Do information and identity regulators do more harm than good?

I recently attended a meeting of senior bankers at which the thesis was advanced that the recent banking crisis was primarily a failure of information governance: with major players no longer understanding how supposedly diversified risks were correlated. Moreover, the flow of tick-box regulation (FSA, Sarbanes-Oxley, Basel 1, 2 and 3 etc.) had diverted management attention away from exercises that would have enabled corrective action. Thus regulators were to blame for turning the collapse of a few former building societies and their US equivalents (in the wake of government-inspired property booms and associated mortgage scams) into a full-blown global liquidity crisis. That is a gross simplification of the arguments, but I was struck by the underlying thesis that regulators do more harm than good when they try to do much more than enable customers to avoid those who do not follow adequate practice.

If we take a narrower view of information governance we see a lot of verbiage about good practice and breach notification but also derisory penalties for those following rank bad, or even illegal, practice. The penalties for those who ran the business selling illegally obtained personal information (including from the phone taps for which some of the wealthier victims are finally obtaining compensation from one of the newspapers involved) appear to have been little more than those for running seriously insecure information services in support of the debt-chasing and anti-piracy industries. One reason may be the customers who used their services. The ACS customer base has not been published, but the analysis of the Operation Motorman ledgers indicates that the News of the World was by no means the largest customer. Nor were the customers confined to newspapers. In consequence we have yet to see a serious follow-up to the previous Information Commissioner's analysis, "What Price Privacy".

Now let us broaden the perspective again. It has been said that you can already obtain enough material from social networking sites and leaks from on-line traders, payment processing services, credentials issuers and on-line gaming organisations to get electronic credentials in the name of almost everyone worth impersonating, and also paper-based documentation that will meet the most stringent of "know your customer" requirements. The latter merely make it harder for legitimate customers to change banks in the face of the withdrawal of physical banking services. Perhaps worse are the routines whereby students on a gap year may find their credit and debit cards automatically terminated after three months, despite informing their bank of their travel plans, because of the way UK-centric automated security routines work. If the result is tragedy, can one prosecute for corporate manslaughter? I wonder. I have been given a case study that I am passing to UK Payments for comment before I blog on this. I am also waiting to hear whether communication has been re-established with the individual concerned and their credit has been restored.

I remain a determined optimist about the on-line world, but sometimes it requires much determination to remain optimistic. Hence my blog earlier this year on "Herding the Sheep On-line to be Fleeced".

The time has come to take a holistic look at the issues of Information and Identity Governance. The current muddle fails to protect us while getting in the way of legitimate business. Moreover, the creeping erosion of trust in the on-line world looks set to cause a great deal of personal as well as economic damage.

Today is the first day of the Google Zeitgeist 2011. The great and the good will be dreaming of a bright future. But first we have to head off the impending crisis of confidence.

Hence the EURIM plans for a major policy study to put the issues into top-down economic perspective (the tens of billions in lost revenues and billions in unnecessary spend that are in prospect) while organising bottom-up co-operation to demonstrate that effective co-operation can address many of the practical problems (provided governments will allow it).

The multi-level, holistic approach appears to have serious support, and we hope to be able to announce the leadership team to plan the exercise early in June. Subject to discussion over the next couple of days, I hope to be able to blog on some of the likely work streams and how they will link together.
