Financial Institutions as Identity Providers

Conference: IIW8 Room/Time: 2/B

Convener: Guillaume Lebleu

Notes-taker: Tom Brown

Attendees:

Technology Discussed/Considered: OAuth, OpenID

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

Guiyom: Although the vision of banks as identity vaults/providers has been around for 10+ years, today there isn't any bank that is an identity provider. Why?

One explanation given is that financial institutions will not accept responsibility for the liability risk.

The question then is: how can we reduce this liability risk? For instance, can we follow in M-Pesa's footsteps of providing financial services but with limited balances to reduce this liability risk? Or use prepaid cards?

Bob: A better explanation is simply that there is not a business case. If the relying party would agree to pay banks to provide that service, then they may do so. In other words, “Once banks figure out a way to make money as identity providers, they will become Id providers”.

Scott: Wells Fargo has a digital vault service, but no identity-related service, just a place to put secure documents.

Tatsuki: Government regulations related to consumer rights to know what information is stored about them provide a great business case for an identity provider to store private customer information and others to rely on them. In Japan, strict consumer rules are defined: consumers must be able to revoke access to their information. Compliance with these rules is expensive and some service providers may prefer to become relying parties.

Scott: Equifax seems to be a good identity provider. They have shown interest (they already provide an 18 year old Information Card). They have verification services. They also have most US residents as customers/users. This is not the case for Wells Fargo, which can only market to its customers.

Guiyom: Another topic is authorization delegation to bank accounts via OAuth. Currently, with Mint, you have to provide your online banking username/password. Mint does not store your credentials, but they are stored by Yodlee.

David Eyes: It seems that we are talking about big-i Identity and small-i identity. Banking information relates to big-i Identity.

Guiyom: How to transform Identity to identity? Breaking it into pieces? For instance, a prepaid card with a limited amount or a virtual currency.

Scott: Fees are an issue in the prepaid case. PayPal is introducing family accounts.