MPs hear more revelations about Gov.uk Verify as troubled project gets a new leader

Hello and good luck, to Lisa Barrett  – the newly appointed director of digital identity at the Government Digital Service (GDS). She’s taken on what many people outside GDS see as something of a poisoned chalice.

You might think it strange, that this job has been created for the first time barely 12 months before GDS hands its digital identity system, Gov.uk Verify, to the private sector and government ceases further funding.

But Barrett’s introductory blog is full of positivity, as you would expect. There will be no shortage of people wishing her success in her goals. For there’s one thing GDS has never quite grasped – that the growing band of Verify critics generally have one thing in common, that they want Verify (or something like it) to succeed, and have done so all along. Their criticisms often come from frustration at what they see as such a critical project, struggling as a result of poor decision-making in GDS.

The timing of Barrett’s appointment is all the more difficult after recent events in Whitehall, with a highly critical National Audit Office (NAO) report followed last week by a parliamentary select committee meeting at which, if you didn’t know better, you might have taken away the conclusion that apart from a little over-optimism by that other lot who started the project, Gov.uk Verify is all going swimmingly well. Tickety boo. Nothing to see here, move along now.

That seemed to be the message that the leaders of the troubled digital identity programme wished to impart to MPs on the Public Accounts Committee (PAC).

The committee was investigating progress on Verify after the NAO questioned the value for money of the £154m spent so far on the project and doubted the scale of benefits claimed by GDS.

Making the case for how misunderstood Verify has been were Cabinet Office permanent secretary and civil service CEO John Manzoni, alongside GDS director general Kevin Cunnington.

At times it was difficult to tell whether committee members were seeing hubris or denial in action. Let’s examine some of the highlights:

Gareth Snell, MP from PAC asked: “Mr Cunnington and Mr Manzoni, could you give me any of the quantitative KPIs from any of the five business cases that Verify has actually met? Just one example of any quantitative KPI from any of the five business cases.”

Cunnington: “On the current business case [from 2018], we are on track in terms of the volume of… verifications that we have.”

Note that the original business case was made in 2015. The 2018 business case was intended to rescue the project after the Cabinet Office project management watchdog recommended it be shut down.

Snell: “Okay. Any others?”

Cunnington: “You are testing my memory now. I cannot think of any off hand.”

Snell drilled down into the costs and claimed benefits of the programme and concluded: “So you are saying that spending less, because you failed to meet targets, is now a success, in the Cabinet Office’s definition of success.”

Manzoni acknowledged there have been problems, but did so in a way that he basically threw Cunnington’s predecessors as GDS chief under a bus.

Manzoni: “I do not think there is any question that Verify did not meet its original business case benefits. Nobody is sitting here saying, ‘Right, it met its projections.’ But I think the issue is more one of hopelessly optimistic projections in the original business case than failure,” he said.

Snell: “I will come to the previous business cases, because you are right that they were significantly way off, and several reviews and a number of business cases still maintained optimistic trajectories – let’s say optimistic for the sake of diplomacy. To what do you ascribe the low take-up across government for this system?”

Cunnington them blamed the slow progress of digital transformation at other Whitehall departments for the low take-up of Verify, to which Snell replied:

“Without wishing to paraphrase you, Mr Cunnington – I will do it anyway — it is the government’s fault that they have not transformed their service efficiently to catch up with your groundbreaking technology?”

Diverting away from the failed KPIs, Cunnington instead quoted the four strategic aims of Verify.

“One was to create a standard in the marketplace. That is the most important thing. I think we can say that we have absolutely completed that,” he said.

Snell replied: “It is quite an expensive standard though, is it not – £154m for a standard?”

It’s worth noting that identity standards are now increasingly being driven by the financial services sector in support of open banking legislation. GDS’s preferred GPG45 standard is seen by some as too prescriptive.

Cunnington continued on the three other objectives:

A commoditised cost model – “We have got the price down to a point where it can be bought by the government and by the private sector,” he said. However, the NAO found that GDS was subsidising the price paid by departments to such an extent that it feared it would become unaffordable once Verify is handed to the private sector in March 2020.

A safe and secure service across a multiplicity of private sector vendors – “Which again we have achieved”. Most private sector identity providers complain that the effective monopoly handed to five companies for Verify has hindered UK market progress.

Mass adoption of Verify. “You are right to say that is where we have not had the success we were hoping for,” Cunnington acknowledged.

To which Snell replied: “So there was the application of the first three, which are qualitative, and then the one quantitative that was meant to derive actual benefit to the government and the taxpayer, which has not actually been met.”

Let’s consider these objectives. I will make an admission – I’m a supporter of Liverpool FC. In the style used above, I would say Liverpool’s four strategic objectives in recent years have been to improve the team, qualify for the Champions League, expand the stadium, and win the Premier League.

The club has achieved the first three, but not the fourth. Everybody who knows Liverpool, or English football, will know that only the fourth objective matters. User adoption is Verify’s Premier League.

Later in the inquiry, as Manzoni again pointed the finger at Cunnington’s predecessors, Snell pointed out that Manzoni was in charge when the 2015 business case was signed off.

Manzoni replied: “I am not sure I was concentrating on the business case in 2015; I cannot remember, actually.”

Former Verify boss Nic Harrison was also being questioned by the committee, and he revealed he had reviewed Verify on taking the job in October 2016 and made 11 recommendations – right after the latest business case had been signed off. Here’s the conversation:

Snell: “Okay, so what did you change from the 2016 business case for your 11 recommendations?”

Harrison: “The 2016 business case had been written and had been through the Cabinet Office investment committee and the Treasury – it was a business case. As I came in, I recognised that it was unlikely to deliver in its current form.”

Snell: “Literally a month after it had been signed off and agreed by the Treasury, you said to the Cabinet Office, ‘This is not going to work’?”

Harrison: “I certainly said it was not on a glide path to success.”

To be fair to Harrison, Verify has been reviewed more than 20 times in its five-year existence.

The committee examined that 2016 business case a little further:

Snell: “Bearing in mind that Verify’s original programme business case came in 2015, who agreed to sign off the contracts for additional suppliers in 2016 when there was no immediate evidence that there would be an increase in supply?”

Manzoni: “I can’t remember.”

Snell: “You can’t remember. You are forgetting a lot of things today, Mr Manzoni.”

There was also potential forgetfulness when it came to discussion of Verify failing to get anywhere near its target of a 90% verification success rate:

Harrison: “The 90% figure appears in the 2015 business case, which is highly speculative and shows best probabilities. It was derived from what the likely success rate could be, based on demographics and looking backwards from a period when the product had been a success.”

Snell: “It is also the figure that was in the government business case that was used to allow sign-off of this programme to go forward. Regardless of whether that is a figure that is right or not, it is the figure on which this business case was predicated, and it failed to meet it.”

Cunnington: “No question. It was adjusted down to the range of 20 to 30 in the 2016 business case, when we recognised that wasn’t going to be true. As Nic says, the 90% was based on a future state where a lot of people are already verified – not the challenge of signing up.”

Really? The 2015 business case said, explicitly, as an objective: “90% of people can verify their identity online with a 90% success rate by April 2016”. I have a draft copy of the business case, it’s there in black and white and there has never been any suggestion the final document claimed any different. It has never been suggested that the 90% figure was a “future state” where people are “already verified”. To be fair to Cunnington, he was not in GDS at the time.

UPDATE 26 March 2019: An eagle-eyed reader also pointed out this GDS blog post from 2016, which clearly states the target of 90% and laid out the activities that were underway to achieve, and even exceed, this verification success rate.

When Verify was given its final lifeline in October 2018, its saviour was the Department for Work and Pensions, which uses Verify as part of its Universal Credit (UC) system – despite achieving only 38% verification rate.

Cunnington revealed that Verify is not actually mandatory for UC: “The primary policy objective is to get claimants paid, and claimants go all the way through the process before saying, ‘Wouldn’t it be nice to verify yourself?’”

Not only that, but Cunnington admitted that DWP is “also looking at [its] own alternatives” to Verify. Even Verify’s last great Whitehall hope is considering its options.

Manzoni repeatedly claimed that Verify had delivered significant financial benefits, quoting a figure of £366m. As the committee pointed out, the NAO said it had “not been able to replicate or validate the benefits estimated by GDS.”

GDS remains convinced that Verify will prove itself a success as the vanguard of an emerging digital identity market in the UK, which will be stimulated by handing Verify to the public sector, using the standards established by GDS.

I had an interesting conversation last week with Don Thibeau, chairman of OIX, the identity standards body that has championed Verify and received significant funding from the Cabinet Office.

Thibeau, historically a strong supporter of Verify, said OIX is about to make a significant move – shifting its headquarters from Silicon Valley to London, because it believes the capital is set to be the centre of a nascent global identity market.

Sadly for GDS this is not a vote of confidence in the Verify programme.

Thibeau is excited by the UK’s regulatory support for open banking, which is driving retail banks to work together on standards for ID interoperability that are likely to become adopted globally. While there is overlap with the work done on Verify standards – and GDS has tried repeatedly to get banks enthused about Verify – open banking is instead emerging as the most likely driver for a digital ID market.

Let’s reiterate – people want Verify to succeed, they always have. Airbrushing its troubled history is not going to help. There will be a lot of people wishing Lisa Barrett every success in her new job.

 

UPDATE 26 March 2019: The originally published version of this article included a quote taken from the official Public Accounts Committee transcript, where Kevin Cunnington said: “Our best performing LOA2 services are in the range of 7% to 18%.” GDS subsequently informed us that the transcript was incorrect and the correct figures are “70% to 80%”, and that Cunnington’s words were transcribed incorrectly. GDS said it will ask the committee to also update its transcript accordingly. The incorrect quote and associated references have been removed from this article.

CIO
Security
Networking
Data Center
Data Management
Close