The 'taste' of a global digital identity framework – interoperable, decentralised, secure

What is the connection between Stroopwafel, Cheeseburger, and Zacusca? Could it be digital identity?

For 100 business, technical, and legal experts in identity and banking, co-authors of a White Paper called ‘The Global Assured Identity Network, a Financial-Grade Identity Data Sharing Scheme’, the answer is yes. Ahead of the European Identity and Cloud Conference 2021, we sat with Don Thibeau, Project Lead at Open Digital Trust initiative, and Douwe Lycklama, founder of INNOPAY, to learn about this ‘crazy idea’ of building a Global Assured Identity Network.

Digital identity at crossroads

More than a buzzword, digital identity promises to unlock lots of benefits for consumers and businesses alike in many sectors: healthcare, legal, government, financial. But lack of interoperability or data privacy issues hinders the development of these advantages. Not only this, but the need to find new ways to identify consumers remotely (ways that are secure and inclusive), or that more and more fintechs and bigtechs have started replacing banks from securely identifying a customer and protecting their data, demand the global development of a digital identity infrastructure.

But who is to build a safe, global, and easy-to-use digital identity infrastructure? What do we need to achieve it? Rules (governance), tools (technology/tech systems), or both? What is the business case for it? At the moment, we have digital identity infrastructures that perform well, and that can provide good examples. Take for instance digital ID schemes in Sweden and India that have transformed digital payments and caused wider societal benefits including medical benefits, unemployment allowance, etc. As Douwe Lycklama, INNOPAY says ‘we don’t need to discover from a technological point, or conceptual base’ how to create a digital identity infrastructure. ‘It is something double, interoperability is double in Europe as we have a cross-jurisdictional legislation for organising this identity scheme’. But technology alone is not enough — financial and digital literacy are critical if we are to reap the benefits of digitisation while avoiding the potential pitfalls.

‘To build a safe, easy-to-use [digital identity] infrastructure, on a global basis, we need to capture the tools (technology/techs systems) and rules (e.g., governance)’ says Don Thibeau, Digital Trust initiative. Plus, ‘the combination of data protection legislation like GDPR, shared KYC registries, federated Bank ID, new payment rails and standardised Legal Entity Identifiers (LEI) will give a major boost to the soundness, safety, and efficiency of internet commerce’, according to Citi’s white paper – ‘The Age of Consent – The Case for Federated Bank ID’.

On the other hand, the world of global policy and global regulation is challenging because of fragmentation, which leads to a lack of interoperability. ‘With no interoperability, there is no security. With no security, no economic engine that drives financial inclusion’, as Don puts it bluntly.

Need of interoperability to achieve security

Don Thibeau serves on the Board of the OpenID Foundation, a non-profit, international standards development organisation of individuals and companies committed to enabling, promoting, and protecting open standards for identity systems. Open ID has created a set of standards that have become part of the plumbing of the digital identity infrastructure for consumers and businesses. The organisation observed that the pandemic has accelerated the development of two fundamental standards: one is for eKYC and the other is for financial grade APIs*.

These two standards reflect two burning business problems we see globally: one fighting fraud and bad actors attacking our financial infrastructure/system and the other is focused on identifying good customers securely and privately. Not only this, because eKYC enables banks to standardise and automate technology, processes, data, and organisational models, but it could also reduce a lot of costs and stands as a good business case.

Identity data sharing as a first layer

eKYC and identity data sharing is data sharing in its most critical sense. But these must be done in a decentralised way. One of the thought leaders of digital transactions, Douwe Lycklama, co-founder of INNOPAY, and the author that coined the term ‘Afsprakenstelsel’** agrees that ‘we need to improve identity and identity options and we strongly believe that collaboration/coordination, interoperability, trust, governance, all these things associated with decentralised structures are crucial’.

He suggests ‘starting from something that works globally but doesn’t have central points and going from this to other applications’. Moreover, ‘the future is for decentralisation because it will be bringing resilient proof with maximum choice’. But the first layer of this decentralised identity data sharing infrastructure is the identity one, and once this is built correctly, other layers/services like paying, billing, identity, data sharing, and applicable regulation can be built on top.

What’s cookin’ Doc? - the Global Assured Identity Network

‘First and foremost, it is a crazy idea’, laughs Don.

This summer, a group of 100 payments, identity, technical, business, legal experts ‘crowded in the digital identity kitchen’ to discuss how to provide a no-logos, no-sponsors, and pro-bono blueprint for a global bank identity scheme that would promote the secure sharing of high assurance digital identity among banks and FIs. ‘What happened is that friends invited friends to collaborate on this international piece of infrastructure and we challenged ourselves on what can be done, not on what can be talked about, not what can be debated, theorised’, Don adds. Still, ‘how the editors manage 100 cooks in a kitchen will be a miracle’ he smiles.

Getting serious, Douwe mentions that even if the white paper addresses financial institutions, it is not limited just to banks, and its purpose is to ‘challenge our colleagues to layout on an open-source base about what we think can be done today [about digital identity]’. The message of the digital identity group expert/enthusiasts is that ‘there is no reason not to do this and there is a cost of not doing it, as we see a world where identity will become unbundled more and more in financial services’. As we need identity for non-financial services more and more, Douwe expressed his fear that ‘this will lead to the risk that identity and data become more and more centralised. And this is the cost of doing nothing. Where we would end up with most of our data in a few large platforms.’

Authors asked themselves why the institutions that are more involved in securing trust – the banks – are not involved in the development and monetisation securing and sharing of our identity data, while the least regulated, trusted, centralised, platform providers are exploiting and monetising data fairly well. Therefore, one of the main motivations of the blueprint is to support banks build assured digital identity infrastructures that could be used to improve lives across society.

Banks have a natural role in the provision of digital ID

Despite the major role banks play in managing digital identity, they cannot do it alone. Banks need to understand the difference between competitors and adversaries, and therefore these institutions must collaborate with competitors. What does this mean? Don says that ‘they have to be able to trust other banks with data that these banks can provide them for eKYC data and in turn, they also need to be trusted by the other banks for the integrity/security of their identity data’.

Banks have finally realised that they cannot do it themselves, that they must come up with a global infrastructure, as they did in the past with SWIFT – a common infrastructure that allows them to compete for the customer’s business, monetary, and data businesses. As Douwe says it directly ‘grow the pie bigger together – not fight over customers’.

Overall, the main point of this white paper is to upgrade a market infrastructure based on rules and technology coming from the financial world, where coordination and governance around it are extremely well organised. This enables a global, safer, and secure coverage and user experience; ‘it is similar like everyone knows how a global card payment scheme works, despite being so many logos, plans, cards schemes’. We are all wired to detect when a card doesn’t work as it should work. With identity, we aren’t there yet. But identity is the most important transaction. Even in payments is the authentication that determines the UX.

‘If you solve identity, the rest is accounting’, Douwe concluded citing Ross Anderson.

If you like this article, don’t miss the recorded interview with Douwe and Don on the 9^th August 2021 and join us on September 13-16th in Munich for the European Cloud and Identity Conference to have the chance to taste the meal the editors have prepared.

* Financial-grade API (FAPI) is an industry-led specification of JSON data schemas, security, and privacy protocols to support use cases for commercial and investment banking accounts as well as insurance and credit card accounts.

** Afsprakenstelsel means ‘trust scheme’ – a set of uniform agreements enabling anybody to share data with anybody else, whilst retaining control over their data.

About Mirela Ciobanu

Mirela Ciobanu is a Senior Editor at The Paypers and has been actively involved in drafting industry reports, carrying out interviews, and writing about innovation in payments and fintech. She is passionate about finding the latest news on AI, crypto, blockchain, DeFi and she is an active advocate of the need to keep our online data/presence protected. Mirela has a bachelor’s degree in English language and holds a master’s degree in Marketing. She can be reached at mirelac@thepaypers.com or via LinkedIn.