Lockstep

Mobile: +61 (0) 414 488 851
Email: swilson@lockstep.com.au

NSTIC and banking don't speak the same language

I first blogged about this over at Finextra in January, asking if banks and their Know Your Customer regulations are compatible with the "Levels of Assurance" of federated identity and NSTIC especially? It seems to me that NSTIC and the finance sector don't speak the same language when it comes to identifying customers.

NSTIC adopts the now orthodox idea of “trust levels” or “Levels of Assurance” (LOA) from federated identity. The US National Institute of Standards and Technology has settled on a four point LOA standard. The idea is that different transactions carry different risks and need to be matched to the right LOA: Low, Medium, High and Very High (or words to that effect). And if different business domains can settle on a common language for describing risk and trust, then their identities should be able to interoperate. It’s intuitively attractive, but in practice difficult to apply, especially in banking, where there are strict regulated protocols for identifying customers.

I myself believe that pigeonholing risk into one of four boxes isn't helpful. Ironically, the parties to most business transactions make a binary decision as the authorisation of each other: Alice either has a bank account with Bob's bank, or she does not.

But I digress. If we accept the quaternary LOA scheme, is it compatible with KYC rules in the banking sector?

To take one example: KYC in Australia is regulated by our federal Financial Transactions Reports Act (1988) and by more recent anti-money laundering (AML) laws. We have a legislated proof-of-identity regime where various scheduled identification documents (passport, driver licence, bank cards, Medicare card, birth certificate, utilities bills) are each accorded a number of points reflecting their reliability. To open a new bank account, a customer has to furnish a total of 100 points worth of original documentation, including photo ID. The new AML rules allow for online origination of non-credit instruments by electronic proof of ID, usually mediated by online government services.

Identity federation will necessitate a change to this legislation. KYC rules will first need to adopt the language of LOAs, and the industry will have to map the existing points schema onto the four levels. This will be hard work in a what is an obviously conservative regulatory environment.

A few years ago, a major FS sector federation initiative here failed to proceed, largely because a clear business case for sharing IDM processes & infrastructure never emerged from the morass of legal, corporate and operational complexities. Empricially, we must face the fact that the cost/benefit of federating banking identities is difficult to demonstrate. I'm afrid this stark reality must undermine any impetus to drive what will be difficult changes to banking legislation.

In short, would the time and money invested in changing banking laws be worth it?

Posted in Language, Identity, Federated Identity, Security

Comments

Jim FentonFri 11 Mar 2011, 9:17am

You describe an interesting use case. The KYC rules [caveat: I'm neither a banker nor a lawyer] are primarily enrollment requirement. There might very well be situations where it's still necessary to appear in person for enrollment (i.e., to open an account, as you describe), at least until banking regulations recognize the new technology. I don't see that as an incompatibility with NSTIC, because you would still use your NSTIC credentials to perform transactions on the account. Depending on the LOA you authenticated with, it might allow different size transactions.

In order to make opening an account an online process, it would probably make sense to assign point values to different assertions that you provide to the bank. As assertion from the utility company that you are a customer (and perhaps of your home address) would be worth n points. An assertion from your healthcare provider of your name and birthdate would be worth m points. These assertions, of course, would need to have some minimum LOA to be useful.

Stephen WilsonThu 31 Mar 2011, 11:57am

Just as I was getting my thoughts straight to respond to Jim Fenton, I got into a debate on Twitter (if you can call exchange of 140 char snippets a 'debate'!) about LOA. Jim touched on the difference between enroling and transacting. I think this is key, and as I got my thoughts together and rolled in the LOA stuff, my response to Jim became big enough to make a new blog post. So please jump to "Designing out identification uncertainty".

Post a comment

If you are a registered user, Please click here to Sign In

Your Name*

Your Email Address* required, but won't be displayed on this site

To help prevent spam in our blog comments, please type in "the" (without the quotation marks) below*