Identity Management in a Digital World
‘Customers are willing to sacrifice security for engagement’, one speaker said to a full ballroom of payments professionals at the Global LEI (Legal Entity Identifier) Foundation (GLEIF) workshop in San Francisco. Customers are increasingly willing to de-prioritise security for a seamless user experience. But in a progressively digital world, how can you be certain who you are transacting with?
That is one of the aims of the GLEIF. It was the financial crisis of 2008 that laid bare the need for a universal system of identifying legal entities: it took entities months and years, rather than days and weeks, to understand their exposure to the fallen financial institutions. In the wake of this, the Group of 20 (G20) and the Financial Stability Board resolved that the financial services industry should implement a little-known code named the Legal Entity Identifier (LEI). The 20-digit code and its associated reference data are used to ensure unambiguous identification of an entity engaged in financial transactions (not natural persons). The publicly available LEI data pool can be regarded as a global directory, which greatly enhances transparency in financial markets. Through legislation in various jurisdictions, this became a mandatory requirement in regulatory reporting and supervision. However, despite the development of the LEI, the process of entity and even personal identification continues to be notoriously complex, especially in a global marketplace.
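As an added illustration (not code from the article or from GLEIF), the kind of check a register operator could run on submitted identifiers before accepting them: it applies the LEI layout and ISO 7064 MOD 97-10 check digits defined by the ISO 17442 standard, which the article does not spell out. The sample identifiers below are constructed, not real LEIs.

```python
import re

# Layout of an ISO 17442 LEI (a known standard, not spelled out on the page):
# 4-char LOU prefix + 2 reserved chars + 12 entity-specific chars + 2 check digits.
LEI_RE = re.compile(r"[A-Z0-9]{18}[0-9]{2}")


def _to_numeric(s: str) -> str:
    """ISO 7064 MOD 97-10 expansion: digits stay, letters A-Z become 10..35."""
    return "".join(str(int(c, 36)) for c in s)


def lei_check_digits(body: str) -> str:
    """Return the two check digits for an 18-character LEI body."""
    body = body.strip().upper()
    if not re.fullmatch(r"[A-Z0-9]{18}", body):
        raise ValueError("LEI body must be exactly 18 alphanumeric characters")
    remainder = int(_to_numeric(body + "00")) % 97
    return f"{98 - remainder:02d}"


def is_valid_lei(candidate: str) -> bool:
    """True only if the string has LEI shape and its check digits verify (mod 97 == 1)."""
    lei = candidate.strip().upper()
    if not LEI_RE.fullmatch(lei):
        return False
    return int(_to_numeric(lei)) % 97 == 1


def screen_register_extract(entries):
    """Split a list of register identifiers into valid LEIs and everything else."""
    accepted, rejected = [], []
    for entry in entries:
        (accepted if is_valid_lei(entry) else rejected).append(entry)
    return accepted, rejected


if __name__ == "__main__":
    # Constructed sample: a body with freshly computed check digits, the same
    # code with a typo in its last character, and a tax-style number (not an LEI).
    body = "ZZZZ00SAMPLEBODY12"
    good = body + lei_check_digits(body)
    typo = good[:-1] + ("1" if good[-1] != "1" else "2")
    ok, bad = screen_register_extract([good, typo, "DE123456789"])
    print("accepted:", ok)
    print("rejected:", bad)
```

A check-digit pass only proves the string is well formed; whether the code is actually issued and current still has to be confirmed against the public LEI data pool.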
Self Sovereign Identity
There are many models of identity, but one that is catching the interest of professionals and was described during the GLEIF workshop is the notion of “self-sovereign” identity (SSI), which purports to “re-imagine the identity data model”. A 2017 Gartner report, Blockchain: Evolving Decentralized Identity Design, states that
“The same way that people start physical life by having a birth certificate, people should start digital life with a self-sovereign identity.”
The way things currently work online is that individuals (and businesses) share key words, numbers or phrases that only they should know, with the presumption that if you know these secrets, you must be who you claim to be. There simply hasn’t been a way for us to be easily recognised by those with whom we already have a relationship. Most individuals currently have a physical wallet in which they carry items that were issued by third parties but that they own, for example a passport or driving licence, a credit card or a store loyalty card. There is no high-security component to their use, but organisations make sure, as far as is possible, that they are authentic before accepting them. SSI begins with a digital “wallet” that contains digital credentials: a digital representation of the physical wallet, where trust is established by sharing credentials back and forth. The digital representations of these physical items are digitally signed verifiable credentials, and you are the sovereign owner of your SSI wallet and the credentials inside it.
Governments potentially have a role to play in issuing digital passports to prove who you are online, whether a business or a person. Some countries already give you an identification number from birth that is used in all parts of society; for example, Denmark issues a Personal Identification Number at birth, which is an integral part of Danish society. It is virtually impossible to receive any form of government service without one. Even in the private sector one would be hard pressed to receive services without such a number, other than for minor daily business.
LEI in the context of PSD2
The LEI is based on an ISO standard that can also be leveraged by the wider business community to streamline entity verification processes. The potential uses for the LEI extend well beyond its current uptake, including payments and supply chain management.
Financial services businesses are investing significant amounts of time, money and resources into the basic task of identifying legal entities as they onboard new client organisations. Entity verification does not stop with the conclusion of onboarding: the client data must be kept up to date throughout the business relationship. In a PSD2 context, this also applies to National Competent Authorities and their registers of the different actors in the payments ecosystem.
The current situation is that National Competent Authorities (i) are able to accept any means of identifying an organisation registering to be a Payment Service Provider, Third Party Provider, Account Information Service Provider or Payment Initiation Service Provider, whether a BIC, a National Tax ID number, a Company Registration Number or some other identifier, and (ii) can include that identifier, or a different one, in the national public register as the means of identifying the entity in the PSD2 ecosystem. There is therefore no standardisation of entity identification in this space, and there is a use case for the LEI. National Competent Authorities could agree to adopt the LEI and include it in their national public registers. PSD2 requires that the European Banking Authority (EBA) include in its register only information that has been provided by the National Competent Authorities and included in their own national public registers, so both the EBA and the National Competent Authorities could use the LEI to identify all payment provider types. LEIs can be assigned to individuals acting in a business capacity, thus covering payment service providers that are not legal entities and ensuring uniform identification of all payment service providers.
Further, the design of the LEI, in which the code itself is persistent and updates and maintenance are performed only on the related reference data, is relevant to PSD2 beyond the management and maintenance of the EBA register and the registers of the National Competent Authorities. The persistence of the LEI code would support compliance with the use of digital certificates under the eIDAS framework, as the eIDAS technical specification already includes a tag for the LEI to be embedded within certificates and seals, to support identity validation and management for PSD2.
Identity is not an illusion
There is unlikely to be a dominant technology platform for managing digital identities in the near future, so standardisation is key. Efforts are under way to establish standards in the self-sovereign identity ecosystem, for example in the W3C consortium and OASIS, but data standards are a public good, so producing them can be a collective action problem: unless all policy makers embrace a particular data standard together, there is no perceived value in one going it alone. The European regulators have been fairly silent on this issue in relation to PSD2. The industry may be on the road to propagating a messy legacy, where National Competent Authorities are permitted to issue identifiers for TPPs based on no pre-agreed format or principles.
In a PSD2 world, where there is broader access to the payments market and customers have the ability to grant third parties access to their data, understanding who is who, who owns whom and who is authorised to do what is of paramount importance. It is vital that the transacting parties have trust; in a PSD2 context this includes the customer (whether personal or business) and a variety of payment actors. Trust needs to be embedded in system design. PSD2 combined with GDPR means that now more than ever, transparency over who you are engaging with, in a quick but secure manner, should be high on the list of priorities. Do customers know what they are giving away? Is there genuine consent? There is no doubt that once the data is out there it is hard to control. How does the industry build a trust network? The industry needs to police itself and companies need to do right by their customers, but there is no guarantee of that.
There will be predominant technology players in each industry group, for example GS1 in the Fast Moving Consumer Goods world. Additionally, within the world ecosystem different countries have different ideas on identity, but the LEI and the Global LEI Foundation may have a role to play in the financial services world. Sanctioned by global regulators, the GLEIF is a supra-national not-for-profit organisation tasked with ensuring the operational integrity of the Global LEI System. It has proven itself on the capital markets side of financial services and may be able to contribute to the need to unambiguously identify parties in the payments chain.
Accurate identification and authentication are still the great unsolved problem of the internet, and as the world moves away from paper and towards digital technology, this is an area that the industry must solve if it is to reap the benefits.