The governor of the Bank of England, the Canadian ex-Goldman Sachs economist Mr. Mark Carney, recently suggested that digital ID cards “would make it safer for people to access money online”. He is sort-of-correct. We do indeed need to do something to stop the relentless increase in identity-related fraud and scams (such as, for example, “man receives surprise message purporting to be from Mark Carney offering multimillion-dollar sum”)
I don’t think that a digital ID card is quite the solution, because I prefer a more sophisticated solution that is based on digital identities for everything and multiple personae for transactional purposes, but that’s splitting hairs at high level. I am right behind Mr. Carney on this, although I think he was wrong when he went on to say that such a scheme could also prove controversial and could “only be introduced by the Government rather than the Bank of England”. In my opinion he is mixing up the controversial idea of a national digital identity card of some kind with the uncontroversial notion of a some form of secure and convenient identity management for the purposes of interacting with regulated financial institutions.
Only a day after Mr. Carney’s remarks, the Emerging Payments Association (EPA)https://www.finextra.com/newsarticle/33292/payments-body-calls-for-digital-ids-to-tackle-financial-crime?utm_medium=newsflashutm_source=2019-1-31member=87935, calling for UK financial institutions and payment processors to create a “national digital identity scheme to tackle these threats”. So let’s take this national digital identity for financial services and digital ID card for online identity checking in Mr. Carney’s terms and call the concept, for sake of brevity, the Financial Services Passport, or FSP.
I don’t know if Mr. Carney has read my 2014 book Identity is the New Money (still available from all good bookshops and Amazon), but in there I wrote that “One very specific use of the [digital identity] infrastructure should be to greatly reduce the cost and complexity of executing transactions in the UK by explicitly recognising that reputation will be the basis of trust and therefore transaction costs. The regulators should therefore set in motion plans for a Financial Services Passport”.
A few year ago, I spent some time as co-chair (with Ian Jenkins of Deloitte) of the techUK Financial Services Passport Working Group, I was working on this problem with a bunch of smart people and no-one took the slightest interest in this obviously sensible conduct and I do not remember noticing the slightest inclination by the UK’s banks to work together on it. That Working Group, incidentally, was created because of recommendations of an earlier techUK report “Towards a New Financial Services” developed through 2013. Section 3 of this report is actually called “Identity and Authentication: Time for a Digital Financial Services Passport”. The conclusion of that section is
There is clearly a need to look again at identity authentication in financial services. In addition to creating inconvenience for consumers, the current approach is expensive to maintain and inadequate in serving an increasingly digital financial services industry. As trusted authenticators of identity, a new standardised approach by financial services organisation could enable wider societal benefits, while also unlocking new opportunities for the industry. However, moving from the current fragmented identity infrastructure to a standardised financial services passport would require overcoming several challenges; from the competitive dynamics in financial services, to the extent and scope of liability, whilst simultaneously maintaining KYC and AML compliance. In the first instance, the scope of a financial services passport needs to be more clearly defined. This requires a technology roadmap that can match objectives and requirements in managing digital identities in financial services with technical solutions and provide a feel for how trends may already be shaping the market in this space.
It is a testament to the power of my writing and my great influence in the financial services community that it has taken a mere five years for this idea to reach the governor and for him to put it forward as a way to “harmonise the various different systems of online identity checking” and he is right to see it this way. Perhaps now is the right time to use this impetus to revise the concept for Jersey.
So what could a practical Jersey Financial Passport (JFP) actually look like? In the techUK discussions, we explored three broad architectures:
- A centralised solution, some sort of KYC utility funded by the banks. This was seen as being the cheapest solution, but with some problems of governance and control. It could also be a single point of failure for the financial system and therefore unwise given that we are now in a cyberwar without end.
- A decentralised “blockchain” (it wouldn’t really be a blockchain, of course, it would be some form of shared ledger) where financial institutions (and regulators) would operate the nodes and all of the identity crud (“create, read, update and delete”) would be recorded permanently.
- A federated solution where each bank would be responsible for managing the identities of its own customers and providing relevant information to other banks as and when required.
At the time, I thought that the third option was probably best but I’m open to rational debate around the topic. Let’s just say for sake of argument though that in response to Mr. Carney’s comments, the Jersey decided on a federated solution using the three-domain identity (3DID) model. It would look like this.
All of the standards and technologies needed to make this happen already exist except in one area. Let’s imagine that the digital identity is, basically, a key pair. The virtual identity is then a public key certificate. The credentials in that certificate are where we need some standardisation to define attributes (eg, IS_A_PERSON, IS_OVER_18, HAS_OVERDRAFT_AGREEMENT or whatever). It does not seem an insurmountable problem, however, for Jersey to draw up a specific shortlist of relevant attributes for the island’s financial services providers to use so that they could communicate effectively and save both time and money for all concerned.
It strikes me that we should go back to thinking about this very specific implementation of a more general digital identity scheme for Jersey. A Jersey Financial Passport could form a fundamental element of a jurisdictional competition strategy that is genuinely transformational.
