Proving an individual really is who they say they are can be critical when providing sensitive services and is increasingly important in the commercial world. David Reed finds out about new approaches to identity validation aimed at being more accurate and easy to use.
Having trouble sleeping? You might want to turn to the Official Journal of the European Union. It is where governments in the EU are obliged to publish any procurement requirements they may have in order to ensure open and fair competition. Turgid stuff, except if you are in the business of providing data services to the public sector. In which case a notice which appeared in the JEU in April may have woken you up.
In it, the UK Government announced that it would be looking for a second wave of identity providers to support its identity assurance framework. This follows the first round in which five providers - Digidentity, Experian, Mydex, The Post Office and Verizon - were paid to validate 600,000 identity registrations. One of the surprises in the latest notice is that the project is expecting to have used up all of this resource during 2014 and is now looking to award contracts worth up to £30 million.
What makes this a surprise is that, so far, the Identity Assurance programme has only run in private beta with one test by HMRC and a second by the DVLA. Based on these pilots, larger tests are due to be launched. Clearly, in order to use up that first tranche of validations, the expectation must be of at least one service going live at some point this year. That could see central and local government services being delivered to consumers using a “tell me once” process for individuals to prove who they are.
“Getting your identity validated involves a lot of elements, but once it has been, you will be able to do a lot of different things with government services,” says Nick Mothershaw, UK director, identity and fraud, at Experian. “They will all be confirmed via a single log-on and other factors, like a PIN number.” Identity Assurance will issue a reusable credential to individuals who get over the specific hurdles.
In gaining this, those individuals will be at the forefront of identity validation which is about to move forward in a significant way. Big data is expanding the resources available to data services providers to prove who an individual is. As a result, it will represent a major step on from the era of paper documents forming the basis of identity checks.
“At 17 or 18, somebody may have no credit history, but they may have been online for seven years. If they can provide that evidence, for example by giving permission to access their Facebook profile, Google log-in or Twitter identity, an organisation can see that history, their friends and posts,” says Mothershaw. “A fraudster won’t spend seven years creating that.”
In the early days of Identity Assurance, it appeared that Facebook might become one of the early service providers. While it was not among that first group of five, involvement in the next wave should not be ruled out, precisely because of the digital footprints it can show for users.
The inclusion of social media data as part of identity validation is far from fanciful - any data set which helps to prove who somebody is not only helps government and private service providers, it also helps individuals themselves. Mothershaw points out that, “our view of the world has been the legacy credit bureau view, but that will be only one source.”
Mid-2015 will see the addition of house rental data to support identity validation - currently only home owners appear in formal data sets, with tenants often invisible. “Addresses have been provided by landlords, but the people they rent to are not visible on financial records,” he says. It is easy to assume that this discriminates against more transient members of the population, but Mothershaw notes that some of the most invisible people in formal data sets are the very wealthy. “They may bank privately, they don’t have a credit card, so they are not on the CRA files. We need to cover both ends of the scale,” he says.
The direction of travel with identity data is very much one-way towards far deeper data to support more robust identity validation while still ensuring good customer service. This could remove some of the hurdles for the vast majority of service users who are still obliged to provide physical proofs by narrowing the file of suspects.
Requirement for this level of proof tends to be at the highest level of sensitivity and risk, such as when accessing a government service or applying for credit. For many other companies, proving the identity of an individual is important, but does not demand such robust processes. Online retailers, for example, need not worry overly about identity as long as they get paid and goods are delivered.
Other sectors do need to take more steps, however. “An insurance company may need to be sure the person claiming on a policy is who they say they are. One of the problems is that name, address and date of birth can be used for fraud or identity theft,” says Myles McKeown, technical director at Infoshare-IS.
By combining multiple data sets within the business, he argues that identity can be established via “the extra questions that get asked which yield information a customer would know, but nobody else would. We focus on name and address matching to create a single customer view for clients as the main way to bring that information together because that data is widely available,” notes McKeown.
For all the perceptions of maturity across data management, there are still many organisations which lack this basic resource to identify their customers. Instead, records continue to be held by account number, for example, with any callers asked to route themselves in a call centre depending on the first number of their policy or account. That is a disaster for customer experience and places an unnecessary burden on the individual to know information which is essentially only of value to the business.
Creating a SCV removes this step and is increasingly being used in the public sector as well. “Hackney Council has created a ‘citizen hub’ which it is using to underpin CRM and establishing identities using a series of questions. It is built across multiple systems to get around the limitations of traditional SCV which often only match to a level of 80 per cent,” says McKeown. By raising this to 95 per cent, Hackney has fewer residuals where identity is not proven, while its residents are able to identify themselves once, but access multiple services at a time.
The goal of any identity assurance system is either to find an exact match (1) or no match (0). Where it gets complicated - and the customer experience starts to suffer - is when there are multiple matches. That is when human resources have to be deployed and current processes start to require physical proofs of identity, such as passport or driving licence scans.
McKeown doubts whether social log-in will prove to be robust enough in such circumstances, even if it sufficient for simple, non-contentious scenarios. “The companies we deal with wouldn’t see it as sufficient because it is attritional and can be spoofed too easily, so it is not secure,” he says.
Combining conventional and physical proofs with new digital or data-blended approaches could make the process smoother and more reliable. Mothershaw even speculates on the possibility of biometric records becoming available: “Apple may open up its fingerprint data via an API. Where will that lead us? I am not yet sure.”