The Identity Proofing Guide: The digital ID verification landscape and why biometrics are crucial
- In the third part of our series on digital identity verification with advisory firm, Ulysses Partners, we were joined by financial industry and fintech experts David Milligan and Graham Seel.
- Watch or listen to our fireside chat about the digital identity verification landscape, the challenges arising from the growth of data sharing consortiums, and why the combination of document-centric identity proofing and biometrics is the gold standard.
The following was produced by Tearsheet Studios. We worked with consulting firm Ulysses Partners to create a four-part series on identity proofing and the importance of user experience in its emerging landscape. The series is based on our co-created publication, The Identity Proofing Guide: A practical hands-on review of user experience in leading solutions.
In this session we’re joined by David Milligan, managing partner at Ulysses Partners, and Graham Seel, strategic advisor to community banks and credit unions. We’ll be talking about the current biometrics and verification landscape, the concept of data sharing consortia, and how different geographies around the world, from the US to India, are tackling the need to prove and verify identities.
Watch the video
Listen to the podcast
David Milligan: I'm David Milligan, and I run a boutique consulting firm called Ulysses Partners where I work with Graham and other financial services industry experts. We help financial services organizations and established fintech firms to work together, enter new markets, and deliver their propositions to wider audiences. I've worked in fintech and financial services for nearly 20 years and have been lucky to work with hundreds of banks, insurers, and fintech companies around the world.
Graham Seel: I'm Graham Seel, and I’ve spent about 40 years in commercial banking, in pretty much every aspect of banking in different leadership roles. Then working as a consultant with large banks, midsize banks, and community banks in the United States, as well as working also with fintechs on how to partner with banks, and with banks on how to partner with fintechs – quite an interesting challenge. Currently I’m focused on the area of financial inclusion, and helping double bottom-line and non-profit organizations to improve the quality of life in particularly the poorest areas around the world through access to financial services.
Proving identity around the globe
Graham Seel: When I started in banking 40 years ago, identity proofing was really straightforward, very effective, and the user experience was actually fairly smooth. Because simply, you had to walk into a branch – that's all there was; there were no ATMs, certainly no online banking -- you had to meet somebody in-person and have a conversation. They had to get to know you.
My uncle managed a branch of Barclays Bank in England, and for many years he knew every one of his customers, and the staff knew every one of their customers. So if someone came in and said they wanted to do something really crazy, they would know whether it’s appropriate or not. Identity proofing and verification were just ‘natural biometrics’ – you actually knew the person and their personality, character, and everything.
Over time, of course, it changed enormously, as the size of the banking market grew. Besides growth in the number of banking customers over the last 20 years, the rapidly increasing process of digitization has seen a whole load of new concerns arise, like the possibility of identity theft. Fraud has changed enormously from being an insider manual activity to something that can happen through internet-based hacking.
As a result, the identity proofing landscape is a mess, especially if you look globally.
The expectations of customers are very different in different contexts. Different industries have varied user experience expectations, but also varied needs in terms of proofing. From country to country and from jurisdiction to jurisdiction, the changes are enormous.
Some countries have gone a long way toward building a consistent, reliable identity system, but most countries don't have that (like the United States), so you deal with what you've got.
The possibility of biometrics has changed as well over time. I think it was a South African bank that first introduced fingerprints at the ATM – and we can tell how well that went because you don't see any ATMs with fingerprint readers around in most places. Today, there are still so many different organizations trying different ways of proving and verifying identities, and they're using whatever tools are at their disposal.
It varies a lot country by country, and within a country; in the cities of Uganda, which I know best, there are opportunities to get decent internet access, so there's a possibility for biometrics. But culturally, it's a pretty hard sell. In rural areas, the networks are not very good and there's great poverty, so you're not going to find smartphones. Taking selfies is possible on a flip phone, but you can't send it anywhere without a data plan. So, there are many different factors that lead into the marketplace being a mess. Any software company that wanted to be a global provider (and I haven't come across any who really have that aspiration) would really have their work cut out.
David Milligan: As Graham pointed out, you have different countries and regions having a whole range of identity proofing approaches. In Europe you have centralized identities with national identity cards, and on the other end of the spectrum are countries like Mexico, which has six or seven different government-issued identity documents, and East Africa, with 15 different government-issued IDs. We might think that's unusual, but even in the US, some states offer different driver's licenses, and some states have state ID cards, while many do not. And the only common denominator across countries is a passport, but not everyone has a passport. The official identity issuers are disparate around the world.
And then on the other side, you've got a whole range of private sector companies who have a need to ‘prove’ the identity of their customers. We talked in earlier sessions about this, including situations where there is a need to ensure that payments are done securely, for a variety of very valid reasons.
In the branch days, people would walk in and sign up and there was that interaction. But that was fairly low volume. Now, you have many more people with many more interactions at many more firms. So the scale of the need to prove an identity and to verify identity have just exploded when it comes to the internet and digital tools being used.
So in that space, we’ve seen a whole bunch of private sector firms come in to try and help financial institutions and other companies to deal with this proving of identity problem.
Initially to meet this need, data aggregator companies would create databases of phone numbers, and later email addresses; and when people signed up or filled in a form for a bank, the bank would go check their number or email against the centralized database maintained by this private sector player.
Now we're seeing more public-private sector partnerships. A fascinating example is Canada – the government has a partnership with the largest banks there, so Canadians can use their bank logins to access their tax records. They are sharing that data between these entities -- banks and government agencies.
I think that we're going to see more of this as this need to prove identities grows, and it raises some interesting questions as to what is the best way of doing this in a world of “data sharing consortiums”.
Graham Seel: In another example, I'm working with a banking startup that plans to become a pan-African financial inclusion digital bank, solely serving the bottom of the pyramid, where identity proofing is really difficult. We started working with an organization called Smile Identity (I like that name, because it's all about capturing a photograph); they currently connect to 15 or so different ID types in five countries, their plan is to move to 100-plus ID types in 30 different countries, and they provide a single point of access for a bank like this one, that otherwise has a virtually impossible integration challenge.
The digital divide, and why data sharing is not good enough
David Milligan: What we're seeing is that there are more and more private sector agreements in markets like the US where, in an effort to reduce fraud while making it easier and more secure, organizations are starting to share data across customer types.
This has many positives, like making it possible for one bank to know that you successfully signed up with another bank – it can speed up the onboarding process and improve that experience.
In the current fragmented digital identity landscape, private sector players are devising many different solutions to help companies check the identities of new customers. But as one of our researchers said, ‘my identity is not my phone number, or my last address’. So just relying on the data-sharing consortium is problematic if that data is wrong. It particularly becomes a problem with new and niche customer segments, like recent immigrants to a country.
Our belief, based on researching this sector and the needs of all stakeholders, is that the gold standard of identity-proofing is taking a government-issued identity document and absolutely proving that the person signing up is the legitimate owner of that document. This is called ‘document-centric identity proofing’.
Older providers of identity-proofing technologies and their approaches to doing this actually have a lot of manual workarounds in the background. In some older solution providers, they take a selfie during their process, but in fact, they send the photograph to an ops center in India, where humans assess it - which is not very secure. Modern advances in AI and ML technology used by new providers are making that process much more seamless, so we can get back to using official identity proofing, rather than just data sharing consortiums.
Graham Seel: One challenge we have to address is the deepening of the digital divide. The need for identity proofing through government issued IDs, which not everybody has, is a new reason for financial exclusion. India has done a fantastic job with their identity solution, against ridiculous odds, where nobody would have thought it possible; but most countries don't have that, so there are many people who are getting further excluded. I would encourage all vendors and government agencies to really be thinking about this.
Another challenge is privacy. I live in California, which is perhaps the most paranoid state in the world when it comes to protecting identity and rights. There are parts of the world where there isn't that kind of paranoia, but it will grow, and California, unfortunately, has quite a lot of influence on the rest of the world. It's essential that we think about those factors.
David Milligan: If government issued IDs haven't been issued, that's a separate problem that needs to be addressed. But where they do exist, we should use them, and I would argue the biometric as well, to allow us to prove our identity in the best possible way. Biometrics are not the problem. It's having the lay of the ‘rules of the road’ of how data should be stored.
In the same way that we had signature cards stored by a bank, we should be able to have our biometrics stored with our bank safely, securely, and used when needed. And when we stop being a customer of the bank, we should have the right to have that biometric destroyed. If we had had those rules laid down, there would be less concern around how sensitive information is used down the line.