Cyber, Identity and Privacy (CIP) Part IV – Identity in Crisis

This blog continues to explore the Cyber, Identity and Privacy (CIP) sector, building on our insight series into this section of our RegTech Taxonomy. To date, we have looked at the intersection between Cyber Security and Data Privacy, examined the flurry of M&A activity in this space, and investigated the often missed opportunity relating to Financial Market Infrastructure providers. 

Below, we focus on the Identity sub-category and explore the importance of systems that allow citizens to identify themselves through the use of government technology systems, and the role they play in managing a country through a crisis.

In this day and age, the majority of consumers from across the world, particularly those who find themselves in at least somewhat developed economies, now take digital payments for granted. According to research by UK Finance digital payments in the UK overtook their cash equivalent in 2017 with debit cards remaining the most frequently used payment method in the UK in 2018. However, looking more closely into how other types of digital transactions have been adopted into society as a whole, tells a completely different story. In this article, we look at the adoption of digital services within the UK government and more broadly the role that Digital Identity (DID) has had in recent times, especially during the current COVID-19 crisis.  

Digital Identity Verification

“Digital Identity (DID), the act of proving who you are digitally”

The ability to create and verify your identity ‘online’ is an important tenet of a trusted digital economy.  On the surface of it, commercial companies such as Google, Apple, Amazon and others have been successful in building huge e-commerce platforms based upon user identity, however, this is underpinned by a credit or debit card and not focussed on identifying the actual person buying the service. 

The move beyond a system built primarily for e-commerce, to a comprehensive DID scenario recognised more broadly in society, is critically important to an economy and underpins the move to a wider Digital Society. To understand a bit more about DID we looked at three different country-level approaches:

  1. Gov.UK Verify (UK)   – A program started originally in 2011 by the UK Cabinet Office, it went live in 2016 before becoming owned by Government Digital Services in 2018. 3rd Parties (known as IdPs) are responsible for Identity Verification. The companies are Barclays, Digidentity, Experian, Post Office and SecureIdentity. The service underpins 22 different government agencies from Rural Payments to tax collection. The service is not without controversy, a recent Computer Weekly article is the latest in a series berating the UK government approach.
  2. Login.gov (US) – Login.gov is the successor to the Connect.gov program, the first attempt at offering one account for all government services. Connect.gov was developed by the National Strategy for Trusted Identities in Cyberspace in 2011, with it going live in 2014. Login.gov officially replaced it in 2017.  It appears the Login.gov initiative doesn’t go far enough for some people, Anil Cheriyan, director of GSA’s Technology Transformation Service, called solving the challenge a “game-changer.” and would see the same for other agencies such as the IRS. Cheriyan said at a conference in 2019, he wants a more comprehensive framework for identity management across (US) government.  Login.gov is reported to have reached over 10 million user accounts – an impressive number, but compared to the population of 330 million is a very small percentage of the overall population.
  3. Estonia, e-ID (Estonia)  – One of the most advanced government-backed schemes in existence today is found in Estonia. With a population of 1.4million people, their e-ID program is worthy of mention. Every citizen of the country is issued with a digital identity card, used to access a range of services (tax, medical, voting and more). According to national statistics, 98% of citizens have a digital e-ID with over 96% of those people using digital services regularly.  

These government-backed schemes attract much scrutiny and criticism, but the alternatives are to either stifle the adoption of digital government services across society or to rely purely on the private sector and tech giants to provide an independent DID service/system. To consider whether DID, specifically here in the UK, is delivering it’s intended outcomes and having the desired effect, we look at the role identity services have played during the current (and ongoing) COVID19 crisis.

The role of identity in a crisis

During the current novel coronavirus (COVID-19) crisis, the UK benefits system (known as Universal Credit) saw an increase in new applications of 226% in 7 days.

Universal Credit (UC) and 20 other UK government services use the Gov.UK Verify system for Identity verification and according to Government figures, only 42% of the online verification checks pass. This equates to somewhere in the region of 50-70,000 people per week for the last 3 weeks in March. 

We tried the verification process using one of the IdPs, it’s lengthy, cumbersome and does not take the 10 minutes claimed at the start of the process. It’s easy to understand why only 42% of applicants are successful.  

Bank onboarding is not much better, according to Deloitte research 38% of people drop out of bank onboarding processes due to frustration with the amount of paper or information required. 

Conclusions

Customer expectations now demand three things above all else when it comes to accessing essential and optional services in this digital era – simplicity, speed and security. A seamless omnichannel experience, almost instantaneous real-time results, whilst maintaining absolute integrity and trust within the offering are all of paramount importance to providers. Without strengths in each of these areas, potential prospects will find alternatives, as the choices and options available to us as consumers will inevitably continue to increase.

It’s clear the UK Government and Gov.UK Verify programs have some issues to resolve, however so does the onboarding process and general user experience in Financial Services and across almost every other industry. The relationship between cybersecurity, identity verification and data privacy is becoming more interwoven and apparent, and it is widely recognised as impossible to achieve strength in one of the above areas without the other two.

Onboarding individuals to attain critical government services (benefits, healthcare, visa applications etc) is a topic not to be taken lightly. Making the transition towards adopting countrywide DID programmes are critical to progression in a digital economy.

There is a growing need for governments to facilitate collaboration and encourage public/private partnerships across industries,  particularly those which have recent regulatory requirements for strong identity verification capabilities, including sectors affected by the recent AML5 regulations such as gambling, art and property. We are already beginning to see more utilities in this space, such as the Nordic KYC utility supported by vendors including i-Meta and Encompass, yet there is still much work to be done and this only represents the tip of the iceberg.