Role of Identity and Trust in eCom

Please excuse typos.. Editing not complete. I had a great compliment this week: “Tom you write so dense.. why are you so different”? I’m not an analyst or a blogger, but a guy that has run operational businesses and led venture investments. The only great thing I’ve ever done in life is to meet great people with passion and ability to execute on a vision. This blog is how I chat with all my colleagues. Glad others find it useful..

This is a rather long blog.. if you don’t have time read the wrap up at the end which is a summary of key points.


Continuing on from yesterday’s blog on Authentify – Bank ID Service, I thought I would outline the role of identity in eCommerce and the problems to be solved. Although most of you know me as a payments guy, I also have deep roots in data working directly with retailers, AdTech, Google/FB and media (in addition to issuers/acquirers/networks). In looking through eCommerce articles I couldn’t find one relating to identity (from a big picture perspective).. So I thought I would write one.

One of my favorite business books of all time is Clayton Christensen’s Innovator’s Dilemma. The core concept he leaves us with is “what is the problem to be solved?” That is the question with respect to ID in eCommerce. I could have “the best” ID.. but what problems can it solve? What value does it bring? A Bank ID is somewhat like having the best proprietary battery. It is only useful in how it can be integrated/used within a product.

eCommerce Big Picture

Per my 2014 blog Banks as a Data Business,

Banks have always been instrumental in enabling commerce. Enablement requires the ability to partner within a trusted network among millions of participants (see Collaboration and the Sharing Economy).  The value of data is at its intersection. Google, Facebook and Amazon have focused on “value orchestration”.  Google will take a loss on the payment, ship goods to your house for free, all to gain the advertising spend (2000bps vs the 200 bps of payments).  Banks, retailers, mobile operators all want to have a role in expanding commerce.  As I outlined in Transformation of Commercial Networks: Unlocking $2T in Value, today data is flowing to the entities best able to create value (and great consumer experiences).

Problem 1 – Advertising/Discovery the “biggest problem”. Identity is at the core of optimizing the entire marketing funnel, and also drives the $225B advertising industry. Each entity in advertising has some sort of unique data. On the demand/advertiser side it is WHO is targeted, on the supply/publisher side it is WHO can be reached. The advertising marketplace is too broad for me to cover. However I did want to highlight a key retailer innovation: Customer Data Platforms (CDPs). 20 yrs ago few advertisers had their own organic data facilities; neither retailers nor CPGs knew who their customers were. CDPs have changed the game.

Prior to CDPs, advertising was a game of chance, leaving advertisers highly dependent on agencies. In these “Mad Men” days advertising was an art form. The top industry event (Cannes Lions) was a “festival of creativity”. CDPs have given advertisers the data to change this “art” to a science, and data driven insights have made measuring every dollar of marketing spend possible. Of course CMOs aren’t exactly thrilled about the change, as the CFO now scrutinizes the marketing plan, but successful retailers like Target have become profit centers through their data businesses, with CDPs driving retail profitability both online and in the store (think layout). For example, CDP platforms answer key questions: Is my agency doing their job? Who is my customer? In what geographies and demos am I underperforming? How to expand loyal customer share of wallet/frequency? Where can I influence them? How do I price? Where can I find others like them? What is the cost of changing their behavior? What ad partners are performing well? How do I retarget consumers with abandoned shopping carts?

Personalization/Shopper Marketing. Moving down the funnel, a successful digital marketing effort leads to an action. Retailers no longer present a one size fits all landing page. Rather, landing pages are curated based upon the retailer’s unique understanding of what you have purchased with them in the past, and what they believe you are looking for today. See Amazon example for more information. See Data Games for a deeper dive on what unique data banks hold that could inform personalization.

Price Promotion/Consideration/Selection. Do you display items that are most aligned or the items that may be similar at a lower price? What price will prompt action? What depth of information do you need on the product to move selection? Is there a value proposition outside of price that will prompt action (ie Deliver today)? Thematic content? Reviews? For more detail see What do Retailers Want – 2014 blog.

Credit expands consideration. BNPL has brought significant change here (see blog). Outside of automotive, financing was not part of most retailers’ price/promotion strategy. Peloton and Affirm’s 0% interest and $0 fees show how flexible financing terms can drive purchase of other large ticket items. Why is Amazon using BNPL? Amazon seeks partners that will make “commitments to underwrite competitively to widen the acquisition funnel.”

Conversion. Now that I have a customer with a basket, how do I enable a smooth checkout process, for existing customers and for new customers? Amazon, PayPal and Bolt have focused extensively here. Shopify and Stripe are global specialists. Conversion success (payment) is the key event for everyone in the marketing funnel. Not only is it success.. The conversion event connects the probabilistic advertising data to payment DETERMINISTIC data (more on that below). Within this event, the focus is on consumer experience as consumers understand how to pay. Consumer credit is much more important, hence we see BNPL providing incremental conversion at a higher MDR (BNPL blog). Merchants certainly want new customers to register, but they realize registration reduces conversion, and consumers are hesitant to provide card or PII to a merchant they have no intention of returning to. Hence PayPal’s improved performance at specialist merchants.

Payment. Retailers have many options for payment acceptance. Historically, the biggest problem for a new retailer was that the merchant account took 3-5 months and contained significant hold backs. Stripe and Square revolutionized the small merchant market with their PayFac models (Acceptance blog). Today, most merchants use payment specialists to own the merchant account, fraud, checkout process, payment processing, consumer data and overall UX.

This payment event begins the new deterministic phase of data gathering as consumers enter their personal and payment information. Beyond the market success, risk management begins to require action as 1) merchants are responsible for eCommerce fraud and 2) mandatory/regulatory requirements apply (ex GDPR, CCPA, PCI, …). Thus the device graph expands greatly, with new specialists managing risk, fraud, payment, conversion and compliance. Top eCom merchants like Apple, Walmart and Amazon have managed fraud down to around 3bps; as customer observations grow, their ability to KYC grows (see Data Games).

I could go on into post sales support, retargeting, and loyalty.. But my primary point is the complexity of the funnel and the tremendous investment made by retailers to win in eCommerce. Better IDs improve the efficacy of the marketing funnel, but this ID is NOT one that a bank will provide (see Banks as a Data Business).

Side Bar

The coupling of identity, authentication and device is also revolutionizing the eCom payment experience. For example ApplePay provides autofill of payment credentials, with device information and authentication. V/MA/Amex and EMVCo developed the new Secure Remote Commerce (SRC) standard with deep browser integration (blog). 

Payment has become commodity infrastructure (2014 blog Payment in the OS). As stated yesterday, the top US issuers are working to change the game here (see Perfect Authentication is a Nightmare for Banks). No one likes becoming a commodity, hence banks endeavor to provide a better ID for risk, or a new payment instrument (with risk management).

ID Types and Permissions

The marketing world is filled with 1000s of companies with 3 galactic giants: Amazon, Google and Facebook. Each company operates within a federated data environment where they  must coordinate their proprietary insights with other data sets; federated data sets require a common key. Within advertising the “key” is a consumer identifier and each specialist maintains their own unique customer ID. A common consumer ID unlocks the value of intersections and proprietary insights to coordinate across multiple specialists.  See Dangers of Data Centralization for more detail. 

For example, McDonald’s new CDP can create a campaign targeted to frequent customers for execution on targeted media publishing platforms (Goog, FB, Digital, Targeted TV, …etc). These platforms will receive a target audience and also be given direction as to whether to expand this audience with their proprietary data for look-alikes. Consumers who see the ad (exposures) are tracked through shopping (mobile location, cookies/IP) and purchase (see blog Payments Data and Measurement). 

How big and complex is Digital Marketing? Take a look at this Chief MarTech infographic with 8,000 companies (I knew I could get a laugh out of you). The marketing world is like 1000s of Venn diagrams: each specialist can reach a certain type of customer in a given form of media. Exposures can be tracked, and behavior monitored.

The common ID opportunity is so large that Acxiom renamed themselves LiveRamp ($Ramp), and they sold the remaining marketing solutions business to Interpublic. Today LiveRamp has become the leading provider of common ID to the advertising ecosystem above. It is the lingua franca for federated data in advertising. LiveRamp’s IDs are probabilistic: they guess at who the consumer is based on many observations. For example, if you were ever online filling out a form with your name and address and used a CC, LiveRamp will create an ID based upon: device, home IP address, your name, CC, browser, … etc. Over time, the ID will get refined as the number of observations increases. As a result these LiveRamp IDs are fantastically accurate (90%+).

Story (2018 blog) – Commerce Signals held no data. We were the core switch operating between the permissionless probabilistic world and the regulated permissioned world (ex bank data). In our early days, a major retailer inadvertently sent us a LiveRamp Google File containing LiveRamp ID to SKU. I was blown away.. Consumer data purchase information, and SKU pricing information is highly sensitive. Of course we couldn’t read any of it given it had the incorrect LiveRamp ID, but the fact that real time SKU information was coming out of almost every retailer and into Google/FB was a data flow I never anticipated. If Google/FB know what consumers buy.. They can adapt their models (ex Nike vs Adidas). Once a consumer model is tuned.. I no longer need the data. Thus retailers are risking the creation of a consumer aggregator that will learn everything about their customers.. And can steer. No wonder Amazon created their own ad business.

Hierarchy of ID types: at the bottom of the pyramid is probabilistic data (based upon observations), next is deterministic data (data supplied by customers), then at the top of the pyramid is truth marked deterministic data (data verified and trusted). Each kind of data is governed by the permissions the consumer provided, and by the country/state regulations which govern that consumer and the contexts in which data is obtained (see blog). This is complex stuff with either reputational risk or compliance/financial risk. For this reason Amazon, Google and Facebook allow no data out (ie walled garden).

Story. Most ad tech collaborations involve file transfers. As I described in 2018, Mastercard’s $35M deal with Google involved sending “anonymized” transactions to Google. In Google’s work with banks, they asked for anonymized records. Banks asked for exposed audience files. Neither would budge. Google launched an effort called private join and compute, which still required banks to provide their entire transaction file.. But encrypted. This is a flop in financial services. Why? If I perform 2 queries on the data set and only change the audience by one person, I can still determine individual behavior. Google’s workaround was to obtain SKU level information, with payment identifier, directly from retailers (see Google Store Sales Upload).
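The two-query problem described above, as an added example (not from the original post, and not the Private Join and Compute protocol): a toy aggregate-spend service over constructed data, followed by a hypothetical `QueryAuditor` that refuses audiences that are too small or that differ from an already answered audience by only a few members.

```python
"""Differencing on aggregate-only audience queries, plus a query auditor.

Toy model with constructed data. This is NOT the Private Join and Compute
protocol; QueryAuditor and its thresholds are hypothetical.
"""
from dataclasses import dataclass, field

# Constructed sample: bank-side spend per customer ID at one merchant.
SPEND = {"c01": 120.0, "c02": 0.0, "c03": 45.5, "c04": 310.0,
         "c05": 18.0, "c06": 77.25, "c07": 0.0, "c08": 205.0}


def aggregate_spend(audience, spend=SPEND):
    """What the data holder releases: one total for the whole audience."""
    return sum(spend[c] for c in audience if c in spend)


def unguarded_difference(audience, target):
    """Two totals whose audiences differ by one person isolate that person."""
    with_target = aggregate_spend(set(audience) | {target})
    without_target = aggregate_spend(set(audience) - {target})
    return with_target - without_target


class QueryRefused(Exception):
    """Raised when answering would narrow the result to too few people."""


@dataclass
class QueryAuditor:
    min_audience: int = 5   # smallest audience that may be queried
    min_delta: int = 3      # smallest allowed change versus any prior audience
    answered: list = field(default_factory=list)

    def query(self, audience):
        aud = frozenset(audience)
        if len(aud) < self.min_audience:
            raise QueryRefused(f"audience of {len(aud)} is below {self.min_audience}")
        for prev in self.answered:
            delta = len(aud ^ prev)  # members present in only one audience
            # An exact repeat (delta == 0) returns the same total, so allow it.
            if 0 < delta < self.min_delta:
                raise QueryRefused(f"audience differs from a prior query by {delta}")
        self.answered.append(aud)
        return aggregate_spend(aud)


def guarded_pair(audience, target):
    """Replay the same two queries through the auditor."""
    auditor = QueryAuditor()
    first = auditor.query(set(audience) | {target})
    try:
        auditor.query(set(audience) - {target})
    except QueryRefused as exc:
        return first, str(exc)
    return first, None


if __name__ == "__main__":
    base = {"c01", "c02", "c03", "c05", "c06", "c07"}
    print(unguarded_difference(base, "c04"))
    print(guarded_pair(base, "c04"))
```

The pairwise check only covers two-query differencing; combinations of three or more overlapping audiences can still isolate an individual, which is why calibrated noise (differential privacy) is usually layered on top of audience-size rules.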

Permissions. Most ad data is probabilistic (based upon observations). Advertisers and AdTech are a tad “loose” with no-permissions probabilistic data, whereas banks are very very tight with permissions because their data is deterministic and was provided by a consumer within an agreement (see Data Leakage).

Story – CEO of DSP/Ad Publisher. I asked the CEO of a leading advertising platform how he tracked permissions. “Tom I can create an audience for you for example: guys over 40 that shave with Gillette.. Do I know where that data came from? No. Do I know how old it is? No. I don’t want to know because then I would have to pay someone for it and track how I use it.”

For consumer entered deterministic data there are 3 key data questions: 1) do I have the right to hold the data, 2) do I have the right to use the data, 3) do I have the right to share the data. Today, retailers largely append an “anonymized” ID to their data and send it along to Google/FB. IDs like LiveRamp are designed for the partner to translate. Obviously consumers did not permission their retailer to share their purchase information. Today the purchase event has become the equivalent of 3rd party cookies and there is no way a regulated bank can play here.

Direct consumer permission solves this sharing constraint. Banks can either directly navigate from a banking service (ex online banking) or seek permissions within the consumer agreement (See Wells Fargo Control Tower). For example, iDeal is the leading eCom payment scheme in the Netherlands and solves both permissions and payment by having the consumer open the banking application and take a picture of a merchant QR code on the screen.

Story – Banks want a role. Banks love the idea of starting every payment with them. Using online/mobile banking to begin a user experience solves permissions and allows for rapid expansion (and approval) of counter-parties. However, I don’t think any US CMO would be thrilled at the process UX (ie please log into your bank to continue) compared to PayPal/Bolt one click.

Ten years ago I was working on the Google Wallet team (as advisor), the TCH banks wanted to create their own wallet for this reason, as did the MNOs in THREE efforts (firethorn, payfone, ISIS/Softcard). The wallet ship has long sailed, however it is important to remember the historical perspective as banks still tend to design with a “start with your bank site” user experience in mind.

A truth marked deterministic ID is a diamond. But how can I use it? Retailers’ top challenge is at the top of the funnel; banks can provide insight here, but lack consumer permissions (this space is owned by Argus/Commerce Signals, now part of TransUnion). How can banks broker this great identity (see blog)?

Externalizing Trust – The Problem to be Solved

As regulated institutions, there is nothing better than the “trust” of a bank; they are regulated fiduciaries of capital with direct connections to consumers. Banks are required to Know Their Customers (KYC) and their Merchants (KYB). The problem with extending trust is that it is domain specific. Thus there are many challenges in externalizing trust across domains as each domain corresponds to: actors, context and permissions. 

The federated data model allows each participating entity to hold their insights within their domain, but collaboration brings shared observations, which results in decay of unique insight. For example, credit bureau scores are the oldest form of trust externalization in FinTech. If I tie a bureau score to a marketing ID, and consumer preferences it would be powerful. To curate and model how your credit score is predictive of other behavior? Anyone participating in card marketing doesn’t really need the FICO score. Observations of what kind of people start the card process and which people are issued cards leads to shared insight on both the prospect and the captured customer. Each entity participating in a process learns more about the individual and can predict behavior. 

As unique data decays in value, the ability to take action becomes the key differentiator, hence the dominant roles of Google, Facebook and Amazon. 

Thus many parties have a good enough view of trust, within specific contexts, many with no permissions or constraints on use (probabilistic observations). I would maintain that Amazon has better data to manage transaction risk than any bank could provide. Unfortunately for Authentify, “good enough” trust is adequate for 90% of the “problems” in commerce, and a transparent permission may actually bring on a negative consumer reaction.

For example, imagine the trust externalization problem as a public conversation. You are opening a new account with your auto insurer, and your insurer then asks you to call up your bank so that they can verify you are who you say you are. You may be a tad insulted.. You play tennis with the insurance broker and he asked you to apply.. Now they don’t trust who you say you are?

Externalizing trust means adding entities to a commercial transaction. Additions may make sense from a risk perspective, but do they make sense from a consumer experience and marketing perspective? The fraud team at an insurer will love the process above, while the marketing team will hate it. A great marketing team would say: “let’s get this guy signed up and committed.. Then let’s work on the back end, behind the scenes, to do the checking necessary to open the account”. This is how IDV works today.

IDV is an active market. ID vendors source and maintain IDs across domains and geographies, and bundle services with document signing, integrated compliance and auditing. This holistic approach provides flexibility to externalize trust within multiple domains and provides varying levels of IDV dependent upon: domain, geography, objective and price. For example, a healthcare claim form requirement differs from a new account.

Socure is one of the hottest start ups in the ID space. They are the “Stripe of Identity” providing both solution bundles and APIs to integrate ID into any business process. The majority of Socure’s clients are the financial services firms behind the new Early Warning bank ID. 

Players in the ID market have also created frameworks for “consuming” trust within the context (and permissions) necessary for action (think Stripe for Identity). For example, there are use cases where speed of decision is critical: an online gaming site must legally verify if the user is above 18 and not currently in a state that prohibits online gaming. To take action, the gaming site must verify both user age and location. The selection of identity to solve this problem is complex: Is it legal for the MNO to provide this information? What is the degree of certainty in the MNO’s solution? Will regulators accept the process? Who is indemnified if it is not accurate? What data must be stored for auditing?

The framework for extending trust within context, with permissions and through a framework, is where mobile phone OEMs (Google/Apple) win. Hardware tokens, integrated biometrics and consumer permissions provide every App (consumer of trust) with a consistent credential that can be authenticated within the consumer journey. Handset authentication is the ubiquitous always on platform for creation of trusted credentials. There is a flaw here however.. Consumer information within the platform is self attested. If Apple/Google were forward looking, they would have a higher form of “verified identity” that consumers would be able to extend (ie see UNUM).

Wrap Up

As I stated 8 yrs ago, data is flowing to the entities best able to create value (and great consumer experiences). Trust and identity are core to commercial and social interactions. Unique insight is held by every entity that touches a consumer, as well as their partners. However data leaks between partners as they each observe the overall interactions of a journey. Any new identity product must solve a problem and enable action within a winning user experience.

I’m fortunate to have met with many retail CMOs. As discussed, retail CMOs are the #1 or #2 executive (ie think “head of sales”). Retailers have become data driven organizations with marketing transitioning from an art to a science. CMOs recognize the core of any data business is the Consumer ID.  The value of unique bank data has decayed as merchants, and the ad industry, engage in more frequent observations of consumers. The deterministic data within the eCom checkout page has led to massive dissemination of “trust” and joins the probabilistic and deterministic ecosystems within the marketing funnel. 

The bottom end of the funnel (ex account opening and payment) is a competitive market where IDV providers like Prove, Socure, Trulioo, Jumio, …etc. enable buyers to source the best identity based on a given use. Consumer direct permission and credentials have become part of the mobile OS. While there is a role for truth marked identity, the identity in Apple Pay is “good enough” for most purposes.

So where does Authentify, or any Bank ID, play? If Banks had one opportunity to have a discussion with the CMO, what would they “sell”? What problem are they solving for the CMO? This is the question banks must ask themselves in selling Authentify or a new payment scheme.

I assume Authentify will be the best bank ID within the bank domain. However there seems to be a desire for Authentify to power new value beyond banking. Competing services operate either as a stand alone product or within specialized bundles that address specific market or regulatory needs. A competitive “trust market” exists today where the best ID and UX wins. Outside of bundles, stand alone IDs are consumed as a “competitive ingredient” measured on 5 factors: price, coverage, speed, lift above alternatives, actionability and indemnification.

Given these metrics, a simple SWOT analysis leads to my top 7 approaches for Authentify to gain a foothold:

    1. Eat your own dog food. Own the bank domain, and make Authentify the best (or required) component of all bank account opening and transactional processes.
    2. Own a bundle that solves an existing problem. Payment to fraud case management and customer satisfaction. Shift liability, take on all fraud management through to customer problem resolution.
    3. Focus in areas where ID performance delivers incremental value over alternatives. Ex Travel – enable partners to integrate/bundle, online dating, …etc
    4. Deliver within a new “bank owned” transactional product for increased conversions (Zelle, Instant Lending, Bank driven BNPL, …etc)
    5. Market participation. Allow Authentify ID to play as a stand alone “ingredient” in the market. Users and platforms will experiment with your ID to find where it adds value. It may be a place that is unexpected (ex Travel or online dating).
    6. Differentiate (for merchant/business) – Ex. create an indemnification guarantee, cost performance, regulatory compliance or coverage. For example indemnification “guarantee” of ID. Transition “Trust” from probabilistic to enforceable and financially backed.
    7. Drive a consumer benefit or create consumer demand. 

Thoughts appreciated

© Starpoint LLP, 2022. No part of this site may be reproduced in whole or in part in any manner without the permission of the copyright owner.
