A Finextra member 18 March, 2016, 23:40 1 like

PayPal have pulled out of GOV.UK Verify.

Verizon have been closed to new accounts for a fortnight now.

Barclays – like Morpho and Royal Mail – have applied for certification by tScheme but their services have not yet been approved. The Post Office's application lapsed a year ago without their service ever receiving approval.

Which leaves GB Group, who received low-grade approval, Digidentity, whose service is governed by Dutch law, and Experian.

The Royal Mail service is managed for them by GB Group.

The Post Office's service piggybacks on Digidentity.

Barclays relies on Verizon.

All these services collect a huge amount of personal information and share it widely with other organisations.

None of these services is needed as we have had the Government Gateway for the past 15 years.

A Finextra member 21 March, 2016, 09:31 0 likes

I disagree, not necessarily that  we dont need these services for Government but that we need these services for 'everything' including government.

I admire Barclays as they hang in there as the last wide spectrum payments and card services provider. They have often gone-it-alone, but in this case i believe that the Financial services industry and regultator should come in with a centrally managed ID database that locks to something we have, something we know  and the ability to make the something we have  a device or an Iris/face/fingerprint.   This could then be used for Banking, business ownership, and a host of third party applications where identity is key.  I am ex army and anti nanny-state/big government but we need to get this right, soon.....

Jan-Olof Brunila - Swedbank - Stockholm 21 March, 2016, 16:32 0 likes

Dear Finextra Member,

Look at www.bankid.com - the Swedish bank owned and managed strong electronic authentication service for both government web services use and financial industry use.  Operational for more than a decade and accepted for tax return filings, national health office finlings, municipality services, univ student allowance management and much more and also for login and transactions management in banking services. Four box model with issuer of ID, acquirer of ID, ID holder and ID relying party in order to simplify both issuance of electronic ID credentials and signing up of relying parties for all issued ID:s with a single agreement and one interface. Built in business model. In 2016 more than 2 billion verifications expected.

A Finextra member 21 March, 2016, 17:21 0 likes

Dear Finextra member

Beware of relying on biometrics like face recognition, irisprints, flat fingerprints, voiceprints, ... The false non-match rate is too high to make this flaky technology practical.

A Finextra member 21 March, 2016, 17:27 0 likes

Dear Jan-Olof Brunila

Can companies have BankID accounts? Not just individuals/natural persons but legal persons as well?

GOV.UK Verify cannot register companies, only individuals. And only those with adequate credit history.

Does registration for BankID rely on prior identification, e.g. ID cards? We don't have ID cards in the UK, as I'm sure you know. And we don't have those strong municipal links in the UK that continental countries have. Without that, do you think BankID would be feasible in the UK?

Jan-Olof Brunila - Swedbank - Stockholm 22 March, 2016, 08:14 0 likes

Dear David,

Only natural persons with social security numbers can have the BankID credentials but one can act with a power of attorney as a representative of the company. The company cannot do anything anyway since it is only a legal construction - a persin needs to act on its behalf... For instance one of the most common usage areas is the SME company tax filing which is done each month. Bank ID credentials are issued to you by your bank, normally through you ordering it in the logged in secure mode of the internet bank application. The issuer banks have already KYC:ed you when they issued to you the internet banking strong auth tools for the first time, for instance at the bank branch when you signed the agreement for banking services, showed a valid photo ID card and picked up the tools for remote banking. This has been the practice in Sweden since 1997 when internet banking rolled out. The Bank ID rolled out a few years later first on a file application for browsers, then on a smart card (photo ID card + electronis Bank ID) and card reader. Nowdays most of the bank IDs in use are mobile Bank ID:s - a secure pki application loaded onto your mobile phone, whereby the mobile phone has replaced any browser plug-ins and the need for card readers. The key issue is how do UK banks do KYC for their customers prior to opening up bank accounts and internet banking?  I am sure that banks in the UK have it well under control and could build a similar solution where banks can act as electronic ID credential issuers and relying party acquirers. Acquiring banks in Sweden charge relying parties a fee for each verification and a part of this is passed on to the ID credential issuer bank. The relying party gets access to millions of users from many banks through one technical interface - the acquiring connection. The users already know the usage interface since most use it for on-line banking as well. Normally the holders of bank ID credentials do not pay fees but nothing prohibits the issuers from charging their own customers. In the UK you also have companies like Voca/Link that could act as the verification hub procerssor on behalf of the electronic ID scheme. Not many other entities in society today have a reliable verification process for their customers - banks have a legal liability to do KYC and electronic ID issuance can be a good commercial value adding service on top of the efficiency increease in society. Banks in Norway have built a similar service.

A Finextra member 24 March, 2016, 10:48 0 likes

Dear Dear Jan-Olof

Thank you for your full reply.