Somewhat lost in the hiatus of the run-up to 25th May 2018, the birthday of GDPR, were two really interesting announcements: Experian being named as a top identity vendor in Forrester’s “Top Trends Shaping Identity Verification (IDV) in 2018” report, and TransUnion’s acquisition of iovation, a global leader in device identity and consumer authentication solutions.
These two companies, along with the recently maligned Equifax, comprise the top three credit bureaus in the United States, with combined revenues approaching $10 billion. Credit bureaus are, at base, personal information brokers. They gather account information from various creditors and use that data to provide consumer histories and credit scores for a fee. In the U.S. the generic name for such an operation is “consumer reporting agency”; in the UK it is a “credit reporting body”; in Australia, a “Credit Information Company” (CIC); and in the Philippines, a “Special Accessing Entity”.
While their core business is tightly linked to individuals’ digital identities, their clients (be they financial institutions, mortgage brokers or others) have elected to build and operate their own ID&V solutions, only rarely augmented with offerings from credit bureaus or other service providers. No business freely shares its customer data, for fairly obvious reasons, but that is changing.
Databases of Personal Information is Risky Business
As the world of identity, authentication and fraud management continues to be disrupted by the surge in digital transformation, large- and small-scale data breaches have followed suit. According to Breach Level Index, there were over 1700 data breach incidents resulting in over 2.6 billion records compromised in 2017; and 2018 has already witnessed multiple data heists across financial services, telecommunications, health and government organizations. Large banks, telcos, insurers and health service providers are compelled to rethink their data strategies, especially the collection, storage and processing of data that is not core to their offerings.
While shopping, financial, contractual and personal information is a treasure trove for customer insights and product development, this needs to be weighed against the risk of a breach, which would lead to direct financial losses, not to mention reputational damage. As organizations continue to consider their options, lack of action is resulting in increasingly ‘toxic’ centralized databases.
Centralize or Distribute?
An increasingly attractive option is to embrace advances in distributed and sequential ledger technologies like Blockchain, which support consumer-controlled Vendor Relationship Management (VRM) strategies such as Self-Sovereign Identity. The aim is to eliminate the risk of large-scale data hacks by distributing information across multiple infrastructures and even end-devices such as mobile phones, secured by advanced encryption where the keys themselves are also distributed. However, ID&V on Blockchain is still a fairly new use case, and many more proof points are required.
That leaves the other option, which is the continued use of centralized databases, but through trusted third parties (TPPs) who have a track record of experience, capability and scale to provide reliable, secure services without the risk of abuse.
Ideal TPP for ID&V: Catalyst for Distributed Solutions
Credit bureaus currently play the role of TPP for credit scoring, among a range of other aggregation, comparison, benchmarking and various analytic services. As organizations whose core business relies on centralized data services, they will continue to remain a top target for hackers. It is therefore no surprise that one of the greatest data attacks in history was on Equifax, who have reportedly spent over $242 million on data security and IT systems since the breach.
For credit bureaus, it is more than data security; it’s about survival. Very few organizations are more compelled to find sustainable alternatives. Continued moves by TransUnion and Experian in the ID&V and Fraud space demonstrate that investment is being made in new technologies and modalities. It might also be time for credit bureaus to disrupt themselves through distributed architectures.