In the digital world banks can win by doing more of the same, says Marten Nelson, co-founder, Token.io.
What is a bank?
A place to store money? Yes, but keeping cash under the mattress doesn’t make a bank of your bed.
A lender? Sure. But today you can get a line of credit from almost anywhere.
A payments facilitator? Absolutely. Yet banks need third-party tech, independent networks, processors and clearing houses to get the job done. It’s hardly a USP.
Strip away all the products and services that banks provide. What’s left?
A model of trust. A bank verifies your identity and uses it, confidentially, to enable you to securely engage with the transacting world.
Fundamentally, then, banks are two things: they are guardians of identity and enablers of commerce.
It’s commerce, Jim, but not as we know it
Commerce is changing. Heck, money is changing. Digital tech is enabling value to be expressed and transacted in increasingly diverse ways, globally, from merchant loyalty points to cryptocurrencies. Businesses and individuals are increasingly trading in - and raising investment via - tokenized assets as well as traditional currencies and securities.
These changes are here to stay. Virtual currencies are fast becoming part of regulated financial markets. Much-vaunted distributed ledger technologies are offering sustainable and unbanked ways of transacting in, well, almost anything. In Europe, PSD2 is forcing banks to surrender control of their customers’ account information to third parties. Sure, banks have customer volumes on their side but even then disintermediation looms large. Which is a worry: the rise and fall of some of the world’s biggest companies shows how quickly customer volumes can shift when market conditions change. Amazon. Uber. Netflix. And on the flipside: Kodak. Nokia. General Motors.
Banks will have to adapt but perhaps not as much as you might think. Perhaps, fundamentally, not at all.
Digital identity guardians
The world of digital identity verification, for example, needs a serious overhaul and banks – experts in highly-regulated Know Your Customer (KYC) procedures - are primed to deliver.
For years, the digital identity rule has been: ubiquity, convenience, security. Choose two.
Usernames and passwords, for example, are woefully insecure, and used everywhere. Multifactor authentication: secure and ubiquitous, but chronically inconvenient.
And what of biometrics? Sure, your fingerprints and irises are unique, but biometric authentication systems collect data via capture devices and verify that against a stored biometric image, using comparison algorithms. Both the capture device and the algorithm can vary dramatically in terms of accuracy. So, here again: Convenience - tick. Ubiquity - tick. Security? It depends.
Banking on ID
In the physical world, bank cards are widely accepted as forms of ID. They won’t get you across a border or into a hire car, but they provide enough assurance to satisfy most other services.
Why shouldn’t bank ID also apply to a similarly broad set of use cases in the digital world? One such business model is already well established. Google and Facebook take a cut every time you choose to associate a new authentication gateway with the login credentials you use for their accounts; a process known as ‘federated authentication’ or, more commonly, ‘login with Facebook’ or ‘login with Google’. The cut can come in the form of money, of course, or by way of access to the data the new service collects on you, the user.
It is flawed. Lose your root password to a hacker and you automatically gift them access to your other associated web accounts as well. Again: It’s convenient. It’s ubiquitous. But its reliance on password credentials makes it badly insecure.
Using modern, secure authentication solutions based on public-key cryptography, bank-grade digital security can sit behind the federated authentication service just as easily. Then the bank can use this service to generate new revenues or monetizable data, from either their customers or from the service providers whose gateways they secure. Maybe from both.
Let’s get phygital
Closer to home, merchants (who have a vested interest in transacting as quickly and easily as possible) have already cottoned on to the idea that they can use your bank’s digital verification to blend their physical and digital shopping experiences. Eliminating queues by accepting remote mobile payments for in store purchases is one such example. So-called ‘scan and go’ is another. But the process remains clunky. What if an instant, one-touch payment was possible, initiated by your bank, from within the merchant’s mobile app? Then it’s both secure and convenient. And soon to be ubiquitous?
Enablers of digital commerce
There have been two sticking points for banks. First there is a perception problem; banks don’t want to be seen to play fast and loose with their customers’ credentials. In Europe, PSD2 will bury this issue by enabling users to vote with their feet. The decision to use an identity-based commerce service would be taken by the customer, not the bank. As long as the delivering AISPs and PISPs obtain the customers’ permission - and can connect to the bank’s APIs - their services will be free to associate the user’s bank details without the bank’s prior agreement.
This begs an important question. What would the end-user prefer: that this service is delivered directly by their bank, or by a third party using their bank’s credentials?
The second sticking point goes back to ‘that rule’. Banks can enable ubiquity and deliver security, but what about convenience? This hasn’t exactly been their strong point to date.
Partnerships hold the (cryptographic) key here. Banks don’t need to develop these services; they can instead white label them from certified, specialist service providers, and market them as powerful products to attract new customers.
Single-click bank-grade identity verification is already available to banks as a managed service, using technology platforms developed for open banking. Once integrated, the possible use-cases for bank services proliferate: hotels won’t need to take card details when guests check-in. E-commerce sites can combine customer login and payment processes and streamline both. Refundable deposits will become a thing of the past. Authentication hacks can be thwarted, and payment card data-leaks consigned to history. Regulatory compliance will be easier to achieve – service providers will no longer need to maintain databases of card details or customer data because your digital ID can be verified instantly, from anywhere, and at a fraction of the conventional cost.
Digital ID services enable banks to turn the tables on disintermediation. Best of all? They can do it by continuing to be in the digital age what they have successfully been for centuries: the guardians of identity and enablers of commerce.