Event Recording
Ryan Fox - The Role of Financial Institutions in Providing Trusted Identities Beyond Banking
Keynote at the Consumer Identity World 2017 in Seattle, USA
Log in and watch the full video!
Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.
I have an account
Log inRegister your account to start 30 days of free trial access
RegisterSubscribe to become a client
Choose a package
So the next speaker, I also looked up provide facts. I think the title is very interesting and intriguing. So I'm really looking for also to your talk. You have what I saw along history with identity management for many years. And you started now at capital one. So I would like to understand these testing identities. I know that a lot of other banks are looking
At it. Yes. Ma'am.
I want, you're ready to go.
Great. I'm ready to go. Good to have you here. Thank you so much. As she mentioned, I'm from capital one and Christian, thank you so much for the, the McDonald's video that was touching, but just for the record, to my knowledge, capital one is not yet accepting love as a form of payment. So just so you're aware, but yeah, so, you know, I know that this particular group, there's a number of folks from, from Europe and other parts of the world, besides the United States, where the financial industry playing a role in the digital ecosystem and trusted identities is, is not news. That's not new to you. It, it is. However, in the United States, a bit fresh, something we've been talking about and an area where capital one in particular is, is making some moves and happy to talk to you for just a few minutes today about kind of why we're doing that and what we see the role of financial institutions evolving to be. So, listen again, I'm gonna state the obvious a couple times here today, forgive me, but as we move through the evolution of the digital economy and how we engage with one another and how we engage with other businesses, trust is increasingly paramount. It matters. It matters whether it's a peer-to-peer interaction, it matters whether you're forming brand trust and, and making a selection for who you're gonna interact with. I, I would've perhaps put trust on that, that timeline of how we make decisions. It's paramount.
You it's difficult for us as capital one to not think about things through the lens of a credit card that's in our DNA. And so when we talk about this, no good consumer identity conferences complete without a reference to the visa network and, and how that relates to identities. So here we go. Imagine if you had a different credit card for everywhere you shopped, it would be horrible. It would be catastrophic. As a matter of fact, that's how life was, is some of you may remember you couldn't have the ubiquity of a card that would work in Montana and then work in Florida or in Ohio or Virginia, they were very stovepipe. They were very relevant only to the merchant that you were engaging with. And, and so, so it was, unfortunately, this is exactly how we do identity today. Doesn't matter, wherever you go. When trust matters, you have to create a new identity, your credit card, if you will, your credential, if you will, your proxy for who you are, is valid and useful. Only within the confines of that environment. This has a number of challenges, which I'll go into them. All
The problem is getting worse. So, you know, what we found in some of our research is that this is a bit of a death by a thousand cuts type of scenario, registering in a new website. Is it gonna prevent me from engaging with that brand that I wanna engage with? Depends. We know it has an impact. We know that there's fallout and abandonment as a result of that. Is it catastrophic? No, but it's there. If I have to create a new credential, which I have to do everywhere, am I gonna quit? Am I gonna walk away? Not every time, but sometimes the problem is is that across every channel and across the entire ecosystem, the problem is continuing to compound, whether it's the news of additional breaches and your fear of sharing additional information with a website or a service, or it's just the fact that you're now creating your 37th credential and trying to remember how to create a, an effective username and password.
And where was that notebook that I keep them all in my mother-in-law, by the way, literally has a spiral bound notebook that she keeps in the upper right hand desk drawer with all of her usernames and passwords. It has the, the name of the website, the password, and a date as to when it was last changed. And I was like, Dana, you, you know what I do for a living, right? Like how, how can you do this? But that that's the only option we have, but across all of these segments, whether it's e-com, which we, I think we all understand that that's gone digital that has happened real estate health, all verticals, the need for trust is increasing. So as the users engage in this environment, the question is, what can we do? What can we do to help their practices out? How can we keep my mother-in-law from writing all of our user and password names down in a notebook? How can we help this? This is my, I smell an ecosystem. Excuse me, I aspire an ecosystem slide. What does this look like? And what role can we play? Apparently I have to point this directly at
The system for function.
How do we establish trust? So, you know, capital one in the financial institution segment, the, you know, one of the things that is a baseline of what we do. So let's focus on that for a moment is validate identities. We have to know who our customers are. We have to provide strong credentials. We have to protect them. We have to establish that trust with them as they interact with us. The next thing we do is we provide them credentials in the form of physical credit card, a bank debit card checks, et cetera. And then that essentially provides a proxy for them to engage in a commerce segment outside of the four walls of our financial institution that has not historically translated to other forms of interactions, performing a real estate transaction, renting an apartment, checking your health claims, et cetera.
So, you know, when we look at this and we see the increasing compounding challenges in the market, our questions that we ask ourselves is what can we do to continue to protect our customers? How can we continue to protect their data? How can we continue to protect their money? How can we protect the merchants that interact? Because what happens is, is as this economy continues to expand the need for trust, continues to expand if that trust starts to fall away. So does the consumer's trust to engage with it? And that has negative consequences for the consumer that has negative consequences for the merchant. And that of course has negative consequences for the financial sector. And then finally, how do we make things easier? So our job here is not just to prevent the collapse of this. How do we make it easier for customers to engage? How do we make it easier for them to perform these transactions across the ecosystem?
So at capital one, what we've decided to do is we've decided to take a lot of the trust that we've established within our own four walls. And we've decided to open that up. We've decided to open that up in the form of a platform to extend essentially the same protections for identity verification, the same protections for authentication to the broader ecosystem, and to extend this out well beyond just the financial sector, to allow this to be consumed by real estate organizations, health organizations, etcetera. And we've done this in the form of three core APIs that we've recently launched that essentially allow our customers, our existing customers to have portability and control effectively at the end of the day. That's what we're providing portability and control over their digital identity into the broader ecosystem that perhaps some of you operate in and we've done this in the form of three core products.
The first is sign up with capital one, which is essentially a trusted registration product. We've verified the, the identities of our customers using data that they've provided us, perhaps different documents or assets. And as they travel about, they may need to prove their age. They don't need to provide their date of birth. They may may need to prove that they are who they say they are. That doesn't mean they need to provide their social security number. They may need to prove where they live. That doesn't mean that they have to provide their explicit address. So we've provided a product that gives the user control over what they share with individual entities as they consume this. So that as a merchant or a relying party consumes this data, they can trust the information that it's been validated and they can get the insights and the information they need to conduct their jobs without the users oversharing, or having data spillage with organizations that have more information than they, they need.
The second is verified with capital one, which is essentially a digital notary product. This product allows you to register your customer, provide information to capital one in the form of hashed data that we then respond back and say, yes, no, that attribute is accurate. Again, providing a mechanism for customers to prove that they are who they say they are out in a broader ecosystem without sharing any data. There's not a need for me to have to share my social security number and my data birth with every website that needs to know who they just need to know that I am, who I say am who provided products out that allow that to occur to then finally sign in with capital one. You know, this is really essentially trying to help our customers have better behavioral patterns as they operate out in a broader ecosystem. As our customers are engaging with e-com sites, as our customers are engaging with, with different trusted platforms, if they have bad behavioral patterns of reuse of credentials, if they have bad behavioral patterns of using weak credentials that are then protecting their PII, that creates vulnerability for them in a broader sense in the entire ecosystem that creates vulnerability for them as they interact with us.
That creates vulnerability for us as an organization. So sign in with capital one is effectively extending our strong credential set, our strong multifactor authentication capabilities, our strong device reputation out into the market to allow the customers to engage with these trusted platforms while avoiding some of the behavioral patterns that we'd like to see them. So that is it for my slides. And I will take questions.
That's great, Ryan, you've got a question in the back.
Yes, Denise,
What's your, what's your revenue model.
We do not have a revenue model for this. You know, first of all, we're just getting started. This is, these are beta products that we've launched out to market. And our objective again, is to protect our customers, give them opportunities to engage with better security behavioral patterns in the market and provide them easier ways of engaging with trusted platforms. So that, that is our objective is to raise the bar with security and privacy in the ecosystem at large.
Do you have any plans to work with?
I can see that applicable
To federal and state
Agencies. Yeah. I mean, I think I didn't refer necessarily to any particular I kind of use like retail or real estate as examples. We're certainly open to that open
Platform, right? Yes. Could you repeat this question? Because we
Could get sure. State or local governments, are we interested in working with state or local governments? So the answer, the short answer is, is yes, this is an open platform. Anyone can move to developer capital, one.com today and sign up to start testing these out and looking at them. So we're open to engaging with anyone on this.
Stop
The question then. Well, I talking about stuff tomorrow, but I'm coming from that point of view. What sort of consent are you talking about to provide this, this service to? And also the other question I have is how trustworthy is this bank? Not necessarily talking about real bank, but I mean, this, you seem to taking on a lot of responsibility. Sure.
So taking on a lot of responsibility and one is the consent model, is that the question was
No, no, no. The two questions really? Yeah. So how do you go ahead take consent from your consumer because that's whose identity
You're gonna yep.
Verify, speak. The next aspect is how sure our banks about their own KYC process. That they're gonna go ahead and say, look, I certify this consumers who she T explain it to me. So there's obviously a risk and library associated with this, with the service, so to speak, right? Yeah.
So, you know, with regards to the first one, which is pretty straightforward, this is an open ID connect oof model. We obtain explicit consent from the consumer at any engagement point where we will actually show them what data is being provided. Why is it being requested? And they will have explicit capability to either consent or deny the ability to share that information with the third party. They also, of course, as part of that model, have the ability to go back and revoke access to anything that may have been durable as far as any type of authentication to anything like that that's provided. So pretty standardized, as far as that model's concerned as far as the, how sure are we, that people are who they say they are. Yeah. I mean, I appreciate that. I mean, it, it, I don't think our objective here is to necessarily make an audacious claim that, you know, we know this better than anyone that's, that's not our, our claim, what our, what our claim is, is that we have customers who have gone through this once.
And we think that there's a better way for them to engage. We think there's a better way for them to engage in the digital ecosystem when it comes time to prove that they are, they say they are. And when it times comes time for them to authenticate in a trust environment, we think there's a better way to do that. And it's up to the customer, whether or not they choose to engage with that or not. It's not us forcing them to engage in any certain way. It it's really up to the customer. So it'll ultimately be for the market and the customers to define the value of that at large. Yes, it is.
Are you gonna require parties to appear to a trust framework or is there, what is the criteria by when you will allow a line party to be part of your network?
Yeah, that's a good question. So I, I think, you know, first of all, there is not a, like a global trust framework that would be like one and done for this. There are different trust frameworks that apply to different ecosystems, depending on if you're in healthcare or if you are in the government or whatever the case may be. So in some circumstances, I think the trust framework is there. And of course we'll write on the back of that were appropriate in other environments, there isn't a trust framework or, you know, we look to help shape that. We look to help participate in that. And in some circumstances it's simply just a one by one evaluation of the engagement. I, I think the interesting, maybe comparison would be with Facebook authentication. Right? Sure. Where their models actually completely the opposite, which is we're gonna tell people more about you than, than you expected us to as part of your authentication, not less.
Yeah. And so I think there's questions on the adoption on both things, right? Yeah. I think there's, our business is gonna adopt a platform where they get less information about a customer than they used to. Yeah. I think it's completely separate objectives. Right? The, the social environment has proven the ubiquity of that and the ease of use and the value that, that delivers to clients and to relying parties. The objective of the social environment has never ne has never been to provide verified, trusted information that has never been the, the kind of core objective of that it's observations. It's aggregate data that you can drive insights from. So I think it's just really a different angle that we're taking the social providers are, are not necessarily looking to engage with governments with trusted platforms like healthcare, et cetera, for engagements. So I think it's a different angle and, you know, it's clearly, I don't think anyone would, I don't think anyone would question that there's a gap in the market today for trust across platforms.
You know, I use the example of the credit card and a different credit card for everywhere you shop. And I make the point that that's how we engage in digital identity today, especially when trust matters, the social providers have made that not true when trust doesn't matter. So there's clearly a gap there. Financial institutions have verified identities. We have strong authentication capabilities. There's an opportunity for us to step up and fill that gap. We think that's the right thing to do for the digital ecosystem. We think it's the right thing to do from a security and privacy perspective. And we think it's the right thing to do for our customers is for providing them control transparency and security across that. Wow. Last question.
Yeah, a lot of in the space Verizon drive, this is a couple years ago, big initiative, didn't go in the, so my questions really going to be around once you've assigned all of this delegated authentication or authorization through capital ones, all these third parties, right. Type. Are you looking at multi model where I can go that consumer go back and start revoking access or once before I'd authorized
It? Yeah. I mean to the degree that that's practical. Yes. Okay. Thank you. An easy one.
At it. Yes. Ma'am.
I want, you're ready to go.
Great. I'm ready to go. Good to have you here. Thank you so much. As she mentioned, I'm from capital one and Christian, thank you so much for the, the McDonald's video that was touching, but just for the record, to my knowledge, capital one is not yet accepting love as a form of payment. So just so you're aware, but yeah, so, you know, I know that this particular group, there's a number of folks from, from Europe and other parts of the world, besides the United States, where the financial industry playing a role in the digital ecosystem and trusted identities is, is not news. That's not new to you. It, it is. However, in the United States, a bit fresh, something we've been talking about and an area where capital one in particular is, is making some moves and happy to talk to you for just a few minutes today about kind of why we're doing that and what we see the role of financial institutions evolving to be. So, listen again, I'm gonna state the obvious a couple times here today, forgive me, but as we move through the evolution of the digital economy and how we engage with one another and how we engage with other businesses, trust is increasingly paramount. It matters. It matters whether it's a peer-to-peer interaction, it matters whether you're forming brand trust and, and making a selection for who you're gonna interact with. I, I would've perhaps put trust on that, that timeline of how we make decisions. It's paramount.
You it's difficult for us as capital one to not think about things through the lens of a credit card that's in our DNA. And so when we talk about this, no good consumer identity conferences complete without a reference to the visa network and, and how that relates to identities. So here we go. Imagine if you had a different credit card for everywhere you shopped, it would be horrible. It would be catastrophic. As a matter of fact, that's how life was, is some of you may remember you couldn't have the ubiquity of a card that would work in Montana and then work in Florida or in Ohio or Virginia, they were very stovepipe. They were very relevant only to the merchant that you were engaging with. And, and so, so it was, unfortunately, this is exactly how we do identity today. Doesn't matter, wherever you go. When trust matters, you have to create a new identity, your credit card, if you will, your credential, if you will, your proxy for who you are, is valid and useful. Only within the confines of that environment. This has a number of challenges, which I'll go into them. All
The problem is getting worse. So, you know, what we found in some of our research is that this is a bit of a death by a thousand cuts type of scenario, registering in a new website. Is it gonna prevent me from engaging with that brand that I wanna engage with? Depends. We know it has an impact. We know that there's fallout and abandonment as a result of that. Is it catastrophic? No, but it's there. If I have to create a new credential, which I have to do everywhere, am I gonna quit? Am I gonna walk away? Not every time, but sometimes the problem is is that across every channel and across the entire ecosystem, the problem is continuing to compound, whether it's the news of additional breaches and your fear of sharing additional information with a website or a service, or it's just the fact that you're now creating your 37th credential and trying to remember how to create a, an effective username and password.
And where was that notebook that I keep them all in my mother-in-law, by the way, literally has a spiral bound notebook that she keeps in the upper right hand desk drawer with all of her usernames and passwords. It has the, the name of the website, the password, and a date as to when it was last changed. And I was like, Dana, you, you know what I do for a living, right? Like how, how can you do this? But that that's the only option we have, but across all of these segments, whether it's e-com, which we, I think we all understand that that's gone digital that has happened real estate health, all verticals, the need for trust is increasing. So as the users engage in this environment, the question is, what can we do? What can we do to help their practices out? How can we keep my mother-in-law from writing all of our user and password names down in a notebook? How can we help this? This is my, I smell an ecosystem. Excuse me, I aspire an ecosystem slide. What does this look like? And what role can we play? Apparently I have to point this directly at
The system for function.
How do we establish trust? So, you know, capital one in the financial institution segment, the, you know, one of the things that is a baseline of what we do. So let's focus on that for a moment is validate identities. We have to know who our customers are. We have to provide strong credentials. We have to protect them. We have to establish that trust with them as they interact with us. The next thing we do is we provide them credentials in the form of physical credit card, a bank debit card checks, et cetera. And then that essentially provides a proxy for them to engage in a commerce segment outside of the four walls of our financial institution that has not historically translated to other forms of interactions, performing a real estate transaction, renting an apartment, checking your health claims, et cetera.
So, you know, when we look at this and we see the increasing compounding challenges in the market, our questions that we ask ourselves is what can we do to continue to protect our customers? How can we continue to protect their data? How can we continue to protect their money? How can we protect the merchants that interact? Because what happens is, is as this economy continues to expand the need for trust, continues to expand if that trust starts to fall away. So does the consumer's trust to engage with it? And that has negative consequences for the consumer that has negative consequences for the merchant. And that of course has negative consequences for the financial sector. And then finally, how do we make things easier? So our job here is not just to prevent the collapse of this. How do we make it easier for customers to engage? How do we make it easier for them to perform these transactions across the ecosystem?
So at capital one, what we've decided to do is we've decided to take a lot of the trust that we've established within our own four walls. And we've decided to open that up. We've decided to open that up in the form of a platform to extend essentially the same protections for identity verification, the same protections for authentication to the broader ecosystem, and to extend this out well beyond just the financial sector, to allow this to be consumed by real estate organizations, health organizations, etcetera. And we've done this in the form of three core APIs that we've recently launched that essentially allow our customers, our existing customers to have portability and control effectively at the end of the day. That's what we're providing portability and control over their digital identity into the broader ecosystem that perhaps some of you operate in and we've done this in the form of three core products.
The first is sign up with capital one, which is essentially a trusted registration product. We've verified the, the identities of our customers using data that they've provided us, perhaps different documents or assets. And as they travel about, they may need to prove their age. They don't need to provide their date of birth. They may may need to prove that they are who they say they are. That doesn't mean they need to provide their social security number. They may need to prove where they live. That doesn't mean that they have to provide their explicit address. So we've provided a product that gives the user control over what they share with individual entities as they consume this. So that as a merchant or a relying party consumes this data, they can trust the information that it's been validated and they can get the insights and the information they need to conduct their jobs without the users oversharing, or having data spillage with organizations that have more information than they, they need.
The second is verified with capital one, which is essentially a digital notary product. This product allows you to register your customer, provide information to capital one in the form of hashed data that we then respond back and say, yes, no, that attribute is accurate. Again, providing a mechanism for customers to prove that they are who they say they are out in a broader ecosystem without sharing any data. There's not a need for me to have to share my social security number and my data birth with every website that needs to know who they just need to know that I am, who I say am who provided products out that allow that to occur to then finally sign in with capital one. You know, this is really essentially trying to help our customers have better behavioral patterns as they operate out in a broader ecosystem. As our customers are engaging with e-com sites, as our customers are engaging with, with different trusted platforms, if they have bad behavioral patterns of reuse of credentials, if they have bad behavioral patterns of using weak credentials that are then protecting their PII, that creates vulnerability for them in a broader sense in the entire ecosystem that creates vulnerability for them as they interact with us.
That creates vulnerability for us as an organization. So sign in with capital one is effectively extending our strong credential set, our strong multifactor authentication capabilities, our strong device reputation out into the market to allow the customers to engage with these trusted platforms while avoiding some of the behavioral patterns that we'd like to see them. So that is it for my slides. And I will take questions.
That's great, Ryan, you've got a question in the back.
Yes, Denise,
What's your, what's your revenue model.
We do not have a revenue model for this. You know, first of all, we're just getting started. This is, these are beta products that we've launched out to market. And our objective again, is to protect our customers, give them opportunities to engage with better security behavioral patterns in the market and provide them easier ways of engaging with trusted platforms. So that, that is our objective is to raise the bar with security and privacy in the ecosystem at large.
Do you have any plans to work with?
I can see that applicable
To federal and state
Agencies. Yeah. I mean, I think I didn't refer necessarily to any particular I kind of use like retail or real estate as examples. We're certainly open to that open
Platform, right? Yes. Could you repeat this question? Because we
Could get sure. State or local governments, are we interested in working with state or local governments? So the answer, the short answer is, is yes, this is an open platform. Anyone can move to developer capital, one.com today and sign up to start testing these out and looking at them. So we're open to engaging with anyone on this.
Stop
The question then. Well, I talking about stuff tomorrow, but I'm coming from that point of view. What sort of consent are you talking about to provide this, this service to? And also the other question I have is how trustworthy is this bank? Not necessarily talking about real bank, but I mean, this, you seem to taking on a lot of responsibility. Sure.
So taking on a lot of responsibility and one is the consent model, is that the question was
No, no, no. The two questions really? Yeah. So how do you go ahead take consent from your consumer because that's whose identity
You're gonna yep.
Verify, speak. The next aspect is how sure our banks about their own KYC process. That they're gonna go ahead and say, look, I certify this consumers who she T explain it to me. So there's obviously a risk and library associated with this, with the service, so to speak, right? Yeah.
So, you know, with regards to the first one, which is pretty straightforward, this is an open ID connect oof model. We obtain explicit consent from the consumer at any engagement point where we will actually show them what data is being provided. Why is it being requested? And they will have explicit capability to either consent or deny the ability to share that information with the third party. They also, of course, as part of that model, have the ability to go back and revoke access to anything that may have been durable as far as any type of authentication to anything like that that's provided. So pretty standardized, as far as that model's concerned as far as the, how sure are we, that people are who they say they are. Yeah. I mean, I appreciate that. I mean, it, it, I don't think our objective here is to necessarily make an audacious claim that, you know, we know this better than anyone that's, that's not our, our claim, what our, what our claim is, is that we have customers who have gone through this once.
And we think that there's a better way for them to engage. We think there's a better way for them to engage in the digital ecosystem when it comes time to prove that they are, they say they are. And when it times comes time for them to authenticate in a trust environment, we think there's a better way to do that. And it's up to the customer, whether or not they choose to engage with that or not. It's not us forcing them to engage in any certain way. It it's really up to the customer. So it'll ultimately be for the market and the customers to define the value of that at large. Yes, it is.
Are you gonna require parties to appear to a trust framework or is there, what is the criteria by when you will allow a line party to be part of your network?
Yeah, that's a good question. So I, I think, you know, first of all, there is not a, like a global trust framework that would be like one and done for this. There are different trust frameworks that apply to different ecosystems, depending on if you're in healthcare or if you are in the government or whatever the case may be. So in some circumstances, I think the trust framework is there. And of course we'll write on the back of that were appropriate in other environments, there isn't a trust framework or, you know, we look to help shape that. We look to help participate in that. And in some circumstances it's simply just a one by one evaluation of the engagement. I, I think the interesting, maybe comparison would be with Facebook authentication. Right? Sure. Where their models actually completely the opposite, which is we're gonna tell people more about you than, than you expected us to as part of your authentication, not less.
Yeah. And so I think there's questions on the adoption on both things, right? Yeah. I think there's, our business is gonna adopt a platform where they get less information about a customer than they used to. Yeah. I think it's completely separate objectives. Right? The, the social environment has proven the ubiquity of that and the ease of use and the value that, that delivers to clients and to relying parties. The objective of the social environment has never ne has never been to provide verified, trusted information that has never been the, the kind of core objective of that it's observations. It's aggregate data that you can drive insights from. So I think it's just really a different angle that we're taking the social providers are, are not necessarily looking to engage with governments with trusted platforms like healthcare, et cetera, for engagements. So I think it's a different angle and, you know, it's clearly, I don't think anyone would, I don't think anyone would question that there's a gap in the market today for trust across platforms.
You know, I use the example of the credit card and a different credit card for everywhere you shop. And I make the point that that's how we engage in digital identity today, especially when trust matters, the social providers have made that not true when trust doesn't matter. So there's clearly a gap there. Financial institutions have verified identities. We have strong authentication capabilities. There's an opportunity for us to step up and fill that gap. We think that's the right thing to do for the digital ecosystem. We think it's the right thing to do from a security and privacy perspective. And we think it's the right thing to do for our customers is for providing them control transparency and security across that. Wow. Last question.
Yeah, a lot of in the space Verizon drive, this is a couple years ago, big initiative, didn't go in the, so my questions really going to be around once you've assigned all of this delegated authentication or authorization through capital ones, all these third parties, right. Type. Are you looking at multi model where I can go that consumer go back and start revoking access or once before I'd authorized
It? Yeah. I mean to the degree that that's practical. Yes. Okay. Thank you. An easy one.
Stay Connected
How can we help you