Event Recording

Panel - PSD2 and the Identity Problem


Log in and watch the full video!

Panel discussion at the Digital Finance World 2018 in Frankfurt, Germany

Log in and watch the full video!

Upgrade to the Professional or Specialist Subscription Packages to access the entire KuppingerCole video library.

I have an account
Log in  
Register your account to start 30 days of free trial access
Register  
Subscribe to become a client
Choose a package  
So we have to write now a panel, a panel on the topic of PST two and the identity problem you are having PST two for an identity problem, but it might make sense in worse. So it's a pleasure for me to welcome this repent Analyst to drive Kay, financial services regulatory at for truck based upon the long title plus listen, CEO of know your customer and Zand director of solutions architectures Ws two. So before we dive topic made, we started as a quick round of introductions of yourself. Need to do one start.
Yeah. Perfect. Hi everyone. Yeah. VP of financial services and regulatory. So that piece was sort of added on to my title and I several eight months in and now realize just the full extent of that as I move globally to help organizations address regulations. But yeah, that's me information security for the last 20 years, very focused around ensuring my health banks open up their data security.
Yep. So I'm se fan. So I think you, you can see my details as well. I'm more of a, like a solutions person. So I get to work with our customers. A lot. Most of them are banks, so it's, it's kind of useful to see this kind of PSC, two compliance and new interesting things which has created then problems for customers. They're asking us serious questions about implementation, how things would work. And so, and so forth from security point of view also from, I don't know, implementation because every bank has its own way of, and lendings, it's all changing now. It seems to be good, but also challenging for them.
Okay, close
It close of now your customer, we provided platform for anti-money laundering services. And as part of that, I'm at the, at the peripheral concerned with identity. Of course, that's why I'm here because for Monday morning, you always have to KYC, know your customer, get some sense of your customer, get an identity of them. So the whole idea of digital identity, very near us.
So when I go back to the last 15, 20 minutes, we had some interesting discussion already around strong customer authentication. That's a strong customer authentication and some of the challenges PSD two and the RGS leave us with. And so on one hand, the things are strong, customer educational. Then it comes up with some, as you already said, some Fu things in which are not as clear as they might be. And from what I have in mind, it doesn't really say what is strong customer authentication. Very specifically, you can go back to some of the other regulations that maybe look at what is really acquired, look at what the, whatever the, of the other regulators expect there.
But I, I think it, it okay, a regulation probably doesn't need to, to look at it from a really foreign consumer or customer perspective. But when, when I take this situation, also the one of our other, you might have seen my keynote yesterday morning. And I talked a little bit about one of the action items, which is seek outside in and stop seeking inside out where most organizations still seek inside out. So what works for me? So, and what does my customer have to do? And when we take this thing and I believe that it's better to say customer, whatever is acceptable from compliance perspective and what you want to do, whichever combination of devices, and if you switch your device and move from whatever I windows, phones don't. And if I move from a windows phone to whatever else and decide, okay, let's say I try and Android and learn that the iPhone is better.
I switched the other day. Then I should be able to seamlessly also became in the best way, whichever is supported by these devices, it fingerprint or Iris recognition or whatever. And when I say, okay, I'm sitting, I'm not traveling. I'm sitting at my desktop computer, obviously. So right now it works, but it was sometimes was more in the basement. If the mobile network is not as good, it should still work. Hey, I want to do it my way. So this is my thinking. And if I take on PST two and the idea of strong customer application, then I, I would say maybe one piece of the identity problem is how can we really make it convenient to the customer with that scope? Good might be. And that's where I want have your perspective on some of the ideas you have that maybe some perspective on maybe the fussy regulation helps us because we can do everything. So what's your point on that? Do you wanna start class?
Well, I think one of the main problems with that is that we think of our authentication of often as our identities. And there is, there is this, this problem is actually not. We think even of our Google accounts or Amazon accounts, as we are identifying ourselves towards these services, Amazon is good point because we pay with Amazon sometimes even for services. So it, it feels like an identification, but it isn't, it's authentication, meaning we are just proving. We're the same person who created that account and there's not much backing to it. So it's not a real identity. It's an authentication, we cannot loads and middle of that. And that's one of the problems that causes these inconveniences because we never able to prove this is me. We are only prove proving. This is the same person who started problem. Yeah.
I, I think it's part of the problem, of course, but in terms of how institutions consider a strong customer, like, I don't know, like authentication or it can be identifying the person, but I think the way they kind of think of it as more than a single factor. So they're trying to make it broad so that you don't need to just rely on one way of recognizing yourself, but two or three ways in the process. I fully agree with Martin. Like some things that might work on your mobile phone will not work on your computer. And if you don't have the data connection, it may not work convenient enough for you because you might have to find a place where your connection works. Worst case. If you're traveling, it becomes even more complicated because it anchors lots of roaming charge. And so, and so it, it, it gets it more and more complicated for you as consuming. I really don't think any bank literally can solve it right now because they are kind of relying on iPhone, Android kind of things, or they want to wait till somebody else provides some service. So it's, it's a problem. There is really no solution now.
Okay.
Maybe. Yeah. So I think actually, that's, it's not a technology problem because I think the array of technology discussions that we've had over the last day and a half have just shown that, you know, the technology is perfectly capable of being able to provide seamless customer journeys that are, you know, fraud and risk analysis associated with those journeys that actually the ability to authenticate and authorize and identify that it is that person making that transaction is, is all possible. So then you just have to ask the question, well, why isn't it being done or because all of banks can't get outta their own way. They are a size and scale that procurement is a major issue. Governance is an issue risk. And then, and then their own interest gets in the way. But one thing's for sure, it's not gonna get in the way the customer, because the customer is demanding a better service from their banks. They're demanding more information about their financial wellbeing in a 360 degree view if at all possible. And so I think it's, it's, you know, open banking and PSD two are regulatory demands, but there is a market force that is at work. And it's the banks that recognize that the ones that are taking that first mover advantage to open APIs and extend the knowledge about their customers into, you know, an extended partnerships and propositions, they're the ones that are gonna win ultimately.
Yeah. And I think it's very much about banks have to leave their comfort service. And, you know, for me, I'm a customer of a small folks, bank and Germany. So we have this group of folks ands and market mutual banks, which have 25 million accounts or 35 million customers. In fact, then the other ones have whatever's the same amount. So it would be so logical. I think, you know, there's 25 million, you have a critical class, you can do a lot of stuff here, but it's not happening. And that's where I say, you know, that's really about missing opportunities, but what I like is, is the point you've made. And I think it's a very important point. And I just draw have been drawing the same thing on a whiteboard on my this week and a customer now financial service customer went was basically, it was the same.
So, so what I, I had this discussion recently launch in the workshop where was sample, and then it was about sort of painting an architecture. And some people came up if we do a Facebook, whatever was the kitchen, we don't have the customer record. No, we have, in fact, we have the ID, we have classification and we have the customer record, which are really different things. And so where you look at, from, from, from the, the perspective of identity, what is the identity might be even depending on perspective on a little different places, but obviously, and I think this is an extremely important point you've made, we need to this deep with this as well. I think as in a lot of discussions, I hear these days, it's very much about authentication, but it's sometimes can work that's to also indicator a certain way. You first should have some identification or slash verification growth and you need to roll out an authenticator. So you look like you have any, you have some, some opinion of it.
Well, yeah, I, I think it's an area of real interest. And also you raised about convenience. I think individuals are always leaning into convenience. They're always looking for something that makes it easier to do what they would otherwise find difficult. And they'll migrate to that. And I think authentication is no longer, doesn't have to be a clunky, you know, obstacle as was referred to by Mike's talk in terms of the way that they interact with the service. And in fact, the capabilities are to make it very seamless, no matter what the channel is, but always coming back to, you know, the, the fact that it's being validated and verified, and that's a critical point at the beginning of their journey. So, you know, whether it's account opening it's how do you actually verify and validate that customer? I think there's tremendous opportunities that are being missed currently. When you look at the span of government and financial services, to be able to protect high value credentials, but at the same time enable the economy to do more with, with that data without putting it at risk.
I think there's actually a giant opening for government to do something as consumers in a business, we have moved rushed into the digital demand, but our passport is still paper. We do need a digital identity. The question is, do we need it from the government? Or do we want form government? Do we want this central point? And then there's this it's blockchain people who say, oh, we want all decentralized and so on. But then it clashes with GDPR and, and things like that. But the questions really, what is the central point of digital identity? How can we make this convenient with big pictures and all I'm from Germany originally? I don't know, but in Germany there's a electronic signature function built into our ID cards. I know the UK doesn't do ID cards, but we do. We took a number of people. Well, that's a different thing. And they might do that, but you need a special reader. It's not convenient. Nobody does it. So
Interest, interestingly, I have a German
ID card
And I haven't enabled that feature because, and you know, I, I should be that at least I should be the one who does it. So if no one else it should be me, who else from perspective, I don't do it because there's absolutely zero practical. Well, for me to do it, honestly, I, I didn't like to go write foreign. I got, I don't like to do it. So I not even me is using that, that obviously you raise the question, is the government the right place to do it? Yeah. So how many countries do you know where each have really successfully rolled out national E I D in EU? I know exactly one Estonia's it's that's that an argument who cares different deferring
Example would be, would be maybe Nordic actually Scandinavia did where ID based on, on
The bank equity. Yes. Thanks. I think you could tell us base about that. Yeah.
I, the bank I is full practical purposes. That's what you do. I did. I used of course, for bank, for health, for insurance, for government, I do my taxes. I renew my medical prescriptions, the practical purposes. That is the national money, but it's not issued by it's issued by next.
And there the
UK, there's the federated system of
UK failing isn't this? Well,
There are some significant challenges. Yeah.
Which we are all,
We're all awaiting the McKen, the much trial of McKinsey report. I haven't seen that yet, but there are efforts still ongoing in terms of the private sector for verify, and maybe there's life in that approach. Because I think there is a sense that people will be in a more distributed model will be more accepting
Of that. Yeah. I was meeting couple of months ago was three out of seven or eight ID provider parties. And of the month I after meeting, I don't wanna tell you which one were, but there was a hundred percent thought of absolute frustration. You want something to this discussion?
Well, so I think, I don't know, in terms of the, in terms of the authentication aspect, right. Public sector can kind of, there are some initiatives in the U and I think some of these initiatives are kind of, I don't know, interesting. However, people still don't broadly trust them. I think it is the main challenge. So the bank ID example actually works because people are kind of enforced to use that it is convenient. I think it's not convenient, but also I think if you consider, do you have any other option which is as convenient assets? I don't think you do.
Yeah. That, that's the point. You know, at the end we are in race. I believe we in race between the public sector, ideas and public sector always wants to have some money, but, you know, we had the same thing with the Germany, with the, the email. I think it was so sort of a secure email, but you know, for me, the only, only changing effect it would have had aside of something, convenience is our males to be appeared to be that the Trump tax office is able to reliably send me stuff. So do I want to have a reliable communication where they consult me all the stuff I have to pay? Do I want to make their life easier? No. So there was no reason for me, in fact, no benefit for me, from my perspective. So, and, and I think this is the point, cause you raised, you want, you're a little bit biased regarding the Mo bank ID, but, but anyway, I think it it's, it's because for practical purposes and because it, it reach.
But when I say race, I believe there are three things, three parties where you should be in the race. And one definitely is, and two might not be the one which might be, could be is the government if they would ride thinking outside, inside out. So not from a government, but from a citizen perspective. And right now it's from a government perspective, not from a citizen perspective, most countries, the second one are banks. And I think PSP two, in fact, enables and Oprah the door to do lab. So back to say PS two and third one again, PS two related are all the others, the peoples, the Amazons, the apples of the world. And so if you look at these three groups, which one is definitely participating in race.
Yeah. I think we should kind of include the GSF ma and they implementations as well, because yeah, because mobile phones are more and more practical these and think they have a significant hand in terms of like being an authenticator. But also I think the, the, the, the two main entities I think will be banks and the public sector, because those are the most concerned with regards to public interactions and so on and so forth. Mobile phone companies are seeing as still, I think, like option,
But mobile phones, you know, you take your point, split the customer, split identity, OS you split it in various layers. Then there's an interesting place for the, what do you think
The mobile communication providers have have a huge chance there because they have excellent data about us and who has changed our mobile phone number recently. Nobody we've all had it for years now or decades. Now.
I think I'm studies, mobile operators have no idea that they know who pay. They could, they have no idea who
To use it. Oh, that's right. That's right. Okay. Opportunities. I'm saying
Civic saying one thing they really are good in is creating bills,
Civic opportunity.
That's
Authenticators, but not as I,
Yeah. Okay. Not a gate, but to be sure these devices, we carrying them everywhere and we keep them and we keep safe and all that. So
Operators also one of apps and they didn't manage that.
So that's, I would exclude that, that the group of, of other providers like Facebook are, or Google just think of Yahoo. I, that reach, nobody wants their stored on one of our
Really, I hope that one persons using apple pay, well,
Martin and I talked yesterday about that. Yeah. Okay. You got me there.
So Nick, you always look like,
Sure. Yeah, I got plenty of it.
But, but I think, I think what we will see and we are already seeing it is enterprises in a given sector. So you take orange, France, telecom, take orange, and what they've done with banking. And they've actually taken a big stake in bank in France. And they've developed orange bank. We're actually involved in a project driven by OIS, which is about account opening cross-border, which is exactly the kind of future state that really these an integrated economy should move to where the distribution of a federated identity, you know, is provided between providers. So, you know, we're calling into mobile connect in France for attributes, for someone who's a fresh citizen, opening an account in the UK, you know, with HSSBC or so, you know, those kind of programs are really where it's about making life easier. And ultimately, you know, we all wanna make life easier for ourselves. Convenience choice control. How much time we can spend on one given thing is, is what we are expecting our providers to make much more accessible for us. And if we don't find it, then sure enough, there'll be means by which we can switch.
Okay. That,
Okay. So already capture a couple of five. Maybe let's get a little bit back to PST, two identity. So is PST two enabling or is it hindering the use of my community identity or is it in fact more or less agnostic or least neutral? So what's, what's your point on that? How would you rate this?
So from the implementations that we've seen, I think PSC two is kind of becoming like a supplement. So it's not going to be something that we say that somebody needs to have a PSC, two compliant identification or something like that in the future, at least so far. So I think this is going to be a convenient way of working across banks, which is the kind of scope it has. So I don't see it kind of evolving into a, like a serious authenticator or, or kind of a thing, which is more like broader in its use, but I don't know banks, which are also providers of other services may expand it. Banks who are in larger consortiums may want to kind of make additional uses of it. I know some banks have kind of tied up with other banks, even though they compete with, because they want to kind of avoid the threat from FinTech and then created the authentication ecosystems, which are beyond PSU tool, obviously. So we have to wait and see, I
Think
Chris, Chris, sometimes that's fine.
We said, last time you should, your name should be Chris Christ.
Well, usually the order, my, my Starbucks latte, I cloud like stand up. So anyway, I think it's C two is more a missed opportunity there for parents. They could have gone away and, and got together and said, well, guys, we actually need some underlying identity to make this work correctly and got a and go in the way of maybe bank I, that sort of thing hasn't happened. That doesn't seem to be interest. That's my point.
And yeah, I think so the banks have an opportunity still. I don't think this is, you know, run away from them. And you know, some of the points made earlier that may be the game they're playing, but ultimately, you know, they, they have a level of trust from us as consumers because they do protect very sensitive data. And typically they do it quite well. It's just, how do they, how do they do more with that level of trust? That's been given to them, how do they extend into, through an API, into an ecosystem economy that is actually about the ecosystem that we need around our life moments and our life stages. We've all got families. We've got major purchases. We've got major problems that occur in our lives and backs have an opportunity to build an ecosystem of either their own propositions or FinTech propositions around those life moments and life stages that the dimension that they don't get is we are not very comfortable giving them more data.
We give them a very partial view. We've taken a multi-bank approach. We're banking with several people. We've got loans and credit cards with different people and mortgage with another company, very few banks have a 360 degree view. Some customers are very loyal, give them everything, but there is an opportunity there. And I think that's what some of the banks are leaning into with their way they're working up APIs even without the demand. But then equally, I think as the demand takes shape, we are gonna see that an erosion, if they're not careful, a gradual erosion of either the visibility of the data that they can capture, because all they'll see on a transaction is apple pay apple, apple company, and they won't happen the data. And, and that's when you're gonna start to see them becoming much more of the plumbing and their movement of money.
And, you know, it's interesting. It goes a little bit back to what I've said in last year's opening keynote of this conference. Whereas it's a little bit of banks having to, to decide they will adapt or die, little bit harsh and very, very direct. But I believe it's really what you also said. There's still a bit of opportunity, but banks must become here what they really want to do. So I think the one, from my perspective, the main thing banks must do for a businesses to avoid becoming trusted backend service. And it means you need as a bank, retain a build on the trust you have with you. If my small mutual bank and fact not the one who has it, the group of mutual banks, if they would offer me a well working all finance interface, I would stake step immediately. You know, I say, okay, perfect. Right now I can manage everything here. Very convenient, modern user in the face, which is not early eighties. No, it's, that's hard. It's early two thousands.
Yeah. But, but you know, if, if that thing would be convenient to me, I would say, I stay with them because the small mutual bank has a big advantage for me. You know, if I need something, it works, like give them a call. Oh, we know you. And you know us, they know me. And, and when I back, when I financed my home for such a small mutual bank was relatively small home is a big thing. So it has to, the board had the supervisor board had to sign off. And you know, this means five people who know my entire family for generations though, to speak and know me from childhood, had to sign off, which is super simple compared to an in this bank. So they have a huge opportunity and they are about to listen. I believe from this for you. I think Sarah, Dennis, what banks need to be aware of. And so maybe you had some, some good final state final statements from you.
So I think the banks need to understand the kind of opportunity. And I fully agree if the banks don't add up, it's, it's going to be their own faith. And interestingly, I think about couple of months ago, there was conference where banks were kind of participating, but the presentations were mostly from FinTech and, and the FinTech were explaining the kind of advances they have done. So they were talking about smart cars, people being driven by their car. And they're kind of banking through the cars interface, for instance, all provided by FinTech. Of course, and the banks were kind of asking many questions about safe security, authenticity, all of those things. And the applying costs as a consumer, you really care because if you, if you are on the way to buy something from, you know, like the closest restaurant, are you considering security, authentications all of these things, you on the convenience, right? So I think the banks need better up,
Well, short state, you're the one with custom coffee.
No worries there. No, I think just to, to put this out, there is just a huge opportunity in digital identities that are real because we are all moving into this digital realm. We such a force, and this is the one bit that is missing. How can we have electronic signatures? How can we, can we have binding contracts online with action and identity?
Oh, blockchain.
Blockchain is the answer. What was the question? Yes,
Exactly. So thank you very much for petition. Depending those panel, we have a follow minute coffee break with a, in between a 10 minute presentation of one trust, which you shouldn't list. So in 40 minutes, we start bag again on that room with serious closing keynotes. So thank you very much again to the panelists.
Thank you.

Stay Connected

KuppingerCole on social media

Related Videos

Webinar Recording

Complying With PSD2: Everything You Need to Know

With the Revised Payment Service Directive (PSD2) coming into full effect this fall, banks and online retailers need to adapt to changes that carry with them many regulatory and technical challenges. Acknowledging these extensive changes, Germany’s Federal Financial Supervisory…

Webinar Recording

Prepare for PSD2 with Strong Customer Authentication, Fraud Risk Management and Open Banking APIs

Banks will soon have to comply with the Revised Payment Service Directive, commonly called "PSD2." The directive will introduce massive changes to the payments industry and radically alter the user experience for customers of European banks by allowing third party payment service providers…

Event Recording

Martin Kuppinger - 2018 - The Year of Disruption: Why the Finance Business Will Never Be the Same Again

The year 2018 brings major changes to the financial industry. Two disruptive regulations (PSD2 and GDPR) come into effect early in the year and will have a far-reaching impact. Their implementation can be a challenge, but through these directives new opportunities will be created.…

Event Recording

Urs Zurbuchen - Revised Payment Service Directive: Understanding Its Technical Requirements for a Smooth and Secure Customer Experience

PSD2 will require 2 major technology thrusts: exposing and securing APIs for banking functions, and presenting strong authentication options for financial customers. Banks have to open up many of their core banking functions to enable the PSD2 ecosystem where Third Party Providers (TPPs)…

Event Recording

Parth Desai - Open Banking Challenges & Opportunities: Why AI is the Essential Business Enabler

Presentation at the Digital Finance World 2018 in Frankfurt, Germany

How can we help you

Send an inquiry

Call Us +49 211 2370770

Mo – Fr 8:00 – 17:00