Bank Technology News: Uncle Sam Comes Knocking
October 12, 2005
The U.S. government's interest in having banks help it form networks of federated identity, thus allowing vetted, shared user-credentials between government and private industry, is obvious. So far, only four banks (Wells Fargo, Wachovia, National City and an unidentified bank) have signed on, though more are expected to join Uncle Sam's E-Authentication Federation. The looming question: What's in it for banks?
By Glen Fest
By some accounts, banks can accurately denote "who's who" of 90 percent of the U.S. population from a trove of authenticated identities. Reams of documents and data from customers have been compiled through "know-your-customer" regulations and account-opening marketing and sales tools. Uncle Sam, on the other hand, would have difficulty discerning anyone from Adam, given the balkanized user databases of federal agencies and the current lack of a centralized national identity system. It's no surprise, then, that the federal government would like banks' help in creating networks of federated identity, or the concept of sharing vetted user credentials between organizations, including government and private industry.
Foremost among these plans today is the E-Authentication Initiative, a program organized by the U.S. General Services Administration, charged with certifying and organizing standards and protocols for both public and private shareholders for the government's E-Gov services build-out. Explaining the GSA's interest, Scott Lowry, a consultant working with the authentication group, says banks are highly regulated and identity management "is part of the fabric of the banking system." That means the industry "is sitting on the largest pool of credentialed users" among all potential private sources of authenticated identities, he says.
One hiccup in the government's plan has been the industry's limited interest in participating in federated identity. Only four institutions (Wells Fargo, Wachovia, National City Bank and a "university bank" of unknown geography) are participating in the 150-company E-Authentication Partnership, a stakeholder group formed last year to roadmap the public/private matters of trust levels and rules for issuing credentials. "For the other banks not interested, [it] is being done in such a way that it's kind of hard for a bank to understand how they can benefit from it," says Karen Wendel, CEO of the bank-owned identity authentication consortium Identrus, an EAP member itself. Much of the focus on advancing federated identity through the E-Gov initiative has been with technical issues, and "tended not to address the policy and legal aspects that all the banks have to address," she says. "There's not really an acknowledgement [from banks] that that was something that needed to be fixed." But could the logjam soon be broken?
As early as this month, the GSA is expected to announce its next major phase in federated identity, the E-Authentication Federation. The federation will be the infrastructure by which credential providers approved by the GSA, which partners with 23 federal agencies, will launch pilot programs. Those key providers will include an undisclosed number of financial institutions.
The initial rollout will involve only a half-dozen implementations through lower-profile specialty federal agencies, and be the first major iteration of the federated identity-authentication service rolled out for E-Gov. On-line credentialed users could surf in from third-party identity authenticators, ready to enroll in benefits or access sensitive personal data from a federal government agency without needing to re-authenticate. According to E-Authentication Initiative deputy manager Georgia Marsh, the audience for this pilot could be huge: as much as 50 percent of the country's enrolled on-line banking market would have access to the six government applications reachable through bank-credentialing portals. "We're going to look at other vertical industries and other entities as well for issuance of credentials down the line," said Marsh, noting it is "clear to us that this was a good fit, and that we had partners that would be willing and would make a lot of sense."
The GSA is "willing to accept credentials from third parties, not just banks, who meet their certification requirements," says Carol Boye Benson, founder and partner of Glenbrook Partners. "Of all the available classes of third parties, banks are the ones that have both a large established on-line credentialed base of customers and solid 'know-your-customer' practices in issuing those certificates."
The names of the partner banks participating are being kept under wraps with nondisclosure agreements for now. Wells Fargo's interest in the GSA's federated identity program is no secret, with its participation in the EAP as well as appearances by Wells senior vp for e-Business, James Gross, at federated identity policy conferences. Earlier in April, Gross commented at another policy conference that education, government and industry interests in identity authentication were converging. "I'm here to tell you we have a long way to go, but there are definitely much stronger forces at work in moving this convergence ahead than just a year ago," he had said. Gross and Wells Fargo declined comment, as did other large on-line banking players, Bank of America and Washington Mutual.
The scope of the banking industry involvement in the GSA's federated identity plans could potentially prove a milestone in the drive to make shared credentials a common cross-industry function. Universities, merchants and utility companies are possible generators of these authentications, but none has the reach, daily consumer contact or trust levels of banks. "If they actually announced agreements and time frames for something that would become real involving banks and [credentialing] agencies, that would be a major milestone," says Dan Blum, senior vp and research director of the Burton Group. "That would be one of the first of the advanced frameworks or federation...[and] that would be a big win for the federal government."
Getting banks technically prepared for federated identity isn't considered an issue. Benson notes that most identity-management products banks invest in come with federated-identity components in the box. "It's really significant to note that, technically, the banks are really pretty far along in being able to do whatever they might choose to do in federation," she says. The GSA published plans for the E-Authentication Federation in the August 5 Federal Register, describing the new entity as infrastructure allowing the authorized exchange of information among approved GSA-credentialing providers and federal agencies. A single-sign-on will allow a user to navigate from the credentialed portal site on to government agencies. "At the outset, we will support about a half-dozen pilot implementations, mostly focusing on government applications that serve relatively small, specialized sets of customers," wrote communications specialist Brian Doherty in a statement.
The federation will meet with the GSA's stated goals for the federated identity program: no reliance on a single standard, vendor, product or integrator; the ability to evolve with industry and technology changes; and the use of commercial off-the-shelf products demonstrating interoperability.
Why is this such an important topic? Simply put, Blum says, "It's the wave of the future." The 25 E-Gov Initiatives signed into law by President Bush in 2002 basically envisioned putting the government on-line. Benefit applications, purchases, queries and any transaction with public entities are to evolve into electronic form, for easier citizen access and cost savings.
The E-Authentication Initiative is the "enabler," Marsh says, for the other initiatives, all of which will require user authentication at some point to facilitate E-Gov promises. Citizens, federal employees and business officials will only need to be authenticated once, with a single set of authentication tools, be it passwords, PINs, tokens or, eventually, biometrics. "No agency that's running these e-government programs...can afford to keep a database of all the identities of everyone in the government or all of the employees of the businesses that they're concerned about, let alone all of the citizens of the United States," says Blum.
According to Blum and GSA officials, live operations of some federated-identity pilots have started, but primarily in lower-activity spheres of the government, like internal government travel or grant-writing functions with universities.
Some federated-identity models outside the GSA model have sprung up, such as direct contractual partnerships (think Fidelity's 401K NetBenefits product) or industry-specific communities of federation. Many examples of the latter two have been slow to roll out, according to Blum, because of the many legal and procedural hurdles that have to be met even in simple one-to-one federations. "If you have two financial institutions that have a common application that they wanted to play...in order to start federating the application, they need to establish some business and legal agreements," he says. "Let's suppose these two financial institutions haven't worked together a lot before, so there's not a lot of a high level of intrinsic trust between them. They have to resolve a lot of issues around roles and responsibilities, and liability and so forth, and there aren't clear guidelines as to how that should work."
Wendel says the liability issue has been under-analyzed with the GSA federated model. "In the EAP model, they don't support any sort of contractual commitment. What they support is basically [that] you agree to belong to this broad open-standards type of community," Wendel says. "So banks have to make some decisions about the levels of risks that they're prepared to accept under those kinds of circumstances. The government is saying, 'We don't want to do this.' The banks are saying, 'Well, great guys, we'd love to do it, but you need to enable to have the protections that we need in order to manage the risk associated with doing this. You need to meet us halfway.'"
The proposed model also depends on a "trust chain" that Wendel argues may not stand up under the brunt of differing authentication levels among organizations. How would a bank's password- or PIN-authentication credential be sent to a government agency with a higher-level multi-factor access requirement? That point could be moot if regulatory examiners push banks into multi-authentication in the years to come, as the Federal Deposit Insurance Corp. recommended in February, but Wendel believes it won't be a compliance issue until late 2006. "But the minute you have the crossing of different levels of security, the chain is only as strong as the weakest link," says Wendel. "The way the EAP is set up, if something goes wrong, there's still no liability." Or there could be unknown liability on the institution's part, ponders TowerGroup analyst George Tubin. What about passing somebody through who was authenticated, but who turned out to have a stolen identity? "That's where the liability lies," he says.
Doherty says the GSA's pilot programs will mostly feature the lower-level authentications at agencies, using the open-standard SAML (Security Assertion Markup Language) assertion, which has been supported by the Financial Services Technology Consortium for third-party federation.
One question banks must face is the reality of customer acceptance. Even with notable cases of data breaches and identity theft in the headlines, "customers aren't fleeing on-line banking, [even though] most institutions have not gone forward and strengthened their on-line authentication," said Tubin. Would the same hold true, Tubin wonders, if customers were told of a breach outside the bank with its federated identity partner? Benson says the "overwhelming motivation" for banks to enter federated-identity arrangements is for additional services and enhanced relationships with customers. "Banks have a secondary interest in what would be essentially a new stream of revenue, from the government paying for this authentication service," Benson says. "They are certainly interested in the revenue, but I don't think they would do it only for that."
The business case for the federation is ultimately close access to government services, most likely through a banking site portal. With welfare and veterans benefits, grant applications and government loans, banks could "enable government applications as part of a services portfolio for their customers," Blum says. "One could imagine the various kinds of benefits."
In his Educause Policy 2005 Conference presentation, Wells Fargo's Gross said identity-services management at the San Francisco bank is viewed as more than a compliance issue. "Yeah, the risk is important, it doesn't go away, but in reality, there are so many interests in banking and outside of banking that are better served by having strong identity services," Gross says. "We'd like to think of it more as a growth-opportunity view than necessarily a control or risk-management perspective."

(c) 2005 Bank Technology News and SourceMedia, Inc. All Rights Reserved. http://www.banktechnews.com http://www.sourcemedia.com