Can open banking be used to verify customers?
Verification is a thorny topic in the world of digital identity. You need it to verify citizens’ identities, but at the same time, verification methods can cause friction in the user journey and put off some citizens. One solution to citizen verification that could remove friction and provide assurance of identity is bank data. However, as digital trust erodes due to synthetic identity and deep fakes, can governments rely on bank data to verify identity?
The answer is orchestration and decisioning that bridges the sharing of multiple verifiable data sources, including open banking.
The open banking revolution and data
Open banking is a natural progression from the open data and API (application programming interface) economy movements. Initially mandated by the EU’s PSD2 regulation, the Open Banking API standard specification was released in 2017. As of October 2023, 11% of British consumers were active users of open banking, up 21% year-on-year. However, the way that open banking works means that any citizen using online banking could be part of a service that utilises open banking data.
The basic concept behind open banking is allowing consumers and businesses to access and share financial data more easily. Until recently, this took the form of payments and aggregation of payment data. However, open banking is much more than a way to make payments. Open banking opens a portal to a person’s data that has already undergone KYC/CDD (verification) as part of onboarding for a bank account. When using an open banking data API, the customer consents to share their bank data with a service.
The data supplied by a bank can be considered at a reasonable assurance level due to prior bank verification checks. But…and there’s always a but…open banking doesn’t tend to supply much data. Open banking data APIs supply a minimal data set, typically consisting of a name linked to an account that the person can access.
Advantages of starting an identification journey using bank data
Open banking access to data is limited unless you use premium banking APIs, but these are not always available and are often not free. However, open banking data is still valid. As a starting point for an “identifying journey,” open banking data can act as a first step in identity assurance, linking an individual to a UK bank account. The bank has already checked the identity data, providing some assurance that this person goes by that name. But often, services need more than basic assurance; government services, especially those linked to accounts or that allow access to high-value resources, need additional data and security checks to build a profile of that person at a point in time, not just at a registration stage. A more fluid approach to identifying citizens will give local governments and departments more control over their services and processes.
Bank data +1+1+1+1…+n
Open banking data is a good starting point for an assured transaction that requires identifying data. Bank-shared data could be provided during registration as part of an online identifying journey or stored as a verified credential in a digital wallet for future use. For verifiable credentials or any other form of personal attributes, a core value for services consuming these credentials is the ability to obtain them from any source, i.e., support an agnostic consumption model for verified credential sharing. Any source, any wallet, and multiple data sources, with real-time verification, is the golden chalice of identifying journeys.
But even assured data may need further checks. Having the ability to utilise additional services, such as AML and PEP checks, starts to build ‘cyber-reliance’ and ‘cyber-resilience’ into a system. The mix of multiple data sources, providing verified credentials and enhanced data checks, offers a dynamic way to deliver fluid, verified transactions at whatever assurance level the service requires. This fluid approach to verification, with on-the-fly checks, can also help de-risk a service from the scourge of deep fakes and synthetic identities; this is a serious issue, with Thomson Reuters finding that 95% of synthetic identities used to trick KYC checks go undetected.
A bridge for verified credentials and open banking data
Governments and commerce must create identity-driven services that balance customer expectations and service requirements. This is a complex task with many moving parts. Agnostic choices and real-time verification can meet these challenges. Open banking is one part of a larger whole. Placing open banking data in a wallet as a verified credential does not address the sharing of these credentials across multiple platforms and services, nor does it address the issue of deep fakes. This is all about the dynamic enablement of verified data and not about creating a static bank or government identity.
Organisations want to use verified credentials, such as open banking data in a wallet, but they struggle to share them across related services. A bridge is needed to allow government services to easily choose and use verified data sources, including open banking. This bridge must also support identity checks initiated when a potential synthetic or deepfake identity is suspected.
Identity orchestration and data decisioning are new concepts in identity delivery: acting as a network layer, they provide a bridge to access verified credentials from any source, including wallets. If citizens wish to use open banking to access a resource, they can do so through a wallet or their bank. Further data and checks can be added as the service requests. The orchestration bridge also provides a way to more easily onboard services, handling protocols associated with open banking, such as the security protocol, FAPI, for open banking.
Open banking is an excellent way for governments and other services to kick-start their interactions with individuals. However, with the challenges presented by fraud and citizen expectations, an orchestration bridge must be used to deliver the robust services people want.
Contact Avoco Secure to get advice on building seamless verified identity journeys