Identity, Authentication and Risk

Bridging Domains – Short Blog – Random Thoughts

This is a “Random Thoughts” blog, which means there are many points that I’ve left hanging (not finished cleanly). The blog’s objective is to stimulate discussion, so please don’t hesitate to comment. Identity is a hot topic for me, with 15+ years of previous posts. Here are a few updates … as well as my evolving perspective.

Summary points made previously

  1. Identity, and how it is managed, will define the future of payments and consumer platforms (Trust Assertions 2022)
  2. Perfect Identity and Authentication is a nightmare for banks, as their margin is driven by their unique ability to manage risk. If you take away authentication and identity, credit risk is the only risk they can manage (Perfect Authentication … a Nightmare – 2013)
  3. India’s UPI innovation was dependent upon the tremendous work of Aadhaar and a rule set that allowed third parties (ex Google/PhonePe) to authenticate and capture payment instructions, to be sent on behalf of consumers to their bank as originator (TCH Tokens in SRC Model – 2022)
  4. With A2A and other Bank Payment models (PIX, UPI, iDeal, Swish) consumers are responsible for coordinating refunds and errors. Thus they only use these schemes where there is a high degree of trust  (Pay by Bank – Where does it Work and Why? – 2022)
  5. In the US, consumers DO NOT bear the cost of fraud or payments. Current bank products and regulations provide them with near-instant credit for disputes. It is very hard to sell any more “secure” products (Risk is Behavior … not Authentication – 2011). In most other countries, if a consumer gave away their banking credentials and subsequent fraud was committed on their account, it is the consumer that bears 100% of the fraud loss.
  6. Real-Time payment fraud has expanded to be the #1 fraud type in the UK. While most of this “fraud” is the result of scammers that “trick” the consumer into initiating payment, it is still fraud. (Fraud Trust and Real Time – 2022)
  7. In card-not-present (CNP) transactions, banks have a tremendous data gap caused by their abdication from the space. Merchants and specialists have spent 25+ years building the tools to manage fraud. The first network products (ex 3DS 1.0) were a nightmare. Mandated liability shifts in the EU (2008) left banks holding the risk of payments with none of the tools to do so, with declines as their only option. Today 3DS 2.2 works well and satisfies the EU’s SCA requirement; it is mandated for all V/MA banks (2020). There is no liability shift in the US for 3DS. In the EU, while all transactions use 3DS 2.2, less than 50% are coded as such, as merchants encounter a much higher decline rate when banks own liability (ie they don’t have the data to manage risk). (SRC – What is the Opportunity)
  8. The financial incentives to manage payment risk are HIGHLY COMPLEX. The benefit of a liability shift is weighed against the cost of loss of control and potentially higher decline rates. There are few CREDIT alternatives to V/MA (ex BNPL), and most alternative methods compete with debit (ie UPI, PIX, iDeal, …etc). Debit costs are very low. Within the US, top retailers have moved debit costs down below $0.10 for eCom (ex Durbin routing). Banks have shown no ability to manage CNP risks, and have a very poor track record (3DS 1.0). V/MA volume incentives further reduce the case for switching. (Debit, Routing, Tokens and Liability Shift – 2022).
  9. Banks have a great identity because of their regulated requirement to perform KYC/KYB, but their identity has limited value outside of banking. The problem with extending trust is that it is domain specific; each domain corresponds to actors, context and permissions. The entities that “touch” the consumer most have a much better view of the consumer and their identities across domains (ex Government, Healthcare, Financial Services, Social, …). (Role of Identity and Trust in eCom – 2022)
  10. Identity is “useless” unless it can be permissioned, shared, trusted, and acted upon. Banks are thus poorly positioned, as this requires partnerships and consumer permissions. As individuals we never allow anyone to know “everything”. We share information based upon our level of trust and the context of the interaction. The mobile phone is best positioned to serve this purpose. As both payments and identity become embedded in mobile, it allows consumers to “bridge” domains and permission interactions. (Innovation in Networks – 2023, Open Banking, Payments and Trust Networks – 2022).
  11. “If we solve for identity in payments, everything else is just accounting” – Ross Anderson – KC Fed Payments Meeting. This is a mostly true statement; however, V/MA are not commodity payment services. They uniquely unlock financial intermediation roles for banks. The combined investment of network participants over the last 40+ years has built a resilient network. While other payment mechanisms operate efficiently, none have the scale, investment or capabilities. Banks and V/MA win where there is any degree of risk in the transaction (Power of Bank Networks – 2022)
  12. Identity is a core challenge within innovative DeFi and Crypto environments. While these schemes lead in digital identity, the ability to link a digital identity to a person or business that can be held legally responsible (ie tax, contract) is challenged. Thus bridging domains is problematic without someone that can span both domains and bear risk and compliance responsibilities. It is therefore much more likely that existing players will consume DLT innovations within existing processes (in the near term) than that these environments will mature separately from the existing systems (Near Term Impacts of Distributed Ledger Technology to Financial Services – Chain of Trust – 2022)
  13. Trust Networks. Operating models and a central orchestrator are necessary to build a functional network that can exchange trust. V/MA are the best examples. Open Banking and Open Payments are regulatory schemes without a sustainable operating model. Web 3 and Mobile are providing a new model for trust that is federated with the consumer in control. (Open Banking, Payments and Trust Networks – 2022, Trust Assertions – 2022)

Thoughts for Today

Per yesterday’s blog, I hadn’t realized EU merchants had sought exemptions to the 3DS liability shift (due to higher decline rates). This proves that the entities with the best data, business drivers and ability to take action are the ones in control. The question for today is: what does the future of identity and bridging domains look like?

First, let’s baseline on a few terms:

  • Identity – Who you are.
  • Authentication – Verification of who you are. Typically involves verification of something you are (ex biometrics), something you have, and something you know.
  • Authorization – Approval of a Consumer or Permissioned Actor to access a service or initiate a transaction (within one or more domains).
  • Risk – The ability to bear risk. This may include compliance, contractual and financial risk.
  • Trust – The degree of certainty with which a counterparty can bear responsibility for fulfilling their obligations. This may include financial responsibility, indemnification and reputation.
  • Permissioned Actor – An entity with defined contractual rights and legal authority to hold data, share data and take action (within one or more domains).

The identity space is complex; no one has a complete picture of us (thank goodness). Banks have a bank view of identity that allows them to take action for bank services. DHS and the IRS have a government view of identity that allows them to take tax and customs actions. We could go on across healthcare, permits, licenses and so forth.

Much of our systems thinking is biased toward centralization. I’m particularly guilty: back in the dot com boom I worked for Oracle, and I still see everything as a giant database. This bias extends through much of financial services. Within a centralized world, there are bilateral agreements between consumers and bank hubs, as well as between bank hubs and suppliers. Authorization and risk are managed within contracts, with counterparties required to prove that they are able to bear the risk of the transactions contemplated (ex insurance, balance sheet, escrow, …etc).

The innovators within Web 3, DeFi, DLT and Crypto see things much differently (as discussed in Near Term Impacts of Distributed Ledger Technology to Financial Services – Chain of Trust – 2022). For instance, in the DAO world, contracts can be multilateral amongst anonymous parties. It is not a single counterparty (or regulator) that ensures execution of the contract, but the community of market participants that continuously inspects other participants to establish “Trust” and reputation (see this whitepaper from Poland’s central bank). The challenge here is in bridging domains. What if I want indemnification? Or if I need to report the tax aspects of the transaction?

Identity and Risk – Payments

UPI’s success clearly demonstrates what can be accomplished with a sound identity, authentication and “open” payment rails. Less clear is its success in managing risk/fraud (see DNA India). Management of fraud and risk takes a motivated actor, normally within a well-defined economic model and an enforceable set of rules.

Few people are aware of the back office demands that risk assumption requires. For instance, Target RedCard resembles a check: if funds are reversed, a consumer collection process is necessary. Within a bank, if a consumer does not pay their credit card bill, the consumer will be reported to the credit bureau and a collections process will start. Thus the party responsible for risk has the biggest voice in authentication and authorization.

In eCommerce, US merchants own CNP risk. They have a much greater data set to pull from (ex SKU level data, IP address, device info, behavioral). Merchants are also the primary owner of the transaction economics (not the payment cost) and can provide other incentives (ex loyalty).

Ex – Apple as 3DS Alternative

Given merchant primacy, it is little wonder that there hasn’t been more effort to create a merchant “white” label wallet or set of authentication standards. For example, what if Apple created a 3DS equivalent where consumer authentication was performed not on a card, but on the consumer’s handset (ex biometrics)? If this authorization were legally binding (ex Apple Consumer Agreement), the instrument could be much more flexible (ex BNPL, FedNow, …).

Bridging Domains

Within the domain of payments, identity is complex. Expanding this across verticals, and expanding its application from Web 2 into decentralized systems, is mind-numbing (see the Auth0 article Bridging Identity in Web 3).

Anyone looking to bridge a domain must have a role in both; for example, a regulated bank and a cryptocurrency. Within consumer-focused activities, what entities are likely to be most successful in bridging domains? Those that:

  1. Hold the most complete view of a consumer’s identity
  2. Have the ability to authenticate and authorize a Permissioned Actor
  3. Organize and manage economic incentives for counterparties
  4. Have the ability to bear risk, or hold the counterparty accountable, for fulfilling commitments
  5. Attract a critical mass of participants
  6. Take action across domains
  7. ??? Support a decentralized model

Today Apple and the Payment Networks are leaders (see Cointelegraph – Cards bridge Web3 and Web2). If I were to construct an entity from scratch, it would be a well capitalized bank with strong legal (multiparty contractual agreements), risk management, identity and DAO competencies.

Further Reading

  1. McKinsey – Web3 beyond the hype
  2. Forbes – DAOs are not a fad
  3. Platforms turn to Crypto banks to bridge assets

Thoughts appreciated

One thought on “Identity, Authentication and Risk”

  1. Hi Tom, what do you mean when you say

    “In the EU, while all transactions use 3DS 2.2, less than 50% are coded as such as merchants encounter a much higher decline rate when banks own liability”

    How can all transactions use 3DS 2.2 but only 50% be coded as such?
