This week, LexisNexis® Risk Solutions and Finextra Research held Trust:Live 2023, the exclusive in-person event for all fraud and identity decision makers focusing on the latest challenges in establishing trust to protect customers, defend brands, or meet the needs of evolving business models.
Register your interest for our event in 2024.
Discussing the core elements of the evolution of trust: Identity, Intelligence, and Innovation, the agenda curated by Finextra explores real-life projects that banks, payments providers, fintech firms, governments and regulators are currently working on.
Steve Elliot, managing director, UK&I, LexisNexis Risk Solutions was welcomed to the stage by Gary Wright, head of research, Finextra, setting the scene for the day and exploring what will form the future of identity trust.
Kicking off the second Trust:Live event, Elliot explored how the event aims to challenge thinking and provide “real solutions to societal problems that exist today.” One such problem is the cost of compliance.
Elliot said: “We’re all busy trying to comply with regulations in the market. The cost of compliance for UK financial services companies at the moment is over £34 billion per year […] That’s money that could be better spent producing better products for consumers, could be better spent investing internally in the firm.”
Financial inclusion is another societal issue. Elliot called out that he estimates that “there are about seven million people that are financially excluded and those people can’t be credit scored effectively because they don’t have enough data. We don’t have any data at all appearing in their credit files. This is a real problem for society. That means they’re not getting access to affordable credit, instead they’re getting credit at a higher price than they should pay.”
Elliot concluded by stating that resolving the cost of fraud “is in the hands of the people in the room here today.” Further, “we’re at a turning point because data and technology allows us to actually target the criminals, allows us to drive down the cost of compliance, and allows us to include more people in the markets.”
How will identity trust evolve?
In the opening keynote, ‘Identity, Intelligence, and Innovation – the evolution of trust’ head of risk insights and advisory at Aite-Novarica Group, Julie Conroy, discussed how innovations in data technology and behavioural science are enabling trust. In the introduction to the event, Conroy explicated how financial organisations are navigating new customer relationships with increased factors.
Conroy opened with a powerful statement: “identity is fundamental to trusted commerce.” She continued that more technology is available to businesses than ever before, there are more tools at institutions’ disposal to combat fraud and keep up with the rapid pace of digital acceleration. However, due to the increased attack surface area, the number of fraudsters has also skyrocketed.
She touched on the challenges facing trust identity, “Regulation is driving investments in a myriad of ways around the globe. We have this patchwork of regulation that is completely non-standardised. Anybody with a global footprint is having to struggle to make sure that users are getting the right local friction in the EU versus a much less regulated friction in markets such as the US and Canada.”
Conroy said that there is a complacency with many consumers according to a survey conducted in 2018 and then again recently, having seen no development. Consumers consistently have bad password hygiene, in that they are reusing passwords and usernames, making it easier for scammers. A silver lining amongst all of this bad news is that the younger generation have less attachments to usernames and passwords and a preference to facial and fingerprint biometrics, making their accounts more secure and setting a hopeful path for the future of consumer accountability.
Conroy expressed that the fraud and AML space is exciting, as it is always progressing, but it can be incredibly frustrating, as “innovation precedes security.”
Conroy closed on where organisations need to focus their resources: “Effective identity controls are essential to that control framework. Truly understanding the customer base on a whole host of different data inputs, on their understanding and what behaviour is normal for them, is key. When we surveyed financial institutions about what their most pressing investments will be over the next year or two, identity controls topped that list.”
What is the future of identity trust?
On the first panel of Trust Live: ‘What is the future of identity trust?’, head of research at Finextra Gary Wright moderated a discussion on how different industries are participating in change in trust and identity and balancing consumer demand, with director of consumer financial crime policy at Paysafe Group Diana Zavoianu, head of fraud at Sky Andrew Mayo.
Mayo called digital data “the great equalizer”, explaining that “markets are a particular challenge. You get used to operating certain way with different systems and data when entering a new market with new conditions. I think adjusting to whatever is available locally is really important. Digital data is not necessarily reliant on having a credit bureau in a particular market, for example. Having a consistent set of tools to deploy wherever you go is a really useful bit of your arsenal to have when entering new territory.”
On how consumers can be better informed on their password hygiene and become better educated on being accountable when it comes to protecting their online accounts, Mayo touched on how there has been many campaigns in the effort, but there is still much to be accomplished. He explains that there is a large safety net with many banks where they will be willing to refund consumers when they make mistakes, but there is more to be taught on accountability.
Zavoianu commented on rethinking the customer journey and implementing it in an effective way: “I think in the space of digital wallets, we have a broad range of industries that we are going to be working in, covering from e-cash and digital wallets payment processing. We have a focus on identity device fingerprint and a suite of tools that allow us to either split the controls into directions, which are the controls that allow us to trust our existing user base and gain trust at the onboarding phase or the customer that we have never seen before, and how to identify fraud there.”
Mayo stated that the maturity of Sky looking at behavioural techniques is growing, and that there are new ways of thinking that are being developed when considering differing forms of fraud and how to approach them using new technology in a way that makes a difference.
Commenting on the legacy aspect and regulatory demands impacting financial organisations, Mayo stated that “Frictionless is the wrong goal. More savvy consumers won’t necessarily want frictionless, there is a right level of friction that they need to hit or want to have. Knowing the processes undertaken by companies are secure and protected makes sense to them, and there is a level of reassurance there. I think that given enough information, consumers will trust that you can make an informed decision on their needs. I think there is an element of getting the balance right, rather than getting it so far to the extreme where it's frictionless that it becomes a problem.”
Zavoianu agreed that there is no perfect scenario in which a frictionless architecture will take form, but a fine balance needs to be found, and therein lies the challenge; to develop services that will make customers comfortable and ensure that their experiences are optimised as much as possible.
“The biggest challenge faced by fraud managers is the global nature of it,” said Mayo, explaining that in tackling fraud in a national way, from a UK perspective, there is a question of oversight in strategic plans and operating at a global level.
Zavoianu concluded: “From our perspective, definitely making sure that the controls that we put in place and the friction that we do create is following the right batch of transactions, the batch of customers that should pay more attention, whether real-time or exposed monitoring. We need to balance what do we want to real-time controlling what we pushed into a later verification? I think this also is the typology that will lead to the assessment, of true positives, false positives, and how do we enable more markets knowing that we have the capacity to set controls in advance or if something occurs and the need arises.”
Who are the guardians of identity and how can we protect the next generation of digital citizens?
There have been various attempts to create digital identity trust frameworks around the world. However, when these frameworks are created, we must consider who consumers trust when it comes to controlling access to their identity credentials and how this differs by age and background.
Conroy returned to the stage and was joined by Seema Khinda Johnson, COO and co-founder, Nuggets and Nick Mothershaw, chief identity strategist, Open Identity Exchange (OIX) for a panel moderated by Anna Milne, senior editor, Finextra.
Mothershaw started by exploring how one of the galvanisers of digital identity progress was the Covid-19 pandemic, which proved that many transactions could be done remotely. This accelerated the market by five to 10 years as digital identity credentials such as Covid passports and vaccine certificates paved the way. However, as Mothershaw mentioned, the UK has been working on trust frameworks for the last decade.
The OIX vision is one where “we can have all have a digital identity, or identities and personas, that we can use anywhere on the globe to prove who we are.” He added that he wished for digital identity to operate in the same way a payment card worked when going abroad.
Society is moving in the right direction, and individual governments are now making big moves to establish trust frameworks, namely the EU, UK, and US, but also countries like Canada, Singapore, and Australia. Progress needs to be made across certain countries before a global identity framework is achieved. He added that building a “global open policy rules exchange framework, will help smart wallets of the future will read policy and adapt when going to a new country.”
Looking to the future, Mothershaw sees more regulatory tweaks in our future and posited that progress across digital identity will result in the reduction of friction within the onboarding process with the removal of passwords and the replacement of them with biometrics.
Conroy responded and was sceptical about the removal of passwords. While she approves of OIX’s vision and a collaborative approach, “getting to that global interoperability is going to be challenging because you have such different identity constructs, market by market. And your approach to identity proofing varies wildly based on whether you’re in the UK, or you’re in Southeast Asia.”
She added that while the journey ahead of us is long, local markets have had great success with federated digital identity in regions such as the Nordics. In Conroy’s view, “using digital metadata combined with local PII is going to be the approach that we’re going to see for the foreseeable future.” However, this will be difficult to enact in countries which have dysfunctional legislative bodies.
Further, in response to Mothershaw’s comments around friction and consumer behaviour, Conroy had a slightly alternative view and explained that while there is a “security conscious subset of consumers that do want that sovereign control, I think the majority of consumers value convenience. They want to feel secure, they want to know that somebody’s got their backs, but in this age of zero liability, any overt actions that they have to take will be to proactively manage their identity.”
One solution would be to decentralise digital identity data. Mothershaw believes that distributing data removes vulnerabilities and the user has greater control over their data and consent around what is used. Conroy referenced the 2018 Aadhar breach and agreed that is a good plan to not place all identity data in one place.
Khinda Johnson explored her perspective and while she agreed that there is a great reliance on passwords, email addresses, mobile numbers and device IDs, the focus is still not on our identity. She believes that digital identity must be tied to a reusable identity that works with federated identities and with Web 3.0 – the latter being a topic that was mentioned numerous times throughout the event.
“The million-dollar question is that as technologists that work for businesses, how can we create products that have real utility that makes sese within our users’ everyday lives? I think that needs to be cracked rather than technology first. We can all agree that digital identity is the only way that we can really go about reducing fraud in a meaningful way,” Khinda Johnson said.
How can we solve digital identity exclusion and the identification gap?
For online identity trust to be successful it needs to work for all, and to be inclusive. The financial services industry must ensure the identities of the vulnerable are protected, despite the online world changing the concept of who is vulnerable.
Further, genuine digital identities must be distinguishable from synthetic ones and in preparation for a metaverse where avatars, data doubles and data twins are the norm, we must consider how challenging traditional notions of what constitutes a real identity is making it harder to assess which digital identities can be trusted.
Discussing this topic were Arif Khan, global head of GTM and strategy for innovation and ventures, HSBC; Nina Mohanty, co-founder, Bloom Money; Shahad Choudhury, founder and chief innovation officer, OpenBrix; and Richard Peers, founder, ResponsibleRisk and contributing editor, Finextra, who moderated the session.
Choudhury explained the premise of OpenBrix and stated that “self-sovereign identity is a misnomer. If you want to be truly self-sovereign, you need to create the identity yourself.” He went on to say that society as it exists today, individuals require a sovereign-based identity that is issued by the government to access certain rights. However, this is not possible for certain vulnerable groups – they are not given access if they do not have an address, for example.
Mohanty took a broad view and explained that “one of the things that we have to think about in everything that we do and in all of our industries is who holds the power in each of these solutions that we’re using, who wants to know what information and for what reason?”
Using the example of a passport being a viable form of identity documentation, Mohanty questioned why that amount of data is ever required or requested, especially in an age where identity fraud is rampant. “I'm very wary of the fact that oftentimes it's governments that are asking for information. Oftentimes, it's financial institutions that are asking for information. And we often we just give it over because we want access to things. What we have to start thinking about is: is it worth it?
Following on from these conversations around the need for identity verification and providing a banking perspective, Khan stated that there are two factors that HSBC is looking at when considering digital identity. “One is trust. And the other is validation. You have to trust the bank to be able to hold all of your data securely and you should be able to validate who you are, when and where you are in order to execute upon a transaction.”
Khan also pointed to the need to offer a seamless experience to customers, but this requires a balance with security and privacy. He also agreed that trust frameworks need to “come from the government. We can be interoperable across the entire technological infrastructure that exists today, but we cannot follow the single framework that’s in place.”
Considering Web 3.0, he alluded to the fact digital identities on the metaverse can give consumers control over their data with a tokenised ID. This would also alleviate the issue with onboarding and application abandonment.
What are the challenges to online identity trust?
In the post-coffee panel, ‘Challenges to online identity trust – taking the pulse of industry’, associate partner – risk and resilience practice at McKinsey & Company Shreyash Rajdev, chief security advisor at Microsoft Sarah Armstrong-Smith, co-director at the centre for cybercrime and economic crime at the University of Portsmouth Professor Mark Button, and director of financial crime operations at Ziglu Claire Maillet, discussed threats and concerns in online identity trust, moderated by Finextra reporter Debi Bell-Hosking.
Professor Button commented on the poll asking the audience on their biggest challenge in maintaining identity trust, in which 50% responded that they find issues with opening new accounts and onboarding, “I don’t work in the data analytics industry but one thing I do pick up is the problems in cross-checking data in different data sets. Data is seen as the panacea for all of these problems related to fraud. The hype around artificial intelligence, big data, and such often papers over some of those significant challenges.”
“Fraudsters and organised crime groups will often share information, demos, data, and typologies with each other to help them perpetrate. So why aren't we doing the same?” asked Maillet.
Armstrong-Smith stated that Microsoft blocks 77,000 password attacks per minute every day, and the most targeted entity is education. She outlines the line of attack for fraudsters: “They are trying to get as many credentials as possible and then they move up the food chain. In retail, people are creatures of habit when it comes to utilising the same password over and over again. Once they get into the retail account, they get access to even more information when it comes to your address, bank accounts, or credit card information.”
Armstrong-Smith continued to explain how credentials are sold on the dark web for as low as $1, but even more worryingly, the credentials of children are being targeted and sold as nobody is looking for them. Using the identities of children, fraudsters are able to open bank accounts and make passports, which will only be found when the child turns 18 and start to build their own credit. “It's really the attackers paradise in essence so that they can kind of touch as many as much information as possible,” she remarks.
Rajdev noted the geographical bias in different types of identity fraud typologies that concern various organisations, such as in the US where third party application is becoming more prevalent, and a great deal of economic crime is anchored in organised crime.
“When I look particularly in the UK, there is a strong nexus of third party application for turning into an industrialised sophisticated operation. This is the third party application fraud where someone you knew, or someone who broadly knew of your concerns, was able to actually open a new account or open a new service in your name. This is an industrialised operation really aimed at opening up application fraud across all numerous services across a number of different institutions, whether in financial spheres or in other sectors. It is not so much opportunistic crime anymore, it is targeted based on the harvesting of credentials.”
50% of crime in the UK is cybercrime and fraud related, but only 1% of the police force is allocated to combatting it, according to Armstrong-Smith. She continued that business email compromise is the most common form of fraud.
On the rise of first-party application fraud, Professor Button commented that the UK is in a space of financial crisis that provides more reason for fraudsters to target people. Maillet agreed and added that insider fraud is becoming more prevalent as people feel like they have no other option rather than resort to fraud due to external factors such as the pandemic, economic crises, and other redundancies that leads them to perpetuate fraud against another business or possibly their own employer.
The third poll of the session reveals that most of the audience’s organisations are concerned about balancing customer experience with risk and authentication mitigation. Rajdev stated that institutions should prioritise targeted friction and realise the nuance of various liabilities, including regulatory expectations and consumer demand.
On key takeaways, Professor Button observed: “The key challenge is about partnerships in data sharing. There is so much information lurking in different government and private organisations and there is so much more that can be done in that area. On an organisational level, I think that needs to be championed more and lobbied more by the government to enable key solutions.”
What is the citizen-first perspective of digital trust?
In the second keynote of the day, Louise French, strategy director at the Future Laboratory talks ‘The Authentaverse & The Breakers of Trust – A citizen-first perspective on digital trust’. French discussed the research collaboration with LexisNexis on the Authentaverse, a digital trust eco-system defined to ensure seamless authentication across the digital world to facilitate password integration and identity verification across all platforms.
The metaverse needs to be seamless to succeed, French said, and to do so a level of digital trust needs to be built that is engaging, free-flowing, and synergetic – unlike anything that has come before it. The Authentaverse should eliminate unwelcome friction like passwords and identity verification, and this research collaboration should provide a holistic view of the future. French highlights the value that people will hold in shared eco-systems and the value that they will get from participating in them, which will aim to bring new perspectives and create a fair and equal space for all members.
Building trust has focused on functional opportunities and thinking about what is needed by organisations within the industry, however the industry-first mindset needs to be rethought as new complexities emerge.
French noted that there is a demand for more transparency and assurances for trust when it comes to Web 3.0 as it remains an unregulated landscape, making it difficult for customers to move forward and maintain confidence in the technology.
On the evolution of trust, French remarked: “We have been through a lot in the last five years society, and those tensions are becoming even more stark. As a result of that, trust has become this precious commodity. What we are seeing is the giving and receiving of trust between citizens, businesses, governments and institutions in the digital realm especially, has become very unbalanced and inward looking. From an industry point of view, what is happening due to that defensive focus, is that the friction and complexity are increasing, making things more difficult and stifling. The seamlessness and ease that will be expected as we move into the new frontiers of our digital society will be powered by new technologies like AI and disruptive systems.”
French closed that the industry must start looking at trust more than a one-dimensional transaction and more like an adaptable organism, rather than a commodity; to think of it as a relationship built between people.
Next up was a lunchtime session hosted by Rob Woods, international director fraud and identity and Neil Costigan, chief architect behavioural biometrics and former CEO of BehavioSec, who explored the wider benefits of genuine customer trust over just fraud reduction and myth busting what constitutes quality behavioural biometrics.
Following this session, all attendees returned to the main conference room for an immersive session where a scam was brought to life with an acting troupe. Tom Garner, head of engagement, LexisNexis Risk Solutions and Jason Lane-Sellers, director, market planning, LexisNexis Risk Solutions also explored how innovative combinations of data and insight can be modelled using advanced analytics and converted into intelligence to detect these situations in real-time so that the fraud can be prevented.
What is the role of AI in protecting trusted identities?
In the next session, ‘The role of AI in protecting trusted identities’ senior reporter at Finextra Paige McNamee moderated a discussion on AI and preventative methods undertaken in security measures. The panel of experts includes CTO of LexisNexis Risk Solutions Matthias Baumhof and Dr. Shweta Singh of the Gilmore Centre for Financial Technology at the University of Warwick.
Dr. Singh expressed that there is a risk level associated with how biometric data connected to facial identity, commonly used in airports, is used and protected. She then explains that deep learning models are a subset to machine learning models that use neural nets to make accurate predictions.
Baumhof remarked that linear models are weak and cannot model more complex concepts, but with more effective models there are issues with clear text reason codes.
Dr. Singh discussed explainability in AI: “The idea is that you are using these deep learning models who have been known to have a dilemma between accuracy and scalability. You can achieve highly accurate models who can say that a customer should not be given a credit but you cannot explain why, that is a challenge. The reason I think is the fact that the current AI what we have kind of suffers from two main drawbacks or, or challenges, one of explainability and the second is bias. That bias is deep rooted in society and reflected in the training data and that actually is amplified through these machine learning and deep learning models.”
Vendors need to adhere to evolving regulation to be able to sell to banks. Dr. Singh remarks that she would like to see a clear set of guidelines from regulators on human bias and removing those biases, and to outline the differences between explainability and accuracy.
Baumhof stated that challenger and digital banks are often more AI driven, and there is likely more innovation in bias testing and they have a better handle on AI biases and controlling that.
Hidden discriminations that are within how people grow up, how they view the world, said Dr. Singh, and AI can amplify those inherent biases. Expounding on her research at Warwick, she says that current developments are looking to ensure that credit scoring will be bias free.
On her research, Dr. Singh explained their focus: “There are two interesting pieces of research we are doing. One is actually how to make sure that the credit scoring is bias free and that will be applicable to across all financial institution. The second kind of inclusion we are doing is to help explain terms and agreement in financial documents. How we can make these terms and conditions in a way which an average customer can understand and focus on the key points.”
Baumhof added that the models need to be advanced and performing at a high-level to enable financial inclusion. “To make financial inclusion a reality, you need to make good models. The more you know about the person about the transaction about how it's been done, the more you can enable people to get credit because you are only excluding those who want to steal money. That is an odd way real world behaviour in ultimately enables financial institutions. It is almost like two sides of a coin. Of course, the bias is there, but to enable financial exclusion, you need advanced models.”
Both experts agreed on a final statement, that despite developments in AI, the sector is still far off from achieving complete removal of bias in AI models and applications.
What can Web 3.0, DLT and the metaverse teach us about innovation?
In the final panel of the day, ‘What can Web 3.0, DLT, and the metaverse teach us about innovation?’, a group of experts discussed their perspectives on recent advancements in the trust space and innovative ways in which they are paving towards a new future of digital identity and trust. Moderated by Niamh Curran, reporter at Finextra, our experts were editor of Immersive Wire, Tom Ffiske, policy consultant of legal identity at the UN Development Programme Niall McCann, and founder of Women of Web3 Lauren Ingram.
Ingram described Web 3.0 as the “next major iteration of the internet, like the metaverse, we are decentralising power away from the big banks and institutions or the central social media players. What Is exciting for me with regard to innovation is the creation of new ideas and business models from scratch, applying this philosophy of democratising the internet with ownership into the hands of people and then employment in different fields.”
On the necessities for ID systems and key criteria from a legislative background, McCann stated that there are clear regulations on legal identity, such as registration of birth and certificates. However, there are other forms of legal identities such as digital ID systems and national ID cards due to persecution, colonialism, rejection of their birth certificate, among other reasons. He underlines that there is no requirement for nations to enter digital ID, but digital ID systems need to be connected with their legal IDs to ensure that they are who they say they are.
He emphasised the needs for IDs to be holistic to birth and death and be traceable, the state needs to be able to trace a human being from their life to death journey: “There are many reasons why identity variables will change throughout somebody's life, but the state simply has to know and has to be able to follow that human being from birth to death. It matters in terms of the ability to calculate our demographic statistics, our census, our rates like fertility rate, birth rate, mortality rates; everyone needs to be included in those statistics.
People cannot go off the grid or suddenly self-declare a digital ID later in life and have it separated out from state databases, particularly the ones that are core, politically important, state databases like a voter register. I don't think it's realistic to build infrastructures in identity databases that allow people to pick and choose identity systems and register different identities in different places. I think that the state, on behalf of the citizen, has to make sure that the social security system, taxation, passports, driving licence, photos, and more, are secure across all of systems, and only the state can do that. I don't think the private sector can or should be able to do that.”
Ffiske predicted the conflict between decentralised entities and centralised agencies: “I completely agree with Niall that I think digital IDs cannot be solved within the purview of private sector companies. There are examples like gaming, which are exploring creating digital identities when it comes to the metaverse and more public sector examples which is seen from time to time. I do not think there should be decentralised currencies and digital identities. I've seen plenty of cases where people lose their assets or get frauded and it's very difficult to trace them.”
Storing identity on blockchain is not an option yet, says Ffiske, but there are developments in process.
The lack of women within technology sector has created inequality in various spheres, such as biases within AI against women. Ingram says that getting more women to join the industry is an easy fix once the intimidation of acronyms and cryptic language is removed, as there is no shortage of female talent in tech and finance.
McCann expressed a fear over the policy implications for allowing people to edit, change, or delete their own identity, “I worry that if we focus an awful lot on our identity rights, then we don't focus enough on our identity responsibilities and obligations; for example, to turn up to vote with the name recorded in the voter register as per the legal identity issued by the government.”
McCann stated that independent national identity authorities should be empowered to manage identity systems, and that being managed by an independent body can reassure and assuage individuals who are worried about the government having control over their identity and privacy data.
Conroy returned to the stage to close the event, highlighting the key takeaways and insights from the day’s sessions, and considering the power of bringing together experts from across disciplines, industries, and other areas of expertise to shed new light on the evolution of identity trust. She explored the extent of innovation and complexity around the subject of identity and welcomed PaySafe’s Zavoianu and Sky’s Mayo back to the stage to answer questions that had come through on Slido.
Discussing their most memorable or innovative fraud attempt that they intercepted in their experience and what they have learnt from it, Zavoianu stated that while there have been a number of incidents throughout the years, “we have never had to stop business.” She continued: “We’ve always had the technology and the proper integration to take measures when the situation required it and I think that’s the most important thing: to be able to react fast.
“We want to see how the situation evolves and if something happens, we need to make sure that we can react quickly and make rules immediately. We also have had situations where machine learning models have been developed in a couple of days.”
Mayo also shared his experience and said that while working at a previous employer, a fraud attempt was made on a joint venture company, rather than the business itself. He said that this was an important point because while you may think that fraud is managed in the same way across the business, other associated businesses may be tackling threats in a different way and operating to different standards.
• Deciphering identity and intent is a challenge on a global basis.
• Keep an eye on the trust frameworks.
• Collaboration is a key opportunity, but challenging in the face of data privacy regulations.
• The Scamdemic: coming soon to a market near you – but there’s hope on the horizon.
• Web 3.0: the wave of the future.
Elliot concluded by saying that while he was “frustrated because fraudsters still get away with the acts that they perpetrate, frustrated because they harm the good in society, but inspired because I can see the solutions that are starting to turn the table.”