What does self-sovereign identity mean for Finance? We asked the experts.

Last week, we were joined by over 250 registrants and three expert panelists for a webinar discussing what self-sovereign identity means for banks, credit unions, FinTechs, and other financial service businesses—and how organizations can prepare for this shift.

The event was moderated by our own Andy Tobin, a veteran of Europe’s mobile banking industry, and featured a cross-sector panel of three self-sovereign identity (SSI) champions:

During the webinar, Andy gave a brief introduction to SSI, Jo spoke to his experience with Open Banking and the regulation surrounding digital identity initiatives, Julie shared how SSI is transforming the customer experience for credit unions, and Mike discussed ATB’s exploration into distributed ledger technology and how he established the world’s first cross-sector SSI ecosystem in the heart of Alberta.

This is one webinar we highly, highly recommend watching:


Or read the transcript below:

Andy Tobin:

Jo, could you please start us off by introducing yourself and touching on what self-sovereign identity means for you?

Jo Spencer: (10:06)

Thanks and hello everyone. I’m Jo Spencer. I’ve spent 28 years in payment systems and building banking software around the world, both for countries and banks themselves.

Andy and John Phillips, a good friend of mine and a great advocate for self-sovereign identity in Australia, came to see me two years ago. I worked with them both previously, and they introduced me to SSI and what it could really be used for. At the time I was thinking about open banking, real-time payments, and customer authentication. It seemed to be the perfect, multi-faceted capability that we needed. 

So I decided to join John Phillips at 460degrees, which is an expert management agency in Australia, and we got back to consulting and software-building. We joined up with the Evernym Early Access program about six months ago and built a multi-faceted demonstration that we can use for introducing people to the beauty of SSI. It’s been very successful and seen a lot of interest, predominantly in the area of academic credentials, and we’re also looking to extend it to things like smart cities.

Andy Tobin: (11:54)

Cool! Thank you very much, Jo. Julie, over to you, please.

Julie Esser: (12:03)

Sure! Good morning or afternoon, wherever you might be. My name is Julie Esser, Chief Experience Officer for CULedger.

CULedger started in 2016 as a research action project. At that time, if you recall, there was a lot of attention around bitcoin, cryptocurrencies, and distributed ledger technology. A group of credit unions got together and formed the Credit Union National Association (CUNA) to talk about this technology and the implications it could have on the industry. From there, we were charged with building a first use case, realizing that there are a lot of benefits that distributed ledger technology can bring to credit unions in their operations. They want to see how it can be applied. And so what we did was we incorporated the use of decentralized identity in the call center environment, realizing that there had been an increase of fraud and that is a channel that has a lot of friction in it.

When you’re on a phone call, you can’t see one another to verify people very easily. So you end up going through a series of knowledge-based questions. And unfortunately, a lot of the answers are available online today, so account takeovers and identity theft are some of the real implications for members as a result, that could potentially happen through the call center channel. So CULedger became a credit union service organization, or as we call them in the industry, a CUSO. So they’re primarily owned by credit unions, or at least ours is.

We have 40 credit unions and other credit union related organizations that are investors in CULedger. Our existence is to preserve and enrich the trust and relevancy between credit unions and their members for conducting financial transactions in a digital ecosystem. Credit unions, since the early 1900s, have had a very high satisfaction rate and a very strong trust relationship between credit unions and their membership just based on how they’re established as financial cooperatives. We want to make sure that that trust remains and that they can continue to stay relevant in this digital age.

Andy Tobin: (14:39)

Julie, thanks very much indeed. We’ll hear more about your use case shortly, I think, as well. Last but not least, Mike Brown.

Mike Brown: (14:52)

Great. Thanks Andy. And thanks everybody for joining in. I’m Mike Brown, Director of Product Innovation with ATB Financial.

ATB Financial is a regional bank in western Canada. I’ve been on the innovation team here for about three years and, similar to the story with CULedger, my entry into this area has been around blockchain and distributed ledger technologies and looking to see how best ATB could get involved and leverage those technologies.

ATB was one of the first banks to test out the Ripple network about three and a half years ago, sending funds over to Germany at that time. About two and a half years ago, I started exploring the area of digital identity and how we could leverage blockchain to enable that. So, that’s where the journey began. During that time, we’ve been involved now for just over two years, exploring and experimenting. We’ve run several experiments in this area. Going back as early as summer of 2017, doing experiments with Telus, a Canadian telco, and last year doing work with IBM and Workday, and now moving forward and actually looking to deploy SSI. Looking forward to chatting more with everybody!

Andy Tobin: (16:09)

Well thanks very much, and it’s true that both ATB and CULedger are stewards of the Sovrin Network, and I’m sure I had a question or two about that coming up as well.

Let’s come on to some of the prepared questions we’ve got. First off, we’re coming to you Julie, because CULedger just crossed a major milestone by issuing your first production credentials. Could you just tell us a bit about what it is they’re being used for? What’s the use case specifically? You spoke a bit about call center authentication. Can you expand on that? What does this credential do, and what is it that you’re sharing?

Julie Esser: (17:01)

Sure! As we’re building out our network of digital exchanges that allows one-to-one interactions for all financial cooperatives, not just credit unions in the U.S., but also globally, we’re starting with decentralized identity because every interaction that a credit union has with its members starts with identifying who they are. That’s regardless of channel. You’re looking at branches, you’re looking at contact centers, you’re looking at mobile and internet banking platforms. ATM is another example. So that’s pivotal.

We introduced a product called MyCUID, which will provide the most safe and secure and private way for credit unions to engage them with their members. It’ll be KYC-compliant. There’ll be all the benefits that self-sovereign identity has to offer; but in our use cases, we are looking at several different things. Call center, as I mentioned earlier, is one credit unions are starting with.

So, you mentioned, Andy, that we issued our first production credentials. We did that with UNIFY, a financial credit union in California, recently and they’re using decentralized identity on MyCUID in a call center environment for high-risk transactions. Right now the call time to authenticate a member on average was about 40 seconds, and it can be even longer than that with high-risk types of transactions. It’s all depending upon how the credit ended up high-risk. It could be they require another level of authentication based on the type of transaction, or if the representative suspects that there could be some level of fraud that would be considered high-risk. So that could be, just for the authentication piece, close to 80 seconds. And what we’ve been able to demonstrate through our pilots and our use cases is that we can bring that call center time down to less than 10 seconds.

“We’ve been able to demonstrate through our pilots that we can bring the call center authentication time from 40-80 seconds to under 10 seconds. If you’re dealing with thousands of calls a month, this really starts to add up.”

The authentication piece has extreme value for credit unions, not only from a member experience standpoint, because they’re not faced with all those knowledge-base credit questions that I mentioned before, but also from the standpoint of their operations. And so with that reduction in authentication, obviously the overall call times will be reduced. And we’re running some ROI models that show that for a credit union that has about 40,000 calls a month, that could mean five FTEs that could be redeployed some other way inside the credit unions. 

And then, of course, there are also fraud benefits that exist. We estimate through account takeovers of the synthetic ids, you know, this could be well into the hundreds of thousands of dollars that credit unions can save. The payback for just this channel alone, for MyCUID can be made in less than a year but we’re seeing credit unions really expanding MyCUID across the entire enterprise, not just in the contact center. So just think about those numbers as a baseline and they can multiply from there.

Andy Tobin: (20:13)

Yeah. It washes its face, as we say in England. What’s the user experience like?

Julie Esser: (20:28)

So we are integrating with the credit unions’ core banking systems. That’s a critical component, and it really all depends on the technology environment that the credit union has. Many of them outsource their technologies because we’re an industry where the average individual credit unions tend to be really, really small, and so we’re relying upon third-party providers. But there are some larger credit unions that might have their own systems. And so that’s one component. 

From the member experience standpoint, the member service representatives will have these indicators on their screen when a member calls in that could indicate whether or not they have enrolled in MyCUID. And once that’s done, then they just click a button on their screen and it sends the text message. It’s a push communication sent out to the member to ask them to either download the app or maybe the credit union had already communicated that, handled the security practices in place, and encouraged them to download the application on their phones and so once that application is done, it’s a very short enrollment period.

After this enrollment is done, they can just get the authentication requests from the member service representative, acknowledge that it is them and they are who they say they are and not somebody else, and it’s a matter of clicking a button and they’re authenticated, so the experience is really fast, it’s easy to use and it’s simple. We’re also testing ways that MyCUID can be incorporated into credit unions in six existing mobile applications as well so we’re trying to make that process even simpler for the credit union member.

Andy Tobin: (22:13)

That’s really cool to me. I think we’ll come back to this when we come onto open banking and strong customer authentication actually because you’ve kind of just described some of those criteria.

Julie Esser: (22:23)

Yeah. We have a number of other use cases that I’m happy to share.

Andy Tobin: (22:28)

No, let’s go to Mike and then come back to that because I think the way that once you have one of these digitally verifiable credentials from a credit union, the way you connect their use is going to be fascinating. So Mike, let’s just come over to you on this next one. Earlier this year, you were pivotal in the launch of the Alberta Credential Exchange, which is the first cross-sector SSI ecosystem up in Canada. Can you tell us a bit more about the Alberta Credential Exchange, what you see, and why it’s being created?

Mike Brown: (23:05)

Sure. Thanks, Andy. Yeah, as I mentioned earlier, we’ve been on this journey looking at self-sovereign identity for over two years and for the first while it was all about the tech – try to understand the tech and how it worked in our first project – it was even all command line-based. There were no user interfaces at that time and we were really working on understanding how the ledger was working and how credentials were structured and how it worked. As we got more and more comfortable with the technology, the next two big question marks for us were consumers and ecosystem and how to advance those two things. 

Knowing that we were comfortable with the tech and the trajectory that the tech was evolving in, we next decided to embrace the ecosystem. That was about a year ago now. We went about internally identifying who typical consumers would interact with. So postsecondary is utility companies, telcos, municipal governments, provincial governments, banks, obviously. We came at it from an approach of a typical consumer using trusted, digital credentials on a regular basis and driving adoption from that perspective. 

We wanted to be leading and pushing this but we wanted to be a participant in a typical consumer’s digital identity life. So we identified those organizations. We met face-to-face with a number of them. We ran a couple of workshops in December of last year where we had about a dozen organizations participate and that was really intended to get them immersed and understanding how SSI worked, and specifics around Sovrin. 

And then earlier this year, as you mentioned, we launched the Alberta Credentials Ecosystem (ACE). So ACE and what that was meant to do is bring together these organizations in a more formal way. And what we do within ACE is we identify different consumer use cases and then we pair up organizations so we have one organization who is an issuer for a particular use case and then one organization who’s a verifier or a recipient of that credential. All designed around, again, an average or typical consumer. That’s how we’ve structured it. 

Now we’ve got about eight or ten organizations involved in ACE currently and looking to continue expanding it. But really it’s about demonstrating those use cases and it’s early on for some of these organizations; they’ve not been actively involved in the self-sovereign identity community. So it’s a learning curve for them, getting involved and understanding how things work. In some cases we’re starting off with quite simple use cases.

So we’re not trying to boil the ocean, but we want to start simple in some cases. We have one use case right now that’s around address change. So a telco is issuing an address change credential and then we’re consuming that and automating the updating of our systems based on an address credential. In other cases, some are more involved in more complex like account opening based on digital ID credential, in which case we’ll be having to tackle things like regulatory and such. So we can touch them mid-March. But that’s really why we created ACE, because we want a strong and flourishing ecosystem around us that we can be a part of.

Andy Tobin: (26:44)

Yeah, you get real network effects when you have an ecosystem, don’t you? And what’s impressive is that you’ve got government bodies in there. You’ve got universities, telcos, banks like yourself, and health care providers as well. It’s fantastic. So anyone who’s up around Alberta, speak to Mike if you want to join the Alberta Credential Ecosystem. We’ve got a question, actually two questions. We might as well handle these before we come over to Jo. What are the regulatory requirements within the Canadian market that are seen as the biggest obstacles to further adoption?

Mike Brown: (27:25)

That’s a great question. I think for me, that question comes up around blockchain, generally around regulatory impacts, but specifically around SSI and in a lot of cases there can be no regulatory impact with something like an address change credential. This is a use case that makes a consumer’s life easier when they go through that change. Other situations like account opening, obviously there are regulatory requirements and so within Canada we have the banks comply with FINTRAC, but recently there were modifications made to some federal language in particular that referred previously to an original and a copy or a scan has now been changed to a verified document. So it’s critical; now you don’t have to have a battle about how a verified credential is an original document. It is just a verified document.

Andy Tobin: (28:40)

Thanks to this, a bunch of questions coming in for your mind. I’ll do one more and then we’ll go on to Jo because we’ve had quite a few questions about a business model, actually. So, John’s approach to ACE could be extended internationally and this is one of the beauties – we really need to have an open standards-based approach, don’t we? A credential issued by ATB could be consumed by ANZ Bank in Australia, right?

Mike Brown: (29:07)

Yeah. The way we’ve structured it, there’s nothing proprietary or unique around ACE and what we’re doing. And you know, that’s the beauty of Sovrin and why we’ve taken this approach is that it’s a global utility approach. The reason we’re focusing on Alberta and ACE in particular is because, first off, we’re Alberta-based, but also I think from a driving adoption perspective, we can, by focusing on a region like Alberta, get about four, four-and-a-half million people; we can drive a very high percentage of adoption quicker here and absolutely every credential that gets issued here could be consumed somewhere else if others start going down this path as well.

“By focusing on a region like Alberta, we can drive a very high percentage of adoption quicker here, but every credential that gets issued here [in Alberta] could be consumed somewhere else if others start going down this path as well.”

Andy Tobin: (29:42)

Yeah, pretty cool! I think that’s a nice thing to watch actually is the sort of initial catalyst for seeing how these ecosystems work. And we were actively involved trying to set some other ecosystems up in other countries based on the same model. So let’s come over to Jo now. How do you think SSI-based solutions will evolve and offer capabilities for open banking and KYC that hadn’t been considered yet? Or, would you sort of help the user experience or the functionality laid down in those requirements?

Jo Spencer: (30:44)

Yeah, thanks. I think clear, open banking, as identified in the UK, was the first time that embedded sharing of information from a bank to a third-party was required for a customer to be able to use those services. PSD2 was about payment service. It was a directive from Europe which allowed the initiation of payments by third parties on behalf of customers. So, it’s about opening up the ecosystem for customers to get better competition from banks and better services, more innovation for Australia and the challenge we have in Australia is that open banking is predominantly concentrated on the sharing of information. 

Now, that’s fine, and some of the models that we’re using in Australia are going to be very similar to what we are doing in the U.K. and we’re still learning about the implications of open banking in the U.K. and it’s not been a massive success. Some of the customer experiences and the adoption has not been as good as it could have been. But it’s a slow burn. It’ll happen. 

What we’re finding in Australia is that the customer experience is important to have a consistent and common customer experience across the banks. That’s important so that customers actually get used to operating in an open banking environment and don’t worry about it. Obviously, the point is we need to have good interoperability. The API definitions are there to define that but in effect, what’s important is that we need to be able to ensure that we get a good authentication and like Julie and Mike will talk about, authentication and anything which provides the friction reduction in authentication is absolutely critical, and self-sovereign identity can do exactly that.

The ability to actually identify data and only share the data that you need to, particularly for the scenario that you’re dealing with is really important. In an environment where you have central definition of APIs and so forth, that really constrains this sort of innovation piece and the ability to share schema and data as specific to a use case, a specific use case is really, really critical and necessary. Again, SSI gives you that flexibility to do that.

The other thing is only sharing what you absolutely need to and not using the wrong interactions and sharing credentials which are not specific to the interaction, so that’s where that can help. The important thing is to be able to see who you’re sharing your information with and for what reason. That’s where SSI provides a really good model because you actually create connections with the consumers of your data and see what data you shared with them, for what reason.

“Self-sovereign identity provides a really good model because you actually create connections with the consumers of your data and see what data you shared with them, for what reason.”

The challenge also is that the data can be obviously shared from the third-party provider. And then that’s obviously not a great thing. SSI provides the ability to actually see what information was shared between who and whether, in fact, it’s been changed ever since. So that’s again, certainty of information, the ability to make sure that that data can be controlled, and that you only share what you actually need to in that context is really, really critical and what SSI does is give exactly that.

Andy Tobin: (34:53)

Cool! Thank you, Jo. We’re going to get a lot of interest, actually from people looking at open banking and how one platform that is able to issue or verify credentials can be used for strong customer authentication or for onboarding or for payments. All sorts of things. 

So I had another question come in from an anonymous attendee actually, saying, “while you’re talking about solutions, I don’t really understand how it works. Can you pretend the audience has no real knowledge of these credential platforms?” Thanks very much for that. We’re trying to keep this high-level based on use cases and not on the technology per se, but we did do a webinar a lot like this one called “What is Self-Sovereign identity?” My colleague Alex is gonna drop a link to that Webinar in the chat for you. Thank you Alex. So have a look at that and that’ll describe how it all works.

Let’s come back to Julie. So Julie, you’ve got, in the banking world, what would be called a sort of honors use case, right? You’re the issuer and verifier of a credential as a credit union but there’s a much bigger potential here both from use cases within credit unions and externally. Can you just expand a bit on the vision there for it?

Julie Esser: (36:14)

Yeah, absolutely. I want to get back to the call center piece because I mentioned UNIFY Financial and their production credentials for high-risk transactions. We have another credit union, Desert Financial, that is a Sovrin steward that is also in that same space. Starting with call center risk before deploying in enterprise and for the credit unions that might be on this call, we also have some system integrations that have already taken place with two very popular, well-used core processing systems and that Symitar, which is a Jack Henry system and also Fiserv.

But getting back to other use cases, we have a number of pilots that are focused on two other types of applications. One of them is a mobile banking authentication. We have a credit union, Suncoast Credit Union, in California and Florida that has their own mobile banking platform that they’re integrating MyCUID into. They’ll allow their members to authenticate into that application very easily and very seamlessly.

We also have one going on with a voice banking platform. So today, when you have smart devices in your homes, and everybody has some now, the fear is to verbalize very sensitive information into these devices like passwords and pin numbers and any type of other type of authentication in order to conduct a transaction like paying a bill or transferring money. It’s a very friction-full type of process and very insecure, and so we’ve integrated MyCUID into a voice-speaking platform that was created by Best Innovation Group called FIVE, and it’s being piloted today with a credit union. We’re really excited about that!

Beyond those use cases, we’re looking at cross-border payments. We talked about the shared ecosystem of shared KYC. You know, credit unions are regulated the same way in that regard. By using MyCUID as a form of onboarding new memberships, there’s a revenue opportunity for credit unions in addition to all the cost savings they can realize through MyCUID, and tiered branching was a concept that was pioneered by credit unions in the 80s and won’t allow a credit union in let’s say, California to conduct business differently than at a separate credit union in another location, and so we’re breathing new life into that model and actually expanding the footprint of that model geographically because once credit unions are issuing these digital credentials, and this is a worldwide initiative, any credit union in the US can conduct transactions at a credit union across the globe and vice versa. So we’re really, really thinking about how we can make this world even smaller and in credit union space, specifically.

We talked about ATM transactions too, and that’s another channel that is used a lot by consumers to get cash. We rely on those a lot; I know I do, and so I’m using MyCUID as a way of authenticating without a card. You can just think about ordering up your cash like you do on your phone and say I need a hundred dollars and I’m going to go to this branch on Main Street and using MyCUID. You can authenticate that at the ATM and get your cash within seconds, so those are some of the things that we’re working on inside the credit union industry. You mentioned superpowers earlier and we talk a lot about cooperative superpowers and how working together as an industry can make this real and make this grow and make it relevant for our industry.

That’s where I feel that the credit union industry is so right for this type of technology. We’re also getting an interest among other verticals as well. Recognizing the higher regulatory process credit unions have to go to and for that matter, things like Know Your Customer…other verticals are looking at this as: “How can we work together? We don’t want to deal with that process. We can rely on trust the process the credit union industry does already with MyCUID. How can we apply that to our own processes as well?”

Andy Tobin: (41:02)

So the potential way is you could have millions of credit union members walking around with a digital credential they can use anywhere to prove a claim as long as who they are sharing it with trusts the credit union industry, which I’m guessing a lot of them would. They can use it to prove their name or to prove where they live or anything along those lines. Right! So this is one of the main differences, I think, with this new credential-based approach compared with very siloed identity schemes is the openness and interoperability of them. Once you have a credential, like a paper credential, you can take it and use it in any way you want to. Then your customers have this really useful thing that they can use in making their digital life safer.

Julie Esser: (41:51)

And there’s a philosophical component of this, too. We’ve heard a lot about financial inclusion and we’ve heard about unpaid consumers and why they don’t have a financial relationship is because they don’t have an identity. That also, I mean that gives me goosebumps thinking about the opportunity that credit unions can have in serving those underserved and underpaid markets as well, so it’s pretty exciting.

Andy Tobin: (42:18)

Yeah, that’s perfect. So let’s come back around to Mike actually, because one of the biggest areas of interest we see everyday in the financial sector is about how we can solve this onboarding problem? Can we get onboarding down from 30 minutes to 30 seconds? Can you give us some ATB’s perspective on that and how you see self-sovereign identity making compliance easier or cheaper or more efficient?

Mike Brown: (42:50)

Yeah, onboarding is definitely an important area. Both generally as well as with respect to digital identity. With respect to traditional onboarding, I think here at ATB a couple of years ago, it was about 45 minutes. If you walked into a branch, you would take about 45 minutes to open an account. Last year we rolled out an in-branch, but digital onboarding experience with a tablet-based program that our employees would use with customers when they walked into the branch and it separated out the SAP system that we run on from the actual interactions. So we’ve got that down to about five minutes for customer onboarding. Now, with digital credentials, we’re actually looking to get that down to sub one minute. So hopefully in the area of around 45 seconds is what we’re targeting, and all based on having a foundational digital identity credential in your wallet that we would connect with your wallet request that credential.

“If you walked into a branch, you would take about 45 minutes to open an account… we’ve got that down to about five minutes.”

Mike Brown: (44:01)

And because it’s really truly a foundational digital credential, we can trust it with a very high degree of certainty and in the short term, it’s focused on creating a fully digital and fast customer experience for onboarding. The longer-term gets around fraud reduction and looking to see if we can gain enough market adoption of digital credentials at some point that we can enforce using them. At which point we really remove a lot of the fraud that takes place to this day – people still walk into branches with fake ID and documents and they open up accounts and it happens; and unfortunately, it’s difficult to stop at a branch level. It can be minimized, for sure, but it still happens. 

Once we moved to a trusted digital credential, then we can actually look at eliminating that and all the data that we have about us on the dark web, whether it’s our passwords or our addresses or our social insurance number or social security number, mother’s maiden name, all that information becomes useless once we moved to a digital credential environment. So that’s what we’re aiming towards. And that’s why we’re passionate about driving this, and that’s why we need a broad ecosystem around us helping consumers to adopt it.

Andy Tobin: (45:39)

That’s fantastic. Judy talked about going from 80 seconds to 10 seconds for call center authentication. Here, it grew from about 45 minutes to 40 seconds. It’s all about that friction reduction, but with high security as well, which is the key here, isn’t it? Very cool. Thank you. Jo, let’s come back to you and there’s a load of questions flowing in, by the way, in the Q and A. So we’re going to get to those and I want to ask you this one, Jo, before we go to the Q and A here. With GDPR coming out of Europe, everyone’s worried about what the implications of that are going to be. It seems to have just become an endless clicking on accepting cookies actually. Is that what that is?

Jo Spencer: (46:23)

That is what it feels like. Andy, you’re absolutely right.

Andy Tobin: (46:28)

Australia’s going to go even further though, right? Sort of catalyzing people towards a different, southern solution?

Jo Spencer: (46:37)

We’re really not too sure about the implications of GDPR and what it means for the sharing of information and, more than anything else, actually understanding what we are holding in terms of customer information. The similar sort of situation we had was with PSD2, which was the security standard around the holding of card data and card numbers. We didn’t realize how endemic that information was around and used until someone told us not to hold it, so we had to actually sort of start stripping it out and so forth and that was a massive, massive effort. I think we’re going to have a sort of similar situation with GDPR when we start coming to sensitive information.

Andy Tobin: (47:40)

So many Q and A’s! Let’s just cover off this one from Lloyd. Hi, Lloyd. Thanks for joining in. What’s the best way of monetizing this concept as a wholesale bank outside cost reduction that may already exist? I think maybe we’ll throw this one over Mike’s way, because I know you’ve been looking at this as well, Mike. We can reduce cost, but people are interested in how can they make money, right?

Mike Brown: (48:14)

Here is this credential thing, a revenue stream for a bank, right? There are different models out there, for sure. We are starting with customer experience and cost reductions. For me, customer experience comes first because we can provide a stronger, better customer experience. Secondly, there are cost reductions that will come about from this but the way I look at the monetization and the revenue-generating opportunities around this is based on the consumer having a wallet and having many credentials in it. Their employment, their education, the status of their credit card, their banking information, and their government ID; all these things. Once a person has a very rich wallet, which is what we’re trying to create, then I think the new models will start to emerge. 

If I have this information and I can share it or prove it through a zero-knowledge proof, if I can prove it, then how do you monetize that and provide services around that? I think there are models around that that I think are quite interesting. But to get there, we have to start with building all the verifiable credentials into a consumer’s wallet. So that’s really our focus: customer experience first, you know, cost reduction, fraud reduction, and then once the wallet becomes more fulsome, then we can really start to drive up the opportunities for monetization.

Andy Tobin: (49:54)

Thanks Mike. I know from personal experience with all the people we speak to around the world, this question keeps coming up and there’s a bunch of stuff that shakes people who’ve got some amazing ideas about how business models, completely new business models could be created. It’s a bit like when the Internet came along, you know, who knew you could make money from showing videos of your cat; you know, incredible! Nobody, nobody would have guessed. Let’s actually come around to Julie. Any views from you on revenue, then I’ve got a follow-up question on this thing and what it looks like, because I know you’ve got two models. So, do you see this as a revenue opportunity or a customer experience thing?

Julie Esser: (50:38)

I think there is a revenue opportunity for credit unions in this space, especially on the verifiable claims aspect of it. For other verticals, other entities are looking at credit union credentials with regard to the KYC component of it; there’s value in that and organizations would have to build their own type of departments to handle that but they’re willing to pay for it. That’s the exciting thing. We certainly see that opportunity in the future for MyCUID.

Andy Tobin: (51:14)

Cool! Thank you. Mike’s been talking about wallets. You know, when we think of a wallet, we typically think of a physical wallet. You put your cards in it and your cards or credentials and your driving license as credentials. So the analogy is that with a digital wallet, now you’ve got two models, haven’t you? One is a purpose-made wallet just for digital credentials, like a standalone. And you have another model in which the credential capability can be used within an existing credit union app. Do you want to just talk about those quickly and the pros and cons of each?

Julie Esser: (51:50)

Yeah, there’s definitely pros and cons of each. For what credit unions want, the idea of an identity wallet makes a lot of sense. Just like you have a payment wallet today, having an identity wallet makes a lot of sense for storage, not only for your credit union credentials, because you could have several – you could have payment credentials, too, in there – but you could also have other types of credentials that are issued from government agencies or all of those things that we use paper credentials for today. Embedding it in the wallet makes a lot of sense to the credit unions that already have an established mobile banking application than a lot of different cases.

I’m using that as one experience and maybe it’s a hybrid of both. Makes a lot of sense, and to one of the questions that someone had asked about saving time with conventional mobile banking; well, you use your fingerprint today, but there’s also the username and password element that’s underneath it and that’s the benefit that Suncoast Credit Union is seeing, is the ability to be able to use MyCUID in that system without requiring usernames and passwords. 

That eliminates that component of it and eliminates that fraud, and that’s quite frankly where they were starting to see some fraud occurring and now you have one seamless way to authenticate your members on all the channels versus managing the authentication component with every application that a credit union manages. It eliminates a lot of that cost and a lot of headaches for IT staff.

Andy Tobin: (53:32)

Yeah, that’s actually a really good point, isn’t it? If you do a fingerprint, all you’re doing is on your phone. Apple is saying this is the same thing. With a credential, if you’re also the proof of the credential, you can actually pass useful information like your account number or your address or how long you’ve been a member, things like that. It’s a much richer experience and you can combine data from different digital credentials together to make a compound proof of many things in one go.

Given that the majority of financial services institutions still have many legacy applications, how can we integrate with those? If you don’t mind, I’ll take that question. 

I used to build payments systems for banks. I actually built the bank once upon a time. The idea here is that we provide some really simple APIs that can be called from any system. For example, issue a credential, maybe four or five lines of code to verify the credential, a few lines of code and all of the, let’s call it “Crypto Voodoo” is taken and handled by the credential exchange platform. As it happens, self-sovereign identity offers exactly that to enterprises, the credential exchange platform that makes these connections work and handles credential issuing and verification.

So if you look at all of the use cases that Julie, Mike, or Jo mentioned, you don’t have to buy a different platform to reach your employees. You have one bridge, if you like, that bridges the old world to the new world and there’s a lot of work going on. 

Metaphorically, what would happen if there was a leak of digital identities? We could do like 18 hours on that. I’ll actually ask Mike, because I want to come back to you on something else. Mike, you have been deeply involved in the problem “what if I lose my phone?” and “what happens if I try and steal a credential of yours and presented it myself?” Could you cover that a little bit?

Mike Brown: (56:24)

There are several ways of looking at leaked or lost data. One is with the core issuance of a trusted digital credential via this model. It’s issued to one wallet and one wallet only and it can’t be hacked or stolen from that wallet and then shared by somebody else. So the credential itself is signed by both the issuer and the owner’s wallet and it can be presented from another wallet. So that’s the one kind of basic element. You could have a situation where you had a bad actor inside of an organization issuing bad credentials, same as you would have today where you could have somebody issuing fake driver’s licenses inside of our government. Right. And so it’s difficult to kind of change that but I don’t think that’s a high percentage.

Andy Tobin: (57:22)

If you found that that had happened, you can revoke those credentials once they’ve been issued. Right. So that renders them unable to be verified.

Mike Brown: (57:30)

The revocation you have becomes critical where, if you knew there was a fake ID that was out there because of a bad actor inside of an organization, revocation allows you to make it pointless, which you can’t do in the physical world. With a fake driver’s license, you can’t get it back unless you find it or the police get involved.

Andy Tobin: (57:57)

Yeah, I think we could do a whole series on what are the threat factors for SSI and how that could evolve and what might people be looking at. Jo, this is from an anonymous attendee: can we use digital credentials exclusively for possession factor, or would an image be sent? So it’s about two-factor authentication basically in strong customer authentication. Do you want to just have a stab at that one?

Jo Spencer: (58:55)

Yeah, I’m not sure I understand the question but in essence, what happens is, as part of an interaction with the bank, a customer can be asked to represent or re-verify their credentials. As part of that, we’ve created a secure connection between the bank and the customer and they can authenticate themselves to the wallet. 

The idea is that in effect, what could happen is you could actually do that real authentication process or additional authentication process before you actually have to start a payment initiation. That really reduces the friction at the point at which you’re actually just starting to do the payment, so in that scenario, that provides a very powerful friction reduction as part of that process. The ability to have that secure connectivity between the wallet and the bank is useful for all sorts of reasons. I mean, banks really sort of lap that up!

Andy Tobin: (01:00:01)

Let’s pick up another one that came in beforehand: “How are Sovrin stewards different from certificate authorities? I feel the power is with these stewards and not so much on individual users. I can only present a claim if a steward has been generous enough to confirm it.” 

If it’s all right, I’ll handle that one. We actually have two stewards on board here and Evernym is a steward as well. What is a steward? A steward is an organization that has volunteered to run part of the Sovrin network and the Sovrin network is a public, permissioned ledger for those digital credentials.

It’s actually an hour and two minutes in and this is the first time that we really mentioned ledgers and blockchain, which is amazing! So, a ledger is a decentralized store of data that can’t be tampered with and is chronologically ordered basically, and it’s not run by a single entity. It’s run by a group of organizations. In this case, the Sovrin stewards volunteered to adhere to some rules about how the network should be run and the stewards, that’s all they do. They run the network. 

They’re a bit like operators of the DNS servers that make the internet work. They perform a vital role to provide this decentralized store. And what is in the store? Well, very little. In fact, the Sovrin ledger doesn’t have very much on it. If you’re a credential issuer, you’ll have some cryptographic artifacts that you put on the ledger that allow anyone to verify a credential that you issue. You could issue a billion credentials having written to the ledger as an issuer only twice.

The key thing is the stewards provide for the network; they volunteer to make this capability exist for everyone in the world to use, which is fantastic. There’s over 70 of them. CULedger, ATB, there’s people like Cisco, IBM, and a myriad of other organizations from across the spectrum.

The bit that’s important is that anyone can issue a credential, right? You don’t need to be a steward to issue a credential and if you’re receiving a credential and, say Andy comes along and presents you with proof that he’s Andy, (that proof comes from ATB), the credential exchange create a call, and the cryptography means that you can determine who issued that credential to me. You can determine that I haven’t tampered with it. It was issued only to me and nobody else, and it hasn’t been revoked and you can do those things without having to contact the issuer.

You just read the ledger, pull the issuers’ cryptographic public keys, and you can verify those things. You have to have human trust that ATB is good for issuing that credential. So there’s a combination of cryptographic trust and human trust. In our paper world at the moment, you have a piece of paper and it might be a bank statement and I can go and present those proof of address to somebody that somebody is used to seeing bank statements and I’ll go, okay, this is a bank statement from ATB and it shows that Andy lives where Andy lives. So you already have that human trust because ATB’s done a good job.

So this is no different from that perspective, but we’re adding a layer of cryptographic trust that is our cryptographic superpowers, if you like. It’s not about the stewards per se, it’s about the issuers and the issuers issuing credentials and others having human trust that they’re doing their job onboarding.

Andy Tobin: (01:03:57)

I think we’ll do just one more. Does anyone think that credential providers will be able to get paid after the credential is provided to the consumer? That’s from John West. This is a really good question. I’ll take this one and then I’ll ask for any other further questions or follow-ups.

If you look back at the first Sovrin white paper, back in 2016, we envisaged an economic model for Sovrin that includes things like the potential for credential issuers to get paid for their time. It’s not been developed yet, but the underpinning architecture and capability… it’s open source stuff and you can easily develop the capability like that on top of the open-source code. So the answer is yes, lots of thought going into that. And other really advanced, sophisticated things you can only do with some of the latest cryptography techniques. Mike, any last thoughts from yourself?

Mike Brown: (01:05:57)

No, I just want to thank everybody who’s a part of this community. We are, as Andy mentioned, at the beginning of the Internet. This is 1992 or 1994 or what have you, and the potential is still to be imagined. But to get there, we have to start getting the capabilities of issuing verifiable credentials and consuming them and that’s what I’m most excited about is what we can do with this. So it’s a great time to get started!

Andy Tobin: (01:06:32)

As a pioneer, we salute you. Thank you. Julie?

Julie Esser: (01:06:37)

I don’t know if I can echo what Mike said enough. Our message, which is to credit unions, is to get involved. This technology and the pace of this technology is moving so fast and credit unions and actually anybody on this call can’t take a wait-and-see approach to this. We encourage credit unions to start small with some very specific use cases and pilots and then scale within the enterprise. So I have the same message. Get involved!


Andy Tobin: (01:07:15)

Very cool. I love the analogy of it being the start of the Internet. You know, when the internet first emerged, who would have thought that somebody could come along and say, “well I’m going to use it to travel around the world for free by sharing photos of me on a beach.” Craziness! Jo, last words for yourself?

Jo Spencer: (01:07:34)

It’s terrific to see Mike and Julie really making this happen. And I think that’s a really interesting proof of the concept. My scenario is that I would say, look at it and use it. It’s a brilliant solution. The model is actually quite easy to implement. The real interesting consideration is actually around the customer experience, the social engineering that needs to happen around the implementation of credentials and credential sharing and the way in which you change your customer experience. I would say, as the others have said, get involved. You can use the same solution for multiple scenarios and whatever’s your biggest pain point will be easily adapted to it, very quickly.


Andy Tobin: (01:08:31)

That was great. Thanks Jo. You know, I think that in five years, every organization is going to be issuing or verifying digital credentials because of their competitive advantage. The ones that don’t will be losing out big time. But for people, people need to just be very comfortable with it as a new way of doing things. And we know people learn really quickly. Nobody had used Instagram a few years back, now everyone uses it. So people can learn really quickly and we shouldn’t underestimate their ability to do that if we give them something they find really useful. So I think with that, let’s wrap up.

It’s been fantastic for you guys to join us. Thank you so much for doing that and to hear about your actual real world experiences of starting to put this stuff into practice. There are plenty of materials on the Evernym website to have a look through. Thank you for those that submitted questions and we hope that this has given you a taste of this new world. And with that, thank you very much!
