Horizon Brief

I had the pleasure of attending a “Horizon Brief” organised by the Centre for the Study of Financial Innovation for Dentons. The well-informed speakers, ably chaired by Andrew Hilton (Director of the CSFI), were lawyer Dominic Grieve (previously the Attorney General and, until last week, Chair of Parliament’s Intelligence and Security Committee), lawyer Anton Moiseienko from Royal United Services Institute Centre for Financial Crime and Security, lawyer Richard Parlour (Chairman of the EU Task Force on Cybersecurity Policy for the Financial Sector) and lawyer Antonis Patrikos from Dentons’ Privacy and Cybersecurity Practice.

Margot James, the Minister for Digital was quoted in The Daily Telegraph that the UK must “get over” privacy and cyber security fears and adopt technology such as online identities. While this Minister was advocating online identities, another Minister was ending government funding for the government’s own Verify digital identity service. And more recently another Minister has scrapped the online age verification plan that would have at least bootstrapped digital identity into the mass market.

During the questions, I noted it might seem that the government has no actual strategy. As Mr. Grieve pointed out in response to my question, there is a tension at the heart of government strategy. I will paraphrase, but the issue is that the government wants to accumulate data but the accumulation of data raises the likelihood of cyberattack. How do we deal with this tension and make progress? This point was illustrated rather well later in the week, when the Parliament’s Joint Human Rights Committee recommended that The Government should “explore the practicality and usefulness of creating a single online registry that would allow people to see, in real time, all the companies that hold personal data on them and what data they hold.”

The Chair of the Committee, the lawyer Harriet Harman, said “It should be simple to know what data is shared about individuals and it must be equally easy to correct or delete data held about us as it was to us to sign up to the service in the first place”. As far as I can see, this completely impractical, expensive and pointless mechanism for logging in to some government website to find out if you signed up for the Wetherspoons loyalty scheme will be of no benefit whatsoever. The vast majority of the population neither know nor care what the Tesco Clubcard database holds about them so long as they get money off vouchers now and then. The Committee’s concerns about privacy are real and valid (and at Consult Hyperion we share them) but their proposed solution will not address them. Apart from anything else, what will stop hackers from getting into the database, finding out that you have an account at Barclays and then using this to phone you up and asking you to transfer your money into a safe account?

I wonder if the lawyers are aware that technologists can help resolve this fundamental paradox. Having had a few years’ experience in delivering highly secure systems to the financial sector, my colleagues at Consult Hyperion are familiar with a number of cryptographic techniques – such as homomorphic encryption, cryptographic blinding, zero-knowledge proofs and verifiable credentials – that can deliver apparently paradoxical results. It is possible to store data and perform computations on it without reading it, it is possible to determine that someone is over 18 without seeing their age and it is possible to find out whether you ate at a certain restaurant without disclosing your name.

Right now, the use of these technologies is nothing more than a hygiene factor for the companies involved. But as legislation (and social pressure) steadily converts personal information into toxic waste, more and more companies will want to avoid it. Privacy will become part of the overall package that a company offers to its customers and we understand the technologies that can deliver it and how to deploy them at population scale. Give us a call – our number’s not a secret.

Technology and Trust @ Money2020

Online trust is a pretty serious issue, but it’s not alway easy to quantify. We all understand that it is important, but what exactly is the value in pounds, shillings and pence (or whatever we will be using after Brexit) and how can we use that value to develop some business cases? It’s one thing to say (as you will often hear at conferences) that some technology or other can increase trust, but how do we know whether that means it is worth spending the money on it? At Consult Hyperion we have a very well-developed methodology, known as Structured Risk Analysis (SRA), for managing risk and directing countermeasure expenditures, but we need reasonable, informed estimates to make it work.

The specific case of online reviews might be one area where trust technologies can be assessed in a practical way. In the UK, the Competition and Markets Authority (CMA) estimates that a staggering £23bn a year of UK consumer spending is now influenced by online customer reviews and the consumer organisation Which has begun a campaign to stop fake reviews from misdirecting this spending. According to their press office, with “https://press.which.co.uk/whichpressreleases/revealed-amazon-plagued-with-thousands-of-fake-five-star-reviews/“, fake reviews are a very serious problem.

Unscrupulous businesses undoubtedly find fake reviews an incredibly useful tool. There are millions of examples we could use to illustrate this, but here is just one.”Asad Malik, 38, used fake reviews and photographs of secure car parks hundreds of miles away to trick customers into leaving their vehicles with him when they flew from Gatwick [Airport parking boss jailed for dumping cars in muddy fields].

So how can we use technology to make a difference here? When you read a review of an airport parking service, or a restaurant or a Bluetooth speaker, how can you even be sure (to choose the simplest example) that the reviewer purchased the product? Well, one possibility might be to co-opt the payment system: and this can be done in a privacy-enhancing way. Suppose when you pay the bill at a restaurant, and you have told your credit card provider that you are happy to be a reviewer, your credit card company sends you an unforgeable cryptographic token that proves you ate at the restaurant. Then, when you go to Tripadvisor or wherever, if you want to post a review of the restaurant, you have to provide such a token. The token would be cryptographically-blinded so that the restaurant and review-readers would not know who you are, so you could be honest, but they could be sure that you’ve eaten there.

Such “review tokens” are an obvious thing to store in digital wallets. You could easily imagine Calibra, to choose an obvious case study, storing these tokens and automatically presenting them when you log in to review sites. This would be a simple first step toward a reputation economy that would benefit consumers and honest service providers alike.

This is one of the cross-overs between payments and identity that we expect to be much discussed at Money20/20 in Las Vegas this week. I’ll be there with the rest of the Consult Hyperion team, so do come along to the great, great Digital Trust Track on Tuesday 29th and join in the discussions.

SRC enters the secure digital commerce arena

Secure Remote Commerce (SRC) officially launched in the US last week,
supported by a limited set of merchants, with more to launch by year-end and into early 2020. We’ve been tracking SRC for some time now as it moved through the specification development process within EMVCo. It has emerged at launch as a customer-facing brand called “Click-to-Pay,” unless you’re using an Amex card, where it’s also called “Online Checkout” in confirmation emails received after registering a card.

So now we know SRC has launched as Click-to-Pay, but what is it? As the card brands have positioned it, Click-to-Pay is intended to solve the challenges that come with guest checkout (i.e. the first time a customer shops with a merchant, or when a customer prefers not to let the merchant store their payment details). SRC itself is a specification that acts behind the scenes to provide a secure and interoperable card acceptance environment
and covers both web-based and native app-based transactions. EMVCo has suggested that by having a simpler integration for merchants to access a consolidated brand wallet through a single buy button, it can enable a smoother process for consumers to access their payment cards and shipping details without having to manually fill out payment details for these types of transactions. This is not the first attempt by the brands to solve this problem (e.g. Visa Checkout, Masterpass, and Amex Express Checkout), but previous attempts struggled with adoption by both consumers and merchants. This new iteration under SRC has all the brands working together under EMVCo to coordinate efforts, so if implemented correctly, and if it does simplify the process for merchants and consumers, the momentum of this joint effort might help enable broad adoption.

Naturally, as all intrepid payment consultants are inclined to do, we went out and tested SRC with the launch merchants to see how it’s working and what we could learn for our clients. We bought some chocolate, movie tickets and also donated to the Movember charity. Based on these payments we found a few peculiarities to note so far:

• The checkout experience across the three launch merchants varies quite a bit, which can be expected for different types of goods or services (i.e. donations vs. goods that need to ship). However, even the experience after returning to the merchant checkout from the SRC checkout varied. Sometimes there was a “Payment Review” screen before confirming payment, and others the payment was submitted immediately after clicking a button to “Confirm” payment on the SRC screens.
• The flows for desktop web and mobile web varied slightly as well when returning to the merchant checkout. Interestingly, there were more steps to complete on a mobile browser after returning from the SRC checkout.
• On subsequent payment attempts after initial registration, more cards appeared without needing to register each one. It’s not entirely clear how these were loaded or where they came from, though we believe it could be due to past use of Visa Checkout, or registration of cards within Apple Pay using the same email address. Even though these cards appeared, they still needed to be authenticated (with a card security code or a one-time passcode) before use.
• While a registered SRC profile contains the customer’s shipping address, the merchant checkout flow forced manual entry of shipping information since payment method selection comes after entering shipping details. As solutions mature, this flow may shift to bring Click-to-Pay earlier in the flow.
• There is a trusted device process, but it doesn’t appear to be recognized by subsequent attempts as even after using Click-to-Pay as a “Returning User”, we were forced to enter a one-time passcode sent via email.

Some of these variations can be expected in early iterations of SRC, and some of them are by design. Jess Turner, executive vice president of digital payments and labs of North America at Mastercard told PYMNTS.com,
“…the way a merchant deploys SRC will depend on their chosen verticals, consumer bases, and how large or small the merchant may be.” This flexibility, in the long run, should actually provide merchants with more choice about how they implement SRC, and which features are most important to them. At this time, the only thing that SRC seems to save for a customer is entering their card details. As adoption expands, we expect to see the checkout experience optimized and simplified for everyone involved.

Speaking of merchants, what’s in it for them? If a consumer is going to enroll any payment cards into a wallet, historically, merchants have preferred this be in a merchant wallet under their control, rather than a scheme wallet. However with SRC there is no merchant card on file “honey pot” to be breached, so for many merchants this is an appealing security feature that reduces their risk of becoming the next credit card data breach in the news like Home Depot, Target, TJX, Marriott, British Airways, Macy’s, Lord & Taylor or Saks Fifth Avenue. For consumers who do not regularly shop with certain merchants, SRC could help reduce the checkout friction while also simultaneously securing the cardholder’s payment details.

There are a variety of ongoing developments attempting to make the experience of guest checkout more convenient and more secure for both consumers and merchants. These include different approaches like storing payment details in your device’s browser (W3C Payments Request API in Safari, Chrome, Firefox, etc.) or leveraging digital wallets like Apple Pay, Google Pay or Samsung Pay for in-app payments. While the technologies available today are still early to the market and need time to mature, they each are striving to enable universal acceptance, increased security, and a common checkout experience, but do we need all these solutions? Are we going to just confuse consumers? Which solutions will gain traction and survive? Which solution works best for different merchant types? The answer to these questions may well depend on the consumer experience a merchant wants to provide on their website.

At Consult Hyperion, we are continually working with our clients to make payments simple and secure. Based on what we can see so far, SRC should make paying online more secure for everyone while reducing integration and enrollment roadblocks for the merchant and consumer respectively, however the current implemenatations are somewhat clunky and need to be more streamlined to succeed. The real test will be the adoption rate and the brands’ responsiveness to feedback from participants in the ecosystem to ensure a beneficial approach for everyone involved. If you’d like to learn more please contact us for a copy of our latest digital commerce material at sales@chyp.com.

4 Essential Trends in Money for your Business

By Sanjib Kalita, Editor-in-Chief, Money20/20

This article was originally published on Money20/20.

We are in the midst of seismic societal changes of how people interact and transact.  Across societies, geographies and segments, digital is the new norm. Change has accelerated, placing greater value upon flexibility and speed. Historically, money and finance have been among the more conservative and slower changing parts of society, but this has changed dramatically over the past decade by viewing money as an instigator of change rather than a lagging indicator.

Whether you are a marketer in shining armor conquering new territory, a financial wizard casting spells upon the balance sheet, or the queen or king guiding the whole enterprise, here are 4 trends about money that you should keep in mind for your business.

Platforms are the new kingdoms

Platforms are the base upon which other structures can be built.  For example, App stores from Apple and Google provide the infrastructure for consumers to complete commercial transactions and manage finances through their mobile phones.  While these companies develop their own digital wallets, they also enable similar services from banks, retailers and other companies.  Building and maintaining the platform enables services that they would not have created on their own, like Uber or Lyft, which in turn, have created their own platforms.

Marketers trying to address customers’ needs can plug into platforms to broaden offerings or deepen engagement with target markets. Platform-based thinking implies that product and service design is ongoing and doesn’t stop with a product launch.  Jack Dorsey didn’t stop when he built the Square credit card reader.  The team went into lending with Square Capital.  They got into consumer P2P payments with Square Cash.  Their ecosystem has grown through partnerships with other companies as well as in-house development.

Digital Identities open the gates

How do your customers interact with you?  Do they need to create a username and password, or can they use a 3rd party system like Google or Facebook?  Are security services like two-factor authentication or biometrics used to protect credentials?  Is your company protecting customer identities adequately?  The importance of all of these questions is increasing and often the difference between being forced into early retirement by a massive data breach or surviving to continue to grow your business.

While identity management and digital security might not be top of mind for most marketers, they are table stakes for even the most basic future business.  History is full of tales of rulers successfully fighting off armies laying sieges on castles and fortresses, only to fail when another army gets access to a key for the back door.

Context rules the experience

Credit card transactions moved from predominantly being in-store, to e-commerce sites accessed from desktop computers, and now to mobile phones.  As the point-of-purchase expanded, so did the consumer use cases and thought processes. In tandem, mobile screens presents less information than desktop computer screens, which in turn presents less information than associates in a brick-and-mortar environment.  Companies best able to understand context and deliver the right user experience within these constraints will build loyal customer relationships.

Apps or services created for a different use cases on the same platform, such as Facebook and Messenger apps, can help achieve this. Banks and have different apps for managing accounts or for completing transactions or payments. On a desktop, you can access these services through a single interface but on the mobile, forcing users to select their use case helps present a streamlined experience on the smaller, more time-constrained mobile screen.  The use of additional data such as location, device, etc. can further streamline the experience. Marketers that don’t think about the context will lose the battle before it even begins.

Data is gold

While a marketer’s goal is to generate sales, data has become a value driver.  In the financial world, data about payments, assets and liabilities has become critical in how products and services are delivered.  PayPal, a fintech that began even before the word ‘fintech’, has recently been using payments data from their platform to help build a lending business for their customers.  Similarly, an SME lender named Kabbage has grown to unicorn status by using data from other sources to make smarter lending and pricing decisions.  In the payments industry, Stripe distilled a previously complex technology integration into a minimal data set, accessed via API, to easily build payments into new digital products and services.

Those that are able to harness the power of data will be able to predict what customers want and more effectively address their needs.  In some cases, it might be using data from within your enterprise or from other platforms for targeting, pricing or servicing decisions. In other cases, it might be using data to reimagine what your product or service is.

Looking for more insights on key trends in money? Hear from 400+ industry leaders at Money20/20 USA. Money20/20 USA will be held on October 27-30, 2019 at The Venetian Las Vegas. To learn more and attend visit us.money2020.com.

This article was originally published on www.money2020.com.

Mobility policy: the way forward is unclear

We’ve been thinking about Mobility as a Service (MaaS) for some time. I remember suggesting its consideration in a meeting with a UK sub-national transport body (STB) in 2016 and the question being ‘Isn’t MaaS just a buzz-word?’ In December 2018, the UK Government Office for Science issued a review, ‘MaaS in the UK: Change and its implications’. It was commissioned as part of the UK government’s Foresight Future of Mobility project.

While the review contains the usual disclaimer, ‘this document is not a statement of government policy’, there is actually a lot of change happening in transit-related policy, based around the opportunities presented by technology and the need to provide convenient services for the travelling public, while limiting the impact on the environment. The Williams Rail Review was launched by the Department for Transport in 2018, taking evidence through 2019, with a view to implementation starting in 2020. Its purpose is to put passengers at the heart of the railway of the future, while taking into account the needs of operators and the taxpayer.

The Rail Delivery Group has responded to the Williams review. They report that eight out of ten people feel the current system should be overhauled, while nine out of ten are in favour of smart or electronic ticketing. They also describe the need to include a range of flexible options to support passenger choice. Integrated and Smart Ticketing offers a way of achieving these goals, incorporating flexibility to accommodate a variety of services in a format that is convenient for passengers.

The Rail Delivery Group itself has undertaken a consultation on simplification of fares, resulting in the publication of the ‘Easier Fares for All’ report. They received around 20,000 responses to the consultation, with very strong support for simplification of fare structures. At present, there is a huge variety of fare products available, which means that a passenger can never be sure of getting best value. The priorities highlighted by responses to the consultation were value for money, fair pricing, simplicity, flexibility and assurance. MaaS is specifically mentioned as a goal in the report, to be achieved by simplification of fare structures and implementation of appropriate technologies. Account-based ticketing, to include capping and integration with other modes of transport such as buses and trams, was also considered desirable.

Even before all this, the UK government had policies in place that would seem to be ideal for the encouragement of MaaS implementations. These included:

  • Department for Transport:
    • MaaS could offer an opportunity to support the DfT’s high-level policy commitments, namely: Boosting economic growth and opportunity, Building a One Nation Britain, Improving journeys, and Safe, Secure and Sustainable Transport. Specifically, MaaS would offer a greater level of integration between modes of transport and enable passengers to have confidence in choosing a variety of different options for their journey. This could encourage individuals to choose public transport more often, promoting social cohesion and sustainability.
    • The DfT’s Single Departmental Plan (SDP) 2015-2020 outlines the progress made in supporting the Department’s high-level policy commitments. The SDP’s commitments cross a range of transport sector delivery areas and illustrate DfT’s engagement in many initiatives that support the development of MaaS, These include capping of fares, introduction of more flexible part-time season tickets, focusing on accessibility to enable people with disabilities to have confidence in public transport provision.
  • Department of Health:
    • To support active lifestyle objectives – perhaps through engaging the travel behaviour change capabilities of MaaS. This is typified by initiatives by TfL to encourage people to walk or cycle rather than taking the tube.
    • Reducing respiratory and air quality related health issues – perhaps through engaging with MaaS Providers to manage travel patterns in areas with poor air quality. This could include managing the types and numbers of vehicles permitted in an area. This can be achieved in a number of ways, such as using bus lanes to promote public transport and giving low emissions vehicles exemptions to congestion charging.
  • Department for Business, Innovation and Skills:
    • Supporting innovation and growth, particularly in the sharing economy. This could include car sharing, ride sharing and other innovative approaches to transport and ticketing.
    • Supporting new markets for Connected and Autonomous Vehicles (CAV). This might include provision of autonomous vehicles for use by visitors within a tourist area or more effective monitoring of the use of hire cars in and around airports.

At the time of writing, the government has tabled secondary legislation, expected to pass very shortly, to mandate net-zero carbon emissions throughout the economy by 2050. MaaS is expected to be a key enabler in reaching this goal by offering a range of more convenient alternatives to individual passenger car journeys. These might include ride sharing, car sharing, or simply bus and train services that are better tailored to local needs. Paying for a recharge of electric vehicle at (say) a park and ride centre, potentially at a discount to that available commercially in city centre car parks might be considered.

The UK government has described its support for transformation in the area of mobility in its paper “Future of mobility: urban strategy”. It promotes safe and secure mobility services designed around the needs of the individual, which prioritise active travel such as walking and cycling. It also highlights the key role of mass transit, with the aim of reducing congestion and emissions. Creative use of published data is seen as an important tool in managing an integrated mobility ecosystem.

The MaaS Alliance and UK Transport Systems Catapult commissioned a survey in spring 2017 to generate data on the critical regulatory enablers and barriers for the development and full deployment of MaaS. It is worth noting that policy targets on emissions are likely to have a positive effect on MaaS market developments.

A recent report by the House of Commons Transport Committee concluded:

The key choices the Government can make are on its approach to the governance around MaaS in the areas of incentivising data sharing; introducing a regulatory framework such as a code of conduct and ensuring passenger rights are protected.

Finland was the first country to regulate to facilitate the pre-conditions necessary for MaaS. Their Act on Transport Services (also known as the Transport Code) was adopted in April 2017. All provisions in the Act entered into force by July 2018. It promotes customer-oriented, market-based transport services on a competitive basis. It aims to enable new technologies and digitalisation into the transport sector. It obliges transport operators to make essential data available and provides for the interoperability of ticketing and payment systems. The presentation in January at TTG19 from Minna Soininen, Director of the Finnish Public Transport Association, was less than glowing about the progress to date since regulation, indicating that the way forward is still not clear.

A lot has changed since our STB meeting in 2016. Our recent work with another STB uncovered a shift in thinking. A facilitation role is being sought and there is openness to forming partnerships with a wide range of mobility providers. There is a great deal of uncertainty about the future of MaaS and therefore future policy makers are looking at how to better deal with uncertainty and avoid committing too strongly to the early adopters.

If you’re interested in finding out more, please contact: sales@chyp.com

The EBA blinks first …

EDIT: since posting this blog the UK’s FCA has confirmed our expectation that it won’t be enforcing SCA on the 14th September as long as the participants are aiming to comply with a soon to be announced migration plan. In the meantime it’s “working with the industry to develop a plan to migrate the industry to implement SCA for card payments in e-commerce as soon as possible”.  See: https://www.fca.org.uk/news/statements/fca-response-european-banking-authority%E2%80%99s-opinion-strong-customer-authentication

The doom-laden headlines appearing in the press have, it seems, worked and the EBA has decided to replace the 14th September deadline for the introduction of SCA with … another deadline. Only they won’t tell us what it is, presumably we have to figure it out for ourselves.  

So, let’s see what the EBA has done now …

Firstly, they haven’t actually changed the date as they can’t, it’s written into EU law. But given dire warnings of a collapse in online payments they’ve come up with a fudge:

The EBA therefore accepts that, on an exceptional basis and in order to avoid unintended negative consequences for some payment service users after 14 September 2019, CAs may decide to work with PSPs and relevant stakeholders, including consumers and merchants, to provide limited additional time to allow issuers to migrate to authentication approaches that are compliant with SCA, such as those described in this Opinion, and acquirers to migrate their merchants to solutions that support SCA.

https://eba.europa.eu/documents/

Let’s summarise that. National regulators – competent authorities (CAs) – may work with PSPs (Issuing and Acquiring banks) and unregulated actors (merchants, consumers) to agree to delay the introduction of SCA. Which presumably means unprepared merchants and confused consumers are breathing a sigh of relief. Unfortunately, as this is now in the hands of local regulators there’s no guarantee at all that this will be applied evenly, opening up the possibility that some countries will enforce and others (notably the UK and France) will not.

On top of that, there’s no guarantee that Issuers won’t apply SCA anyway, even if their local regulator permits them to not do so. So merchants who are unprepared may still find themselves suffering random declines. And, furthermore, if Acquirers haven’t implemented the necessary changes then even if the merchants are compliant they may still have transactions irrevocably declined.

Note also the “limited additional time” clause. Frankly, introducing SCA prior to the critical holiday shopping period was foolish anyway (but was an unintended consequence of the 18 month implementation period following the adoption of the RTS), so we can assume that the date will be pushed out at least into early or mid 2020. The EBA adds (but not in the actual Opinion):

In order to fulfil the objectives of PSD2 and the EBA of achieving consistency across the EU, the EBA will later this year communicate deadlines by which the aforementioned actors will have to have completed their migration plans.

And that’s the catch:

This supervisory flexibility is available under the condition that PSPs have set up a migration plan, have agreed the plan with their CA, and execute the plan in an expedited manner. CAs should monitor the execution of these plans to ensure swift compliance with the PSD2 and the EBA’s technical standards and to achieve consistency of authentication approaches across the EU.

Basically, Issuers and Acquirers need to publish what they’re going to do including how they’re going to communicate the requirements to consumers and merchants respectively. Quite how this is all going to be co-ordinated is unclear – no sensible merchant is going to disadvantage themselves by unilaterally turning on SCA when its competitors aren’t. Issuers may take the same approach, as they probably don’t want their cardholders switching to other banks: but there’s no requirement on them to do so.

The rest of the opinion focuses on the validity of various authentication factors. That’s interesting too, but we’ll look at the implications of it another day.

The one thing this does allow is for 3DS-2.2 to be made ready. That’s an advantage to smart merchants who can at least develop a proper, low friction SCA strategy. In the meantime, we’re looking forward to getting involved in lots of migration planning.

Digital Identity Alphabet Soup

We’ve been attending various identity conferences over the last few months, including KNOW 2019, the Internet Identity Workshop, and IdentityNORTH in North America, and EIC and Identity Week in Europe. One of the major themes that continues to stand out in all these events is the number of simultaneous initiatives going on around the world to create standards addressing various aspects of digital identity. It’s one of the reasons we created our 3-Domain Identity Model (see here for a refresher on 3DID), to help our clients navigate their way through all of this and to think about where they may play a role.

Interoperable digital identity will only be possible if there is agreement on how the systems will work from a business, legal and technical standpoint. The variety of proposed international and national standards, guidelines and technology protocols leave our clients wondering “Which of these should I use and when?”.

When we look at the solutions being built the picture is equally confusing. Some are built on open standards, while others are based on proprietary developments, and some are a combination of the two. Some are built for specific industries like healthcare, financial services, or government services. To date, the focus of many digital identity solutions has been within the identification domain (i.e. customer onboarding, ID proofing, KYC, etc.), however the general movement of the industry is now shifting towards a broader ecosystem enabling the sharing of trusted or verifiable data centered around the subject (person, organization or thing).

All these factors have led to a fragmentation of the digital identity market. But all is not lost. Several collaborative cross-sector organizations are actively working to get everyone on the same page.

To try to make some sense of all these initiatives, we pulled together the diagram below to give a representative example (not exhaustive) of the ongoing efforts across each of the domains of identity. Some of these have been developed for targeted purposes (e.g. FIDO biometric authentication) while others have a broader approach that crosses all three domains (e.g. the Pan-Canadian Trust Framework).


Comparing identity standards, solutions and services can be difficult. While in general these are all trying to solve similar problems, they can approach it in quite different ways. Any of these initiatives in isolation will not get us all on the same page.

It has been encouraging to see over the last few months, across the digital identity community, the spirit of collaboration continuing to strengthen. The effort has been building for a few years now, but this year has seemed different with many of the key organizations across the spectrum joining forces and recognizing the necessity to meet the needs of all users to solve the lack of trust online today.

In that spirit, do get in touch if you want to discuss any of these things further. We do not have all the answers, but we hope that an open and collaborative dialogue will help us all to move forward.

Identity Week

The opening keynote at identity week in London was given by Oliver Dowden, the Minister for implementation at the Cabinet office and therefore the person in charge of the digital transformation of government. At Consult Hyperion we think digital identity is central to digital transformation of government (and the digital transformation of everything else, for that matter) so I was looking forward to hearing the UK government’s vision for digital identity. I accompanied the Minister on his visit to the IDEMIA stand where he was shown a range of attractive burgundy passports.

In his keynote, the Minister said that the UK is seen as being at the cutting edge of digital identity and that GOV.UK Verify is at the heart of that success.

(For foreign visitors, perhaps unfamiliar with this cutting edge position, a spirit of transparency requires me to note that back on 9th October 2016, Mr. Dowden gave written statement HCWS978 to Parliament, announcing that the government was going to stop funding Verify after 18 months with the private sector responsible for funding after that.)

Given that the government spends around £1.5 billion per annum on “identity, fraud, error, debt, how much identity costs to validate, and how much proprietary hardware and software bought”, it’s obviously important for them to set an effective strategy. Now, members of the public, who don’t really know or care about digital ID might be saying to themselves, “why can’t we just use ‘sign in with Apple’ to do our taxes?”, and this is a good point. Even if they are not saying it right now, they’ll be saying it soon as they get used to Apple’s mandate that all apps that allow third-party sign-in must support it.

Right now you can’t use a GOV.UK Verify Identity Provider to log into your bank or any other private sector service provider. But in his speech the Minister said that he looks forward to a time when people can use a single login to “access their state pension and the savings account” and I have to say I agree with him. Obviously you’d want a different single login for gambling and pornography, but that’s already taken care of as, according to Sky News, “thanks to its ill-conceived porn block, the government has quietly blundered into the creation of a digital passport – then outsourced its development to private firms, without setting clear limits on how it is to be used”. One of these firms runs the world’s largest pornography site, Pornhub, so I imagine they know a thing or two about population-scale identity management.

Back to the Minister’s point though. Yes, it would be nice to have some sort of ID app on my phone and it would be great if my bank and the HMRC and Woking Council and LinkedIn would all let me log in with this ID. The interesting question is how you get to this login. Put a PIN in that and we’ll come back to it later.

The Minister made three substantive points in the speech. He talked about:

  • The creation of a new Digital Identity Unit, which is a collaboration between DCMS and Cabinet Office. The Unit will help foster co-operation between the public and private sector, ensure the adoption of interoperable standards, specification and schemes, and deliver on the outcome of the consultation.
  • A consultation to be issued in the coming weeks on how to deliver the effective organisation of the digital identity market. Through this consultation the government will work with industry, particularly with sectors who have frequent user identity interactions, to ensure interoperable ‘rules of the road’ for identity.
  • The start of engagement on the commercial framework for consuming digital identities from the private sector for the period from April 2020 to ensure the continued delivery of public services. The Government Digital Service will continue to ensure alignment of commercial models that are adopted by the developing identity market to build a flourishing ecosystem that delivers value for everyone.

The Minister was taken away on urgent business and therefore unable to stay for my speech, in which I suggested that the idea of a general-purpose digital identity might be quite a big bite to take at the problem. So it would make sense to look at who else might provide the “digital identities from the private sector” used for the delivery of public services. Assuming the current GOV.UK Verify identities fail to gain traction in the private sector, then I think there are two obvious private sector coalitions that might step in to do this for the government: the big banks and the big techs.

For a variety of reasons, I hope that the big banks are able to come together to respond to the comments of Mark Carney, the Governor of the Bank of England, on the necessity for a digital identity in the finance sector to work with the banks to develop some sort of financial services passport. I made some practical suggestions about this earlier in the year and have continued to discuss the concept with potential stakeholders. I think it stacks up, but we’ll have to see how things develop.

On the other hand, if the banks can’t get it together and the big techs come knocking, they are already showing off their solutions. I’ll readily admit that when the Minister first said “private sector identities”, the first thought to flash across my brain was “Apple”. But I wouldn’t be at all surprised to go over to the HMRC web site fairly soon to find a “log in with Amazon” and “log in with Apple” next a button with some incomprehensible waffle about eIDAS that I, and most other normal consumers I’m sure, will simply ignore.

How do you use Apple ID to log into the Inland Revenue? Easy: you log in as you do now after sending off for the password and waiting for it to come in the post and that sort of thing and then once you are connected tell them the Apple ID that you want to use in the future. If you want to be “jackdaniels@me.com” or whatever, it doesn’t matter. It’s just an identifier for the Revenue to recognise you in the future. Then next time you go to the Inland Revenue, you log in as jackdaniels@me.com, something pops up on your iPhone and you put your thumb on it or look at it, and bingo you logged in to fill out your PAYE.

Yet another GDPR article – the story so far

How time flies, GDPR has just had its first birthday!

This past year you will have been inundated with articles and blogs about GDPR and the impact on consumers and businesses alike. According to the UK’s Information Commissioner, Elizabeth Denham, GDPR and its UK implementation, the Data Protection Act (DPA) 2018, has marked a “seismic shift in privacy and information rights”. Individuals are now more aware of their information rights and haven’t been shy about demanding it. In the UK, the ICO received around 14,000 personal data breach reports and over 41,000 data protection concerns from the public from 25 May 2018 to 1 May 2019, compared to around 3,300 PDB reports and 21,000 data protection concerns in the preceding year. Beyond Europe, the regulation has had a remarkable influence in other jurisdictions, where they have either enacted or are in the process of enacting a ‘GDPR equivalent’ law – something similar is underway in Brazil, Australia, California, Japan and South Korea.

With all the good intentions of GDPR some of its provisions contradict, other, equally well-intentioned EU laws. Bank Secrecy Laws on one hand, require that customers’ personal data should be protected and used for the intended purpose(s), except where otherwise consented to by the customer. AMLD4/5 on the other hand, requires that identifying personal data in ‘suspicious transactions’ should be passed on to appropriate national authorities (of course without the customer’s consent/ knowledge). Then PSD2 requires banks to open up customers’ data to authorised Third Party Providers (TPPs), subject to obtaining the customer’s consent. One issue that arises out of this is the seeming incongruity between Article 94 PSD2’s explicit consent, and GDPR’s (explicit) consent.

Under GDPR, consent is one of the lawful bases for processing personal data, subject to the strict requirements for obtaining, recording, and managing it, otherwise it’s deemed invalid. In some cases, a lack of good understanding of these rules has resulted in poor practices around consent processing. That is why organisations like the Kantara Initiative are leading the effort in developing specifications for ‘User Managed Access’ and ‘Consent Receipt’.

In addition, EU regulators have been weighing in to clarify some of the conundrums. For example, the Dutch DPA issued a guidance on the interplay of PSD2/GDPR, which shows that there’s no straightforward answer to what seems like a relatively simple question, as one might think. The EDPB has also published an opinion on the interplay between GDPR, and the slowly but surely evolving ePrivacy regulation. Suffice to say, correctly navigating the compliance requirements of all these laws are indeed challenging, but possible.

What will the second year of GDPR bring?

While regulators are keen to enforce the law, their priority is transparent co-operation, not penalties. The ICO has provided support tools, and guidance, including a dedicated help line and chat services to support SMEs. They are also in the process of “establishing a one-stop shop for SMEs, drawing together the expertise from across our regulatory teams to help us better support those organisations without the capacity or obligation to maintain dedicated in-house compliance resources.” However, for those who still choose to ‘wilfully or negligently break the law’, GDPR’s recommended administrative fines may help to focus the mind on what is at stake, in addition to the ‘cleaning up’ costs afterward. Supervisory Authorities require time and resources to investigate and clear the backlog as a result of the EU wide increase in information rights queries and complaints of the past one year. The UK’s ICO, and its Netherlands and Norwegian counterparts are collaborating to harmonise their approaches and establish a “matrix” for calculating fines. France’s CNIL has led the way with the $57 million Google fine earlier in the year, however, the ICO has confirmed that there will soon be fines for “a couple of very large cases that are in the pipeline, so also,the Irish DPC expects to levy substantial” fines this summer.

A new but important principle in GDPR is the ‘accountability principle’ – which states that the data controller is responsible for complying with the regulation and must be able to demonstrate compliance. So, it is not enough to say, ‘we have it,’ you must be able to produce ‘appropriate evidence’ on demand to back it up. The ICO states in its ‘GDPR – one year on’ blog that “the focus for the second year of the GDPR must be beyond baseline compliance – organisations need to shift their focus to accountability with a real evidenced understanding of the risks to individuals in the way they process data and how those risks should be mitigated.” By now one would expect that most organisations would have put in the effort required beyond tick boxes to achieve an appropriate level of compliance with the regulation so they can reap the reward of continued business growth borne out of trust/loyalty from their customers.

One of the methods of demonstrating GDPR accountability is through a Data Protection Impact Assessment­ (DPIA) – a process by which organisations can systematically analyse, identify, and minimise the data protection risks of their project or plan ‘before going live.’ GDPR does not mandate a specific DPIA process, but expects whichever methodology chosen by the data controller to meet the requirements specified in its Article 35(7).

At Consult Hyperion, we have a long track record of thinking about the risks associated with transactional data, so much so that we published and continue to use our own Structured Risk Analysis (SRA) methodology. Our approach, in response to the needs of our customers, has always been to describe the technological risks in a language that allow the business owner, who ultimately owns the risk, to make a judgement. Building on this we have developed a business focused approach to GDPR compliant DPIA to help our customers, for the products we design, review, or develop for them.

If you’re interested in finding out more, please contact: sales@chyp.com

Friday the 13th: PSD2 SCA Cometh

On Friday 13th September this year, the full force of PSD2 Strong Customer Authentication (SCA) comes into force. Anecdotally the lack of readiness of the card payment industry is beginning to suggest that the immediate impact may well look like the aftermath of a dinner party hosted by Jason Voorhees.

To summarise: after 13th September 2019 (yes, that’s in just over 3 months) account holding banks must require two factor authentication compliant with PSD2 SCA on all electronic payments, including all remote card payments, unless an applicable exemption is triggered. There are no exceptions allowed to this, there is no concept of merchants choosing to take liability and avoiding SCA. In the event that a merchant attempts a transaction without SCA and the issuing bank determines that no exemption applies or that there is significant risk associated with the payment the bank must decline and request the merchant to perform a step-up authentication.

Currently, the only real option open to merchants for performing SCA for online card payments is 3DS. To support all of the PSD2 exemptions – which are needed to provide a near frictionless payment experience – the very latest version, 3DS2.2, must be used. As it stands, however, 3DS2.2 will not be ready, so the initial implementation of this will be sub-optimal.

So, come 14th September this year what will happen?

Figures are hard to come by, but within Europe we believe that 75% of merchants don’t implement 3DS today. We also believe that about a fifth of large issuers are taking a hard line in order to be compliant with the regulations and will decline all non-3DS transactions. Even where the issuer is taking a more subtle approach they will request step-up SCA on somewhere between 1 in 5 and 1 in 10 transactions.  On top of this, if the merchant does not support 3DS and the issuer authorises anyway any fraud is the merchant’s responsibility: for non-complying merchants this is a lose-lose-lose proposition.

Given this woeful state of preparedness there’s some industry hope that the regulators may take a relaxed view of compliance come September. Certainly there are representations being made in Brussels, but we think it’s unlikely there’ll be any relief from that direction: (1) the migration date is written into law, national regulators cannot alter it and (2) many issuers will implement PSD2 fully regardless of any softening of the implementation. We suspect that there may be some movement from national regulators since the alternative may be unthinkable, but travelling hopefully doesn’t look like much of a strategy, especially if you’re an e-com retailer or PSP.

Going forward there are a wide range of solutions being developed which will mitigate the impact of SCA on cardholders. Ultimately 3DS is not the only solution, but it is the only pervasive one and it certainly is the only one available in the current time frames.

What can merchants do to avoid carnage in September? Well, as a matter of urgency they need to engage with their PSPs to ensure that they’re capable of supporting 3DS. Given that there’s likely to be a last minute rush the earlier this happens the better. Secondly, to meet 3DS requirements they need to be capturing a range of customer data to feed into the underlying risk management processes (which, of course, needs to be GDPR compliant). And finally, they need to be working on a proper PSD2 SCA strategy that ensures, going forward, that they can minimise the impact on their customers, provide the minimum friction in the payments process and maximise transaction completion.

Here at Chyp we’ve spent the last two years helping Issuers, Schemes, Acquirers, PSPs and merchants prepare – so although the impact across the payments industry may be patchy, we know there will be winners as well as losers. If the worst case comes to pass then the only merchants likely to escape the bloodbath come September are those taking action now. And there’s unlikely to be any downside to immediate action – PSD2 has been in the works for over five years, the SCA implementation date has been known for over a year, and there’s little indication that the European Commission intends to undo or loosen the regulations.

Friday 13th is coming, best make sure you’re prepared …


Subscribe to our newsletter

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

By accepting the Terms, you consent to Consult Hyperion communicating with you regarding our events, reports and services through our regular newsletter. You can unsubscribe anytime through our newsletters or by emailing us.