Dgwb blog white border

The real battle between MCX and Apple, between banks and Google, between retailers and telcos is not about your handset, your SIM (soft or otherwise) or your payments. It’s about your identity.

As has been remarked more than once, and in many contexts, if your wallet gets stolen then it’s your driving licence, social security card and Portugese fishing licence that are the problem, not your money. Remember your Shakespeare! “He who steals my purse steals trash” (Othello: Act 3, Scene 3). It’s your identity that is the valuable thing in your wallet, the thing you should leave locked up in the hotel room safe instead of being forced carry it around with you in case you want to buy something – as I am required to do in the US, where you often still have to sign your name when you use a payment card in a shop.

Untitled

If I’m right, then my identity should only be entrusted to organisations who understand security and privacy and, most importantly, actually know who I am.

Britain’s high street banks believe their future role will be as repositories of more than just money: they want to be the safe place where customers store their digital identities.

[From Banks want to keep your digital ID in their vaults – FT.com]

It’s natural to think of banks in this role and, despite the fact that I can’t use my bank identity to log in to anything other than my bank at the moment, reasonable to imagine that their plans for forming a trusted identity layer to underpin the new economy are well advanced.

Banks are well positioned as is explained in a recent white paper (link) of the European Banking Association (EBA).

[From Digital Identity: how banks can position themselves in their customer’s online lives | Innopay]

It is also natural for people (e.g., journalists) to see the identity issue in terms of payments, because payments are where we need most urgently need a solution. The myriad data breaches mean that efforts are focused on online purchases and the use of the decades-old PAN-centric card infrastructure in an environment it was never designed for.

Some suggest that digital identity verification by banks could ultimately end the need to type in a credit-card number on an ecommerce website

[From Banks want to keep your digital ID in their vaults – FT.com]

The FT are right. Identity could be a huge play for banks. Mind you, some others (uncharitable persons, of which I am not one) also suggest that banks will pratt about and muck this all up and hand digital identity verification to Apple, Facebook, Google, Amazon and Microsoft on a plate. Many years ago, I thought this wouldn’t happen because I thought that the banks would come to some arrangement with the mobile operators since (at the time) the mobile operators were the only providers of tamper-resistant hardware with a communications link: the SIM.

The Norwegian implementation is follows my favourite SimID model: the service providers use virtual IDs (public key certificates), the mobile operator provides the digital identity (the key pair) and the bank binds the digital identity to the real person.

[From Norwegians would – Tomorrow’s Transactions]

I rather liked the model that this suggested. Go to log on somewhere and have a message pop up on my phone, enter a local passcode on the phone, find myself logged in on the web. I was a strong advocate of a pseudonymous option around this, so that service providers would know that you have been authenticated, but not who you were (the bank could provide a unique and cryptographically-unlikable token to each service provider).

Now that my bank has an app on my mobile phone, you might imagine that they could perform this role (for a small fee) not only for payments but for more general cases. For example, suppose I need to log on to a gambling web site and prove that I am over 18? That’s exactly where this sort of bank recognition could work. I give the gambling web site my mobile phone number, they send it to a [currently nonexistent] bank directory service and moments later my mobile banking app pops up on my phone and asks me to log in.

In recent years, though, we don’t seem to have seen much progress in this field and now that Apple (and, inevitably, Google) have decided to bypass the operator SIM and use their own tamper-resistant hardware in the handset, surely the banks’ potential as key, trusted identity players is under threat. Maybe it’s time for them to take the whole ID thing seriously and start coming up with new ideas. More on this tomorrow.

4 comments

  1. The GSMA has a very impressive effort in it’s Mobile Connect for identity management. It’s early days, but it seems to address much of what you see as the opportunity for non-tech players to finally step up.

  2. In recent years, though, we don’t seem to have seen much progress in this field and now that Apple (and, inevitably, Google) have decided to bypass the operator SIM and use their own tamper-resistant hardware in the handset,…

    Do we all remember the year of the smartcard? How everyone figured out that the cost of smartcards was sooooo astronomical that it had to be done as a shared infrastructure with one big player providing the platform and the other players putting apps on the smart card?

    Didn’t work then. (Doesn’t work now.) But for institutional reasons, not technological reasons: Banks don’t trust telcos nor each other nor their customers nor in reverse. You simply can’t share that sort of data around in an open transparent fashion, and nobody believes you if you’ve come up with some super-secure way to do it.

    So, for it to work, we had to wait for Apple to come along and vertically integrate — do the whole stack. Google to follow once the lessons are learnt. But, vertical integration takes a long time.

    Where are banks in all this? They are bit-players. The sooner they realise they can’t play at this level, the better for them. The sooner they migrate to their new position as customers of the Apple/Google stack, the more they’ll survive the transition.

    1. Exactly. At a digital banking event the other day, the panellists bemoaned the lack of industry standard fingerprint readers, conveniently forgetting about the iPhone. They moved on to the lack of takeup for voice biometrics, again ignoring that the phone is the obvious home for this. Making the phone the ID hub shifts customers from a world where banks deign to grant access to banking to one where customers grant banks access to their ID. It’s classic disintermediation

  3. I can only suggest – and it is so easy to do! – that our established practice of free (of charge) deposit banking might be affecting the development of deposit products like payments and its integral – identity..

    We get charged for storing our possessions in a warehouse. The service rendered by a warehouse is justifiably priced at the level market clears – more or less. However, when we store our money assets at a warehouse called Bank we pay nothing. A bank renders a service of storing our monetary possessions. As a part of this service, a bank offers an access to our stored wealth. This access is provided in many ways – a banknote, a cheque, a PAN, a token, a BillPay web & mobile app,… We pay nothing for it. At least in the US, Demand Deposit (DDA) and Savings accounts are FREE. Why? Because banks perform another role of mapping savings to investments, allocate funds from savers to borrowers and make sufficient margins this way to cover the cost of deposit operations?

    There was a time and place (or rather different times at different places) when deposit banking was separate from lending banking. Evident enough that in the course of our banking evolution, the path to (and through) fractional reserve standard was uneven and marked by all sorts of investigations – theoretical and legal. In 19th century, in England, people were seriously debating the legality of fractional reserve banking within DDA space. 1811 Carr v. Carr, 1816 Devaynes v. Noble, 1848 Foley v. Hill – these were the cases to decide whether placing money for safekeeping constitutes an investment, whether bank current deposit is a debt contract. Can a bank lend money that depositors did not intend to invest/save but simply to keep – as a bailment – to facilitate their current operations? Similarly, – can a warehouse lend my furniture that I did not intend to be leased to someone else..?

    I might be frivolously connecting wrong dots here but I wonder whether fractional reserve practice so well established nowadays plays a role in the development of core deposit services like payments, beyond what it notoriously does to the ’shaky stability’ of our banking system. What if, – just what if, – deposit banking would be separated from lending banking and thus offered for a fee that market clears – more or less?

    Would this incentivize deposit banks to focus solely on its core deposit offerings like payments? Would this be THE ‘shift’ in a bank mentality to be that entity that spearheads innovation in the payments space? Would it develop itself (sooner) into that trusted enterprise that guards and manages our Identities? (May be in fractional reserve environment Trust is harder to earn?)

    Would we have NON Banking players in that same space that don’t look to operate on fractional reserve standard, like Google wallet, as a random example…? And how to understand a recent development of pre-paid businesses that do CHARGE a fee for loading funds into their issued general purpose visa/mc cards? (Don’t they resemble pure deposit banking and may be children with a strange DNA string inherited from distant and long abandoned tribe of predecessors of decoupled Deposit Banking?)

    Would it solve better for a social benefit of keeping money inside the banking system and reducing the amount of cash transactions?
    Mhh?

Leave a Reply


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.
%d bloggers like this: