Event Recording

Dr. Torsten Lodderstedt: eKYC: Seamless Customer Identification Using Existing Verified Digital Identities.

Good afternoon, everybody. A lot of businesses, regulated as well as non-regulated, have the need to really know the identity of their customers, and that hasn't changed in the digital space. There it's called electronic know-your-customer, eKYC, and obviously digital identity is a key factor for eKYC. Let me iterate through some of the use cases. First of all, financial institutions and financial services are obliged to verify their customers' identity under anti-money laundering and counter-terrorism financing law, and telecommunication services and companies are obliged to identify their customers for similar reasons. A service providing access to health data obviously, for privacy reasons, needs to make sure that only the right person sees this very sensitive data. And what is also increasingly important is neighborhood networks and sharing services; especially the neighborhood networks have seen a dramatic increase in use due to COVID-19.
They really need to make sure that the other person is who this person claims to be or seems to be. So what are the options one typically has for strongly verifying the identity of a user, of a customer? Well, at least in the European Union, there are a lot of countries where citizens can use the eID functions belonging to or associated with their ID documents, or even built into the respective ID cards. This has seen quite successful use in the Baltics, for example, but isn't much used in other countries, such as Germany, and there are other, more traditional ways to verify the identity. For example, the postal service might offer the identification of a customer in the local branch. The obvious disadvantage is that if you are in a digital transaction, you have to suspend that transaction, print out a pile of paper, go to the post office, sign that pile of paper and show your ID card.
Then the clerk of the postal service will wrap that in a letter and send it to the service provider. So obviously that has a real impact on conversion and on user convenience. And that's why, for example in Germany, all kinds of video identification and auto-identification are quite successful these days: the person talks to an agent via video chat, presents his or her identity document, it's verified and so on. In the case of auto-identification, scans of the ID documents and videos or pictures of the person are used to do the identity verification, mixing in some artificial intelligence. The challenge with this kind of method is that it's quite complex from a technology perspective, so there is a barrier for the average user. And there's also an emotional barrier, because people, and that's our experience, are reluctant to talk to a stranger via a video chat conversation and show their ID card. So the problem is evident, and it's still not really solved. I would like to talk about one alternative option that doesn't replace those, but could add some benefit to the mix, and this is the sharing of existing digital identities, especially those managed by financial institutions.
Why is that an option? Well, as I explained previously, financial institutions are obliged to verify the identity of their customers. So they know the identity of every person that is authorized to access a bank account, due to the obligation defined by the anti-money laundering law. They maintain this data and associate it with multi-factor authentication credentials, and those multi-factor authentication credentials, at least in the European Union, got even stronger due to the Payment Services Directive 2 that was recently put into effect. That's a quite powerful combination. It means every online banking user account is backed by KYC data and a pair of strong authentication credentials that could be quite useful for third parties as well. Just to give you some numbers: according to statistics, in 2017 there were 220 million online and mobile banking user accounts across the European Union; in the US in 2019,
there were 190 million user accounts, and Juniper Research came up with a quite impressive number for the whole world in 2024, which is 3.6 billion user accounts. Just imagine 3.6 billion digital identities. What could we use them for in various businesses? And there is momentum behind our topic, so there are services already existing; I just picked a couple of them. For example, in the Netherlands there's iDIN, in Norway and Sweden there are different flavors of BankID, and in Germany, for example, we've got yes.com, which also leverages bank KYC data. Those are local initiatives. The question is how we can come to a global solution that really provides that reach and that valuable data to relying parties in a simple manner. And there's one initiative that really stands out; it's run by the Institute of International Finance, which is a sub-organization of the International Monetary Fund.
It's the Open Digital Trust Initiative, and it aims to set out the governance and also the technical standards for sharing digital identities between different institutions. The OpenID Foundation, the standardization body specifying OpenID Connect and other identity standards or extensions to OpenID Connect, contributes to this initiative and runs two standardization efforts, which are the eKYC and Identity Assurance Working Group and the Financial API Working Group, the latter defining a security profile, the former defining an OpenID Connect extension for strong identity assurance. We will come back to that topic later. In the European Union, there was recently an announcement that the European Commission will pursue a so-called European digital identity initiative, which also might include a way for financial institutions to share their identity data as identity providers. This will most likely be part of the upcoming update to the eIDAS legislation.
And in Germany, just as an example, there is a government-run process which aims at leveraging existing digital identities for government and other use cases. From a technical perspective, I think that the best way to leverage this KYC data for third parties is to turn the bank into an IDP: no aggregation, no proxying whatsoever. The direct connection between two points is a line, and the line in this case is between the bank acting as an IDP and the relying party that obtains and uses the identity data. That clearly creates a challenge, since there are a lot of banks: alone in Germany we've got more than 4,000 financial institutions, in the European Union there are more than six thousand financial institutions, and worldwide we are north of 25,000 financial institutions. So this is a clear barrier for adoption, and that's one of the reasons why the concept isn't available today on a global basis. But that's why I think the IIF initiative is really groundbreaking and will prepare that for success.
What can we achieve if we really make the bank an IDP and let a relying party obtain the identity data directly from the bank? Well, let's assume we are on an insurance website or in an insurance app and want to identify. The first step would need to be to select the bank, because there are so many of them that the system cannot really automatically determine where to go. But once the user has said, okay, I'm for example with a savings bank, the bank will act as an IDP, which from a user's perspective means: I use my online banking login, the login which I'm aware of and that I use regularly to access my balance, to issue credit transfers and so on. So I use the same login, even my mobile banking app where I already set up my identity to log into my bank account. In our example, I just use the fingerprint to unlock my app. Then the bank asks me whether it's allowed to ship the data that the relying party requested. So you see, this is also all very privacy-preserving: the relying party needs to ask for specific claims, and the user has to consent, and potentially also uses strong customer authentication to really strongly authenticate in that process.
And that's it. The data are then provided to the relying party and can be used for whatever process the relying party wants to implement. From a technical perspective, the implementation can be based on OpenID Connect. I think that's the best way to implement it today, because OpenID Connect offers a good balance: maturity, because it's used all over the place and there are thousands of implementations available today; it's simple, it's secure, and it's suitable for web applications and app-based experiences. And with its built-in support for OAuth, it can even be used in the same flow to leverage other services like electronic signing or payment initiation. So you could, in the same flow, agree to share your data and pay, for example, for a new iPhone. In order to cope with the challenges of higher identity assurance, OpenID Connect needs to be extended, and I'm going to explain why.
So this picture again shows the prototypical architecture if we turn the bank into an IDP. The bank would provide the relying party with an assertion, to be precise an ID token, containing the user identity data. In this case we see a user ID, an email address, a name, date of birth and address. What this assertion lacks is additional information about how the IDP actually verified this data: how does it retain this data, who verified the data, using what evidence, when was it verified, how was it verified? Those are all important pieces of information if one tries to utilize the data for regulated and high-assurance use cases. So for example, if the data were verified using a video identification method, the relying party, if it operates under the AML law in Germany, would not be allowed to use that data,
whereas under eIDAS the same data could be used. This is just the craziness of regulation, right? But there needs to be clear transparency about all the processing and the trust frameworks that were used, and that's what OpenID Connect for Identity Assurance does. In the lower part of the assertion you see the data payload, which is the given name and the family name, and OpenID Connect for Identity Assurance introduces a new container that allows the IDP to provide all the information, the different data that the relying party needs: namely a trust framework, in this case anti-money laundering law (it could be other laws or regulations), what documents were used, who verified that (here in this case it's the postal service using in-person proofing) and what had happened. This is a useful extension, and we, for example, use that to provide trust service providers under eIDAS so they can spontaneously create qualified certificates and qualified electronic signatures.
All right, let me sum up my presentation. Know-your-customer for digital services is still a big challenge and it's important, and we have seen that it has grown with COVID-19. Sharing of digital identities among different institutions is a promising way to cope with this challenge. There are different candidates that could be sources for identities, for example insurance companies, telecommunication companies, basically any regulated company or any company that does strong identity verification. We think financial institutions are very suitable, because they maintain verified digital identities and also associate them with strong credentials. A seamless integration between the identity provider and the relying party can be implemented with OpenID Connect, with OpenID Connect for Identity Assurance as the representation for that metadata, and we believe that the security profile is the right way to implement that with a suitable security level. And with that, I thank you for your attention and open the floor for questions.
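The relying-party side of what the talk describes (requesting only the needed claims under an acceptable trust framework, then judging the `verified_claims` container the bank's ID token carries before using the data) is shown below as an added example. It is not code from the talk, the OpenID Foundation or yes.com. The RP policy values (accepted trust framework `de_aml`, accepted method `pipp`, rejected method `vpip`, a five-year freshness limit) and both sample payloads are constructed for illustration; signature, issuer, audience and nonce checks on the ID token are assumed to have been done by the OIDC library beforehand.

```python
"""Relying-party handling of an OpenID Connect for Identity Assurance response.

Added example; not code from the talk, the OpenID Foundation or yes.com.
The RP policy and the sample payloads below are constructed for illustration.
"""
from datetime import datetime, timedelta

# Hypothetical relying-party policy (assumption, not from the talk): accept
# identities verified under the German AML trust framework by physical
# in-person proofing ("pipp"), reject video identification ("vpip"), and
# require the verification to be no older than five years.
RP_POLICY = {
    "trust_frameworks": {"de_aml"},
    "allowed_methods": {"pipp"},
    "forbidden_methods": {"vpip"},
    "max_age": timedelta(days=5 * 365),
    "required_claims": ["given_name", "family_name", "birthdate"],
}


def build_claims_request(policy):
    """The `claims` request parameter the RP sends to the bank (IDP): only the
    claims it needs, marked essential, restricted to acceptable trust
    frameworks, so the IDP can show the user exactly what will be shared."""
    return {
        "id_token": {
            "verified_claims": {
                "verification": {
                    "trust_framework": {"values": sorted(policy["trust_frameworks"])},
                    "time": None,
                    "evidence": [{"type": {"value": "document"}, "method": None}],
                },
                "claims": {c: {"essential": True} for c in policy["required_claims"]},
            }
        }
    }


def _parse_rfc3339(value):
    # Python < 3.11 does not accept a trailing "Z" in fromisoformat.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def evaluate_verified_claims(payload, policy, now_iso):
    """Judge the identity-assurance metadata of one ID token payload.

    Returns (accepted, reason, claims). Top-level claims are deliberately
    ignored: only claims inside `verified_claims` count as verified.
    """
    now = _parse_rfc3339(now_iso)
    vc = payload.get("verified_claims")
    if not isinstance(vc, dict):
        return False, "no verified_claims container", {}
    verification = vc.get("verification") or {}
    claims = vc.get("claims") or {}

    tf = verification.get("trust_framework")
    if tf not in policy["trust_frameworks"]:
        return False, f"trust framework {tf!r} not accepted", {}

    try:
        verified_at = _parse_rfc3339(verification["time"])
    except (KeyError, ValueError, AttributeError):
        return False, "missing or malformed verification time", {}
    if now - verified_at > policy["max_age"]:
        return False, "verification too old", {}

    evidence = verification.get("evidence") or []
    if not evidence:
        return False, "no evidence recorded", {}
    for ev in evidence:
        method = ev.get("method")
        if method in policy["forbidden_methods"]:
            return False, f"verification method {method!r} not permitted", {}
        if method not in policy["allowed_methods"]:
            return False, f"verification method {method!r} not recognised", {}

    missing = [c for c in policy["required_claims"] if c not in claims]
    if missing:
        return False, f"missing verified claims: {missing}", {}
    # Hand the business process only what the policy asked for.
    return True, "ok", {c: claims[c] for c in policy["required_claims"]}


# Constructed sample payloads (not real tokens): the same person, once
# identified in person at a postal branch, once via video identification.
SAMPLE_IN_PERSON = {
    "iss": "https://bank.example", "sub": "248289761001",
    "verified_claims": {
        "verification": {
            "trust_framework": "de_aml",
            "time": "2019-03-15T10:21:00Z",
            "evidence": [{"type": "document", "method": "pipp",
                          "verifier": {"organization": "Postal service (constructed)"}}],
        },
        "claims": {"given_name": "Max", "family_name": "Meier",
                   "birthdate": "1956-01-28", "email": "max@example.com"},
    },
}
SAMPLE_VIDEO = {
    "iss": "https://bank.example", "sub": "248289761001",
    "verified_claims": {
        "verification": {"trust_framework": "de_aml", "time": "2020-06-02T09:00:00Z",
                         "evidence": [{"type": "document", "method": "vpip"}]},
        "claims": {"given_name": "Max", "family_name": "Meier", "birthdate": "1956-01-28"},
    },
}
```

Evaluated at 2021-01-01, the in-person payload is accepted and yields only the three requested claims (the `email` the bank also sent is dropped), the video payload is rejected because its method is on the forbidden list, and the in-person payload evaluated at 2030-01-01 is rejected as too old. A plain OIDC ID token without `verified_claims` is rejected outright, which is the point of the extension: without the container the RP cannot tell verified from self-asserted data.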
