What challenges will this present to credit bureaus: will they embrace the new normal, or be further disintermediated from the consumer?
This paper will redefine the traditional relationship between credit bureaus and consumers by offering a disruptive solution to digital identity management through a self-sovereign identity solution based on blockchain. We propose a solution that will place the control of digital identity and consent to the use of personally identifiable information (PII) in the hands of the individual consumer for the first time. The follow-up article will further expand on this concept of the consumer consent hub.
INDIVIDUAL'S RIGHTS TO CONTROL AND CONSENT
Several pieces of legislation, such as the General Data Protection Regulation (GDPR) in the EU, the Data Processing Agreement (DPA) in the UK, the California Consumer Privacy Act (CCPA), and the Brazilian General Data Protection Law (LGPD), are changing the landscape of digital identity and the protection of personally identifiable information (PII).
The rights of the individual are core to all these new regulations, which all have similar base principles:
- The individual’s right to control their identity and PII
- The right to explicitly consent to the collection, storage, and use of PII for a specified purpose and duration
- The right to be forgotten
- The right to data portability, where data must be transmitted on request to the individual or an authorized third party in an appropriate format
- The right to know how data is collected, how long it is stored, and for what purpose it is used
Current digital identity models do not make it easy for the individual to control their identity and related PII, or to grant, withhold, or revoke consent to its storage or use effectively.
MODELS OF DIGITAL IDENTITY
Today, most commentators will describe three digital identity models: silo, federated, and self-sovereign. However, we believe this list should also include the derived identity model (see Figure 1).
SILO IDENTITY MODEL
Typical examples are bank accounts, mortgage accounts, passports, driver’s licenses, and Amazon accounts. These identities offer a one-to-one relationship between the individual and the issuer. In this model, the individual has no control, and the identities are rarely immutable or persistent.
At the point of creation, this model will require the individual to share some level of PII to establish and verify their identity. The relationship to be created drives the amount of PII required. For instance, the PII needed to create a bank account will be greater than that required to create a social media account. This model drives the extensive proliferation of PII across many organizations. To exercise control and consent, the consumer must do so with each issuing organization.
FEDERATED IDENTITY MODEL
A third-party organization will play the part of the identity issuer, and consumers can then use that identity to access products and services from many other organizations. The most well-known of these federated identities are Facebook, Google, and Apple.
This model requires fewer identities for an individual to manage and less PII to be shared with and stored by fewer organizations. These identities are still not controlled by the individual and are no more immutable or persistent.
SELF SOVEREIGN IDENTITY MODEL
The underlying technology combines the concepts of decentralized identity, blockchain, and verifiable credentials.
The individual will create a unique identity and add the associated PII as verified credentials. They can then choose to grant, withhold, or revoke consent to any organization they enter a relationship with. This identity, by nature, is in the control of the individual and is unique, immutable, persistent, and secure. An organization does not need to store the PII itself, only the associated verified credential. Only the verified token attesting to the verified passport needs to be shared, not the passport number.
Self-sovereign identity is the only digital identity model that comes close, in spirit and letter, to the emerging privacy regulations. The enabling technology is in place, and the underlying standards are rapidly developing.
THE CONSUMER CONSENT HUB
Similarly, the idea of a consumer consent hub gives the individual control over the explicit consent to use that identity and credentials. Since the emergence of legislation regulating consumer consent for storing and using PII, organizations have approached the problem by creating solutions that directly seek and manage that consumer consent for their own purposes. The consumer consent hub will flip this relationship and put the management in the hands of the consumer. Any organization requiring approval will request the data needed for a particular purpose and a defined period via the hub. The consumer will directly give or withhold consent accordingly. The requesting organization can check for valid consent at any future point.
This disruptive shift has already started in some markets where open banking regulations layer over new data privacy legislation. Regions like the EU, UK, and Australia are driving the need for explicit consent for the use of consumer data and the ongoing maintenance of that consent.
OPPORTUNITY FOR DISRUPTIVE CHANGE
Recent history has shown that if the industry does not face this new standard in digital identity, there will be organizations only too willing to step in and further disintermediate it from the consumer.
If they do not embrace the opportunity, it will be difficult for the traditional credit bureaus to survive the paradigm shift and play a central role in the industry’s growth toward self-sovereign identity and personal consumer data ecosystems. If they do not have access to large amounts of consumer data and the opportunity to monetize that data, the bureaus will be little more than analytical credit scoring models.
A key to accelerating their move towards broad adoption of digital identity, and thereby resilience by design, is the adoption of emerging technologies and advanced data security standards.
The consumer consent hub will be explored in more detail in the following paper in this series.
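The consent hub flow described under THE CONSUMER CONSENT HUB (an organization requests data for a purpose and period, the consumer gives or withholds consent, and validity can be checked at any later point), as an added sketch that is not from the original paper. The class, method and state names and the sample parties are assumptions, and revocation follows the grant, withhold or revoke wording used for self-sovereign identity.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass
class ConsentRecord:
    consumer: str
    organization: str
    fields: frozenset            # PII attributes requested
    purpose: str                 # the one purpose the consent is bound to
    days: int                    # requested duration
    status: str = "pending"      # pending -> granted | withheld; granted -> revoked
    expires: "datetime | None" = None

class ConsentHub:                # in-memory stand-in; all names are illustrative
    def __init__(self):
        self._records = []

    def request(self, organization, consumer, fields, purpose, days):
        self._records.append(ConsentRecord(consumer, organization, frozenset(fields), purpose, days))
        return len(self._records) - 1            # request id

    def decide(self, rid, consumer, grant, now):
        rec = self._records[rid]
        if rec.consumer != consumer or rec.status != "pending":
            raise PermissionError("only the named consumer may decide a pending request")
        rec.status = "granted" if grant else "withheld"
        rec.expires = now + timedelta(days=rec.days) if grant else None

    def revoke(self, rid, consumer):
        rec = self._records[rid]
        if rec.consumer == consumer and rec.status == "granted":
            rec.status = "revoked"
        return rec.status == "revoked"

    def check(self, rid, organization, fields, purpose, now):
        # Default deny: valid only for a live grant matching org, purpose and fields.
        rec = self._records[rid]
        return (rec.status == "granted" and rec.organization == organization
                and rec.purpose == purpose and set(fields) <= rec.fields
                and now < rec.expires)

def demo():                      # constructed sample data
    hub, day, t0 = ConsentHub(), timedelta(days=1), datetime(2024, 1, 1, tzinfo=timezone.utc)
    rid = hub.request("lender.example", "alice", {"name", "address"}, "credit-check", 30)
    hub.decide(rid, "alice", True, t0)
    before = [hub.check(rid, "lender.example", {"name"}, purpose, t0 + n * day)
              for purpose, n in (("credit-check", 1), ("marketing", 1), ("credit-check", 31))]
    hub.revoke(rid, "alice")
    return before + [hub.check(rid, "lender.example", {"name"}, "credit-check", t0 + 2 * day)]
```

`demo()` shows the four outcomes a relying organization has to handle: a live grant, a request for a different purpose, an expired grant, and a revoked grant.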