Identity as infrastructure: holding payments together in a fragmented world

Digital identity is not a layer we add to systems; according to Digital Identity Consultant Andrew Hindle, it is the foundation that allows them to function. From TradFi to Web3, every transaction depends on trust boundaries. 

‘Digital identity is not a layer we add to systems - it is the foundation that allows them to function at all. Whether in traditional financial services or emerging Web3 payment models, every transaction depends on knowing who or what is acting, under what authority, and within which trust boundaries. The challenge is not simply technical. Fragmentation across standards and regulations, combined with the accelerating pace of AI-driven change, is placing increasing strain on that foundation. Automating weak processes does not improve them; it amplifies their flaws. To move forward, organisations need to invest not only in standards and infrastructure, but in the people and governance models that make those systems work. Identity, done well, enables both safety and innovation. Done poorly, it undermines both.’ 

Andrew, you once said that ‘identity is, by its nature, connective tissue’. Could you elaborate on this idea? How does digital identity act as a connective layer across financial services, particularly in emerging Web3 payment ecosystems? 

I originally made that observation as part of my opening keynote at Identiverse 2025. The focus of the talk was on an increasing fragility across a range of interconnected systems (not just identity, and not just technical!). My points were, first, that digital identity is critical in ensuring that a range of emerging technologies can operate - and interoperate - both safely and effectively. Second, because identity is so deeply woven into the fabric of everything that we do, identity professionals are in a rather privileged position to be able to broker conversations across the breadth of an organisation. Those conversations are about enabling services as much as they are about safety (cybersecurity and privacy). 

With ‘identity’, I’m referring broadly to data which can be used to identify an individual or an entity, and the underlying standards, systems, and technologies that transport and use that data to make decisions about access. 

Virtually everything we do digitally relies on identity data. It might be a simple as a unique identifier for the application making the call, or as complicated as an encrypted reference to a set of verified proofs of sensitive personal data about a specific user, but there will be something. 

Regardless of how Web3 payments evolve, systems still need to know who or what is initiating and settling transactions. And we will need to know which systems and entities are involved during any series of transactions or (smart) contract fulfilments. That data is needed not only for compliance reasons, but also to ensure the safe (secure and privacy-preserving) and effective operation of a scalable, global system. 

Finally, let’s be clear that identity data, in the broad definition of the term I gave above, is supportive of individual privacy, not contrary to it. If I can buy a shirt on the high street without anyone knowing ‘who’ I am, I should continue to be able to do that online. Digital identity technologies are a critical part of making that possible. 

If identity is the connective tissue, what are the core building blocks required to make that identity infrastructure reliable for financial institutions? Which parts of this ecosystem are currently the most fragile or underdeveloped? 

I’d argue there are four: technical standards, regulation, trust frameworks, and the body of digital identity professionals. 

Technical standards that address today’s requirements are in good shape. There is important work to be done to support emerging requirements - particularly around digital identity wallets and the novel needs of artificial intelligence systems - and to adapt standards processes to the pace challenges we are all facing. It’s crucial that solutions providers across the board continue to support those efforts both directly and by supporting standards in-product. Enterprises then need to keep up to date with specifications. This can often be the hardest challenge, and it’s why the profession of identity is so critical.  

Compliance is a particular challenge in regulated industries such as financial services. In the best cases, well-aligned regulatory regimes can improve efficiency and reduce costs… but this only works if the alignment is there, if the regulatory bodies are empowered to keep up with the technical standards, and if enterprises treat regulations respectfully and in the spirit in which they were intended. That challenge is already hard, and the demands of AI are going to make it harder.  

Closely linked to this are trust frameworks. The more data we share, the more we need to trust the provenance of that data… in some cases, existing contracts will cover this, but novel use-cases may require new agreements; and cross-sector or even cross-border trust will rely on broader frameworks to facilitate operation. There is good progress in these areas, but more is needed both in creation and in harmonisation. 

Finally, the identity profession as a whole needs support! Organisations still underestimate the role of digital identity. It is not just security or privacy - it is foundational. Without it, modern systems do not operate. That requires investment in both technical and leadership career paths, allocating budget, and supporting management career paths as much as technical/individual contributor paths. 

What are some of the main risks or ‘diseases’ that could weaken this identity layer today, for example, fraud, fragmentation of standards, or regulatory uncertainty? 

Fragmentation is one of the biggest challenges we face. Yes, in some cases with technical standards within the identity sphere, but more broadly with technical and regulatory standards across the board. 

I also worry about the pace of change. AI itself is not the concern. The risk is the rush to apply it without understanding the underlying process. Massive automation of an already stressed or poor process just leads to mediocrity in volume and pace. Executives and Boards need to feel empowered to question assumptions, slow down, and do the right things for the right reasons. 

Accessibility is another one. Not everyone has access to the same devices or platforms. Thinking about - and designing for - so-called ‘edge cases’ will make better systems for everyone. 

Finally: putting the customer first. You may think that it makes things easier for the customer to put the ‘wallet’ into your app. But consider the whole customer experience. Try running user testing, looking beyond the immediate boundaries of your business. 

Continuing with the analogy, what are the ‘immunity boosters’ that could strengthen this digital identity infrastructure? 

At a technical level, there’s an emerging approach that I think is going to be critical as we go forward: Continuous Identity. Continuous Identity assumes identity data flows throughout a transaction, allowing systems to adjust permissions in real time. Most current infrastructure cannot support this model - especially at an AI-driven scale. 

How can robust identity frameworks help financial institutions reduce risk while enabling innovation in areas such as Web3 payments? 

Digital identity will be critical in enabling new payment and transaction systems. Cybersecurity risks, compliance risks, fraud risks, business risks… the list is quite long. 

A standards-based identity foundation supports all forms of risk mitigation - cybersecurity, fraud, compliance, and business risk. When that foundation is strong, organisations can innovate with confidence. So, aside from the specifics that might apply, it is generally true that building on a solid digital identity foundation better enables digital innovation for Web3 payments and beyond. 

What role do industry organisations and standards bodies, such as the FIDO Alliance, play in building trusted identity infrastructure for financial services? 

Industry associations and standards bodies support these building blocks in practical ways. The FIDO Alliance, for example, is best known for advancing passkeys to improve both security and usability, while also expanding into areas such as credential exchange. 

They also play a key role in aligning industry and regulators, helping shape regulatory approaches that underpin trust frameworks. For those frameworks to function, participants need confidence that systems are implemented correctly and processes are followed. Certification and assurance programmes - such as those from the OpenID Foundation, Kantara Initiative, and FIDO, inter alia - provide that confidence. 

Finally, professional associations support the people behind these systems. Organisations such as ISC(2), the IAPP, and IDPro offer certification, ongoing development, and a forum for peer exchange across the global identity community. 

You will be speaking at the KuppingerCole Analysts' European Identity and Cloud Conference 2026. What key ideas or challenges will you address there? 

Automated processes already outnumber humans - and AI agents will accelerate that shift. Continuous Identity architectures will help. But in that context, I’ll be proposing a more fundamental change: we need to entirely reconsider the concept of a user ‘account’. It’s not going to be my usual kind of talk! It will be a little contentious and provocative; I’m hoping the audience will leave with more questions than they had coming in, and I’m not expecting to have many of the answers… but we do need to start having a deep conversation about how to adapt our traditional architectures for a very different set of requirements. My aim is to help kick-start that conversation. 

About the author 

Andrew Hindle is an independent consultant focusing on digital identity, privacy, cybersecurity, and corporate governance. A co-founder of The Identity Salon, Andrew is also Conference Chair for both the Identiverse and Authenticate conferences, serves as a non-executive member of the board at Curity, and chairs the UK Advisory Board at the Kantara Initiative. He can be found online at linkedin.com/in/ahindle. 

About The Identity Salon™ 

The Identity Salon™ (theidentitysalon.com) provides opportunities for senior identity architects to engage in practical discussions about challenges on a 5- to 7-year horizon. We focus on actionable steps for anticipated challenges. We ask: 'What practical measures can we take now to prepare for known identity challenges down the road?'  Such measures may include internal briefings, team development, proactive involvement in standards groups, or encouraging vendors to prioritise specific features.