Is open banking data enough to verify citizens?
Verification is a thorny topic in the world of digital identity. You need it to assure the identity of citizens, but at the same time, verification methods can cause user journey friction and put off some citizens. One of the solutions to citizen verification that could remove friction and provide assurance of identity is bank data. However, as digital trust is eroded by synthetic identity and deep fakes, can governments rely on bank data to provide proof of identity?
The answer is orchestration and decisioning that bridges sharing of multiple verifiable data sources, including open banking.
The open banking revolution and data
Open banking is a natural progression from the open data and API (application programming interface) economy movements. Initially a requirement as part of the EU’s PSD2 regulation, the Open Banking API standard specification was released in 2017. As of October 2023, 11% of British consumers are active users of open banking, with a year-on-year growth of 21%. However, the way that open banking works means that any citizen using online banking could be part of a service that utilises open banking data.
The basic concept behind open banking is allowing consumers and businesses to access and share financial data more easily. Until recently, this took the form of payments and aggregation of payment data. However, open banking is much more than a way to make payments. Open banking opens a portal to a person’s data that has already been through KYC/CDD (verification) processes as part of onboarding a person for a bank account. When using an open banking data API, the customer consents to share their bank data with a service.
The data supplied via a bank can be of a reasonable assurance level because of previous bank verification checks. But…and there’s always a but…open banking doesn’t tend to supply much data. Open banking data APIs supply a minimal data set, typically consisting of a name linked to an account that the person can access.
Advantages of starting an identifying journey using bank data
Open banking access to data is limited unless you use the premium banking APIs, but these are not always available and are often not free to use. However, open banking data is still valid. As a starting point for an “identifying journey,” open banking data can act as a first step in identity assurance, linking an individual to a UK bank account. The bank has already checked the identity data, providing some assurance that this person goes by that name. But often, services need more than basic assurance; government services, especially those linked to accounts or that allow access to high-value resources, need additional data and security checks to build a profile of that person at a point in time, not just at a registration stage. A more fluid approach to identifying citizens will give local governments and departments more control over their services and processes.
Bank data +1+1+1+1…+n
Open banking data is a good starting point for an assured transaction that requires identifying data. Bank-shared data could be provided during registration as part of an online identifying journey or stored as a verified credential in a digital wallet for future use. For verifiable credentials or any other form of personal attributes, a core value to services consuming these credentials is to be able to consume them from any source, i.e., support an agnostic consumption model for verified credential sharing. Any source, any wallet, and multiple data sources, with real-time verification, is the golden chalice of identifying journeys.
But even assured data may need further checks. Having the ability to utilise additional services such as AML and PEP checks starts to build ‘cyber-reliance,’ as well as cyber-resilience into a system. The mix of multiple data sources providing verified credentials and enhanced data checks provides a dynamic way of delivering fluid and verified transactions to whatever assurance level the service needs. This fluid approach to verification, with on-the-fly checks, can also help de-risk a service from the scourge of deep fakes and synthetic identities; this is a serious issue with Thomson Reuters finding that 95% of synthetic identities used to trick KYC checks go undetected.
A bridge for verified credentials and open banking data
Governments and commerce must create identity-driven services that balance the needs of citizen expectations and service requirements. This is a complex task with many moving parts. Agnostic choices and real-time verification can meet these challenges. Open banking is one part of a larger whole. Placing open banking data in a wallet as a verified credential does not solve the sharing of these credentials across multiple platforms and services, and it does not solve the issue of deep fakes. This all about the dynamic enablement of verified data and not about creating a static bank or government identity.
Organisations want to use verified credentials such as open banking data in a wallet, but they struggle to share them across related services. A bridge is needed to allow government services to easily choose, and use verified data sources, including open banking. This bridge must also support identity checks, initiated when a potential synthetic or deep fake identity is suspected.
Identity orchestration and data decisioning is a new concept in identity delivery: acting as a network layer, identity orchestration provides a bridge to access verified credentials from any source, including wallets. If citizens wish to use open banking to access a resource, they can present via a wallet or their bank. Further data and checks can be added as the service requests. The orchestration bridge also provides a way to more easily onboard services, handling protocols associated with open banking, such as the security protocol FAPI for open banking.
Open banking is an excellent way for governments and other services to kickstart their interaction with an individual. However, with the challenges presented by fraud and citizen expectations, an orchestration bridge must be used to deliver the robust services people want.
Contact Avoco Secure to get advice in building seamless verified identity journeys