For banking and financial services across the globe that embrace digital ID, the benefits will be vast. The digital ID ecosystem to enable this now exists and is rapidly expanding. Offerings are emerging around the globe that allow financial services firms
to access digital IDs from a range of suppliers – spearheaded in the UK, for example, by trade bodies like TISA and UK Finance. These offerings ensure that the digital ID ecosystem works well for all the parties involved - the banking and financial service
providers that will come to accept and rely on digital ID, their consumer and business customers, the trust framework creators and the growing market of digital ID providers.
Our in-depth work with these businesses, governments and trade bodies across various sectors, however, has shown that the same myths and questions constantly appear around digital ID. They are proving to be stubborn barriers for this sector in moving forward.
Below are some of the myths and issues that come up time and time again, and we have sought to provide clarity on them.
Will fraud be an issue? Will a reusable digital ID and the data it holds be as safe as methods used today? Where will liability lie if fraud takes place?
In many countries, a key approach to digital ID is decentralisation. This means the users data is not kept in one central database that may be vulnerable to attack. Instead, it’s a distributed approach to holding the user’s data, kept in a protected format
on the user's own device or in a user specific space in the cloud.
In general, however, it will be the role of a digital ID trust framework that will be vital here. The framework will ensure that ID providers are certified to global security standards for data access and management, which includes ensuring data is encrypted
in transit and, where appropriate, at rest. It also means that data will have to be protected by robust authenticators, such as biometrics, which are inherently difficult to copy or reproduce - face, fingerprint or iris are unique – so only the genuine user
can access their data.
These are key features of digital ID and mean that fraud will most certainly be reduced. However, fraudsters will continue to work to look for ways in and this has to remain firmly on the radar. In the event of data breach, the trust framework will require
the provider of the breached digital ID, or specifically breached credential, to suspend or close the user's ID. The ID provider will also be required to notify the real end user and all organisations impacted by the fraudulent use of the stolen ID. Additional
ID proofing or authentication may be put in place when the user next uses their ID.
ID providers who do not follow the trust framework rules, resulting in fraudsters gaining control of the digital ID, may be held liable. This liability position will depend on the rules of the specific trust framework or contractual position of the offering
the firm users to access digital ID.
Will access be an issue? Will digital ID be available to everyone, or work everywhere, or will it exacerbate existing access and inclusion challenges?
Significant work has, and still is, taking place to address these issues and ensure anyone can get a digital ID if they want one. Our own work on this through the OIX Inclusion Steering Group, which including representatives from across the public, private
and third sectors, has highlighted that there must be alternative methods for those who do not have digitally presentable evidence (ie a driver’s licence or passport). Equally, assisted digital capabilities must be available to ensure those who need help obtaining
or using a digital ID are able to access it.
Key initiatives are underway. For example, our proposal for a Digital Vouch with Photo capability shows how users with no documentation may be brought into the digital ID ecosystem by a voucher acting on their behalf.
There is also an incorrect belief that digital IDs won’t operate in areas where there is no network signal available. A robust trust framework will ensure that they hold local secure signed copies of credentials that can be presented without the need to
reference the issuer directly.
And finally, there is a concern that not everyone will want a digital ID. A good trust framework will ensure that users have alternative methods to access services. This may include other digital methods to access services, such as direct proofing and account
issue by service providers, as happens today. Or it may include the use of non-digital means of identification, such as traditional identity documents.
The issue of exploitation – will organisation with access to the data in a digital ID be able to exploit data?
The key here is that digital IDs will operate strictly within local data protection legislation, such as GDPR, so only the person whose data and digital ID it is will be able to access and manage it. They will control which third party the data can be released
to, permit the movement of their data from one identity provider to another and can ask for it to be deleted at any time.
If data within a digital ID is updated, it is validated and verified again, so that it can be trusted by those the user shares it with. Where information cannot be validated, this will be highlighted with each attribute having a validated
or un-validated status attached. The user will see a list of organisations with whom the data was previously shared and can choose who should receive an update. Organisations can choose to subscribe to these update services.
If a person loses their device, their digital ID is usually securely backed up in the cloud in a distributed way, so it can be easily recovered to a new device. However, it’s best for organisations to look for digital IDs that are not reliant on one device.
Seeking out clarification
The ability to establish trust has become far more complex than it’s ever been, but digital ID is proving far more effective in enabling it than the IDs issued directly by online organisations. In fact, digital ID will be a game changer for this industry,
but the many misconceptions that are still held about digital ID are holding the industry back.
Many of the perceived challenges either have or are currently being addressed. There are major initiatives underway, thanks to organisations like the OIX, trade bodies and governments, to move digital ID to a place that it works well for everyone. Banking
and financial services organisations that still have unanswered questions and unresolved concerns must reach out to any of these parties for clarification, or find themselves left behind as digital ID is adopted by other sectors at a faster pace.