 Welcome to the Center for Global Enterprise, Global Scholars Expert Connect series, Identity in a Digital World. My name is Ira Sager. I am Vice President of Global Learning Initiatives for the Center for Global Enterprise. For our returning viewers, I wanna welcome you back to this our fourth Expert Connect in a series exploring the complex issues surrounding identity in the digital world. For the use of you new to this forum, CGE and our Global Scholars Program, let me briefly explain our mission. CGE is a nonprofit research institute focused on the study of global management as practices, the modern corporation, economic integration, and their impact on society. Our Global Scholars Program is a worldwide learning community for business-interested students, academic faculty, and business professionals. Through Global Scholars, we offer online courses and digital internships as our Alpha team, as well as this and other Expert Connect webinars. Participation in all our Global Scholar programs and membership is free. You can find out more information about our activities on the CGE website. Before we begin today's program, a few notes. We will be recording this session and it will be available on demand from the CGE YouTube channel. We will leave approximately 15 minutes at the end for audience questions. If you have a question for our presenter at any time during the presentation, you can submit your question using the Q&A feature at the bottom of your Zoom screen. We will try to get to all your questions time permitted. For today's discussion, we will look at the role of financial institutions in digital identity systems. Over the next hour, we will explore the origins of our current identity challenge and some of the paths to resolving it, especially the potential role of financial institutions in leading the creation of a new generation of robust digital identity systems. Dr. Irving Ladowski-Berger, a CGE fellow and former IBM Vice President of Technical Strategy and Innovation will lead our discussion and now he will introduce today's presenter. Thank you, Ira, and let me welcome everybody around the world to our digital identity webinar. It is my pleasure this morning here in New York to introduce Jesse McWaters, who leads the World Economic Forum Exploration of Financial Innovation and Related Technologies. Jesse has led the WEF's work in exploring the potential impact of fintech in a few reports like the future of financial services and beyond fintech in blockchain technologies, in a report on the future of financial infrastructure and most relevant to our morning webinar in a blueprint for digital identity, which I consider to be one of the best tutorials on what digital identity is all about and what we should do. Jesse manages the Forum's Global Future Council on Blockchain which considers the emerging governance challenges presented by blockchain technologies and has previously led similar councils on a number of different topics. Prior to his current role with the World Economic Forum work, Jesse worked as a financial services consultant with Deloitte. It's my pleasure to now have Jesse McWaters tell us about digital identity. Jesse? Thanks so much, Irving and Ira. It's a real pleasure to get to be here today and to get to talk about this report. And it's sort of funny because this report actually comes from as far back as 2016 in terms of its launch date. But I think in some ways it's even more relevant today than it's ever been before. And it's really lovely to see organizations like yours coming back to it and sort of looking through it. And I think we're seeing a much more sophisticated discussion about digital identity. And I expect that many of the listeners of this webinar will have thought about digital identity a lot, will have done explorations in it. But just to make sure that we can have the right level of discussion, I think it's really important to go back to basics because I think that so much of our traditional intuition around identity can steer us in the wrong direction when it comes to trying to fix the identity problems that we face. And so today I want to talk about four things. I want to talk about the way we think about identity and why it's often wrong. I want to talk a bit about the ways in which the current system is broken and how that problem is actually getting worse every day. I want to talk thirdly about how a better identity system is possible. And then fourth and finally, I want to talk about why this matters to financial institutions and how financial institutions can play a leading role in the development of new identity systems and the resolution of our current identity crisis. But let's start at first principles. A week ago, me and 500 million of my closest friends found out that a number of aspects of our personal data may have been exposed in a half of Marriott's SPG databases. And if you go back a few years earlier to 2017, Wells Fargo had a challenge wherein they ended up having to fire 5,300 employees and a number of executives in a scandal regarding account openings where people were having many different accounts opening for them that they hadn't actually asked for. And perhaps a bit on the lighter side, if we go back even further to 2008, a 33-year-old woman in Michigan was charged for posing as her daughter to join the high school cheerleading team in effort perhaps to relive the glory days of your. So what do these three things have in common? Well, I think it should be fairly clear given the topic of the presentation that these three stories are all about the fact that it's becoming harder and harder for individuals and indeed institutions as well to manage our identity. But I think that we need to reflect on the fact that solving this requires us to think differently about identity because inevitably if you have discussions about cyber reaches, if you have discussions about identity theft, people will, you know, at some point they'll sit back and they'll say, hmm, well, what we really need to solve this problem is digital identity. And in my work on financial innovation, we heard this over and over again, vis-a-vis discussions of fintech. Fintechs would be having trouble figuring out our onboard customers, there would be challenges around partnerships between fintechs and incumbents and these would often be rooted in the management of customer identity and so people would say, oh, well, what we need to solve this problem is digital identity. But I mean, forget about the digital part for a moment. What do we even mean when we talk about identity? And that may sound like a pointlessly philosophical question, but I think it's important because people mean very different things when they use the word identity. I mean, you might be talking about your personal identity of your familial lineage, where you come from the history of your people, if you will. You might be talking about the way in which you think about yourself, your conception of who you are and how you exist within the world. As we start to get more physical, you might think about it as the cards that exist in your wallet, the passport that you keep in your software. And if you have a teenager at home, they might be thinking about it in perhaps a little bit more of a technologically mediated form and for them, identity might really be the things that they put out onto social media, the social graph that they interact with there and the trail of data and relationships that they leave in their wake. But I think that while identity is all of these things, thinking about the way in which we experience identity today won't help us with problems like the ones that I discussed earlier. Instead, we need to think about identity as a system. A system specifically for serving a core goal and that core goal is enabling you and someone that you don't know to engage in a transaction with confidence. And I don't just mean a monetary transaction here, I really mean any type of interaction that requires individuals to have confidence in each other and what is that confidence? For me, that confidence has two parts. It's confidence that I am who I say I am and it's confidence that the person I say I am has the right attributes to engage in that particular transaction. So I can prove to you maybe that I'm Jesse McWater as I can prove to you that I have his fingerprints and I have his birth date and you can be sure that I am who I say I am. But if you wanna get a bone set, then you probably don't just want to know that I'm Jesse McWater's, you probably wanna know whether or not I've been to medical school. I haven't, please don't ask me to set any bones. So in this sense, I think it's important to start to break identity down into two parts. That is authentication, I am the person I say I am and the attributes that I as an individual or an organization have, things like my birth date, my educational history, my financial assets and my credit history, all of those sorts of things, my past data and interactions, my social track. These are all aspects of my attributes as an individual or an organization. And I think that this distinction is absolutely critical. It's something that identity discussions are getting much better at resolving. But when we wrote this paper in late 2015 or the 2016, there was really a lot of people saying, well, there's a fingerprint reader now on the phone, biometrics, it solves the identity problem. Well, no, because identity isn't just about authentication, it's about the management and the exchange of attributes. And so let's get anthropological for a second here and think about where identity comes from. And I'll practice anthropology without a license for a moment. If we think about early human communities, identity management was easy because everyone knew each other, they knew one another's business and years of interactions developed deep social bonds so that you knew who you could trust and on what terms you could trust them. But as societies became more complex and interactions with strangers became commonplace, new and more sophisticated mechanisms were needed. And in the simplest sense, I think what was needed was a third party. And for the purposes of this discussion, I'm gonna call an identity provider. The identity provider is at its simplest, someone who knew who I was, who knows who I am, and who's trusted by you, the relying party, the person who needs to know whether or not I have an attribute so that you can know whether or not to trust me with your broken arm. You trust the identity provider vouching for my attributes. So we'll call this, you know, me, the attester, the identity provider and the relying party, together we form the early stages of this system of identity. And the technology that we've used to mediate this has evolved over time. You know, if you think back to the middle ages, if you needed to travel to a neighboring village, you might get a magistrate to write you a letter saying that you were of a particular character or you were a member of a particular guild and they would fix it with their seals. So we're seeing here the identity agent, the identity provider using technology to have an attestation be credible to a relying party, somebody in a distant village who needs to know whether or not you're a member of the par's guild or something. And over time, we see this system become more sophisticated, more established, centralized governments become important to mediating complex trade and travel that has characterized the world for hundreds of years. But I think it's important here to recognize that identity doesn't need to only be rooted in the government. The government magistrates and you know, passport issuing agencies aren't the only credible identity issuers. A great example of this from David Birch's iconic book, Identity of the New Money. In the late 1970s and 80s, there were a number of bank strikes in Ireland and the result was that people quickly ran out of cash. And to deal with this, they started writing each other checks. But how do you know in an environment like that whether or not you should accept a check from someone? You don't know maybe who they are and you certainly don't know whether or not they're credit worthy. Where could you find someone or an organization central to the community with the type of knowledge necessary to make those accastations of credit worthiness? Well, the answer, funnily enough, was the pub. Knowing their customers very well, publicans stepped in and started to help relying parties understand who they should and should not accept checks from. And so we see here that identity providers can take many forms. They can be governments, but they can also be private institutions and what's really important is to have free flowing information between the individuals looking to attest to their identity and the underlying relying parties. So this all sounds great. What's the problem with identity today? Do we not have relying parties anymore? Well, certainly we do. And we have identity providers as well. The real challenge though, even though the existing system up until recently hasn't been perfect, the real problem has been the advent of the internet. Now why is that? That's because the internet was built, as it famously said, without an identity layer. That is, the internet was built to have one computer know the identity of another computer that it was speaking with, but not necessarily with the individuals using those computers. And so this is what's brought on that famous New Yorker cartoon that we've all seen far too many times. On the internet, nobody knows that you're a dog or perhaps more accurately today. On the internet, nobody knows that you're a botnet pretending to be a dog. And this absence of an identity layer has been really challenging for relying parties. It is organizations engaged in commerce on the internet who need to confirm the identity of their users. It's effectively meant that you've had to operate in a kind of wild west environment where you're your own sheriff, determining the identity management processes that you need to use, gathering and maintaining the identity data needed to provide services to your user base. And that creates an enormous amount of additional work for relying parties. It makes onboarding customers expensive. It makes serving those customers expensive, particularly when they keep needing to have their passwords reset. And it puts a target on your back because it requires anyone, even if they don't want to, to maintain extensive customer records that are constantly at risk of being hacked and resulting in subsequent lawsuits. It's also problematic for users like you and me. We all know that it's frustrating to go through the rigmarole of providing the same information over and over again to providers. We know that it's insecure because we keep forgetting our passwords. And even if we don't, it seems like the organizations that we give our data to keep on getting hacked. But most importantly, it's resulted for users in a loss of control of identity because we've given our information to half the websites in the world, but there are organizations, large technology companies out there who are specializing in the combination and the monetization of this data. It's a serious problem and it's getting worse. It's getting worse because more and more of our activities are moving from the physical world and into the digital one and we're increasingly having millions of devices on the so-called Internet of Things, all of whom are going to need information about our identity out there in the mix. We need a solution that cuts through the costs and the insecurities of the current system while ideally giving control back to the users and the ultimate owners of the identity data. The good news is that a better identity system is possible, but we need to be careful because there's a temptation to think about the system that's worked before and to try and design some sort of internet passport, if you will, that takes the experiences of identity to date and looks to replicate them in the digital world. But I think that this is actually a great mistake because there's an opportunity to build identity systems that are fundamentally better than the ones we have now. What would a better system look like? Well, a better system would be fundamentally more secure than the one we have now. We would use all the most modern encryption techniques and ensure that things were fully secure. It would put the user in the driver's seat, inviting them to have control over which relying parties they share with and the specific data that they share with as well as how that data is ultimately used and monetized. And I think the most important and the most significant distinction from the way in which the current identity system operates is that it would be privacy preserving. To understand what that means, let's go back to the pub for a moment because if I went into a bar today, I might be asked by the bartender or the publican to provide evidence that I was old enough to be there in the traditional way in which we would do that and as we would hand over a car, right? You'd hand over your driver's license. But my driver's license isn't just a proof that I'm over 21 given that I live in New York or whatever age in whichever jurisdiction you're in. It also contains my date of birth, my home address, my eye color, much, much more information than is needed by the bar. And if we start to put this sort of card-based system into the digital world, it means transiting these packages of information. It means sharing much more information than we need to and having that information be retained on the servers of the relying parties. But in the digital world, all we need is an attestation that in the example of the bar that they can be confident that I am over a required age. And in a digital world, we can ask a tailored question like, are you over 21? And receive a tailored answer from a credible identity agent of yes or no. And moreover, if we seamlessly design this process, there's no need for the relying party to ultimately store any data in order to engage in this simple transaction. It's just something that we can do seamlessly every time. So that sounds great, right? Like, this is a better identity system better for users. It's better for relying parties. It's more secure. How do we get there? I think fundamentally there are three to simplify ways of doing this. One is you push the system top down from the government. We've seen incredible things done on this front in places like India with the Adahar system and Estonia with their EID. But this can be really challenging. It's very politically fraught discussion. Lots of people don't want the government to be in control of all of this data. A single government pool of data can be a honeypot. And I think particularly in Anglo-Saxon communities, there's often been a bit of an allergy to the notion of government being in control of so much. And so maybe you wanna go to the other side of the spectrum. Maybe you want to have self-sovereign identity. You wanna use distributed system, such as a blockchain, to put the individual in control of all of their identity attributes and to be able to share those with individual relying parties. It's an interesting idea. There are lots of people doing work on this right now. So far the technology remains not quite ready, but there's definitely interesting stuff going on. And then there's a middle ground. There's a middle ground of systems that are either centralized or fully distributed that are consortiums led by mobile network operators and banks that are doing things based on high quality information on the identity of their users that they already have, providing a new service of attestations out to third parties. We've seen this particularly with banks who are required to go through a really extensive Know Your Client or KYC process in order to onboard people, something that's heavily regulated. And so in Nordic countries and in a new system being built by the Canadian banks, you're seeing these type of identity and attestation network, sometimes called bank ID being developed. And I think that banks have a key advantage here. They've already done the difficult and expensive work of identifying their customer in a way that's understood by the government. But you might ask, why would a financial institution want to provide this type of service? How is it relevant to the core work that they do of managing money? Well, I'll quickly go through a few reasons why. First, quite simply, there's a huge opportunity to cut costs here, to streamline onboarding and adjudication, to reduce abandonment with new product sales, to improve risk assessment and scoring of credit, potentially even doing some really interesting things there. There's an opportunity to have customers feel better engaged with the bank. They trust the bank in many ways to store their data, to store their money. They can also trust it to streamline their interactions with everyone from a bartender to a rental agent to a home purchase management project. It also gives banks a greater amount of data, potentially, to provide tailored products and experiences. And finally, I think there's an opportunity to roll out new revenue services, the opportunity of offering identity as a service to customers, maybe even to those who don't bank with them, and offering new and interesting streamlined products and experiences, things as far-flung as digital tax filing. But for me, none of this is the most important reason why banks should be thinking about ID. The most important reason is a broader regulatory shift that financial institutions face. Customer data is becoming more portable under open data regulations like European Union's Second Payment Services Directive. At the same time, those regulations form a clear and present danger to the customer ownership of banks. And so banks are in this interesting and challenging position. On one hand, it's being demanded of them to move customers' private data in new and challenging ways, and that in and of itself would benefit from improved digital identity practices. But also, there's a risk that the customer engagement that banks so value might be pulled away by a third party via these open data frameworks. And so I think there's a key opportunity here to deliver identity management from banks as an opportunity to tie themselves to the customer, to deepen the customer's trust with them, and to become an important part of this critical service. And so I think the road ahead for digital ID is far from clear, but I think it's both a responsibility and an opportunity for financial institutions at large, a responsibility to provide their customers with a safe and effective way of managing the world and in particular of managing a world characterized by open banking, but also an opportunity to find the customer more closely to them to provide new products and services and to drive improved ROI in terms of their basic cost face. And so I'll wrap up here and throw it back over to you, Irving. Thank you, Jesse, for that excellent tutorial on what digital identity is and how it should be managed in the future. And let me ask you a few questions and then I'll turn to my colleagues, Chris Kane and Ira Sager for any questions they might have. And we have a couple of questions from the audience. So, Jesse, when I first read the world, the WF report that you collected, I was very intrigued with the recommendation that we should have identity service providers that essentially become the leaders of an ecosystem of institutions that provide data and then the leader of the ecosystem can validate my identity or an institution's identity by querying all that data. Where are we in this notion of creating identity service providers? Yeah, and I like the way that you phrased this as identity service providers because one of the things that I think is always important to understand about this report is that while I work primarily with financial institutions and the challenges of financial institutions and fintechs are my focus, while we identified an opportunity for financial institutions to play an important role in here, we don't think that this role is only for them and we certainly don't want to suggest that we are backing a particular one of the three high level approaches that I said. I think that in terms of the maturity in this space, we've really started to gain momentum. For me, the sophistication of the dialogue that we're having with policymakers and with institutions has significantly improved in recent years. I think in parts that's driven by the challenging environment that we find ourselves in, it seems like every day there's a new hack or a break and people are realizing that we need to think about identity in a different way. I think the most advanced deployment that we're seeing in this space is the one that I referred to in Canada where a company called Securekey is working with a consortium of five banks, the federal and at least one provincial government as well as a few mobile network operators and insurance companies around creating a federated IE system and that's scheduled, I think it was originally scheduled, I believe to go live late fall of this year. I think that they have now pushed it to early 2019, but that's a system that's ready very soon to go live. And I think that seeing that system has been useful for a number of parties. And you're looking, for example, at environments like Australia, thinking about how they can go about building new and better identity systems. And, Jesse, again, when I was thinking about the notion of identity service provider, a term by the way I learned from your report, that's why I've been using it, I thought that this was a natural for let's say credit card companies like Visa or MasterCard, because they already work with, first of all, almost every bank around the world as well as their different clients in different institutions. And when I talked to some senior people in credit card companies, they said, yeah, this could be a potential source of revenue for them and it's very appealing, but the problem is liability, that unless there is limited liability, if it's unlimited, then if you validate an identity and it turns out to be a mistake, you can be sued for everything. I'm sure you've thought about this. What should we do about it? So I think there's no easy solution here and this is something that we've discussed extensively with parties both looking to think about identity at an individual level, but also thinking about identity at a corporate and an institutional level, interestingly. There's been a lot of discussions about KYC, this know your client process and opportunities to collectivize it, right? So it seems a little bit insane that the same six or seven banks are all validating the KYC details that they need to know about the same 100 large institutional customers that they work with, but the problem that they face is exactly the one that you brought up, liability. How can I know that someone else's check is something that I can rely on? I think that fundamentally, this means that from an identity perspective, we need to have governments involved in this process and they need to be involved in defining the appropriate standards, because I think it's clear that if we do a one and done or an ongoing one and done approach to identity management, then we can actually get higher levels of credibility, right? The bartender checking my ID versus the banker onboarding me go through very different levels of authentication of who I am. And so obviously in that case, the bank is more credible at a testing my age than the bartender is at checking an ID. And so there's an opportunity for us to reduce risk in this system, but as you've said, we can only do that. We can only get to those higher levels of assurance if the bartender knows that this is an appropriate identity mechanism for them to use. We have a question here from Wasiola Meady and it's a two-part question. First, does monitoring and evaluation play a big role in digital identity? And second, what in your opinion is the best framework to be used for digital identity? Sorry, can you state the first question again, Irving? Yeah, the first question is does monitoring and evaluation play a big role in digital identity? In other words, let's say I'm assuming my identity service provider may not only validate my identity when I give permission for that to do that, but perhaps they will also monitor what's going on with my identity and alert me if there is a problem as an example. Yes, yeah. And so I think that really cuts to the core challenge of this, right? The identity providers need to be credible entities on a sustained basis, right? And the framework for understanding what that means differs depending on the implementation method used, but in almost any case, there's a need for ongoing monitoring and evaluation. If it's a centralized government system, there's a need to make sure not so much that the entity is credible, the relying parties know that the law would be allowed to rely on the government, but to make sure that there aren't individuals within the government who are misusing the data at their disposal. There's a funny instance from the Estonian ID system where a police officer was bound to be using the ID system to check up on their significant other and basically surveil whether or not they were running around on them. And unfortunately, that system was well structured in such a way that it was audible and that kind of individual could be identified and those sorts of abuses were significantly less prominent, arguably in the Estonian system than they might be in other less regulated identities. And Jesse, I'm assuming that in principle, blockchain could play a role by keeping track of all identity checks so that there is a record that's non-revocable should you need to investigate, correct? Yeah, I think a non-revocable indelible recording system is absolutely critical to aspects of maintaining this. Though there are complexities around that, right? We live in a complicated world that the classic examples are things like, what about espionage agents and witness relocation programs? Those need to have some sort of oversight that allows us to create multiple identity system. So blockchain isn't a perfect fix and there is a need in some cases for governance systems that allow crucial exceptions like that to be made. If we think about the bank ID system, this is very much a world in which we need to ensure that banks or any identity provider within a federated network is, A, meeting the appropriate levels of assurance in terms of their initial validation of attributes and the data within the system is being kept current. And I think all of that lives within a broader regulatory and governance framework. That's why while self sovereign systems, fully distributed systems can be appealing, my view is that in order to have credibility, they still fundamentally need to be grounded in systems that have some level of checks and balances of oversight, be that from government or in the case of some systems like sovereign, a foundation that provides that oversight and that assurance. Yeah, so that takes me to the next question we got from Gregory Meele and Gregory sent a few questions. The first one, he reminds us that our, you know, with the notion of banks being great identity service providers, he reminds us of the role of banks in the financial crisis of 10 years ago. So we have to do much better than we did then about managing the trust in banks. But he also asked, given that each nation may have a totally different view on privacy and how to better manage personal identity assets. How do you cut through that in a global world where, you know, people may be citizen of more than one country or we are traveling and whatever and where does the five eyes feed into all this? And I know this is a long question, so I leave it to you to parse it and prioritize your answers. So I guess, firstly, I'll address, yes, banks were absolutely involved in the financial crisis of 2008, I think no institutions are perfect. And yeah, there are those that you can't track and those that you can, but yeah, so we'll put that aside for a moment. I think there are challenges with government we've seen recently challenges with institutions like the large technology companies that we're gonna have problems wherever. I think having a strong governance framework in place is really what's required. Secondly, onto the second question of international frameworks. Right, right, right. I think that it is tempting to imagine digital identity as a top-down system that we establish as a single global identity, that's fundamentally not possible. No. At a national level, we are still defining or in some cases, super national, such as in the case of the EU, we are defining the appropriate privacy restrictions for the individuals who live there. And we can see that privacy expectations in a place like the European Union versus privacy expectations in a place like the United States versus those that exist in China are very different. And I would argue that there are both governance and cultural forces at play there, right? I think that fundamentally where we landed in our blueprint for digital identity paper was a view that we need to look to set up a network of networks. The fundamentally retail individual digital identity will exist first at national levels and that increasingly we will be able to build networks of interoperability between those. And so think of a system as far from perfect, but the system of payments. Each individual nation has a payment system that operates internally, that is customized to the preferences, the security needs, the banking structure of that country. And then we have systems like Nostro and Swift that provide connectivity across those organizations. Yeah, that's a problematic example to give in some sense because as we often say in financial services, those payment systems are a little bit antiquated, they don't provide the level of service that we would ideally like. But fundamentally I think from an architectural perspective it gives us an idea of the direction we might want to move in. Yeah, and Jesse to follow up on that, for example my US passport is recognized by nations around the world. And that's a kind of example of a global identity systems that more or less works, correct? Yes, I'd agree. So maybe even though it's very difficult, passports and things like that are at least an example of the kind of system that could be used. Let me ask another question we got, this one from Joyce Nambasa. And Joyce again, asked a number of questions. It's the same thing that we've talked a lot about banks but the reality is that let's say mobile network operators have a lot of data but ourselves that is extremely useful in validating identities and other institutions, let's say in the government at our last webinar, Jeremy Grant said that the IRS in the US has a lot of data that they could make available to validate my identity if I give permission, same with the different motor vehicles of the different states. So a really good identity service provider should in principle form the right ecosystem of institutions, both public and private, whose data can help validate my identity with my permission for them to use that in validating my identity. Is that correct that in fact, you can even say that the service providers can compete in how good their ecosystem is and on the failure rates of bad identity answers. Is that a correct way to look at this? So I won't comment on that last piece. I haven't had a chance to really think that through but I think that a good federated identity system involves many different kinds of identity providers not just financial institutions. I think the narrative that I told about, am I or am I not a doctor? That's not data that it would make any sense for a bank to hold. It's information that would make sense for a national health department or perhaps a doctor's accreditation organization makes sense for them to make those sorts of attestations. And so I think that you're absolutely right. Players like mobile network operators have an important role potentially to play here. Even players like the large technology companies could potentially bring to bear useful insights and information into a system like this about my social graph or my past social interactions with an individual or an organization. Fundamentally, what I think is important here is the idea of a network of identity. We're in certain types of identity providers are trusted for certain types of activities. And we saw in this paper that banks might be a particularly important part of catalyzing that system. And I think the catalytic effect is fundamentally that they have certified through their KYC process the core attributes of the vast majority of the population. And so there's a good starting point there for basic information about residency, data for national identifier, number, et cetera, et cetera. They can be a starting point to build out a network. That is to be honest, not as much the case I think in the United States as it is in some other places. If you look at an environment like Canada or an environment like Australia, the establishment of a federated system there is somewhat easier because the banking system is concentrated. 90% of Canadians bank with one of five banks, 90% of Australians bank with one of four banks. And so there's a really easy way there to get a limited number of players with similar interests on the same page and get the ball rolling. But if you look at the system in Canada, government very quickly came to the table. Mobile network operators are increasingly getting involved. And I think you're going to see more and more identity agents fitting themselves into that governance structure. No, I understand. And again, a point that you made in the 2016 blueprint for digital identity report is that a reason you felt financial institutions have a big role to play is they are already used to being regulated and not only in one country, but in all the countries which they do business whereas for example, technology companies or Silicon Valley startups may start by fighting regulation and that will not fly when it comes to identity. Is that correct? I think that's absolutely correct. And I think if you look at the environment that we've lived in the last 10 years, where while it is, as you can see by the news stories, evidently imperfect, increased expectations around things like anti-money laundering have forced financial institutions to make massive investments into understanding identity attributes and the management of those. But I think there's an opportunity here to do two things, to one, leverage the competencies of banks in this area and the existing frameworks of regulatory scrutiny that they're subject to while at the same time making that process more effective and streamlining it from a cost perspective for financial institutions. Very good. Now my CGE colleague Chris Kane has a question. So Chris, go ahead please. Thanks, thanks Irving. Jesse, thank you very much for that excellent presentation. I've got two questions, but I wanna begin with your distinction of identity authenticity versus identity attributes is interesting. And are there practical use cases where identity attributes can be used delinked from identity authenticity or is identity authenticity necessary but not sufficient? That's an interesting question. I think that fundamentally oh yeah, I'm gonna get myself into trouble here. Oh go ahead, get in trouble, that's all right. I guess I can imagine that you, just off the top of my head, that you might be able to design a system where the attribute is the only thing that is important or where, I think you can certainly design systems where the authentication of the individual is blinded to the relying party. So the relying party does not necessarily need to, for example, know that I am who I say I am. They only need to know that the person who's in front of them has the attribute that they're carrying. Similarly, you can imagine something like a voting system wherein the attribute might in and of itself be enough. The attribute of is a citizen eligible to vote and the attribute of has not yet voted together could kind of come together to give you a right to vote. But that's, again, I'm thinking off the top of my head here. It's an interesting question and I think one that's probably worth, I wanted others to probably already thought about much more than I have. Yeah, the reason I asked is I could envision, it might be easier to counterfeit or to falsify identity authentication that it might be identity attributes. But I don't know, thank you for your at least response and that might be an area where we might want to do a little bit more thinking and research. My second question was around your points on government. So if government, according to you, has to be involved and I agree with that, what is the most appropriate and probably accepted point of entry into government? Who in a government do you think should be the owner or the sponsor of government's role in this? Because as we know, governments are multifaceted and your point of entry and who your partner is within the government is going to determine very quickly whether people are going to trust a system like you've been suggesting. Yeah, so I think that's a really interesting question. I'm unfortunately doesn't really have an easy answer because government systems differ so significantly around the world and in particular that you often in a lot of environments have challenges in terms of national and sub national governments needing to come into alignment around developing a system like this because since it touches every aspect of individuals and organizations life, it inherently moves across jurisdictions. I think that for federated systems, the key is establishing some sort of wedge. And so if you look at the discussions that are happening in Australia, for example, they're being driven in large part by a mix of the Treasury Department and the Digital Transformation Authority an organization that's responsible for sort of driving a more digital, a more efficient Australia with higher productivity. In Canada, it started in some senses in a really odd and unexpected place. It started with the tax authority but not in terms of better managing identity in order to claim more taxes from a really, really simple cost reduction plan. So basically the Canadian Revenue Association, the tax authority in Canada, looked at their expenses and realized that both a core point of cyber risk, if you will, and a significant driver of expense was doing password resets for digital filings because people forget their passwords all the time and particularly in an environment where you only file your taxes once a year, they were forgetting almost every year. So you had a huge percentage of passwords being reset every year. And the costs of having the right level of assurance on that were really high because it often involved needing to have a phone call, validating pieces of ID, sometimes needing to have things mailed, a complex process to make sure that there wasn't fraud in the return system. And so effectively what the Canadian Revenue Authority did is they said, we need a way to fix this problem. Let's go to an organization that we, A, know every Canadian works with and B, know has assured their identity at a significant level. And they said, let's use bank ID as a proxy. Let's use digital banking login as an opportunity to streamline onboarding into the tax filing process. And that's really the starting point in many ways of the system that's looking to be rolled out now in Canada. So I think fundamentally to answer your question, just like the characteristics of the system from a privacy perspective, the starting point is going to differ from country to country. Yeah, and let me now turn to Ira Sager. My colleague from CGE who has a question as well. And then Ira can close out the webinar. Ira. Great, thanks for everything. And thank you, Jesse, for a wonderful presentation. I have a question, somewhat of a follow up to Chris's. I'm curious about the role of government because we discussed the financial institutions certainly as a great platform for delivering identity management systems. But the argument can be made for telecom companies and possibly even tech platform companies like an Amazon or Google. And I wonder what specifically is the role of government? You can envision a future where the consumer is confused by competing identity management systems from different players. So what role will the government play or should the government play in standards or offering systems to consumers? So I'll address that on two levels. Firstly, we laid out in our report a set of guiding principles for digital identity in our report. The digital identity should drive for the social good, that it should be privacy enhancing, that it should be user centric, that it should be viable and sustainable. That is, it can continue to exist and that it should be relatively open and flexible, allowing for new connections to be added and allowing for identity to evolve over time. And I think the role of government is fundamentally to enforce and to ensure those principles are in place. And then I think that one of the ways in which that might ultimately be deployed is if we think about the federated identity system at multiple levels. So you might have an identity agent, if you will, a user experience provided around the interaction of identity. There might be competition in that space to provide the best type of user experience. Maybe a bank seeks to do it, maybe a tech company or someone else. But ultimately, the underlying rails that create connectivity between relying parties and identity providers and the standards that the government holds those rails to, I think need to be overseen by the government and that there should be not too many of those sets of rails. So I don't want to say that it should necessarily be that there's only one set of rails. But I think that in many cases only one set of rails would make sense and that the government can be responsible not necessarily for building those rails, but for establishing the minimum standard for those rails in the same way that they might for physical rail networks within their own country. Great, thank you. And I guess we'll wrap up the discussion with that last question. And I want to thank you, Jesse, for a great presentation. Irving, thank you. And of course, our audience. Our next forum will be held on February 7th and we will feature Tarun Wadhwa who will discuss his upcoming book, Identified and he is exploring in the book the global rise and convergence of digital identification systems and how that's quietly reshaping our world. I hope you will join us for another interesting view of identity in the digital world. Thank you. Thank you. Thank you, Jesse. Thank you. Thanks very much.