The future of payments: Digitising identity

Paige McNamee

Senior Reporter, Finextra

With almost one billion people lacking a formal means of identification, and almost half of the entire global population having some form of ID but no digital trail, calls to rectify this situation are widespread and intensifying. In addition to the humanitarian factor, the opportunity for value creation through the development and delivery of digital identity platforms appears almost exponential.

As the technology required to deliver digital identity is ready, governments and consortiums are refining their strategy around implementation and carefully weighing the benefits alongside the risks that digital identity presents.

This is an excerpt from Finextra's Research report 'The Future of Payments 2021,' available for download via Finextra Research.

Who is leading the digital identity charge?

There is significant upside to adopting digital identity, which is expected to have an impact not only on financial services but across the entire economy. McKinsey predicts that by extending full digital ID coverage, the economic value that can be unlocked would be equivalent to 3% to 13% of GDP by 2030, with just over half of that potential economic value accruing to individuals.

Having announced its plans for a European Digital Identity and Wallet framework in early June 2021, the European Commission is showing strong interest in putting its strategy for a digital Europe in motion. Under the new regulations, public authorities or private entities in the EU will be able to offer digital wallets which link their national digital identities with proof of other personal attributes, such as a driving licence, diploma or bank account. In an effort to expedite the process, the Commission invited Member States to establish a common toolbox by September 2022 and to commence the necessary preparatory work immediately.

Digital identity has shifted to the fore of the conversation around innovation in financial services for multiple reasons. In the current data-driven economy, where services can be accessed anywhere, any time and on any device, Teunis Brosens, head economist for digital finance and regulation, ING, explains that it is essential for both parties to identify themselves in an easy and reliable manner. At the basis of those online transactions lies the need for safe and efficient identification of remote counterparties to build trust and system resilience.

He continues that digital identity as an enabler for securely and seamlessly onboarding customers has the potential to remove some of the barriers not only to the access but also to the usage of financial services. By enabling customers to prove their identity in an easy and secure way, it can build trust, facilitate ease of use and contribute to a wider adoption of financial services.

A secure cross-border functioning digital identity is therefore crucial. Cross-border electronic identity (e-ID) solutions have been a missing link in developing the EU digital single market, but hopefully with the Commission's latest announcements, work on this front will intensify.

Correspondingly, Brosens adds, data sharing and consent management have become more important in the digital economy, and digital identities can act as an important facilitator for both.

“On top of this there are regulatory developments like PSD2, open finance, and the EU’s data strategy that uncover questions like how to ensure access to data, how to securely share data, how to authenticate customers, how to minimise fraud etc. that require a closer look at digital identities. Also, the Covid-19 pandemic has shown the importance of having remote access to (banking) services.”

Adoption across individual European nations has to date proved quite varied, says Brosens. In the Nordics, an impressive 90% of inhabitants currently have an electronic identity, since its introduction in the 2020s.

For example, BankID in Norway has become a de facto standard for identification: all financial services are using it, as are the government institutions. In Germany or the Netherlands, on the other hand, adoption is rather limited.

The Mobile ID consortium is the solution being adopted in Belgium to bring together leading banks and mobile telecom providers, to create the Belgian reference in the fields of mobile identity and digital privacy. The itsme app is the result of their research.

The app allows all Belgian citizens with a smartphone and an identity card to log in securely to a number of sites and apps that require digital interaction. itsme provides each Belgian citizen with a unique and secure mobile identity, to remove doubt about the identity of the person trying to enter a secure site or sign a transaction or electronic document online.

Should we trust banks to be the guardians of digital identity?

Banks around the globe hold a high level of trust in consumers' eyes, particularly when compared with other players such as government institutions, retailers and social media platforms. They are also very well positioned to act as identification providers given their experience as custodians and their verification capabilities for commercial and regulatory requirements.

Tony McLaughlin, managing director, emerging payments & business development, Citi, believes that the answer to who precisely should provide digital identity – be it private banks, corporations or the government – will vary from country to country. The Swedish scheme is offered by the banks, a consortium of banks leads the Belgian digital identity, while the government offers digital identity very effectively.

He continues: “The important thing for digital identity – whether it’s provided by government or banks or a wider consortium – is that it is decided at the country level. Switzerland for instance just held a public referendum on the subject, with citizens agreeing that the private sector should not provide its identity framework.”

Nico Strauss, Tribe lead B2B services, Rabobank, argues that banks acting as the guardians of digital identity should not be something to fear. If for no other reason, he explains, the banking industry is so heavily regulated that there really isn’t much it could get away with if it wanted to.

“Further, if banks don't step up to deliver digital identity, then big techs like Google or Facebook may pick up the mantle.”

Tying back to McLaughlin’s comments around factoring in regional or national decisions, John Pitts, head of policy, Plaid, underscores the role culture plays in how a population is going to respond to a relatively sensitive issue such as digital identity.

“Americans are quite uncomfortable with the government telling them who they are. A third party controlling your digital identity is something that I think will be culturally quite difficult in the US. The difficult question comes down to which one of these parties will the consumer trust to own their digital identity and be in control of it?”

On top of this, Pitts notes that another factor weighing into the decision is which entity is going to have the right incentives. Specifically, will a bank necessarily have the right incentives if digital identity is the means by which you access products and services from competitors of that bank?

“What concerns me is a non-market approach to creating a digital identity - where the government says, ‘You know what, banks already have lots of information, we're going to say at the outset that the bank is the owner of digital identity’, and proceeds to give banks a monopoly on digital identity whether or not they do a good job.”

Digital identity for KYC and AML?

The European Commission’s plans to set out a digital identity framework come after the 2020 consultation on plans to review the electronic identification and trust services (eIDAS) regulation. One of the biggest issues when it comes to digital identity and its corresponding regulatory framework, eIDAS, Brosens argues, is the fact that it is not designed for the private sector and it does not really function cross-border throughout Europe due to local fragmentation. The recent European Commission proposal to introduce digital ID wallets is a welcome step to improve on this situation.

The use of e-ID for onboarding purposes is currently not universally permitted across Europe, and one of the main reasons for this is the absence of a harmonised regulatory framework for AML.

Brosens elaborates: “As a result, there is a wide divergence across member states of the identity and KYC related attributes used by financial institutions for onboarding which should be harmonised and a common set of attributes should be defined for customary onboarding journeys, especially with a cross-border dimension. As businesses and services operate more cross-border, it is important that this issue is solved. The interplay between eIDAS and AML is acknowledged and the importance of having a more harmonised framework as well.”

Approaching the KYC challenge from a practical perspective, McLaughlin observes that once a functional digital identity platform has been developed by governments, banks or a consortium, each individual platform can rely on this abstracted service rather than carrying the burden itself, which assists in standardisation and significantly shaves down costs.

How biometrics help firms meet SCA obligations

Biometric data, such as fingerprints, iris scans and facial recognition, is one of the most secure sources to identify an individual. The use of biometrics as a means of verification strengthens security, while decreasing the risk of data breaches.

Brosens believes that in order to maintain trust in digital identities, clear rules on the handling and storage of biometric data are necessary. The downside of biometric data is that once it is breached, the data is compromised for life. Therefore biometric data deserves special attention when it comes to data storage and protection.

“Under the GDPR, biometric data is classified as sensitive data for which the collecting and processing is only permitted in limited circumstances. Therefore biometric data should only be stored by certain trusted parties under strict security requirements; this is also a role that banks can play. In our view the digital economy would benefit from a clear European regulatory framework to cater for the rising importance of this specific type of personal data,” explains Brosens.

For instance, ING has been using biometric technology available on endpoint devices like fingerprint capability on the mobile phone for authentication. ING was already using biometrics in such processes before SCA was required by law.

Building the right consent framework

Steering the conversation back toward digital identity, McLaughlin aptly observes that at the time of open banking’s launch in Europe, the necessary consent mechanisms were not in place, leading to a delay in enforcement of SCA. This provides the perfect example of the foundational role played by identity, states McLaughlin, as identity infrastructure is really a consent infrastructure.

“Whether you're making a payment, you're sharing data for open banking, or you're sharing data under GDPR, it all comes down to your ability to grant digital consent. So, effectively, you cannot have good payments or good open banking or good GDPR data sharing, unless you have a good consent framework. If there is one place where you're managing your consents, it’s a very powerful thing, and everyone can point towards that consent infrastructure.”

Unfortunately, he laments that in many countries it is not understood that consent must come first and that there is little point in building an elaborate open banking scheme if the consent mechanism has not yet been developed.

“Digital is a lot like building a house - you can only start on the foundations. You can't start by building the penthouse, you have to start laying the foundations. The trouble with digital is that there's nothing forcing you to start with the foundations - and so the temptation is to work on the penthouse before the foundations have been laid.”

Comments: (1)

Andrew Smith - RTGS & ClearBank - London, 02 July, 2021, 10:58 (1 like)

A very interesting topic and one close to my heart.

The first thing is that digital identity does NOT mean an identity type document in digital fashion (like a passport). You should never have this because it's too easy to then correlate users and identities together to target them. Let's face it, in certain parts of the world and human history shows that identity leads to targeting, so at a principle level, we must remember that identity needs to be related to identification for what purpose. An identity is therefore a domain of various identities that mean different things to different people.

Once we have established that understanding, we must therefore make sure that we don't have "custodians" of digital identity. Banks are in no position to do this, nor is any particular "sector" or company. Identity data is ours, it is our identity and therefore the data and how it is used must be under our strict control. We are the custodians of that data and banks may be someone we trust to use it. Nothing more.

Though there are strides making digital identity frameworks across the UK and Europe that assert and promote trust in digital identity, the underlying financial infrastructure needs to dramatically change in terms of how "customers" are viewed and how "customer interactions" are triggered. Open Banking APIs are not scalable when we move to a world where the customer and their identity is at the centre of interactions - so the entire underlying architecture, which many banks have just invested heavily, is already legacy when we look at digital ID.