Presented By Goode Intelligence #IDSumLon2020

Presented by Goode Intelligence
#IDSumLon2020
30th January 2020

OUR SPONSORS & PARTNERS – Thank You!

OPENING KEYNOTE, 10:25 – 11:00
Open Identity & Open Banking
Nick Mothershaw, Executive Director, Open Identity Exchange
Chris Michael, Head of Technology, Open Banking & CEO, Ozone
#IDSumLon2020

The Identity Ecosystem Status, January 2020

ID Ecosystem – Global Model
[Diagram labels: OIX Interoperability Framework; Identity Services; National Trust Frameworks; Trust Schemes; ID Services; Identity Providers; ID Brokers; Relying Parties (RPs)]

ID Ecosystem – Regional Adoption
[Diagram labels: OIX Interoperability Framework; Identity Services; National Trust Frameworks; Trust Schemes; ID Services; Identity Providers; ID Brokers; Relying Parties (RPs); Users; Scheme]

ID Ecosystem – UK
[Diagram labels: OIX Interoperability Framework; Identity Services; UK Trust Framework; Financial Services Scheme; Government Scheme; Gambling Scheme; Travel Scheme; Other Sector Schemes; ID Services; Identity Providers; ID Brokers; Relying Parties (RPs); Users; Scheme; Market Adoption]

Trust Framework Fundamentals
Interoperability: for users and relying parties
ID TRUST
- Trustmark
- ID Proofing and Verification
- Identity Information Package
- ID Authentication
- Fraud and Cyber Controls
- Consumer Information and Protection
- Security and Technical Requirements
- User Experience
- Legal and Performance Requirements
- LoAs, Attributes, ID Evidence

UK Government activities
- Call for Evidence
- Trust Framework
- Access to Government Data
- Competent Authority
- Digital Identity Unit
- Commercial Framework (for Government)
- Regulatory Acceptance
- Anti-Money Laundering
2021

But who is going to use Digital IDs? And When?
[Chart labels: TRUST, VOLUME; sectors: GOVERNMENT, TRAVEL, EMPLOYMENT, FINANCE, GAMBLING, INSURANCE, ADULT, UTILITIES, RETAIL]
What’s stopping them?
- Critical Mass of Digital IDs
- Regulatory Acceptance
- Business Case
- Liability Models
- What happens if it goes wrong?

How will a UK Trust Framework, DIU and an ID Competent Authority help accelerate Digital ID adoption?
- Regulatory Acceptance
  - DIU will make sure sector regulators allow Digital IDs to be accepted
  - Finance KYC AML already being addressed
  - Pension Dashboard consultation response endorses use of Digital ID to UK Framework Standard (GPG45)
  - What sectors next?
- Business Case
  - Cost to operate will be better understood
  - Regulatory acceptance will mean IdPs can see line of sight to revenue
- Liability Models / What happens if it goes wrong?
  - Framework will define the HIGH LEVEL rules
  - Will Competent Authority be the ultimate arbiter?
  - Commercial / Legal details will PROBABLY be down to Trust Schemes / ID Brokers
- Critical Mass of Digital IDs
  - Framework COULD make it easier for those with millions of IDs to enter the market as ”Identity Providers”

Who is going to be an ID sruptor

What is OIX doing?
Working Groups, Analysis, Execution
- Consumer Principles and Trustmarks
- Relying Party Sector Focus Groups
- Trust Framework Interoperability Fundamentals
- Reviews of UK Trust Framework DRAFTS
- Role of an ID Competent Authority
- OIX Directory
- Architecture Interoperability
- Interoperability and Standards
- Trust and Liability
- Inclusion

Unlocking the potential of open banking
30 Jan 2020
Chris Michael
Open Banking Limited 2020

Open Banking is a global construct

Regulatory v market drivers
- NCAs
- CMA
- CMA Order
- PSD2
- Market Needs

The OBIE Standard
1. No shared credentials
2. Same AuthN Methods
3. No unnecessary steps or friction

Trust Framework
[Diagram labels: QTSP 1, QTSP 2, QTSP 3; Directory; Account Providers; Authorised Third Parties; NCA 1, NCA 2, NCA 3]

Open Banking Timeline (2016, 2017, 2018, 2019, 2020)
- Sep 2016: OBIE formed
- Jan 2018: PSD2 comes into force
- Mar 2019: APIs to be available for testing
- Sep 2019: PSD2/RTS deadline
- Mar 2020: FCA adjustment period ends
- Feb/Mar 2020: revised CMA order plan
[Timeline bars: R/W Standard v1, CMA9 implementation; R/W Standard v2, CMA9 implementation; R/W Standard v3.1; v3.1.1 - 3.1.x, CMA9 other ASPSP implementation; v3.2.x, TBC, CMA9 other ASPSP implementation; AISP adoption; PISP and CBPII adoption]

The UK Ecosystem (Dec 2019)
- 75 ASPSPs
- 100 TSPs
- 300 TPPs (150 authorised/live)
- 100 customer facing apps (live or close to live)
- 1m customers (CMA9)
- 250m API calls/month (CMA9)
- 50k payments (CMA9)

Example use cases
- Personal Finance
- Business Accounting
- Unbundling Overdrafts
- Better Lending
- Ecommerce
- International Payments

What’s next?
- Evolution of the standard: To include regulatory changes, CoP/CRM in PISP journeys, and Variable Recurring Payments
- Implementation improvement: Ongoing monitoring and support, with a focus on reduced authentication friction, and conformance/certification
- Ecosystem growth: Activity and services to drive adoption by ASPSPs, TPPs and TSPs, thereby enabling more PSU propositions
End customer benefits envisaged by the CMA Order

Identity standards should enable/support
- Combining with/supplementing PSD2 services
- BankID services
- Open Finance (inc non PSD2 accounts)
- Smart Data
- Aligned to DIU and OIX
- Interoperability with other global standards

Thank you
www.openbanking.org.uk

ANALYST VIEWPOINT, 11:00 – 11:30
Latest trends from the World of Digital Identity
Alan Goode, CEO & Chief Analyst, Goode Intelligence
#IDSumLon2020

100,000 Years Ago: Shells

5,000 Years Ago: Tattoos

3800 BC: Population Census

450 BC: Passports

Recent Times: The return of the blue passport

The Picture Today: Evolution not Revolution
“We are in a state of transition where we will have a combination of old and new Identity – physical ID documents and digital Identity”
David Britton, Experian

Digital Identity & Document Verification: Solving an Immediate Problem

Digital Identity & Document Verification: Market Drivers & Adoption

Digital Identity: Verified Digital Identity
A digital identity that is issued by an identity issuer or provider who has a high level of assurance of the authenticity of the individual

Digital Identity Models
Source: Gemalto, a Thales company

PANEL, 11:30 – 12:15
Diversity & Inclusion in Identity
Chair – Emma Lindley, Co-Founder of Women in Identity
Schehrezade Davidson, CEO of Tricerion Limited
Charlotte Hackett, Associate Director of psd Group
Cindy White, Vice President, Global Marketing of Mitek Systems
#IDSumLon2020

KEYNOTE, 12.15 – 12:40
Bridging the Onboarding Journey Together with Frictionless Authentication
Mark Matthews, Vice President UK & Ireland, Daon
#IDSumLon2020

Bringing the Onboarding Journey Together with Frictionless Authentication
Mark Matthews, VP, UK & I

About Daon
THE MOST TRUSTED NAME IN BIOMETRIC IDENTITY ASSURANCE FOR OVER TWO DECADES
- Founded in 2000 by Dermot Desmond
- Cross-Channel Multi-Factor Biometric Authentication and Onboarding Platform
- Millions of Users on 6 Continents
- 1 Billion identities we’ve been chosen to secure
- 100 Million authentications performed each day
- 160 groundbreaking technology patents
- 150 major financial firms using our technology
- 100 biometric algorithms
Offices: Washington DC, USA (HQ); London, England; Dublin, Ireland; Canberra, Australia; Hong Kong, SAR China; Belgrade, Serbia; Lagos, Nigeria; Tokyo, Japan

What’s Driving Simpler Onboarding?
- #1: The #1 reason why banking consumers abandoned an online application was because “it took too long to complete.” (Financial Brand)
- 60M: The average financial organization spends 60m annually on basic KYC needs (Thomson Reuters)
- 4k: A typical bank onboarding process costs up to 4,000 per new customer (Goode Intelligence)
- 50%: 50% of clients surveyed about their customer service indicated that in the last 12 months, they had to re-supply the bank with copies of their identity documents (Deloitte)
- 97%: Abandonment rates for online banking applications are at an all time high (Forrester)
- 43%: 43% of millennials find that it is easier to set up an account with a fintech mobile app than a checking account at a bank (EY)

Your Identities for Sale!
- Social Security Number: 1
- Credit Card Number: 5-30
- Online Bank Details: 20-200
- Driver’s License: 20
- Medical Records: 1-1000
- Passport, Selfie & Utility Bill: 60

Welcome to New Zealand!
- Population: 4.78 Million
- Fraud Ranking: 3rd
- Exercise Ranking: 154th

Introducing RealMe
All from the Comfort of Home
- Renew a driver’s license or passport
- Open a bank account
- Apply for student loans

The In-Person Abandonment Problem
[Bar chart: Abandonment, In Person Capture; value shown: 43%]

Secure Onboarding from the Couch
FRICTIONLESS, SECURE Digital Identity Establishment From the Couch
- Web or mobile app compares your selfie to the Government’s trusted source image
- Passive and active liveness assessments confirm you’re a real person
- Human review console facilitates adjudication of close calls

Omni-Channel Engagement
Omni-Channel: Branch, Mobile, Web

Two Sides of Identity

The Role of Biometrics – for Corroborating Identity
- Biometric Blacklists to detect and prevent repeat fraudsters
- Biometric Searching to search for duplicate registrations
- Biometric Liveness Checks to ensure it’s a real person (not photos, videos, masks, etc.)
- Biometric Authentication to enable strong customer authentication

Case Study: Cross-Channel Biometric Authentication and e-KYC
At a Glance:
- Easy-to-use service
- Meets e-KYC requirements
- Provides a future-proofed, best-of-breed biometric engine capability
- Eliminates expense and complexity
- Immediate cost savings

App-only Bank: Atom Bank
First UK Bank to provide a choice of login options:
- Passcode – choose a six-digit passcode
- Face – Take a selfie and you can use any device with a camera
- Voice – Record and enroll your secure pass phrase

A Holistic View of Digital Onboarding and Ongoing Authentication
According to Gartner, Identity Proofing and Corroboration (IPC) is the combination of activities such that:
- The real-world identity exists
- The presentation must exhibit genuine human presence (i.e., the person is the authentic possessor of that identity and that’s confirmed in real time)
- This process aligns the real-world identity, the digital identity and the person submitting the identity claim

The Role of Biometrics: Seamless, Cross-Channel Identity Journeys

For more information:
www.daon.com
Mark Matthews, VP, UK & I
mark.matthews@daon.com
44 7967 110 164

SUMMIT KEYNOTE, 13:30 – 14:05
Proving & Managing Customer Identity: A Great Customer Experience?
Ray Hockley, Senior Pre-Sales Solution Manager, Hitachi Europe
Simon Wood, CEO, Ubisecure
#IDSumLon2020

Proving and Managing Customer Identity: A Great User Experience?
Ray Hockley, Head of Presales, Hitachi
Simon Wood, CEO ecure.com

Identity is complex

Customers are different, scenarios are broader

Friction is the enemy of done

How do we deliver what the customer demands
The customer and legislation demand Security
- Loss of data
- Stolen logins
- Password stuffing
- Confidentiality
- GDPR, PSD2 .
[Diagram labels: Security, CUX]

How do we deliver what the customer demands
The customer wants a great user experience
- Fast access to their information
- Easy to access services
- Simple to use
- Personalized experience
[Diagram labels: Security, CUX]

Identity management
Using a simple Biometric solution
- Customer Retention: Cart abandonment; Fast entry; Correct resources
- Removal of Password management: Costs; Effort; Attack vector; Customer frustration
- Know who is making transaction: Guarantee Identity; Reduce fraud; Best user experience
[Diagram labels: Improvement; Customer; Security Improved; Transaction completion; Satisfaction; Process; Communication; Strategic; Experience]

What is VeinID Five?
- Step 7: Customer SSO session enabled
- Step 8: Customer provisions resources in active SSO session
- Step 9: Customer logs out of active SSO / session time-out

Joint Proposition Tagline & Underlying Visions
FAST, SIMPLE, SECURE, BIOMETRIC, CUSTOMER IAM
To be a pioneer in biometric Identity management creating proven, user friendly and flexible solutions utilising 25 years of Hitachi’s Finger Vein technology.

Current-State User Journey (Standard Authentication)
[Diagram labels: Mortgage, Life Insurance, Pension]

Future-State User Journey (OIDC Hand Gesture Authentication)
[Diagram labels: Mortgage, Life Insurance, Pension]

Why Are We Partnering Together – a Joint Proposition
FAST, SIMPLE, SECURE, BIOMETRIC, CUSTOMER IAM
A unique biometric authentication and identity management solution offering a superior user experience, reducing risk of breach, whilst allowing your enterprise to leverage Identity-as-a-Service to drive value and scalability.
First column:
- Proven Identity-as-Service cloud
- On-premise identity management platform
- OpenID Connect infrastructure
- Single-Sign-On and Multi-Factor Authentication
Second column:
- Proven Finger Vein biometric technology
- Hardware less VeinID Five biometric tools
- OpenID Connect infrastructure
- Single-Sign-On and Multi-Factor Authentication

What are the Intended Benefits of Our Joint Proposition?
FAST, SIMPLE, SECURE, BIOMETRIC, CUSTOMER IAM
A unique biometric authentication and identity management offering improving user experience, reducing risk of breach whilst allowing your enterprise to leverage Identity-as-a-Service to drive value and scalability
Categories: UX, Cost, Security, Control
- Improve user experience for retention and capture
- Reduce costs associated with password stuffing
- Remove cost of resetting passwords
- Reduce direct & reputational costs of password breaches
- Remove identity & password management overheads
- Move to scalable platform-based solutions
- Reduce / eliminate multiple logins
- Enhance control of assets / resources available to users

Summary
Customer Experience and Security
- Fast access
- Non-Repudiation
- Great user experience
- Access from anywhere
- Access everything available
- Reduced Phishing and stuffing
- Single sign on
- Password Removal

Thank you
Hitachi Europe Limited
T: 44 (0) 1268 585000
E: veinid@hitachi-eu.com
W: hitachidigitalsecurity.com
Ubisecure Inc
T: 44 (0) 7718 232602
E: Jonathan.clark@Ubisecure.com
W: Ubisecure.com

INNOVATION SHOWCASE, 14:05 – 14:30
Mark Harvey, Chief Revenue Officer, IPification
#IDSumLon2020

M-Identity Remastered
Passwordless Tomorrow Begins Today. No credentials, tokens, SMS OTPs, header enrichment, or face scans. A single tap with unparalleled security.
www.ipification.com

First Passport – UK
King Henry V – Granted the first passport to allow his subjects to travel for trade purposes.
First Bio-Metric Passport
Malaysia 1998 – First Country in the World to launch Bio-Metric Passport

First Ever Telephone: ”Mr. Watson, Come Here”
First Ever Mobile Phone: Dyna TAC 8000x

Benefit Vantage Limited and IPification
- IPification is the advanced Mobile Identity brand within Benefit Vantage Limited, a Hong Kong-based company also running initiatives in Cyber Security solutions, Data Protection & Backup and Mobile Content Distribution
- 55 staff in six locations – USA, Hong Kong, Belgrade, Vietnam, Schaffhausen (CH), Sarajevo, UK, Brazil
- IPification solution offers IP-based Operator Discovery, Seamless Authentication, Device Verification, SIM and Device Swap and Location/Proximity solutions all based on a simple, fast and low-cost deployment model
- Live implementations with 7 mobile operators on 3 continents; 50 mobile operators currently in implementation phase
www.ipification.com

IPification – How It Works
Overview of the IPification technical solution
January 2020
www.ipification.com

The IPification ‘Golden Triangle’
IPification GMiD Box:
- Holds hashed unique values for subscriber, device and SIM
- Persistent hash (no change) enables device and SIM verification use cases
- Change to ANY value flags change to subscriber status
- IMSI and IMEI changes create SIM Swap and Device Swap signals
The three identifiers:
- IMEI (international mobile equipment identity): Mobile Handset identification number. Unique globally.
- MSISDN (Mobile Station International Subscriber Directory Number): Subscriber Mobile Number. Unique globally with country prefix.
- IMSI (international mobile subscriber identity): SIM Card identification number. Unique globally.
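One way the hashed-triangle comparison described on this slide could work, as an added example that is not IPification's code: a store keyed by a hash of the MSISDN keeps hashes of the IMSI and IMEI and emits a signal when either changes. The class, signal names and sample identifiers are hypothetical, and a keyed hash (HMAC-SHA-256) is assumed because 15-digit identifiers are easy to brute-force from a plain hash.

```python
import hashlib
import hmac


def keyed_hash(key: bytes, label: str, value: str) -> str:
    """HMAC-SHA-256 of one identifier; the label keeps the three fields apart."""
    return hmac.new(key, f"{label}:{value}".encode(), hashlib.sha256).hexdigest()


class SubscriberChangeStore:
    """Hypothetical store: holds only hashes, never the raw identifiers."""

    def __init__(self, key: bytes):
        self.key = key
        self.records = {}  # hashed MSISDN -> hashed IMSI/IMEI plus change times

    def observe(self, msisdn: str, imsi: str, imei: str, now: int) -> list:
        """Record the current triangle and return the change signals it raises."""
        subscriber = keyed_hash(self.key, "msisdn", msisdn)
        imsi_hash = keyed_hash(self.key, "imsi", imsi)
        imei_hash = keyed_hash(self.key, "imei", imei)
        record = self.records.get(subscriber)
        if record is None:
            self.records[subscriber] = {
                "imsi": imsi_hash, "imei": imei_hash,
                "sim_changed_at": None, "device_changed_at": None,
            }
            return ["FIRST_SEEN"]
        signals = []
        if record["imsi"] != imsi_hash:      # same number, different SIM card
            record["imsi"] = imsi_hash
            record["sim_changed_at"] = now
            signals.append("SIM_SWAP")
        if record["imei"] != imei_hash:      # same number, different handset
            record["imei"] = imei_hash
            record["device_changed_at"] = now
            signals.append("DEVICE_SWAP")
        return signals

    def sim_swapped_within(self, msisdn: str, window_seconds: int, now: int) -> bool:
        """Check a relying party can make before trusting the number for login."""
        record = self.records.get(keyed_hash(self.key, "msisdn", msisdn))
        if record is None or record["sim_changed_at"] is None:
            return False
        return now - record["sim_changed_at"] <= window_seconds


# Constructed sample identifiers (not real subscribers or devices).
MSISDN = "447700900123"
IMSI_OLD, IMSI_NEW = "001010000000001", "001010000000002"
IMEI_OLD, IMEI_NEW = "350000000000017", "350000000000025"

if __name__ == "__main__":
    store = SubscriberChangeStore(key=bytes(range(32)))  # constructed demo key
    print(store.observe(MSISDN, IMSI_OLD, IMEI_OLD, now=1000))
    print(store.observe(MSISDN, IMSI_NEW, IMEI_OLD, now=3000))
    print(store.sim_swapped_within(MSISDN, 3600, now=4000))
```
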

The IPification Solution
[Diagram labels: Global Billing dashboard; SP; IPification Client API (OIDC); IDGW; MNO; Single API integration; Smart Discovery]
Technical / Commercial
- One OIDC Client API for SP
- Minimal cost for mobile operator
- Simple to deploy (no telco ID Gateway required)
- Full transparency of real-time transactions and stats (individual dashboards)
- No need for Telco to expose separate APIs
- Immediate revenues – established ecosystem

SMS one-time code replacement
IP-based phone number verification and smart operator discovery.
[App screen mock-ups: “Login to Your Application” with a Phone Number field and CONFIRM button (“By clicking CONFIRM you are agreeing to the: Terms and Conditions, Software License, Privacy Policy and all other legal documents.”); “Connecting: Authenticating your phone”; “Success! You’ve been authenticated”; “Sorry, this number is not matching your current device. Please double check.”]

SIM Swap Protection
Real-time flagging of SIM change in the user device. Proactive notification available.

Proximity Location and Roaming Status
Is your customer currently roaming? If Yes, in which country?
Returns True or False value if user is within predefined distance from a target location (ATM location, PoS, etc.).

IPification GMiD Box features enabled
1. IP-based phone number verification
2. Seamless authentication
3. SIM Swap protection (proactive available)
4. Smart IP routing/discovery
5. Carrier Billing authentication
6. Device change detection (proactive available)
7. Proximity location
8. Roaming flag (proactive available)

Thank You
- Harry Cheung, Founder & President: Serial entrepreneur with more than 20 years of experience in cybersecurity and data protection, Top 10 Business Entrepreneurs in China – "Person of the Year in 2008”
- Stefan Kostic, Chief Executive Officer: 11 years of experience in the FinTech & Telecom industries, ex C-level in Carrier Billing industry, Best Global Direct Carrier Billing (DCB) Aggregator in 2017 Award and Tier 1 DCB vendor.
- Aleksandar Brankovic, Chief Technology Officer: ICT professional with more than 15 years of extensive experience in anything technology-related.
- Mark Harvey, Chief Revenue Officer: FinTech & Telecom industries business leader for more than 20 years, ex-GSMA Mobile Connect expert, top 100 influencers in Identity.
- Jim Small, SVP Business Development: Over 25 years’ experience driving delivery of technology-based new service in Telecom industry, ex Digital innovation leader in Orange UH and Orange Group Technocentre.
www.ipification.com

KEYNOTE, 14:30 – 14:50
Use of Digital Identity at the Border: Advantages & Risks
Frank Smith, Chair, ENLETS Mobile
#IDSumLon2020

Digital ID at the Border: Advantages and Risks
Frank Smith
30 January 2020

- Security: for the border; for the country, against multiple / emerging threats
- Facilitation: efficiency and throughput for passengers eligible to enter; volumes are projected to double in 20 years
- Cost effectiveness: budgets aren’t limitless; austerity is real

?

frank@bidborough.com

KEYNOTE, 14:50 – 15:25
People and Technology: Creating Certainty in an Uncertain World
Joe Bloemendaal, Head of Strategy, Mitek Systems
#IDSumLon2020

‘Creating certainty in an uncertain world.’
Joe Bloemendaal, Identity Verification Strategist @ Mitek Systems

in Cinemas 2004
2020 Mitek Systems Inc. Proprietary and Confidential

In a recent report, Gartner wrote: ‘. We therefore recommend that identity proofing solutions that rely on shared secret verification, such as out of wallet knowledge questions or memorable personal data, be phased out.’

5,000 startups worldwide, up from 2,000 just three years ago.
First 9 months of this year VC poured 2,9B into neobanks. Up from 2,3B last year.
Source: McKinsey


HI & pxdocument verification process

AGENT ASSIST
auto

So do the numbers still work out?
Let’s have a look .

current / with MobileVerify
[Flow diagram labels: NTB*; Fail KBA; Set app in branch; Complete in branch; Approved; MITEK flow; Gross loss; Success rate in branch route after KBA fails; Success rate in digital route after KBA fails. Values shown: 350K, 150K, 90K, 260K, 330K, 100%, 85%, 15%, 9%, 6%, 94%]

Some quick assumptions to estimate ROI
Current costs and losses
- Average Cost of Acquisition for a current account client: 50
- Average Customer Lifetime Value current account holder: 250
Current direct costs and opportunity loss is:
1. Direct costs 260.000 x 50 = 13.000.000
2. Opportunity loss 260.000 x 250 = 65.000.000
Total per year of: 78.000.000
Investment in remote KYC services
- One-time set up (capex): 40.000,00
- Transactions 260.000/yr @ 2,00 (opex): 520.000,00
- Total investment for 3 years: 1.680.000
- Nr of approved customers 945.000 x CLV: 235M
- ROI: massive

1. eID(V) seems stuck between a rock and a hard place.
2. Online identity verification will rely on a combination of experts and machines for a while.
3. It’s worth doing well because the numbers add up and it is the fundament to all other (future) interaction with customers.

Joe Bloemendaal
jbloemendaal@miteksystems.com
31.615095202

KEYNOTE, 15:25 – 15:45
The Role of Government Identity In Commercial Identity
Andrew Churchill, Security Consultant and Researcher
#IDSumLon2020

Goode Intelligence
The role of Government Identity in Commercial Verification
Rise London, Barclays
30th January 2020
Andrew Churchill, Security Consultant
Lead Author, British Standards Institution’s Digital Identification, Strong Customer Authentication

Government or Commercial ID?

Intelligence?

ID & Security Standards
Relations to a range of Legislative & Regulatory Developments
- General Data Protection Regulation (GDPR): SARs – Subject Access Requests
- Anti-Money Laundering Directive 5 (AML5): SARs – Suspicious Activity Reports
- Network Information Systems Directive (NIS): Access Control
- Revised Payments Services Directive (PSD2): SCA - Strong Customer Authentication & TPPs - Third Party Providers

ID & Security Standards
Real-time updates?
- GDPR – DPA 2018
- Anti-Money Laundering Directive 5 (AML5)
- Revised Payments Services Directive (PSD2): TPPs - Third Party Providers
How often are TPP directories updated/TPPs revoked?

Regulatory History: Genesis of the Standard
Electronic Identification, Authentication, and Signatures (Seals) Regulation (eIDAS) & Revised Payments Services Directive (PSD2) – latter in force from 01/08/15, as EBA 2014 SecuRe Pay
‘Strong Authentication’ - Mandates multi-factor authentication, but now brings in some interesting caveats, as one or both of these factors:
1) must be mutually independent, i.e. the breach of one does not compromise the other(s);
2) should be non-reusable and non-replicable (except for inherence);
3) designed in such a way as to protect the confidentiality of the authentication data;
4) not capable of being surreptitiously stolen via the internet.

Regulatory History: Genesis of the Standard
Final PSD2 Legislation at Ratification adds:
‘For remote transactions, such as online payments, the security requirements go even further, requiring a dynamic link to the amount of the transaction and the account of the payee, to further protect the user by minimising the risks in case of mistakes or fraudulent attacks.’
WTF?!

Regulatory History: What Techniques Fit?!
Could use a CAP reader to digitally sign every transaction?
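The "dynamic link to the amount of the transaction and the account of the payee" quoted above, as an added example that is not taken from PAS 499, PSD2 or any CAP reader specification: the authentication code is an HMAC over a one-time challenge plus the amount and payee, so changing either field, or replaying the code, makes verification fail. The function names, the 8-digit truncation, the per-customer shared key and the sample account numbers are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
from decimal import Decimal


def canonical_payment(amount: str, currency: str, payee_account: str) -> bytes:
    """Serialise the fields the code is bound to, with no ambiguity."""
    value = Decimal(amount)
    pence = value.quantize(Decimal("0.01"))
    if value != pence:
        raise ValueError("amount has more than two decimal places")
    fields = [str(pence), currency.strip().upper(),
              payee_account.replace(" ", "").upper()]
    # Length-prefix each field so adjacent fields cannot run into each other.
    return b"".join(len(f).to_bytes(2, "big") + f.encode("ascii") for f in fields)


def authentication_code(key: bytes, challenge: bytes, amount: str,
                        currency: str, payee_account: str) -> str:
    """Code the payer's device shows after the payer confirms amount and payee."""
    message = challenge + canonical_payment(amount, currency, payee_account)
    mac = hmac.new(key, message, hashlib.sha256).digest()
    # Truncated to 8 digits for manual entry (an assumption, not the CAP algorithm).
    return f"{int.from_bytes(mac[:4], 'big') % 10**8:08d}"


class PaymentAuthoriser:
    """Bank side (hypothetical): issues one-time challenges and checks codes."""

    def __init__(self, key: bytes):
        self.key = key
        self.open_challenges = set()

    def start(self) -> bytes:
        challenge = secrets.token_bytes(16)
        self.open_challenges.add(challenge)
        return challenge

    def confirm(self, challenge: bytes, code: str, amount: str,
                currency: str, payee_account: str) -> bool:
        """Verify the code against the payment that is about to be executed."""
        if challenge not in self.open_challenges:
            return False                      # unknown or already used: no replay
        self.open_challenges.discard(challenge)
        expected = authentication_code(self.key, challenge, amount,
                                       currency, payee_account)
        return hmac.compare_digest(expected, code)


def demo() -> dict:
    key = bytes(range(32))                    # constructed demo key
    payee = "GB00 TEST 0000 0000 0000 01"     # constructed account number
    other = "GB00 TEST 0000 0000 0000 99"     # constructed account number
    bank, results = PaymentAuthoriser(key), {}
    c1 = bank.start()
    code = authentication_code(key, c1, "125.00", "GBP", payee)
    results["genuine"] = bank.confirm(c1, code, "125.00", "GBP", payee)
    results["replayed"] = bank.confirm(c1, code, "125.00", "GBP", payee)
    c2 = bank.start()
    code = authentication_code(key, c2, "125.00", "GBP", payee)
    results["payee_changed"] = bank.confirm(c2, code, "125.00", "GBP", other)
    c3 = bank.start()
    code = authentication_code(key, c3, "125.00", "GBP", payee)
    results["amount_changed"] = bank.confirm(c3, code, "1250.00", "GBP", payee)
    return results


if __name__ == "__main__":
    print(demo())
```
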

Regulatory Strategy Update, November 2016
Payment Systems Regulator’s Strategy Forum
Solution 4: Guidelines for Identity Verification, Authentication and Risk Assessment
5.75. We will align with current industry initiatives (e.g. Mobile Identity Authentication Standard (MIDAS) or Electronic Identification and Signature (eIDAS)) during the initial design phase.

Regulatory Strategy Update, July 2017
Payment Systems Regulator’s Strategy Forum
Solution 7: Trusted KYC Sharing
Blueprint for Future of UK Payments
- Trusted data
- KYC as a utility
- Financial crime intelligence
BEIS Consultation closed August 2019
Next steps due shortly (post-purdah)

Real-time Checks on Companies
Importance of real-time intelligence in securing against fraud & AML
Credit,Kompli-GlobalQED

PAS 499
British Standards Institution (BSI) Publicly Available Specification (PAS)
Code of Practice for Digital Identification and Strong Customer Authentication
499 – why 499?

Industry Response: UK Finance Adoption of PAS 499, September 2018
Announcement that PSR agree that PAS499 meets UKF deliverable

Standard Publication: Final Publication of PAS 499, July 2019
Financial Sector joined by HM Government in support
- Cabinet Office
- National Cyber Security Centre
- Barclays
- Citibank
- Lloyds Banking Group
- British Telecom
inter alia

Government Crime Plan Launched: Publication of Economic Crime Commission plan, July 2019
- Inter-departmental
- International
- Public/Private Partnership
Alongside Asset Recovery Action Plan

Regulatory Updates: SCA milestones and ‘Mock Exams’, October 2019
Yet many organisations still not taking it seriously
- Financial Services themselves
- Security solutions to FS companies
- Tech providers to Security solutions
- Investors in all of the above
Liabilities? Penalties under
- GDPR?
- AML5?
- NIS?
- PSD2

Real-world Contexts: Caveat Emptor
- Could use a CAP reader to digitally sign every transaction? Too much security and lose customers
- Could just use OTP over SMS? Too little security and lose customers
- Could use biometrics? Poor implementation and lose customers

Real-world Contexts
BBC News website, 18th October 2019

Real-world Contexts
Barclays Bank Customer Text Alert, 13:57, 23rd October 2019
Samsung are working to fix a known issue with the Fingerprint recognition feature on S10 devices. Whilst they do this, we recommend disabling Fingerprint login on your Barclays app. Please use your 5-digit passcode for now. We'll be back in touch to let you know when to switch it back on. Your Barclays Team

Real-world Contexts
Your risk assessment?
- Meet Standards?
- Accredited?

Real-time Contexts
When was your last risk assessment?
- Have standards changed?
- Has ownership changed?
- Has their jurisdiction or governing legislation changed?
- Are they now proscribed?
- When did you check?
- Where did you check?
- How good is the data?
- Who checked?
- Who benchmarked?
So where do losses or liabilities fall?

Real-world Contexts: Caveat Regulator
- Could insist on onerous security tech? Lose customers, lose market value
- Could allow ‘new’ security? And find the vulnerability was known in the 1990s
- Could enable novel biometrics? But think through potential sensitive data issues involving other regulators

Global Take-Up
Global standards bridging:
- AML-x
- eIDAS
- PSD-x
- GDPR
et al

Parliamentary updates
Treasury
