Nigel's Eyes

20220512 Understanding identity

During the CoVid-19 pandemic, many risk and compliance topics gained fresh momentum. Amongst them was the (internet-) age old topic of identity, something I first drew attention to in the late 1990s.

It's what I call a "Guinness Topic": there's a lot of froth to get through before you reach the beer or, in this case, the stuff that really matters.

We tend to think of identity as a one time thing, but it isn't.

I am sitting at my desk. On one corner there is a cup of coffee. I use coffee grounds in environmentally-friendly, reusable, fabric bags. The bag has a drawstring which I leave to hang over the side of the cup. This causes an irritating situation: the coffee wicks up the string and, when it becomes sodden, coffee drips onto the table. Today is the first time this has happened.

So what is the solution? Go and buy a replacement for the cafetière I broke, buy a re-usable cup-top filter, use a saucer?

Each of them has its merits. But each comes with its own question marks.

If I replace the glass and metal jug, that will be ecologically unsound: it's a thing that I don't need that has to be produced and, at some time in the future, disposed of. And having had one for thirty odd years, I have now realised that it doesn't actually improve my life. In fact, the bags are better for me because it's impossible to make the ultra-strong coffee that I had become addicted to.

If I buy a cup-top drip filter, I can't just grab and go. Making the coffee becomes a process. Honestly, if I want to faff about like that, I'll go to a Chinese tea room and let them do it for me.

If I use a saucer, I have to remember to carry it about with me - or leave it on my desk collecting drips until I can't stand the sight of it.

What solution have I adopted? I don't know yet. The temporary solution is to wipe up the drips and leave the tissue under the string. But it might be that the best solution is not to buy anything nor to co-opt technology.

Actually, the best solution is to simply drop the string into the cup with the bag when I put it in before the water. Which, presumably, is what I've been doing until today when, for some inexplicable reason I did something different.

This is a lesson we all need to learn in many areas of financial services and, in particular, in relation to technology and identity. Things work until they don't and the reason they don't is often not that someone did something wrong but that they did something different with adverse results.

Not long ago, we all knew what identity was. Within the blink of an eye, in historical terms, that has all been turned on its head not by most of us but by enough people who have elected to take themselves out of the accepted norms that Society has used as a base-line and upon which all understanding of who we are dealing with is grounded.

This is where we are in relation to identity. We seem to be focussed on the topic as if it is something new but it's as old as people. In "Understanding Suspicion" I talk about how, in the earliest days of humans, there was a Trust or No Trust decision to be made whenever another human approached. It's animalistic: do we trust and invite a person into our home or do we repel them either as a matter of course or with some reason, however arbitrary that might be?

In the 1990s, I wrote that, on the internet, everyone knows your name but no one knows who you are. In recent years, the term "pseudonymous" has gained currency, largely in relation to crypto-assets but it's applicable to every case where someone defines their own identity, even if that identity is temporary.

Which brings us, later, to the oft-repeated phrase "trust but verify." That, in relation to so many things, is a flawed approach.

Today's issues arise not because of any inherent difference in the of identity but because something has changed that makes a peripheral difference, even though that difference is critically important.

The genesis of "identity."

I have for some weeks been working on a new e-learning course about identity. It is a large and rambling topic that funnels into a compact, indeed compacted, area.

We need to know, first, why we need to know a person's identity. That's quite easy and it's far from novel: we need to know who we are dealing with. That is not, primarily, a financial crime risk and compliance matter. It is, primarily, a commercial matter. All businesses who offer any form of credit undertake a risk assessment of those to whom credit is offered.

Financial services is nothing special: while many shops have signs that say "Don't ask for credit as a refusal often offends," the fact is that many shops do offer credit. "Oh, don't worry about it, don't put that back, just pay me next time." But they don't do it for everyone: they do it on one of three bases:

- an existing relationship,
- a willingness to show trust in the hope that it increases trade in the future or, perhaps,
- out of charity knowing that the money will never come back but that someone who was thought to be deserving had their day made a little bit better and no one lost face.

Businesses offer trade credit. It is very widely abused, often by the very customers who have, on the face of it, the most impressive financial credentials. It's so bad that quite a few jurisdictions have passed legislation to combat late paying.

In the field of financial services there is a very specific difference. Banks, for example, have three functions: to take in, hold and pay out according to the customer's instructions. Banks have taken on an additional, not strictly banking, function: that of broking deals between depositors and third parties for the lending of money at interest for which the bank takes a fee or a share in the profits, while guaranteeing that the depositors will not lose if the borrower defaults.

Other companies use their own capital, or that of third parties, for lending purposes.

In both cases, they obtain information from the borrower and verify it before handing over the money.

The recent fascination with "identity" which has, in some circles, become a buzzword arose not out of credit risk but out of identity replication, often mistakenly called identity theft. It's not theft: the identity is copied and used. Reputation may be destroyed but that's not theft, either.

As the buzzword "identity theft" created a deafening roar, regulators and others piled in and started issuing all kinds of notifications. But it was the pandemic that really pushed the question of knowing who you are dealing with to the front. FinTech companies popped up in their thousands, somehow finding a near-bottomless pit of venture capital. There were so-called digital banks and a raft of businesses that interject themselves between the customer and his bank.

Banks reacted incredibly slowly. They already do everything that every FinTech does. They just didn't do it on an app and they didn't have silly names, garish websites and they didn't burn money on advertising.

In the early stages, the FinTechs were allowed to develop their businesses, within limits, effectively outside the financial crime risk and compliance framework. So-called "sandboxes" were set up in a number of jurisdictions. Countries vied to become the, or a, primary FinTech hub.

And the FinTechs didn't much care about identity because there was no credit risk and the amounts of money they allowed to pass through accounts were so small that they posed little or no money laundering risk. No one noticed, or everyone ignored, that tiny amounts can pose a terrorist financing risk.

All of the above assume a very one-dimensional view of identity.

What is your identity?

For example, is your identity that which is shown in your passport, or your driving licence?

Is your identity your mobile phone number?

Is your identity whatever you put on an application form?

As more pressure groups try to define "identity" in ways that suit themselves (for example anyone who "identifies as"), that has two effects:

1. It reduces clarity with regard to the actual identity of the person; and
2. it increases the opportunity for fraud or other criminal conduct.

Governments are allowing self-identity with regard to a range of attributes. This is counter to the clarity that financial crime risk assessments require. We have political movements that become Political without regard to the consequences.

Of course, there are questions of gender but there are also questions of caste in India, of religion, race, even of citizenship which includes those who claim citizenship of countries that do not have formal international recognition, those who claim citizenship of what I call "invented jurisdictions" and, of course, sovereign citizens.

That's one side of the equation. The other is that those who have never used any other name, who have lived in the same place for decades, who have always used the same national identity don't fit into the sausage machines that acceptance programmes have become. For example, I travel. A lot. In my mobile, I have my home SIM plus a local prepaid SIM for where I am. In the UK, I can order a SIM on line but I can't put credit on it from the phone because, although I have a UK bank account, I don't have a UK address. But I can walk into a shop and add credit with the same card. I can think of several reasons why that should be but none of them make sense on anything other than the most superficial analysis.

Nominating identities

A quick look through LinkedIn shows that people define themselves in many different ways, many of which are fundamentally meaningless. It also shows that people define themselves in different ways for different purposes. Or in multiple different ways.

Each of these is a part of their identity. Some will be verifiable but most are not. Many are seemingly ego: so many "SMEs" (who don't know that a subject matter expert at the United Nations is, often, someone entirely new to the topic and it's just a job title not a declaration of standing) and "philanthropists" to say nothing of "coaches."

Across social media, people create their own version of themselves. They promote things and they edit things out.

If everyone can be whoever they please, the task for banks, etc., is to work out which identity is the one that they are dealing with and to verify that. But beware: even official government documents can be reproduced for a few dollars if you know where to go. Or if you happen to walk down the road in certain street markets where such services are openly available.

It is very easy to build a "backstory" or a "legend" and even easier to borrow one from a drunk at an all night party on a beach in the tropics.

So while the name and address may be correct, the background information may be misleading. That is something that identity checking tech is not looking for.

Identity Fraud

Identity fraud comes in many types. There's new account fraud and in the USA alone, this runs to several thousands of millions of dollars. This is, at its simplest, where a person opens and operates an account in someone else's name.

There's "synthetic identity fraud", a new fashionable name for a problem that's ancient: creating an identity and using that to create accounts. This, in the USA, accounts for almost twice as much in losses as new account fraud.

I am astounded by the "open banking" movement which allows third parties to access accounts and make withdrawals. With online banking and card payments I can see absolutely no benefit to consumers in this system but I can see great risk. It is, literally, providing a third party with the credentials to fool the bank into thinking that the third party is you.

While the pandemic shifted FinTechs into overdrive and with it a tsunami of technologies focused on various aspects of establishing identity, the actual result has been a dramatic increase in online and mobile fraud.

And, of course, so far we have only looked at fraud committed against the business. What about frauds committed against consumers who, through phishing or other means, are convinced to use clever tech to identify themselves only to find that their bank accounts are drained?

The Global Assured Identity Network, an industry group attempting to create a standardised, cross-border approach to digital identity that it hopes to release later this year, says that what the financial sector has, and global tech giants such as Amazon, Google, etc. do not, is a long history of protecting other people's money and identification and, of course, a couple of decades of developing KYC systems. Of the tech giants, the group says "Their current capabilities, however, do not extend to contexts requiring a high degree of certainty about an individual’s identity. Financial institutions, by virtue of their investments in KYC and authentication, offer a high degree of trust."

The group has an interesting question: "The financial industry faces a choice: Will customers ultimately log in to their bank with a social media ID or will they use their bank to gain access across the internet?"

Identity and ego

There is no common approach and no legal framework for identity checking and verification beyond e.g. data protection laws.

There is a myriad of schemes, all vying for supremacy and, because it's tech and funded like tech, largely competing by advertising, sponsorship and soft-bribery money. From the point of view of a bank, the array of options is immense.

Worse, they are not integrated into other data systems, at least not natively. Once more, banks, etc. are left with systems that are fundamentally incompatible but can be joined up by some cobbled-together pipework.

It's dumb: if you buy a tap, it connects to the pipe using a standard interface that you can go into any hardware shop and buy for a few pennies.

If you buy technology, you have to pay someone to build that interface - and to maintain it every time that the software supplier at either end changes something.

Identity beyond banking

Biometrics are standard at many borders. They are also often unreliable. For some two years neither of my UK passports would grant me access through the autogates. Then, miraculously, they started to work. Just in time for me not to have to present them to leave the UK as passport control has, at least at Heathrow, been delegated to airline check-in.

In Kenya, the Independent Electoral and Boundaries Commission of Kenya has suspended part of the registration process because people are slow to verify their biometric data. This raises a question: who is supposed to be responsible for making sure that data held by third parties is accurate? True, companies registries expect that of owners and controllers of companies but that doesn't include biometric data. Is it even feasible to ask Joe Public to check if fingerprint recognition data is accurate? Surely not.

Identity and the undocumented

Kiva, an American charity specialising in microloans for those in poor areas around the world, says "Globally, 1.7 billion adults are unbanked today [1]— they do not have an account at a financial institution or via mobile money. This represents 31% of all adults globally. Being invisible to formal financial services, they are forced to operate in a cash-only economy that does not offer the leverage of credit for things like homeownership, education or even basic medical services."

Many are in that class because they are undocumented or because their identities are not recognised. Matthew Davie of Kiva says "identity is a basic human right." It is hard to disagree yet even in near-developed countries there are families who have lived for generations that are still denied even a basic identity card with the passport benefits of healthcare and education that this would provide.

Portable identities

I was sitting having a cup of tea with Des Hellicar-Bowman a few weeks ago and we were talking about the question of portable identification. Millions of us have it in our wallets with debit, credit cards, pre-payment cards. Driving licences and other identity cards. But simply having it is no use if you can't use it. Mr Hellicar-Bowman has a programmable ring that includes his London Transport Oyster card data. He recharges it at the same machine as recharges cards. But it only knows what it knows. I have an Oyster card for London, a Touch and Go card for Kuala Lumpur, an E-Z Link card for Singapore, an Oyster Card for Hong Kong and some kind of card that works on trains but not tubes in Jakarta and doesn't work on the train out to the airport.

What if I had a single card that I could tap anywhere and pay my fare? It's not a big leap to that from debit cards - indeed London Transport has already made that leap and the flat fare on buses can be charged on entry.

What if Mr Hellicar-Bowman's ring could serve that function? The practical problem would be communications at the speed necessary: people tapping a dedicated card don't expect to wait. But that's an issue of tech, not an issue of principle.

I refuse to have any financial apps on my phone and I do not accept that sending an SMS to my phone to verify a card transaction is an effective security measure. Why? If I've got the phone and the card and I'm using a website to buy something, the security code goes to my phone. Literally, I have the keys to the account in my hand. How can a criminal do that? Simple: steal a handbag. House and car keys, and bank account keys all in one quick snatch. But, hey, this is the approach that the brainiacs at the European Union have insisted upon.

There remains a great deal to be done on portable identities.

Conclusions

When we look at questions of identity we tend to think it's easy. But it isn't. It's as much a question of philosophy and politics as it is of risk assessment and technology.

We need to go back to basics and to ask the question "why are we doing this and what do we hope to achieve?" And then we need to define the limits of what we intend to use with whatever data we collect and then, once that is done, decide what data must be collected and, finally, how we collect it and integrate it with our systems.

Spiralling fraud on businesses and individuals cannot continue; systems that are unreliable must be weeded out; security must be two-way, protecting the bank, etc. and its customers.

And all of this has to be done while making certain that the person we are dealing with is who they say they are and that who they say they are is not only verifiable but valid.

The e-learning course on identity will be available here when I've finished writing it. I'm available for consultation on this subject now.