able to manage their digital ID?”
In what has become something of an industry canard, a role is now being mooted for blockchain technology in digital ID. As a pointer to this role, Brazil plans to introduce a blockchain-based digital ID system using Hyperledger Fabric to log in to its bank payments system. Proponents of blockchain-based digital ID argue that such systems would combine total user control with the speed and convenience consumers are looking for. Knowmenow, a Malta-based start-up, has launched a solution which creates both public and private security keys encrypted and distributed via the Ethereum blockchain.
One attraction of such blockchain-based digital ID systems for payments companies and consumers is the reusable nature of this identity in different contexts once it’s been established. For instance, a strong ID developed using blockchain in a transaction could be transferred within a financial institution for Know Your Customer (KYC) and Anti-Money Laundering (AML) purposes. A further element of blockchain-based identity, and one attractive to consumers, is that there’s no need to permission the ID via passwords or biometric elements, since these can be contained within the blockchain. This would potentially both speed up and simplify the identification process. Aside from the benefits for consumers, blockchain ID could also be easily transferred for access to health and welfare, education or employment services.
The usual doubts about blockchain’s capacity to scale, and its limitations as regards computing and power consumption, must be raised here: as must other problems the industry faces which have nothing to do with blockchain’s potential, but are all about privacy and security concerns – either on the blockchain, or using other systems.
There’s a rising tide of opinion which believes that GDPR rules are going to have to be reviewed if meaningful digital ID systems are to be effective. At present, GDPR is seen as relying too heavily on pop-ups and cookies for consent: it’s far better, some argue (and arguably more efficient), to establish a basis in law which clarifies what data consumers surrender by registering with a service provider, rather than repeatedly seeking consent. As Godwin Schembri, Co-Founder and CTO at Knowmenow, puts it, “Consumers will end up rejecting GDPR in its current form, as it blocks too many appealing technological features. As things stand, GDPR is quickly becoming outdated, and we’ll see it relaxed according to the benefits of data-driven technologies in the future.”
So while there may be regulatory changes ahead, we can expect to see continued proliferation of national and private digital ID schemes in the future. However, most industry executives agree that a combination of a pre-authenticated, highly-secure mobile app with biometric factors for confirmation is most likely to succeed. As Janne Jutila from AllClear ID puts it, “The combination of highly secure SmartPhone Apps with confirmation factors based on biometrics is the most promising option out there right now.”
What’s more – while it may sound like something from a Philip K Dick novel – using risk engines to determine a consumer’s geospatial positioning patterns, their purchase habits and even how they hold their phone is seen as a rich seam for the development of future digital ID systems. Such systems would require less manual verification, but are more invasive of consumer privacy. Mastercard purchased NuData Security in mid-2018 to develop precisely this capability and, while such systems may be some way off, they could cut through the tangled web of digital identity systems currently available.
It’s also possible to see digital ID as being at the same stage as e-mail in the 1990s, with many different providers offering weak interoperability between their systems, and little user consensus as to which systems are preferred. Over time, some e-mail systems became dominant, and all became more interoperable with each other, which in turn made e-mail more popular and easier to use. Whichever future emerges for digital ID, there is an urgent need for further development in this space, what with rising fraud in mobile contactless payments, the advent of digital-only neo-banks and the transactional friction that Secure Customer Authentication promises to bring.