Blog article
See all stories »

Don't you know who I am?!

No, this isn't a blog about that jobsworth bouncer at a Toronto bar who tried to stop me entering the Misys party at last year's Sibos (However, I did say 'I'm sooo Tweeting this!', before my colleague intervened - oh the shame....)

Anyway, I attended the always entertaining CSFI/Visa Europe roundtable last Thursday on digital identity. The meetings are under the Chatham House Rule, so I can't offer you lovely readers any juicy direct quotes, but I can blog away about what went on (that is fully within the spirit of the Rule, which was never meant to make a meeting private-if you don't believe me look it up) 

The roundtable focused on digital identity, and more specifically, how you identify yourself legally - such as when dealing with government agencies and your bank. 

Of course we all talked about dongles, two-factor identification, those little, bank-issued, password generator calculator things, what is not exactly happening with Project Gaia in the UK, as well as chatted about biometrics and "brain-wave identification". (That will be fun to see happen. I wonder how the public will react to a request from the likes of HSBC and Barclays to hook up with your cerebral cortex?)

The most vocal part of the roundtable came when people started discussing using third party systems or 'social sign-in', such as signing in via Amazon, or *gasp* Facebook, to gain access to pension information or your bank. 

Seriously, voices were raised, fists were pounded on the table, literally, and people barked back and forth saying things like: "There is a difference between soft identity and hard legal identity!", "You have no idea how banking really works!”, “I lock down my Facebook to the highest degree!"

...and my personal favourite:

"A terrorist could log into my bank!"

Which was met with a chorus of "That's not what we are saying AT ALL!"

To be fair no one was arguing that banks should allow (or even could allow) clients to log into their bank via Facebook and then be immediately approved for £500k mortgage on a house in Wandsworth-I mean, it's not 2005 anymore, people. 

But I was intrigued by the bank-side folks getting so worked up about 'hard identification' and dismissing 'soft and fluffy' identification coming in from the likes of Amazon and Facebook. I'll tell you why. 

I'm not native to these sceptre isles. I arrived in London on a cold wintery January in 1997, with three suitcases, a full-time job, and no bank account. (My pre-move conversation with Chase Manhattan Bank in New York about what they could offer a customer who was moving to London for 'one or two years' was met with a 'huh?').

So after two weeks working in London, I had:

  • A national insurance number
  • A full-time job
  • An address
  • A zone 1-3 travel card 
  • A paycheck

What I didn't have was:

  • Two utility bills for an address I'd lived in for over three months

Which meant I couldn't get a:

  • Bank account

Which means I couldn't (see where I'm going with this?):

  • Get paid

I went to several different high street banks eager to open a bank account, which would issue me with cheques, a debit card, an overdraft etc... so I could start buying rounds in the pub and basically contributing to the British economy. I was met with the same response at EVERY SINGLE BANK. "If you can't produce two utility bills, you can't open a bank account." 

I'm sorry, how is that 'hard' identification? How can that be better than doing an initial sign-in with something like Facebook? 

In 1997, the US-based financial director of my company had to call up the bank manager of the UK bank they did business with to beg them to give me a bank account. Seriously. Now, 15 years later, I am in full possession of a checking/savings account, ISAs, credit cards, child's trust fund and a mortgage (and a mobile phone). I thought, 'Today, in the 21st Century, UK banks couldn't possibly throw a young girl, looking to make it big in the world of journalism, out on the pavement without so much as a free pen anymore?'

But just a few months ago, I was talking with an American woman who had just transferred from her company's Los Angeles office to the London office. Practically, the first words out of her mouth to me about her first month in London were "I don't seem to be able to open a bank account..." This was 2011 - at least Facebook exists now.

For the record, personally, I'm not a big fan of signing in with Facebook - I'm hoping the issue of digital identity is solved by a digital wrap that is unique, and controlled, by each person-sort of a digital passport. But my point remains; a Facebook or Amazon sign-in is practically on par with "produce two utility bills" (and more likely to identify a newly arrived ex-pat) - so why all the big fuss?

Issues around digital identity will become increasingly urgent as the years move on and our already digitalised society continues its forward march towards a utopia ruled by robot overlords. Given the social, technical and political issues around identity - YOUR identity - I predict we shall see a lot more barking and fist slamming in rooms for some time to come. 


Comments: (12)

A Finextra member
A Finextra member 01 February, 2012, 23:05Be the first to give this comment the thumbs up 0 likes

Interesting post. I actually believe the Facebook login API is more secure than any bank login.  I would rather rely on the development of a login from one of the most talented technology businesses in the world than a bank. When I travel overseas and try to log into Facebook, it recognises that this might be dodgy and in some cases even blocks access.  Most banks could only dream of doing this. 

A Finextra member
A Finextra member 02 February, 2012, 08:55Be the first to give this comment the thumbs up 0 likes

Seriously? A quick round robin here (UK) produced about a third had had their facebook hacked, but not one their online bank accounts - and most people had more than one bank's account.

John Dring
John Dring - Intel Network Services - Swindon 02 February, 2012, 09:00Be the first to give this comment the thumbs up 0 likes

Great blog. Almost a rant, but with a purpose.  I also counted 4 direct quotes, unless they were there for artistic licence.  No organisation wants to trust identification to a third party which is why we all have so many passwords.  But Utility Bills are third party orgs, and they are no longer government ones either.  If you were to choose a third party to validate address - why not the Post Office.  Surely these days they could almost digitally know every name at every address for the past 5 years?  If they can scan post codes on every letter, why not the name.  Link it with some agreements with Billing organisations like your utilities, and it would be a great Trusted Third Party.

A Finextra member
A Finextra member 02 February, 2012, 09:31Be the first to give this comment the thumbs up 0 likes

You would be surprised how many online banking accounts get hacked. That is why there is a multi-billion dollar industry around reducing it. UK bank fraud losses continue to rise so whatever they are doing now isn’t working.

The other interesting component is the number of people who contact the bank due to a forgotten passcode incident. This costs money and is frustrating for the user. Most banks have in excess of 50,000 requests a month. Re-setting a passcode is also one of the more prevalent ways for a fraudster to hack an account. It’s a vicious cycle.

I would not propose a Facebook login as the sole means of authentication. Just as a part of it. It should obviously be combined with some other factors.  I think it is worth going for and will be interesting to see how Movenbank go with it in the US.

A Finextra member
A Finextra member 02 February, 2012, 10:02Be the first to give this comment the thumbs up 0 likes

Just a couple of thoughts.  What about those of us who care not a jot about Facebook or Paypal and can live happily without them?  Will we be forced to join these schemes?  Not likely.  I'd sooner revert to branch banking.   Now there's a thought, face to face banking with someone you know and trust.  Or isn't that the 21st century way of doing things?

A Finextra member
A Finextra member 02 February, 2012, 10:30Be the first to give this comment the thumbs up 0 likes

That assumes you 'trust' your bank, which increasingly these days people do not.  And that's not just populist anti-bank sentiment - its based on getting screwed over by 'faceless' bank organisations who do not want, and think they cannot afford, for you to talk to real people.

David Birch
David Birch - Tomorrow's Transactions - London 02 February, 2012, 12:13Be the first to give this comment the thumbs up 0 likes

Thanks for these reflections Liz. Just for clarification, the Chatham House rule is that you can say what as said, but not who said it. It's perfectly OK to say that someone said "X Y Z" at the meeting.

Look forward to seeing you at the final meeting in the series which will be on February 21st.

A Finextra member
A Finextra member 02 February, 2012, 13:31Be the first to give this comment the thumbs up 0 likes

Perhaps it's just UK banks?

Personally I've never had a problem is opening accounts in Germany, France or Switzerland a couple of weeks after arriving.

Someone else posted about using Facebook for authentication with the aim of doing online banking.  Interesting post, and interesting comments.

Personally I would not 'trust' Facebook, and in any case I do not have a FB login...

Elizabeth Lumley
Elizabeth Lumley - Girl, Disrupted - Crayford 02 February, 2012, 15:18Be the first to give this comment the thumbs up 0 likes

Wow, look at all the comments! I guess I was right, this topic can stir up a pasionate response. 

To be clear I not specifcally arguing *for* social sign in. But it instead it seems strange that so many within the banking world (OK, it may be UK only) who freak out when someone says 'Facebook sign in'. Especially since, 'produce two envolopes with someone's name and address' was a perfectly acceptable (and not very efficient for people in my sitiuation) form of identification. 

I've also never heard anyone in the 'pro-social sign in camp' argue that signing in to a bank via a third party site should be the only form of identification required. No one is arguing that.

And thanks Dave B for the clarification. Yes, I can use quotes from the CSFI/Visa Europe roundtable-I just can't attribute them to a specific person. See you on the 21st!  

A Finextra member
A Finextra member 02 February, 2012, 15:30Be the first to give this comment the thumbs up 0 likes

The point is that you can get a facebook identity with no requirements for any proof of ID at all. Using that to prove or log into anything is akin to writing on a piece of paper "my name is John Fraud at xxx address" and expecting the bank to accept it. With utility bills, you have actually to pay something to set them up, and this will be checked by the utility company who will know if an address is already using the utility - a disincentive for fraud - especially if you have to set up two of them.

A Finextra member
A Finextra member 02 February, 2012, 17:17Be the first to give this comment the thumbs up 0 likes

Great blog Elizabeth, and yes a lively CSFI Round Table- and in its own way definitely about "Innovation". Hopefully in the final RT we can move the debate on from the pure Identity /Utiltiy Bills aspects blah blah blah (which can get quite torrid) toward some real world liability aspects- and maybe focus a bit on the corporate/business/public sector aspects of assurance- specifically what happens when it all goes wrong, what if one relies upon a credential which it turns out was wrongly issued, it was bogus,it had expired or been revoked- where does the buck stop, how is liability managed ? If we can crack the interplay between the technical and legal, the operational and the "policy" dimensions of trusted electronic credentials, then (albeit maybe with some kickin'and screamin' from a few quarters), we can actually make progress along the road.

A Finextra member
A Finextra member 06 February, 2012, 13:50Be the first to give this comment the thumbs up 0 likes

Following up on the commentator who would be happy to go to his bank branch - I'm afraid that doesn't work in the 21st century - the staff in my branch change so often that they have no idea who I am. So when I go into my own branch to do something other than pay money in I still have to produce identification - passport or driving license, or - in the absence of those - the inevitable utility bill.

Is this just because the UK doesn't require identity cards? Do those European countries with ID cards (Germany, Portugal for example) avoid this problem?

Elizabeth Lumley

Elizabeth Lumley

Global FinTech Commentator

Girl, Disrupted

Member since

05 Nov 2007



Blog posts




More from Elizabeth

This post is from a series of posts in the group:

Finance 2.0

A community for discussing the application of Web 2.0 technologies to financial services.

See all