A simple way to build online trust, or another failed technology project in the making? Toby Stevens explores the government’s new identity assurance programme and considers what it means for your business. This article originally appeared in the ICAEW’s Chartech magazine, Jan/Feb 2013.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
The government’s flagship Universal Credit (UC) programme promises to revolutionise in-work benefits, and will certainly have a profound effect on the way employers report employee earnings to HMRC. The IT delivery risks associated with this change have been widely discussed, not least in a submission by ICAEW’s Tax Faculty to Parliament’s Work and Pensions Committee. What has not been so widely discussed is the government’s identity assurance programme, which is intended to deliver the trust framework so that individuals and businesses can interact with UC, and other government services online.
TOUCHING THE IDENTITY VOID
One of the first major policy moves of the coalition government was to throw out the failing national identity scheme. Touted as a panacea for any possible interaction between citizens and the state, from immigration to underage drinking to fighting terrorism, the ID cards programme came to dominate every aspect of the online identity space. The programme’s cancellation left the UK in the odd position of having no identity infrastructure — industry had ended investment in alternative approaches in anticipation of the new scheme.
Nowhere are the implications of this situation more significant than within the financial sector. Employers need to verify employee identities, rights to work or eligibility, and accountants and agents are obliged to check their customers’ passports or equivalent proofs of ID, and to maintain those copies so that they can prove their anti-money laundering practices at any time. Those checks are often completed by individuals who have little formal training in identifying fraudulent documents, and this has created a service industry dedicated to checking documents and managing the results.
It’s even worse for customers, who have to carry and present passports and driving licenses for these checks, thereby running the risk of identity-related fraud.
DIGITAL BY DEFAULT?
The government was quick to recognise that UC and similar transformational policies can only succeed if the bulk of interactions with users take place online: the Department for Work and Pensions (DWP) alone handles over two million telephone calls each day, and the imperative to drive down costs while improving service means that customers need to be encouraged to use online channels.
However, UC will migrate users from a per person to a per household benefit, coupled with inspection of their income on a weekly basis through the Real Time Information (RTI) programme. This change will inevitably give rise to a huge surge in enquiries as users switch to the new system, and any savings associated with the new policy would be wiped out by the contact centre costs. Online engagement is essential, but ‘Digital by Default’ cannot succeed unless the government has a way to trust people online, without going through the expense of registering each user in a face-to-face interview and managing their credentials thereafter.
THE IDENTITY ASSURANCE PROGRAMME
Drawing on experiences of the US National Strategy for Trusted Identities in Cyberspace programme, the government devised a fresh approach to proving identity online in the UK — the Identity Assurance (IDA) programme. The aim is to create the necessary technical, commercial and regulatory infrastructure to allow users to prove their identity or other information about themselves using services from private sector organisations.
In the IDA model, the government provides a number of ‘federation hubs’, which provide the data-matching, anonymisation and audit services to support interaction between a market of identity providers (IDPs) and the government departments that will consume identity information. Companies wishing to act as IDPs will have to bid for the right to do so and undergo rigorous independent certification to ensure that their security and commercial controls are appropriate. IDPs will in the first instance be paid on a ‘per user’ basis for providing identity services.
USING IDENTITY ASSURANCE
The first instance of IDA is in support of UC. Seven providers, including Experian, Post Office and Verizon have been selected to provide the first set of IDP services in support of pilot activities from October 2013.
They will have their work cut out: they have to deliver IDA services in a very short timeframe while forming a self- regulating body to ensure compatibility of their technology, commercial and legal approaches. This ‘trust framework’ will set and maintain standards, represent user interests, and ensure that the commercial liabilities are properly managed if things go wrong.
The likes of HMRC, the Department of Health and a number of local authorities are preparing ‘IDA-ready’ services. The Cabinet Office has mandated that central government departments must use the IDA approach for most ID-related developments, and is encouraging other public authorities to do so.
WHAT ABOUT THE GOVERNMENT GATEWAY?
The UK does have a current online trust service in the form of the Government Gateway, which is used by a number of departments, but principally for interaction with HMRC. Like IDA, the gateway enables users to have a digital credential that provides them with access to online government services.
While the gateway works well enough for many business users, it does not provide the scalability, ease of use, or the assurance of identity that would be required to support the new populations of users wishing to access UC.
IDENTITY ASSURANCE AND BUSINESSES
So how will IDA affect businesses? In the coming year, almost not at all; the early rollout is focused on UC, and employers will not be able to engage with the government through IDA. However, HMRC is expected to start acquiring IDA services in 2013, first for consumers and subsequently for businesses and agents.
Businesses that need to engage with HMRC using IDA are likely to be subject to a slightly different model: the ‘responsible officer’ will obtain a business IDA credential, which can in turn be used to authorise further credentials on behalf of the organisation’s employees.
Unlike DWP, HMRC may choose to mandate use of IDA credentials as they become available, and some IDPs might choose to charge for them; others, such as banks, mobile network operators or accounting software firms could instead offer them for free as part of a broader package of services.
LIVING THE IDENTITY DREAM
Businesses that have an existing online relationship with their customers – in particular those in the finance sector that have completed an anti-money laundering check on their customers – will have an opportunity to extend those relationships into IDA, allowing their customers to assert that existing trust to the government.
Similarly, businesses seeking cost- effective ways to complete anti-money laundering or risk checks on their customers will be in a position to consume IDA credentials, potentially at a much lower cost than traditional face-to- face checks. In time we are likely to witness the abstraction of IDA services, such that providers offer proof of ID services for free in order to augment other data services such as credit scoring.
Perhaps the most important consequence of population-scale trust services will be a change in the way public authorities and businesses consume customer data. When customers can easily prove who they are, and provide accurate verified information about themselves when it is needed, why should businesses submit to the expense of holding large volumes of personal data unless there is a clear commercial case to do so? Businesses wishing to drive down data storage costs and risks, and exploit this new market in personal data will follow IDA’s progress with interest.
This article originally appeared in the ICAEW’s Chartech magazine, Jan/Feb 2013. Note that since then certain key changes have taken place, including the announcement of PayPal as the eighth IDP; the novation of contracts to the Government Procurement Service; and a reduced emphasis on Universal Credit as the initial programme for IDA rollout.