Dictum meum pactum
“My word is my bond” was the motto for trading in London Stock Exchange since 18:th century. If you made a verbal agreement, you backed it up with your money.
Something similar is conveyed in the proclamation by Dave Birch, a well-known UK payments specialist, in his book “Identity is the new money”, published in 2014. He suggested that
”Identity and money are changing profoundly, because of technological change, and these two trends are converging so that all we will need for transacting will be our identities” continuing
”We all need to start planning for the transition to identity-based transactions”.
In 2014 this was visionary, at least to all of us working with digital identity and payments. But today, it is quickly becoming reality and mainstream. Digital identity services are scaling fast, payments are on the leading front of fintech revolution, banking
interfaces are becoming open and consumers expect instant and convenient online payments.
Internet was designed to connect machines, not people
Internet was designed for machines to exchange data, not for people to conduct business. Large part of today’s user pain and digital fraud is focused on how we authenticate and create trust between online counterparties. If you don’t know who is on the other
side, their word has no value as a bond.
There is a whole industry of fraudsters online. Every year 120M variants of malware are being developed[1],
much of it trying to capture our personal information. Stolen identity is valuable - and it can be used to defraud money in endless ways. The cost of identity theft is not limited to direct monetary losses. Privacy is being compromised, trust is being eroded
and the benefits of digitalization to society are diminished, all because of identity fraud.
Username and password (UN-PW) has for too long been the primary, if not only, choice we had to prove ourselves online. But it has obvious drawbacks both on convenience and security. Several billion data sets are breached per year.[2]
Our UN-PW’s are in the wrong hands, as is our personal information and payment credentials.
Digital identity solutions are good at solving many of these challenges. Having a high-security digital identity with 2-factor authentication overcomes most of the UN-PW problems. Mobile phone is the ideal platform for digital identity – it is always with
you, always connected to network and mobile number is the leading global identifier through which identification requests find you. Additionally, smart-phones have biometric sensors for convenient transactions and multiple other features that can be used to
improve security.
Digital identity has been slow to grow but is now going mainstream everywhere
First legally recognized digital identity solutions were launched in Finland more than 10 years ago. Since then Mobile Identity solutions have been scaling across multiple countries like in Nordics, Baltics, Switzerland, Austria and South Korea. Now they
are going mainstream across some of the largest markets globally like China, Germany, UK, Canada and many others. Driving this proliferation of Mobile ID solutions is the intersection of fast growth in internet commerce and biometrics on mobile.
Identity solutions come in many forms and shapes but each of them has four distinct functionalities to cover. First is user enrolment, where a person’s identity is verified (proofed), authentication credentials are issued, and the user’s identity profile
is established. Second is authentication - the action of verifying that the counterparty is in fact the correct, intended person. Increasingly this is done by entering PIN code or with biometric data – fingerprint, face recognition or iris scan are the most
common. If correct, the requesting counterparty (relying party) receives confirmation of your identity from the Identity Provider (IdP). Third step, transaction authorization, can be separate or combined with authentication. Fourth and final step is processing
the authorized transaction. Depending on the use case, processing can mean thigs like granting access, storing consent or transferring money.
Each of these four steps is currently undergoing rapid development. New regulations[3]
are setting standards for enrolling user identities remotely, i.e. online rather than through physical f2f meeting. Technologies for face recognition, document verification and identity attribute checks have matured to become usable for secure, fast and relatively
convenient and cheap electronic identity verification at scale across borders. In identity and banking jargon this is called eKYC (eKnowYourCustomer). After first establishment of strong digital identity, further enrolment is fast, cheap and secure with identity
switching.
Mobile phone -based authentication has traditionally used One Time Passwords (from SMS or security token) or SIM-based security keys. These are being pushed into history as high-security smart phone apps take their place with compelling benefits in user
experience, versatility, cost, distribution logistics through app stores and the ability to use mobile phone security capabilities like biometrics.
Development of high-security mobile app based biometric authentication has been boosted by the need for mobile banking and payments as well as new payments regulation like PSD2[4].
Currently, though, there are still only few app developers that have a market-proven level of high security and long-time customer references to back it up. Building a true high-security app is a considerable challenge and much out of the scope for most app
developers.
Combining secure authentication, transaction authorization and instant payment processing fulfils the promise of identity as proxy for money. A simple fingerprint confirmation sends funds to recipient, often using phone number as the account identifier.
Digital wallet services like PayPal, Apple Pay and AliPay confirm transfers immediately and even these are superseded by instant mobile payment services like Swish in Sweden, Venmo in USA and many others in which also the money arrives instantly.
Look into the future of identity and money
Payment is just one type of digital transaction. Most digital transactions do not involve direct money transfer at all - European Banking Authority (EBA) has estimated that only 20% do[5].
Therefore, identity is much bigger than just payments.
Traditionally payment systems integrate authentication and money processing into one service bundle - often with multiple middle-men involved each taking their cut from transaction value. Like in credit-card payments. But this is becoming dis-integrated.
Payment is authorized through identity solution and money transfer is processed separately through whichever payment rails are most efficient for the transaction at hand. The processing is just data transfer, albeit with high security requirements, between
user and merchant accounts. It will be commoditized and free. The value in payments migrates into the identity solution, which is better placed to manage the transaction risk. “Your identity is your bond” and it is backed up by your account balance or credit-line.
The Identity Provider guarantees that counterparties are correct and insures against identity fraud in transaction.
Looking much further into the future, there is a distinct likelihood that both identity and money itself will become “digitalized”. Distributed identity solutions have compelling advantages for privacy-by-design, but even more importantly third-party certification
of user attributes is both cheaper and more secure than using centralized attribute data services.
In a Bitcoin-type world, money could mean reliable stable-coin cryptocurrency holdings stored as security keys in your “identity wallet” that can be transferred as payment to any other recipient wallet with a secure authentication transaction – instantly
and for free. Transaction processing automation could be taken further with smart contracts, i.e. by adding executable code on top of digital money. Regulators combatting money laundering would have access to an immutable audit trail. Combining digital identity
with cryptocurrency provides the security layer - nobody else than the rightful owner can access or transfer money. My identity would become my money.
Janne Jutila
Espoo, Finland 10.2.2019
The writer has a long background on leading development of digital identity solutions on corporate, national and global level.
The opinions expressed in this text are the writers own and do not necessarily reflect those of the companies that he is affiliated with.
Comments and discussion are welcome – the challenge of progress is of such size and importance that we all need to contribute to achieve it
[1] McKinsey 2018
[2] McKinsey 2018
[3] Multiple new regulations, such as eIDAS, PSD2
and AMLD 4 & 5 within EU and NIST 800-63 in US. Payment Services Directive 2 (PSD2) mandating the use of strong 2-factor authentication in payments within EU in near future
[4] PSD2 = Payment Services Directive 2 has a requirement
of strong 2-factor authentication for most payment transactions above EUR 30 within EU.
[5] European Banking Authority paper ’From check-out
to check-in’ 2014