Let’s talk about digital identity with Adrian Field, Director of Market Development at OneID.

In episode 88, Adrian Field, Director of Market Development at OneID, joins Oscar to explore verifying digital identities with online banking, and the importance of online banking-based identity verification alongside its benefits for businesses and individuals. Join them as they delve into the cross-border challenges that arise from individual country verified identities and how LEIs and the UK Trust Framework are supporting verified digital identities.

[Transcript below]

“LEIs have been born out of the financial sector, through regulation. But we do see business use, in all sectors, is useful to be able to enable less fraud within a country, or better and smoother cross-border use cases for companies.”

Adrian Field is Director of Market Development at OneID. He leads OneID’s market development, working with banks, industry groups, Government and regulators to enable the UK market for ID services to grow and succeed.

Adrian is also engaged with the OpenID Foundation developing global open standards for identity, and global projects to connect identity schemes cross-border.

Connect with Adrian on LinkedIn.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to our YouTube to watch the video transcript for this episode.

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.

Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello, and thanks for joining a new episode of Let’s Talk About Digital Identity. And today we’ll discuss a new perspective on verified digital identities. And for that, we have a special guest who is Adrian Field. He leads OneID’s market development, working with banks, industry groups, governments and regulators to enable the UK market for identity services to grow and succeed. He’s also engaged with OpenID Foundation developing global open standards for identity and global projects to connect identity schemes cross-border. Hello, Adrian.

Adrian Field: Morning. Hi, thank you for inviting me.

Oscar: It’s a pleasure having you. Thank you. Let’s talk about digital identity but first, I’d like to hear a bit more about yourself. So, tell us, what was your journey into this world of identity?

Adrian: Yeah. So, my background is banking and payments originally, so I spent a long time with one of the card schemes, doing all sorts of things, but learned about the concepts of authentication and authorisation through that process. And then spent a few years at one of the UK’s large banks looking at lots of different innovation topics, but digital identity was one of those. And then I used my authentication knowledge to build on that to investigate more and more about, you know, what is identity? How do you prove that it’s the right person, in a journey, at the right time?

Oscar: And to start this conversation with common understanding, for ones who have not heard or is not completely clear. What is the concept of verified digital identity? So, what are we talking about when you use this term and why is it important?

Adrian: I normally explain this by going back to the question of, “what is identity?” without the digital part. And for us at OneID this is your, it’s the legal concept of your personhood. So, you are a person which is either a natural person, which is a human, or a kind of legal person, which is an organisation. And if you’re a person in UK law, that gives you certain rights, so you can own things, I can sign documents, I can own property. I have certain rights that non-persons, i.e., objects and things don’t have those rights. So, you get your legal identity by – as a person you’re entered into a birth register, or if you’re an organisation, you get entered into a company’s register or charities register as a legal organisation. And that’s how you get the identity part. That’s what an identity is.

The digitisation of that is, how do I securely connect that legal entity or the natural person to that legal identity in a digital process. So, I’ve got to have some way of verifying a birth certificate, or a passport, or a document or some other way to connect those two things together. And then I can store some data, which is the digital part. And I can protect that by providing that person with some secure authenticators, so they can reconnect to that digital identity and use it in other contexts. And that’s when it becomes a reusable digital identity and therefore, it’s more useful and also verified.

Oscar: In most of the countries, there are several co-existing identity verification products. There are some based on getting a passport ID cards, for instance, that’s one category. There are some based on mobile subscriptions. And the one I know you and your company, OneID, is focused is the identity verification based on online banking. So, why this category of verified digital identities are needed?

Adrian: Yeah, so we looked at the UK market, and we looked at a number of different markets that have digital identity schemes and solutions in place. And specifically for the UK, we didn’t feel the government ID was the right way to go. It was quite hard, because politically, people have looked at ID cards from the government in the past, and they didn’t really want those. Whereas in the UK, we’ve got a very strong financial services market. We’ve got open banking infrastructure, which all of the banks have put a lot of investment into. To meet Payment Services Directive 2 requirements, so some EU legislation. And part of that open banking is all around strong customer authentication. So being able to securely identify that you have the right person in place to prevent payments fraud and things like that.

So, we saw that as a very good technical platform on which to build an identity layer, so an identity scheme on top of that. So essentially, it’s a bank ID scheme. So, you leverage the Know Your Customer process that the bank has put you through, so that they know who you are, we can leverage that and make that available in any online customer journey. And it’s a very easy process, because most people in the UK already have the bank app or the credentials that they need to get through our OneID service. And we can enable that for around 40 million UK adults, for instance, already have what they need to use the service. So, it’s a lot less friction for the customers to understand what a digital identity is, all they need to do is click a button and consent to share some data.

And we do – there’s a lot of kind of documents scanning solutions in the market and we recognise, and we look at that as a kind of bridging technology. I’ve got to scan my documents which we kind of see that as a digitised identity rather than a digital identity. Because I’m digitising paper into a digital format, as a follow-on step from that I can choose to store that digital format somewhere with a provider to create a reusable identity, and then protect that in some way. So, we see that as a long-term process as well.

And in terms of what the telco sector can bring, there’s a lot of kind of useful signals around telcos in terms of SIM swaps, when was the last date that my SIM was swapped, and where is the phone location-based data, and things like that. We definitely see telcos and banks working together and providing complementary features. Although there are some gaps in the telco market in terms of I could have multiple shared handsets on one account. So, it makes it harder for, to know all the IDs on that account, and pay as you go, for instance. If there’s no KYC on getting the device, then that becomes harder to do identities in that manner.

Oscar: Explain to us a bit in a, let’s say, concrete example. Thinking the user doing some transactions and doing something online which requires the identity verification, in the case of these online bank-based verified digital identities. If you can guide us to a use case to understand how it works.

Adrian: Yeah, sure. So, what our corporate customers who we – relying parties, we use that term. They would implement our service as a, we have a software development kit, an SDK. Essentially that they can embed our button within their app or website, so the consumer, as the service that consumers are trying to get to. They would then click that button, and then select the UK bank that they do their banking with. And once they’ve selected the UK bank, we would route them off to either the bank app that’s on their phone, or an online banking login page for their bank. And they login to that and they see what data that the relying party is requesting, they can consent to share that data. And then we hand off that customer back to the original service or relying party that they’re trying to access.

So, it’s a three click simple process, and the customer is completely in control and has good visibility of what data they’re sharing. And then through that process, we kind of avoid the need to educate the customer on, “This is a digital identity. This is what it is. And this is how you use it.” Because all you really see is I’m sharing my name, address, date of birth, with – I’m trying to get some car finance or trying to buy something online. That’s a lot easier for the consumer to understand in that context.

Oscar: So, so far, it’s already serving different types of relying parties, as you said, or, in practice service provider, or at least the other term just to use that. So, there are many, let’s say type of businesses and also, I guess, government that are already using this type of verified identity.

Adrian: Yes, exactly. So, we’re getting some good traction in e-signing, for instance. So currently, when you sign a document, you typically get an email into inbox, you then click the link and sign the document. But if that email goes astray, or if you, as the contracting provider, want to know that it went to the right person, you can insert a digital identity check in that process. So, we’ve built that and partnered with a number of the e-signature market to be able to have an identity and signature flow, which works really well.

Another use case we’re looking at is Disclosure and Barring Service or DBS Checks in the UK for employment. We can now do that in 100% digital process that doesn’t need documents scanning. So, it’s a much easier flow for the customer to get through.

And final use case is financial services where we’re live in the FCA Regulatory Sandbox working with one of our customers in the asset finance space where we can augment and supply some of the KYC data into their customer due diligence process for money laundering checking.

Oscar: And you have mentioned earlier that one of the reasons why this type of verified digital identity made a lot of sense in the UK is because, the UK has open banking among other parts of the system that are already working, working pretty well. So, if you can tell us a bit more about that online banking, how this approach is using or complementing open banking?

Adrian: Yes, exactly. So, we’re regulated ourselves by the Financial Conduct Authority as the UK FS regulator. We’re an Account Information Service Provider under PSD2, so we have permission to access all of the banks without permissions or contracts from the banks. But you can only get certain limited data under the PSD2 directive. And it’s, you know, eIDAS is the regulation in Europe that covers identity. PSD2 is just about triggering payments and getting bank transaction data so it’s not about identity. So, we partner with the banks to get that additional information. So, we’re using open banking as technical rails to secure the API connectivity. But we have commercial partnerships with the banks to actually get the identity data.

Oscar: And this approach can be replicated in other countries?

Adrian: Yes. So, we’re looking at other countries that have, either open banking, and digital identity frameworks. A lot of countries who will have both of those things and talking to other schemes in terms of how– sharing how people do it elsewhere; what’s worked, what hasn’t worked, and what needs to be put in place, if you haven’t got the relevant frameworks or standards. And how we can connect those things to enable cross-border journeys. So, there’s a lot of activity going on. I think there’s something like 60 countries globally have digital ID systems. They’re not all based on open banking, but open banking, online banking is emerging as a good model on which to base your identity for a number of different reasons.

Oscar: Coming back to the benefits that verified digital identities have, can you tell us what are some of those benefits both for individuals and for businesses?

Adrian: Yes. So, I’ll start with businesses. So firstly, it acts as a key capability within digital transformation. So, understanding who your customers are, and enabling them to access your services in a much quicker way, will lead to increased sales. Basically, you’ll be able to onboard more customers more quickly. They’ll typically spend more with your company, because we find convenience always wins. So, the customers will also use the path of least resistance. If I have one service that is hard to get to and I need to go and find my document and do lots of different steps to get onto that service. Versus one that takes three clicks to get through to the same thing, typically, you’ll find your conversion is better with a simpler service.

We also think this will be a cheaper route. So operationally, the cost if you haven’t got – don’t need people checking documents, then it’s a cheaper provision of service. And also, for the business, we think this will lower fraud because we can keep fraudsters out of the loop because they can’t prove that they are who they are. So typically, impersonation fraud, someone’s pretending to be someone they’re not with a different name. If you then ask them to authenticate themselves with their bank account, they won’t have a bank account in that name so they just can’t get through the process. And this will help things like authorised push payment fraud, and other frauds in the ecosystem.

And then on the individual life. It’s really all about making my life simple. So, make my life easier, and not more complex. If I’m trying to get to a service, when I’m out and about maybe my ID documents at home, I can onboard to service easily just with the phone I have when I’m out. It makes my life really simple. We can actually onboard you to a service provider and also do a login afterwards as well. So, there’s no new passwords to remember. I get to see what data I’m sharing so I can control my data. I consent to share exactly what data has been asked for. I can see what data I’ve shared in the past through another consent service that we offer.

And in our model, the data is protected by my bank. So, someone I already have a relationship with, I trust my bank, I trust them with my money, I trust them with my information. And they can help me when it goes wrong as well. So, if something happens and identity is compromised, I can call my bank and say, “Can you help me out? Let’s figure out what went wrong and fix it.”

Oscar: Do you see there could be some cross-border challenges that come from specific country based digital identities?

Adrian: Yeah. So, a lot of this comes from, you know, interoperability in the standards space. So, what – how do I actually connect to these services, connecting together to share data from one scheme or solution to another one? What’s the kind of data format, what does the data mean? And then from a governance perspective, what’s the level of assurance that has been through, the checking of that identity before that data was issued? And do I trust that that process was followed properly?

So, in the UK, for instance, we have a certification regime set up where I can actually get an independent auditor to verify that I’m safe and doing these things properly. And therefore, you build in different layers of trust in the data that comes out of that ecosystem. And do you have equivalents of those things across different corridors. But essentially, identity, or legal identity always comes from a national authority, so it always will be nation-based. I got my identity from being on a birth register in a country. And then they issued me with a passport, driving license, et cetera, digital identity can be added on to those things.

So, I do see we will have 200 plus countries issue identity, and in what format they do those things. And that’s where some of the work I’m doing with OpenID Foundation and others is in terms of; how do we come up with better, easier-to-use standards that can enable, all of these things, to talk to each other.

Oscar: And how does this type of approach of online bank-based verified identity fit with eIDAS 2.0, if it fits?

Adrian: Yes, there’s a lot of interesting activity going on in Europe with eIDAS 2.0 with the whole kind of shift to digital wallets and people having a wallet or a container that they can then put digital identity credentials into. What are the kinds of standards and infrastructure that enables that to happen? And how do we give people more control and visibility about what data they have, enable them to choose to share that data with third parties, and a privacy respecting, data minimisation, all of those good things happen through that. And I think that the kind of eIDAS 2.0 framework started to drill down through the layers to say how these things are actually going to be implemented, which is really good.

And we’ve got four or five large scale projects with lots of different parties involved, with lots of good capabilities. So, we’re watching that space quite closely in terms of what’s our equivalent approach in the UK to digital wallets between the government, the banking sector, us as a provider, how those things work and interoperate together. To be able to securely provision those credentials into the right wallet.

And I do think some key challenges are going to be around how do you bind the credential to the wallet? How do you bind the wallet to the device, and the person that owns it, to make sure that the credentials that are being presented actually belong to the person that’s in front of you, or in that digital journey?

Oscar: How, first of all, is the UK Trust Framework supporting verified digital identities?

Adrian: I think the UK government is doing really well with the Department of Science, Innovation and Technology. There’s a new department, but they’ve now taken over ownership with the trust framework. The Trust Framework is in a beta version, and we have 36 providers in the UK market that have been certified under a number of different roles within that framework.

So, I think the UK government’s work has certainly catalysed the UK identity market and enabled providers, such as ourselves, to be certified for services within that. And also, they have launched – there are three schemes, there’s a right to rent, right to work and Disclosure and Barring Service schemes that have been launched under that. Where if relying parties are looking to buy services from the market, the framework is recommending that they use certified providers because you’ve got that layer of trust that you don’t have with non-certified services.

So, I think it’s been a very good framework that’s evolved and enabling the UK market to progress from where it was before. And also, for – we now have a kind of reference point for; anyone that’s doing anything and identity in the UK and point towards the framework and say, “Well, let’s do it this way. We can have that common language between each other. We all know what the inputs and outputs are in terms of a common approach.” So, it has been really good.

Oscar: Yes, and as you said earlier when I asked you about the, what are the verified digital identity? You mentioned very clearly there are verified identities for individuals, which is mostly what we’re talking about in this conversation, but also you mentioned there’s also for the organisations. So, that touches the topic of the Legal Entity Identifiers, LEIs, to get your view: how are LEIs supporting verified digital identities?

Adrian: Yes, I think this is – these are essential and the whole, the work through GLEIF and the whole ecosystem of, how do we give unique identifiers to legal organisations globally? That can then be used to create security around who are the business organisations that I’m dealing with, who owns which assets, etc. Who owns – what’s the kind of parent-child relationship, in particular businesses, as well. Absolutely helps understand that kind of transparency and trust of, I know, organisationally, who I’m dealing with, who I’m contracted with.

And then we can add in the individual identities from things like OneID to say, “I know who the individuals are, and I’ve verified the individuals.” I can then start to connect those two things together. So, I’ve got OneID for an individual, I’ve got an LEI that I know it’s this particular company. And I can then join those two things together to say, this individual is acting as a director of that organisation. Or it’s the Chief Financial Officer, and they have access to the bank account information. And then you can then start to secure those channels to say, “I’ve only got certain notified people should have access to my corporate bank accounts.” It then protects the corporate bank accounts from fraudulent use of internal people, or the wrong internal people accessing those accounts.

And also, when you’re paying other companies, you can then start to verify, “Am I paying the right company? Am I dealing with the right person within that company, in terms of individual identities?” So, it becomes very powerful, the combination of both.

Oscar: Yeah, exactly. And I really hope to see this – exactly the use case that you just described I hope to see really in the near future. Unless, unless you have already seen them. But yeah…

Adrian: And we’re looking at those kinds of use cases as well to say, you know, how can we actually do better corporate identity, and use the LEIs for all sectors, really. So, LEIs have been born out of the financial sector, through regulation. But we do see business use in all sectors is useful, to be able to enable less fraud within a country, or better and smoother cross-border use cases for companies.

Oscar: Yeah, certainly. A final question, Adrian, for all business leaders that are listening to us now, what is the one actionable idea that they should write on their agendas today?

Adrian: I would say, come and talk to us, so my email is [email protected]. Come talk to us, come and engage with the services, come and test and learn and try them out. So, we’re live and we have an easy-to-use API that takes a few hours to integrate. We’re also based on open standards, with OpenID Connect. So, it’s very easy to get up and running with a service and start to consume it, to see what kind of data you get from the service, what kind of assurance, and what certification? How does this interoperate in terms of other things in the market? What kind of solutions are you using today? What kind of problems you have, that these solutions can potentially address? But it’s all ready and up and running, so yes, just come talk to us.

Oscar: Again, it was very nice, very interesting discussing with you Adrian and all the best.

Adrian: OK, thanks for having me.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.