Let’s talk about digital identity with Elizabeth Garber, Editor of GAIN.
In episode 52, Elizabeth explores the recently announced Global Assured Identity Network (GAIN) initiative. She fills us in on what the GAIN project is, explaining how it’s different from other trust networks and why GAIN is good for financial institutions. She also discusses the role of the Global Legal Entity Identifier Foundation (GLEIF) in the project, and what’s next for GAIN.
“This is really going to unleash creativity and expand access to individuals and communities and sellers all around the world.”
Elizabeth Garber is a customer and product strategist who started her career in telecommunications and honed her craft in six different industries before joining one of the world’s largest retail banks. She is an expert in designing experiences and delivering transformational change based on a deep understanding of people. This interest has underpinned her graduate studies of the psychology of cross functional teams as well as how customers define value in relation to services they use.
In 2015, she was named one of the top 3 marketers under 30 by the UK Marketing Society and was recognised by Energy UK and EY for her work building Trust across the UK energy industry. In 2017 she won the Financial Times/30% club ‘Women in Leadership’ award.
Find Elizabeth on LinkedIn.
Elizabeth recently played a leading role editing the paper published by more than 150 Identity experts – GAIN: How Financial Institutions are taking a leadership role in the Digital Economy by establishing a Global Assured Identity Network. It was announced at the European Identity and Cloud Conference on 13 September by Nat Sakimura, chairman of the OpenID Foundation, and Gottfried Leibbrandt, former CEO of Swift, and then published by, among others, the Institute of International Finance.
To get involved, email email@example.com or join the LinkedIn group.
We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!
Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.
Oscar Santolalla: Hello, and thanks for joining. Our guest today played a leading role editing a paper published by more than 150 identity experts. The paper is called GAIN: How Financial Institutions are taking a leadership role in the Digital Economy by establishing a Global Assured Identity Network. It was announced at the European Identity and Cloud Conference last 13th of September by Nat Sakimura, who is the Chairman of the OpenID Foundation, and Gottfried Leibbrandt, former CEO of Swift, and then was published by, among others, the Institute of International Finance.
Our guest today is Elizabeth Garber. She is a customer and product strategist who started her career in telecommunications and honed her craft in six different industries before joining one of the world’s largest retail banks. She is an expert in designing experiences and delivering transformational change based on a deep understanding of people. This interest has underpinned her graduate studies of the psychology of cross functional teams, as well as how customers define value in relation to the services they use.
In 2015, she was named one of the top three marketers under 30 by the UK Marketing Society, and was recognised by Energy UK and EY for her work building trust across the UK energy industry. In 2017, she won the Financial Times 30% club Women in Leadership Award.
Elizabeth Garber: Hello, thanks for having me.
Oscar: It’s a pleasure. Welcome to our show. And let’s talk about digital identity. And certainly, we always like to start hearing a little bit more about our guest, especially how was your journey into this world of digital identity. Please tell us a bit about yourself.
Elizabeth: Sure. So my name is Elizabeth Garber. As you said, I’m a customer strategist, a product owner and service innovator. Now, I’m also a digital identity evangelist, I suppose. My passion is for understanding people, what drives their behaviour, how does any kind of service really add value in their lives. Then I help organisations to build services and communicate those benefits to real people. So these skills, I think, are critical in the digital identity space, because the solutions that we design really need to reflect the people who use them, how they move through their worlds, globally.
And not only that, but really great customer experience, designers, product owners, they’ll get to know what’s really on people’s mind that might prevent adoption of any one solution. And how different solutions kind of destroy value maybe in sometimes insidious ways, like a really convenient identity solution could come with some real trade-offs that are invisible to users at first. Maybe their data isn’t secure, maybe it’s sold off, maybe they’re giving it willingly, but they’re blind to some of the applications that will follow.
As someone who hasn’t been involved in identity for all that long, I can really relate to the users who don’t understand the difference between the offers that are currently on the market, and what might be there in future. So I’m here to get underneath how our identity solutions are going to create and potentially undermine benefits for real people. And then I want to promote the adoption of good ethical solutions.
Oscar: Excellent. And what was your exact role in this project in this paper, GAIN?
Elizabeth: In the paper?
Elizabeth: Yeah, as it turned out, a few other people thought that I could be useful. So one of the early co-authors Rod Boothby, who chairs the Open Digital Trust Initiative at the Institute of International Finance, reached out to me about his work. I was really floored when he took me through it and I knew that I wanted to get involved. It was really exciting. So, after I read through some of the documentation, I sent him some thoughts about the value to users, to banks, to relying parties.
And then within a few days, I was facilitating a virtual whiteboard session with a lot of the other co-authors all over the world, trying to help them kind of coalesce around who the paper was for, who is the audience, what are the messages that are going to resonate with that audience and then the structure of the paper. At that point, I wondered if someone might realise that I didn’t have a huge background in identity, maybe kick me out, but they are an inclusive group of people, and they really valued the approach. So ultimately, I played a pretty big role in pulling the paper that we published together.
I should say who else was involved. It was really an experiment in radical democracy as Don Thibeau of the OpenID Foundation likes to say. We brought more than 150 people together, experts in the space. I might mention some of their names in this interview, but it was a pro bono, no logos collaboration. But we did have the support of some major organisations in the space. The ones that participated and are now publishing and promoting the paper include the OpenID Foundation, the Institute of International Finance, the Open Identity Exchange, the Global Legal Entity Identifier Foundation, and the Cloud Signature Consortium.
Oscar: Excellent. Tell us a bit more about the…
Elizabeth: The paper itself?
Oscar: Yes, please.
Elizabeth: OK. Yeah, sure. So the paper invites financial institutions. It’s a call to action for financial institutions to join us in solving the biggest problem on the internet – a lack of trust, specifically a lack of trust due to the absence of verified identities. How do you know the person you’re dealing with is real? How do you know that they are who they claim to be? How do you know that your money will end up in the right hands? Fraud and cybercrime increases every year. Some estimates say it’s 5% of GDP, trillions of dollars. Criminals are thriving in anonymous digital spaces.
And at the same time, you and I and our friends are pervasively tracked. We enter our details into countless sites, service providers follow us around, they trade our information. Even our biometrics are seeping around into more and more places, our faces, our fingertips, more and more people or parties have access to really private, really personal information that could be used in any number of ways – steal our identities, for example. And that needs to stop.
The paper argues for the internet’s missing trust layer. That’s a phrase coined by one of the co-authors, Kim Cameron, who led identity at Microsoft for many years, and he wrote the Laws of Identity. Then this concept was really beautifully explained by Nat Sakimura, Chairman of the OpenID Foundation at the European Identity and Cloud Conference in September. In this new paradigm, highly trustworthy identity information is passed from a regulated or otherwise highly trusted institution to an organisation that needs it, with end user knowledge and consent every time.
So, if I’m buying another bottle of Malbec, I shouldn’t have to prove my age by uploading a driver’s license to another site or sharing a photo of my face. You don’t need my name, my face, my address. No one else needs a copy of my credentials or biometric information. You just need to know that I am the person I say I am and that I’m old enough. So my online wine retailer can send a message to my trusted identity information provider. I would choose my bank and they will use their app to authenticate me and say, “Hey, the International House of Malbec wants to know if you’re over 21, should I tell them?” And of course, it’s a yes, because I need to celebrate recording this podcast.
Oscar: Tell us a bit the solution itself because there are some solutions, which one way or another address the problem you described?
Elizabeth: Yeah, so none of this is really new. People have called for this for years. One of my co-authors actually from INNOPAY, Douwe Lycklama, shared a YouTube video arguing for the same thing, and it was dated in 2007. Of course, it does exist in some places already, Norway, Sweden, Belgium, Canada, Finland, in one form or another lots of jurisdictions around the world have a solution like this. And as another GAIN co-author Dave Birch, who also wrote Identity is the New Money, pointed out in Forbes last week – We’re starting to see evidence that these networks really facilitated the rollout of aid during the pandemic, and mitigated the risk of fraud.
In particular, another co-author from Vipps in Norway helped us to compare some early information coming out against the US, UK data. So no, none of its new but we do argue in the paper that now is the time to think about global interoperability of these networks.
Oscar: Yeah, and I think as the model of doing the solving these problems goes towards how the countries you have mentioned, most of them have created a system based on banks, others combined with all of the mobile operators, right, but those are like the main types. And the states, of course, the states, some of the states has also provided that. So these are the three types of identity provider, the one who provision these systems, this identification service, but obviously, it’s not – it’s not commercial big tech, no, that’s out of these group of entities who provide these systems.
And of course, you mentioned different countries. We talk about few countries that have sufficient solutions. But I think the next question would come, how to make it available for the rest of the world, how we ensure some type of global interoperability?
Elizabeth: Absolutely, absolutely. So we think global interoperability is really important for a lot of different reasons. Three in particular spring, to my mind. The number one, end users want to live globally, maybe more importantly, most online companies are global or need to be global. They have suppliers and customers across borders. So the benefits increase dramatically when a trust network is global, rather than local – fewer contracts, fewer integrations, and the benefits extend throughout their supply chains all the way to the end users who benefit from simpler, more convenient services all across the internet.
Because my second point is, it’s an extension of that first one that those benefits actually extend to global society. A global network allows a specialist artisan in one part of the world to reach a global audience without relying on an intermediary. So Oscar, let’s say you have something to celebrate, and you’ve decided to buy yourself a handmade quilt from India, a Kantha. You will be able to find sellers that you can trust and they’ll be able to sell to you, charge you the price that someone in Finland expects to pay, and they will keep a greater percentage of it for themselves, potentially. So this is really going to unleash creativity and expand access to individuals and communities and sellers all around the world.
Finally, there’s a practical benefit from promoting this vision of interoperability. And I believe it’s the key factor that will move the needle towards actually setting up this trust layer in places where it does not exist today. Major relying parties, and I’m talking now about big companies that operate worldwide with the heft to influence a global movement, they buy into this vision only when it has a global reach. They don’t want to integrate with a different provider in every jurisdiction on the planet. So with that in mind, financial service institutions around the world are far more likely to collaborate and catalyse this movement, if they see that the vision is expansive enough to meet the demand for global reach.
Oscar: Okay, so definitely interoperability is something that we aim – not only the ones who are like me, I’m in Finland would like to have the same for the rest, but the ones who don’t have a sufficient identification system like those. But then something caught my attention is in the white paper. It says GAIN Digital Trust: How financial institutions are taking a leadership, et cetera, et cetera. So that means that the 100 persons who have been involved in this are targeting financial institutions. So why is targeting specifically financial institutions?
Elizabeth: Great question. So the main body of the paper is targeting, it’s directed at the world’s large financial institutions. It’s a call to action for them to catalyse the creation of a globally interoperable network. To be really, really clear with everybody though, we don’t think the paper or the global assured identity network is only for banks or financial institutions. The network itself must be inclusive, and in some parts of the world energy companies, telecommunications providers etc., they may be better placed than banks to be trusted identity information providers.
However, we argue that financial institutions are really well positioned to spark this change, to bring it to life, and to benefit from it. And so that’s what the paper really gets into. It runs through the reasons why financial institutions are positioned to do it – a point we repeat a few times – because we’ve seen them do it before. They built the rails for global payments, for cards, for securities, etc. They built Swift, Mastercard, Visa.
There are three main strengths that they have that makes them the perfect catalyst. Number one is trust. It’s a bank’s core offer. I know some people might laugh at that, because you don’t always trust a bank to give you the best rates, or brilliant customer service every time, but you do trust them. You trust them to keep your money and your data safe. That’s why they exist. Some companies monetise your data. Banks, financial institutions are in the business of monetising your security and privacy. And they have been since the very first bank – the Medici bank in 1397. Banks are trusted.
Number two, the second point, is a build off the first. They are regulated. A lot of that trust is underpinned by regulation. They need to be worthy of our trust and meet certain standards so that other businesses do not – and there are governance frameworks to build upon as these new services are created.
The third point that makes them a great catalyst, the third strength, is how well they know their customers. Because of those first two things, banks invest significant amounts of money in making sure that they know their customers. You might hear me say Know Your Customer, or KYC, is the process – and it’s regulated – that they go through to validate your identity when you open an account. And they also build the technical infrastructure to know that it’s you each and every time someone tries to get into your account. They have built best-in-class tools to identify, authenticate you, while keep your account secure and your information private. And all that’s why banks are best placed to vouch for your identity and to use their authentication methods to confirm on behalf of others that it’s really you.
Oscar: What would make possible that there is such interoperability in more practical, more technical terms?
Elizabeth: Good question. So we’re going to try to apply interoperability standards that many different types of systems can plug into. There will be direct participants, banks or other identity information providers who use the network to verify information for the companies who need to consume it. And, of course, there will need to be intermediaries and translation layers to ensure that a BankID Sweden customer can verify their identity with a seller in Mexico, for example. That BankID customer will continue to verify using BankID. But we will have created a way for BankID to communicate to relying parties all over the world, including Mexico.
We can also create servers that tap into self-sovereign identity networks. It’s important to know that we’re designing this system so that identity information passes from the provider, the identity information provider, directly to the relying party without passing through any centralised GAIN entity. That’s really important, at least as we understand it. That’s really important when we start to talk about interoperability from a legal standpoint.
Technically speaking, though, these direct connections are enabled by common API specifications. They’re based on OpenID standards, such as FAPI. With all that said, this field is evolving and technical proof-of-concepts are underway. So I definitely need to reserve the right to build upon my answer later on.
Oscar: Yeah, definitely. It’s very convincing your point, your three points. And I can feel that, absolutely. And the banks have already proved that in some of the countries that we have mentioned that they are leaders in this identification.
Elizabeth: Absolutely. Yep.
Oscar: And now my guess that among the 150 authors, there are some people who are directly involved in banks.
Oscar: OK, excellent.
Elizabeth: Yes. Like I said, it was a no logo collaboration so I won’t be dropping the names of any specific names.
Elizabeth: But we did have the partnership of the Institute of International Finance, who is pulling together a proof of concept with the Open Digital Trust Initiative. And we do have banks involved in that.
Oscar: So why it is really good for banks from the bank’s point of view, why it’s good to join GAIN?
Elizabeth: Yeah, so importantly, it’s not just that they can do this, it’s also that they will benefit from doing it. The first benefit that’s easiest to explain is simple, it’s revenue. Identity verification services will have as they do today, a small price attached. Transactions will result in a small amount of money flowing into the ecosystem. And a percentage will go to the identity information provider, in this case, the bank. That turns the assets that I was just talking about – what they’ve spent to build up KYC, authentication, security, all those infrastructures – that turns them from a major cost centre, into a profit centre.
Second, there will be massive efficiencies for banks, password resets, document signing, mortgage processing, etc. There will be more efficiency inside a bank. They will also see less fraud. In Norway, BankID saw fraud reduced from something like 1% to 0.00042% of transactions.
But the biggest benefits are strategic. New competitors are coming in between banks and their customers, are diminishing the role that banks play in providing access to capital markets. Providing identity information services to their customers, under their brand name, cements a really critical role for banks. They will provide their customers with access to the digital economy. And they will keep their customers safer, more secure in their privacy than they are today. And that’s a real value add for their customers. So strategically, banks really must do this, or they risk getting cut out of a lot of transactions.
Oscar: Indeed, banks have to hear it. When I started reading more about this paper, and you have mentioned at the beginning also, that the Global LEI Foundation is also involved, it’s one of the main supporters of this initiative. So tell me how that relates to that. They are not the banks. Of course, they have some business with the banks. But please tell us what is the connection?
Elizabeth: Yeah, I listened to your podcast that you did with GLEIF, Global Legal Entity Identifier Foundation, while I was preparing to talk to you. And yeah, I think the connections are really strong. So they were a critical partner in pulling the paper together. They’re doing incredibly important work, and will absolutely be part of the next steps as we figure out how to realise a global assured identity network.
There are three types of identity questions that we all really have as we transact online. Who is this person? Can I trust them? Who is this company? Are they trustworthy? And then connecting the two. Is this person related to a company? What’s their role? Are they entitled to be doing this thing, signing this document logging into my account on the company’s behalf? If we start getting key information about the individual, that’s great, that adds a ton of value. GLEIF is answering that second question, who is the company? And once we can get to the third point of connecting the dots, that’s going to be really powerful. So yeah, GLEIF is a critical partner and will remain so throughout the rest of the journey.
Oscar: Yeah, yeah, now the way you have explained also is pretty good. And we say that verify identity of a person, of a company or organisation and how to link these two in this. And that’s pretty critical. That’s something that has not been explored enough, I would say. So that’s, I’m really intrigued to hear how GAIN is addressing doubts about this because it’s essential these days.
So, Elizabeth, I’d like to hear more what comes next. So just a couple of weeks ago was the launch of the paper and I also saw some interest on the media. That’s excellent to hear. But what come next now for GAIN?
Elizabeth: Well, we already have planning underway for GAIN technical proof of concept. And we’re looking for more people to get involved, more companies to participate. So we have big companies who need to de-duplicate their customers, companies that need to collect verified signatures, the number of use cases is seemingly endless. We’re also looking for partners, aggregators, or service providers who can help us – help bring these relying parties on board or technical service providers who can help us to envision and build services on top.
There are so many ways to be involved. So if you’re thinking about getting involved, it might mean that you’re interested in identity. So you’re listening to this podcast after all, that probably means that you’re only one or two steps away from one of the co-authors, so it’d be really easy for you to reach out to them. You can also reach out to me or the Global Assured Identity Network LinkedIn group that we have. And if you’re really interested in the POC, we’ve got an email address for you, it would be digitaltrust@IIF.com. So even if none of that is true for you, there’s something you can do. You could call up your bank and tell them to offer this service
Oscar: Exactly. Even as a user, you can ask your customer for the bank, you can ask the bank, have you heard of GAIN? Yeah, absolutely. And I guess – assume that you already have a big list of the most potential use cases right that some of these customers, companies, service provider that you are now inviting. They could fit into this use cases. Excellent. Elizabeth, finally, tell us – for all business leaders that are listening to us in this interview. So what would you say is the one actionable idea that they should write on their agendas today?
Elizabeth: So these ideas that we’ve been talking about are going to mark a step change in the digital economy. A third wave in identity as my colleague Rod Boothby pointed out on LinkedIn last week. First, it was all about companies providing IDs and passwords to employees to access work systems, and businesses gave customers IDs and passwords to access services on the internet. This third wave is all about us bringing our own trusted digital identity wherever we go. With a really inclusive approach and active global collaboration, this will open up our digital economy. It’s going to expand access, and make life so much simpler and safer online.
So for those who are listening, I would urge business leaders to figure out what role your business can and will play in a globally interoperable assured identity network. Are you an identity information provider? Can you be? Will you be a relying party who consumes these services so that you can verify that the signature on a contract is valid? Can you help us onboard relying parties or integrate these services?
On your agenda, I’d say write down, figure it out, figure out how you’re going to get involved and then get in touch. Again, join our Global Assured Identity Network on LinkedIn, or email digitaltrust@IIF.com. If you know that you want to join the POC.
Oscar: Yeah, indeed. This might still be relatively new concept for companies who are not so exposed to this type of identity services. So yeah, it’s a good idea, as you said, to decide, think about what is going to be that new role of your company from the many choices you have mentioned.
Thanks a lot, Elizabeth. It was super interesting to hear about this extraordinary effort that had been done by GAIN project, very recently launched. And as you said, now, the Proof-of-Concept are starting to keep going. Please let us know how people could get in touch with you if they like to follow this conversation with you.
Elizabeth: Yeah, so you can find me on LinkedIn really easily. My name is Elizabeth Garber. Yeah, I think that’s the easiest way.
Oscar: OK. LinkedIn is the easiest way. Thanks a lot Elizabeth. It was a pleasure talking with you and all the best.
Elizabeth: Thank you. Thanks for having me.
Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episodes at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.
[End of transcript]