What real lesson should the UK take from Finland on making Digital ID popular?

At this month’s ‘Think Digital Identity For Government 2019’ conference, Ubisecure’s UK MD Simon Wood may have given us a very useful clue

Posted 24 June 2019 by Gary Flood

At June 7th’s Think Digital Identity For Government 2019 conference, we heard an interesting perspective on the very different journeys to Digital Identity adoption we’ve seen between the UK and the Nordics from a company well-placed to know – Finnish ID success story Ubisecure.

We wanted to get a bit more on all this, so recently sat down with the presenter (and the company’s UK CEO), Simon Wood.

Hi Simon, and thanks for agreeing to help us out here. Can I ask, Why did you put up the two very different maps you did, of Finland and the UK? What was your point about the different ways ID’s happening in these markets?

Thanks, glad to help. The main point I was trying to make is the very different balance of ownership. In the UK, the large Identity provision projects are all government-based, whereas in Finland they are private company based (bank and telcos, typically). More importantly, using Verify as the example, in the UK, Government has specified how Identity verification should work – it has defined the KYC, Know Your Customer, requirements. In Finland, by contrast, private sector companies are using their existing KYC processes that have then been accepted by the state as appropriate.

Barclays as a Verify provider is a good example here. If you bank with Barclays, this can speed up the verify verification process, but it is still a separate process with differing proof requirements. The KYC process that Barclays have to lend you hundreds of thousands of pounds are seemingly not sufficient to be trusted for you to log on and pay your Self Assessment, then!

Yes, a few conversations at Think Digital Identity For Government 2019 I had reflected that kind of insight. Next up, can you tell us more about what’s happening in Finland around Identity Aggregation, which you talked a lot about, too?

Identity Aggregation in Finland is a booming business – owned and operated by private companies; we work with several in telecoms. We are seeing a buoyant competitive market for the provision of aggregated IdP access. Basically, Finland has unified the banking IdP standards (interoperability, at least, if not verification) which has enabled the creation of the market for ‘wholesale’ Identity provision.

OK, but why is that cool/useful?

Because Identity Management is hard – and managing multiple IdPs is very hard. Before identity aggregators, there was the challenges and overheads of technical integrating different IdPs, and the legal challenges of managing individual contracts with that IdP. Being able to source pre-integrated and pre-established agreement from a mature provider simplified the delivery of services and ensures compliant tracking and adoption of new providers automatically. The good news here is that ‘open’ access to multiple providers ensures that applications can be as flexible and convenient as possible, while at the same time reducing privacy issues by avoiding creating yet another pool of identity data.

Why do we all need to move toward a more compete Identity ‘picture’?

A complete Identity picture brings in organisation identity alongside individual. Managing organisations (be they legal / corporate, or social / family) enables significant savings from full online enablement of business process. This potential is untapped in the UK, we contend.

At the same time. a complete Identity ‘picture’ – full ecosystem – also brings significant benefits to both users and providers. For users, it increases security, increases privacy and brings consistency to the authentication process (making it slightly easier to spot inconsistent uses – think phishing). For providers, it removes the complexity and risk of direct credential management, enables broader support and reduces on-boarding friction (and therefore increasing engagement rates). 

Interesting. Other speakers at the Conference also made points about how ID is likely in the end to be a complex mix of public sector and private sector ID mixed together. Couldn’t this be a bit confusing?

I agree that there is a mindset change required here. It is more confusing to manage 60 accounts or authentication through 10 providers. It is an emotive shift, but I’m still surprised by the number of people that would rather enter credit card details into random sites for purchases than use an FSA-registered payment provider (such as PayPal). The risk to me is massively reduced using such a provider rather than distributing my payment details across multiple databases. And after all. one’s Identity is even more valuable than the credit services it might allow me to register for. 

At the end of your presentation you put up a slide about potential taxpayer savings out of doing some of this better?

Yes, I compiled a few predictions based on adopting the same delegated role management as we have been running in Finland for the last 12 years. In Finland, government data shows a saving of €6-10 per transaction with approximately a million transactions occurring each month; if we take a similar order of magnitude saving for the UK, and look at published transaction data (from www.gov.uk/performance) for HMRC, we see 60 million transactions per year leading to a saving (at £4 per) of £240m per year. Of course, you could argue the saving is more or less than this, but will be a similar order of magnitude. This saving is the same (just from one part of Central Government, HMRC) as the four-year costs for Verify. Being able to delegate seamlessly between individuals and organisations is key to delivering these savings, I should add.

Great, and thanks for all this, Simon. Our final question for today is this: if there was one one sentence message you had in mind about your presentation at the conference you wanted delegates to walk away with, what would it be?

Simple: Don’t just manage individual Identity – manage organisational Identity, too.