Skip to main content
Skip to footer
We're taking you to another TCS website now.



  • The digital identity landscape is evolving rapidly given the heightened focus on data privacy.
  • This will translate into changes in the traditional business model of the credit bureau.
  • The new operating models will revolve around digital identity management, protection of personally identifiable information, and consumer consent management.
  • We believe blockchain-based consumer consent hubs will revolutionize this space and bring forth new models of customer engagement in keeping with the various data policies. 



In this first of two white papers, we explore the changing digital identity landscape in the face of rapidly evolving consumer identity and data privacy legislation. 

What challenges will this present to credit bureaus in embracing the new normal or be further disintermediated from the consumer? 

This paper will redefine the traditional relationship between credit bureaus and consumers by offering a disruptive solution to digital identity management through a self-sovereign identity solution based on blockchain. We propose a solution that will place the control of digital identity and consent to the use of personally identifiable information (PII) in the hands of the individual consumer for the first time. The follow-up article will further expand on this concept of the consumer consent hub.


Data privacy regulations are evolving rapidly across the globe.

There are several legislations such as General Data Protection Regulation (GDPR) in EU, Data Processing Agreement (DPA) in the UK, The California Consumer Privacy Act (CCPA), and the Brazilian General Data Protection Law (LGPD). These legislations are changing the landscape of digital identity and the protection of personally identifiable information (PII).

The rights of the individual are core to all these new regulations, which all have similar base principles:

  • The individual’s right to control their identity and PII

  • The right to explicitly consent to the collection, storage, and use of PII for a specified purpose and duration

  • The right to be forgotten

  • The right to data portability, where it must be transmitted on request to the individual or authorized third-party in an appropriate format

  • The right to know how data is collected, how long it is stored, and its use for what purpose.

  • Current digital identity models do not lend themselves to allowing the individual to control their identity and related PII easily or grant, withhold or revoke their consent effectively to its storage or use


Today, most commentators will describe three digital identity models: silo, federated, and self-sovereign. However, we believe this list should also include the derived identity model (see Figure 1).


Figure 1: Evolution of digital identity



The derived identity model requires no relationship, interaction, or permission from the individual.

 A credit bureau would be a classic example of this model, where the relationship between an individual and a credit bureau is distant at its inception. The individual does not initiate the relationship, and the credit bureau asks for no authority from the individual to create a credit identity. 

Data helps derive credit identity obtained through various channels and from organizations that may have directly issued an individual identity (account). It includes organizations such as banks, insurers, and telecom companies, or organizations that hold official systems of record such as land registries, electoral data, and national identity. 

However, the latter will variously key this data on name or address. The credit bureau will then use a weight of evidence-based algorithm to match the name and address to attribute the data to an individual’s credit identity. The accuracy of the matching algorithm depends on the accuracy of the source data. Each credit bureau will develop its in-house matching algorithm with differing results and accuracy.

The credit bureau has the opportunity to ratify and verify the credit identity of an actual individual only when that individual contacts the credit bureau. Good examples are exercising the right to query a score, correct a data error, and open a direct account with a credit bureau consumer product. An indirect relationship with consumers makes it challenging to ensure appropriate control and consent over identity and PII.

Intermediary organizations such as Credit Karma have taken the opportunity to develop a direct, silo-based relationship with the consumer concerning their credit identity by offering consumers tools and services to understand better and manage their credit scores. These services are provided free to the consumer and curated financial products that best fit the consumer’s credit score. The derived identity model has proved to be very successful and has disintermediated the credit bureau from consumers.


The silo model describes the most common form of digital identity where an organization will issue a unique account to allow that individual to access their products and services. 

Typical examples are bank accounts, mortgage accounts, passports, driver’s licenses, and Amazon accounts. These various identities offer a one-to-one relationship between the individual and the issuer. In this case, the individual has no control, and they are rarely immutable or persistent.  

At the point of creation, this model will require the individual to share some level of PII to establish and verify their identity. The relationship to be created drives the amount of PII required. For instance, the PII needed to create a bank account will be greater than that required to create a social media account. This model drives the extensive proliferation of PII across many organizations. To exercise control and consent, the consumer must do so with each issuing organization.


The federated model attempts to solve some of the issues with the silo model.

 A third-party organization will play the part of the identity issuer, and consumers can then use that identity to access products and services from many other organizations. The most well-known of these federated identities are Facebook, Google, and Apple. 

This model requires fewer identities for an individual to manage and less PII to be shared with and stored by fewer organizations. These identities are still not controlled by the individual and are no more immutable or persistent.


The evolving model is the self-sovereign identity model. In this case, the individual creates and controls a single, persistent, and immutable digital identity.

The underlying technology combines the concepts of decentralized identity, blockchain, and verifiable credentials.

The individual will create a unique identity and add the associated PII as verified credentials. They can then choose to grant, withhold, or revoke consent to any organization they enter a relationship with. This identity, by nature, is in the control of the individual and is unique, immutable, persistent, and secure. It is unnecessary to uphold the PII to be stored by an organization, barring the associated verified credential. Only the verified token attesting to the verified passport needs to be shared, not the passport number.

Self-sovereign identity is the only digital identity model, that comes close to, in spirit and letter, the emerging privacy regulations. The enabling technology is in place, and the underlying standards are rapidly developing.


The concept of self-sovereign identity puts the individual in control of their digital identity and through verified credentials, their PII.

Similarly, the idea of a consumer consent hub gives the individual control over the explicit consent to use that identity and credentials. Since the emergence of legislation to regulate the need for consumer consent for storing and using PII, organizations have approached the problem by creating solutions that directly seek and manage those consumer consent for their purposes. The consumer consents hub will flip this relationship and put the management in the hands of the consumer. Any organization requiring approval will request the data needed for a particular purpose and a defined period via the hub. The consumer will directly give or withhold consent accordingly. The requesting organization can check for valid support at any future point.

This disruptive shift has already started in some markets where open banking regulations layer over new data privacy legislation. Regions like the EU, UK, and Australia are driving the need for explicit consent for the use of consumer data and the ongoing maintenance of that consent.


Embracing the concept of self-sovereign identity will offer the credit reference industry a significant opportunity to disrupt its business model and change its relationship with the consumer by putting them at its heart.

Recent history has shown that if the industry does not face this new standard in digital identity, there will be organizations only too willing to step in to disintermediate them from the consumer further.

If they do not embrace the opportunity, it will be difficult for the traditional credit bureaus to survive the paradigm shift, to play a central role in the industry’s growth toward self-sovereign identity and personal consumer data ecosystems. Suppose they do not have access to large amounts of consumer data and the opportunity to monetize that data. In that case, the bureaus will be little more than analytical credit scoring models. 

A key to accelerating their move towards broad adoption of digital identity and thereby resilience by design is the adoption of emerging technologies and advanced data security standards.

The consumer consent hub will be explored in more detail in the following paper in this series.