Digital Identity’s Role in Open Banking

Have you come across the term “Open Banking” and wanted to know more?

Open Banking and digital identity are currently receiving a lot of attention today. Both subjects tend to attract strong opinions and passionate viewpoints. While debate on any subject is healthy, the core purpose of both Open Banking and digital identity remains the same – to put individuals and organizations in control of their own information and to ensure it is protected..

Banks in Canada have tremendous responsibility to protect their customers, both from a moral and legislative aspect. The banks hold millions of records (if not more) that contain personally identifiable information (PII). If these records were exposed, it could have devastating effects on not only the bank itself, but their customers, and potentially the economy. For these reasons, many financial institutions use “centralized” or “federated” identity models to manage and protect their data. This approach has historically been effective, but does have its pitfalls. Specifically, there is an increased risk of data breaches from storing data in a centralized system; data may be collected, stored, and shared with other parties without the user’s knowledge, and data is owned and controlled by organizations, apps, and services.

So, what is the alternative you may ask? The answer lies in a decentralized identity model. Decentralized identity is a model that is user-centric, where control over the sharing of information is actively in the hands of the subject of a digital credential (a digital identity is a type of digital credential). The benefits of a decentralized model lie in that data is stored by the actual user (which reduces the risk of large scale data breaches), data is only shared when the user gives authorization, and data is fully owned and controlled by the user.

The benefits of a decentralized model for the banks is that they no longer have to worry about storing, administering and protecting large amounts of PII as this is now stored on their customers’ individual wallets. Without having large quantities of sensitive (and valuable) data stored on their systems, the banks become a less appealing target to bad actors seeking to breach their systems. This will result in lower platform and architecture costs for the banks, as well as reduce their risk of a cyber incident.

The main issue in the current banking model, however, is financial inclusion. According to research performed by Acorn Canada, 3% or approximately one million Canadians are unbanked (do not have bank accounts) and 15% or approximately 450,000 Canadians are underbanked (may have a bank account, but their engagement with the mainstream financial sector remains limited.)¹ Reasons for this financial exclusion vary: from the current methods in which banks assess the risk a customer may pose, to minimum balance requirements, and geographical or accessibility related issues (e.g., no branch in their local area, or they can’t physically get to a branch). These issues can create significant barriers when seeking new services like credit cards, loans or mortgages. Addressing these issues is where we see the real benefits of combining open banking and digital identity.

Open Banking seeks to break down these barriers by opening the market to new competitors and services, and widening the view of customers’ profile for when banks are making decisions such as mortgage approvals etc. Pushing this paradigm shift is the growth of fintech, which core services make banking and finance more accessible and streamlined for customers. Fintech uses automation to speed up processes, and applying for loans and mortgages can be done online without any human interaction. Widening the view of their banking profile enables customers to have a clearer picture of their finances, enabling informed decisions around debt, purchases and overall budget. Open Banking could potentially facilitate automated cash flow management, meaning a customer could see all their transactions across accounts in one place. By aggregating their transaction accounts customers can set aside funds to pay commitments (bills, credit card payments etc.,) and will only have to worry about one number – the remaining spendable balance across all accounts.

Digital Identity’s role in this ecosystem, first and foremost, means people can use Open Banking services without ever having to visit a branch to first verify their identity, addressing the geographical challenges highlighted above. It also supports the data portability and customer consent aspects of Open Banking. It does this by putting customers in control of how they share their data and who they share it with. Putting the customer in control is done by enabling a triangle of trust (see Figure 1), where the Issuer (e.g. Province of Ontario) is able to issue a “Credential” (e.g., Driver’s Licence) to a “Holder” (the customer in question). The Holder can then present the “Claim” to a “Verifier” (e.g. a bank seeking to validate the customer’s identity to be able to offer them a service.)

Figure 1. – Triangle of Trust

By sharing these claims digitally, it removes the need for the customer to physically go to a branch to have their identity verified by the bank. Equally, with the customer now in control of their personal identifiable information, they may bring this profile forward to other interactions, with other entities, to enable services elsewhere. Because the customer now owns and is in control of their information and identity, they can leverage this data in a wide number of scenarios. Just as they would with their physical driver’s licence or other government issued photo ID; the difference is, it can now all be done digitally.

Digital identity claims also opens up the possibility of some exciting, privacy enhancing, capabilities such as “selective disclosure” and  “zero knowledge proof”. “Selective disclosure” allows the user to disclose only the information required by the “Verifier”. The example often used is admittance to an age-restricted facility. Instead of presenting the entire credential (e.g., driver license) only birthdate and photo identity attribute need be shared. Whereas “zero knowledge proof” is the provision of verifiable attestation of an acceptable identity attribute without supplying the data itself. Building on the example above, the ability to provide a trustable “yes” response to the question “are you 18 or older?”, without disclosing the actual age of the “Holder”. We’ll explore these concepts further in a future publication. In the Open Banking context, the customer will only be sharing the minimum amount of data they need for that specific transaction, and thus reduces the risk of their data being manipulated or stolen and reduces their risk profile.

At the end of the day, both Open Banking and digital identity seek to bring services we use everyday into the digital world, in a safe, thoughtful and ethical manner, while at the same time, making these services accessible to customers that may not be able to benefit from them in an analog world. Being able to own the data of our identity and control how and when it is shared is truly the benefit that digital identity can offer as we move forward into this digital world.