
Digital identities - how and why we are where we are, what it's proposed we do about it and whether it will work.

The fintech world is at last waking up to the biggest problem facing real-world businesses: how to perform KYC on customers you will never physically meet and who live lives which do not intersect with your own except for one specific purpose - the provision of a service. Of course, being tech-driven, fintechs are looking for a tech solution and they've even got a name for it - Digital Identities. The world is full of "White Papers" but there are no practical applications nearing real-world testing, so far as we can ascertain. It appears that, as in so many cases, people are starting with the tech and trying to make the problem fit it, rather than looking at the problem and trying to build tech around reality, says Nigel Morris-Cotterill.


**This article has been updated for spelling, grammar and one or two additions or amendments performed to improve clarity.** 11 November 2019.

Oh, God. He's going to talk about blockchain

Well, yes, for the simple reason that that's where all of this is ultimately going.

First, "smart contracts." If we continue with the same examples, smart contracts, in essence, are nothing more than automated versions of the letter of credit or, even, the TTP schemes. In fact, although they may not yet have adopted the technology, the drop-shipping platforms are a perfect example of the use to which this is put. OK, let's dispel any notion of artificial intelligence in this application - for this purpose the smart contract is simply a series of conditions which are either met or not. If they are met, one thing happens; if they are not met, something different happens.

See this about algorithms if you aren't sure how they work, or if you fancy a bit of light relief.

This means that, in the case of the L/C, the smart contract can be set to await authenticated instructions that the goods are on the ship and then release the payment. Smart contracts can be very simple or very complicated. You will note that in this example, there is no reference to blockchain. That's because it doesn't need or use it.
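The L/C case just described, as an added example that is not part of the original article: a contract that releases payment only on an authenticated "goods are on the ship" instruction, with no blockchain involved. The class and field names, the shared carrier key and the use of HMAC for authentication are assumptions made for illustration.

```python
import hashlib
import hmac
import json

# Assumption: carrier and contract share this key out of band (constructed value).
CARRIER_KEY = b"constructed-demo-key"

def sign(key: bytes, message: dict) -> str:
    """Carrier side: authenticate an instruction with HMAC-SHA256."""
    body = json.dumps(message, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()

class LetterOfCreditContract:
    """Hypothetical contract: a series of conditions, each either met or not."""

    def __init__(self, shipment_id: str, amount: int, carrier_key: bytes):
        self.shipment_id = shipment_id
        self.amount = amount
        self._key = carrier_key
        self.state = "AWAITING_SHIPMENT"
        self.paid_to_seller = 0

    def submit(self, message: dict, tag: str) -> str:
        if self.state != "AWAITING_SHIPMENT":
            return "ignored: contract already settled"
        # Condition 1: the instruction is authentic (constant-time comparison).
        if not hmac.compare_digest(sign(self._key, message), tag):
            return "rejected: not authenticated"
        # Condition 2: it says that these particular goods are on the ship.
        if (message.get("shipment_id") != self.shipment_id
                or message.get("event") != "LOADED_ON_VESSEL"):
            return "rejected: condition not met"
        self.paid_to_seller = self.amount
        self.state = "PAID"
        return "released"

def demo() -> list:
    # Constructed sample instructions; none of these values come from the article.
    contract = LetterOfCreditContract("SHIP-001", 10_000, CARRIER_KEY)
    loaded = {"shipment_id": "SHIP-001", "event": "LOADED_ON_VESSEL"}
    other = {"shipment_id": "SHIP-999", "event": "LOADED_ON_VESSEL"}
    return [
        contract.submit(loaded, sign(b"wrong-key", loaded)),  # forged instruction
        contract.submit(other, sign(CARRIER_KEY, other)),     # authentic, wrong goods
        contract.submit(loaded, sign(CARRIER_KEY, loaded)),   # authentic and matching
        contract.submit(loaded, sign(CARRIER_KEY, loaded)),   # replay after settlement
    ]
```

The contract is only as trustworthy as the key holder: whoever controls the carrier's key decides when the payment condition counts as met.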

But, while they are not specifically related to blockchain, they can be integrated with it and it's when that happens that some of the really clever stuff happens.

In November 2017, we published a detailed explanation (in 8 parts) of blockchain and related matters. Read it here

So, if you have read that, and the Uncle Bert and Auntie Gert piece about algorithms, you know everything you need to know about blockchains and algorithms. So how does the clever stuff happen with smart contracts and why is this "trustless?" Well, that is where blockchains come in because there is no need for the paying party to hand over the payment to a TTP. The money stays in his account until the contract terms are satisfied and then the payment happens without the intervention of a third party. That means there is no trust account, no one acting as a trustee and therefore it's "trustless" - but even though we can explain it, it's still a stupid use of terminology because, as you saw, the explanation of why it's technically correct is long and complicated and the vast majority of people, who don't get involved with trusts, simply assume it means that the parties don't trust each other, which is a perfectly sensible understanding to come to.

Identity is the easy part...

If one is looking at the question of identity simpliciter, then the challenges are, obviously, immense. There are xTech applications that move onto mobile the use of a physical identity card. This is fine for age-limited transactions such as buying tobacco, alcohol, getting senior citizen discounts or going to see an adult film and, if properly executed, can overcome the problems of counterfeiting associated with physical cards. They could, in the future, be linked to events or other activities requiring tickets or disabled parking to unlock barriers to prevent able-bodied people using the spaces. There is certainly a call for this after security incidents within sports and entertainment events but it will work only if there is a commercial imperative and that means the collecting of data by ticketing companies for whatever purpose they think fit.

But even if the systems are proving that a person is who he says he is (which, as we've seen, is a doubtful proposition), that is not the same as doing effective KYC or CDD for financial crime risk management and compliance purposes. For that, detailed personal history and financial information is required. That's a long, long way from saying "I've uploaded a copy of my passport and something with my address on it and you can check it to see who I am".

That's where a conflict arises: much of that data is held confidential by governments and financial services businesses by operation of law. Passing information to the platform could be a criminal offence. It is therefore necessary for customers to give permission for their information to be released to ... a company they've never heard of, don't know where it's based and cannot check its veracity, if a global system is to be adopted as envisaged by the Basel Institute.

There is a payments system operating in the EU. It's based in Germany but that doesn't mean that all its programming is done there. It's a FinTech that literally does nothing except act as a middle-man for inter-bank transactions. It works by debiting money from the sender's bank account but it doesn't do it by credit or debit card - it takes the customer's banking credentials including the password. Amazingly, it is gaining significant traction amongst financial businesses.

However, this approach might be something that a central KYC register might consider as a way of obtaining information about accounts without going through the hoops of working around confidentiality, if customers are happy with handing their banking credentials over to a company that may not have the world's best security. Not that even that would be any guarantee.

There are no new problems - but the simple fact is that there are no new ways of dealing with them. Simply putting a paper-based system onto an app might be convenient but it adds no value to the KYC/CDD process.

Centralisation v Decentralisation

Although, often, these two terms are used as if they are the only terms that apply, there is a third, equally important term. We need to draw a distinction between "decentralised" and "distributed." This is a core of blockchain technology.

There is a dislocation between the language of techies and the common use of expressions. The techies talk of blockchain-based applications as decentralised and, on a purely technical level, they are right, for some applications. But outside their little circle, there is a clear centralisation. First, the database is a common database that is replicated in many locations - that's why it's called a "distributed database": its appeal from a security perspective is that once data is on a chain, it is almost impossible to modify but that's a function of the cryptology more than the chain itself. From a legal and common-sense perspective, it is not decentralised, it is replicated. There is, for example, only one bitcoin and bitcoin has only one register. The fact that it's processed and stored on millions of machines around the world does not affect that basic truth. But bitcoin, for example, is decentralised in the sense that there is no single central point of contact. In simple terms, there is no "owner."

That is not at all the same as the proposals for digital identity. True, no matter how many copies there are, there is only one record. However, in this case, there will be someone who, insofar as the database is concerned, has control over the data which is added or updated (which is not the same as amended). So there is distributed access but centralised control. This militates against the tales that are told when blockchain "solutions" are proposed. While for all practical purposes, existing data is tamper-proof, the addition of new data is only as secure as the people or process adding it. Is it secure if any part of the process is delegated to a data bunny being paid USD100 per month?
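The distinction drawn above between tamper-evident existing data and the weaker guarantee on newly added data, as an added example that is not part of the original article. The register, its writer list and the record fields are hypothetical, and a plain SHA-256 hash chain stands in for a real blockchain.

```python
import hashlib
import json

GENESIS = "0" * 64

def block_hash(prev_hash: str, record: dict) -> str:
    """Each block's hash covers its record and the previous block's hash."""
    body = json.dumps(record, sort_keys=True)
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()

class Register:
    """Hypothetical identity register: anyone may verify, only `writers` may add."""

    def __init__(self, writers: set):
        self.writers = writers
        self.blocks = []  # each block: {"prev", "record", "hash"}

    def append(self, writer: str, record: dict) -> bool:
        if writer not in self.writers:  # centralised control over additions
            return False
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        entry = dict(record, added_by=writer)
        self.blocks.append(
            {"prev": prev, "record": entry, "hash": block_hash(prev, entry)})
        return True

    def verify(self) -> bool:
        """Recompute the chain; this checks integrity, not whether records are true."""
        prev = GENESIS
        for block in self.blocks:
            if (block["prev"] != prev
                    or block["hash"] != block_hash(prev, block["record"])):
                return False
            prev = block["hash"]
        return True

def demo() -> dict:
    # Constructed records; the names are placeholders.
    reg = Register(writers={"operator"})
    reg.append("operator", {"subject": "subject-1", "passport_checked": True})
    outsider = reg.append("stranger", {"subject": "subject-2", "passport_checked": True})
    # A careless clerk with operator access records a check that never took place.
    reg.append("operator", {"subject": "subject-3", "passport_checked": True})
    false_record_verifies = reg.verify()
    reg.blocks[0]["record"]["subject"] = "someone-else"  # edit existing data in place
    return {"outsider_accepted": outsider,
            "false_record_verifies": false_record_verifies,
            "edit_detected": not reg.verify()}
```

The chain flags the in-place edit and refuses the outsider, yet it verifies cleanly with the unchecked record in it, which is the gap the paragraph describes.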

The wrap up

Now I'm going to link up all the apparently random things in this article.

First, information stored on a blockchain is, for practical purposes, entered, verified and re-verified by a peer-to-peer network and that is not subject to the disadvantages of human interference as a peer-to-peer reference system would be. So you can tick off one of Christopher Allen's points. It is encrypted (indeed it's the cryptography that has made blockchain records worthwhile) so that ticks off Allen's second point. It does not require a trusted third party, nor an escrow or "trust" account (thereby creating the linguistically dubious term "trustless") and making another tick.

Blockchains can record any kind of data because they are, simply, databases.

We know from the scalability of crypto-currencies that extraordinary numbers of records can be created and managed - no one knows how many but there is little doubt that one for every living person would not create a huge technical challenge. It's obvious, then, that there are no technological downsides, that a blockchain can be created with authenticated information which can easily cope with providing verifiable identities for everyone on the planet. Yay.

Er, no. Because in the excitement of seeing what the tech can do, we've failed to return to the critical points at the beginning of this article. There is a clear mismatch between what the tech can do and the organisational issues that are required to make it do it.
