Multiple states in the United States and multiple countries in the European Union have been working on digital identity apps. Governments around the world have created laws to protect personal data and combat fraudulent financial transactions, a criminal enterprise that costs companies millions each year. In this article, Dusty Cooper provides a summary of the current status of digital identity initiatives in the US and EU. He also explores anti-money laundering and counter-terrorism financing laws and regulations and how mobile digital identities will affect and possibly help alleviate the burden financial institutions face due to increased identity verification requirements.

The Digital Identity Competition

As of 2018 in the United States alone, over 70% of adults use smartphones in their daily lives and over a third of online sales were conducted on smartphones, according to Jenni Bergal in Governing.[1] With online retail sales, banking transactions, and other monetary operations on the rise around the world, and the growing food home-delivery app industry, digital identity verification will become a necessity in the near future. Presently, there are multiple initiatives to create more secure and reliable digital identification processes for financial institutions and mobile identification apps are being piloted around the world, but there is little standardisation. The competition among states and nations to create their own digital license app is poised to create stagnation rather than progress.Fig1

The state of the DDL in the US

As mapped out in the June 2018 article by Eric Billiaert, ‘Digital driver’s license:

Security and convenience made into an app,’[2] multiple states in the US have passed legislative initiatives to allow agencies to explore the creation and use of digital driver’s license (DDL) or mobile driver’s license (mDL) technology. However, most states have independently developed their own platforms with various functions, regulations, and more importantly, not all states have worked with the varying state agencies, such as Alcohol and Tobacco Control, to gain trust from these agencies and develop acceptance protocols.

So far, the American Association of Motor Vehicle Administrators (AAMVA) has yet to develop a nation-wide standard for digital licenses. Meanwhile, the TSA continues to move forward with requiring all airline passengers in the United States to provide a physical REAL ID license, the acquisition of which requires citizens to provide more evidence of their identification before their state DMV will issue a license.

Gemalto heads the DDL piloting initiatives in Colorado, Maryland, Washington, DC, and Wyoming.[5] While the system is still in pilot and only available to state employees, the digital identification is accepted for age restricted purchases, police interactions, and by the Transportation Safety Administration (TSA) during airport screenings. The Wyoming pilot experienced positive results overall, but participants were most interested in utilizing their DDL for airports and travel.

Gaining adoption by state and national agencies will be the deciding factor for many US citizens in the accep­tance of this new technology. While offering citizens a fully-functional app will shape public opinion, it’s even more imperative to begin campaigning and working with state agencies to develop regulations for adoption.

In Louisiana, LA Wallet became the first fully launched DDL in the United States. LA Wallet features multiple innovative functions including a fully-rendered digital state license with a touch activated security seal, and the industry-first VerifyYou™ that creates a unique QR code for another LA Wallet user to scan.

Since July 2018, over 52,000 Louisiana residents have purchased their digital driver’s license through LA Wallet. However, that number is expected to increase now that Louisiana Alcohol and Tobacco Control approved the app’s use for age-restricted purchases on December 20, 2018, and Secretary of State, Kyle Ardoin declared the app acceptable at all voting locations in the state. Envoc, the company that created LA Wallet, is currently developing remote verification capabilities to further expand the application’s offered features set.

With all fifty states at varying degrees of development, adoption, and legal acceptance, the competition to become the standard digital personal identification platform has become akin to the Space Race. The winner is yet to be recognised, but it’s clear that the platform that can gain compliance with REAL ID regulations and offer remote identity verification integrations and APIs will be in the forefront.

Digital Identity Initiatives in Europe

As of July 2018, several EU member nations created their own mobile digital identification programs such as Finland, the Netherlands and one created by the United Kingdom’s Tax Incentivised Savings Association (TISA).

As reported by Chris Burt on Biometric Update,[3] one of the Dutch initiatives will be developed on a blockchain technology called Trustchain. Similar to the American LA Wallet, the app will display a QR code. However, this seems to be the only function of the app at this time. Only inhabitants of Utrecht and Eindhoven are participating in the experiment and the results have not been fully released.

The UK TISA project is testing several prototypes for individuals and financial institutions to find the best solution for their demographic. While projects are focusing on digital identification, only the Dutch project appears to be creating a mobile app for everyday use. The TISA project is intended to create a Trust Framework which will follow the European Commission’s Delegated Regulation (C(2019) 1326), created for identifying high-risk third countries that present strategic deficiencies in their regime on anti-money laundering and counter-terrorism financing (AML/CFT).

There is no doubt that digital information transactions are open to fraudulent attacks and nefarious practices, especially in the financial realm. Data protection is ever-evolving and strengthening, and in 2014 over 1.7 million financial crimes reports were filed in Europe. To protect citizens and financial institutions, the Euro­pean Parliament passed the General Data Protection Regulation (GDPR) in 2018. The European Commission claims the intention of the GDPR is to align all EU institutions with the same data protection rules and regulations.

EU: eIDAS

The eIDAS (electronic identification, authentication and trust services) system is an initiative to allow individuals to conduct business and facilitate trans­actions across multiple states in the European Union, which is akin to the United States’ own regulation created as part of the Patriot Act in 2001 Title III, aka Know Your Customer (KYC).

According to the European Commission website, eIDAS will offer new opportunities especially in the following areas:

  • Cross-border electronic transactions, such as enrolment in a foreign university, opening a bank account, and accessing electronic health records. Citizens moving to another European country will be able to manage administrative work online, cutting out the paperwork.
  • Opening a bank account anywhere in the EU without being physically present in full compliance with the EU rules, especially against the money laundering. To make progresses in this area Commission will be assisted by an Expert Group on eID & Know Your Customer (KYC) that was set up earlier this year.
  • Reinforce the rules of the General Data Protection Regulation. Trusted eIDs could be used for age verifi­cation as a prior step to access social media or to protect minors when going online without disclosing the identity of the user or any other information.
  • Sharing only the necessary information, thus reducing significantly the risks of data misuse and scandals like the Cambridge Analytica. This parameter is essen­tial in the development of Blockchain systems where ownership and accountability are the key factors.
  • Reduce costs by using eID and electronic signatures. The Commission has recently launched a special website to raise awareness and assist small and medium-sized enterprises (SME) in this area.
  • Stimulate new innovative authentication services, such as seals or time stamps

US: Know Your Customer

The United States’ Patriot Act was and still is a contro­versial public law, but there are sections of the law that have been in place in one way or another since the early 60s. This includes Know Your Customer, the financial industry’s term that refers to United States’ Patriot Act, Title III: International Money Laundering Abatement and Financial Anti-Terrorism Act of 2001. As stated by John Callahan in his Forbes article, aptly titled “Know Your Customer (KYC) Will Be A Great Thing When It Works,” most financial insti­tutions were on board with KYC, and the move to adopt KYC regulations was swift. However, in nearly two decades since the act was passed, each institution has adopted its own process for verification.

Part of the issue seems to be that KYC/Title III does not specify the minimum number or type of verification information required to fully certify a new customer. The results of this variation from institution to institution has created long delays in registering new clients and most clients finding the process more invasive and unnecessary.

The KYC identification verification process isn’t portable and not only do the requirements vary between insti­tutions, they vary from nation to nation as well.

Additionally, as Callahan points out, KYC processes cost financial institutions $500 million annually, combating profits and nearly mimicking the non-compliance fees institutions would have to pay for not fully vetting all clients.

Conclusion: Sharing and Standardizing Digital Identities

As the percentage of online transactions grows, outpacing in-person interactions, the United States will need to find a unifying solution among states, and the European Union must do the same among nations. In order to mitigate the costs associated with Know your Customer and GDPR, financial institutions should consider accepting a state-issued digital license, such as the REAL ID. Many of the documents required for an individual to verify his or her identity at financial institutions are much the same as those required to obtain a REAL ID, and all digital license information is retrieved directly from the issuing government agency’s database. A state-issued digital license would provide an institution with a much more streamlined process to comply with KYC and eIDAS. However, in order for digital identities to be viable, all states and nations will need to agree on one platform, or at least accept DDL apps across state lines just like with physical licenses.Fig2

References

  1. Bergal, J. (2018). States weigh the benefits and challenges of digital driver’s licenses. [accessed 23 February 2019].
  2. Billaert, E. (2018). Digital driver’s license. Keesing journal of documents & identity, 56, pp.16-20.
  3. Burt, C. (2018). Pilots launched for two European digital ID schemes. [accessed 23 February 2019].
  4. Callahan, J. (2018). Know Your Customer (KYC) will be a great thing when it works. [accessed 23 February 2019].
  5. Digital Driver’s Licenses Are Put To The (Pilot) Test (2018). [accessed 23 February 2019].

Further reading

  1. Bhuiyan, J. (2018). Uber CEO Dara Khosrowshahi says UberEats has a $6 billion bookings run rate. [accessed 23 February 2019].
  2. Cross-border digital identification for EU countries: Major step for a trusted Digital Single Market (2018). [accessed 23 February 2019].
  3. Data protection in the EU (2018). [accessed 23 February 2019].
  4. Tyler, J. (2018). We went shopping at Walmart and Target to see which was better for groceries, and there was a clear winner [accessed 23 February 2019].
  5. Wojciechowska, I. (2018). What is KYC and why does it matter? [accessed 23 February 2019].