Global privacy and security experts launch the International Council on Global Privacy and Security, by Design
October 17, 2016
Ann Cavoukian launches the International Council on Global #Privacy & #Security By Design
October 24, 2016
Show all

How Blockchain Will Allow Banks To Become Brokers of Personal Data

By Jennifer L. Schenker

Privacy may not be dead after all.

Today’s announcement by six banks that they are jointly investing $20.5 million ($27 milion CDN) in a fin-tech start-up called SecureKey is part of an ambitious plan to roll out a national digital identity network in Canada that aims to offer a secure way for consumers to exchange all types of personal data.

It is being hailed as the largest privacy- by –design consumer digital identity service initiative to date, is expected to be among the first widespread commercial uses of blockchain distributed ledger technology by financial services institutions and, if it lives up to its promise, could serve as a model for other countries.

“This could be a game changer,” says blockchain expert Oliver T. Bussmann, former Group Chief Information Officer and Managing Director at UBS. “The combination of new distributed ledger technology, banks and government support will be key to establishing trusted digital identity services.

When fully launched in 2017 the Canadian program will build on top of the secure digital ID that banks have already established nationwide with the help of SecureKey, a start-up specialized in secure identity and authentication founded by serial entrepreneur Greg Wolfond. In addition to blockchain technology SecureKey uses biometrics to ensure the identity of the person logging in.

Under the new program blockchain technology will be used to allow the secure exchange of any type of personal data. The permission-based system would allow, for example, a bank to release all of the digital documents needed for someone to be approved to rent an apartment. Banks would charge a fee to the business requesting the information.

The service aims to make it much easier and safer for consumers to do business online with private and public sector service providers and to conduct peer-to-peer transactions with other individuals.

Canada’s banks are hoping their nation-wide initiative will place them in a pole position in the digital economy.

“ We want to go beyond a digital ID and create a marketplace of digital attributes,” Chuck Hounsell, senior vice president payments at TD, one of the six Canadian banks investing in SecureKey, said in an interview. BMO Bank of Montreal, Bank of Nova Scotia, CIBC, Desjardins and Royal Bank of Canada also participated in the round.

Revenues from payments are eroding over time so banks need to handle all types of digital assets, says TD Bank’s Hounsell. “If we don’t someone else will.”

With the help of other start-ups similar nationwide systems are being set up by banks in the Nordics and in the Netherlands.

The Business Case For Banks

Digital identity, data management and data privacy are key components of the Internet of Things. People, devices and the software powering services will each be given a digital identity.

There is a need for a trusted entity to manage these digital IDs and develop a way for consumers to share data while maintaining control.

Microsoft attempted to create a centralized digital identity service 14 years ago with its Passport and Hailstorm initiatives. Intel, Sun, Oracle and AOL developed their own such service through a group called the Liberty Alliance. Those efforts flopped but other Silicon Valley companies have succeeded in aggregating consumers’ personal data in other ways.

Some of the largest Internet companies, including Google and Facebook, reap most of the profits from collecting, analyzing and monetizing personal data. Most consumers don’t know who has access to their data and how it is being used.

Some argue that banks are better placed to create and safeguard our digital identities and be the brokers for all types of exchanges of data, bringing bank grade privacy and security to the global exchange of any digital asset between any parties.

With these kind of future services in mind, a dozen banks — including Citi, HSBC, JPMC, BNP and Deutsche Bank — in 2011 began working closely with The Society for Worldwide Interbank Financial Telecommunications (Swift), on an initiative to build an underlying infrastructure called the Digital Asset Grid. The goal was to bring bank-grade identity, privacy and security to the global exchange of any digital asset. The project has since been abandoned.

“If the banks had embraced (the Digital Asset Grid) they would be five years ahead of the curve today,” says Udayan Goyal, the co-founder and managing partner of Apis Partners, a London-based private equity fund focused on financial services companies.

Still, the World Economic Forum argues in an August 2016 report that financial institutions are “exceptionally well positioned to drive digital identity systems” since they already have well-developed ways to verify user information for commercial and regulatory purposes.

There is a strong business case for banks to move into digital identity services, says the WEF report. Doing so would allow banks to offer extended financial advisory services and behavior-based insurance.

Banks could also offer identity-as-a-service to businesses that can’t or do not wish to store their clients’ personal data. And, they could extend their customer bases to include ID-only clients, offering identity as a separate, fee-based service for individuals who do not otherwise transact with them.

Coupled with payment platforms digital identity services could enable financial inclusion and poverty alleviation for billions of people.

But safeguards must be put in place.

Spotlight on Canada

SecureKey, which is headquartered in Toronto and has offices in San Francisco, thinks it has the answer: it is using distributed ledger technology to create a permission-based system that takes the pain out of signing up for banking services, using government services and engaging in all sorts of commerce.

The system limits the use of people’s information to an intended purpose, putting individuals in control of how their data is used, says founder and CEO Wolfond. For example, a bar could use the system to verify that someone is over 18 and legally allowed to drink alcohol but could not access other information typically printed on a driver’s license such as weight, exact birth date or their home address, or any other type of information about the person.

The privacy-by-design system requires no broker and the use of blockchain’s distributed ledger technology means there is no central depository of information, making it harder to hack.

“The whole beauty of the system is that it puts the consumer in the center and puts privacy-by-design at the forefront,” says Wolfond.

The new services will be built on top of the nationwide SecureKey Concierge service, which is already being used by about seven million Canadians. The project was conceived five years ago and it took about three years to get the major banks on board, Wolfond says.

The Concierge service is delivered through a secure cloud service that grants users access to online services via their familiar online banking sign-in process, rather than having to create an user ID and password to manage. While using their trusted credential from a sign-in partner to access online services, SecureKey Concierge ensures that no passwords or personal information (name, date of birth, etc.) are shared or exchanged.

Customers can access 80 different government services using SecureKey as well as other services. The government and other service providers pay for the service and SecureKey shares the revenue with participating banks.

Banks participating in the initial project include TD, BMO Bank of Montreal, Choice Rewards MasterCard, Desjardins, RBC Royal Bank, Scotiabank, Tangerine, CIBC, Caisses Popularies Acadiennes and Caisses Popularies.

The new digital ID and data brokering services “enhance the value proposition for users while leveraging the authentication and controls banks are already building,” says Wolfond.“And it will bring in new revenues for the banks.”

Wolfond has a track record of bringing companies global and inventing innovative solutions for the financial services industry. He is a co-founder of 724 Solutions, a wireless infrastructure provider launched in Canada, then expanded globally and went public in 2000. Footprint, a financial software company he founded, also went global before being purchased by IBM.

SecureKey has raised more than $73 million (96 million Canadian dollars) in financing to date through four rounds of strategic and institutional funding. Venture capital backers include Rogers Venture Partners and Blue Sky Capital.

European Initiatives

Dutch banks are also working on a national digital identification service, which will allow online customers to use their bank login details to access other commercial and government sites. Participating banks include ABN Amro, ING, de Belastingsdienst , Rabobank, SNS Bank and Triodos Bank. Insurers Delta Lloyd and Freo have agreed to participate with the pilot.

Nordic banks are, in fact, the pioneers in digital ID services. The banks first got together to launch a nation-wide service, called BankID, in 2000. The system initially used key fobs, then moved to SIM cards, but the system proved to be costly and clunky, so a decision was made to allow consumers to identity themselves via whatever device they had in their hands.

A smart authentication platform developed by start-up Encap Security was selected last June for a pilot program . The in-app authentication process covers mobile, online, phone and in-branch and introduces smartphone biometrics to millions of users, says Thomas Bostrom Jorgensen, Encap’s CEO. (Encap is now owned by the U.S.’s AllClear.)

Swedish banks have also teamed to provide a national digital ID. “It makes conducting business easier,” says Paal Kaperdal, a fintech investor who has 24 years experiences helping large financial institutions build services. “In Norway there are some 800 government services accessible in addition to banks and private sector services using a common digital identity that is shared with the banks. It has taken ten years to get here but now with the spread of mobile devices this timetable can probably be accelerated in other countries.”

Kaperdal, who has served as an advisory capacity in both the Norwegian and Canadian national digital ID projects, says there are major differences between the programs.

“ In the Nordics we have very high trust in the government’s ability to maintain this information and we also have a high degree of transparency meaning information is shared freely but it may also mean that is shared without consent,” he says. “That model works well within the Nordics but in many other countries where the trust in government is not as strong and the trust in the system is not as strong a model that more strongly follows the privacy-by-design principles would be more scalable and the Canadian model is example of that.”

Kaperdal served as an advisor to the Canadian banks and is a founding member of Canada’s DIAC, a public-private group that sponsored the discussion and the ideas around a stronger identity model for Canada. He is also a consultant to Encap, a start-up working with Norwegian banks.

Kaperdal says the Canadian initiative’s use of blockchain sets it apart from other national initiatives because it will “reduce the availability of data honey pots (collection points of data that attract hackers) and in addition to that the owner of the information will have greater leverage on how the data should be used and who it should be shared with. The Scandinavian model does not offer that level of control.”

Canada’s Strong Privacy Focus

The Canadian government has been discussing ways of dealing with digital identity and securing privacy with banks for years. In 2012 Anne Cavoukian, who was then the Information and Privacy Commissioner of Ontario, Canada, worked on a white paper called Privacy by Design and The Emerging Personal Data Ecosystem in collaboration with Swift and several other partners.

The focus on privacy is particularly important in Canada because its citizens balk at the idea of a national identity and any type of centralized government database that would store personal data, says Rita Whittle, Executive Director, Security and Identity Management Policy, Treasury Board of Canada Secretariat.

SecureKey’s Wolfond envisions data asset sharing between consumers, banks, telcos, law enforcement agencies, credit rating agencies and all types of government and other services.

Canada’s national initiative is attracting the interest of other nations. In early November government representatives from the U.S., UK, Israel, Denmark, Japan, Mexico and Australia will meet in Canada to discuss digital identity, says Whittle.

“I am sure that other parts of the world will want to adopt what we are building here,” says Wolfond.