‘We can’t pawn it off on other companies’: Equifax has changed the industry’s approach to digital identity

Last week, 143 million Americans’ most personal information was compromised when data systems at Equifax, the major credit reporting bureau, were breached.

This isn’t the first large scale breach U.S. consumers have ever witnessed. Last year Yahoo, Verizon among others suffered data hacks. The year before it was Ashley Madison and Experian. But in the last two years, customers’ lives have become digital — and more and more companies are starting to view personal data as toxic assets instead of valuable ones.

The financial services industry often talks about trusted financial institutions as good potential custodians of data and providers of digital identity. But if Equifax-gate teaches us nothing else — people mostly know that their data is in the wild and being used in ways they don’t know or control — it’s that customers have to start taking control.

We asked attendees at the NYPAY/Consult Hyperion Unconference in New York Monday what the impact of the breach will be on the digital identity space.

Ghela Bosckovich, founder, FemTech Leaders 
When we look at the components of identity it’s much, much more than just a credit rating. This seems to be a less than well thought out solution to have a single provider do that. There needs to be cross-government, cross financial institutions, cross commerce validation of identity because we operate in all of those aspects. A holistic identity provider is not going to be just a credit rating it’ll be something that takes in my government validated identity, my movement, transactions, travel, digital footprint, spend, opinions, biometrics — these are all minimal inputs to identity. If you can’t solve for privacy, identity management is a moot subject.

Donnie Price, practice leader, Edge Consultancy
It’s going to make consumers and financial institutions question having single depositories for risk assessment and identity uses such as Know Your Customer. These are the companies that financial institutions rely on for this information yet being hacked has propounded the problem they’re supposed to be solving. In three to six months you’ll start seeing results of what just happened. I think people are going to seriously think about alternative sources for data — they haven’t jumped into that conversation yet — in the next eight to 12 months.

Digital payments consultant, EY
It reinforces everyone’s belief that all their information is already out there. It makes us think more about how we should be using authentication separate in ways that safeguard financial heatlh. We’re all shocked by Equifax because now it’s on us to safeguard everything when we were assuming the banks and credit bureaus were taking care of it. The Equifax hack brings into focus the fact that consumers have to take responsibility — we can’t pawn it off on these companies. This doesn’t solve the problem but it creates awareness that there are consequences.

Jane Barratt, CEO, Goldbean, an investing startup 
It should change how we think about identity and hopefully it will for the long term. In the short term it’s very disheartening that a private company without any consent has so much data on us and has the power to make or break us financially. And it all come down to your data. I hope this is an inflection point where people will both own and get value out of their own data. We have multiple generations of people who have given up their privacy for a digital experience — like Facebook or Google — we do it willingly because we get value from it. Something from Equifax is an enforced relationship, we’re not actually getting value out of it. People tolerated it before but this should call into question its very being. That data exists elsewhere.

Brandon DeWitt, CEO, Datavore
It doesn’t change the need for a better aproach to digital fingerprinting and identity verification but it remains an often paper-and-pencil business with a lot of legacy systems. This [event] is maybe the straw that broke the camel’s back and make it more top of mind for the industry to give it more of the focus that it deserves. Hopefully the pace of progress increases, but I’m 30 and when I was born I was still given a paper social security card. It takes a really long time to change legacy systems. I don’t think it will change in the near term but you’ll see a lot more companies cropping up and focusing on this, particularly from a cybersecurity standpoint.

Why Equifax is getting into digital identity

Equifax and FIS are the latest companies to put themselves forward as providers of people’s digital identities.

In doing so, Equifax is positioning itself to be “more than just a credit bureau,” according to a spokeswoman, and instead, a data and analytics company in the broader sense — and at a time when the U.S. Consumer Financial Protection Bureau is weighing the benefits and risks of using alternative data (rent payments and mobile phone bills) to evaluate individuals’ creditworthiness.

Equifax would not comment outright on its plans to use alternative data.

“The data that we as users have — the credit data, the transaction data you give to your bank — will always be the core of OnlyID,” said Kenneth Allen, svp of identity and fraud. “On top of that, we’re so data hungry to make sure we’re putting good data to use, so we’re looking at different options of data — including alternative data, because those are part of our business globally today.”

Equifax and FIS have spent the last 18 months co-creating a password-less, biometrically-enabled digital identity solution, called OnlyID, for individuals meant to reduce fraud, improve customer experiences and thereby increase consumer loyalty. The 12,000 banks and 30,000 retailers in their combined network need to opt in to the OnlyID Network but as of now those agreements aren’t in place yet, according to Allen.

Once they opt in, customers will be able to verify that they are who they say they are by using their biometric registered with their OnlyID identity, and it will be the only identifier they need across all the organizations in that network.

Today customers engage with businesses more digitally than they did just two or three years ago. As a result, the disconnect between how they identify themselves online to how their transactions are traced back to their physical lives has become more pronounced and lowered the bar for fraudulent activity.

Traditionally, an identity is created using addresses, names, Social Security numbers — things that are more associated with the physical world. Combining that information around virtual presence, online usage and how people interact with commerce and financial institutions are what will build an accurate digital footprint, said Kim Sutherland, senior director of fraud and identity management at LexisNexis Risk Solutions.

“We’re all striving to build out an ecosystem that has the least amount of friction for consumers and the strongest assurance for organizations trusting these identities,” Sutherland said. “The actual vehicle for asserting identity — whether with a biometric or common credential — will change, but the goal is to have one that is interoperable and secure.”

OnlyID is similar to other identity efforts, like the solution Canadian banks are developing, Capital One’s digital identity API or even the centralized database of identities in India’s Aadhaar initiative — only the identity providers in those cases are the banks and the government. There are almost 200 startups tackling this problem too.

With so many solutions in the market now, how the digital identity ecosystem looks in 10 years is unclear, but it may come down to consumers deciding which entities they trust most with their data.

“We haven’t figured out what’s going to have the most adoption and comfort,” Sutherland said, citing potential solutions by different banks, mobile phone companies, the U.S. Post Office and state motor vehicle departments. “The role of who is providing identity is going to be the organization the consumer feels comfortable with handling their information.”

Inside Aadhaar, India’s massive digital identity program

Digital identity has become a hot topic in the last couple years among U.S. and European banks, who are already watching China leapfrog them in mobile payments. Now, add India to that list, with a digital identity scheme that will allow people to pay using just their biometric.

In 2008, India set up the Unique Identification Authority of India (UIDAI) to create what’s become known as the Aadhaar number for the country’s then 1.21 billion residents (now 1.32 billion). The point was to create a single, unique identification document or number that would link all people’s lives together across their accounts at various businesses. Now, it’s also the basis for banks’ regulatory reporting of customer information and a way for disadvantaged people to access services they’ve been denied because they lacked identification documents.

Aadhaar is hardly the gold standard of digital identity systems but identity experts often refer to it as an example of how an government-mandated scheme could work at scale. In the U.S. and Europe, customers give their personal information away freely to every company it does business with because that’s often the only way to consume a good or service in the digital world. It’s not always clear how that information’s being used or by whom. In India, customers only have to share it once: when they register for their Aadhaar number.

Here’s what you need to know about how Aadhaar works.

How does it work?
Indian residents can apply for an Aadhaar number by submitting their proof of identity, proof of address and registering their biometric (fingerprints and iris scan) information. The Aadhaar number (there’s also a card) doesn’t replace other forms of ID like passports or driver’s licenses, but it can be used in place of them when opening accounts at banks or other businesses that maintain customer profiles.

For example, money transfer giant Western Union has biometric capabilities turned on in India, so when someone wants to initiate a money transfer through Western Union, they can identify and verify themselves using their biometric fingerprint, without showing any paper or plastic documents. And in mid-2014 Indian Prime Minister Narendra Modi instructed banks to provide bank accounts to those who previously didn’t have them, using their newly minted Aadhaar numbers. In 2015, the country’s unbanked population was 233 million — half the number it was in 2011, at 557 million. The Aadhaar system wasn’t just beneficial to everyday people who didn’t have formal financial services, banks made new customers of hundreds of millions of people.

Why does it matter for payments?
China may be ahead in mobile payments, but Aadhaar Pay may usher in a post-mobile payments world, where people don’t need to carry their phones or wallets in order to make payments. They would only need their registered biometric linked to their Aadhaar number.

The Indian government this year mandated that all banks, ATM operations and authorized card payment networks migrate to Aadhaar-based biometric authentication for every transaction to improve security and prevent fraud as India continues its shift to becoming a completely cashless society. Fraud is an increasing concern for all parties of a financial transaction as the digital overhaul has raised the bar for bad actors.

Why does it matter for banks?
When the world became more digital, moving money became less about moving dollars and cents and more about moving customers’ data — and how companies manage, protect and otherwise use that data directly affect customer experience and customer trust. People are spending more time online or on mobile whether they’re on social media, they’re shopping, or even paying their bills and transferring money and as services crop up they’re opening more and more accounts with headache inducing passwords. And with such an overflow of customer information floating around the Internet, every trace of it is vulnerable to online attackers.

“Proving and vetting that you are who you say you are so you can access whatever you want to access online becomes more and more complex because your digital footprint does not have a bridge with your physical footprint,” said venture capital investor Pascal Bouvier.

Banks also have KYC requirements to comply with. Similar to the Canadian banks’ digital identity solution — in which customers wanting to open an account with a certain business would hand over their information through a mobile app in which they would biometrical authenticate that they’re sharing their personal information — Indian customers wanting to open accounts can provide their Aadhaar number as proof of identity and the business can use that information as needed. By contrast, when opening an account in the U.S., customers usually have to fill out some paperwork each time they sign up to use a different service because customer data is a business’s most important asset. And they don’t share that information with their competitors.

“Because banks are under such strong regulatory pressure, they need to vet everyone more and more to more to avoid the impact of bad actors in the system,” he said. “It becomes very complicated and it’s expensive so they take a prudent and conservative approach — which means if you’re an individual or a small business there’s a greater chance you’ll be declined or it’ll take you forever to open an account or continue a service.”

What are its flaws?
It’s not clear how much privacy its users get. That’s a huge part of why Western countries haven’t come together on a single digital identity solution: People are still debating various philosophies around identity — what it is, who should control it, how to let customers retain ownership of their identity while still monetizing it.

“There’s a lot to like about the Aadhaar approach in as much as there is simplicity in centralizing something and having all kinds of services that piggy back on that tech stack,” Bouvier said. “There are also things one has to be careful of.”

The point of the Aadhar system is to have a centralized database and one technology stack enforced on the entire country — that means one centralized point of failure. It’s not clear whether or not Aadhar is unhackable or, at the scale of 1.3 billion people, how it assures the anti-money laundering/KYC data it registers to create an identity in the system is accurate.

“If you want to suspend disbelief and say it can be solved then it is powerful,” Bouvier said. “But if you don’t then you have to be careful what you wish for. A government that all of a sudden has digital identity on everyone but also a central repository that could be breached would be a catastrophe.”

What it will take to make digital identity real

The biggest problem with digital identity is that it’s just a pain in the ass.

As banks, governments and e-commerce giants try to solve the issue of customers having account overload and password amnesia, the problem becomes that security is just inconvenient: there are so many required security specs for passwords and so many different passwords to remember, it’s just easier to create an easy-to-remember password and use it for everything — and at the end of the day, if an account is hacked, the bank can just return the money. No big deal.

Passwords are how customers identify themselves for every service they use. They know the system is hackable but still entrust companies their data, even if they don’t actually trust them. Fixing the system means there has to be a single identifying entity that people trust, that has an established history of collecting and holding personal information. Banks are the best positioned to do so, but trust has to be part of the process of designing identity verification services and it should be clear who owns customer data and what happens to it.

“The use of digital identity will exceed the use of physical identity when more digital identity solutions emerge in the market — that’s what’s lacking today,” said Matthew Thompson, director of digital business development at Capital One, which launched a digital identity application programming interface (API) this week that lets websites and apps authenticate the identity of their customers against the identity information stored by their banks.

“We have to design for trust in the solutions: trust with the relying party or business partner that they can trust the assertion we’re making, and trust with the consumer that they want to use or share the information in this ecosystem. When those things come together you’ll see digital identity exceed the use of physical identity.”

Who has my data?
Collecting customer data is in the interest of the customer, banks (or any company, really) will tell you. By doing so, banks say, they can improve their products and services. Knowing more about customers — their preferences, routines, where they save and when they splurge — helps them personalize their offerings and deepen connections with customers, which makes them feel even more comfortable granting the banks even more of their data.

Right now, it’s not clear who owns customer data, whether it’s banks and our payment information or Facebook and the details we put on social media. Banks are held to higher standards of privacy and security; that’s part of what makes them so well positioned to take the lead on providing digital identity services.

“We don’t know who really owns our data but I bet you the large banks absolutely don’t want that” to be made explicit, said Pascal Bouvier, a venture partner with Santander InnoVentures, the Spanish bank’s fintech venture capital arm. “There [would] be clear liabilities as well as clear asset and cash flow streams that people either have access to — or don’t. In order for us to fully actualize federated digital identities built off data streams we create directly or indirectly, we need to have some type of clarity on that ownership.”

The ownership question is also more important now than ever, as startups and technology providers look to increase their data-sharing agreements with banks. Intuit has landed agreements with JPMorgan Chase and Wells Fargo; Finicity just signed one with Wells; Xero established similar deals with Wells, Silicon Valley Bank and most recently, Capital One. These initiatives also give banks safer ways to move data and help give customers control over how their data is used — the holy grail of digital identity — by using application programming interfaces instead of the more commonly used screen scraping method, in which customers log into the third party site or app with their bank credentials and that company “scrapes” the information to log in as the customer to retrieve account data as necessary.

Convenience over safety
The widely agreed upon solution is data minimization: That an organization will collect only the data it needs, using it only what it agreed to use it for and getting rid of it when the purpose is achieved. A bartender doesn’t know customers’ ages to serve them, she just needs to know it’s greater than or equal to a certain age.

One way is to let the customers opt in to having their data shared. The Canadian banks have a solution to this. Or put a disclaimer on the bank website that spells out how the data is going to be used. But that’s slightly inconvenient. And even when customers are cynical toward banks, they seem to be trusted enough to continue serving them.

“Consumers will always choose the path of least resistance, and if you rely on your consumers to be interested in their best interest when it comes to security, that’s probably not going to happen,” said Ryan Fox, director of consumer identity at Capital One. “We’re always two-step or multi-factor authenticating our customers. It’s always dynamic, always risk-based, aways multilayered.”

In 2015, Capital One launched SwiftID, which removes the friction of passwords by letting people authenticate biometrically from their phones when signing in from an unknown device. By designing security right in the banking experience, Fox says, the bank can send the customer a push notification they can respond to in a second instead of requiring them to read a lengthy security statement, Fox said.

The important thing for banks to remember when building on their security is that people don’t think about it in terms of what’s most secure; they think about what’s easiest, he said.

“That’s why touch ID had such an adoption rate,” Fox said. “We went away from knowledge-based login to something I can just touch. It was adopted not because it was a pattern they understood but because it took half the time. Is it easier? Yes. Do I have a cognitive load associated with doing this? No? Then I’ll do it.”

Do we need blockchains to build digital identities?

As banks plan their future in identity, either as providers of identity services for security or as authoritative identifiers of customers across industries, they could start to partner with startups working on blockchain based solutions to the fragmented system.

Blockchains and shared ledgers let different companies, organizations or other entities rely on the same source of customer data and other personal information — one that’s secure, auditable and looks the same to each party.

Of the many startups looking to tackle digital identity, at least a dozen are focused on using blockchain technology to find solutions, including Blockstack Labs, Trunomi, uPort and Hypr.

We asked attendees at the K(no)w Identity conference in Washington, D.C. to share their views about blockchain technology’s role in the growing digital identity space, and how heavily solutions rely on it.

David Birch, director of innovation, Consult Hyperion
“The characteristics of shared ledgers are actually to do with transparency. If we take blockchain technology and try to shoehorn it into pretending it can run credit cards and stuff like that, it isn’t quicker, it isn’t cheaper, it isn’t better in any way. If you take its characteristics and say ‘what can we do differently because of this,’ the thing that stands out to me is transparency. The blockchain as it is now, its heritage is payments because of bitcoin but in reality its future is in a whole bunch of other things and i think one of the biggest pain points is identity. Banks would tell you the costs that are unmanageable are the costs of Know Your Customer, anti-money laundering and counter terrorism finance. Blockchain isn’t fintech, it’s regtech.”

Laura Spiekerman, cofounder, Alloy
“From a data sharing perspective there’s a role blockchains can play. What I hope happens is that blockchain solutions will become one data point and that over time, whoever is using them is able to prove that it’s effective, which in the long run is meaningful to regulators and financial institutions. It’ll take a while. There are interesting initiatives to create, effectively, databases of people, but I don’t think in the next five to 10 years financial services, banks, regulators, auditors will rely on that at all. In order to be part of the regulated financial system you have to use an existing trusted database, which means it’s not going to be blockchain oriented. It’s going to be LexisNexis, it’s going to be the credit bureaus, the old, boring databases we already know. They’re not totally effective but the regulators know them and that means that everyone that’s on the chain has to use them.”

Matt Thompson, director of digital business development, Capital One
“This is just a platform to get us from where we organize to the objective. Blockchain is just another technical platform that enables us to do more things in different ways but at the end of the day it’s just a platform. It has beneficial application to identity management principles around security and privacy, but it certainly isn’t required. And it certainly owns be the only platform that’s used to enable these trusted services. We’re certainly taking a close look at how companies are looking are using blockchain to enable privacy and security respecting identity management principles and seeing where there might be applications within Capital One.”

Andrea Tinianow, division director, Global Delaware
“You need distributed ledger technology to solve the identity problem because you want to be able to maintain information about each individual person without breaching their privacy and you need to make sure it’s secure and cannot be changed. DLT you get the best of both worlds. If you don’t have DLT that means all the information is in the central depository — which can be attacked, which can be changed. It means you have to change the central body and I don’t think people are willing to do that anymore. If we’re going to give away information — everyone’s most private, personally identifiable information — in one place, it needs to be so secure. For that information to be effective it will need to be shared securely and perhaps with a de-identified identifier.”

Steve Ehrlich, lead analyst for emerging technologies, Spitzberg Partners
“Blockchain technology removes the trust from some central party, and in theory can give it back to the individual so they can utilize their applications, wallets smart contract libraries to dictate the terms under which they’re willing to share information, and they can revoke them if they want to. They don’t have to trust them. If, for example, they say to Google ‘delete my information, I want to give it to somebody else,’ you don’t have to trust they’re going to do that. You can be sure based on code that you have the sole right to do something like that. You don’t have to have blockchain technology. There are a solutions short of it that are improvements of what we have today but requires you to trust that whoever is collecting your data is going to abide by the privacy policies, is keep data secure and not use it for any purposes other than the reason they’re able to collect it from you in the first place.”

Frances Zelazny, vice president, BioCatch
“The chain itself is considered trust, but if the beginning is compromised then the whole chain is compromised. You still need to look at the overall ecosystem to ensure that the entry point is just as secure as the transmission to the end. The Blockchain technology has a place but it should not be considered immune to hacks. If you compromise a blockchain, you’re back to the beginning. It doesn’t take away the need to still add additional layers of security on top of the whole chain or to detect for anomalies in the behavior of who’s accessing the chain.”

Travis Jarae, CEO, One World Identity
“It’s not a technology problem we’re solving for. We have a lot of great technologists and technology but right now were trying to solve a people problem. Blockchain does a good job at giving us an easier way to explain identity and pass it off to other people in a secure, private way but there are other technologies that can do the same thing. It’s a foundational platform. Think of the Internet. Google sits on top of that as a universal or foundational platform and you can create a product or service and plug into it without having to build a whole platform. It’s just naturally easier for customers.”

Kim Sutherland, senior director of fraud and identity management strategy, LexisNexis Risk Solutions
“Blockchain is not gonna be the super solution for all digital identity solutions but there seems to be a lot of interesting pilot projects underway leveraging concepts related to blockchains for things that are more peer-to-peer related. We’ve tried to understand how blockchain and identity and fraud and authentication all can work together; if there is a way to leverage this in a commercial organization and with government agencies. Most scenarios have been for smaller populations, unique use cases that really fit the model.”

Inside Capital One’s digital identity strategy

identity and indian aadhaar

In an ideal digital world, people would have digital identities and own them entirely, without any one organization — your bank, Verizon, state government, Facebook — controlling all aspects of it.

One reason effective identity solutions haven’t taken shape in the past is the space requires a lot of collaboration among different parties; so far, most efforts have been unilateral, said Matthew Thompson, Capital One’s director of digital business development.

Now Capital One is trying to change that, with a digital identity application programming interface (API) that lets websites and apps authenticate the identity of their customers against the identity information stored by their banks. The bank plans to launch out of its beta mode later this year.

For example, instead of a customer providing her name, address and birthdate when registering a Lyft account, she can enter her Capital One account credentials instead and the bank will share her verified identity information instantly and securely.

“We work hard to put our customers in control of their information and enable transparent exchange and access to it,” Thompson said. “We’re seeing regulation in places like Europe that are effectively driving industry towards [self sovereign identity] as a requirement. We want to be ahead of regulation here by doing what’s best for customers.”

Banks already act as stores of trusted information. They have an identity relationship with millions of customers and can provide a lower friction wave for them to prove who they are online. Many solutions in the market today use things that have relatively low success rates and put the friction on the user to prove who they are, like knowledge-based authentication. Answering questions like ‘Which of the following streets did you live on in 2001?’ is harder to answer than it seems for people in urban areas that move a lot.

The recently revealed identity project between IBM, authentication provider SecureKey and Canada’s major banks — Bank of Montreal, CIBC, Royal Bank of Canada, Scotiabank and TD Bank, as well as credit union network Desjardins — is another example of banks collaborating with networks outside themselves to try to fix the problem. They’re creating an app that allows people to verify their personally identifiable information for services like new bank accounts, driver’s licenses or other utilities.

“You don’t want to trust one entity with all aspects of identity, it’s good to have checks and balances in that system,” he said. “And frankly, all the components that are required aren’t core competencies to any one company providing these services. Identity is core to our business.”

In the U.S., BBVA made digital identity the theme for the ninth edition of its Open Talent fintech competition. The finalists, which were announced earlier this month, will have the chance to work with senior leaders across BBVA and make business connections. Also, USAA has invested in and adopted the technology of ID.me, which lets financial institutions remotely verify customer identities. Thompson cofounded ID.me in 2010 and left eight months ago to join Capital One.

“What’s missing in the ecosystem today is the ability to leverage trust you’ve already established with one party and extend that out beyond the one party,” Thompson said, noting he often uses “trust” and “identity” interchangeably. “Trust shouldn’t live in silos. To be effective with identity requires trust by all parties involved.”

What VCs need to know about digital identity startups

The hottest word in financial technology right now is about digital identity.

“Identity is such a core component to being able to deliver financial services,” said Jay Reinemann, a general partner at fintech venture firm Propel Ventures Partners. “It’s the way financial services are priced. It’s a core component of fraud. Even from a governmental perspective, taxation requires identity.”

Here are three big distinctions investors make when analyzing a potential deal in the digital identity space.

Financial inclusion
In the developed world, fixing identity is important for matters of security. In the developing world, it’s a way to bring identity to those that don’t have an economic identity or financial access to those excluded from the formal financial system. Investors’ checklists and how they analyze potential deals will be different in each world.

Also, some jurisdictions don’t have national identity schemes. To some investors it may be easier or more interesting to look at investments in a country that has an identity scheme on the basis that it’ll be easier to create a digital version, but others will prefer to play in the gaps.

PTB Ventures, which invests in early-stage digital identity companies, is backing a company that uses biometric authentication in markets with poor infrastructure for authentication at registration, said managing partner Dave Fields.

“In markets that have really poorly developed infrastructure, creating this basic identity scheme can be really disruptive,” Fields said. However, “if their go to market strategy was based in the U.S. I don’t think people want to be waving their hands in front of cameras every time they need something to eat or are seeking healthcare.”

Reinemann takes a slightly different attitude.

“As long as theres a bad guy they’re always going to find new ways to falsify or to steal an identity to use it for something — whether theres a national identity system in place or not,” he said.

Collaborating with the government 
Despite the many entrepreneurs dedicated to the idea that blockchain technology can solve the fragmented digital identity problem, some VCs say it’s better to invest in a business opportunity build on top of existing technology — blockchain or otherwise — instead of investing in building new technology.

“We invest more in areas where there is a clear business case — trying to find places where to implement solutions,” Reinemann said. “Even in the U.S. … there are very clear requirement of what companies need to gather but a very unclear way of how to do it,” he added, citing banks’ Know Your Customer requirements.

Andi Dervishi, fintech global head of the International Finance Corporation, said it’s interested in companies that mine identity instead of building it.

“As we enter the digital world we leave traces on a day-to-day basis,” he said. “Companies not building identity, but identifying it by reading all these different traces, could be companies we’re interested in because they don’t have this dependence on the government, they look at what’s already there.”

Any early stage business requires some strong collaborating body, Fields said. Fintech startups are partnering with banks — OnDeck Capital and JPMorgan Chase have partnered on small business loans, for example. Digital identity startups are too. When it comes to digital identity, entrepreneurs would be better off thinking of regulators as partners instead of taking an antagonistic approach to them.

Paying for protection
In a perfect world, consumers would get the money from the deals that allow companies to monetizing our data, said Andre Boysen, chief identity officer of SecureKey. Amazon pays about a 2 percent for taking customer credit card information to make a transaction. That pile of fees over the course of a year would average about $50 if Amazon put that burden on the customer. Most customers wouldn’t pay that.

That’s one reason business-to-business companies make for easier investments, for the time being, than business-to-consumer companies: Customers aren’t willing to pay for their protection. There’s a knowledge gap, however. Customers generally understand that their data is being used for reasons beyond identifying them and being sold to third parties to use in some way. Most allow it so they can easily interact with the services they like.

“Actions can be driven by who is more directly bearing the cost of these things,” Fields said. “At a consumer individual level we suspect there are privacy violations but it’s hard to attribute the cost of it. A lot of times the violations are being born of the businesses… but potentially privacy of an individual will be more solved by people who are directly bearing the costs.”

Canadian banks are building a digital identity tool

Several major Canadian banks are building a solution to the digital identity dilemma: Legally accepted physical IDs and passports supposedly show that we are who we say we are in the physical world, but don’t do the same in the digital world.

Bank of Montreal, CIBC, Royal Bank of Canada, Scotiabank, TD Bank and credit union network Desjardins are working with SecureKey, an authentication provider in which they collectively invested $27 million in October, and Hyperledger’s blockchain fabric, built with IBM, to create a way for consumers to verify their personally identifiable information for services like new bank accounts, driver’s licenses or other utilities.

When signing up for a new service or utility, customers will receive an alert through a mobile app they’ll soon be able to download. The alert will notify them that the utility provider — a cell phone network, for example — needs to verify certain information like the customer’s name, address, date of birth and social security number and will access it through their bank. The customer would approve by biometrical authenticating on his or her phone and the bank would transfer that data to allow the customer to open the account.

“What’s different about this is it’s very, very private,” said Chuck Hounsell, a senior vice president in payments at TD Bank . “We’re leveraging banks’ trusted relationship and authentication process. It’s not just the bank providing credentials, it’s enabling a system where credentials that can help you get things done in your life are going to be enabled for the benefit of the customer and just speed up commerce in general.”

IBM announced the project Monday, saying it is still in test phase and will become available later in 2017.

Digital identity poses a big problem because what the government and highly regulated financial institutions like banks can legally accept as identification isn’t really in keeping with how people actually identify or what their digital footprints say about them – billing addresses may not match an old address on a government issued ID card, someone’s current salary and spending patterns may clash with his or her credit score. Identity is different every person, and every digital interaction becomes a data point that says more about who someone is than a piece of paper with a headshot.

In financial services, however, there are Know Your Customer and anti money laundering rules that dictate what a bank can accept as identification.

“Financial transactions are not permitted to have multiple identities — that’s normally seen as fraud,” said Steven Murdoch, innovation security architect at data security company VASCO. “In other modes of life other identities are perfectly applicable, that’s why LinkedIn and Facebook exist: people have a work identity and a personal identity.”

The self-identifying process would always be free to the consumer, said SecureKey CEO Greg Wolfond. Each of the organizations on the network has a number of different data sharing contracts with various companies, and none would ever request more of the customer than what they need – if you’re trying to rent an apartment, for example, you should only have to authorize your name, address, credit score and background check.

“We’re creating a frictionless, you-are-you experience that also doesn’t let the parties where the data resides know where you’re sharing it,” Wolfond said. “You can prove who you are to a clinic but not let the provider of the data know who you are.”