Banks - ‘The UK can totally trust us to deliver digital IDs!’
A techUK roundtable on digital IDs in the banking sector – and beyond – seemed upbeat and innovative. But really, it revealed a massive cart being put before a small, mysterious horse.
The financial world is in turmoil once again, with memories of the 2008-09 crisis triggered this month by the collapse of both the Silicon Valley Bank (SVB) and crypto-focused Signature Bank. Meanwhile, scandal-magnet Credit Suisse is seeking a $54 billion lifeline from the Swiss National Bank, and US banks are partnering to prop up First Republic. A Guardian report this morning said that US banks have borrowed $300 billion from the Federal Reserve this week.
Contagion spreads in this nervous, interconnected world, with investors in all these institutions – Norway holds shares in both SVB and Credit Suisse, for example – facing big losses. The revelation that the CFO of SVB previously held the same position at Lehman Brothers has hardly helped consumers look to the future with a spring in their steps. And as if that wasn’t enough, the European Central Bank this week raised interest rates to their highest since… 2008.
Not the best time, then, for the banking industry to suggest that – because it is widely trusted, no less – it should be the arbiter, manager, and perhaps even provider of a citizens’ digital identity scheme in the UK.
Yet that was the message from a techUK roundtable this month, in the wake of former political adversaries Tony Blair and Lord Hague urging the nation to adopt digital IDs, linked to biometric data, in an article for The Times in February.
So, why does the finance sector believe a single digital ID is so important? Aren’t UK fintech and digital/mobile/open banking all booming without one? (Yes). And aren’t Brits living in the world’s third biggest ecommerce market, despite having a fraction of the population of numbers one and two, China and the US? (Yes).
So, in both the real and virtual worlds, what obstacle is the lack of a single digital ID really? Beyond being a minor, momentary inconvenience when setting up an online account? And if a digital token that both identifies and authenticates a user is introduced in Brexit UK – as the government tears up EU regulations, standards, and commonalities – what guarantee is there that it would be globally accepted, interoperable, trusted, and secure?
In short, what would the point be of a UK-only digital ID in a networked, cloud-based world? And what would it actually be for? [See our reports about Sir Tim Berners-Lee’s alternative approach, Solid, last year.]
But before answering any of those questions – or trying to – let’s acknowledge the elephant in the room. Why are banks laboring under the delusion that they are trusted by citizens to manage such a scheme?
This century alone, that industry has served up: subprime mortgages; the Big Short; the credit crunch; the Great Recession; a decade of austerity; market rigging and collusion (Libor, Forex); Russian money laundering; serial fraud; insider trading; IT failures that have shut customers out of their accounts; data hacks; bank collapses; PPI mis-selling; and colossal bankers’ bonuses on the back of a trillion dollars of tax-payer-funded bailouts. That hardly screams “trust us!” in the face of harried consumers.
This may be one reason why a 2022 international survey of banking customers by software company Netapp found that only 60% of UK account holders trust their own bank with their personal data: 18% fewer than the number who trust them not to lose their money.
Yet we can trust banks to manage the core identities we might soon need in every aspect of our lives, suggested the techUK event.
As Executive Director of JPMorgan Chase – currently the world’s largest bank by market capitalization ($377 billion) – Jennifer Jiang is leading the development of digital IDs, wallets, and connected finance for the company. She said:
I do feel like, collectively, we need to do more on the consumer engagement value proposition, really the implementation or adoption part.
If you look at the Nordics, right, how can we in the UK market achieve that level of success? There, 80 or more percent of the population is using the bank ID or the trusted ID in their daily lives.
We did some UK market analysis […] and what we found out is really they want transparency; they want control over sharing their data.
I was talking to a professor the other day about this general discontent over sharing data, even after three decades of tremendous success with the digital economy. And one of the reasons is the [lack of] symmetry in the value proposition. The consumer feels that by sharing their data, including sensitive data, they get too little in return.
The professor said ‘We [consumers] are treated almost like the entrée at a restaurant, we're like the steak. But there’s nothing wrong with the restaurant; the restaurant is not the problem here. But consumers want a different role: we want to be the diner. We want to be the chef. We want to be co-creating how our data is used, shared, and compiled in a way that we control.’
Introducing new problems
OK. Leaving aside metaphors and the vexed issues of a/ whether a single digital ID for citizens would in any way mandate sharing private data with the banking system, and b/ whether a single, verified ID for online transactions would have any value in the physical world, who would provide such a thing?
Jiang and other speakers appeared to believe that banks could supply a token and a portable, trusted repository of data that people could use throughout their digital and daily lives. Like Open Banking, but for everything, perhaps.
Even if that were true, claiming that an undercooked value proposition is the root cause of consumers’ lack of trust suggests a troubling lack of self-awareness in financial services. For many people still living with the hangover of the last recession, there is a problem with ‘the restaurant’ (to use that unnamed professor’s metaphor). And a big one at that.
The lack of trust and confidence that many people have when it comes to data-sharing, privacy, and security is not just to do with Big Tech and social platforms, but also with the banking sector. Don’t take my word for it: feel free to Google ‘JPMorgan’ plus a selection of terms that might include ‘fines’ and ‘lawsuits’… the choice is yours. Then repeat the exercise with every main street or high street bank and see what comes up. You’re likely to find reasons for a lot of stored-up citizen nerves and mistrust.
Of course, the wider issue is why the UK lacks a single government-issued ID in the first place. And why it relies, informally, on passports and driver’s licences – and sometimes utility bills that only constitute recent proof of address, not personal authentication. In 2023, citizens still find themselves scanning their passports or faces with their phones and emailing the jpegs to persons unknown.
In that context, a single digital ID becomes a lot more logical and attractive. Yet it may also introduce entirely new problems, especially for those who are already living in digital exclusion, or with long-term digital (and real) poverty.
One reason for the lack of a UK ID scheme in the physical world is cultural, alas: an over-bearing police force, and fears that – with a new ID system in place – stop-and-search campaigns might begin to impact on other areas of citizens’ lives, especially among ethnic minorities.
Meanwhile, the lack of clear public support for any compulsory national ID scheme arguably reflects falling trust in government, in the wake of multiple scandals this decade alone – not to mention multiple Prime Ministers.
That situation is hardly helped by, in upcoming UK local elections, elderly citizens’ bus passes, Freedom passes, and Oyster 60+ cards being accepted as mandatory proof of identity, but not Oyster 18+ cards, national railcards, or student IDs: an apparent attempt to disenfranchise younger voters. (What other explanation is there, beyond Whitehall’s implicit belief that old people can be trusted to be honest, and young people cannot?)
This is despite voter ID fraud being almost non-existent in the UK, which makes that disenfranchisement into a real national scandal. To quote the Electoral Commission, the national body that sets election standards and regulates party finances:
In the past five years, there is no evidence of large-scale electoral fraud. There were only 11 convictions and 16 cautions issued by police.
That’s 11 convictions out of the more than 46.5 million voters registered in national elections, and the 48.8 million in local ones (using 2021 figures from the Office for National Statistics). Taking the larger figure, that’s an ID fraud rate of 0.00002%. Practically zero.
A trust problem
Despite all this, Whitehall seems to be on a slow march towards introducing digital IDs, via development of the UK Digital Identity and Attributes Trust Framework, the revamped Data Protection and Digital Information Bill, and the newly created Department for Science, Innovation, and Technology (DSIT) – with the latter being a sensible move, at least.
So, how can trust be built into such a system? Seema Khinda Johnson is co-founder and CEO of decentralized ID and payments provider, Nuggets. She explained:
We set up Nuggets to solve that huge and growing trust problem. We all probably know that a trusted digital identity is almost considered like a silver bullet to solve fraud [we do?!].
When we're talking about things like verifiable credentials, one of the things we absolutely believe is that personal information should be owned and controlled by the person [the data subject]. But we need to create utility within that and have a big strategy on aligning identity and payments, and how that actually solves the fraud issue.
Granted, it might help prevent some frauds that make use of the banking sector, but would it solve financial crime by the banking sector? That aside, she continued:
We've had the UK trust framework as well. So, for the first time, a decentralized, self- sovereign identity got classified in terms of low, medium, and high [risk] for DBS checks [the Disclosure and Barring Service for criminal convictions]. Right to Work, Right to Rent, all these really useful things that end users have to do – and share lots of information to do it. Finally, we can do it in a self-sovereign, controlled way.
And the other thing is, the Tony Blair Institute has published a report calling for decentralized ID solutions and wallets. For us, that was another big tick for this, the momentum that's happening.
Well, if you can’t trust former UK Prime Minister Tony Blair, who can you trust! Then she added:
So, I love that we're talking about how we create this meaningful role in people’s everyday lives. As a movement, everything below the iceberg [not the best metaphor, Seema!] – whether it's the technology, the open standards – we're still not there. How that interoperability works, how does that standardization happen from one type of identity into a federated identity...
But it's brilliant that we're working across those working groups, to make that a reality.
An inflection point
All of which suggests an industry that is working towards solving hugely complex delivery and security problems that, once solved, will then solve unknown problems for UK citizens (beyond those caused by the momentary inconvenience of two-factor ID or card readers, perhaps).
Lewis Cannon is Principal at strategy advisors and management consultants Oliver Wyman. He said:
I think there needs to be a more nuanced conversation around what it actually means to own your own personal data. I do think that there is an opportunity for, if you like, people who don't want digital identity to have a digital identity. They want it for the benefits that it provides them, as a means to an end.
I feel we’re at an inflection point. The legislation is going to be settled by the end of the year, but what we’d like to see is a bit more collective action. What I mean is, we should think about the ecosystem as a playing field. And the DCMS [now DSIT] framework defines the different players on the pitch. But what we need to figure out is how those roles play together to create value for the customer.
Fascinating, because it suggests an industry that has identified what digital ID will do for the banking sector, but has yet to identify what problem it solves for citizens or consumers. Shouldn’t that have come first?!
And according to another speaker at the techUK event, the government hasn’t identified one either, beyond a general desire to introduce a digital identity scheme to appease authoritarian back benchers. Adrian Field, Director of Market Development for single-identity provider OneID, said:
I certainly think what we're missing in the UK is a joined-up vision. I’d like to see DSIT and the Cabinet Office working together to align on one framework for the UK. Let's simplify it for ourselves. It’s complex at the moment, so let's make it simpler. Let's have one framework we all agree on that works across all sectors. That’s everyone, one choice of identity provider that I can use in any sector.
And who could that be, Adrian? He continued:
As for the value proposition, let's give people the tools to affect and assert their data rights. So, how can I move my data? How can I delete my data? How can I port it from one place to another? Make that easy for me, just give me a screen and a button so I can do that.
The common framework is one thing. But we need some outcomes: what are the target outcomes that we're trying to achieve from this? The government seems to be shying away from setting any outcomes. But if you don't have outcomes, you're never going to achieve them.
To sum up: the government has no idea what it wants to achieve or why. Individual departments aren’t aligned, and in the isolated new case where ID is now mandatory in the UK – voting – it solves a problem that watchdogs say just doesn’t exist. A 0.00002% solution.
But the banking industry believes a single, portable digital ID would be a good idea, because of reasons that largely seem to benefit itself: innovation, income, new contracts, new deals.
And having reached that conclusion, that same industry is now sat around a table with itself, trying to work out how all this might actually benefit the customer – after the fact. Because guess what? Consumers really, really trust and have confidence in banks!
All together now: NO. THEY. DON’T.