R O U N D T A B L E : I D V E R I F I C A T I O NFS

T S

EP

TE

MB

ER

/O

CTO

BE

R 2

00

9 P

AG

E4

9

The discussion started with the mostbasic questions of all – what are thedrivers for better identity

authentication? To what extent are theyregulatory or internal? Marcus Watzlaffstarted the debate off by noting thathowever strong the internal driver, theFSA was always going to be anoverriding driver. He pointed out thateven given the global financial crisis“the FSA considers ID so important thatit is pinpointing ID crime and financialcrime as being potentially high up in theorder of the list of its priorities”.

Stan Matthews took the point forward,noting that whilst compliance must be amajor consideration, the act of verifyingidentity beyond that level was alwaysgoing to be a commercial decisionweighed against the costs of getting itwrong. “Organisations are striving toget more genuine customers, but at thesame time they are bound by the FSAregulations and have to go through theKYC [know your customer] process.This is a real challenge because the risk

and compliance director will be saying’I want to be as secure and robust withmy identity checking as I possibly can‘,but the commercial director will besaying ’we also want to get more goodcustomers through the door‘.”

However, can compliance be morethan just a burden? Perhaps there areelements that are aligned to the biggerpicture of the organisation’s business.Edwin Aldridge picked up the pointand placed a different perspective onmatters: “Banks, like most companies,would aspire to know quite a bit abouttheir customers. It helps in targetingtheir products and developing productsand typically a bank's account databasewill have fields for many, manydifferent attributes of a particularcustomer, so it's not entirely a one-waystreet. Banks are also rather keen toavoid being defrauded and one way ofdoing that is for the customers topretend to be somebody else, so KYC isactually quite a valuable thing.”

Is the issue, internally to the banks at

any rate, more to do with how theyview the ‘churn rate’ of their customers.If they are passing through, low leveland low value, then some organisationsmight aspire to a basic level of inform-ation. However, other organisationsmight be willing to delve deeper andcreate far more interaction with theirclients. Jonathan Wood endorsed thatview, but with a caveat: “There's afollow-on implication for making surethat you acquire and retain cleancustomers. Particularly in a recessionclean customers can go bad; it's not justa one-off task to make sure they're cleanwhen they begin their relationship.We've got to continue to be alert to itbecause good customers go bad as welland, I suppose, conversely bad ones canbecome good.”

As it stands, Aldridge notes that atleast regulation provides a level playingfield: ”You can afford to do KYCbecause everyone else has got to doKYC.” A view which chimes withWood: ”I think it helps if we're

ID Verification and Anti-FraudStrategies RoundtableFST assembled a panel of experts on identity to discuss the issues involved withidentity authentication, trust, and how to deal with credit risk

final_roundTable.qxd 02/11/2009 14:42 Page 2

R O U N D T A B L E : I D V E R I F I C A T I O N

managing our companies properly. Thefact that you're actually doing checkscorrectly, appropriately and diligentlyshould be the thing of beauty in acompetitive market. It shouldn't be seenas a hindrance.”

Generally the feeling around the tablewas that, although regulation could be aburden, it could be a positive driver – ifhandled properly. Nigel Dickens cameup with perhaps the most graphicanalogy of the evening: “When acompany does KYC processes properlyand well it is a business benefit becauseI can certainly remember doing twoseparate financial transactions with twoseparate companies where one wasowned and made to feel good aboutthis, and actually really worked welland I got what I wanted out of it – theother felt like they'd had a visit to aproctologist, so I haven't done businesswith that company since!”

Automatic for the People

The conversation moved on to discuss

the role of automation in the process ofidentification. With significant gains tobe made in both the speed andefficiency of identity authentication bygreater automation, it was reasonable toask why so much remains done byhand.

The consensus is that automation isfragmented, sometimes due to the lackof infrastructure, and at other times dueto the limitations of the systems.Aldridge was typical in his explanationof this: “There’s a real mixture betweena manual system and the systematicmethods, depending on what country aswell. For instance, in India until quiterecently I don't think there was an IDde-duplication service available at all. Infact, I think it's only recent legislationthat's enabled that and credit-checkingin the last two to three years. Somecountries don't have systematicaddresses – postal addresses – so it'svery difficult to do this kind of workautomatically everywhere. For moredeveloped countries it can be automated

through organisations like Experianusing their data, but a lot of it is manualand I think will always be manual.”

Wood made an incisive point on thematter, in that part of the problem isthat there is not a single solution, andthat in a many stranded system it is notalways easy to define which partsshould be automated – or how. “Thereare lots of people with lots of goodideas and lots of people with lots ofgood actions, but there isn't aconsolidated worldwide approach tothis. With so much automation, why arepeople doing it manually? I think theanswer to that is that we are confusedabout the approach we should be takingwith this because there are so manyoptions, and can’t work out the partswhere automation would providegenuine benefit.”

If technology is part of the solution, itcan very well be a problem too, asAndrew Cunnington explained: “It'smade things more difficult in terms ofactually knowing the identity of theperson at the other end and also thespeed at which fraudulent activities canbe committed. Paradoxically we arelooking to technology solutions toovercome these same problems.” This isa case perhaps of the disease and thecure being one in the same.

There is frustration with the existingmethods, with no clear road ahead tocreate automation and hidden dangersin any solution that achieves this goal.Yet the frustration remains, as Phil

PA

GE

50

F

ST S

EP

TE

MB

ER

/O

CTO

BE

R 2

00

9

Attendees:

Ian Fish – Information Privacy ExpertPanel, BCS (Chairman)Edwin Aldridge – InformationSecurity Risk Manager, StandardChartered BankJames Blake – Head of UK DataAuthentication, ExperianAndrew Cunnington – InformationSecurity Officer, Citi

Nigel Dickens – Information SecurityOfficer, BNP ParibasStan Matthews – Key Account Manager, Finance Sector, ExperianMarcus Watzlaff – Interim Head ofRisk, Old Mutual Asset ManagementPhil Welch – Senior InformationSecurity Assurance, BarclaysJonathan Wood – System DevelopmentManager, Bank of Cyprus UK

final_roundTable.qxd 02/11/2009 14:43 Page 3

R O U N D T A B L E : I D V E R I F I C A T I O N

Welch pointed out – authentication stillisn’t perfect: “We are pretty much on alimit to authenticate our customers. Weuse all the checks that I think you'vementioned and all the relevantdatabases and there's a limit to whatyou can do with paper. As yet wehaven't designed/focused on onesystem, but certainly I think that's theway we'll be going in the future.”

How widespread is this situation?Watzlaff uses empirical evidence toform a conclusion: “Banks in theLondon Market are not really happyaccepting any ID checks in a reasonablyshort of space of time and, to me, thatindicates that the systems do not haveautomated solutions.” Perhaps now isthe time to reconsider the way in whicheach organisation sees the future, as weare arguably at the bottom of theeconomic cycle.

Certainly issues will not be getting anyeasier, and to echo Cunnington’s point,technology is a double-edged sword.The problem is that paper is just notrobust enough anymore to prove anindividual's identity, and one member ofthe panel found 27 websites where youcan buy anything from a driving licenceto a foreign passport. These sort of‘Payslips 'R Us’ sites offer paper-basedidentity for small amounts that can bevery difficult to detect as a single sourceof identity. Apparently the going rate isthree years' worth of P60s for £45.

Paper cannot alone provide thesolution. Matthews notes with electronic

identity the data and the resources thatare available far outweigh the benefitsof looking at paper for identity. “It givesus a better overview – Experian canaccess a huge database resource of overa billion records to be able to comparewhat somebody has. We can actuallylook and compare and have confidenceon whether or not somebody is whothey say they are. So we can run quitedetailed analysis on what those peopledo and the profile that they have inseconds to give a decision as to whetherthat person is who they say they are.”

Paper might be in decline, and lessuseful, but perhaps reports of the deathof paper are exaggerated, for Matthewsexplains that with electronic IDauthentication there will always beexceptions; instances where certainindividuals have a thin footprint from acredit point of view – we could look atnew immigrants or a first bank accountas examples. Here, there is a need tofall back on paper and ask for a birthcertificate, a driving licence or passport.

Organisations need to have a numberof processes in place to make it easierfor customers to do business with them;and to grant the ability to focus more onthe ones that are higher risk.

There is another issue with paper, inthat posted documents can take severaldays to be delivered, and such delaysare obstacles in capturing newcustomers. This goes back again to thecommercial aspects when financialorganisations are offering services

online – offering instant decisions afterwhich prospects will not want to gothrough an online account openingprocess which ends with the need tosupply by fax, post or e-mail paperproofs of ID. Providers often have asmall window of opportunity to captureonline applicants, and this is a businessdecision.

Regulation and the Future

We asked where the current trendswere taking us, and how our panel sawthe future of technology, identity andregulation. Regulation, of course, was tothe forefront of the conversation, withpredicted future tightening of the rulesreigniting the debate over its benefitsversus its hindrances.

If the easiest way to ensure thatidentity is connected to the rightfulowner is by up-to-date and correct data,then one solution could be for anagency to take on the responsibilitiesthat are currently undertaken by privatecompanies. As Nigel Dickens called it,“an APACS for identity – or an identityclearing house”.

FS

T S

EP

TE

MB

ER

/O

CTO

BE

R 2

00

9 P

AG

E5

1

“Particularly in arecession cleancustomers can go bad;and, I suppose,conversely bad ones canbecome good.”

final_roundTable.qxd 02/11/2009 14:44 Page 4

R O U N D T A B L E : I D V E R I F I C A T I O NP

AG

E5

2

FS

T S

EP

TE

MB

ER

/O

CTO

BE

R 2

00

9

A good solution? Well the panel wasunsure, and unsure for several reasons.From Watzlaff, there was the privacyargument – both because of the distastefor large centralised databases, and theissue of privacy laws preventing thetransmission of data. There was anequally thorny problem thrown up byMatthews, who has experience in tryingto manage such data: “Maintaining thedatabase of those identities is hard,when somebody moves the last thingthat somebody will do is change theaddress on their driving licence becauseit doesn't have an impact upon theirfinancial status – it's just irrelevant!”

An open question is how it can, orwill, adapt. Cunnington sees regulatorycompliance today in the financeindustry as a one size fits all approachwhen it comes to identity assurance. Heideally sees a more flexible approachthat would link the services andproducts offered to the level of identityassurance required. In short, to rate theregulation to the risk.

The future might see the rise of newbanking competitors, and there areother sectors from which the bankscould learn and apply their ideas goingforward. The people who in somerespects know their customers betterthan anybody else are the retailers,despite the ‘casual’ nature of theirclients. As Wood notes: “Supermarketsare fantastic at knowing theircustomers. Perhaps they target thembetter, and the introduction of loyalty

cards was a genius invention andthey’ve proved very effective. Theyknow their customers probably betterthan most high street banks do.”

Dickens looks forward to thepossibility of other new entrants:“Telecommunications companies arestarting to act like financial servicescompanies. They're heading in thatdirection. The line is starting to blur.They need to know their customer.They need to validate identities –they've quite a vested interest in that. So that may have an interestinginfluence on where we go.” AndAldridge sees “Telcos will be co-venturing with banks, especially indeveloping regions.”

But will the operational standards ofnew entrants be compatible – Watzlaffexpressed some doubts about the wayin which telecommunicationscompanies chase perceived debt. Whichbrings us, rather neatly, to the conceptof trust – so vital in identity.Cunnington notes that: “It still comesdown to trust. Who would you trust toauthorise and authenticate someone?Financial organisations have had somesetbacks there, because at one time,maybe two or three years ago, bankshad a degree of trust in each other and Ithink that post the sub-prime marketcollapse, a lot of that trust has beeneroded and needs to be rebuilt.”

The issue might not just be of inter-bank trust. Part of the issue might betechnical, in that there is no standard

way in which the information can beexchanged – as Dickens puts it: “There'sno TCP IP for identity and we do needto come up with that so that ifsomebody wishes to federate or gothrough a third party at least we'retalking the same language, so thesystems will understand the samelanguage and the same set of criteria.That's got to be done first.”

Aldridge sees the future a littledifferently however, stating that: “Ithink when it comes to financialdealings individual trust is frequentlysuperfluous, particularly betweencompanies where the banks aretraditionally a trust third party. I'm putin mind of the Identrus model which isoperated by some large financialinstitutions. You do have an identity forthe person or company you are doingbusiness with, but the important thingis the trust relationship with your bankwhich in turn trusts their bank which inturn knows them. So the trust is notwith the counterparty and it's not withtheir identity. It's that they are all partof the Identrus system and that youtrust your bank.”

Ian Fish, the evening’s chairperson,called time at that point, summing upthe conversation as having concludedthat there is no one solution, becausethere is no one fixed problem. However,and to end on an optimistic note, headded that the more and better the datawe have, the closer we can get to aneffective system.

final_roundTable.qxd 02/11/2009 14:44 Page 5