Anirban Basak – Fellow at MIT Connection Science and Founder CEO of FortifID.
The new data economy is flawed, creating problems for institutions, aggregators and individuals who often have conflicting interests. The consumer lending and insurance industries in the U.S. pay third-party data aggregators to collect and synthesize data and provide insights about individuals. Yet there is no place for individuals to assess the type or accuracy of the data collected about them.
Over the last decade, banks and fintech companies needed to adapt and survive in a quickly evolving digital world. They allocated substantial resources toward big data analytics, machine learning techniques and AI algorithms to drive better and faster decision making over the length of a loan life cycle. In this process, they also inadvertently catapulted the growth of the third-party data aggregator industry. Without a clear governance framework in place around data collection and use, this burgeoning data ecosystem is vulnerable to abuse.
Ongoing data breaches and concerns around privacy permissions and protections indicate that the way we’ve been managing personal data is not working and warrants a radical disruption. I believe we need to adopt a new approach—one that relies not only on business and legal guarantees but primarily on technical solutions and their associated guarantees integrated into data architecture.
Effective solutions for consumer lending and insurance industries should be built around immutable distributed ledgers with a regulatory framework to:
• Generate a strong digital identity for each applicant through claims and assertions
• Allow the individual to retain control of their identity and data in the transaction
• Directly connect individuals to institutions
Overcoming Challenges In The Current Data Economy
At a high level, the customer acquisition process for consumer lending and insurance companies follows five steps:
1. Find
2. Solicit
3. Vet
4. Assess Risk
5. Onboard
The two players in this solicitation process are lending institutions on one side and individuals applying for lending institutions on the other. In between are the third-party data aggregators who collect and sell personal data to institutions. Both lending institutions and third-party data aggregators are resistant to attempts to disrupt or regulate this process and slow the acquisition of new customers. However, the economics of this workflow are not helpful or sustainable for lending institutions.
But from the user’s perspective, there is an increasing need for privacy with respect to personally identifiable information. Individuals are understandably concerned about the privacy and security of their identity and the exploitation of their personal data—beyond their rights to delete inaccurate data as defined in data protections regulations.
Our industry needs to develop a new system of verifying users’ digital identity on non-hackable technology and then directly connecting them to institutions that need the data. This system must address challenges in the following areas:
• Data Breaches
Recent years have seen a steady uptick in data breach incidents across industries. I would argue that an identity architecture that is third-party owned and managed does not adequately protect an individual’s digital identity.
• Digital Identity
Interacting with a new service usually requires creating a new identity from scratch. Financial institutions, shopping sites and governmental services know us only as our service-specific identities. Yet we don’t change our names every time we visit a new store.
The lack of a strong digital identity, a singular whole digital self, is a direct cause of some of the most significant challenges in the digital market. Services see their customers appearing out of nowhere, with no existing preferences or attributes. Somewhat counterintuitively, this absence of a unified identity also diminishes users’ privacy and prevents them from easily generating new and discarding old or compromised identities.
• Transaction Privacy
When transactions are linked, potentially across multiple services, to track user habits and behaviors, it poses a great privacy risk to the digital economy. On the other hand, setting separate accounts for every transaction isn’t practical.
• Transaction Verification
Users must be able to audit and verify transactions within a service that pertain to their identity. It has become standard practice for services to notify users when an unknown device logs in or a password is changed—but it is still rare to provide users with an auditable log of more commonplace transactions that relate to data collection and use.
• Personal Data Privacy
Challenges around digital identity and personal data lead to a broken data ecosystem. Data about us—where we go, who we meet, what we buy—gets collected and stored in every database we’ve created a username for. In the current data environment, true privacy is impossible.
Solutions to these technical challenges must prioritize identity management and sharing of personal data, the two main domains of the digital economy. We need to develop strong identities to achieve two seemingly contradictory goals: making it easy for users to show and prove who they are, while at the same time, making it possible for them to limit (up to full anonymity) what is revealed about them.
Rather than relying on service-specific identities, these solutions should allow a user to create and own an identity profile that contains strong assertions about their attributes, such as their age or credit score. These assertions would remain strong because they are cryptographically signed by entities able to verify their accuracy. The identity profile would stay private to the user, never directly accessible by any service providers, and could be adapted with multiple personas to capture different facets of their identities (for example, “work me” and “kayaking enthusiast me”).
Transaction identities would have the same verified attributes of the main user identity but would be ephemeral and unlinkable. A user could easily retire their existing transaction identities and generate new identities. While these identities would be unconnected, they would still be verifiable, making it simple for them to create new accounts that are bootstrapped with existing attributes and, at the same time, enhancing their privacy protections and control.
The current data ecosystem isn’t working and will continue to put individual privacy and security at risk if not addressed. Yet lending institutions and third-party data aggregators are reluctant to change the process—due to the capital investment required to update technology and workflows, retrain staff and build new tools.
If, as an industry, we can demonstrate the value of these solutions, in the form of improved portfolio economics, profitability and reduced fraud and reputation risk, then we may make it easier for businesses to take the plunge. Our goal should be to help businesses seamlessly transition to a new process—rooted in privacy protections, data utility and user control—without hurting their day jobs or their bottom lines.
Forbes Business Council is the foremost growth and networking organization for business owners and leaders. Do I qualify?
Read the full article here