Anil John
Making Digital Services Secure and Trustworthy

Anil John

Why are U.S. Financial Institutions Not at the Identity Table?

 Tweet  Share  Share  Comment  Print  Email

Given that identity is the starting point for delivering high value public services, benefits and entitlements, I've written about my belief that the U.S. Financial Sector is well positioned to be the natural source of high assurance credentials. This blog post lays out my understanding of why this is important, and my admittedly incomplete thoughts on what needs to be addressed to get the Financial Institutions (FIs) to the table.

The typical conversations on this topic tends to revolve around Credential Service Providers (CSPs) and Relying Parties (RPs). But that focus is minimizing the most important stakeholder; the individual who needs to be convinced to use the service.

When you put the individual first, the clear lesson to be learned is that changing existing behavior is hard and aligning User Experience (UX) with customer expectations, while providing fit for purpose security and privacy, is critical to success. So my focus on FIs is as much about leveraging their existing relationship with an individual, as it is about their identity verification and validation capabilities.

Moving on, my sense of why the U.S. FIs are not currently in the game comes down their:

  1. Regulatory Concerns;
  2. Liability Concerns and;
  3. Need for a Viable Business Model.

Regulatory Concerns

This will require finding the right people who are not suffering from a lack of imagination. Not easy, but doable.

Liability Concerns

I remember having a conversation with a lawyer who spends a lot of time in the world of contract law. A comment that struck me was (I am paraphrasing) “There are two types of lawyers; those who are trial lawyers and those who are not. Trial lawyers understand that liability is real, is not unbounded, is not to be feared, and can be dealt with. Those who are not, look for all the ways things could go wrong, and never move beyond increasingly improbable what-if scenarios.”

A bit brutal perhaps, but my sense is that this is an addressable concern if we can ask the right questions, and get the right expertise to bear on answering them. There are also working examples of how this has been addressed in other jurisdictions that can inform us.

Need for a Viable Business Model

This is the piece that I find extremely fascinating because I believe it to be the most important. Being a non-FI person and not all that knowledgeable about that world, I am going back to first principles that if there is a problem someone is seeking to solve, and you can help with that, there is a conversation to be had about the value that can be exchanged.

So, I looked at the Financial Services Sector Coordinating Council's (FSSCC) Research Agenda for the Banking and Finance Sector (PDF) to understand the problems as they see it. And I came across this:

Issue: Our current Identity assurance processes strength is eroding at a number of levels. It is becoming increasingly difficult to correctly and uniquely identify a new customer at enrollment/on-boarding with the level of assurance commensurate with the risk
[...]
Research Area: Establishing confidence in identities of persons, corporations and other entities, at the time of userid creation or service enrollment, including collection of information which will assist in strong identity verification in future interactions, and in the re-establishment of lost or stolen credentials

FSSCC: Research Agenda for the Banking and Finance Sector

I have some ideas around how to help with this that are still in the early stages. I am looking forward to having some good discussions to get feedback from smart people in both the public and the private sector.

RELATED INFO


Did you find this interesting? Don't miss any new posts. Sign up to automatically receive them now!

I will never share, rent, or sell your information to anyone. Cancel anytime.

This blog post first appeared on Anil John | Blog (https://blog.aniljohn.com). The opinions expressed here are my own and do not represent my employer’s view in any way.

Topic(s):
By on |

Continue The Conversation ...

I would love to know your thoughts on this blog post. Please leave a comment below!

I am a digital security coach. I help technical leaders make digital services secure and trustworthy. Learn more »

Free Updates

I will never share, rent, or sell your information to anyone