January 4, 2012
Reframing identity
Instead of breaking down and then re-building identity silos,
we simply need to reframe them
‘Break down the silos’ is one of the catch cries of modern management practice, and a special rallying call in the Federated Identity movement. Nobody denies that myriad passwords and security devices have become a huge headache, but attempts to solve the problem by sharing identities across different contexts all too often come unstuck.
Banking strategists and financial regulators working in online banking urgently need new ways of looking at these challenges.
Regular readers will be familiar with my critiques of Federated Identity. I have often defended identity silos for the way they safeguard risk-managed relationships between banks and their customers. Business relationships do not interoperate as readily as Federated Identity proponents would like. Even standardised relationships like bank accounts are surprisingly difficult to share across institutions, as the MAMBO project found the hard way (see MAMBO misses the point).
Instead of breaking down and re-building them, I believe we need to fundamentally reframe identity silos. We need to better understand what identity silos mean, why they arise and the forces that act on them, before we can reliably re-use their contents, namely precious customer data. This takes care. Identity silos cannot be busted open and joined up any which way, just as wheat farmers and corn growers cannot join up their grain silos!
Everyone in banking technology will have come across the term ‘ecosystem’ in recent years. It’s become the trendy euphemism for IT marketplace.
With a politically correct ring to it, ‘ecosystem’ is used by vendors to lift the customer conversation above the hurly-burly of competition, and to attract more active government support.
But for all the talk of ecosystems, genuine ecological thinking has been lacking in contemporary identity theory.
The computer scientist Gerald Weinberg famously said “things are the way they are because they got that way”. That is, everything has a natural history. Looking at the rich variety of identities we have in both the real and digital worlds, we should ask: How did they get here?
Multiple personalities
Digital identities are proxies for the various relationships we have with banks, employers, government agencies and so on. Each of these organisations usually knows its customers by an identifier of some sort, which represents the customer’s standing, their entitlements and obligations in a defined context. The fact that we have multiple digital identities is a logical result of having multiple relationships.
For the longest time, most of us have lived happily with a dozen or more digital identities. To confirm this, simply look in your wallet or purse and count the different cards you carry.
While the Federated Identity movement calls for a brand new ecosystem to be built, it’s oblivious to the existing ecology of business, which has spawned different arrangements for managing risk in each of the local contexts we deal in.
Think about the fact that a formal protocol governs the way we sign up with a bank, an insurance company, an employer, a university or a professional association. These protocols are not static; rather they evolve over time. Know-your-customer (or member) rules always embody a mix of local business practices, and legislated elements, especially in regulated industries like finance, aviation and healthcare.
Local rules and legislation alike are continuously varied in response to changing risk dynamics. As new risks emerge, identification protocols are strengthened. And they’re steadily augmented with improved technologies, like document verification, tamper resistance, two factor authentication, smart chips, and real-time risk scoring.
All these factors can be seen as memes: heritable ‘cultural’ units that combine to define how each of us is known in each business context. Identity management processes and technologies are subject to natural selection, with survival pressures acting on all those elements.
For instance, to deal with escalating money laundering and terrorist financing, prudential regulators have tightened the requirements for account opening. In response to ID theft, banks have added SMS codes or one time passwords. On the other hand, some environmental pressures act to weaken identity practices. For example, heightened privacy awareness means employers may collect less ID from new staff when they join up than they might otherwise prefer.
The ecological frame shows that identity silos are an inevitable result of risk management. They’re like ecological niches. They don’t automatically interoperate – and identities cannot automatically federate – because different businesses manage risk in their own ways.
The dream has been to take a digital identity like a bank account out of its natural niche and use it in other contexts like government or even other banks. But now we see that this is a bit like taking a salt water fish and dropping it into a fresh water tank. Easier said than done!
Stephen Wilson, founder of the Lockstep Group, is an analyst, consultant and innovator in digital identity and privacy.
Written by: Charis
