A BIS research paper on cyber risk in central banking noted “the new digital perimeter that must be protected has shifted to identity – the cornerstone of modern security controls in the cloud – and the primary control enforcement on users, devices and data.”
To de Cos’s point, this is about banking and not banks per se. As new competitors such as big techs, fintechs, neo-banks and non-banks enter the market and the provision of banking services becomes more fragmented, secure – and efficient – identity management becomes more and more important.
Inevitably, all financial services are going to outsource more of what they do as they seek to expand their ecosystems, partnering with fintechs, using the cloud, joint venturing with other organisations. “Banking as a service” – BaaS – is already entrenched in the financial system.
That brings its own risks.
“The growth of the fintech industry, of banking-as-a-service (BaaS), and of big tech forays into payments and lending is changing banking, and its risk profile, in profound ways,” argues Michael Hsu, the US Acting Comptroller of the Currency, in a paper “Safeguarding Trust in Banking: An Update”.
“How do banks and their third parties view and treat customers in bank-fintech arrangements - when do customers go from being the client to becoming the product and how are consumer protections maintained? How resilient are banking services to stress at fintechs? What happens when fintechs fail?
“The ‘de-integration’ of banking services that is taking place now has its roots in technology, data, and operations and is affecting all banks, not just the large, money centre banks. My strong sense is that this process, if left to its own devices, is likely to accelerate and expand until there is a severe problem or even a crisis.”
Like so many elements of our new digital world, the attractions are immediate but the risks – and costs – only become obvious after things fail and we have the mass hacking of personal details or failures like those in the cryptocurrency world.
Trusted Digital IDs are not the complete answer but they are certainly a vital step forward.
And they are an opportunity.
According to digital intelligence service CB Insights, in a report on Web3, “while a fully decentralised, third version of the internet may still be a distant vision, there are a number of use cases that are gaining traction” - and digital identity provision is one.
CB Insights acknowledges a major challenge for Web3 is “how to verify and track user identity. This is where a decentralised identifier (DID) comes into play.”
For this particular version of a Digital ID, a “DID is a string of numbers and letters that underlie apps called ‘identity wallets’. These wallets contain verified credentials and other data that a user generates on the blockchain. The identity wallet grants its owner access to applications.”
DIDs allow users to create a decentralised identity, encrypting digital identity attributes and decentralising the storage of identification documents, like ID cards and passports.
“This is particularly useful for secure identity verification for Know Your Customer requirements (required by banking regulators),” according to the firm.
Cybercrime on a massive, organised scale is unfortunately now part of our lives and it must be tackled on multiple fronts. Secure, efficient and trusted Digital IDs are a key weapon. But critically, we must also be able to trust those who are providing and managing the Digital IDs …
Andrew Cornell is Managing Editor of bluenotes