ABSTRACT
What challenges will this present to credit bureaus in embracing the new normal, or will they be further disintermediated from the consumer?
This paper will redefine the traditional relationship between credit bureaus and consumers by offering a disruptive solution to digital identity management through a self-sovereign identity solution based on blockchain. We propose a solution that will place the control of digital identity and consent to the use of personally identifiable information (PII) in the hands of the individual consumer for the first time. The follow-up article will further expand on this concept of the consumer consent hub.
INDIVIDUAL'S RIGHTS TO CONTROL AND CONSENT
Several laws are changing the landscape of digital identity and the protection of personally identifiable information (PII), including the General Data Protection Regulation (GDPR) in the EU, Data Processing Agreement (DPA) in the UK, the California Consumer Privacy Act (CCPA), and the Brazilian General Data Protection Law (LGPD).
The rights of the individual are core to all these new regulations, which all have similar base principles:
The individual’s right to control their identity and PII
The right to explicitly consent to the collection, storage, and use of PII for a specified purpose and duration
The right to be forgotten
The right to data portability, where it must be transmitted on request to the individual or authorized third-party in an appropriate format
The right to know how data is collected, how long it is stored, and for what purpose it is used
Current digital identity models do not make it easy for the individual to control their identity and related PII, or to effectively grant, withhold, or revoke consent to its storage or use.
MODELS OF DIGITAL IDENTITY
Today, most commentators will describe three digital identity models: silo, federated, and self-sovereign. However, we believe this list should also include the derived identity model (see Figure 1).
DERIVED IDENTITY MODEL
A credit bureau would be a classic example of this model, where the relationship between an individual and a credit bureau is distant at its inception. The individual does not initiate the relationship, and the credit bureau asks for no authority from the individual to create a credit identity.
The credit identity is derived from data obtained through various channels and from organizations that may have directly issued the individual an identity (account). These include organizations such as banks, insurers, and telecom companies, or organizations that hold official systems of record such as land registries, electoral data, and national identity.
However, the latter will variously key this data on name or address. The credit bureau will then use a weight-of-evidence-based algorithm to match the name and address and attribute the data to an individual’s credit identity. The accuracy of the matching algorithm depends on the accuracy of the source data. Each credit bureau will develop its own in-house matching algorithm, with differing results and accuracy.
The credit bureau has the opportunity to ratify and verify the credit identity of an actual individual only when that individual contacts the credit bureau. Good examples are exercising the right to query a score, correct a data error, and open a direct account with a credit bureau consumer product. An indirect relationship with consumers makes it challenging to ensure appropriate control and consent over identity and PII.
Intermediary organizations such as Credit Karma have taken the opportunity to develop a direct, silo-based relationship with the consumer concerning their credit identity by offering consumers tools and services to better understand and manage their credit scores. These services are provided free to the consumer, along with curated financial products that best fit the consumer’s credit score. The derived identity model has proved to be very successful and has disintermediated the credit bureau from consumers.
SILO IDENTITY MODEL
Typical examples are bank accounts, mortgage accounts, passports, driver’s licenses, and Amazon accounts. These various identities offer a one-to-one relationship between the individual and the issuer. In this case, the individual has no control, and the identities are rarely immutable or persistent.
At the point of creation, this model will require the individual to share some level of PII to establish and verify their identity. The relationship to be created drives the amount of PII required. For instance, the PII needed to create a bank account will be greater than that required to create a social media account. This model drives the extensive proliferation of PII across many organizations. To exercise control and consent, the consumer must do so with each issuing organization.
FEDERATED IDENTITY MODEL
A third-party organization will play the part of the identity issuer, and consumers can then use that identity to access products and services from many other organizations. The most well-known of these federated identities are Facebook, Google, and Apple.
This model requires fewer identities for an individual to manage and less PII to be shared with and stored by fewer organizations. These identities are still not controlled by the individual and are no more immutable or persistent.
SELF SOVEREIGN IDENTITY MODEL
The underlying technology combines the concepts of decentralized identity, blockchain, and verifiable credentials.
The individual will create a unique identity and add the associated PII as verified credentials. They can then choose to grant, withhold, or revoke consent to any organization they enter a relationship with. This identity, by nature, is in the control of the individual and is unique, immutable, persistent, and secure. It is unnecessary for an organization to store the underlying PII; it needs only the associated verified credential. For example, only the verified token attesting to the verified passport needs to be shared, not the passport number.
Self-sovereign identity is the only digital identity model that comes close, in spirit and letter, to the emerging privacy regulations. The enabling technology is in place, and the underlying standards are rapidly developing.
THE CONSUMER CONSENT HUB
Similarly, the idea of a consumer consent hub gives the individual control over the explicit consent to use that identity and credentials. Since the emergence of legislation regulating the need for consumer consent for storing and using PII, organizations have approached the problem by creating solutions that directly seek and manage that consumer consent for their own purposes. The consumer consent hub will flip this relationship and put the management in the hands of the consumer. Any organization requiring approval will request the data needed for a particular purpose and a defined period via the hub. The consumer will directly give or withhold consent accordingly. The requesting organization can check that the consent remains valid at any future point.
This disruptive shift has already started in some markets where open banking regulations layer over new data privacy legislation. Regions like the EU, UK, and Australia are driving the need for explicit consent for the use of consumer data and the ongoing maintenance of that consent.
OPPORTUNITY FOR DISRUPTIVE CHANGE
Recent history has shown that if the industry does not face this new standard in digital identity, there will be organizations only too willing to step in and further disintermediate it from the consumer.
If they do not embrace the opportunity, it will be difficult for the traditional credit bureaus to survive the paradigm shift, to play a central role in the industry’s growth toward self-sovereign identity and personal consumer data ecosystems. Suppose they do not have access to large amounts of consumer data and the opportunity to monetize that data. In that case, the bureaus will be little more than analytical credit scoring models.
A key to accelerating their move towards broad adoption of digital identity, and thereby resilience by design, is the adoption of emerging technologies and advanced data security standards.
The consumer consent hub will be explored in more detail in the following paper in this series.
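The request, decision and later validity check described for the consumer consent hub, as an added example that is not part of the original paper: a deny-by-default check bound to organization, data fields, purpose and period. The ConsentHub class, its method names and the sample organization are hypothetical, and authentication of the consumer and the requesting organization is assumed to happen elsewhere.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class Consent:
    org: str
    fields: frozenset         # PII attributes the request covers
    purpose: str
    expires_at: datetime      # end of the defined period
    status: str = "pending"   # pending | granted | withheld | revoked

class ConsentHub:
    """Hypothetical single-consumer hub; caller authentication is out of scope."""
    def __init__(self):
        self._records = {}

    def request(self, org, fields, purpose, now, days):
        rid = len(self._records) + 1
        self._records[rid] = Consent(org, frozenset(fields), purpose,
                                     now + timedelta(days=days))
        return rid

    def decide(self, rid, grant):          # called by the consumer
        rec = self._records[rid]
        if rec.status != "pending":
            raise ValueError("request already decided")
        rec.status = "granted" if grant else "withheld"

    def revoke(self, rid):                 # called by the consumer
        if self._records[rid].status == "granted":
            self._records[rid].status = "revoked"

    def is_valid(self, rid, org, fields, purpose, now):
        # Deny by default: every binding of the original request must still hold.
        rec = self._records.get(rid)
        return (rec is not None and rec.status == "granted"
                and rec.org == org and rec.purpose == purpose
                and set(fields) <= rec.fields and now < rec.expires_at)

def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed sample date
    day = timedelta(days=1)
    hub = ConsentHub()
    rid = hub.request("ExampleBank", {"name", "address"}, "loan-application", t0, days=30)
    hub.decide(rid, grant=True)
    check = lambda f, p, when: hub.is_valid(rid, "ExampleBank", f, p, when)
    out = {"in_scope": check({"name"}, "loan-application", t0 + day),
           "other_purpose": check({"name"}, "marketing", t0 + day),
           "extra_field": check({"name", "income"}, "loan-application", t0 + day),
           "expired": check({"name"}, "loan-application", t0 + 31 * day)}
    hub.revoke(rid)
    out["after_revoke"] = check({"name"}, "loan-application", t0 + 2 * day)
    return out
```

Calling `demo()` shows that a granted consent is honoured only for the same organization, purpose, subset of fields and period, and stops being valid as soon as the consumer revokes it.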