The internet has become a ubiquitous phenomenon in the UK over the last few decades, with over 80 per cent of UK citizens now having access to the World Wide Web. As opportunities for consumer usage grow, so too does the threat of cyber-criminality. Despite the introduction of the General Data Protection Regulation (GDPR) — which gives consumers greater power over their data while ensuring that companies are more transparent about how they deal with sensitive information — tackling the dark side of the web is still an uphill battle. The internet is transforming rapidly, but how will the interaction between regulation and the landscape of web consumerism change in years to come?
Governance innovation, built to support the various conduits of the digital economy, requires an integrated framework that is inclusive of a broad combination of policies, principles, regulations and standards. This integration indicates a shift away from the current regulatory framework epitomised by light-touch regulation, thus ensuring a worldwide standard of personal data privacy that prevents cyber-criminality, especially when it comes to Personally Identifiable Information (PII).
PII is information that can be used to distinguish or trace an individual’s identity, such as their name, national identification number, biometric records and date and place of birth. This personal or identifying information is essential for companies to conduct business online. For example, Know Your Customer (KYC) laws require financial companies to accurately identify people for account opening purposes and ongoing record keeping.
The GDPR and the Payment Services Directive (PSD2) — designed to increase Pan-European competition and participation in the payments industry — offer a more cohesive European-wide set of regulations. But when it comes to global harmony, different countries still have different rules for compliance. This makes cross-country business and data sharing difficult and openly vulnerable to crime. While these mandates are most certainly a step in the right direction, they do beg the question: how can companies navigate the current global web of regulations?
The most obvious solution
The rising power of organisations to comprehensively collect and store personal information requires an increase in the authority of the individual over their PII. Rules and regulations need stricter guidelines so companies can ensure they have the policies and tools in place to not only comply with the law but to also follow consumer demand. Companies must develop systems and values that respect personal information as we proceed into the connected future of big data.
Today, people want and need control over their information; that’s where data portability emerges. There is no ‘one size fits all’ when it comes to identity. The mosaic of identity is a collection of ever-changing attributes and, as a result, requires an agile, adaptable, interoperable solution. Offering consumers more control over their data, in a manner that is easy to manage, is a powerful model for PII; guaranteeing transparency and precise control allows the user to determine the exact level of trust that works for them. While it remains to be seen if consumers will want to actively monitor their PII, giving consumers a choice in the matter is always a good idea.
The purposes, requirements and technology affecting identity verification have changed dramatically. Organisations relying on implied authorisation or other legal constructs to process consumer’s personal information are taking risks that could be avoided by incorporating consumer consent into their verification and business processes.
More regulations would appear to be the most obvious solution to ensure that people can safely harness the benefits that can be brought about by the internet. However, the onus needs to be on the companies themselves to ensure compliance. A study by MasterCard found that only 25 per cent of European online merchants were aware of Strong Customer Authentication (SCA) requirements under PSD2, a mere 14 per cent actively supported SCA, and only 28 per cent mentioned that they would be SCA-ready by the September 2019 deadline. Due to such poor preparation, the Financial Conduct Authority (FCA) felt obliged to push back the deadline to give UK firms more time to prepare for the new regulation rollout.
Simplicity for developers
Keeping on top of all the requirements without using innovations in compliance-led technology (RegTech) is next to impossible; after all, the last 10 years have seen a 500 per cent increase in regulatory changes in the developed markets, and banks are spending $270 billion per year on compliance and regulatory obligations.
One example of RegTech that helps protect privacy while providing regulatory compliance is in the area of identity verification that can be scaled quickly, efficiently and cost-effectively. Without such capabilities, differing regulatory requirements mean businesses must create separate customer onboarding processes when entering new markets. While in the past this task has been complex and time-consuming, now, through the use of an effective API embedded directly into a digital site, it is possible to securely access hundreds of data sources across the globe and thus verify the identity of billions of people.
Additionally, new technology is now available that provides simplicity to developers who can instantly verify customers in multiple markets, while supporting country-specific Anti-Money Laundering (AML) and KYC laws. Businesses can embed a snippet of code into their website — often the sign-up or registration form — to instantly verify customers in multiple markets. This method is quick and convenient by design, which is ideal in today’s digital and borderless economy, where online identity verification needs to be instant, simple and unwaveringly reliable.
Zac Cohen, Chief Operating Officer, Trulioo