By Marius Coetzee, managing director of Ideco
The recent high-profile identity data breaches in South Africa are symptomatic of the overall chaos the identity ecosystem currently finds itself in. Lacking a cohesive strategy, an interlinked architecture and a comprehensive regulatory framework, most organisations have been building their own identity verification databases in isolated pockets, using a variety of data sources, standards and protocols.
But in a rapidly digitising world, the identity environment has to take urgent steps to consolidate, regulate and order the ecosystem, before trust is seriously compromised and irreparable damage is caused.
The identity verification environment is developing along much the same lines as banking developed over the years: moving from a handshake to a paper-based token, to a smart card and now to an Identity 4.0-type model, pioneered in South Africa by identity solutions leader Ideco, where a digital token will serve as trusted identity assurance. But the banking sector is far advanced in managing its trusted financial transactions. With the input of self-regulatory bodies, a stringent regulatory framework in place, and a cohesive integrated ecosystem, digital banking systems are a trusted and effective means of connecting the issuer, acquirer and account owner to authorise a secure transaction in real time, anywhere in the world, and with a clear audit trail.
In the broader identity management ecosystem, however, disparate systems still operate in siloes, with legislation and regulations drafted in a reactive manner, and no collective, smart method of facilitating responsible identity information within a trusted ecosystem that allows customer identities to be verified on a global basis without risk to the owner of the identity.
Amid rising customer expectations for secure, seamless, omni-channel engagement, businesses have been compelled to develop their own identity management systems to remain compliant, deliver on customer expectations and mitigate fraud, cyber threats and reputational risk. Identity solutions today are typically driven by vendors and manipulated by available technology. What seems to be an asset has possibly become organisations’ the largest governance, risk and compliance challenge today.
Several factors stand in the way of a cohesive identity verification ecosystem, including legacy frameworks, regulatory requirements and the current thinking that the State owns identities. Changing times and spiralling cyber crime mean action must be taken fast and traditionally, government organisations adapt slowly to change.
While the Department of Home Affairs is the custodian of identity for citizens, for transactional purposes we will likely see the emergence of a small number of trusted, bank-like organisations serving as identity clearing bureaus, although these organisations will have to generate sufficient revenue to be sustainable.
There is also a move in the world for self-sovereign identities, in which consumers will take responsibility for their own identities. However, a trusted authority will still be needed to underwrite that identity.
By following the example set by banks, the identity verification industry should enable the consumer to entrust a custodial organisation with their identity, while retaining ownership over that identity. A cohesive ecosystem must then be enabled to facilitate transactions with an approved acquirer, validated by the issuer but under the control of the identity owner.
To set the foundations of this system in place, urgent steps must be taken to assess how the financial industry is regulated, using the banking environment as a benchmark. Ideco is taking the lead in developing world-first solutions to support the development of this next-generation identity ecosystem, including advanced new identity switching mechanisms and real-time digital identity authentication solutions. In addition, stakeholder will need to move towards consolidated standards and a sound regulatory framework must be established in collaboration with lobbying and self-regulating industry bodies, to establish a trusted identity framework for the future.