Editorial

Of Banks as digital saviours, and digital identity sandwiches

UCDx’s John Harrison maps out a future in which the banks play an ever larger role in the digital identity space as the Open Banking initiative continues to evolve

Posted 13 September 2022 by Christine Horton


Facebook’s motto used to be ‘Move fast and break things’. They succeeded, to the point where their part of the social web needs countless moderators to take down dubious content. Twitter is little different. A solution might be to enable groups and individuals to require – if they wish, or if mandated by the social network operator – that anyone making a post also disclose their real identity. But proving real identity online costs money, more than the social networks could pay under their current business model. The banks already know who we all are. Could they become the saviours of the social web?

Trustworthy data as money

The argument starts with a near cliché, that ‘identity is the new money’. Certainly an individual often needs proof of official identity to get money, whether from an employer as wages, or from DWP as a state benefit. But there are also ways in which an individual can use digital identity – or at least ‘trustworthy personal data’ in digital form – in lieu of money. Suppose you were a student wanting to read a newspaper or journal as part of a course of study. You could reveal nothing at all about yourself to the publisher, and pay full price. Or you could show a proof-of-student-status attribute and claim a student discount. Or you could prove that you are a member of a learning provider which has taken out a mass subscription and so pay nothing at all. Strictly then, identity isn’t the new money. But trustworthy personal data, which may (or may not) include proof of official identity, can be a very close substitute.

Pursuing this ‘trustworthy data as money’ idea, individuals would need to be able to control the data flows from a single point, not just money but also ‘identity’, student-status, qualifications, exemption for prescription charges, digital ‘keys’ to allow physical entry…the list is long. People call such a single point a digital wallet, or sometimes in a more developed form, a Personal Data Service (PDS). Society would need a way of meeting the costs of what would be a new kind of digital infrastructure: the current ‘payments’ approach – a few pence, or a small percentage of value per money transaction – would no longer meet the need.

What might replace it? Take GDPR one step further, and an individual could have the right not only to see what data an organisation holds about them, but also to show that data, in a trustworthy, tamper-proof form, to others. Suppose that organisations began to bear the costs not of payment infrastructure, as they do now, but rather of secure online relationships with each customer, as represented by a PDS of the customer’s choice; and access to whatever trustworthy personal data – including payments – the customer chooses to share via their PDS?

This may seem a small change, but what would roll outwards would be a tsunami of improvements to the web. If the UK, as a nation, chooses to converge payment systems and personal data systems in this way, then the banks would have to change to suit. They are already changing. But, so far, only the top and bottom slices of what might be called “the banks’ identity sandwich” are coming to market: the filling – which will determine whether society really benefits – is still not visible. All that we have are tell-tale signs…

Banking sandwich

First the top slice. Under the Open Banking reforms, imposed by the Competition and Markets Authority, the largest banks are required to cooperate with (i) Account Information Service Providers (AISPs), which allow an individual to aggregate transaction information from different banks, perhaps for budgeting purposes; and (ii) Payment Initiation Service Providers (PISPs), which enable an individual to authorise a payment request, received from a merchant, directly from their current account. A PISP variant is now emerging, enabling an individual to authorise release of data, to a Relying Party, directly from their current account. The terminology has not quite kept up: perhaps a Data Request Initiation Service Provider (DRISP).

For the bottom slice of the sandwich, many of the banks are now cooperating with TISA on a digital identity scheme for use when onboarding new customers. The scheme is being created under the umbrella of DCMS’s UK Digital Identity & Attributes Trust Framework. Instead of relying upon internal systems for the identity checks, participating banks will be able to outsource the work to external identity providers. Such IdPs may offer cost savings, resulting either from simple economies of scale, or because an individual proves his official identity to an IdP once, and uses the digital result with many different banks (and other organisations).

Should this kind of repeated-use IdP become common, the result will be strange. While an individual could use an account, provided by one IdP, to open accounts with several different banks, each bank will then likely insist on use of their in-house authentication system. Few will pause to consider that the individual might find it more convenient to use the IdP’s authentication system for access to all their bank accounts, saving themselves hassle and the banks cost.

But that is perhaps the logical end point of the digital identity journey. And there are only a few more steps ahead. Many IdPs already offer digital wallets, enabling – in theory – individuals to authenticate to many different parties, and take trustworthy data from one party to show to another. If the banks take over this role, and provide for wallet portability, much as they currently provide current account switching, then the destination would be in sight, and the banks would have found the missing filling for their Open-Banking-TISA sandwich, living up to their true potential in this digital age.

Banks would find themselves competing for the privilege of hosting an individual’s digital wallet, and so being the individual’s main ‘relationship’ bank. Individuals would be able to collect trustworthy personal data from any organisation and show it to any other, making payments at the same time if necessary. There would be a convenient path for convergence between the Cabinet Office’s One Login project, and schemes emerging from DCMS’s Trust Framework. And people could participate in a new kind of safer social networking, disclosing official identity at zero cost whenever necessary.

If this vision sounds good, then the public, private and third sectors need to work together to make it happen. So a big “Yes” to small steps, one by one. But “Yes” also to the need for a shared vision, enabling everyone to check that their steps are in the right direction.

John Harrison is lead director of UCDx, a community interest company funded by InnovateUK.