A few months ago, the Australian banking consortium BPAY announced the cancellation of its promising and well-funded account portability project, MAMBO. What does this mean for the even more audacious plans for federated identity in banking? The US government's National Strategy for Trusted Identities in Cyberspace (NSTIC) envisions using university student cards to log onto banks; on Finextra's pages, Brett King argues that social logon is inevitable in banking. The MAMBO experience suggests otherwise.
Project MAMBO ran for four years from 2007 and strove to leverage the hugely successful BPAY online billing infrastructure. With BPAY, tens of thousands of Australian businesses have unique Biller Numbers that are recognised by all institutions; it was thought that individual customers could equally be given Biller Numbers independent from their home banks and through which they could receive funds from any other account. This would break the back of the account portability problem, providing life-long
Bank account numbers are classic examples of digital identities. They might look like simple numbers, but they're really proxies for the relationships that different customers have with their institution. If it seems intuitive that a number should be portable, the intuition is simply wrong, for the relationships that stand behind each account are complex, amorphous, context-dependent and not intrinsically interoperable.
The real reason banks are uncomfortable allowing others to leverage their customer identification is that it would require them to warrant customer identity in transactions over which the bank has no control. This is an untenable risk management situation.
Existing identification protocols and contracts do not contemplate customers asserting their bona fides to third parties unrelated to the bank. To fill in the gaps, federated identity contracts have to join these extra parties somehow to the bank, and put limits on exactly what the customers can do with the extended identities. The contracts become unusually complex compared with regular banking agreements.
So there is no theoretical barrier to federating identities, but the legal arrangements become utterly unwieldy, as MAMBO evidently discovered.
Account portability and federating identities across governments, universities and social networks sound straightforward, but they actually entail re-engineering the ways that banks relate to their customers. The cost of creating a whole new customer management paradigm is just not worth it.