Nike CEO Phil Knight has used “you can make any mistake once” as a core of his management style. It would be interesting to see if Knight would consider the recent mistake of Equifax worthy of his one mistake mulligan.
In case you missed it: Equifax, one of the top credit reporting agencies in the world, houses not only a great deal of our personal and financial data but also our credit scores. It recently had a data breach that exposed the personal information of 143 million Americans. The US Federal Trade Commission issued this "what to do about it" guide (https://www.consumer.ftc.gov/blog/2017/09/equifax-data-breach-what-do).
It is going to be interesting to see how this unfolds. A useful historical reference from a few years ago is the Target stores breach of 41 million American credit cards. There are some major and obvious differences between the two (a stolen credit card is one thing; going all the way upstream to the credit reporting agency is much worse in many respects), but one key parallel is that Target lost the trust of a lot of customers who have never returned.
For Equifax, the short-term implications are clear and unsurprising: lawsuits are flying.
“Meanwhile, Equifax continues to be slammed with lawsuits over the data breach. The latest financial institutions to sue are the $79 million-asset Bank of Louisiana in New Orleans; Aventa Credit Union in Colorado Springs and First Choice Federal Credit Union in New Castle, Pa.”
These bank lawsuits matter for a reason that might not be obvious, and it gets to some of the longer-term implications. Banks already spend at least $20, and sometimes thousands of dollars, just to add a new customer. They are required to run a number of checks that verify the customer is who they say they are (the Know Your Customer, KYC, requirement https://en.wikipedia.org/wiki/Know_your_customer) and to establish where the customer's money came from under the Anti-Money Laundering (AML https://en.wikipedia.org/wiki/Money_laundering#Anti-money_laundering) requirement.
The banks are mad because they are concerned their KYC/AML costs are about to go through the roof, and it is not a cost they can pass on to the customer.
To their credit, the credit reporting agencies have been making efforts to make their data more secure. In May, Equifax and TransUnion announced that they were joining a Canadian blockchain identity network trial run by a company called SecureKey, so that identity data can be passed more securely. https://www.econotimes.com/Equifax-TransUnion-join-Canadian-blockchain-identity-network-trial-685195.
One of the reasons blockchain is such a promising step here is that trust is a core concern of blockchain design. And trust is exactly what Equifax has lost at this point, just as Target lost it. There are many articles on this, and William Mougayar's book The Business Blockchain does a fantastic job of describing it.
But there’s a problem with this approach.
This Canadian blockchain solution assumes that the identity being enrolled can already be trusted. But that assumption is exactly what just got blown up.
This is a "first mile" problem: banks, and everyone else relying on this data, have to assume they can trust nothing about the identity information they hold and go back and start the KYC/AML process over again for each customer, because right now they cannot tell a real customer from someone holding the stolen records.
To make matters worse, they probably aren’t going to be able to ask all of their customers to come back into the bank and re-authenticate their identity to re-establish them from a KYC perspective.
What they need is a KYC/AML check that customers can complete on their own phone or any smart mobile device. That check has to read a government-issued ID such as a driver's license or passport and confirm that it is valid, has not been tampered with, is not expired, and is physically present (not a screen or a printout). It then has to match the ID photo against a selfie, with liveness checks to confirm that a real person is in front of the camera rather than a photo of a photo or a replayed video. The bank also needs assurance that the phone itself is trustworthy and that the selfie was captured and processed inside the phone's secure enclave, the hardware-isolated environment that the main operating system cannot read directly. No hardware is unhackable, but attacking it means attacking each device individually rather than one server.

Further, to protect against future attacks, the blockchain can and should be used to record that a given identity has passed another KYC/AML check, but the personally identifiable information (PII) itself should stay on the phone. One of the strategic architectural flaws at Equifax was that all of the data sat in one place: like a bank vault, an attacker only had to get through one "door" to reach all 143 million records. If the PII instead stays on the 143 million phones of the individuals, an attacker has to get through 143 million doors, each protected by the device's hardware isolation, and a breach of the central ledger yields a record of who has been verified rather than the data needed to impersonate them.
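To make the "PII stays on the phone, the ledger only tracks trust" split concrete, here is an added example (not code from the original post, and not AuthenticID's or SecureKey's implementation). The phone holds the raw KYC fields plus a random salt; the shared ledger stores only a salted SHA-256 commitment, an opaque account id and the KYC outcome. The document, liveness and device-attestation checks described above are assumed to have happened and are collapsed into the single `kyc_passed` flag; the field names, `Device`, `Ledger` and the sample customer are all constructed for illustration.

```python
# Added example (not from the original post, not AuthenticID's code):
# the phone keeps PII + salt; the ledger keeps only a commitment and the
# KYC outcome. Document/liveness/attestation checks are assumed and are
# represented by the boolean `kyc_passed`.
import hashlib
import hmac
import json
import os
import time

PII_FIELDS = ("full_name", "dob", "id_number")


def canonical(pii):
    """Fixed-order JSON encoding so the same PII always hashes identically."""
    return json.dumps({k: pii[k] for k in PII_FIELDS},
                      sort_keys=True, separators=(",", ":")).encode()


def commit(pii, salt):
    """Salted SHA-256 commitment. The 32-byte salt never leaves the device,
    so a leaked commitment cannot be brute-forced from guessable fields."""
    return hashlib.sha256(salt + canonical(pii)).hexdigest()


class Device:
    """Simulates the customer's phone: the only place PII and salt live."""

    def __init__(self, pii):
        self.pii = dict(pii)
        self.salt = os.urandom(32)

    def enroll(self):
        # Sent to the bank at onboarding; contains no PII.
        return {"commitment": commit(self.pii, self.salt)}

    def present(self):
        # Revealed to the bank over a secure channel at re-verification;
        # never written to the ledger.
        return {"pii": dict(self.pii), "salt": self.salt.hex()}


class Ledger:
    """Append-only record of KYC outcomes keyed by an opaque account id."""

    def __init__(self):
        self.entries = []

    def record(self, account_id, commitment, kyc_passed):
        self.entries.append({"account_id": account_id,
                             "commitment": commitment,
                             "kyc_passed": bool(kyc_passed),
                             "ts": int(time.time())})

    def latest(self, account_id):
        for entry in reversed(self.entries):
            if entry["account_id"] == account_id:
                return entry
        return None


def verify_presentation(ledger, account_id, presentation):
    """True only if the account passed KYC and the presented PII + salt
    reproduce the stored commitment exactly (constant-time compare)."""
    entry = ledger.latest(account_id)
    if entry is None or not entry["kyc_passed"]:
        return False
    recomputed = commit(presentation["pii"],
                        bytes.fromhex(presentation["salt"]))
    return hmac.compare_digest(recomputed, entry["commitment"])


def ledger_leaks_pii(ledger, pii):
    """Would a dump of the ledger (what a breach yields) expose any PII field?"""
    dump = json.dumps(ledger.entries)
    return any(str(pii[k]) in dump for k in PII_FIELDS)


def run_demo():
    # Constructed sample customer; not real data.
    alice_pii = {"full_name": "Alice Example", "dob": "1990-01-01",
                 "id_number": "AB1234567"}
    phone = Device(alice_pii)
    ledger = Ledger()
    ledger.record("acct-1", phone.enroll()["commitment"], kyc_passed=True)

    genuine = verify_presentation(ledger, "acct-1", phone.present())

    # Attacker who learned the salt but altered a field still fails.
    tampered = phone.present()
    tampered["pii"]["id_number"] = "AB7654321"
    tampered_ok = verify_presentation(ledger, "acct-1", tampered)

    # Unknown account: nothing to verify against.
    unknown_ok = verify_presentation(ledger, "acct-9", phone.present())

    return {"genuine": genuine, "tampered": tampered_ok,
            "unknown": unknown_ok,
            "ledger_leaks_pii": ledger_leaks_pii(ledger, alice_pii)}


if __name__ == "__main__":
    print(run_demo())
```

Two caveats a practitioner should keep in mind. First, the ledger still reveals which accounts have passed KYC and when, so it is not PII-free in the broad sense, only free of the fields an impersonator needs. Second, this commit-and-reveal pattern means the bank sees the PII at verification time and must not retain it; binding the commitment to a device key held in the secure enclave (so the phone signs the commitment rather than merely revealing it) is the attestation step the post describes and is not shown here.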
So there you go: that is the long-term solution for Equifax, banking and 143 million Americans. Oh, by the way, that is what AuthenticID does today (hear about their blockchain plans at http://tokens.authenticid.co).