In this guest post, an anonymous banking insider explains the failures of modern digital identity protocols and the ways we can fix them.
Americans continue to defer to the “risk-based”, profit driven models of the financial services industry to decide if we are who we say we are. Will we continue to bear the costs of allowing private enterprises to affirm, deny, or misappropriate our identity - or are there alternatives for deriving human trust in the digital age?
__________________________________
Despite our technological prowess and stature on the global stage, the United States has been embarrassingly slow to implement laws and standards relating to privacy and identity verification. For example:
Consumer Privacy
Consumer Identity
These interconnected consumer risks have snowballed over time and pose systemic threats to the United States. This does not necessarily mean that the US should hastily mimic the mitigation strategies of its peers; US-specific laws and policies that address these risks must be thoughtfully considered and debated. But, the costs of sustained inaction are tremendous – especially as it relates to digital identity.
In 2022, the US Department of Labor Office of the Inspector General conducted a study that attempted to measure how much fraud was involved in the US government’s payment of pandemic-related assistance (including Pandemic Unemployment Assistance - PUA, Pandemic Emergency Unemployment Compensation - PEUC, and Federal Pandemic Unemployment Compensation - FPUC) to its citizens. The office estimates that 11-15% of all such payments were fraudulent, noting specifically that of the 4 states examined, 1 in 5 dollars from the PUA program likely went to fraudsters. Other estimates from this office calculate this number to be 21.5% (or higher). Given that the US government paid out $4.3 trillion in pandemic assistance, the direct costs of relying on our deficient digital identity infrastructure in this specific instance were anywhere from $470 billion to $925 billion (or approximately 50 to 100%+ of our national defense budget for 2023).
These staggering numbers are the tip of the iceberg of the US government’s cavalier attitude toward digital identity protection and do not include myriad other direct and indirect costs, such as those resulting from the failure of those in need to receive aid that was ultimately paid to fraudsters. Our inability to combat this systemic fraud not only acts as an “incompetence tax” on all of us, but also keeps critical resources from reaching those who need them the most.
As consumers, most of us keenly understand the difficulty involved in verifying identity in a digital context. The FTC states that one in three Americans has faced some form of identity theft and that Americans face 3 times as many identity theft scenarios as individuals that live in other countries.
When governments and businesses do not have an effective way to establish identity in a digital context, that inability threatens and constrains all digital commerce and interactions. In other words, the ability to confidently, securely, and privately confirm that someone is who they say they are is a foundational requirement for modern commerce. Enhancing our digital identity infrastructure would significantly decrease fraud and greatly expand the variety and magnitude of investment and commerce currently hindered by our existing methods.
The US government has long recognized and been aware of this issue, despite its apparent inertia in the face of the recent data on digital identity fraud and its eye-watering costs. In April of 2019, the Department of Homeland Security declared “Identity Management and Associated Trust Services'' to be one of our 55 National Critical Functions: “so vital to the US that their disruption, corruption, or dysfunction would have a debilitating effect on security, national economic security, national public health or safety, or any combination thereof.” Four years later, the number of identity theft reports making their way to the Federal Trade Commission has increased by 70%. Is the United States prepared to face the increasing and compounding costs of continued inaction on digital identity?
Perhaps the most fundamental component of digital trust is ensuring that a counterparty is who they say they are. Today, US businesses attempt to answer this question by leveraging identity verification service providers. Current identity verification standards, tools, and outcomes in the US are largely a product of federal regulations and decades of market forces at play. In 1970, Congress passed the Bank Secrecy Act (“BSA”), which is intended to prevent financial crimes, money laundering, and terrorist financing by ensuring that financial institutions “know your customers” (or “KYC”). Specifically, the BSA and its implementing regulations (predominantly via USC Title 31 section 1020.220) require financial institutions to implement controls to ensure a customer’s identity before allowing them to open a financial account. It’s worth noting that these controls are intended to protect specifically against money-laundering and terrorist financing, as opposed to consumer identity theft.
One aspect of the BSA’s KYC framework requires banks to establish and maintain a customer identification program (“CIP”) that adheres to the bank's internal identity verification procedures. Specifically:
“The CIP must include risk-based procedures for verifying the identity of each customer to the extent reasonable and practicable. The procedures must enable the bank to form a reasonable belief that it knows the true identity of each customer. These procedures must be based on the bank's assessment of the relevant risks, including those presented by the various types of accounts maintained by the bank, the various methods of opening accounts provided by the bank, the various types of identifying information available, and the bank's size, location, and customer base.”
While the BSA’s KYC requirements are designed to allow a financial institution broad discretion in the implementation of its CIP, the regulations do articulate minimum requirements, which include:
In short, banks are required to collect core personally identifying information (“PII”) from their customers and use some unprescribed means to verify all or parts of that information to form a “reasonable belief” that the applicant is in fact who they say they are.
Given these requirements for banks to use “risk-based” methods to determine if someone is who they say they are, the first thing they consider is the universe of relevant risks. Although many risks apply, the two most important risks for a bank to evaluate are credit risk (“will this person pay back any loan or credit we extend to them?”) and fraud risk (“will this person defraud the bank and cause a loss?”). Credit risk is often dependent on fraud risk to a significant degree, as an identity thief is also a major credit risk. Reputational and regulatory risk are also important, but generally speaking, retail banks and other financial institutions optimize their “risk-based” methods as a product of the economics of the specific business cases they are pursuing.
The risk of identity theft to consumers is not directly accounted for or considered as a part of this regulatory framework or commercial calculus. To be clear: banks are not doing their best to ensure that someone is in fact who they say they are; instead they are making an optimized (“risk-based”) business decision while ensuring they comply with the minimum federal requirements.
Further, though it may seem counterintuitive, a bank’s ability to implement other risk controls throughout the customer lifecycle may act as a disincentive to apply more effective identity fraud detection resources at the beginning of the customer relationship, where they would provide the most protection to the person whose identity is being leveraged. For example, a bank may have a funds availability policy to mitigate the risk that a deposit returns before it is withdrawn (i.e. a bounced check or an external credit to the account ends up being unauthorized), leaving the bank with a negative balance. These policies act as ongoing risk controls, supplementing the scrutiny and diligence that is applied at the account opening stage to verify a customer’s identity. These later-stage controls allow a bank to take on more risk at the identity verification / account opening stage than it otherwise would if it had to make the best possible customer identity verification decisions up front. As a bank, if I know I can interrogate and manage identity theft risk throughout the customer lifecycle, I can effectively defer some of my scrutiny at the account opening stage, lowering the hurdles to open an account. While this approach is good for banks, as it likely increases application conversion rates, it’s bad for the person who is becoming a victim of identity theft.
Financial institutions are generally incentivized to maximize profit. These financial incentives, combined with the flexibility and discretion built into the risk-based KYC approach, encourage banks to apply the minimum amount of diligence required to say “yes” and acquire a customer. Generally speaking, if a bank decides to apply additional diligence, it is to protect its own interests and not necessarily those of its customers or potential victims of identity theft.
If an identity thief opens an account with the bank and causes a loss, these outcomes are components of the bank’s customer value calculations - and in many cases, simply the cost of doing business given current policies and controls. In general, reputational and regulatory risks only come into play if a financial institution suffers major and sustained failures in effectively executing minimal identity verification requirements. In other words, a financial institution's diligence in conducting effective identity verification depends largely on the financial risk posed to the institution. If the financial institution stands to lose a lot of money, verification processes and controls are stronger. If the products being offered don’t pose significant loss risk to the financial institution, then identity verification controls are weaker and losses are chalked up as a cost of doing business, to the detriment of the impacted consumers.
Americans are deferring to the financial services industry to decide if we are who we say we are. Without a state-sponsored solution, citizens are subjected to the profit motives and “risk-based” decisions of private enterprises to affirm, deny, or misappropriate their identity. While private enterprises should be free to make business decisions that advance their goals (generally), citizens must be able to retain sovereignty over their identity without reliance on and interference from private enterprise. There must be a better way.
The use of sensitive information as identifying information is the historical backbone of modern identity verification, and is also its most vulnerable point of exploitation. For example, a Social Security Number (“SSN”) is a unique number that the US government issues to each citizen, permanent resident, and temporary (working) resident. Over time, the SSN has become a de facto national identification number used to verify an individual’s identity in a variety of highly-sensitive financial and other situations, including accessing bank accounts, taking out loans and otherwise identifying oneself in a commercial context. Due to the sensitive nature of the information that is accessible through the use of a person’s SSN, it is a high-value ”secret” that must be protected from unauthorized use and disclosure. However, given the 1,802 publicly disclosed data breaches in 2022, it’s clear that our “secret” identifiers are completely compromised.
As discussed above, banks have broad discretion in how they use PII to verify an individual’s identity. However, in general, banks deem an individual’s ability to provide this “secret” information as sufficient evidence that the individual is who they say they are, and are consenting to this information being shared. Using possession of PII as a proxy for consent of the usage of that PII becomes problematic when our PII is routinely compromised and readily available for bad actors.
Zooming out, our current identity verification model requires that each time I need to verify my identity, I must share what is supposed to be my secret, sensitive information with someone else. Imagine that in order to share your home address, you also had to give someone the key to your front door. Anyone who knew your address could access your home. Most people would find this level of home security unacceptable. Just as we can (and should) separate the identifier (our home address) from the secret (the house key) in a physical security context, so we can (and should) in the digital identity verification context.
Asymmetric key cryptography, which involves the use of public and private keys, is a modern security concept that secures most all communications in the digital world today. If applied to the identity domain, this technology would immensely decrease identity fraud, to the massive benefit of governments, financial institutions, and the individuals they serve. This technology enables the separation of the “secret” from the “identifier” in an identity context, allowing an individual to share their identifying information openly while retaining control of the usage of their information.
These public and private keys (which are essentially very long numbers) have a direct relationship. The public key acts as a shared identifier that is widely available (and distributed without risk), while the private key acts as the “secret” that only the owner / controller holds. These key pairs are generated with mathematical formulas termed “one-way” functions, which are easy to compute on every input, but very difficult to invert. These concepts underpin the foundational security practices of today’s digital world, including the TLS protocol (which builds on former security standards such as SSL) - securing information sent via email, instant messaging, web browsers, file transfers, and many other methods globally.
This structure enables several critical use cases, but perhaps none is more important than verifying a digital signature. In the context of identity, once my SSN is compromised, I no longer retain consent over how the information is used - as possessing the information is treated as implied consent to use that information (since conceptually my SSN is a secret), which leads to fraud and misuse as discussed above.
However, with public key cryptography, a user can leverage their private key to “sign” a statement or assertion and share it publicly. Any other party who wants to validate the provenance of this statement can use the public key of the asserting party to verify if that statement was in fact signed by the asserting party. Since a user’s private key is required to produce a digital signature, and this information is known only to them, digital signatures cannot be forged.
This separation of identifiers from secrets allows us to have a public identifier in the digital world without fear of that information being used to impersonate or compromise us. This stands in stark contrast to today’s identity verification paradigm in which sensitive PII serves as our identifier AND our secret. Identity serves as perhaps the most important and fundamental layer of human trust. Given the dramatic costs that our existing identity verification model imposes on all of us, there is a significant opportunity in exploring how governments and businesses might leverage these newer digital security practices to improve our national identity capabilities.
In the next part of this series, we will further explore public key cryptography and evaluate how other countries (and even some of the largest states in the US!) are using it to advance digital identity infrastructure in 2024.
The author is choosing to stay anonymous to protect their identity and the company they work for. They have worked at multiple publicly traded financial institutions in the fraud prevention and mitigation space; from ground-level tactics to enterprise strategy and policy. They have also held leadership roles at one the nation’s largest identity verification companies, preventing fraud and working with federal and local law enforcement. They have been accountable for tactical implementation and monitoring of KYC / CIP programs and work closely with their peers who are focused on Anti-Money Laundering (BSA / AML) compliance and reporting. They are currently employed by a bank as internal consultant in the fraud space, serving them as well as their clients which include several of the top-10 crypto exchanges in the United States to prevent fraud and comply with existing regulatory guidelines around customer identity.
Author’s public key: f996d12f951d2f39dc3ed82a5411caf4a809b73ba1b4ffbf3cc391e186b2f2bb
