We have already dealt with digital identity in a previous article on the Risk & Compliance platform (https://www.riskcompliance.it/news/adeguata-verifica-nel-mondo-delle-identita-digitali/), introducing the topic and its connections with due diligence for anti-money laundering purposes. With this new contribution, also available in Italian (https://www.riskcompliance.it/news/una-rassegna-degli-esperimenti-di-identita-digitali-nella-finanza/), we have decided to review use cases from different countries, including non-European countries, with the aim of describing what is happening and what results the experiments have achieved so far. We are convinced that the sharing of experiences is fundamental in a phase that still presents margins of uncertainty and a tumultuous underlying technological development. We have devoted attention to the world of Self-Sovereign Identity, which we believe is more promising and at the same time less known, summarising initiatives underway in the United Kingdom, the United States and Colombia. As for the national sphere, we present research projects with distinct approaches to innovation, trying to quickly assess the pros and cons of each.
In the UK
In introducing the main elements of innovation in the UK’s digital environment, it is impossible not to mention Smart Credentials [Smart Credentials – PwC UK] which, by offering its users a secure, fast and efficient service, earned a bronze medal at the Reimagine Education Awards in London in 2019. It is a platform that, on the one hand, allows participating professionals to easily share their credentials in real time and, on the other, gives users more control over their personal data. Smart Credentials has been successfully tested in the UK in a number of areas, including education, aviation, healthcare and, most notably, financial services. With the outbreak of the Covid-19 pandemic, all of these areas have become particularly relevant. Smart Credentials works very simply: the platform issues verifiable credentials, i.e. digital certificates protected by encryption, to the user, who can share them with other institutions or revoke them at any time. The institution with which the user decides to share their data receives them, ascertains their authenticity and allows the user to access the desired service.
In the US
On the US digital scene, in the financial sphere, MemberPass [https://www.memberpass.com/creditunions/] stands out, a platform whose functioning is reminiscent of the aforementioned Smart Credentials. The mechanism is governed by a triangular trust relationship: an institution issues a MemberPass to a user, who stores it in an e-wallet and shares it with third parties who, in turn, verify the authenticity of the data provided by the user. It is a platform characterised by a high level of security and efficiency: not only is it fully compliant with user privacy regulations, but it is also easy to implement, being based on encryption and biometrics. The combination of these strengths makes MemberPass an effective tool in minimising the risk of fraud. Among the most important credit institutions contributing to the platform is Desert Financial Credit Union, with a turnover in excess of $6 billion.
As reported in the September 2021 WEF report [https://www3.weforum.org/docs/WEF_Guide_Digital_Identity_Ecosystems_2021.pdf], digitisation is also a national priority in Colombia. In particular, attention was paid to the analysis of SoyYo, a company founded by the three most important banks in Colombia, namely Bancolombia, Banco de Bogotá and Davivienda. SoyYo has proved to be a very helpful tool for some companies, as it has contributed to the overall improvement of onboarding procedures. In addition, it has customer identification mechanisms that minimise the risk of fraud. It is an ecosystem for managing the relationship between users, verifying entities, digital identity issuers and trust providers, i.e. companies that have a close relationship with their customers through their KYC process. Also important for the efficiency of this ecosystem are the issuers, including the authorities that provide data for KYC for anti-money laundering procedures.
In the Nordic countries
In the digital and financial landscape of the Nordic countries, the founding of Invidem in 2019 by the six major Scandinavian banks (Danske Bank, DNB, Handelsbanken, Nordea, SEB and Swedbank) stands out as a new element. Before being officially launched on the market in 2021, Invidem started offering its services in 2020 to medium to large enterprises in the Nordic market. Its purpose is to retrieve and manage KYC information. What is special about this platform is that Invidem’s services and related KYC information will also be made available to other banks and to companies outside the banking sector that are equally interested in anti-money laundering regulations, including insurance companies.
While in Italy
In mid-December last year, at an event organised by the Politecnico di Milano, an initiative of the Politecnico Observatories, Fabrick, PwC and Bonelli Erede was presented. The aim of the project is to use SPID (Italian Digital Identity) and the information provided by Fabrick through PSD2 to simplify the onboarding of customers of banks wishing to join. In Germany, Yes.com already provides a similar service. A relevant success story is BankID, developed by a consortium that started operating in the early 2000s in Scandinavian countries: an Open Banking-enabled service that creates a personal electronic identity that can be used to sign documents online and to ensure secure digital user identification.
Reliance on SPID is, in my opinion, a short-sighted choice, even though it is supported by the growing diffusion of the technology. At the time of writing, SPID has in fact been adopted by 27,500,000 Italian citizens [cfr. Stato di avanzamento Trasformazione Digitale | Avanzamento Digitale AgID (italia.it)]. In order to be competitive, a lower cost per check is required compared to the current one, but, as already argued in the article cited in the introduction, the approach of the European Digital Identity Wallet, more powerful, secure and decentralised, built according to a logic of privacy by design, seems sufficient to impose some opportunity-cost considerations.
Another interesting project, developed within Cetif, the research centre on technology in the financial sphere at the Cattolica University of Milan, is O-KYC, an initiative of Cherry Chain, Intesa IBM and Chiomenti. It is a blockchain-based infrastructure that allows banking intermediaries, telcos and multi-utilities to share information about their customers: if the customer Andrea D. wants to open a second account at Banca Beta, O-KYC will retrieve his personal data held at Banca Alfa and send them to Beta after receiving Andrea D.’s authorisation to transmit them. The project was launched in June 2020 and ended its testing in March 2021, with the aim of resuming activities this year in order to industrialise it.
Despite several promising aspects, we see some implementation difficulties due to the security of customer data that should be constantly online and accessible, likely leading intermediaries to mirror datasets and invest in a redundant network. Currently, the failure of an O-KYC actor to connect does not allow the recovery of its customers’ data, not unlike the failure of an identity provider for SPID.
In addition, integration issues may arise: how to manage the variety of customer relationship management (CRM) software across different intermediaries? How to manage the transition to new CRMs? According to the creators of O-KYC, with whom the authors were able to exchange views, the solution consists of mapping the fields to be populated and the documents required in the onboarding processes, and using that mapping to feed a metadata service of the identity attributes available to each operator.
In the midst of game theory
So far, experiments with centralised KYC utilities have largely failed; they have been successful in countries whose market is characterised by a few large players. What are the problems?
1. The larger the number of players, the longer the decision time.
2. Heterogeneous actors have different needs.
3. Managing innovation risks becomes more complicated.
If the negotiating table wants to include the most important players from the outset, purely organisational time is needed to schedule meetings, to wait for the various internal authorisation paths (Board of Directors, AML manager, etc.), to analyse in detail the contractual documentation that regulates the provision of services – anything but simple, since the regulatory framework of a KYC utility is currently unclear.
Heterogeneity can also be a problem. A big bank has different spending constraints compared to a niche intermediary: customer verification for a retail bank, for customers who have a few thousand euros in a current account, does not have the same value as verification carried out on large assets for a wealth manager. You are dealing with different kinds of risks and the reputational impact is not the same.
Point 3 is very problematic. A small bank may not have the resources to change its choices if they prove ineffective.
A large bank would have the opposite problem, of having to convince a large number of its customers to change their behaviour to adapt to a new system, with the risk of taking months to transition between the two systems and paying the maintenance costs of both.
In any case, incumbents will be competing with fintechs and challenger banks, which have an advantage in integrating new technological solutions thanks to the increasingly popular API-based, modular “banking as a service” philosophy.
This is why we believe that the right approach should be as interdisciplinary and collaborative as possible: IT, risk, AML and business managers must agree to adopt solutions that are convenient, secure and easy to integrate. It is better if they are technologically advanced, so as not to risk having to replace them quickly.