I first blogged about this over at Finextra in January, asking if banks and their Know Your Customer regulations are compatible with the “Levels of Assurance” of federated identity and NSTIC especially? It seems to me that NSTIC and the finance sector don’t speak the same language when it comes to identifying customers.
NSTIC adopts the now orthodox idea of “trust levels” or “Levels of Assurance” (LOA) from federated identity. The US National Institute of Standards and Technology has settled on a four point LOA standard. The idea is that different transactions carry different risks and need to be matched to the right LOA: Low, Medium, High and Very High (or words to that effect). And if different business domains can settle on a common language for describing risk and trust, then their identities should be able to interoperate. It’s intuitively attractive, but in practice difficult to apply, especially in banking, where there are strict regulated protocols for identifying customers.
I myself believe that pigeonholing risk into one of four boxes isn’t helpful. Ironically, the parties to most business transactions make a binary decision as to the authorisation of each other: Alice either has a bank account with Bob’s bank, or she does not.
But I digress. If we accept the quaternary LOA scheme, is it compatible with KYC rules in the banking sector?
To take one example: KYC in Australia is regulated by our federal Financial Transactions Reports Act (1988) and by more recent anti-money laundering (AML) laws. We have a legislated proof-of-identity regime where various scheduled identification documents (passport, driver licence, bank cards, Medicare card, birth certificate, utilities bills) are each accorded a number of points reflecting their reliability. To open a new bank account, a customer has to furnish a total of 100 points worth of original documentation, including photo ID. The new AML rules allow for online origination of non-credit instruments by electronic proof of ID, usually mediated by online government services.
Identity federation will necessitate a change to this legislation. KYC rules will first need to adopt the language of LOAs, and the industry will have to map the existing points schema onto the four levels. This will be hard work in what is an obviously conservative regulatory environment.
A few years ago, a major FS sector federation initiative here failed to proceed, largely because a clear business case for sharing IDM processes & infrastructure never emerged from the morass of legal, corporate and operational complexities. Empirically, we must face the fact that the cost/benefit of federating banking identities is difficult to demonstrate. I’m afraid this stark reality must undermine any impetus to drive what will be difficult changes to banking legislation.
In short, would the time and money invested in changing banking laws be worth it?