Underappreciated in the banking industry is the growing role of identity and access in banking. As banks build their digital strategies, we need to stop and think about how we know our customers (identity) and how we know that the verified customer we believe is trying to access a banking channel is really the customer we think it is (access). In this article, we explore the concepts of identity and access management (“IAM”) and how they should fit into every bank’s long-term strategy, especially given the popularity of privacy initiatives.
The Objective of Banking
The goal of banking should be to allow our customers to efficiently and safely transact business. When you hear of successes by PayPal/Venmo (U.S.), M-Pesa (Africa), and Alibaba (China/Asia), their rise has all been a result of executing on this concept, largely to the detriment of the global banking industry. In each case, they allow their customers nearly seamless transaction capabilities.
Specifically, their execution capabilities can be broken down into three parts: 1) e-commerce, or the customer interface to effect a transaction; 2) payments, or the ability to move money; and 3) identity/access, or the ability to verify the other counterparty and safely effect a payment. For banks to have success in the future, they will have to reproduce all three functional aspects.
Creating a digital interface to transact any business is straightforward. Either the bank or the bank’s solution provider can provide an efficient and pleasurable customer experience. In this day and age, most of the industry is clear on what a superior customer experience looks like.
In terms of payments, most banks are in full control of their electronic networks, wires, and ACH payments. While payments will ultimately go by way of real-time processing (RTP), there are no major decisions to make here except when to move to RTP. The average bank will not possess the scale to deliver a competitive advantage in RTP, so there is little strategic decision here. The only question is what RTP network you get on and when.
However, identity and access are a different story. This is where banks should spend the bulk of their strategic planning time.
Up to this point in our history, the world has worked by having a central identity provider such as a federal or state government validate a person or business I.D. and then issue some control documents such as a passport, driver’s license or business license. Once a standard I.D. is issued, every individual entity such as a bank or merchant would then create a separate I.D. around this control document. An organization would provide a password and maybe even a personal identification number (PIN) to handle access control. The problem is, this has become woefully inadequate over the past 20 years.
Identities are easy to steal, passwords are easy to break, and banks have a limited view of who is on the other side of the transaction. Most banks check only a single source to verify identity, may do this infrequently, do not take the context of the transaction into account (size, location, risk, etc.), and then just issue a pass/fail to allow the transaction to continue or not continue. In the U.S. alone, there were almost 1,500 REPORTED data breaches, compromising 165 million identities last year. Given the rapid move to digital due to the pandemic and the resulting recession, it is no surprise that financial fraud has increased by double digits and is on a run rate to cost our industry and customers more than $20B.
Over the last fifty years, starting with Visa and Mastercard, individual identity schemes have given way to more centralized approaches. The card companies, now followed by the likes of Venmo/PayPal, Zelle, Covault, and others, have all created a central database of identity and leverage that identity for the sake of the network. The problem with these networks is that you still don’t have 100% assurance that you have the right person and the right person on the other end (branch, mobile, call, laptop, voice, etc.).
Looking Forward – Decentralized Phone-Based Schemes
Over the last five years, the rise of phone-based biometrics, tokenization, blockchain, and real-time processing has produced a confluence of trends that gives banks a clear path forward. In plain English, this means that we now can: 1) verify a person; 2) validate their device; 3) tie that person to the device; 4) have the network contribute information to that I.D. to make it more secure; 5) give the customer complete control over their I.D.; and 6) remove credit from the equation, all in a relatively inexpensive manner.
Banks are in the perfect position to do this not only for themselves but also for their customers’ customers. Should one entity find out their customer has moved, they can now allow the customer to change their address across the entire network. Banks, retail outlets, and phone companies can now contribute their data to make the I.D. more secure, and fraud can be instantly detected across the network. Equally important, customers can have complete control over their data, knowing what is in their profile and why.
Several sovereign governments such as Norway, Sweden, Belgium, and now Canada are well on their way to providing a state-of-the-art solution, while in some cases, banks like Barclays or BBVA are taking the lead.
Why This Matters To Your Bank?
This leaves America’s community banks with a strategic choice to make, and a choice to make as soon as this year. The pandemic has skyrocketed digital adoption, largely driven by branch lobby closures, giving banks the best return on investment that they have ever seen for digital projects. As banks make choices for digitizing deposit account opening, loans, and fee income lines, identity and access play a key role. Unfortunately, most banks have just left it to each vendor to integrate a solution. This hodgepodge of schemes not only creates varied customer experiences but also creates both additional risk and additional cost to banks.
The better approach is to choose a single set of identity and access technologies and then ONLY choose product solutions that can incorporate your chosen identity solution. This means that your identity solution needs to be flexible, expandable (often called extensible), cost-effective, and designed with the end customer in mind. Some solutions are more developer-heavy, requiring some technology resources to handle, while others are “low code” solutions complete with pre-built integrations.
Putting This Into Action – Solutions Abound
Banks need to be proactive about managing identity and access and start with the end in mind. Choosing how you manage identity BEFORE deciding on any given piece of customer-facing technology is critical to developing an efficient, secure, and cost-effective platform for your customers across all channels.
Quality solutions abound in this space and can be chosen to fit any bank’s needs. Banks can start with their data and then integrate into their profile data from Alloy, Giact, LexisNexis, and others. Banks can take that profile and leverage highly technical but adaptable solutions such as Auth0, Microsoft, Google, AWS, WSO2, Cloudentity, and FusionAuth or more turnkey solutions such as Okta, Thales, Idaptive, IBM, Ping Identity, Oracle, Akamai, Salesforce, SAP, LoginRadius, ForgeRock, Covault, and others.
The important point is to proactively choose both an identity and an access control solution and then not only implement it across all channels but also push the technology downstream to your customers. By providing this technology to your customers (so they can verify their customers), it generates fees and makes your bank even safer.
The pandemic has increased the rate of change for financial services as well as increased identity fraud. Without physical contact, criminals’ risk of getting caught is reduced, so there will be more attempts to steal from both banks and our customers. These trends, combined with more plentiful identity frameworks, now allow a bank to solve this problem proactively and to be a driving force towards a positive change.
At its core, the business of financial institutions has been focused on enabling secure transactions with users who can verify their identity, which makes them the perfect providers of multi-purpose digital identity frameworks for both internal use and the use of their customers. Several banks have already shown the way forward, and now it is time to make plans to head down this path. As you work on updating your strategic plan, be sure to make finalizing an IAM structure a top priority.
Submitted by Chris Nichols on July 06, 2020