Blockchain and Decentralized Identity: How Transparency Can Improve Identity Verification for Banks

OneSpan Team

In the Netflix series The Crown, a lead character exclaims: “Who wants transparency when you can have magic?” Magic and transparency can be thought of as opposite extremes of how large and complex institutions try to win our trust. Institutions typically choose “magic”: they provide little insight into how they operate, which means we can only hope that they will act in our interest. We often depend on such institutions, but since we can’t trust magic, we need transparency instead.

Today, technology is providing new transparent approaches to identity verification that banks can use to address issues with the customer due diligence phase of onboarding. Aite Group found that abandonment rates for financial account opening processes range between 65 – 95%, depending on the product. If this process is not conducted thoroughly, banks could face regulatory action and costly fines. When this problem is reframed from one that banks must solve individually to one that banks can solve collectively, new approaches become possible.

As explained on FinanceDerivative.com, banks can solve problems in identity verification by sharing a live log of data related to identities that have already been verified. Yet this can be difficult to realize, even in the digital age. Pragmatic challenges such as tracking master copies, resolving version conflicts, and managing concurrent updates can create an aversion to this type of arrangement because of the risk to the integrity of those records.

Distributed ledgers (blockchains) can help here. Over the years we’ve learnt that:

Given the attention that distributed ledgers have attracted in recent times, it is inevitable that the first forays into applying transparency to solve identity verification problems have used this technology.

Let’s look at two different approaches to how banks can create transparency by using distributed ledgers.

A Shared Log for Identity Verification

If banks are able to co-operate and maintain a shared log of data relevant to identity verification, it can help streamline the process. KUBE (Know Your Customer Utility for Banks and Enterprises) is a technology that has been proposed by the Isabel group along with Belfius, BNP Paribas Fortis, ING, and KBC to achieve exactly that.

The technology aims to increase the efficiency of onboarding for business customers through a shared log of identity attributes previously checked by member banks. The technical details of KUBE are not yet clear, but the distributed ledger in the architecture will contribute to consensus between each bank on the latest version of the log, along with assuring the integrity and availability of the data. Once customers are registered in the KUBE system, the identity verification performed with one bank is available to another bank with the consent of the customer, who receives the benefit that they only need to verify their identity once amongst that federation of banks.

In this example, KUBE provides a verifiable log that creates transparency between banks on the network. But the customer must rely on KUBE to protect the confidentiality of their personal information.

Decentralized Identity

One other option is to re-envision digital identity completely to place the customer on more of an equal footing with banks. Decentralized Identity (self-sovereign identity) is a model of digital identity whereby a user is equipped with cryptographic techniques to create, self-verify, and own a digital identity that is portable between relying parties. Its constituent components are a trustworthy shared log, public key cryptography, and verifiable credentials (now a W3C standard).

Sovrin is one exemplar of this approach and its technology comprises a public-permissioned distributed ledger based on Hyperledger Indy and cryptographic credentials following the W3C standard. For example, after identity verification the customer is provided with a verifiable credential from that bank, which is stored in an identity wallet on the customer’s mobile device. When the customer onboards with a new bank, they provide that credential along with a decentralized identifier (DID) that they use, and prove their ownership of both using properties of public key cryptography. The receiving bank must then check the validity of the credential on the shared ledger. Thus, identity need only be verified once amongst a federation of institutions and the customer retains control over disclosure of personal information.
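The presentation flow described above can be sketched as follows. This is an added example, not code from Sovrin, Hyperledger Indy or the original article: the in-memory `ledger`, the `did:example:` identifiers, the credential layout and all function names are assumptions, and the W3C data model is reduced to a signed JSON body.

```javascript
// Added illustration: simplified credential check, not Sovrin/Hyperledger Indy code.
const crypto = require('node:crypto');
// Constructed stand-in for the shared ledger: DID -> public key, plus revoked credential ids.
const ledger = { dids: new Map(), revoked: new Set() };

function registerDid(did) {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519');
  ledger.dids.set(did, publicKey);
  return privateKey; // stays with the DID's owner (issuing bank or customer wallet)
}
const sign = (obj, key) => crypto.sign(null, Buffer.from(JSON.stringify(obj)), key).toString('base64');
const verify = (obj, did, sig) => {
  const pub = ledger.dids.get(did);
  return !!pub && crypto.verify(null, Buffer.from(JSON.stringify(obj)), pub, Buffer.from(sig, 'base64'));
};

// Issuing bank: sign claims bound to the customer's DID.
function issueCredential(id, issuerDid, issuerKey, subjectDid, claims) {
  const body = { id, issuer: issuerDid, subject: subjectDid, claims };
  return { body, proof: sign(body, issuerKey) };
}

// Customer wallet: sign the verifier's fresh nonce to prove control of the subject DID.
const present = (credential, holderKey, nonce) =>
  ({ credential, nonce, holderProof: sign({ id: credential.body.id, nonce }, holderKey) });

// Receiving bank: returns 'ok' or the reason for rejection.
function verifyPresentation(p, expectedNonce, trustedIssuers) {
  const { body, proof } = p.credential;
  if (!trustedIssuers.includes(body.issuer)) return 'untrusted issuer';
  if (!verify(body, body.issuer, proof)) return 'bad issuer signature';
  if (ledger.revoked.has(body.id)) return 'revoked';
  if (p.nonce !== expectedNonce) return 'stale nonce';
  if (!verify({ id: body.id, nonce: p.nonce }, body.subject, p.holderProof)) return 'holder does not control DID';
  return 'ok';
}

// Constructed run: bank A issues, the customer presents to bank B.
function demo() {
  ledger.revoked.clear(); // start from a clean revocation list
  const bankKey = registerDid('did:example:bank-a');
  const custKey = registerDid('did:example:customer');
  const vc = issueCredential('vc-1', 'did:example:bank-a', bankKey, 'did:example:customer', { kycPassed: true });
  const trusted = ['did:example:bank-a'];
  const fresh = verifyPresentation(present(vc, custKey, 'n1'), 'n1', trusted);
  const replayed = verifyPresentation(present(vc, custKey, 'n1'), 'n2', trusted);
  ledger.revoked.add('vc-1'); // issuer withdraws the credential on the ledger
  const revoked = verifyPresentation(present(vc, custKey, 'n3'), 'n3', trusted);
  return { fresh, replayed, revoked };
}
console.log(demo());
```

The receiving bank never contacts the issuing bank directly: everything it needs (the issuer's key, the holder's key, revocation state) comes from the ledger, while the claims themselves travel only in the customer's presentation.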

This area is one of active investigation; as such, there is no product that is ready-to-go. One crucial challenge that requires research is the relationship between user experience and privacy, since in this model customers will inherit new responsibilities and software to use to manage their privacy.

Privacy is Important

Both examples require privacy for both customers and financial institutions. When designing a shared log for identity verification there might be an inclination to start with a minimum viable product that simply pools the personal information of customers. Pooling the personally identifiable information (PII) of customers creates an attractive honeypot for attackers, and a point in the system design where information can be accidentally leaked.

In addition, banks have their own privacy concerns. Clearly, we shouldn’t design a system where banks can conduct surveillance on each other. In the design stage of a technology, we must consider how the benefits of transparency can solve new problems while at the same time finding acceptable levels of data confidentiality and privacy.

Closing Thoughts

The value of transparency-enhancing technologies such as trustworthy shared logs is subject to a network effect, which means that the value of an application in the financial industry is tightly coupled with the number of financial institutions that choose to use it. The exciting research direction of the future is to investigate how distributed ledgers, and transparency-enhancing techniques more generally, can create new applications in banking and reduce our need to trust magic.

This article, authored by Paul Dunphy, Research Scientist at OneSpan, first appeared on FinanceDerivative.com on April 20, 2020.

 
