A Self-Sovereign Identity approach to identify fraudulent bank calls and speed up banking services (Part 1)

Mallikarjun Sarvepalli
5 min read · Aug 15, 2019

I am writing this article based on my current work and learnings in the blockchain and decentralized identity space, and on how they could solve some of the pain points faced by customers and banks.

Let me start with some of the pain points faced by customers and banks.

Pain points faced by Customers

  1. Fraudsters make fake calls or send fake emails in the name of the bank to steal personal information. Often, we unknowingly disclose personal information without validating the person or entity we are talking to or interacting with.
  2. There is no option to validate caller identity other than Caller ID apps such as Truecaller.
  3. The KYC (Know Your Customer) process is often lengthy and tedious. We either go online and upload all documents, or visit the bank and submit physical copies of the documents. We often end up disclosing a lot more information than is required. Also, the KYC process has to be done with every financial service provider we interact with.

Pain Points faced by Banks

  1. Currently, customer care (inbound/outbound), the KYC verification process, and other repetitive tasks are outsourced to different agencies. These agencies can misuse information by selling data to other parties.
  2. The Know Your Customer (KYC) process is quite tedious and requires a lot of compliance effort from banks to manage this sensitive information. Data privacy is a major concern, with the KYC verification process often outsourced to third parties. With data held on centralized systems, it is quite easy for hackers to break in and steal sensitive data.
  3. Other processes, such as opening a new bank account or applying for a loan, often depend on the KYC process, and there is no easy way to identify a customer without manually verifying the documents. This has a huge impact on operating costs.
  4. It is quite easy to create duplicate/fake (counterfeit) copies of documents, which in turn makes it hard for banks to validate identities.

Key asks from stakeholders

There are multiple stakeholders in the system.

  • Banks
  • Call Centers/Agencies who handle promotional and customer care inbound & outbound communications
  • KYC verification agencies
  • Regulatory Authorities
  • Governments and Institutions who issue credentials (Passport, Driving License, etc.) to other stakeholders.

Below are the key asks I can think of:

  1. Data owners should have the right to choose what data is shared with other stakeholders
  2. A robust framework to validate the person/entity they interact with
  3. Prevent sharing identity information with multiple entities (avoid middlemen) and reduce data leakages
  4. A mechanism by which a data owner can disclose parts of the identity and still prove ownership of the data
  5. Even if a malicious participant gets hold of some sensitive data, he/she should not be able to act on it, and there should be an easy way for data owners to revoke the credentials
  6. Quick and more accurate KYC checks

Overview on Self-Sovereign identity

Please skip this section if you are aware of self-sovereign identity & Blockchain

Credits: SSIMeetup & Drummond Reed

Here is a good article for a basic understanding of the Siloed, Federated and SSI models: "The Three Models of Digital Identity Relationships" (credits to Timothy Ruff).

Identity management solutions (Siloed and Federated) have been around for quite some time, and both have failed to give data ownership to the entity/person who owns the data.

Self-Sovereign Identity is the concept of individuals or organizations having sole ownership of their digital and analog identities, and control over how their personal data is shared and used. Under the self-sovereign model, an individual or organization can present claims and get them validated without going to intermediate authorities.

Credits: SSIMeetup & Drummond Reed

Self-sovereign identity is a two-party relationship model, with no third party coming between you and the organization, now considered your “peer.”

SSI begins with a digital “wallet” that contains digital credentials. This wallet is similar to a physical wallet in which you carry credentials issued to you by others, such as a passport, bank account authorization, or graduation certificate, except these are digitally signed verifiable credentials that can cryptographically prove four things to any verifier:

  1. Who (or what) is the issuer;
  2. To whom (or what) it was issued;
  3. Whether it has been altered since it was issued;
  4. Whether it has been revoked by the issuer.

You can also carry self-signed credentials in your wallet, such as your preferences, opinions, legally binding consent, or other attestations you’ve made about anything.

Verifiable credentials can be issued and digitally signed by any person, organization, or thing and used anywhere they are trusted. SSI is as strong as the credentials it contains, strong enough for even high-trust industries such as finance, healthcare, and government. Organizations can choose to trust only credentials they have issued, credentials issued by others, or some combination, according to their security and compliance needs.
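
The four verifier checks listed above, together with the verifier's choice of which issuers to trust, as an added Node.js example (not code from this article or from any SSI project). The `did:example:*` identifiers, the credential fields, the `trusted` map standing in for a ledger lookup and the `revoked` set standing in for a revocation registry are all assumptions made for illustration.

```javascript
// Added illustration of the four verifier checks; every name here is hypothetical.
const crypto = require('crypto');

const newKey = () => crypto.generateKeyPairSync('ed25519');
const pem = (k) => k.publicKey.export({ type: 'spki', format: 'pem' });
// Unambiguous byte string covering every signed field of the credential.
const signedBytes = (c) => Buffer.from(JSON.stringify([c.id, c.issuer, c.subject, c.subjectKey, c.role]));

function issue(issuerDid, issuerKey, id, subject, subjectKey, role) {
  const c = { id, issuer: issuerDid, subject, subjectKey, role };
  c.proof = crypto.sign(null, signedBytes(c), issuerKey.privateKey).toString('base64');
  return c;
}

// The holder proves control of the subject key by signing the verifier's fresh nonce.
const present = (credential, holderKey, nonce) => ({
  credential,
  holderProof: crypto.sign(null, Buffer.from(nonce), holderKey.privateKey).toString('base64'),
});

function verify(p, nonce, trustedIssuers, revoked) {
  const c = p.credential, issuerPem = trustedIssuers.get(c.issuer); // 1. who is the issuer
  if (!issuerPem) return 'untrusted-issuer';
  const sig = Buffer.from(c.proof, 'base64');            // 3. altered since issuance?
  if (!crypto.verify(null, signedBytes(c), issuerPem, sig)) return 'altered';
  const hp = Buffer.from(p.holderProof, 'base64');       // 2. to whom it was issued
  if (!crypto.verify(null, Buffer.from(nonce), c.subjectKey, hp)) return 'wrong-holder';
  if (revoked.has(c.id)) return 'revoked';               // 4. revoked by the issuer?
  return 'ok';
}

function demo() {
  const bank = newKey(), agent = newKey(), fraudster = newKey();
  const trusted = new Map([['did:example:bank', pem(bank)]]); // stands in for a ledger lookup
  const revoked = new Set();                             // stands in for a revocation registry
  const cred = issue('did:example:bank', bank, 'cred-1', 'did:example:agent', pem(agent), 'support-agent');
  const fake = issue('did:example:fraud', fraudster, 'cred-9', 'did:example:x', pem(fraudster), 'support-agent');
  const nonce = crypto.randomBytes(16).toString('hex');
  const check = (c, key) => verify(present(c, key, nonce), nonce, trusted, revoked);
  const out = {
    genuine: check(cred, agent),
    stolen: check(cred, fraudster),                      // copied credential, no subject key
    edited: check({ ...cred, role: 'branch-manager' }, agent),
    selfMade: check(fake, fraudster),                    // issuer the verifier does not trust
  };
  revoked.add('cred-1');
  return { ...out, afterRevocation: check(cred, agent) };
}
console.log(demo());
```

The issuer check runs first so that a signature is only ever evaluated against a key the verifier has already decided to trust.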

The credentials we hold today (education qualifications, healthcare data, financial account details, personal assets) cannot be verified without contacting the issuer (either offline or online). This process requires us to share identity data over the network, and there is no standard way to express these credentials in a machine-readable format that can be easily validated without contacting the issuers.

The Verifiable Claims Working Group is working to create a standard for verifiable credentials and verifiable presentations that can be verified by any verifier in the ecosystem.

Some of the terminology used here (Issuer, Holder, Verifier, Verifiable Credential, Verifiable Presentation) can be found here

What self-sovereign identity and verifiable credentials essentially mean for the stakeholders:

  • Identity data will be owned by the data owner, who can choose what data is shared
  • Identities can be validated by other entities without any intermediaries
  • There is no need for any third-party KYC agencies (if they must be involved, they should really add value), thanks to blockchain and the underlying decentralized ledger, which can be trusted across multiple untrusted parties.
  • An efficient method to validate who we talk to or communicate with before we disclose critical information.

The current stage of SSI

SSI as a technology is in a primitive stage, and there are a large number of companies and foundations working together to bring SSI into reality. Though this is not a comprehensive list, I am listing some of the key players in this space that I am aware of

In my next article, I will discuss relevant use cases and how SSI (Self-Sovereign Identity) fits into the existing bank service flows. Here is the link to "A Self-Sovereign Identity approach to identify fraudulent bank calls and speed up banking services (Part 2)".
