Canadian banks are building a digital identity tool

Several major Canadian banks are building a solution to the digital identity dilemma: Legally accepted physical IDs and passports supposedly show that we are who we say we are in the physical world, but don’t do the same in the digital world.

Bank of Montreal, CIBC, Royal Bank of Canada, Scotiabank, TD Bank and credit union network Desjardins are working with SecureKey, an authentication provider in which they collectively invested $27 million in October, and Hyperledger’s blockchain fabric, built with IBM, to create a way for consumers to verify their personally identifiable information for services like new bank accounts, driver’s licenses or other utilities.

When signing up for a new service or utility, customers will receive an alert through a mobile app they’ll soon be able to download. The alert will notify them that the utility provider — a cell phone network, for example — needs to verify certain information like the customer’s name, address, date of birth and social security number and will access it through their bank. The customer would approve by biometrical authenticating on his or her phone and the bank would transfer that data to allow the customer to open the account.

“What’s different about this is it’s very, very private,” said Chuck Hounsell, a senior vice president in payments at TD Bank . “We’re leveraging banks’ trusted relationship and authentication process. It’s not just the bank providing credentials, it’s enabling a system where credentials that can help you get things done in your life are going to be enabled for the benefit of the customer and just speed up commerce in general.”

IBM announced the project Monday, saying it is still in test phase and will become available later in 2017.

Digital identity poses a big problem because what the government and highly regulated financial institutions like banks can legally accept as identification isn’t really in keeping with how people actually identify or what their digital footprints say about them – billing addresses may not match an old address on a government issued ID card, someone’s current salary and spending patterns may clash with his or her credit score. Identity is different every person, and every digital interaction becomes a data point that says more about who someone is than a piece of paper with a headshot.

In financial services, however, there are Know Your Customer and anti money laundering rules that dictate what a bank can accept as identification.

“Financial transactions are not permitted to have multiple identities — that’s normally seen as fraud,” said Steven Murdoch, innovation security architect at data security company VASCO. “In other modes of life other identities are perfectly applicable, that’s why LinkedIn and Facebook exist: people have a work identity and a personal identity.”

The self-identifying process would always be free to the consumer, said SecureKey CEO Greg Wolfond. Each of the organizations on the network has a number of different data sharing contracts with various companies, and none would ever request more of the customer than what they need – if you’re trying to rent an apartment, for example, you should only have to authorize your name, address, credit score and background check.

“We’re creating a frictionless, you-are-you experience that also doesn’t let the parties where the data resides know where you’re sharing it,” Wolfond said. “You can prove who you are to a clinic but not let the provider of the data know who you are.”