On November 24th, the KNOW Identity Digital Forum focused on eKYC expansion globally and cross-industry. In partnership with Mastercard, we hosted a candid discussion on the progress made towards creating eKYC programs that can be implemented at scale and interoperate on a global level.
This panel featured Sarah Clark, Senior Vice President, Digital Identity at Mastercard, Jonathon Thorpe, General Manager Digital Identity and myGov at the Digital Transformation Agency within the Australian government, and Lovlesh Chhabra, Managing Director, Head of Product Identity & Access Management at Goldman Sachs. The conversation covered private and public-sector stakeholders’ respective roles and the evolving eKYC needs for both consumers, institutions, and governments.
Mastering eKYC Globally
OWI: Setting the stage on eKYC: Why is this important? Where is the landscape right now? Where has there been progress or delays in innovation? Why has it been difficult thus far to establish consistent practices?
Mastercard: Those of us in the industry have learned a lot about best practices by focusing on eKYC; it’s critical for every single digital player in the ecosystem, regardless of what your business is, whether you are a financial services provider or a digital commerce provider. You should be doing KYC as a competitive differentiator, and I would say most digital properties are. But how hard or easy it is to get through the process can make or break your relationship with your customer.
Whether people go through the process early in their journey with your brand can be a competitive edge because you can personalize things for them. And ultimately, if your customers choose to buy something from you, you can make the payment more secure by having sound eKYC in place, even if you are in a financial institution. There are many reasons that it’s so important, and there’s been a ton of innovation in the space (like selfie biometrics, liveness, etc.). But by the same token, it’s still filled with friction. There’s so much more potential to make it easier and more pervasive, which is just a win-win for individuals and the security of payments and all digital businesses.
OWI: Why is Mastercard interested in the identity space?
Mastercard: The worlds of digital identity and payments are not as different as you may think. Both fundamentally rely on networks of trust and verification. For more than half a century, Mastercard has worked with partners to develop a model for payments that brings together consumers, merchants, financial institutions, governments, and technology providers. There are clear parallels with our existing areas of expertise and the complex multi-stakeholder orchestration required by a global digital identity service. In payments, the mutual exchange of identity marks the beginning of the interaction between consumer and merchant. According to the World Economic Forum, the framework currently underpinning financial transactions worldwide is the closest thing we have to an interoperable system of authentication and identification. Digital Identity is a natural progression for Mastercard, given its experience here, its focus on financial inclusion, our sensitivity to data privacy, and our commitment to investing in global infrastructure.
OWI: Global eKYC offers the promise of benefits for institutions and consumers. However, localized data privacy barriers might deter this from being possible. What are your thoughts on establishing a global interoperable eKYC standard?
Digital Transformation Agency: Obviously, KYC has a particular legal connotation with it and, in Australian contexts, compliance with regulations, and it could be to enable a bank account. But it also has much broader benefits. Doing KYC right creates a single view of a customer. If you’ve got that view, then you can create some great experiences. We’re trying to develop excellent service and understand the customer better to deliver those services, regardless of whether they’re public or private. We need to make sure there are some consistent standards in place because otherwise, you can’t achieve things like interoperability. And frankly, consumers don’t know what that is and that they need to.
It’s more about making sure that if they go through the effort of going through an onboarding process and creating a digital identity, it’s something they can use somewhere else. It’s something they keep and keep using. We do it over time, and we stop asking them the same things over and over again. That’s the opportunity with digital identity and doing KYC right.
Goldman Sachs: I believe that the consent frameworks are evolving so that that standard is soon to get formed. Standards are being proposed around consent receipts and users managing consent across a broad set of products. I think that is an important key to unlocking this potential. If you go back in time a number of years ago, social login was the thing; that’s how you onboarded to everything. And we now know where that led us: data leaked in unexpected situations unintentionally, so nobody wants to do that anymore.
What that means is as a user, I need to be fully in control of my data, i.e., of my privacy. If I allow you to share, I should also have equally easy access to disallow that sharing and that sharing should stop at the point when it is disallowed. Doing this digitally, i.e., enabling somebody to share my identity digitally with other businesses, one needs me to consent upfront and then requires me to be able to un-consent very easily. Today, if you attempt to unconsented anywhere, it’s a rabbit hole. It takes forever to figure out how you stop data sharing from party A to party B.
OWI: Solving these challenges isn’t just public or private but rather a collaboration between the two. We’ve seen success in Australia – what lessons could be learned or applied to other regions based on this work? How can the public sector resources and initiatives push the private sector towards a preferred digital identity system? How could that collaboration work?
Digital Transformation Agency: The way that we’ve undertaken this journey from an Australian context is essentially creating a framework that has involved 5,000 pieces of feedback from all aspects of the community, industry, and government applying international standards and ensuring that we continuously iterate based on what we’ve learned. We’ve spent four years developing a trust framework. We’re part of a working group with the Australian financial services sector to develop a trust framework to do exactly what we’re describing, make sure it works for this particular use case, and be conscious that success with digital identity is for the whole economy.
This needs to be something that works for everyone, regardless of whether they are opening a bank account, applying for a driver’s license, or getting government support. We’ve learned through that journey to iterate the framework based on particular KYC opportunities. We did that recently by introducing additional identity proofing levels to deal with certain AML compliance. Again, listening to feedback from particular sectors has been our success so far. I think it’s also important to understand what can be achieved as well.
We’ve undertaken research here, and for us, the key thing was that opt-in is entirely voluntary. Our education piece with the community is about saying digital identity is entirely voluntary in the Australian context, and it just simply makes things easier for you.
OWI: What are the emerging eKYC standards?
Mastercard: A collaborative approach is necessary to establish the core of a commercial, operational digital identity infrastructure, and this is particularly important concerning the technology used. Current regulation around privacy and open data provides a supportive framework for effective digital identity services, as does ongoing work at national and regional levels, such as with the European Union’s Electronic Identification Authentication and Trust Services (eIDAS), the National Institute of Standards and Technology (NIST) in the United States, and a number of other bodies. Regulators should ensure that they continue to accommodate the commercial involvement of an innovative private sector. In addition, we welcome the work of the Decentralized Identity Foundation (DIF) for distributed identifiers, the World Wide Web Consortium (W3C) for verifiable claims, and the OpenID Foundation in driving open identity standards.
OWI: In thinking about what work remains to be done, do we feel the technology is already developed, or is the time more needed developing public-private partnerships? Which is the most pressing gap?
Goldman Sachs: You need the critical mass of users to come along for any of these systems to be useful, usable, or meaningful. Secondly, you need a level of regulation or a level of support from regulators at a minimum for somebody to be a partner in this framework. You need the assurance from the regulatory frameworks that this isn’t like a violation of the citizen’s right. Second, I think you need strong support from the government regarding responsibility, almost fiduciary duty that the data or something close enough to that as you make trades in the market. Every broker that is involved, every brokerage account that you have, there is a lot of responsibility that those companies carry.
The technology is already there; I think we have the technology and the expertise within the industry to pull this off. The holdback is mostly the ability to establish relationships or those coalitions and establish somewhat of a standardization or some kind of open standard or framework for what this sharing could look like.
Mastercard: One of the key challenges in a digital identity system of any kind is the chicken and egg problem of getting consumers signed up to the service alongside relying parties and others in the ecosystem. A service like this has to provide value to both – and numbers of sign-ups are the key and interoperability so the ID can be used among different relying parties and for other uses. The journey described is feasible – and could work if offered by one party to bring users into the network, registering them and helping verify them on the ID network, which can then be trusted by others. The value from such a scheme would come from its interoperability and ensuring others agree on it as an onboarding mechanism. Otherwise, it’s just going to result in a fancier version of the current system where a company can verify a user just for its systems.
There’s always more to dive into (we recommend you secure your seat now at our next digital event). Take a moment to catch up on the sessions from this event or other KNOW Identity Digital Forums you may have missed!