E-BUSINESS SECURITY - ID no evil

Almost immediately after the September 11 terrorist attacks, lawmakers in Washington and other world capitals started calling for national identification cards - an extreme security measure that has long seemed out of place in free societies.

By Jeffrey Kutler
May 2002
Institutional Investor Magazine

The swift reaction was understandable. After all, the identification and security checks in place failed to prevent the hijackers from boarding airplanes. Subsequently, investigators struggled to ascertain the perpetrators’ real names in the face of false documentation, aliases and other ruses.

Though polls at the time showed that seven out of ten Americans (and more than eight out of ten Britons) supported national ID cards, the fervor has since died down. U.S. policymakers have focused instead on strengthening immigration controls and shortening visas. Some have proposed using fingerprints or other biometric forms of ID to keep closer track of nonresidents at least.

But that’s still just talk. In October the U.S. did enact far-reaching legislation, known as the Patriot Act, that more subtly raised personal identification and authentication standards. How? By tightening the anti-money-laundering regulations that require financial institutions to keep background files on their clients and monitor the legitimacy of their transactions.

In effect, the Patriot Act turned financial services companies into identity-registering agents in the war against terrorism.

The reasoning was simple: Banks have long had to adhere to so-called know-your-customer requirements. They establish their clients’ bona fides when opening accounts and vouch for their legitimacy when clearing payments or responding to third-party inquiries and requests for verification.

Under the Patriot Act virtually all U.S. financial institutions - not just the commercial banks that have been subject to money-laundering rules since the 1970s - are prohibited from dealing with customers they can’t reliably identify. That in itself may be a burden worth bearing by an industry that prides itself on being able to provide personalized services to valued customers.

But how can an institution truly know that its customers are who they say they are? It’s one thing to deploy the latest in customer relationship management software that analyzes account activity and suggests products and services to cross-sell. It’s quite another to get beyond the abstractions of numbers, names, passwords and mothers’ maiden names to verify that a client or counterparty is who he, she or it claims to be.

Questions of verifiable names and identities and how best to authenticate them first came to prominence as electronic commerce took off in the late 1990s. The answers began with personal identification numbers like those entered at automated teller machines and ratcheted up with higher-value transactions to more sophisticated digital signatures and even biometrics.

But as the September 11 disaster showed, the authentication problem is far from licked. “The issue of identity is growing unignorable. It’s something that the financial industry is bumping up against more and more,” says Daniel Geer, chief technology officer at New York-based consulting firm @stake and former senior strategist at CertCo, a data security spin-off of the old Bankers Trust Co.

Indeed, the industry that has found ways to handle $20 ATM withdrawals and $2 million stock transfers with full electronic efficiency - and with risk controls appropriate to each - must rethink its approach to authentication in a world made infinitely more complicated by terrorism. None of the existing methods, from simple passwords on up, are foolproof. Geer even warns against taking fingerprints or other physical characteristics for granted; they are, he says, “a tool of identity confirmation rather than identity assertion.”

That’s because these measures are only as reliable as the sign-up process - the point at which an employee at a financial institution binds a verifiable name to an identifying code or device. If the individual has stolen an identity or established an alias, all bets are off.

“Control starts with knowing someone’s identity. The technology doesn’t do that by itself,” explains Enrique Salem, a veteran Silicon Valley security executive who recently left a senior post at Cupertino, California-based Oblix, which supplies ID management systems to major corporations including American Express Co., Boeing Co., Charles Schwab Corp., Old Mutual of South Africa and Norway’s Norsk Hydro. The Oblix infrastructure lets users authorize or restrict systems access by employees, customers or strategic partners; it’s up to the administrators to request drivers’ licenses, passports or other supporting documents.

“It’s a hard problem,” concedes @stake’s Geer. As U.S. authorities learned in trying to determine the real names of the September 11 hijackers and the Taliban prisoners at Guantánamo Bay, there is a difference, says Geer, “between true identity and a repeatedly verifiable claim to a name.”

Geer adds that there is no such thing as a permanent, universally valid naming system. “Names are not unique,” he says. “Names tend to be unique only as a result of their context.” In other words, a certifying authority, such as a bank, will have to examine ever more closely the proofs of ID that customers present.

What makes identification increasingly vexing is the openness and versatility of the new Internet technology wave known as Web services. Typified by Microsoft Corp.'s .Net architecture, Web services promise seamless linkages among service providers, their clients, wholesale suppliers and joint venture and co-marketing partners. In the financial industry Web services could speed and simplify securities settlement and straight-through processing or make it easier for an online investor to do business with multiple brokerages and banks. But such arrangements require a new leap of trust: The various companies in the transaction chain must accept each other’s customer certifications.

“The question is, Who are you and what are you entitled or authorized to do? At what point does one firm accept an ID issued by another firm or an agent?” says Eliot Solomon, head of Eliot M. Solomon Consulting in Brooklyn, New York, and chairman of the Securities Industry Middleware Council, a New York association attempting to grapple with ID issues.

Web services promoters are touting a solution, called federated identity, that would enable one company to accept online credentials issued by another. That’s the basis for a Microsoft .Net product, Passport, and for a proposed multi-industry standard championed by Microsoft archrival Sun Microsystems called the Liberty Alliance, which consists of American Express, AOL Time Warner, Bank of America Corp., Fidelity Investments, United Airlines and about 30 other companies.

The early federated ID action has been retail. Citigroup’s credit card unit announced plans in March to test Passport, letting online shoppers move between Web sites without having to reenter passwords. Liberty’s initial applications, due out later this year, are likely to include United Airlines’ acceptance of online credentials from Hertz Corp. car renters, and vice versa. Meanwhile, less than a year after it began recruiting for the Liberty Alliance, Sun Microsystems has put its first large-scale Web services ID package on the market, supporting at least 10,000 registrants in its enterprise edition and 250,000 or more across the Internet.

SIMC’s Solomon applauds the rapid progress but maintains that the securities industry can’t adopt federated identity in its raw, generic form. “The standards that are out there are fine for basic Web services, but we have special needs for audit trails, accountability, risk management and supervision,” he says. “We will go back to the technology firms suggesting how our concerns might be addressed.”
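To make the federated-identity idea concrete, here is an added example (not Passport, Liberty Alliance or any firm's code) in which one company issues a signed, short-lived credential and another decides whether to honour it. It assumes constructed names (hertz.example, united.example), a placeholder shared key per issuer in place of a real signing infrastructure, and an in-memory audit log standing in for the audit trail Solomon describes.

```python
import hmac, hashlib, json, base64, time

# Constructed trust registry: the relying party only honours credentials from
# issuers it has explicitly enrolled. Keys here are placeholders, not real secrets.
TRUSTED_ISSUERS = {
    "hertz.example": b"hertz-demo-key",
}

def issue_assertion(issuer, key, subject, audience, ttl=300, now=None):
    """Issuer (e.g. the car-rental firm) signs a claim about an already-enrolled customer.
    The claim is only as good as the issuer's own sign-up checks on that customer."""
    now = time.time() if now is None else now
    claims = {"iss": issuer, "sub": subject, "aud": audience,
              "iat": int(now), "exp": int(now) + ttl}
    body = base64.urlsafe_b64encode(json.dumps(claims, sort_keys=True).encode()).decode()
    sig = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{sig}"

def accept_assertion(token, expected_audience, audit_log, now=None):
    """Relying party (e.g. the airline) checks issuer trust, signature, audience and
    expiry, and records every decision so the acceptance is auditable later."""
    now = time.time() if now is None else now
    try:
        body, sig = token.split(".")
        claims = json.loads(base64.urlsafe_b64decode(body))
    except (ValueError, json.JSONDecodeError):
        audit_log.append({"result": "rejected", "reason": "malformed"})
        return None
    key = TRUSTED_ISSUERS.get(claims.get("iss"))
    reason = None
    if key is None:
        reason = "untrusted issuer"
    elif not hmac.compare_digest(
            hmac.new(key, body.encode(), hashlib.sha256).hexdigest(), sig):
        reason = "bad signature"
    elif claims.get("aud") != expected_audience:
        reason = "wrong audience"
    elif claims.get("exp", 0) < now:
        reason = "expired"
    audit_log.append({"iss": claims.get("iss"), "sub": claims.get("sub"),
                      "result": "rejected" if reason else "accepted", "reason": reason})
    return None if reason else claims["sub"]
```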

Notes Leo Schlinkert, president and CEO of White Plains, New York-based Communicator, which provides online authentication services to the institutional securities industry: “Consumer identity management is much different than in the business world. Consumer transactions are smaller, and you can rely on credit cards [for verification]. In the business-to-business context you absolutely have to know who you are dealing with.”

The limitations aren’t deterring experimentation by Citigroup, which is supporting Liberty Alliance while also working with Microsoft. “We’ve only engaged with .Net in our cards group so far,” says Ed Glassman, vice president of technology for Citi’s e-business group. “But we think this is going to be very important on the corporate side as well, using the Internet to present an integrated view to clients of all their Citigroup relationships. We just don’t know how or when yet.”

Alan Young, executive director of technology for the e-Citi research and development group, says that high-end security technologies - like data encryption systems routinely used for corporate money transfers - could filter down into the mass market. “A smart card with a digital certificate embedded in the chip and locked to an ID could become a strong source of authentication,” he explains. “Even better, if you add a nonintrusive biometric like voice recognition, the bank could make a match and allow a transaction to be initiated over any telephone.”

But that scenario, Young stresses, “is still years away.” The ID technology is in its infancy, and Citi will proceed cautiously. It isn’t yet ready to delegate authentication to a third party. “Trust is our business,” he says. “Once that is dented in any way, we have a big problem.”