Be Careful How You Share…
It’s timely to think about how you share, because the unintentional consequences could be dreadful and long-term, if you don’t take sensible precautions. I’m not talking about Covid-19, this time, but about sharing your personal information, like bank account details.
A recent trend in payment and banking apps is to provide a feature that shares your bank details to contacts on WhatsApp and other messaging platforms. The laudable intentions of these solutions are to ensure successful payments, reducing the risk of “large”-fingered misdirection of payments, and to address in some part the massive problem of Authorised Push Payment fraud.
Solutions that send your account details via SMS, WhatsApp or other delivery mechanisms could have some immediate (Person-to Person or P2P) benefits, but these details could be easily misappropriated by bad actors and combined with other personal information for the purposes of identity theft.
Another concern is the more prevalent use of other personal addressing information (like email addresses and mobile phone numbers) for target bank accounts. In Australia, the NPP-based solution PayID looks to do good, but opens the door on malpractice and creates unhelpful digital complexity.
We’re also seeing third party services that offer account verification services. They look like they would help, but simply create another maintenance headache for customers, commercially motivated central data sources (with all the dangers that they have) and potentially legal, liability and social complexities.
Sharing information, like account details, would be much more trustworthy if these could be checked or “verifiable”. This would mean that the receiver could be sure that the account information, a “credential” provided by the bank, is correct, current and hadn’t been altered. The result is that Verifiable Credentials provide massive benefits over self-asserted details, and the W3C has a global standard that helps out.
Unfortunately, the approach in the UK and elsewhere is to put in place “Band Aid” solutions that check some of the target account details as part of the payment process – Confirmation of Payee does this when you look to add new payees online. These payments-based solutions try to solve the problem at the wrong point in the process, don’t check every payment, create customer pain, are expensive to implement and manage, and don’t even provide the levels of certainty for all digital scenarios and accounts.
So, accurate account detail sharing (as verifiable credentials) sounds like a good idea, but we all need to be very careful about what this does. There are two key issues here: “digital detritus” – the data that our actions leave behind, that can cause harm and administrative burden; and “digital deities” – being reliant on one application can unintentionally create an all powerful organisation that can see and know everything you do.
In order to minimise any potential unexpected implications and loss of control, any account detail sharing solution must provide a resounding “Yes” to the the following critical questions when thinking of sharing sensitive data like bank account details:
- Is it convenient and simple for customers, but also clear what they are signing up to? Obviously important
- Can we tell that the details are authentic? Ideally these are issued by the primary data source, the bank, but intermediates could be accredited to do so
- Can the consumer of the credentials check that they were issued to you and yours to share? If not, trust in the process is flawed and risk is increased
- Have you changed these credentials after they were issued to you? Certainty is key
- Are the details still valid or have they been revoked? Being able to check the data in the future is very useful too
- Can we tell that on-sharing of this data can be identified as an unauthorised, subsequent distribution? Not many solutions can do this.
- Does it stop toxic data dumps being created, that could be misused by commercial interests and bad-intentioned actors?
- Can the mechanism of sharing the data evolve based on global standards and global initiatives? Otherwise, the solution won’t evolve in the right way
It’s typically easy to share information. The challenge is often dealing with the outcomes of sharing this information. Of course, the General Data Protection Regulation (GDPR) in Europe looks to provide controls and legal requirements, and we’re used to the requirements of PCI-DSS in the payments world.
Previous expensive and uncoordinated attempts to solve this problem fail at least one, and often more, of these questions. Only now can a global movement and model, Self-Sovereign Identity (#SSI #selfsovereignidentity #decentralisedidentity #decentralizedidentity) provide a realistic and evolutionary framework that can support the customer-controlled sharing and verification of bank account credentials, and evolve to support all sorts of other credentials in the future.
I know I said I wasn’t talking about Covid-19, but the ability to put trust into the payments process is particularly relevant in the current situation in dealing with impacts of Covid-19 and its economic implications. Wouldn’t it be great to have certainty for emergency, stimulant and subsequent payments that make critical, real-life differences to those in most need?
Payments professionals spend a lot of time thinking about how to ensure failures don’t happen and banks spend a lot of money trying to make sure this doesn’t happen too. We need to get behind the right solution, SSI in this case. Lets not slide into spending a fortune, failing our customers and undermining their digital and social evolution yet again, post Covid-19.