Pages Navigation Menu

An innovative resource for the UK Financial Services sector

Personal Data Management and Identity Assurance in Banks

Personal Data Management and Identity Assurance in Banks

The rise of personal data stores (PDS) and identity assurance technologies (see white paper from Mydex) present some interesting opportunities to banks. This article firstly provides an overview of the regulatory and other contextual drivers for these technologies, before considering how they might apply specifically to banks and what benefits they may bring.

Contents:

 

Background/Context

New opportunities are being created to add value to people by combining the various data gathered about them such as their location, their internet surfing behaviour, their shopping habits, etc. Currently, often for good reasons, the different types of data are kept separate.  This may be about to change.

From a regulatory perspective, there are three key drivers towards consumer control of customer data and the ability to provide a trusted digital identity:

The Consumer Empowerment Strategy (Midata (2011)) at a UK level and the General Data Protection Act (2012) at a European level are concerned with the sharing of data and both are broadly trying to do same thing, that is encourage companies to become less of a data hoarder and more of a data sharer with the consumers who generate the data.  They will have to make the data they hold about individuals available to those individuals in an electronic, machine readable and portable format.  This happens today, to a degree, via subject matter requests for example, but the plan is to go further with consumers being given more right and access to their data and more control over how it is shared and processed.

In parallel to this, the government in the UK has launched a new initiative called Open Identity Exchange.  This is concerned with identity provision and assurance. It seeks to simplify how the government interacts digitally with citizens by assigning a unique digital identity to each citizen so they can identify themselves to the government once and gain access to all the government’s services.

If those are some of the ‘push’ drivers towards better personal data management and identity assurance, there are several important ‘pull’ factors worth mentioning.

On the one hand, consumers would like to do more online in a convenient and secure way.  The average consumer will have a plethora of login details and passwords, often exhibiting risky behaviour like writing these details down or having the same easy-to-remember login details for everything.  This makes them vulnerable to identity-related crimes which in turn makes them anxious about giving out their details online and hinders the interaction.  Finally, they would like for it to be easier to share information with the service provider when it suits them (i.e. not having to fill complicated webforms).

On the other hand, the service providers would like to make electronic transactions more secure and to reduce costs.  Requiring physical identification and signatures is expensive. These have to be manually scanned and entered into image and workflow, and also physically stored in a shelf somewhere.  This is costly. The service providers would also like to reduce identity theft and fraud. And finally, they would like to make sharing information with the individual easier.

Technology

Certain technological enablers are making some of these aspirations increasingly plausible.  With the rise of mobile technology, people are more minded (and enabled) to do things electronically. At the same time, the cost of storing large amounts of data as an individual are plummeting. These trends are creating new opportunities to improve the way we bank, make payments, and share information, especially in the following three ways:

1)   More fine-grained control – Currently service providers are actively prevented from sharing information between each other by controls such as the Data Protection Act.  But the customer, as a point of data aggregation, may choose to make their utility account visible to a bank for the purposes of opening a bank account.

 

PDS

 

In this way customers can choose to share data more dynamically (selective disclosure) to the benefit of individuals and companies.  They can reveal data to an organisation in a bespoke way for individual interactions.  Alternatively, a company could subscribe to certain fields. For example, if I updated my address in my PDS when I moved house, all the organizations subscribed to that field would automatically be updated. Either way, the principle of entering data once and using it multiple times is attractive to a customer.

2)   Easier and safer sharing of large quantities of structured information, which can feed directly into organizations’ systems thereby allowing organisations to come up with much better/more bespoke offers based on richer information.

3)   More compliant and auditable processes.

See Appendix for more detail as to how this happens.

Opportunities in Banks

So what might this look like in a bank and to what end? There are many potential benefits to banks.

On the matter of ID assurance/authentication, having a reliable digital identity holding rich customer information and shared with the bank by the customer could reduce the need for Know Your Customer (KYC) interactions and assist the new product application process, whilst simultaneously reducing the risk of fraud, impersonation, etc.  In the business context, this would also facilitate the identification of significantly more counterparties as required by new policies.

From an Anti-Money Laundering (AML) perspective, the ability to provide verification of potential customers would be a huge benefit. Importantly, this extends to Trustees, Treasurers and Chairmen of charities, clubs and societies which frequently change and are difficult to identify if they do not already bank with that organisation.

Greater automation of regular checks and better intra-Group use of KYC data (accuracy, range/richness, relevance, sharing) would therefore allow banks to better fight financial crime.

More careful customer take-on and advice processes, as well as greater evidence of customer desire/appetite/capacity would also allow banks to improve ethical standards.

Withintensecompetition for deposits,banks would like to offer more digital products as well as more life management applications and more personalised offers. The new technologies make this possible.

On the one hand, banks could broaden their online and telephony offering, improve digital self-service capability, and improve conversion rates as more customers would be able to complete the application process in one channel (i.e. without recourse to go into the branch with physical proofs of ID and address).

Whereas currently to log into the different areas of a bank online a customer needs lots of different login details, with single sign-on it would become possible to simply click on a “Login via PDS” button. What’s more, if the government’s aspiration is to create a de facto single digital identity for all UK citizens, one could use the same details to log into other service providers.  The industry inside banks that exists around the current alternative to this (in the shape of portals development) is expensive and complicated.

Once an applicant has identified themselves to the bank and got as far as the application form for a new account, they could simply select a “Populate via PDS” option and have all the relevant data pulled from their PDS.

By thus simplifying customer take-on banks could also increase lending to UK businesses & home buyers, a goal they are under some pressure to achieve.

By moving to self-service channels (digital, mobile) and enabling self-fulfilment banks could considerably cut the cost to serve and cut costs more generally.

If they were feeling ambitious, banks could go as far as offering clever applications that combined various information that the customer has given them access to in order to create value for the customer.  By pioneering ‘lifestyle planning’ apps, banks could get a step closer to a ‘Market Segment of 1’ strategy and consumer specific marketing.

In order to better understand customer relationships and improve customer retention, banks would like to be able to unify disparate pieces of information about the customer from different parts of the organisation – this is sometimes referred to as Single View of Customer. A PDS not only helps with this by acting as the Single View repository, but also goes further by allowing the bank to outsource Single View of Customer to the customer. This could become particularly powerful as the information the customer opts to share with the bank transcends that particular organisation to include data held by other organisations, effectively expanding the Single View. Then banks could satisfy customers’ multiple financial needs and collaborate with other institutions to cater to their lifestyle plan, resulting in better customer retention.

From the customer’s perspective, the service offered would consider their location, lifestyle and other consumer specific parameters (think clubcard details with intelligent prompting and combining with other data).  It would also increase the scope for savings on commonly utilised products and services.  Customers could even initiate sales themselves by declaring their interest for a particular product/service to the bank.

On the data side, since the customer data is pulled from a single golden source – their own PDS – there would be less room for human error (e.g. wrongly keyed address) and data accuracy and quality would improve. Indeed, data provided by customers via their PDS need not be extensive to bring about benefits for banks. Just having access to a reliable source of name, address and possibly passport number (assuming something like the Open Identity Exchange takes off) would be very useful.

It is not even essential for data to be verified/certified by a 3rd party for it to bring benefits to banks. Unverified data may be no worse than the quality of data today, where the process is for a customer to type it in (probably for the umpteenth time), and for the bank to check it against Experian.  On the contrary, if the customer only has to input it the one time, chances are better that they would enter it correctly.

The type of data a customer chooses to expose to a bank could potentially be much richer than what banks are able to access today, including for example their future plans, intentions, views, feelings, preferences, priorities, etc.  This would allow banks to promote specific benefits of packaged accounts more effectively (e.g. via apps).

It may also be worth considering the application of the same authentication processes to staff. Since the boundaries between individuals’ roles (i.e. professional, customer, personal, etc.) are blurring, the PDS may be equally applicable across an individual’s different roles.

Obstacles

A few potential obstacles to new PDS and ID Assurance solutions are worth noting:

  • RISK & TRUST: Banks are naturally risk-averse creatures so there is a significant Fraud and data protection risk that must be addressed in implementing these technologies. A key concern would be the PDS developer’s ability to prove the robustness of security provided by these technologies. The ability of banks to trust identity providers is a key issue. The involvement of trusted names such as Experian does give some piece of mind.
  • SSO AWARENESS: There is limited awareness of the drive towards a federated ID across government services, and far less of potential wider uses (e.g. Open Identity Exchange). Should the OIX initiative take off, this could become economically interesting to banks.

 

Appendix

PDS 01

 

  • The blue lines represent the core PDS.
  • The red lines represent the infrastructure for extended use of the PDS.
  • The green lines represent the two-way interaction between the individual and the Service Provider.

A user can give bespoke permissions to a Corporate Service Provider via their browser, either for individual transactions or on an ongoing basis (bespoke and automatic selective disclosure respectively).

The Service Provider is able to authenticate the user via the internet and so service the user.

 

Further reading