This article is part of our randomised, post-structural Let’s Build a Bank series of articles. In this article, we explore concepts of customer authentication and identity, arguing that in the ecosystem economy we need to take a fresh look at what we mean by a customer, break the traditional human-based paradigm and start adopting more community-based trust systems for validation and authentication.
Background to customer authentication and authorisation
Customer authentication is central to the trust that banks and other service providers maintain on your behalf. They need to know that you are who you say you are for their security, but primarily for yours. Authentication is your guarantee the bank or service isn’t going to give away your money, your data or your stuff, without your permission. Authentication processes check your credentials to ensure you’re the person who is authorised to access the service in question.
Regulators also require banks and other institutions not only to know who their customers are, but to ensure they’re the right sort of people, to be authorised to use appropriate services. KYC (know your customer) for banks includes credit checks for the bank’s security, and also nationality checks for individuals, background checks for officers of companies and so on, to ensure that the people they’re dealing with aren’t involved in fraud, terrorism or other criminal activities.
Who you are, where you come from and where you live will also affect not just authorisation levels but also how the bank treats you for some jurisdictions – for example, U.S. persons (which is a broad definition covering a lot of different scenarios) are subject to U.S. taxes regardless of where money is earned, and banks everywhere are obliged to withhold certain types of money, such as tax on interest on accounts, for these persons. Some people will also be subject to authorisation restrictions when registered as officers in a business, such as politically important people, who may put the bank at greater risk of exposure to scandal if there’s a fraud.
Typically, you will be subject to authorisation and authentication at two distinct points: one, where your relationship with the service provider is initiated, to validate that you’re a fit person to have that relationship and who you say you are, and two, when you transact with that service provider, to validate that you’re who you say you are. There may also be further checks as the status of your relationship or something about you changes – for example, you may have opened an account a long time ago, but subsequently moved to a country with different tax laws, or become an officer in a business, a politician, etc, which you may not have been when you opened your account in the first place.
As an individual, you have a one to one relationship with your bank, your telco, or your department store and these organisations see you as an individual human; today, each holds a copy of your personal data and uses this to determine your authorisation levels and to authenticate you. If you have a joint account, one of you will be the primary signatory, again as an individual human and both of you will be subject to validation based on who you are as people. Even if you have a business account or operate on behalf of your organisation, your bank will still authenticate you as an individual, while nearly all authentication systems today are based on validating that the individual accessing the service is definitely who they say they are.
This makes good sense: you can’t duplicate, distribute or corrupt the base unit of humanity, the individual person. It does cause some problems, of course, associated with individual humans. People forget what they’ve told the service (favourite pet, anyone?), they forget passwords, they wear chunky rings that confuse hand topography scanners, they get wet and can’t work their thumbprint authentication, they change status or location without telling the bank, they get hit on the head, and of course, they die. But it’s still the same base unit and services have developed to accommodate the fallibilities of humans.
The problem it has created today though, is that every individual has a proliferation of identities, with multiple organisations and platforms holding the same, or similar information about them, some of which is likely to be inaccurate or out of date. Multiple profiles mean multiple passwords and multiple points of failure, as well as multiple potential security vulnerabilities, with all these institutions holding raw personal data.
National ID systems are a good example of how to manage individuals’ authentication identity more effectively and reducing the risk of human fallibility in remembering passwords, by creating a convenient ID and single sign-on for everything from banking to health to tax payments and land registry – Denmark’s CPR number is so ubiquitous you can’t join a gym or sign up for electricity without one, and all services are managed with a single identity and single password. However, these are all currently restricted to individual nations and, as we explore below, many individuals have increasingly international profiles.
In today’s connected economy and the platform world, things are more complicated. There is now a proliferation of instances of personal data maintained by commercial institutions, platforms and communities still using personal data to create analogous identities for the same individual, with varying quality and a growing struggle to maintain data integrity. Individuals may be working in multiple countries or be part of distinct ecosystems in multiple countries, for example within a multinational organisation. And now as people and organisations increasingly become elements of the wider ecosystem, the very definition of identity is becoming less clear.
Who’s the customer?
Who are you?
We tend to think of our identity as just ourselves, stripped down to our basic humanity, but studies have shown that our concept of ourselves is heavily influenced by the stuff around us – obvious things like job, wealth and status, the tribes we belong to, etc, but also physical things like what we wear, where we live, and the things we have. You may identify as “an American”, “a scientist”, “a Chelsea fan”, or “an opera nut”, but you probably also identify as “an Apple person”, “an Android person” or “a Windows person”. You may also identify with brands such as clothing brands, car brands, etc. We explore this further in the branding article.
And as the things you own become smarter, some of them take on aspects of your identity including decision making; your personal identity is expanding. This isn’t new; hundreds of years ago people were delegating authority to act autonomously on their behalf to things they owned, but in the Middle Ages those things were people. A feudal overlord would have been quite comfortable with having autonomous economically active entities in his portfolio of serfs, because that’s what serfs were for. But in the modern age, people don’t own other people, so the concept of the individual human has become much more closely paired with identity and identity management. That’s changing now, as the things you own become more autonomous.
Your phone is already a critical part of your identity. You’re statistically more likely to be reading this article on your phone than any other device, but your route to accessing it was controlled by algorithms designed to feed you personalised news, delivered on your phone. Your decision to read it was made by you, but the experience that led you to make that decision was delivered to you on your phone (or, with decreasing likelihood, your PC). Your phone is independently shaping your behaviour. And in the not too distant future, your car, your fridge and other devices will be going further than this, becoming economically active on your behalf.
It’s 2021. Your self-driving car has dropped you off at work, taken the kids to school, then decides which gas station to go to fill itself up, based on relative prices and distance. Perhaps it chooses one that has a carwash because it’s a while since it had a shower. Filled up and shiny, it plugs itself into Uber or Lyft and starts earning money, until you need it again. It’s doing quite well via Uber, because you don’t really go to the office much, after all you’re working mostly via AR from your home office, and only go in because it’s nice to see people in the flesh occasionally. So the car suggests it’s time to rethink your economic strategy – should you be getting a new model that carries more passengers to capitalise on more ride sharing profits, or conversely move to a collective ownership model instead?
The fridge, meanwhile, is trawling the online grocery stores for better quality meat. It knows you don’t mind paying a bit more, but it needs to get a supplier who can guarantee decent shelf life, because you have a habit of letting things go off, even when it gives you relevant recipes – some aspects of your behaviour haven’t changed that much! It also knows if it clubs together with three of the other fridges in your road, you can get a pretty good quantity discount and it can organise the distribution logistics. It’s having a bit of an argument with the thermostat about the underfloor heating though, it’s using more power than it forecast in the cooling system and you don’t really need it to be that warm, so you will be asked to arbitrate.
These devices are making independent decisions and transactions, on your behalf. Needing a thumbprint or a PIN code to authorise transactions would add friction to your personal ecosystem, which by its very nature only works because you’re not intervening at a transactional level. So they have become economically active autonomous extensions of your identity, and need some other mechanism for telling the bank, the supermarket, the gas station and Uber, that they are part of you. IOT devices are already proving an achilles’ heel for hackers, so security and authentication both need to be robust, without recourse to traditional mechanisms.
Do you care if your customer is human?
This leads to an interesting challenge in traditional identity thinking. As we’ve said above, identity and humanity are currently tightly linked – every transaction that’s performed today has to be authorised by a human, either directly as in typical B2C transactions, or via a business rule that a real person has approved, such as a Direct Debit or a bulk ordering system for B2B. But our 2021 learning devices are building their own business rules, independently of you – you haven’t told the fridge directly that you’re comfortable paying a bit more buying better quality, it’s drawn this conclusion from observing your behaviour data. That means, as a retailer, you’re providing goods and services based on a decision made by a machine, independently of any explicit business rules or instruction from a human. And as a bank, you’re facilitating that transaction with no human authorisation.
At the other end of this equation, is the “I’m not a robot” challenge. As machines get smarter, it will become harder and harder to detect machines posing as humans. The two big headaches are in the traditional touchpoints – relationship initiation and transaction authorisation. Current barriers – typically pictures that humans can process and machines find more challenging – will cease to be effective as machines get better at picture recognition, and they’re creating additional friction for real people as they get more sophisticated. People will continue to design new checks as machines get more sophisticated, but there will be a tipping point when the additional friction becomes unacceptable for humans.
Banks, in particular, try to deal with this challenge by putting robust barriers to entry into their system, so that only real humans can transact with them and see their data. However the barriers tend to be at the peripheries of the system, leaving them open to massive attacks once that periphery has been breached. The operating model of most banking online services is still very close to that of the traditional bank with the iron grille and a vault with a big combination lock in the back – they’re hard to get through, but once you’re in, all the money (or data in this case) is wide open to attack.
Given that it’s now possible to apply business rules that can control access and authentication to services and products, while tracking behaviour for known and predictable patterns, banks can learn from platform approaches to matching customers with services or products, to apply appropriate access based on behaviours and apply authentication at the point appropriate to that service. More of this below.
Who is trust for?
As we’ve said above, trust is for the bank, institution or service giving you access to its services, and it’s for you. But consumers/customers of trust have different needs, which should lead to different rules for different consumers, although beyond strata of authentication, this is rarely the case today. Here are some examples:
Looking at these examples, the consumer of trust isn’t always that interested in who you are. Yes, if you’re the customer opening a bank account or the refugee, some of the guarantees are associated with who you are, but if you’re a service provider such as a restaurant, or even a small business borrower in the context scenarios we’ve given, nobody’s actually interested in whether you, John Smith, are or are not from a particular country, of a particular age or even what your credit history is; the important question for those trust consumers is, in the context in which they are supporting you, are you trustworthy?
The big identity question
Banks have always struggled with the problem of a “single view of the customer”. In short, the problem is that individuals can be customers, companies can be customers, and individuals can represent companies, charities, consortia, funds, etc etc. Organisations are the original distinct ecosystems in this sense: single entities made up of multiple actors, many of whom can represent the organisation. Again, this makes sense in the old world, because there’s always a human (or multiple humans) benefitting from the economic activity of a company (the beneficiaries). There are further complications for banks because they hold several different views of the customer – from a legal entity perspective, from a credit risk perspective, etc, all organised in different hierarchies, which exacerbates the problem.
Because the base unit is a human, though, this creates a fundamental challenge – an individual may be both a person (retail customer) and a company official (e.g. CFO of a company). As a bank, from a KYC perspective, you might be happy for them to be a retail customer but less happy about them being a CFO, because they’re married to a senior politician. And that’s before you even start looking at the problem of presenting a single view of the bank from the customer’s perspective. Today we manage this by granting different levels of authorisation to different individuals – as a departmental manager, I may have authority to sign off EUR 100,000 and as a sales rep, I have a company credit card with a EUR 3,000 limit; all of these authorisations need to be associated with individuals, and those individuals authenticated.
As we move into the ecosystem economy, it becomes even harder to maintain a single view of the entity. The top-down hierarchy, still embedded in companies, is becoming less clear as the edges of service, customer relationships, data ownership and data processing, traditionally ringfenced within organisations, start to crumble. Beneficiaries become members of a distinct ecosystem, benefiting from networks and platforms, more than from direct sales which can be neatly summed and divided into cost of goods sold vs revenues from sales.
By extension, communities have identities as economically active entities. Collectives and community organisations such as football clubs and choirs have been around for centuries, while crowd-funding and fractional ownership are growing the economic clout of communities and moving them closer to mainstream business paradigms. As these communities grow and collaborate further, more ecosystem-based economic entities emerge, with their own capacity for decisions being made by multiple, instead of individual humans, together with opportunities for the application of AI to those decision-making processes. A good example is the Danish banking organisation, SDC, which supplies core banking to its 120 customer-members. Those members collectively make decisions relating to its investment portfolio, and in turn fund the portfolio.
A consortium of small builders, who may have met over a trust platform such as hiveonline, will have no central leadership and be managed via the ecosystem platform, where decisions are made by consensus and business rules rather than individuals. For example, they may agree to set up a contract that executes only when seven teams have agreed that they can put the time and sufficient money into a particular project; on execution of the business rule, hiveonline presents evidence to the bank that they’re committed and gives the indelible trust record that demonstrates creditworthy behaviour for all members; the bank then decides to grant a loan based on its own business logic and hiveonline executes the setup of the job with no need for human intervention. This sort of conditional, collective decision-making that is traditionally corralled and managed by human representatives, is increasingly being facilitated by platforms and business logic.
The end of human-based identity?
The human-based identity paradigm makes sense only as long as individual humans are the only entities capable of making decisions; regulators will quickly need to decide how to handle this scenario, which equates to extending personal identity beyond humans, to the things that they own, or to the broader community, and agreeing protocols for security and authentication that can be used in practice by these things. Once we start developing paradigms of identity as a collective, non-human or distinct ecosystem based concept, we can also start applying authentication that is more robust, less subject to hacking, and more appropriate for the modern era.
To do this, several things need to change. First, how we manage authentication; taking the human out of the equation means using different approaches and technology and while biometric identification is likely to retain a key position in frictionless identification of a human individual, we think that cryptography will replace passwords and that behaviour signatures will start to replace biometrics, as the distinct ecosystem identity becomes the standard unit. We describe some emerging paradigms supporting this movement below. The fundamental change that’s needed, however, is in regulation and how regulators view identity, which in turn is tied up with legal concepts of possession, data protection and in particular, consumer protection. We we are already seeing regulators thinking about these identity challenges, but it’s very early days.
It’s likely that, as with most new paradigms, changes in practice in response to evolving customer needs will outpace the development of the regulations needed to govern them effectively. As with all emerging paradigms, this will leave early adopters exposed to poor practice and almost certainly, a lack of consensus on standards for addressing these concerns. RegTech is likely to lead the debate on many of these challenges and the answers may be driven more by the available solutions, than by the needs of customers and communities.
Barriers to entry in the ecosystem and platform world
of course Facebook, LinkedIn and Twitter, the megaplatforms, couldn’t go without a mention. They’re part of the losing battle to maintain relationships only with humans, and face the same challenges of customer identity as banks, which is already leading to some strange compromises. For example, all have some sort of facility for companies to set up versions of their platform offering as though they were individuals, however Twitter treats the company as a person, whereas LinkedIn and Facebook treat it as a company, allowing multiple administrators who are real people. None have really nailed what they mean by a company vs a person in the context of the page setup, while regardless of the paradigm, they require page owners to be real people, and spend a lot of money cleaning up the data.
To illustrate it’s still possible for an individual to set up multiple pages – all you need is an online identity, of which most people have several. Consequently people set up pages for their cats, infants, hobbies and so forth, and while Facebook is constantly cleaning up the data, the scale of the challenge is huge. The problem is that your Facebook credentials become an online identity, providing a level of authentication, which can be used to validate that you’re a person, even if you aren’t, and give access to further online services as though you are a person. We all know someone whose cat has a Facebook page, and as that identity ages, it wields quite a lot of online power. Let’s assume you wanted to set up an Airbnb account, which requires both national documentation and an online identity. The sockpuppet Facebook or LinkedIn page you set up 8 years ago gives a strong level of confidence that your fake ID belongs to a genuine person.
As with banks’ identity and authentication management, turning the problem round and assuming that an online identity does not necessarily equate to a real person, opens up a much more manageable scenario. The fact is, that there is no one to one relationship between people and online identities, any more than there is between people and bank accounts, or people and mobile phones. Accepting this as a starting point allows us to design authentication and service access to respond to this paradigm, and to apply adoption barriers where they are needed, at the point of service delivery, rather than as an entry point to online identities.
This then raises the question of where the barriers to entry to a system should lie; these platforms are fighting a losing battle trying to curate the quality of entrants. Instead, we think it’s time to move away from trying to make the periphery more robust, and rather to apply more robust authentication, in particular, cryptographic keys and behavioural authentication, to restricted services. to demonstrate true trust and use this as a quality filter, accepting that there will always be fake identities, robots, and genuine but non-human platform members.
Collective ownership identity challenges
Companies, charities, clubs, residents’ associations are all existing examples of communities which have a collective identity but individual officers with particular access rights (usually power of attorney on the bank account, or company issued credit cards). The trust that goes with this level of access is today tied to the level of trust that company or organisation has in the role that person fulfills.
Then there are communities with governance, shared goals and a shared trust authentication system operating as single entities in the distinct ecosystem based identity paradigm. But just like in companies, not all collective ownership systems will be amongst communities of members with equal trust or transparency. Fractional ownership is a particular challenge, because in many cases, the justification for fractional ownership is the low liquidity of the participants, which in turn means that trust history may be patchy.
Peer to Peer lending is another example of shared ownership where there may be a mismatch between the due diligence done on the lender, and the needs of the receiver. Peer to Peer lending platforms face challenges of quality curation vs. scale, and while this may be less of a problem for smaller, unregulated businesses, the greater the scale of the platform, the harder it is to manage the KYC on these small investors and the businesses they support.
Distinct ecosystems as trust consumers
We already see examples of distinct ecosystems where there is no individual responsibility for decision making – collectives that require a critical mass of members to approve before an action can be executed, and where there is no single figure of authority with power to press the button. Our collective of builders is a good example of this; but as well as making economic decisions about the priorities or behaviours of the collective, this also extends to decision making about the trust barriers for suppliers to that distinct ecosystem. For fractional ownership or peer to peer lending, what are the acceptable criteria and how can this be validated? Traditionally, trust based systems rely on third party authorities and brokers, who hold trust evidence for individuals and organisations. But with the availability of platforms and new approaches to behavioural based trust, is there an opportunity for communities to use trust records without recourse to the traditional means?
We’ve seen this in action to a large extent with platforms like AirBnB or Uber; in this case, reviews in sufficient volume provide a critical mass giving confidence, although it’s not infallible; while a large distribution regresses to the mean, platform reviews are subject to crowd dynamics including plebocracy and early adopter advantage. However, if we can reduce or remove the bias, assuming both supplier and customer have access to a trust-based system that can translate behaviour patterns to scoring for benchmarking and for validation, there’s an opportunity to move beyond traditional validation funnels towards a platform-based approach, with communities applying the same criteria they are expected to meet, protected by the protocols that guarantee veracity rather than by historical trust relationships with authoritative entities such as banks.
Borderless platforms and regulation
One of the most significant challenges facing regulators is the movement from national to cross-border value systems, such as multinational organisations and more recently, cryptocurrency. Regulations are, with very few exception, still defined by extensions of government within territories (national or bloc) and while compromises and workarounds have been developed such as passporting of licences and consensus agreements, even in today’s’ corporate culture, national differences create significant barriers to operating as global entities:
- Socio-economic differences between countries: for most developing countries, ultra-stringent regulations can strangle development, yet more developed countries are rightly wary of doing business because of the opportunities for fraud. Governments and regulators in developing countries struggle to find a balance between policies that allow for growth and restricting opportunities to trade with richer economies.
- Cultural differences between countries/regions: Western regulations in general are geared towards protecting consumers, whereas in APAC and China in particular, regulators take a more economically focused perspective on protecting markets. While these viewpoints are not incompatible (regulators should and do consider both), the different weighting of these considerations can lead to policy differences which may be hard to reconcile.
- Different approaches to taxation: the most obvious of these is the FATCA US tax withholding mentioned above; the USA taxes all US persons, regardless of where they are, whereas many other countries have reciprocal tax arrangements for nationals working abroad, or businesses with foreign branches. While this makes things very complicated for banks and tax authorities, these different approaches are also a significant barrier to true globalisation.
The ugly compromises that have developed are almost all bilateral deals between countries and/or blocs, specific to two or more regulatory regimes – for example, I pay tax in Sweden if I work there more than 20 days a year, while I get the equivalent break from my Danish payments. Banking regulations in Denmark are more or less the same as elsewhere in the EU, with some sovereign differences, and because I’m lucky enough to live and work in a region with a single central bank and more or less united rules this works pretty well until I need to buy services or set up a legal entity outside the EU, when different regulations apply again.
Currency without borders?
The Euro has had some pretty rocky times and bad press, trying to address the single currency/cross border issue – even with a single central bank and parliament, national economic differences have raised questions of whether cross-border currencies can survive. The US dollar is probably the most successful example of an unofficial global currency, historically valued because of its stability relative to local currencies in many countries, but it’s achieved this status without official policy to support it.
And despite growing acceptance in the mainstream and the emerging trend of central banks to propose issuing their own versions, cryptocurrencies are subject to significant uncertainty, as they don’t fit the traditional, country-based model. Governments and regulators are still unsure whether to treat them as currencies or as something else – tokens, or bonds, which as tradable digital assets, they could equally well be. Consequently there’s been a difference of opinion, and therefore level and type of regulation, from country to country and, in the US, from state to state. In fact, the same could be applied to any traded currency – or, in fact, any currency (the US dollar being the most obvious example) where supply and demand affect local value, but regulators have at least some clear definitions around what a currency means and it’s still not clear where crypto will finally land.
We think the consensus is likely to move towards the “currency” camp, in particular as central banks start issuing sovereign cryptocurrencies, so for practical purposes their cryptos have to be equated with fiat currencies. Adverse response from the business community to the FED’s restrictive regulation of cryptos in the early days has now resulted in a relaxation and even reversal of early Bitcoin classification there, but other markets, in particular in South America, are still slow to react. Meanwhile markets in Asia in particular are embracing and accelerating cryptocurrency adoption by reducing regulatory barriers, while in sub-Saharan Africa the relatively stability is an attractive reason to move away from local fiats and towards a more controllable crypto.
But this still doesn’t address the cross-border challenge, and one of the reasons Bitcoin’s value is so unstable is because of the lack of a single government/nation underpinning it. The value of sovereign fiat currencies is directly associated with the risk of that country defaulting, which is why central bank stability is so critical. Where there is no central bank, there’s no guarantee and no stability beyond the collective mood of the market. While central bank issued cryptos will not be subject to this instability (assuming they’re pinned to local fiats), they are also subject to cross border challenges.
Identity without borders
Similar challenges apply when we consider personal and organisational identity. While most people still live in a single country, possibly with occasional travel, and earn money in that same country, things are pretty simple; you pay tax to the local government, which supports you with the services paid for out of those taxes. You follow the local rules as they apply, whether regulatory, tax or social. The same applies to companies, which typically do business in small, local areas.
But that’s changing as people and, more significantly, businesses, do work, create value and spend money across multiple countries. From the small supplier selling goods, to the business employing a “gig” economy worker, the internet has broadened the reach of even tiny enterprises and individuals to become truly global. For direct sales, the rules are pretty straightforward, although far from consistent and usually not advantageous to either seller or customer, but for value creation and employment of people overseas, it becomes very complicated very quickly, as regulations are not designed to accommodate an increasingly flexible, global workforce. Many of the fundamental challenges are rooted in the fact that local services from schools and hospitals, to roads and infrastructure, are paid for by local taxes, so it’s reasonable for governments to expect rewards for work produced and people employed in their own jurisdiction, but as these rules create massive additional complexity for individuals and businesses, is there an opportunity to rethink them at a community level, leveraging the broad range of cross border services to allow business and worker communities to pool their contributions?
That sounds unduly restrictive, because we’re still tied to the idea of an individual being synonymous with an identity. But if we accept, as we’ve said above, that individuals already have multiple identities, it’s easier to visualise a scenario where any individual may belong to a number of different identity entities, with different roles. My identity as a parent would be firmly tied to my own family unit, while my identity as an employee of a global enterprise could be more sensibly associate with a community of Danish or Australian architects of global financial enterprises, for example. Similar to the approach of multi-entity distributed computing, this means that only necessary information need be exposed at the entity level, rather than every individual having to expose all their details, leading organisations to deal with the consequent complexity.
In effect we do this today, allowing organisations to treat us as more or less homogeneous groups when it comes to salaries and tax in different jurisdictions. The strength of extending and formalising the community based approach to communities and distinct ecosystems, is that it both reduces complexity and allows for additional richness to be associated with that identity (for example, certification, regulations) without having to manage these on an individual basis.
Evolving approaches to authentication
Most banks still perform their own checks, supported by agencies such as Experian and similar third party brokers who validate customer information to the banks, which they then hold on record as part of your customer data. This process is expensive and cumbersome, as several data sources need to be consulted for full checks, and can lead to long customer onboarding, especially where the customer is an organisation and checks have to be run against multiple individuals representing the organisation. It’s also highly duplicative, as each bank typically gathers and holds the same data about a customer, even if that authentication has already been done by a different bank, with brokers and banks holding customer information on file, at risk of exposure to an attack
Third party KYC has been available for many years, and while banks have been naturally reluctant to outsource such a critical business process, as the services offered have become more established, many are starting to use these services. The challenge for banks is often integrating these services into their often legacy systems used in the customer onboarding process, which typically spans many systems.
And the challenge for many individuals when facing these checks is that if you’re not in the system already, establishing an identity is hard to impossible, meaning access to financial services and utilities is beyond their reach. This applies to 2 billion of the world’s population, adults who are unable to prove their records to sufficient standards and of whom 1.5 billion have no official identity papers such as birth certificates, severely restricting their ability to participate in business and financial activities.
Blockchain based broker authentication
Moving into the world of distributed ledger based authentication, things are starting to change. Now broker services can offer cryptographic identity that build up a profile of the customer, based on traditional authentication data, creating a unique cryptographically encrypted token identifying, for example, whether an individual is credit worthy or meets other criteria. Banks and other interested parties can then compare encrypted data with the broker service’s version, and the broker can then confirm with the tokens that the data was correct, without either the broker of the bank exposing the original data.
This has two main impacts – one, that the checking only needs to be done once, and can be used by multiple service providers, and secondly that the data is not exposed, which will make the customer more comfortable – the #1 worry that customers have when being authenticated is who’s seeing their data. This clearly has advantages in protecting personal data, and reduces the duplication effort, but still requires banks and other businesses to hold some personal data, with consequent challenges of duplication and deterioration of data quality. There’s also the consideration that no encryption method yet invented has outlived the personal data it’s protecting, so storing of even encrypted data on a public network is highly inadvisable, which means the trust authorities still need to maintain the personal records.
And it doesn’t address the identity / financial inclusion challenge. The transparency and immutability of identification can, however, open up traditional records to individuals who may not have had access to them previously; land ownership recorded on the blockchain is an early use of trust records proving provenance, and the same can be achieved with personal records, supporting many of those without current certification.
Behaviour based personas and identity
Many fintechs and telcos are starting to address the financial inclusion problem with the development of behavioural profiling, typically using mobile phone records to demonstrate that a user is trustworthy. This is an extremely powerful method of identification; with the right algorithm, data such as geographical movements, phone calls, text messages and who your contacts are gives a much richer and more accurate confidence score than many traditional methods, and is far less open to fraud. Added to this, consider that 80% of the world’s population have a mobile phone, including 1 billion of the 2 billion unbanked mentioned above.
Behavioural based identity does present challenges, in much the same way that other personal identification methods do; your behaviour signature is as unique as your thumbprint, so questions of identity protection are extremely relevant and as the technology is emerging, regulations will struggle to keep pace. Behavioural identification of this sort, while extremely appealing to an unbanked person trying to establish trust, is likely to be regarded as personal intrusion to a typical German consumer, for example.
We see the future of behavioural based identity as one where the consumer, organisation or entity can choose different personae for different purposes, based on different types of behavioural identification data. For example, my “parent” persona, while also needing traditional “I’m a person” validation, could be linked to records of my children’s birth, schooling and health, while my “architect” persona, where my status as an individual isn’t relevant, would be linked to organisational designs, payments for such and press articles about the impact on the companies I’d designed, for example. As a member of the architecture consolidate, it could also include guild-style peer certifications and community endorsements. Similarly, my organisation can have multiple contextualised distinct ecosystem behaviour signatures based on the customer, government or investor segment relevant to that behaviour – my organisation as a provider of financial services, in collaboration with the partners who support the delivery, for example.
Trust record vs review record (facts vs plebocracy)
The first advantage of these behavioural signatures is that they are based on facts. Clearly, a credit history is also based on facts, but when individuals can have a proliferation of bank accounts with different lenders, even credit records aren’t as reliable as they were. Compared to other platform based trust systems, fact-based history can’t be swayed by first mover advantage, plebocracy or subjective reviews. When applied to multiple personas, it also has the advantage of using only relevant information, both zeroing in on the context so that users from the same context can be confident, and reducing the need for extraneous, potentially personal identity compromising information to be shared. The third advantage is that with these signatures built out of activities performed, you don’t need a trust authority to validate that you’re credit-worthy; the signature itself shows that your behaviour in context is desirable.
When we also accept that communities, including businesses and distinct ecosystems, build behavioural signatures in exactly the same way as individuals, this also gives us a richer and more context relevant view of the community’s reliability to us as consumers of the community’s service. Think about a builder with an impeccable credit history – that tells you he’s generally reliable, but does it tell you he delivers and employs trustworthy partners and merchants? And of course these trust signatures aren’t just relevant to you as a consumer of his services, they’re also relevant to partner organisations, who can see that he’s reliable and a good collaborator for their wider team.
By extension, communities can not only build, but also set parameters for the trust profiles they want to achieve and employ. I can give myself, my workers and collaborators a target and I can specify levels of acceptable behaviour for collaborators, customers and suppliers, creating partnerships only with trusted counterparties. As a collective of builders, as in our example above, we can collaboratively agree to these benchmarks, reducing the typical challenge of one or a small number of individuals being burdened with vetting and selecting suppliers. Taking community based, behavioural signatures as a standard leads to a huge reduction in uncertainty and friction. It also promotes good behaviour; as we’ve seen with platforms such as AirBnB, the very act of becoming a member means that you’re more likely to want good ratings, and adjust your behaviour accordingly.
People and organisations are evolving; every entity within an ecosystem may now be part of many distinct ecosystems. Meanwhile the difference between individuals, organisations and communities is dissolving, as restrictions associated with traditional national boundaries become increasingly burdensome and unrelated to evolving organisations and financial instruments. We need to move away from the old paradigm where the only valid identity belongs to a person, towards accepting and embracing distinct ecosystems as valid entities with identities of their own. People, organisations and the ecosystems that surround them have different, equally valid personas which, when subject to contextual validation, are of use to trust consumers with different objectives.
Traditional authentication protocols are being replaced by emerging opportunities both to apply new approaches to traditional data, and to develop behavioural based trust systems. Behavioural systems are more flexible, more context specific and more reliable than traditional systems. They can be built and used independently of, or in conjunction with, a traditional trust authority, allowing financial inclusion for the unbanked community and a focus on outcomes for trust customers.
Blockchain and cryptography, together with behavioural data, give us the opportunity to create and use different types of signatures as applied to individuals, organisations and communities, moving towards rich context-specific and peer authentication, coupled with factual records and immutability. There’s a growing number of platforms taking advantage of this paradigm change, presenting an answer to the challenge of platform bias in the “post-truth” age, however personal data remains vulnerable regardless of encryption standards.
While technology is creating opportunities, regulations also need to evolve and embrace the changes, accepting that the human based paradigm is no longer the only version of the truth and that national borders are blurring. We’ve seen some encouraging developments, and eagerly await further changes as behavioural based identities and validation become mainstream.