A big question financial institutions and payment providers like PayPal are facing this year is how to authenticate users online while complying with regulatory requirements.
Data breaches, the highest-profile and most serious of which have occurred in the US, though they have also affected the likes of Tesco Bank in the UK, add to banks’ reasons for urgently needing better digital identification.
Know Your Customer (KYC) requirements have become more stringent in the European Union with the advent of the Fourth Anti-Money Laundering Directive (4AMLD) and the Second Payment Services Directive (PSD2).
The 4AMLD requires that businesses continually make efforts to check the veracity of their customers’ information and to monitor transactions, while PSD2 requires “strong customer authentication” from all payment services providers accepting card or digital wallet payments online.
Given the stretched resources and heavy pre-existing compliance requirements incumbent on banks in particular, it is likely that most will opt to enter a partnership with an existing digital ID provider.
Most digital ID providers, in turn, specifically market themselves as partners for financial institutions, offering solutions to the problem of regulatory compliance.
What does this mean for customers?
Digital ID involves building a verifiable, extensive digital identity for customers from a combination of scanned ID documents, biometric information, and social media presence, something many may not be comfortable giving up.
This digital ID is used to authenticate customers in future transactions; which individual identifiers are checked varies with the bank or payment provider’s appetite for risk in the context of the transaction.
The existence of the digital ID makes it more difficult to commit fraud, since there are so many factors that need to match up for a fraudster to successfully pass as a given customer if challenged.
Additionally, the identity information is generally stored by the digital ID provider rather than the partner financial institution, making it more difficult for data breaches (which typically target banks and merchants) to expose valuable customer information.
However, privacy campaigners could push back, claiming that giving banks so much of their personal information is unnecessary. Such a battle may be fruitless, though, if banks want to meet the tough new regulations.