Identity (ID) schemes in the payments industry, where applications of interest to treasurers are often found, are usually nationwide in nature and necessarily involve a government and bank-led solution, with key security industry involvement, where all scheme members – typically covering the issuers of the ID-credentials – share the cost of the ID deployment. Merchants are usually heavily involved too, alongside national payment bodies. Depending on the business model, ID-issuers also share the cost of market infrastructures for the distribution of electronic IDs to end users, whether those are financial institution end users, corporations or merchants.
The electronic security market has changed fast, but business models have not. There are three specific business model challenges concerning national ID schemes that seek to protect customers and authenticate transactions, and three key ways to address these challenges:
- Ownership and governance: How tightly should ID scheme initiators control it, and when might it be optimal to open up the scheme membership (at different levels) to industry partners that can drive innovation and to expert organisations on interoperability, security best practices and user experience? Today, the ownership structures of most ID schemes reflect the state of the market at their conception more than the present market situation, and much less future ambitions. Over time, ID scheme ownership and governance become increasingly invisible and take lower priority on the management agenda as more exciting market discussions take over. The irony is that, as long as the underlying governance structures are not aligned with the changing markets and business ambitions of ID schemes, the insights needed to drive the right decisions will remain greatly limited. Ownership structures will shape decisions if decisions are not made to shape them. You shape it, or else it shapes you. For an example of an ID scheme in action, the cross-border, cross-sector IdenTrust scheme is a good one.
- Service scoping: The question of which services should be included in a basic ID scheme – for example, to help corporations protect internal access controls or external fund transfers – versus so-called value-added scheme services remains an open issue for debate. As the nature of services to a great extent impacts business models, we cannot have a meaningful discussion on the latter without understanding the scope of the former. Should document signing, anti-fraud, time-stamping and parts of fast-emerging forensics be included in what would be ’heavier than traditional’ ID schemes, or should ID schemes be lean-and-mean and only focus on efficiently producing ID credentials for authentication, signing (and sometimes encryption), leaving the application layer to scheme partners? Service scoping has another dimension too – namely, that of service ownership by the ID issuers. Should channels such as smart cards and mobile be offered as part of basic ID scheme services or as differentiating value-added services by members in competition? Service scoping can directly impact membership structures, especially at affiliate or associate level. Even if service scoping has not yet been done clearly (as is the case even in mature ID schemes), it is strongly recommended that scheme owners draw a line between basic and value-added scheme services and then reflect these decisions in the scheme membership structures.
- Stakeholder management: As an ecosystem, an ID scheme must define its strategy not just within the country it operates in, but within the region, because at the end of the day an ID scheme is there to secure electronic and mobile commerce, which are borderless. Initiatives in ID-federation, such as the European STORK scheme or the Pan-European Public eProcurement On-Line (PEPPOL) drive, have demonstrated to some extent that the use of electronic identities across countries can work, thereby removing the need for many one-to-one merchant-issuer relations – although a lot of work is still to be done on liability flows and legal jurisdictions. Evolution of governance and service scoping, together with vision in the region (interoperability, merchant support, etc), drives stakeholder engagement. Public authorities should be invited to contribute their visions on regional interoperability across electronic identities, trust levels and transaction flows. Lessons from the single euro payments area (SEPA), STORK and PEPPOL examples can be extremely relevant in creating a so-called Regional Interoperability Group (RIG) to open up the markets for electronic identities. In the UK, for example, the government agencies have been actively involved in planning the future Digital Identity Assurance scheme in cooperation with wide-ranging market stakeholders. Corporations, and treasurers transferring funds, can benefit from such widespread schemes.
Figure 1: Below is a snapshot of present government ID schemes across Europe.
To summarise the discussions on business models, those that steadily evolve and remain aligned with market forces remain sustainable in the long-term. Business models must be considered as market instruments more than governance and control instruments. Still, business models are only a means and not an end. This raises the most important question about how ID schemes can sustain growth and profitability. There are at least five lessons to reflect upon based on the developments in the Nordic countries:
- Recognising key segments and right competencies: While ’scheme segments’ are governance-intensive, merchant and enterprise environments are market-intensive. While ID schemes are driven by the industry players initiating them, non-scheme ID services are to a much greater extent driven by commercial considerations and market forces. Consequently, the non-scheme ID markets are relatively far more ’chaotic’, as the suppliers can seldom ’lock in’ end user requirements, which is very often the case in ID schemes (lock-in is never future-proof but is a very dominating part of ID schemes, hence their high level of focus on governance and policy management). The power balance between customers and suppliers is very different in scheme and non-scheme segments. ID schemes are characterised by more power with suppliers compared to end users and merchants, which is not the case in the non-scheme ID solutions, where market forces remain complex, more dominating and ’moving targets’. Far too many players continue to naively believe that allowing executives with experience from administration, project management and governance within the ID scheme business would be sufficient to grow the non-scheme business as well. Consequently, most of the time a relative lack of vision and competencies from ’scheme trained’ executives means that they fail to build non-scheme business.
- Understanding a customer’s customer: The commercial success of ID scheme infrastructures depends on the usage volume from the mass market, businesses and applications. The key user segments for electronic IDs are the issuers of ID credentials, relying parties (banks, merchants, treasurers, public agencies and other organisations which have applications that use IDs) and users such as citizens, employees and business users. In other words, the customer value chain extends well beyond your direct customers (ID issuers). ID infrastructures will not succeed unless your customer’s customers are using them. So make sure to discuss with your customers early on about their customers’ use cases. This inquiry lies at the heart of creating and serving a successful ID ecosystem.
- Packaging of value-added services: Strong ID ecosystems can be built by packaging a range of other applications with the basic infrastructure. Packaging ID schemes with applications such as invoice management, electronic commerce (e-commerce), mobile services, banking, payments, document management systems, popular business process systems and smart cards (national ID cards, bank cards, driver’s licences, employee ID cards) will drive the usage of electronic identities. Recall again the need to do a proper service scoping in the ID scheme roadmap. Packaging some selected services in the ID infrastructure can be a smart and very powerful market stimulator. Developing key interfaces in the ID scheme towards targeted popular applications on the market side will greatly ease the use of digital certificates in the customer domain. This issue is very closely related to service scoping in the business model.
- From securing content to securing context: The success of ID schemes will be constantly challenged by ever-deteriorating online security environments. Incorporation of new delivery channels, such as smart cards, SIM, mobile phones and PCs, has a strong impact on the contexts of ID-transactions, making the environment more or less hostile, more or less controlled. So the mission of security must evolve to secure not just the existing content (i.e. applications) but the relevant contexts around them, which over time become more hostile (ID thefts, man-in-the-middle, real-time phishing attacks). The emergence of anti-fraud for electronic (e)-identities, signatures, forensics and monitoring with predictive analyses are key investment areas to secure trust in ID schemes. On this specific point, stakeholder management becomes extremely critical, as security experts must be on-boarded early on in the policy-making, not just at the time of application development and testing.
- Taking your own medicine: Suppliers of e-ID schemes are too often not found to use the strong ID credentials themselves (i.e. inside their own organisation). Some reasons are genuine – for example, the need for IT security to have full and final control of employees’ digital identity without outsourcing its policy management to an external scheme owner, and data privacy issues, which mean that an organisation may not force its employees to use their IDs for signing business transactions. However, much of the e-ID platform management and application integration knowledge from ID schemes can be used to set up smaller-scale enterprise solutions to digitise internal business processes and drive self-service programs. Such internal implementations add to the organisation’s own deployment expertise and bring some scale economies to the entire ID-business case by driving packaging initiatives of e-IDs and other digital solutions in the organisation. In fact, the willingness to utilise those same eID-scheme credentials internally is a clear measure of the suitability of that scheme in the external markets.
Creating commercial business from digital identities must start with business models which are steadily evolving and are instruments of commercialisation, not just of control and ownership. However, driving ID business demands that top management does not mix up the competencies needed to manage scheme and non-scheme businesses, which are very different, and this remains a key challenge in most mature organisations.