By Nick Mothershaw, Chief Identity Strategist at the Open Identity Exchange
Full digital ID adoption will be critical to the growth of the banking and finance sector. The government is finalising its digital ID trust framework and there is a growing market of ID providers who are ready to go. Despite this recognition and all the activity around digital ID, there is still a notable lack of understanding among banking and finance companies that will come to accept digital IDs – what it is, why it is good for them and how it will work. And this is slowing the progress on digital ID adoption.
The Open Identity Exchange has been working across this sector, and very closely with trade bodies including UK Finance, FLA and TISA, to address both barriers and concerns, as well as offer clarity. Below are the key myths and questions about digital ID that are coming up time and time again.
Myth: The data within a digital ID is not safe.
A digital ID trust framework ensures that identity providers are certified to global security standards for data management. This includes ensuring data is encrypted in transit and, where appropriate, at rest. It also includes robust data access and management procedures commensurate with those used in financial services. Data in a digital ID is as safe as data in a bank.
Myth: If a person loses their device, they also lose their digital ID.
In the majority of cases, the user’s digital ID is securely backed up in the cloud in a distributed way, so if a device is misplaced or stolen, the user will be able to easily recover their ID to a new device. Banking and financial services that will come to accept digital IDs should focus on those where the user’s digital ID is securely backed up in the cloud, rather than those reliant on a single device.
Myth: Anyone can access the data in a Digital ID.
A user’s data can only be released to other parties with the user’s specific consent to do so. Only the person who owns the digital ID will be able to access and manage the data held within it.
Myth: Digital ID is not inclusive of all customers.
OIX has been leading a significant amount of work on the subject of digital ID inclusion with the objective of ensuring all users who want one can get a digital ID. Its work has revealed that a key priority for all the parties involved in driving the growth of digital ID ecosystems, whether they are public, private or third sectors, is the desire to be inclusive. This work is global, and is looking at ways to ensure that people who cannot establish a digital ID because they do not have digitally presentable evidence or need assistance presenting it, have secondary options available to them.
What if a digital ID has been taken over by a fraudster?
Under the rules of any good trust framework, there are specific details around protection from fraud. If the ID provider fails to follow those rules and this has allowed a fraudster to gain control of a digital ID, the liability position will depend on the rules of the specific trust framework, trust scheme or contractual arrangements between the ID provider and the financial services firm. The ID provider will be responsible for notifying the genuine users of the stolen ID, as well as all the organisations where the ID may have been used fraudulently.
What if a user wants to move, delete or update their data in the Digital ID?
Ultimately, users own their data, consent to its release and can ask for it to be deleted at any time. Digital IDs operate within data protection legislation, so data protection regulations apply to digital ID ecosystems. They must allow users to delete their data, and ideally should allow users to move their data from one ID provider to another.
If users update their data, the new data will firstly be validated and verified, so that there is trust present when that data is shared. The user should have access to a list of organisations that have previously received their data and can choose who should receive an update. Organisations could also choose to subscribe to update services.
Can a digital ID be incorrect?
A key feature of a digital ID is that the information it provides you has been validated as being correct and belonging to the user. In the few cases where attributes cannot be validated, they should have an un-validated status attached so that the organisations using them are aware. If information is found to be incorrect, it can be raised with the ID provider who will liaise with the end user.
Will passwords still exist with digital ID?
Passwords will still exist for some time. However, authenticators, such as biometrics or tokens, are proven to be far more robust than passwords. It’s inevitable, therefore, that the use of passwords will decline over time as more digital ID providers move to more secure ways to access IDs.
What if there are issues with a particular ID provider?
There is an escalation procedure within the trust framework to deal with any issues that arise with a digital ID provider and cannot be resolved with them directly. This should initially be to the operator of the trust scheme then to the trust framework governance body itself. The OIX Guide to Trust Framework Issues and Complaint Services can help banks and financial services understand more about what to expect.
Conclusion: The adoption of digital ID will soon start to move at speed
The benefits for banking and financial services that embrace digital ID will be significant. They’ll see greater user success rates at the point of onboarding, enabling positive engagement both first time and on return and reducing risk of loss. Compliance will be more achievable, fraud levels will be reduced and they should see cost efficiencies overall.
Banking and finance providers will be among those that will come to rely on digital ID, so it is vital that misunderstandings around digital ID are clarified and their questions are answered, or they will find themselves left behind as digital ID is adopted by other sectors at a faster pace.