Digital identity and the liability risk conundrum

Monday 27 May 2024 09:26 CET | Editor: Mirela Ciobanu | Voice of the industry

Gareth Narinesingh, Identity Development Director at OIX, explains how better-informed risk assessments can potentially resolve the thorny issue of contractual liability risk.


Ask any Chief Risk Officer…

The business of running any enterprise risk management function lies in understanding the level of risk the organisation is prepared to accept in order to maintain an orderly, smooth, and legal operation.

Senior managers tend to run their businesses within a measured level of risk tolerance, meaning the business has to operate within a certain acceptable risk appetite. But there will never be zero risk because to accept zero risk would be to not do any business at all.

To understand business risk is to accept that risk is inherent in doing business, so the risk manager needs to deploy systems and controls to manage it. Residual risk, the risk that remains after those controls are applied, is therefore the real focus of any mature and established risk function. This means effective oversight of quantifiable indicators that show whether the organisation is operating within its established risk threshold parameters.

Another way for an organisation to de-risk its business model is to pass contractual liability risk on to suppliers and vendors of professional services. This includes software licensing, which has become a significant business risk because of digital transformation.

Liability risk is a necessary part of business model risk for suppliers and vendors. For software providers, it is a type of operational risk, specifically the risk of being held liable or responsible for an action or inaction that results in a direct or indirect financial loss to the party who has procured a license to use their software.

However, is it right for firms to pass holistic liability risk back to the software vendor? For digital identity providers (referred to as Identity Service Providers, or IDSPs, under the UK government’s digital identity and attributes trust framework), who perform verification and proofing checks on customer identities before those customers are onboarded, this has been the source of heated and prickly debate for some time.

Digital identity verification provides a relatively new systemic defence mechanism against the threat of identity fraud and impersonation. It is widely regarded as a systems and controls enhancement to the more traditional means of customer onboarding, including face-to-face checking of paper documents.

Digital identity is now on the agenda and must be well understood by institutional risk and compliance functions, whether the challenge is proof of age (for social media and adult content platforms), proof of identity (for government services), or proof of risk profile (for the anti-money laundering regulated sectors).

Institutions are leaning towards this new technology, and IDSPs are hoping that new legislation and updates to the Money Laundering Regulations will drive faster acceptance of digital identities and adoption by consumers and citizens. The legislative pace is currently moving at high velocity in places like the UK, Australia, Canada, and across the EU member states.

The UK, in particular, will very likely see a sharp rise in digital identity users following the passing of the Online Safety Act, which permits the use of digital identities as a valid means of evidencing that someone is a real person, that they are who they claim to be, and that they meet the age restrictions required by digital platforms to access their online content and services.


So, what does this mean for the Chief Risk Officer?

Risk functions need to assess the risk of any new technology product that adds value to the business. In the case of digital identity, this generally means reducing fraud, giving customers better onboarding and customer life cycle experiences, and making Customer Due Diligence case management easier.

Assuming the business case for digital identity stacks up, then the risk officer has to perform an assessment of the advantages of the new technology deployment versus the things that can conceivably go wrong. Such a risk assessment needs to be well-informed and balanced.

Integration is of course a key factor because it consumes resources and budget, but there is also a requirement to perform system testing before deployment into live production, as well as a requirement for ongoing performance evaluation through an audit plan.

A major challenge is that risk assessments for digital identity systems are not particularly well understood by the institutions that would be acceptors of digital identities.

Without a strong understanding of how to perform an informed and balanced risk assessment, the identity sector is left with a disconnect. This means that institutions, although fully aware that digital identity technology can deliver enhancements to their onboarding controls, cannot determine a specific risk appetite for its deployment as a new digital channel.

This leaves institutions with no alternative but to set their risk appetites around passing considerable, if not holistic, contractual liability risk back to the IDSP.

IDSPs, many of them currently only at the start-up or scale-up phase, are unable and unwilling to accept this level of contingent liability risk. Their argument is that their services drastically reduce overall risk – through the introduction of new and innovative methods to spot bad actors, bots, or fake identities, thereby blocking them before entry through the accepting institution’s firewall, or regulatory perimeter.

IDSPs therefore argue that liability risk should be focussed on the stated performance of their systems and controls: in other words, on their ability to separate the ‘chaff from the wheat’. That some of the wheat will also be blocked is an inevitable consequence of a strengthened control environment. Nor do IDSPs ever claim a 100% hit rate in identifying every bad agent. They are acutely aware of the existential arms race in which innovative technology is not only a force for good but also a driver for criminal enterprise.

Overall, IDSPs claim that their services will produce better results in terms of regulatory compliance, user experience, and anti-fraud, whilst creating a new and exciting channel for customer onboarding at a time when digital identities, under the direct control of those who have created them, are expected to take off in the UK and beyond.

However, unless accepting institutions can see plain evidence for these claims and, crucially, can trust the technology, understand how it works, and measure its performance, the disconnect will continue to exist.

And, unfortunately, this will mean that the easy option is simply to pass back contractual liability risk to the providers of this exciting new technology, which is ironically purported to reduce risk.

There is a need for more data and science to prove the claims made by IDSPs. There is a need for clearer communication and an understanding of the intrinsic business risks that digital identity can mitigate or reduce to acceptable risk tolerance levels. There is a need for more informed risk assessments of digital identity systems.

Our work at the Open Identity Exchange is focussed on resolving the disconnect between IDSPs and institutional acceptance of digital identity. We have identified that there is a need to simplify and clarify what digital identity is and how it works. We have also produced checklists for institutions that are grappling with risk assessments.

Our view is that digital identity is a force for societal good and it will become a fundamental component of any institution’s defence system as an important response to the surge in economic crime and identity fraud.

We invite would-be accepting institutions to join our community and discuss with us how digital identity can be used to de-risk their business models as an ethical, secure, and inclusive new technology offering.


About Gareth Narinesingh

Gareth Narinesingh is a digital identity evangelist with a strong conviction that reusable identity will transform people’s lives for the better. He has recent experience in digital identity sales and product management and before this built his career in regulatory consulting, FCA supervision and various market roles in banking. Gareth’s key objective is to work across the OIX membership to promote digital identity through a unified voice, to enable early-stage ecosystems and use cases to be built and adopted under robust trust frameworks.


About Open Identity Exchange (OIX)

The OIX is an influential non-profit trade organisation with a global presence that is on a mission to create a world where everyone can prove their identity and eligibility anywhere through a universally trusted ID.
