
Friday, 27 December 2019

Open Finance: The FCA's Call For Input

The FCA has called for suggestions by 17 March 2020 as to how it can support more open access to customers’ financial data. A few thoughts here, with an article to follow in the coming weeks...

The major stumbling blocks, as ever, are genuine customer problems/demand and supplier appetite, which tend to be focused quite narrowly; and who gets access to the data and for what purpose. 

One suspects that the Nirvana of a single consumer 'dashboard for everything' remains a long way off. We’ve seen broad-based initiatives before, like the UK government’s ‘midata’ programme from 2011. Key challenges remain customer identity and authentication on a broad scale, as opposed to channels more closely aligned with specific customer activities. In July 2019 the Government Digital Service and the Department for Digital, Culture, Media & Sport were still calling for evidence of how the Government can support improvements in identity verification and the development (and secure use) of digital identities generally. 

Yet there have been genuine advances around more defined customer activities. The FCA itself cites the second payment services directive and related standards designed to open up the payments market, for instance. These were partly a response to strong demand for new, unregulated services that were already providing access to current account data and enabling the remote initiation of bank transfers. Those competing to provide these services were encountering a distinct lack of co-operation from the current account providers (mainly banks). Specific regulation was forthcoming and has duly helped account information and payment initiation services proliferate and scale. But regulation did not itself catalyse either the demand or the services themselves. 

At any rate, it will be interesting to see whether the FCA receives evidence of other existing but nascent 'open finance' type services whose growth is genuinely stymied by issues that can be resolved by regulation. Whether such use-cases are sufficiently distributed across the range of day-to-day activities in which customers are engaged to constitute generally 'open finance' will be interesting to discover but of secondary importance. 

Of course, the elephant in the room is who will have access to all the data and for what purpose. In this respect, it would be particularly interesting to know when the FCA and PRA will begin to actually audit the use of artificial intelligence by financial services providers, rather than merely survey the industry on a self-disclosure basis. If they're true to form, we'll see a few major train wrecks first...

Thursday, 15 October 2015

Keeping Humans At The Heart Of Technology: Conference Wrap

This is a long overdue summary of my closing remarks at the SCL Technology Law Futures Conference on whether humans can survive the advent of super-intelligent machines. The podcasts for each session are available on the SCL site.

I am confident that we can keep humans at the heart of technology during the current era of artificial narrow intelligence.  It seems we are a long way into the process of coping with computers being better than us at certain things in some contexts. The sense was that the dawn of artificial general intelligence, where computers can do anything a human can, is 20-40 years away. It's also possible, of course, that the machines may never completely exceed human capabilities - more a matter of faith, in any event, as it would only be us who judged that to be the case. 

There are clear signs that humans are using computers to enhance the human experience, rather than replace it. E-commerce marketplaces for everything from secondhand goods, to lending and borrowing, to outsourcing household tasks and spare rooms show that humans are working together directly to remove intermediaries by relying on facilitators who add significant value to that human-to-human experience.

This underscores the fact that computers' lack of 'common sense' will severely limit their ability to replace us – not just rationally speaking but also in terms of a shared understanding of our own five senses, and how we co-operate and use that shared understanding with each other in subtle yet important and uniquely human ways, for example, simply to summon the smell of freshly cut grass. 

Misuse of machines by humans - to constrain choice, for example - will also hold back development or lead humans to develop alternatives. We have worked around technology-based monopolies in various industries, such as music, but we also heard how the few major mobile 'app stores' are not only becoming the preferred distribution platforms for software, but also choke points to throttle competition. Such attempts at control will prove futile if those platforms do not give us what we want or are not aligned with how we behave or fail to reinforce the shared sense of community that is a feature of, say, peer-to-peer marketplaces and the new distributed ledgers.

The point was also made that we should recognise the value in our freedom to make mistakes or to simply forget or fail to do something – indeed the fact that someone else has forgotten or failed presents an opportunity for someone else. Perhaps this is the key driver of competition and innovation in the first place. [So, would machines evolve to be so efficient that change would no longer be necessary? Superintelligence could be a dull experience!]

Yet it is human fallibility, not that of machines, which is behind most online fraud. Turns out that it's simpler and cheaper to hack the human operating system with confidence tricks than it is to cut through the security systems themselves. Ironically, in this context, it seems there’s more a role for machines to help us avoid being fooled by other humans into giving out sensitive information, rather than to evolve ever more sophisticated encryption, for example.

A key issue is that the evolution of machine ability and interoperability is adding vast complexity to the rules and contracts that govern their use. Layers and layers of rules, terms and conditions must knit together to ensure effective governance of even the humble home entertainment network. Of course, the earlier the lawyers, legislators and regulators are involved in this, the easier it is for governance infrastructure to keep up.  That point is often made by lawyers, but it was also very heartening to hear the direct invitation for more lawyers to be involved directly with engineers in the step-by-step development of driverless cars, so they are aligned with how we humans want them to work on our roads. 

Yet the speed of technological development versus the speed at which the law moves makes it unlikely that the law and rules alone will be effective in directly controlling the development of machines, whereas incentives such as commission, fees and fines will likely prove more useful in nudging behaviour in the right direction and keeping interests aligned. How the economic models evolve is therefore critical - and a good area for less direct legal control of machines, particularly through the apportionment of liability and the regulation of markets and competition.

Economically speaking, however, it was pointed out that we are prone to overstating the impact technology has had in the past, and overestimating its effect in the future. In terms of GDP growth, for example, it turns out there was no industrial 'revolution' but merely a steady increase in output in parallel with various technological improvements. Tech booms and busts are also evidence of this.

We also tend to get hung up on globalisation and the need for harmonious rules across regions, yet much of the benefit of the internet, for example, has actually occurred at local level, and most of us use our phones and email to stay in touch with local people. 

Against this background, the conference keynote speech provided an entertaining overview of artificial intelligence and the community behind it, finishing nicely with a list of the top priorities for urgent human attention. The 'Internet of things' - 50 billion connected devices by 2020 - clearly covers a vast area, so it's important to bring it down to specific scenarios, such as the home, the car, the streets and how sensors, software and machines in each context inter-operate. Other critical developments and scenarios deserving our attention are driverless cars; the use of drones in the context of both civil surveillance and warfare; and applications that control or monitor our health.

More on those fronts in due course, no doubt.

Thanks again to all the speakers for such a thought provoking series of presentations.

Tuesday, 19 May 2015

Of #Smart Contracts, Blockchains And Other Distributed Ledgers

Seems I caught Smart Contract Fever at last week's meeting of the Bitcoin & Blockchain Leadership Forum. So rather than continuing to fire random emails at colleagues, I've tried to calm myself down with a post on the topic.

For context it's important to understand that 'smart contracts' rely on the use of a cryptographic technology or protocol which generates a 'ledger' that is accessible to any computer using the same protocol. One type of 'distributed ledger' is known as a 'blockchain', since every transaction which is accepted is then 'hashed' (reduced to a fixed-length string of letters and numbers) and included with other transactions into a single 'block', which is itself hashed and added to a series or chain of such blocks. The leading distributed ledger is 'Bitcoin', the blockchain-based virtual currency. But virtual currencies (commodities?) are just one use-case for a distributed ledger - indeed the Bitcoin blockchain is being used for all sorts of non-currency applications, as explained in the very informative book, Cryptocurrency: How Bitcoin and Digital Money are Challenging the Global Economic Order. As Jay Cassano also explains, another example is Ripple, which is designed to be interoperable with other ledgers to support the wider payments ecosystem; while Ethereum is even more broadly ambitious in its attempt to use smart contracts as the basis for all kinds of ledger-based applications.

Generally speaking, the process of forming a 'smart contract' would be started by each party publishing a coded bid/offer or offer/acceptance to the same ledger or 'blockchain', using the same cryptographic protocol. These would be like two (or more) mini-apps specifying the terms on which the parties were seeking to agree. When matched, these apps would form a single application encoding the terms of the concluded contract, and this would also be recorded in the distributed ledger accessible to all computers running the same protocol. Further records could be 'published' in the ledger each time a party performed or failed to perform a contractual obligation. So the ledger would act as its own trust mechanism to verify the existence and performance of the contract. Various applications running off the ledger would be interacting with the contract and related performance data, including payment applications, authentication processes and messaging clients of the various people and machines involved as 'customers' or 'suppliers' in the related business processes. In the event of a dispute, a pre-agreed dispute resolution process could be triggered, including enforcement action via a third party's systems that could rely on the performance data posted to the ledger as 'evidence' on which to initiate a specific remedy. 

Some commentators have suggested this will kill off various types of intermediaries, lawyers and courts etc. But I think the better view is that existing roles and processes in the affected contractual scenarios will adapt to the new contractual methodology. Some roles might be replaced by the ledger itself, or become fully automated, but it's likely that the people or entities occupying today's roles would be somehow part of that evolution (if they aren't too sleepy). The need for a lot of human-readable messages would also disappear, signalling the demise of applications like email, SMS and maybe even the humble Internet browser. Most data could flow among machines, and they could alert humans in ways that don't involve buttons and keyboards.

So what are the benefits?

Well, it might take significant investment to set up such a process, but it should produce great savings in time, cost, record-keeping and so on throughout the lifetime of a contract. And, hey, no more price comparison sites or banner ads! Crypto-tech distributed ledgers would enable you to access and use a 'semantic web' of linked-data, open data, midata, wearables, smart meters, robots, drones and driverless cars - the Internet of Things - to control your day-to-day existence.

The downside?

This might also play into the hands of the Big Data crowd (if they find a way to snoop on your encrypted contracts), or even the machines themselves. So it's critical that we figure out the right control mechanisms to 'keep humans at the heart of technology' - the topic of the SCL's Tech Law Futures Conference in June, for example.

Meanwhile, I'm reviewing my first smart contract, which is proving rather like being involved in the negotiation of a software development agreement - which it is, of course. I'll post on that in due course, confidentiality permitting...


Wednesday, 6 May 2015

Of #Blockchains And #MultiFactorAuthentication

Okay, so yesterday I was trying to use the car rental scenario to understand the concept of blockchains and distributed ledger technology and ended with the point that all sorts of computer applications could run "on" the blockchain. Some could act as gateways between/among blockchains, and some could link applications on blockchains with the applications running on the Internet - like social media, email - or applications on mobile networks, including SMS. 

So, in the example, the contractual program running on the blockchain that doubles as my car rental contract could also initiate a text message telling me where and when to pick up my rental car. 

I also mentioned that my own request to rent a car could provide the details for where the car rental company's program could go to verify my driver's licence. I didn't mean for identification purposes, but to work out if I'm licensed to drive a vehicle.

On the identity front, I mentioned that both the car rental company and I would be acting pseudonymously. That's important because blockchain transactions are accessible by anyone with a device running the relevant technology. So my and the rental car company's respective bits of code would have to offer a way for us to authenticate each other. And this is where the public nature of blockchains really comes into its own.

Back in 2011, we had a big discussion on identity at the CSFI from which my 'takeaways' were that (1) identity is dynamic, not static - we are better defined by the data generated by everything we do, rather than a birth date or fingerprints. So (2) verifying our identity could be based on a unique snapshot of our behavioural data, which could then be discarded, rather than a passport etc.  which could be copied and used by fraudsters.

The challenge with multi-factor authentication in the Internet world is possibly that the data is subject to alteration (though on a mass scale it could be hard to alter every item of data about a person's behaviour).

But blockchains are infinitely harder to alter, since (I'm told) all the computers running the technology check each block when it is completed and that can't be undone, unless you control most of the computers at any one time (like a villain in a Bond movie).

So our identities could be verified by reference to a series of our blockchain transactions. For privacy and security reasons, each blockchain transaction should be coded so as not to give away much information about the transaction itself. That ought to be easy, since the code only needs to be understood by the computers who process each transaction at that time. At any rate, each transaction could somehow be combined into a unique identity token that would continually evolve to remain unique.

Hey presto, reliable multi-factor authentication!

Do I have any of this right?
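As an added example (not code from this post or from any project it mentions), the Python below sketches the two mechanics the post leans on: a toy hash chain whose blocks commit to their transactions and to the previous block, so that rewriting a past entry is detectable, and a challenge-bound 'momentary' identity proof derived from a party's own history on that ledger. The ledger layout, the commitment scheme, the proof construction and the car-rental data are all constructed assumptions, not any real blockchain protocol.

```python
import hashlib
import hmac
import json
import secrets

GENESIS = "0" * 64  # assumed placeholder for the first block's predecessor hash


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def commit(tx: dict, blinding: bytes) -> str:
    """Publish H(blinding || canonical tx) rather than the deal itself, so the
    public ledger gives away nothing about the transaction; only a party that
    holds `blinding` can later open the commitment."""
    canonical = json.dumps(tx, sort_keys=True, separators=(",", ":")).encode()
    return sha256_hex(blinding + canonical)


class Ledger:
    """Toy hash chain (assumed, not a real protocol): every block hashes its
    commitments together with the previous block's hash, so altering any past
    entry changes that block's hash and is caught by verify()."""

    def __init__(self):
        self.blocks = []

    @staticmethod
    def _block_hash(prev: str, txs: list) -> str:
        body = json.dumps({"prev": prev, "txs": txs}, sort_keys=True).encode()
        return sha256_hex(body)

    def append_block(self, commitments: list) -> None:
        prev = self.blocks[-1]["hash"] if self.blocks else GENESIS
        txs = list(commitments)
        self.blocks.append({"prev": prev, "txs": txs,
                            "hash": self._block_hash(prev, txs)})

    def verify(self) -> bool:
        """Re-hash every block from genesis; a changed entry or broken link fails."""
        prev = GENESIS
        for b in self.blocks:
            if b["prev"] != prev or b["hash"] != self._block_hash(b["prev"], b["txs"]):
                return False
            prev = b["hash"]
        return True


def history_digest(ledger: Ledger, own_commitments: set) -> bytes:
    """Public side of a party's history: its commitments in ledger order, each
    anchored to the hash of the block that contains it."""
    h = hashlib.sha256()
    for b in ledger.blocks:
        for c in b["txs"]:
            if c in own_commitments:
                h.update(bytes.fromhex(b["hash"]) + bytes.fromhex(c))
    return h.digest()


def momentary_proof(openings: list, challenge: bytes, digest: bytes) -> str:
    """Challenge-bound proof keyed by the secret openings of the party's own
    transactions (known only to the parties to those deals), computed over a
    fresh challenge plus the public history digest. Once the challenge has
    been used the proof is worthless and can be discarded."""
    key = hashlib.sha256(b"".join(openings)).digest()
    return hmac.new(key, challenge + digest, hashlib.sha256).hexdigest()


def verify_proof(openings: list, challenge: bytes, digest: bytes, proof: str) -> bool:
    return hmac.compare_digest(momentary_proof(openings, challenge, digest), proof)


def demo() -> dict:
    """Constructed car-rental scenario: a pseudonymous renter publishes three
    commitments interleaved with unrelated traffic, then proves its identity."""
    ledger = Ledger()
    openings, mine = [], set()
    for i in range(3):
        tx = {"from": "pseudo:renter", "to": "pseudo:rentco", "what": "rental-offer", "n": i}
        r = secrets.token_bytes(16)
        c = commit(tx, r)
        openings.append(r)
        mine.add(c)
        ledger.append_block([c, commit({"unrelated": i}, secrets.token_bytes(16))])
    digest = history_digest(ledger, mine)
    challenge = secrets.token_bytes(16)
    proof = momentary_proof(openings, challenge, digest)
    result = {
        "chain_intact": ledger.verify(),
        "proof_ok": verify_proof(openings, challenge, digest, proof),
        # The same proof presented against a new challenge is rejected (replay).
        "replay_ok": verify_proof(openings, secrets.token_bytes(16), digest, proof),
    }
    # Rewrite one historical entry: the chain no longer verifies.
    ledger.blocks[0]["txs"][0] = commit({"from": "pseudo:someone-else"}, b"x" * 16)
    result["tampered_chain_intact"] = ledger.verify()
    return result
```

Anyone able to verify such a proof holds the same openings and could therefore also produce one, as with any keyed MAC; that is the point at which a real design would need a public-key construction rather than this sketch.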


Saturday, 7 March 2015

Artificial Intelligence, Computer Misuse and Human Welfare

The big question of 2015 is how humans can reap the benefit of artificial intelligence without being wiped out. Believers in 'The Singularity' reckon machines will develop their own superintelligence and eventually out-compete humans to the point of extinction. Needless to say, we humans aren't taking this lying down, and the Society for Computers and Law is doing its bit by hosting a conference in June on the challenges and opportunities that artificial intelligence presents. However, it's also timely that the Serious Crime Act 2015 has just introduced an offence under the UK's Computer Misuse Act for unauthorised acts causing or creating the risk of serious damage to "human welfare", not to mention the environment and the economy. Specifically, section 3ZA now provides that: 
(1) A person is guilty of an offence if—
(a) the person does any unauthorised act in relation to a computer;
(b) at the time of doing the act the person knows that it is unauthorised;
(c) the act causes, or creates a significant risk of, serious damage of a material kind; and
(d) the person intends by doing the act to cause serious damage of a material kind or is reckless as to whether such damage is caused.

(2) Damage is of a “material kind” for the purposes of this section if it is—
(a) damage to human welfare in any country;
(b) damage to the environment in any country;
(c) damage to the economy of any country; or
(d) damage to the national security of any country.

(3) For the purposes of subsection (2)(a) an act causes damage to human welfare only if it causes—
(a) loss to human life;
(b) human illness or injury;
(c) disruption of a supply of money, food, water, energy or fuel;
(d) disruption of a system of communication;
(e) disruption of facilities for transport; or
(f) disruption of services relating to health.
I wonder how this has gone down in Silicon Valley...


Thursday, 2 February 2012

Travelling With The ID Pioneers

Seeking a New State of Identity
If the penultimate CSFI roundtable on Identity in Financial Services was anything to go by, the final one should be a proper knock-down, drag-out affair worthy of past pioneering epics ;-) In fact, the Innholders should replace its sign for the day, to read:

The issue that sparked the most heat (again) was whether banks might somehow be suited to be the guardians of the so-called 'hard' element of our identities - the proof currently required to move our money, access our government records and so on - rather than the 'soft' credentials necessary to access, say, your social media accounts.

Spotted the flaws already? 

We shouldn't bother picking on the banks anymore (though it is fun). I mean, I seriously doubt they want to be cast in this role at all. And as Richard Martin pointed out, the banks are each wedded to different identity solutions, chosen for fairly mundane IT procurement reasons rather than any attempt to use ID services as a source of competitive advantage (banks compete?!) in offering secure access to your money and their services. At any rate, to the extent that any banks are availing themselves of the latest e-ID tools to more efficiently KYC their customers, they are merely using the credit reference agency databases. So if one were to look only at the development of 'hard' identity services, one should cut through the banking platforms to the credit reference agency roadmaps and how they plan to enable access to those services in ways that are much more useful and empowering for consumers.

And while the Money Laundering Regulations do erect a reasonably heavy barricade to the usability of financial services, it's unduly trusting to pretend they amount to best practice in establishing a person's identity. Real danger lurks in this idea that social media identity is somehow 'soft'. The premise for this seemed to be that Facebook, Google, Amazon, eBay and so on don't offer any services that attract the need for 'bank-standard' ID checks and personal data protection, and couldn't operate to such high standards. Yet, many of them already operate financial institutions. And I suggest that there is more real value to the use of your identity to personalise products and pricing than in simply accessing your bank records. Even the Eurocrats are onto this. It's ironic that the person who was most pressing in his demand to know 'who owns my identity data' in a social network setting also admitted to entering a joke date of birth in a leading social media service. I guess he'd also be the first to complain if that service provider and those in its network were to hold the 'lie' against him...

But, of course, identity verification is developing in ways that mean your joke date of birth in one or more databases - and even your passport, driving licence and energy bill - won't necessarily matter amidst a far wider set of identity factors. As I've explained after the previous roundtable on this topic, what makes us unique is our collection of behaviours and the data they generate. So I'll end this post in a similar way to the last.

There are two key identity problems to be solved. As consumers, we need to be able to simply, conveniently and efficiently prove our identities in the course of any day-to-day activities.  And as a community, we need the source of that proof to be less vulnerable to being hacked or guessed, and to contain its cost.

Given those key problems, the solution cannot possibly comprise a single, static set of data that is 'held' by some institution. Rather, the solution has to involve the capability to generate a unique and momentary proof of identity by reference to a broad array of data generated by a user's own activity,  which is then immediately useless and can be safely discarded.


Wednesday, 28 September 2011

Identity Is Dynamic, Not Static. Proof: Momentary.

On Tuesday we had a very revealing discussion on whether "banks and/or mobile operators should provide the identity infrastructure" at the CSFI's Sixth roundtable in the series on Identity and Financial Services.

Of course we began by discussing what identity actually is - not something that can be isolated or assumed, as was also apparent from the Fifth roundtable.

In this discussion, it was very clear that a bank or telco views identity as a static collection of data about an individual that can be stored or held, with varying degrees of subject access and control. In this entrenched view of the world, institutions - like banks and telcos - can compete for the privilege of 'holding' your identity and enabling you to prove who you are. In essence, those institutions are in control of your identity.

So what's stopping them providing an all-purpose identity infrastructure today?

The fact that identity is not a static concept. It's dynamic, contextual, and defined more by your various sets of activities or behaviours - "routes and routines", as Tony Fish put it - than by a picture, address and date of birth. That collection of behaviours and the data they generate are what makes us unique. Further, Dean Bubley made the point that we over-estimate the degree to which telcos (and banks) actually 'know' their customers in the sense of understanding their customers' end-to-end activities. And we over-estimate these institutions' technological ability to enable their customers to prove their identity at all, let alone conveniently in scenarios of their choosing.

A Finnish delegate also made the point that Finnish banks offer identity services, based on a government database, but make very little money out of them. Which suggests the services are not very useful or compelling.

In any event, static data repositories are vulnerable to attack; and the services that rely on them are apt to be 'gamed' by simply replicating the data held - as in the case of skimming card data or fabricating identity documents to gain control of a bank account. The fact that the individual consumer is ultimately compensated and therefore not 'harmed' in a direct financial sense is beside the point. We all pay for such inefficiencies in the form of higher interest rates, fees and retail prices.

So there are two key problems to be solved. As consumers, we need to be able to simply, conveniently and efficiently prove our identities in the course of any day-to-day activities.  And as a community, we need the source of that proof to be less vulnerable to being hacked or guessed, and to contain its cost.

Given those key problems, the solution cannot possibly comprise an "identity infrastructure" or 'service' that relies on a single, static set of data that is 'held' by some institution. Rather, the solution has to involve the capability to generate a unique and momentary proof of identity by reference to a broad array of data generated by our own activity, on the fly, which is then useless and can be safely discarded.


Image from Young Lee.

Tuesday, 10 May 2011

What Is Identity, Anyway?

It was a pleasure to join a CSFI round-table discussion on identity today. It was the latest in a series of discussions to elucidate the problems with the current approach to identifying customers (and providers) in the financial services context. Subsequent discussions will focus on potential improvements and alternative solutions.

It was a broad-ranging discussion, as you'd expect, and tough to do justice to everyone's remarks, but worth a quick summary. Dr Ian Brown of the Oxford Internet Institute set the context in terms of the various meanings of 'identity' and how other disciplines view it. However, he doesn't believe it's helpful to think in terms of 'identity' itself, as opposed to 'reputation', for example. And it's not actually necessary in many cases for someone to be identified (e.g. a tube journey). People's attitudes to privacy vary with context: students have been shown to disclose more in their responses to an informal student survey than to official university research questionnaires. Ian also explained how the technological landscape is evolving - and ought to be encouraged to evolve - including the work of David Chaum and others on how to ensure 'unconditional anonymity' or that transactions you undertake are not shown as related. He suggested that approach could be promoted via initiatives like Project Stork (a project to enable interoperability of EU member state ID cards).

Marc Dautlich of Olswang pointed out that "identity" itself is not legally prescribed, but explained the relevant provisions of the Data Protection Act and the offences created by the Identity Documents Act 2010 relating to the possession of false documentation with improper intent. However, he believes the law does not adequately address the fact that the consequences of misuse of identity or personal data vary greatly according to the context. His sense is that it would be more helpful in the future to regulate for appropriate outcomes rather than regulate identity or personal data itself.

My role was to say something about alternative legal approaches to identity.

From the outset, given the pan-European approach to regulating data protection and money laundering, it's important to consider the difference between common law and civil law attitudes to regulation. In common law jurisdictions the law tends to follow commerce, whereas in civil law jurisdictions there's an expectation that the law should stipulate what can and cannot be done. That means UK players can't sit back and leave market forces to reveal any need for new regulations to support a shift to a new identity model. The EC will be under pressure to regulate how the new paradigm should work, and to influence such regulation we would need to participate in the EU 'social dialogue'.

At any rate, 'identity' is not a constant, but flexible in terms of the data used to distinguish the subject from everyone else, the sources of that data, who controls it and the source of any requirement to identify the subject. Identity is contextual, as Ian mentioned. Some personal data we volunteer happily in a social media situation (or on reality TV), but less so in a formal or institutional situation. Often we have no control over the process. Money laundering regulation, for instance, casts an obligation on product providers to identify their customers by reference to official data.

An organisation's attitude to identity data also tends to be governed by whether the organisation is a 'facilitator' (which exists to solve its customers' problems) or an 'institution' (which primarily exists to solve its own problems). Facilitators try much harder than institutions to ensure that their collection and use of personal data, and treatment of identity, is transparent and proportionate to the customer activity being facilitated, and that 'friction' in the customer experience is kept to a minimum.

However, some institutional identity requirements may be disproportionate partly because the government views the institutions concerned as useful 'choke points' for imposing requirements for public policy purposes, like anti-terrorism or serious crime prevention.

In future, I suggested that we determine identity requirements from the consumer/customer standpoint, and ensure they are facilitative and proportionate (rather than simply a hurdle to be cleared). That may also mean solving public policy identification requirements in different ways. The semantic web represents an ideal opportunity to minimise identity issues. For instance, I've long been a proponent of the idea that you should have an applet on your computer that holds your personal profile and can interrogate product providers' semantic data feeds to find, say, an insurance product that's right for you without requiring you to disclose your personal data.

I look forward to seeing the output of this round table process in due course.

Image from Brainstorm Services.