How Distributed Ledger Technology Can Eliminate Bank Data Breaches
In the past decade, massive data breaches have exposed the private information of hundreds of millions of people, increasing their desire to protect their personal data. In 2019 alone, the number of breaches was up 17% from the previous year. Banking, credit and financial-sector breaches in 2019 were responsible for exposing 61% of the sensitive records, despite accounting for just 8% of breaches that year.*
Banks require personal data to open bank accounts, establish creditworthiness for loans and provide other financial services to their customers. Know Your Customer (KYC), or know your client, is the process a bank uses to verify the identity of its customers, assess their standing and identify potential risks. Even at smaller banks, the KYC process can cost upwards of 100 million in resources each year. Decentralized Identity (DID) promises to solve these challenges by putting control of personal data back into the hands of its owner.
DID, also referred to as Unified Identity, is the digital representation of someone or something that can be verified using distributed ledger technology. Today the internet offers no built-in way to verify that a person, or even an organization, is who they claim to be. DID addresses this by providing verifiable proof that a person or organization is who they say they are. It also gives the person or organization complete control of their identity in a way that was never possible before. Beyond people and organizations, unified identity can also give an identity to a thing or object, like a machine, which allows machines to communicate directly with each other. This new identity protocol creates an environment where interactions between people, organizations and machines can happen much faster and with far more trust.
DID in Organizations
When it comes to organizations, you often interact with them online through their website or through an email you receive from them. But how can you tell whether it is fraud? Quite often it is someone pretending to be from an organization in order to steal your personal information with malicious intent. DID provides an organization with a “public key” that acts as a unique identifier and can be looked up and verified on a distributed ledger; the matching private key is held only by the organization. This allows customers or users to verify that any interaction they have with an organization actually comes from that organization. So if you receive a bill, it would carry a signature made with the organization’s private key, which you check against the public key registered for its identity on a distributed ledger, like IOTA. If the signature does not verify, you simply would not trust the bill.
The Role of DLT in DID
Distributed Ledger Technology can play several roles. The first is the gathering of all identities in a single place. If you are interacting with someone or something and want to verify they are who they say they are, you will be able to look them up in a single decentralized place. No single person or entity has power over the entire network, so the information stays with the user (this is why it is called decentralized). Secondly, identity is based on verifiable credentials: the data that makes up the identity. One example is a national identity, which would include a statement of who you are and a birth certificate signed by the government. If such a statement is revoked, for example if citizenship is revoked, the ledger can be updated immediately and the old, no longer accurate data can no longer be reused.
“The use of Unified Identity or Decentralized Identity protocols will soon become commonplace in the financial sector and public services. Distributed Ledgers are perfectly suited to serve as the underlying trust layer in the validation of a person’s identity,” said Dominik Schiener, co-founder of IOTA Foundation.
“It is also important that these technologies are secure, feeless and scalable to allow for mass adoption. Putting the control back into the hands of the identity owner will solve a multitude of problems we face today,” added David Sønstebø, co-founder of IOTA Foundation.
Bring Your Own ID (BYOI) and Data Compliance Regulations
With DID, personal data, like a birth certificate, is not uploaded to any server. Instead, it is stored where the identity owner chooses, such as on a phone. As a person or organization, you decide where the data is stored, who has access to it and when. This keeps data handling in line with privacy laws and helps companies comply with them. Instead of storing everyone’s information on the bank’s network, the bank only needs to know where to request it if it is needed again. So if the bank’s database is hacked, the information would not become public, because it is not actually stored on the bank’s network.
How it works
Imagine this scenario to understand how DID works in real life. Let’s say you want to open an account online with a new bank. Initially, you come to a page where you need to enter your personal details. Usually, you are presented with a series of fields to fill in. If DID is being used, there would be a button that says “use DID or unified identity data.” You click this button and a QR code appears that you scan with your phone. Using the app that holds your data, you get a request saying “[name of institution] is requesting this data from you. Do you consent to this?” Then you receive an overview of what data the bank wants.
If they want more data than you are willing to provide, you can decline. If you are willing to provide all the requested data, you click accept. The data is then populated automatically, and the bank has all the information it needs to accept you as a customer. For the bank, all the information provided is already verified and signed by a trusted third party, so the bank knows in a matter of seconds whether it can trust your data.
“The biggest upside of Decentralized Identity (DID) technology is that it puts control of personal data firmly into the hands of the owner: the customer. A decentralized ecosystem will make the KYC process more hassle-free — for banks and customers alike. Being a bank that adapts to its customers’ needs rather than the other way around, de Volksbank sees great potential in DID to further advance its ambition to carry out its banking services according to the principle of shared value. This means that our stakeholders – all four of them – must experience equal added value: customers, society, employees and our shareholders,” said Michiel Sollet, Innovation Manager, De Volksbank.
DID can also enable new revenue models for financial institutions. Since customers first need to build their DID profile with verified data, they need trusted authorities to assist in this process. Banks have already completed a KYC process for their customers, so they can act as a reputable authority that verifies the data for customers building their DIDs. These DIDs could then be used by customers at other financial institutions or to obtain other services.
Benefits to Financial Institutions
Financial institutions can more easily become GDPR compliant using DID, as it shifts responsibility for personal data to the customers who own it. The customer stores and controls access to their personal data, so banks no longer carry the risk of breaching it. Secondly, banks can eliminate lengthy enrollment processes, saving time and the millions spent each year on KYC. Customer data can be verified immediately. There is no waiting time or risk anymore because the data can be trusted, and the customer no longer has to spend time entering the same information repeatedly.
Banks can provide easier and faster onboarding for customers, resulting in a better user experience. Signing up to a service or website can be reduced to a single click of a button.
What does the future hold?
Compliance with privacy laws and the ongoing struggle with the hacking of databases is a real issue now and will continue to be in the future. In the coming years, the responsibility of storing personal data will no longer fall on the financial institutions. Decentralized ID will change the structure of trust in data, and allow banks to provide better customer experiences all around.
In addition to this, DID standards will become widely accepted and adopted. Specifically, collaborative groups like the Tangle EE working group, governed by the Eclipse Foundation, are focused on building standards around the use of distributed ledger technology for DID. We should expect to see more standardization around this technology in the near future.
“Trustworthy DID is absolutely required -- not just a good idea -- for a working industrial IoT solution. Knowing the source of your data and knowing your recipients trust your data are absolute requirements for an unhackable system. But that's hard (or impossible) in a world in which you have unstandardized solutions from various vendors,” said Richard Soley, CEO of Object Management Group. “Fortunately, between the 2020 efforts of the Object Management Group to standardize the IoT-leaning IOTA Tangle protocols, plus the Eclipse Foundation-led effort to implement open source in the TangleEE project, users won't have to choose -- they'll have access to broadly supported standards already available in open source. That's an absolutely critical component to DID.”
Jelle Millenaar works as Head of Digital Identities at the IOTA Foundation. He develops the Unified Identity Protocol, an implementation for decentralized identities, for the IOTA Tangle.