Last week marked a watershed Election Day in America, but for those of you expecting a political analysis of what transpired, you will be sorely disappointed; for what I want to talk about is identity. Identity from an American point of view. Identity in the context of a crisis that we are facing in this country, which rears its ugly head in so many different ways.
- Since 2013, more than 13 billion records containing personal information have been stolen, and the total number for the first half of 2018 is 72 percent higher than last year, showing this problem is not going away.
- Minors are a prime target. More than one million children were victims of identity theft in 2017. According to Javelin Strategy & Research, 39 percent of minors who were notified of a breach that exposed their personal information became victims of fraud, as opposed to 19 percent of adults. What will their life be like when they want to apply for a college loan or open up a bank account?
- Traditional identity theft is starting to take a backseat to a new form of identity fraud, called synthetic identity. This is when parts of a real identity are combined with parts of a made-up identity to create a new identity. A recent General Accounting Officestudy revealed that banks can lose an estimated $50-$250 million in a year from Synthetic Identity Fraud-related unpaid debt. In fact, a bust-out scheme in 2013 revealed a syndicate of 19 perpetrators managing 7,000 identities and more than 25,000 credit cards with losses that exceeded $200 million. Government agencies are not immune; according to the report, one state paid an estimated $200 million in fraudulent insurance claims as a result of synthetic identities in the system.
This problem doesn’t exist in many other countries. At least not in this form. Other countries have different identity problems, like how to ensure everyone has one so they can rise socially and economically. Take India, which has invested $1.3B to date in enrolling its population via biometrics into a national identification framework to give people access to financial services, employment guarantee programs, rations and other benefits; to reduce waste and abuse stemming from the ability to automate payments and track the effectiveness of government programs. As a result of this program, when a person tries to enroll into a program, there is a way to validate their identity against a central system.
In the United States, we don’t have this capability. And it’s hurting us. It’s hurting us in terms of tearing at the integrity of our financial system, hurting the way we think about how we do business online. Traditional KYC is dead. Traditional authentication is unreliable.
At a dinner party the other night, sitting around my table were an Argentinian, a Brazilian, a South African, an Israeli and a few Americans. Unsurprisingly, the conversation turned to the political discourse in the US today and the election. The non-Americans had a basic question: How is it that they all have IDs from their native countries, that the ID is used to verify eligibility to vote, to travel, to obtain all sorts of government benefits, to protect against identity theft, to ensure that someone is who they claim to be when they open a bank account, etc., but the United States, the land of the free and the home of the brave, is in such dire straits when it comes to the need to figure out who someone is or is not.
The answer goes back to the founding principles of this country. This country was founded specifically by people who wanted to distance themselves from the British Monarchy, to set up a new country where they would not be beholden to a King or his government, and where governmental institutions would be viewed with skepticism. The first section of the Federalist Papers, which even preceded the US Constitution states, “It has been frequently remarked, that it seems to have been reserved to the people of this country, by their conduct and example, to decide the important question, whether societies of men are really capable or not, of establishing good government from reflection and choice, or whether they are forever destined to depend, for their political constitutions, on accident and force.”
As a result of this distrust, we have separated federal and state governments and a patchwork of identification documents and systems that are used for different purposes.
In the US, the driver’s license and social security number are the closest things we have to a national ID but none of them are issued for that purpose. There is no legal requirement for a person to carry an identification document with them and there is no standard linkage between all the systems to ensure that someone applying for a driver license in one state does not already hold a license in another state.
The social security system on the other hand offers a centralized approach but the social security system was not created for the purposes of authentication (i.e., ensuring that someone is who they claim to be). The social security number was originally created to link a person’s wage and tax data to a central repository and for the management or disbursements of benefits. The fact that it is now relied upon to verify someone’s identity in all sorts of transactions and online interactions really reflects the void that exists in the US when it comes to authenticating identity.
This void is manifesting itself very clearly in the digital world, to which so many of our daily interactions are moving. Because of the recent massive data breaches and the proliferation of synthetic identities, there is a lack of trust that a person is who they claim to be when they present themselves at the start of an online relationship. In some countries with national ID systems, in order to open a bank account or even obtain a SIM card, one must present their biometric for comparison against a central identity database. In theory then, the digital identity can then get managed from the time that the account is opened; the person is vetted against the main system; they are enrolled; the same mechanism is used for authenticating a transaction online and then the same mechanism can be invoked if there is a problem in a session.
Again, because there is no central ID system and personal information is widely available on the Internet thanks to the data breaches, the classic KYC process no longer works in the US and in essence, the scenario as described above is not possible here.
To get out of this mess, the US government, private sector and consumer advocate stakeholders must start thinking about creating an identity framework that can support trusted online interactions. Physical IDs are dying; the driver license system will by definition evolve. The Social Security system will not go away, but it too, needs to evolve. The digital age is upon us.
Faster payments are soon coming to the U.S. This means less time to identify and stop the fraudsters. At the same time, millennials and their successors expect all their interactions to be online and “hassle-free”. The Internet of Things will make various aspects of our lives even more interconnected that we can even imagine today. Presenting our identity for one application will affect many other modes. This is not a political or philosophical call to action; there are enormous economic implications here.
Solving this problem and building an identity framework that is workable in these contexts will require a rethinking of what constitutes identity including how and where that identity record is stored and how the identity record gets invoked and improved over time. (Hint: Static data points are no longer enough.) It is as important to establish that someone is who they really say they are as it is to establish that the person is not an imposter.
Resolving this core issue - how we manage and define identity - will reaffirm what it means to be an American in a fundamental way.