The Age of Consent

The Case for Federated Bank ID


At a Glance

Introduction

When the pyramids were being built, there wasn’t any other way of doing it than starting from the bottom and working up. As we build out the digital economy, there isn’t any gravity to force us to begin with the foundations. We sometimes realise we have started work in the middle and are missing the lower levels: for example, poorly implemented Strong Customer Authentication (SCA) is proving an impediment to the development of open banking.

The modernisation of payment systems is a serious undertaking that aims to bring money into the 21st century. Ecommerce and digital platforms are already 24/7/365 and always on, but the banking system is not. Banking still runs on batch processes and “store-and-forward” messaging. Fintechs are building bridges between clockwork banking systems and the world of digital platforms, but there is a need to update core national payment infrastructures.

There is a significant amount of work for governments, regulators, banks, and bigtechs and fintechs to help upgrade the “fiat currency stack” of systems.1 Real-time retail payment schemes are being introduced around the world, and regulators are opening up banking systems through APIs. Each country is following its own blueprint and not always starting work on the foundations. This could be dangerous: if the fiat currency system doesn’t meet the needs of 21st century digital commerce, then cryptocurrency alternatives to national currencies are waiting in the wings.

Banks are fully occupied by a changing regulatory landscape, emerging competitors from fintech and bigtech, and a host of new, potentially disruptive technologies that they fear missing out on. In this noisy environment, it can be very difficult to focus on the few must-win battles that will secure the role of banks as the financial layer in the digital economy.

As software and digital platforms reorganise the economy, it is becoming clearer that digital ID and data protection legislation are the base layers of the digital pyramid. Upon this solid foundation, the digital economy will be built. And banks have a key role to play.

The Age of Consent

The purposeful act of granting consent will become commonplace in the digital economy, including in banking. Digital consent will be embedded in signing up for new online services, authorising a banking transaction and granting a third party permission to access your data. The ability to provide digital consent is a basic function of the digital economy for individuals and legal entities alike.

The European General Data Protection Regulation (GDPR) is a comprehensive framework to address data privacy in the emerging digital age. GDPR asserts the rights of individuals (data subjects) to exert a greater degree of control over their personal data, including rights of access, erasure and data portability.

GDPR brings the act of consent to the forefront as a deliberate act by the individual:

Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject’s agreement.2

Consents are not just about granting access to data: they are also about granting permission for transactions, such as the permission for a merchant to take one or a series of payments over time. In the banking space, consents will be increasingly expressed through Strong Customer Authentication (SCA):

“Strong customer authentication” means an authentication based on the use of two or more elements categorised as knowledge (something only the user knows), possession (something only the user possesses) and inherence (something the user is) that are independent, in that the breach of one does not compromise the reliability of the others, and is designed in such a way as to protect the confidentiality of the authentication data.3

In practice, the methods employed by banks to obtain SCA consents from individuals in open banking are unacceptable to merchants who are otherwise looking for simpler, safer ways to collect payments from consumers. Merchants do not find it acceptable that consumers are redirected from online checkouts to go through the elaborate and proprietary SCA methods deployed by each individual bank.

PSD2 rules to obtain consents through SCA apply to card transactions and Payment Initiation through open banking APIs. A report commissioned by Stripe forecast that Europe’s online economy would lose EUR57 billion of sales in the year following SCA implementation.4

Regulators want to reduce fraud and increase competition in payment services by opening bank infrastructures to third parties, but one of the foundations of the digital pyramid is missing: a frictionless way to achieve customer consent through SCA.

The Case for Federated Bank ID

Banks are compelled by regulation to perform strong know-your-customer (KYC), anti-money-laundering (AML), sanctions and other checks on individuals and legal entities, based on government IDs and other sources. The need to perform these checks imposes extra costs on banks, but they can also be the basis of secure digital credentials.

As we enter a world of digital platforms, banks need to think about what role they will play and where to set up shop. A bank’s presence on the high street is tangible and obvious, but its presence and relevance on the information superhighway cannot be taken for granted.

Digital analogues of physical constructs may not work. We can see from the example of Ant Financial and Alibaba in China how financial services can be embedded into digital platforms, and those financial services do not have to be provided by a bank.

The Bank for International Settlements (BIS) published a working paper showing how bigtech firms’ informational and network-scale advantages let them move into core banking activities such as lending.5 Bigtech firms are also targeting bank revenues in payments and seeking to cement their position as providers of digital identity:

An additional goal of the (Libra) association is to develop and promote an open identity standard. We believe that decentralised and portable digital identity is a prerequisite to financial inclusion and competition.6

There is a race between banks and fintech and bigtech firms to provide the financial layer of the digital economy. If banks are to remain relevant, they will need to cultivate a world in which:

Different models are emerging around the world. In India, the national ID scheme called Aadhaar (“foundation” in Hindi) has been transformative as the base layer of the India Stack but its future usage in the banking space and interaction with privacy regulations are under discussion.7 Banks around the world may consider the lessons from BankID in Sweden, where financial institutions have worked together to build the base layer of an almost cashless society and unlocked a wide range of opportunities for a thriving digital ecosystem to develop.

Case Study: BankID in Sweden

The Swedish BankID is the foundation of cashless payments in Sweden, but it is also a key component of a rapidly growing digital ecosystem. The development of BankID is instructive, as regulators, banks and other stakeholders seek to upgrade the fiat currency system to meet the needs of 21st century data-driven commerce.

What is BankID

BankID is the leading digital ID scheme in Sweden, used by 80% of the population (almost 100% of those aged 21 to 60) for a wide variety of private and public services.8 In 2019, financial institutions, central government, municipalities and thousands of private companies are expected to use BankID over 4.5 billion times.

BankID is a credential issued by a participating bank that can be used for digital identification and for signing. Under the EU eIDAS Regulation a BankID signature is an “advanced electronic signature”: it is uniquely linked to and capable of identifying the signatory, created with data under the signatory’s sole control, and bound to the signed data so that any later change is detectable. Such a signature cannot be denied legal effect merely because it is electronic; strictly, only a “qualified” electronic signature is automatically equivalent to a handwritten one, but BankID signatures are accepted for contracting purposes across Sweden.
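To make concrete what a federated scheme of this kind has to get right, here is an added example written for this edit; it is not BankID’s code or wire format, nor that of any other scheme. A bank that has already done KYC signs a short-lived assertion binding a customer and the customer’s signing key to one relying party and one challenge; the relying party accepts it only from a federation member, only for itself, only against its own challenge and only while fresh; and the customer’s signature over a document is then checked with the bank-attested key, so any later change to the document is detected. Everything concrete here is assumed for illustration: the field names, the Ed25519 keys, the bank, relying-party and subject identifiers and the lease text are all constructed.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/json"
	"errors"
	"fmt"
	"time"
)

// Assertion is the claim a bank signs for a customer it has already put
// through KYC. Field names are illustrative, not BankID's wire format.
type Assertion struct {
	Issuer     string `json:"iss"`   // bank vouching for the subject
	Subject    string `json:"sub"`   // bank-verified identifier of the person
	Audience   string `json:"aud"`   // relying party this assertion is for
	Nonce      string `json:"nonce"` // relying party's challenge; defeats replay
	Expires    int64  `json:"exp"`   // unix time after which it is void
	SubjectKey []byte `json:"key"`   // public key the subject signs documents with
}

// Issuer is one bank in the federation, holding its signing key.
type Issuer struct {
	Name string
	Pub  ed25519.PublicKey
	priv ed25519.PrivateKey
}

func NewIssuer(name string) (*Issuer, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Issuer{Name: name, Pub: pub, priv: priv}, nil
}

// Issue binds a verified subject and key to one relying party and one challenge for a limited time.
func (is *Issuer) Issue(subject, audience, nonce string, key ed25519.PublicKey, expires time.Time) (payload, sig []byte, err error) {
	payload, err = json.Marshal(Assertion{Issuer: is.Name, Subject: subject, Audience: audience,
		Nonce: nonce, Expires: expires.Unix(), SubjectKey: key})
	if err != nil {
		return nil, nil, err
	}
	return payload, ed25519.Sign(is.priv, payload), nil
}

// RelyingParty trusts the federation's issuers by name and public key.
type RelyingParty struct {
	Name    string
	Trusted map[string]ed25519.PublicKey
}

// Verify accepts an assertion only if a trusted bank signed it, it was minted for this relying
// party and challenge, and it is unexpired. The payload is decoded first only to find the key.
func (rp *RelyingParty) Verify(payload, sig []byte, nonce string, now time.Time) (Assertion, error) {
	var a Assertion
	if err := json.Unmarshal(payload, &a); err != nil {
		return Assertion{}, err
	}
	pub, ok := rp.Trusted[a.Issuer]
	switch {
	case !ok:
		return Assertion{}, errors.New("issuer is not a member of the federation")
	case !ed25519.Verify(pub, payload, sig):
		return Assertion{}, errors.New("bank signature does not verify")
	case a.Audience != rp.Name:
		return Assertion{}, errors.New("issued for a different relying party")
	case a.Nonce != nonce:
		return Assertion{}, errors.New("nonce mismatch: possible replay")
	case !now.Before(time.Unix(a.Expires, 0)):
		return Assertion{}, errors.New("assertion has expired")
	}
	return a, nil
}

// VerifyDocument checks the subject's signature over a document with the key the
// bank attested to, so any change made after signing is detected.
func VerifyDocument(a Assertion, doc, sig []byte) bool {
	if len(a.SubjectKey) != ed25519.PublicKeySize {
		return false // ed25519.Verify panics on a malformed key; refuse instead
	}
	return ed25519.Verify(ed25519.PublicKey(a.SubjectKey), doc, sig)
}

func main() {
	bank, _ := NewIssuer("example-bank")
	userPub, userPriv, _ := ed25519.GenerateKey(rand.Reader) // the customer's device key
	rp := &RelyingParty{Name: "example-landlord", Trusted: map[string]ed25519.PublicKey{bank.Name: bank.Pub}}
	payload, sig, _ := bank.Issue("subject-0001", rp.Name, "challenge-1", userPub, time.Now().Add(5*time.Minute))
	a, err := rp.Verify(payload, sig, "challenge-1", time.Now())
	fmt.Println("assertion accepted:", err == nil, "subject:", a.Subject)
	lease := []byte("constructed tenancy agreement: 12 months") // constructed sample document
	docSig := ed25519.Sign(userPriv, lease)
	fmt.Println("lease signature valid:", VerifyDocument(a, lease, docSig))
	lease[0] ^= 1 // alter the document after signing
	fmt.Println("altered lease valid:", VerifyDocument(a, lease, docSig))
}
```

The `Trusted` map is where the federation’s governance lives: which banks are members, under which keys and with what liability, is exactly the standards and liability agreement a consortium would have to settle before any relying party could populate it. A production scheme also needs key rotation and revocation, a channel that delivers the challenge to the customer’s own device rather than the merchant’s page, and a step that shows the customer what they are signing before the device key is used; none of that is modelled here.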

BankID is available in various formats to support different use cases:

BankID Timeline

The story of BankID in Sweden is not one of overnight success. The foresight of, and continued collaboration between, consortium members has paid off over many years by adapting to new challenges and threats:

BankID Development Ethos

Banks realised that the security of identification and signature was best pursued in a collaborative rather than competitive domain. A common solution engendered overall trust in internet banking and digital signatures. Banks decided to draw on traditional strengths of complying with stringent regulations to create a common solution that would benefit the whole ecosystem.

BankID Influence on Society

BankID has facilitated the development of digital government services in Sweden at central and local levels, leading to the faster processing of cases and efficiency savings in time and money. BankID has served as the basis of innovation in the development of new public and private services that could otherwise not have existed. A 2019 survey of users elicited a positive response, with customers reporting high trust and few operational issues.

In the PSD2 context, the financial institutions using BankID have been well placed to comply with SCA rules as the population is already well versed in using BankID to authenticate Swish transactions. Banks report high levels of collaboration on security matters and the ability to extend value-added services like Swish to additional use cases, for example consumer-to-business (C2B) transactions.

Swedish consumers use BankID between 40 and 50 times a month for a variety of transactions. Consumers report high trust in the service and freedom to execute transactions wherever they are.

Towards a Cashless Society

BankID and overlay services like Swish have resulted in a dwindling use of physical cash in Sweden. Only EUR8 billion of cash was in circulation in 2016 and the country is on track to become cashless by 2025. The government asks citizens to keep cash at home in case of a power cut, war or cyberattack. The Riksbank is also considering the introduction of a Central Bank Digital Currency (CBDC).10

Expert Perspectives

There is a broad consensus that digital ID is foundational to the full development of digital commerce. Banks are well positioned to unlock this potential, if they can work together to build federated schemes, with the support of governments.

Thomas Egner

Thomas Egner,
Secretary General, Euro Banking Association


Digital consent management lies at the heart of any possible solution for a number of challenges, including improvements in data accessibility. This is in line with the objectives of PSD2 and GDPR to enhance the control of businesses and individuals over their data through the right to provide (or withdraw) consent to allow authorised third parties to access their personal and business information.

Standardisation of digital consent at a pan-European level would make it easier for businesses and individual customers to mandate their banks and/or other service providers to obtain and use business data held by other parties to innovate their services for the benefit of the customer. On top of this, digital identity is also a key enabler of automation in Internet of Things ecosystems.

Banks traditionally play a role in the value exchange because of their trusted and regulated position. As data exchange is increasingly fraught with operational complexity and liabilities, banks could leverage this trust to play a crucial role in such consent transactions. In its thought leadership work, the Euro Banking Association continues to touch upon the topic of digital consent management.11

Imran Gulamhuseinwala OBE

Imran Gulamhuseinwala OBE,
Implementation Trustee, Open Banking Implementation Entity


Open banking should be thought of as just one instance of a more general principle enshrined in GDPR — data belongs to the individual and not to the institution or corporation. In the UK, we have implemented a scheme to enable individuals to safely access their banking data and take advantage of a growing wave of incredible innovation and competition.

GDPR’s principle of data portability applies to all financial services products and indeed to all sectors of the economy. If we can build security and consent into the heart of an “Open Data” digital economy, we can create markets that serve consumers and businesses of all sizes. To do this, sectors need mechanisms for users to easily authenticate and consent. Through open banking we have created a federated authentication and consent mechanism covering 95%+ of the UK market, but there is always scope for more industry collaboration as we have seen in the Nordic countries. It is time to think seriously about how a federated Bank ID could become a foundation stone of the UK’s digital economy.

David G.W. Birch

David G.W. Birch,
Director, Consult Hyperion


A “Financial Services Passport” could be transformational for banks and the wider economy. For banks that already spend around 5% of their revenue on compliance, it would reduce the costs of customer due diligence (CDD) across the industry. Globally, banks spend more than USD100 billion on compliance. The wasted human capital is as much of an issue as the wasted money.

A Bank ID would create a new service category and provide the opportunity to turn the sunk costs of CDD into an income stream. Bank ID could be used when renting a house, buying a mobile phone or choosing a new accountant. The bank earns a new income stream from the “relying party”, while the burden of CDD would be removed from a large swathe of economic actors.

There is no reason to build the kind of national ID scheme that Anglo-Saxon countries find politically repellent — a federated scheme has been shown to work well and deliver not only a rational solution to the problems of banks, but also an essential utility that will benefit every digital economic actor, including machines!

Oscar Berglund

Oscar Berglund,
CEO, Trustly


Convenient authentication is a crucial component to unlock the value of open banking. Mobile Bank ID has been hugely successful in Sweden due to two factors. Firstly, its decoupled design, meaning that it is not embedded in the online banking interface but it is instead a standalone mobile app through which the user can authenticate. Mobile Bank ID supports authentication online and at point of sale. Secondly, Mobile Bank ID supports simple authentication methods such as biometrics and PIN-codes. Consumers no longer accept scratch cards, tokens and card readers, but instead want a simple-to-use, mobile-based and decoupled authentication solution.

Ralph Bragg

Ralph Bragg,
Founder & Partner, Raidiam


UK banks could readily develop the kind of Bank ID scheme that has proved so powerful in Sweden, Norway, Denmark and other countries. They should form a consortium to agree standards (which already exist), liability models and a common acceptance mark to promote consumer adoption. The government has a key role to drive adoption as a relying party, helping to kick start the market and setting a baseline business model. We can then rapidly see the development of a market where banks offer a given level of identity assurance for a given level of liability at a given price. There are no technical barriers — banks only need to realise the opportunity and the danger of losing ID to bigtech.

Hamish Thomas

Hamish Thomas,
Partner, EY


The provision of a cross-industry, cross-sector, verified and enriched digital ID has the potential to provide the foundation of a “trust network” where customers participate and control their own personal data, with simplified access to digital products and services. It would also allow for operational and revenue benefit for financial institutions and other participants of the “trust network” and improved access to and adoption of digital financial (and other) services, ultimately increasing the growth potential of the digital economy.

Bianca Lopes

Bianca Lopes,
Co-Founder, Talle


I am fascinated by the different roads that countries follow to reach the same destination — providing core infrastructure to enable people and businesses to transact digitally, with security and privacy.

Denmark combines its famous “hygge” concept of cozy togetherness with advanced tech. This small nation of 5.8 million people was named the most digital country in Europe in 2018 and is a frontrunner in 4G, internet usage and digital public services.12 Its government has saved USD300 million annually in self-service efficiencies and aims to unlock a further USD8 billion of benefits. Danes use NemID 55 million times a month. This scheme will be replaced by MitID in 2021, replacing physical code cards with more digital solutions that comply with EU eIDAS regulations.13

India has been the poster child for digital ID through its national Aadhaar scheme, which has enrolled over 1.2 billion people. While Aadhaar provides a solid base to the India Stack and helped bring 350 million people into the banking system, it has also faced privacy challenges. India is seeking to balance the benefits of digital ID with the need to protect personal data. While Aadhaar famously means “foundation” in Hindi, people are waking up to the reality that data protection needs to be enshrined in law before we build digital ID schemes. Privacy and consumer education are the true foundations of the digital economy.

Erin McCune

Erin McCune,
Partner, Glenbrook Partners


Federated digital ID infrastructure would bring great benefits to the United States in a consumer context, but it may be even more transformative for B2B transactions. As new push payment rails become available, businesses need to publish their payment address — in effect, proclaiming “send money here”.

Unlike consumers, businesses typically utilise multiple financial solutions: at least one bank, a card acquirer, an accounting/ERP platform, often a separate billing/invoicing provider, and an accounts payable and/or a procurement solution. An increasing number of these business solution providers enable payment. Many of these providers suffer from network fantasies, hoping to achieve scale and differentiate by serving a proprietary ecosystem of business buyers and their suppliers. Businesses need to manage not only their identities and access to their payment credentials across the ecosystem of their own providers, but also those of their counterparties with whom they exchange invoices and payment.

The small community bank, mid-sized regional bank or national/global treasury bank where a business maintains its operating account is the most logical custodian of its digital ID regardless of the business process or transaction context. In concert with open banking permissions/consent, directories that enable look-up and new real-time request-to-pay messages, a federated digital ID would allow businesses to confidently transact with a wide array of trading partners.

Dr Brad Pragnell

Dr Brad Pragnell,
Principal, 34 South 45 North


Payments Canada’s Modernization initiative is gathering pace and collaborative initiatives such as SecureKey have brought together banks, payment schemes, telcos and technology providers. For a number of years, Canadians in a number of provinces have been able to use their banking credentials to access government services. And to facilitate this ecosystem, the Digital ID and Authentication Council of Canada is consulting on a Pan-Canadian trust framework.

Digital identity initiatives remain formative in Australia. The Australian Payments Council (APC) has made a bank-based digital identity one of its key initiatives and the federal government has made consent a central pillar of its open banking reforms. Though digital identity efforts remain formative, the APC’s efforts, along with the NPP’s PayID alias service and its proposed “consent and mandate vault” service, may provide some of the building blocks for full-blown digital ID.

Hiroshi Kawagoe

Hiroshi Kawagoe,
GM, Transaction Business Planning Department, SMBC


In the aftermath of the global financial crisis, the Global Legal Entity Identifier (LEI) System was established to provide a standardised way to identify parties to financial transactions and help manage financial risks. Over 1.4 million LEIs have been issued under a federated model as a public-private partnership. The global adoption of LEI has the potential to bring transparency to many financial transactions. For example, the Reserve Bank of India recently said that LEI should be explored to identify the parties involved in cross-border payments.14 LEI combined with shared KYC utilities and federated Bank ID schemes have the potential to bring greater transparency and security to global digital commerce.

Simon Black

Simon Black,
CEO, PPRO


There is increasing friction for consumers and business as governments and regulators look to increase security and address the growing threats of fraud, money laundering and terrorist financing. Consumers wrestle with clunky user experiences that result in friction at the checkout or difficulty in getting access to services they want to sign up to.

For businesses seeking access to financial services, KYC creates huge inefficiencies as, time after time, each financial institution has to request the same information on the individuals behind the business. Inaccuracies and errors resulting from multi-step, manual approval processes can result in lost business.

Federated Bank ID would solve these issues for consumers, businesses and their service providers. It would accelerate adoption and innovation in the digital space. Standardised Bank ID would promote consumer choice of payment method, bank and service provider, all as easily and securely as with any alternative.

Kenneth Tessem

Kenneth Tessem,
COO, BankID


BankID has been transformative for Sweden and its benefits can apply to many other countries. We have learned many lessons throughout its development and so we have a wealth of experience to share with other countries thinking about the foundations for a digital economy. Our spirit of partnership and collaboration has meant that we are now an almost cashless society and the digital sector is blossoming. We extend an open invitation to other countries to learn from our example and benefit from our continued journey.

Michael Salmony

Michael Salmony,
Executive Adviser, equensWorldline SE


“If you have solved identity, everything else is just accounting” said my old university professor. Identity is the basis for everything else in the digital economy, in banking, in payments. Once one has assured it is the right person (or thing!) and does have sufficient rights, then the rest is indeed often mere bookkeeping. Since this is a topic so fundamental to all industries, all should work together in a federated way to make this work. Banks have ideal prerequisites (KYC, trust, network, etc) and must have an interest in playing a key role here. Especially since identity is bigger than payments. We pay ca 2-3 times per day, but we need to identify ourselves (log in, verify credentials, access emails, open doors, sign documents, …) many more times than this. So the volume of Identity is much bigger than the volume of payments. Also the value of an identity transaction (being the basis for all digital business) is clearly much higher than the value of processing a payment transaction (which is tending towards zero). Thus a federated identity system with banks playing a key role is in the interest of everyone: of keeping us all safe, of enabling the digital economy and of providing new business avenues for banks.

Conclusion

In the digital world, we need ways to give consents and authenticate transactions. We need credentials to establish our entitlements as we transact across an increasingly interconnected digital and physical world. The need for digital ID and the benefits are clear. A 2019 Report from McKinsey concludes: 15

The question is who will provide the digital ID layer — governments, banks, fintech or bigtech firms, or a combination of players? Banks have a natural advantage in providing digital ID (based on underlying government ID) because of the position of trust that they still enjoy and the extra levels of due diligence that they are required to perform by regulators.

Open banking and PSD2 have provided an object lesson in the dangers of building digital pyramids from the middle. SCA has been shown to be a major pain point with a potentially significant impact on European online businesses. If the EU wants to complete the “Single Market for Money”, it might consider catalysing a pan-European federated Bank ID scheme modelled on the Swedish example.

Regulators and the banking industry should take this opportunity to consider the fiat currency stack in a holistic manner and realise that digital identity is the base layer. After all, the puzzle of payments is solved through a combination of digital ID, accounting entries and rulebooks for the participants.16

Federated Bank ID has great potential as an enabler of the global digital economy, and it would be a wise investment for banks seeking continued relevance in the digital realm. But even as Denmark displays a synthesis of digital advancement and interpersonal hygge, we cannot forget the human element: financial and digital literacy are the best investments that will enable us to reap the benefits of digital commerce without the downsides.

The human factor also raises its head on the question of whether the banking industry can coalesce around Bank ID — there is no technical impediment, only the need to prioritise and execute. All that we need is common consent.

Postscript: Fiat Currency 2.0

Many fiat currency systems are still built on batch processing and store-and-forward messaging. There are several ways in which the fiat currency stack can be improved to bring national currencies into the 21st century. The blueprint for Fiat Currency 2.0 includes:

Governments, regulators, banks, and fintech and bigtech firms have the opportunity to unleash enormous innovation through the revitalisation of national and international payment systems.

Endnotes

1 The fiat currency stack is the set of systems that makes digital money work, and it includes digital identity, Real-Time Gross Settlement (RTGS), Automated Clearing House (ACH), SWIFT, CLS, Faster Payments, Request to Pay, card networks, open banking and electronic money schemes.

2 Regulation (EU) 2016/679 of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), Recital 32, from https://eur-lex.europa.eu.

3 Directive (EU) 2015/2366 of 25 November 2015 on payment services in the internal market (PSD2), Article 4(30), amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC, from https://eur-lex.europa.eu.

4 The Impact of SCA: Shaking Up Europe’s Online Economy from www.stripe.com.

5 BigTech and the Changing Structure of Financial Intermediation available at www.bis.org.

6 The Libra White Paper, Introducing Libra, available at www.libra.org.

7 See www.indiastack.org.

8 See www.bankid.com.

9 See www.getswish.se.

10 E-krona available at www.riksbank.se/en-gb.

11 From “B2B Data Sharing: Digital Consent Management as a Driver for Data Opportunities” (2018) and “Security and Identity Challenges in CryptoTechnologies” (2017) at www.abe-eba.eu/publications.

12 See https://ec.europa.eu/digital-single-market/en/desi.

13 For MitID, see https://digst.dk/it-loesninger/mitid. For eID, see https://ec.europa.eu/digital-single-market/en/trust-services-and-eid.

14 See section 5.4.5 of Payment and Settlement Systems in India: Vision – 2019-2021 available at www.rbi.org.in.

15 See Digital Identification: A Key to Inclusive Growth available at www.mckinsey.com.

16 See Identity is the New Money by David Birch.

17 See www.citibank.com/tts/sa/flippingbook/2017/The-Request-to-PayRevolution.

18 See www.emvco.com/emv-technologies/qrcodes.

The expert perspectives provided in this document are personal opinions and for information purposes only, they do not represent the views of the organisations of these experts.