Interac plans national Canadian digital ID service

T

he rise of Covid-related fraud, the launch of real-time payments in 2022, and the eventual introduction of open banking make this the right time for a national Canadian digital ID scheme.

Interac is well placed to operate a national digital ID scheme since it enjoys a high level of trust and transactions as a core payments provider with nearly 300 Canadian FIs connected to its network. It operates the Interac-branded debit card and ATM networks and the Interac e-Transfer funds transfer service. Canadians use Interac products an average of 18 million times a day for payments and transfers.

By partnering with Interac, SecureKey is able to leverage the payments company’s trusted brand and ubiquity in Canada. SecureKey provides digital ID verification services in Canada to government agencies including Canada Revenue Agency and to banks, insurers and healthcare providers.

SecureKey launched the Verified.Me blockchain-based federated digital ID platform in 2019, enabling consumers to prove their identity when logging into government services or opening new bank accounts. It does this by drawing on data from their existing FI and mobile telco, and from Equifax and ID documents such as driver’s licenses.

Use of Verified.Me to access Canadian government services accelerated during the pandemic, as the government looked for a fast and efficient way to disperse Covid aid to Canadians. Verified.Me usage grew “in the hundreds of percent” in the last six months, according to Greg Wolfond, SecureKey’s CEO. “The growth is coming predominantly from our government sign-in service but also from people using Verified.Me for private-sector applications,” he says.

Interac’s agreement with SecureKey involves acquiring the digital ID platform’s Canadian clients, which include Scotiabank, TD, healthcare provider Dynacare, and Sun Life of Canada as well as the exclusive licence for its intellectual property in Canada. SecureKey will continue to provide the underlying technology for Verified.Me in Canada, with Interac rebranding the service under the Interac Digital ID brand, which will be launched later this year.

In 2019, Interac acquired 2Keys, a provider of digital ID services to Canadian government agencies, banks and commercial organisations. “We mapped out a strategy for Interac’s role in digital ID several years ago, and then went out to the market to see who was doing what,” says Debbie Gamble, Interac’s Chief Officer, Innovation Labs and New Ventures. “We identified 2Keys and SecureKey as the key enablers in this space. By acquiring 2Keys and licensing SecureKey’s platform in Canada, we can now provide secure digital ID verification services that are fundamentally easy and without friction for businesses and consumers.”

Gamble says Interac is trusted by Canadians as their provider of interbank payments and money transfers. “With SecureKey’s Canadian platform under the Interac banner, we now have the capability to also provide Canadians with secure trusted ID services,” she says. “Interac believes that digital ID is key to the future of the digital economy in Canada.”

The pandemic provided a significant driver for the adoption of digital ID. By shifting interactions from real life to the digital realm, the pandemic made many Canadians feel more vulnerable to fraud, Interac’s research found. According to the Canadian Anti-Fraud Centre, in the eight months to 31 August 2021, Canadians lost C$144m to fraud, up from C$106m in 2020.

Gamble says that both consumers and business will see significant benefits from trusted digital ID. “For banks and other businesses, digital ID delivers huge operational efficiency as it eliminates the need to exchange paper documents,” she says.

The Digital ID & Authentication Council of Canada (DIACC) and its participating banks estimate that trusted digital ID will create potential net savings per FI at or above C$100m per year through operational efficiencies created by reducing manual processing costs and reducing fraud.

A nationwide digital ID scheme will be a key strategic enabler for initiatives in Canada such as open banking and real-time payments, by helping to prevent fraud.

In late 2022, Payments Canada, which operates Canada’s clearing and settlement systems, will launch the Real-Time Rail, which will enable consumers and businesses to perform instant payment transactions. Payments Canada has selected Interac to provide the payments messaging technology for the RTR.

Being able to use digital ID to verify the sending and receiving parties in an instant payment transaction will help prevent the authorised push payments fraud which has occurred in the UK via the Faster Payments network.

Open banking is set to follow the launch of the RTR. In August 2021, the Canadian government’s Department of Finance published a report by its advisory committee on open banking recommending that open banking be introduced in Canada in 2023. Being able to prove one’s identity digitally when opening financial accounts or initiating payments with a fintech via open banking APIs will be critical in preventing fraud.

When a consumer uses services that have integrated with Verified.Me such as bank or government websites, they are asked to authenticate themself to prove it is really them. They do this by clicking the Verified.Me link or scanning the Verified.Me QR code and then selecting their bank in the menu of FIs that support Verified.Me.

“Users log into their bank using their existing bank login credentials and are then asked: ‘are you willing to provide the following data to this party – for example, Canada Revenue Agency - for this purpose?’” says Wolfond. “It could be data from your bank, Equifax or other sources.”

SecureKey conducts a “liveness” check by asking users to provide a selfie that is checked against their driver’s licence. It also checks with the user’s telco that their cellphone hasn’t been hacked, for example through SIM card swap.

Once users have consented, SecureKey obtains the ID data from their bank and other sources and delivers it in encrypted form to the requesting party. SecureKey uses IBM’s blockchain technology to enable consumers to share their ID attributes with requesting parties.

Examples of where Verified.Me can be used include digitally opening or renewing Costco membership accounts; opening RBC brokerage accounts; opening bank accounts on Scotiabank’s website; logging into TD’s precious metals digital store; and using the Ontario Trusted Account service which enables Ontario residents to access their health accounts.

“SecureKey doesn’t see or store users’ personal identifiable information,” says Wolfond. Also, unlike screen-scraping services, when consumers use Verified.Me, they never share any of their banking login credentials with third parties.

Securekey is connected to all the participating data sources and has a governance model for data-sharing. “This means that the parties are willing to share data under the rules of the network,” says Wolford.

SecureKey’s data-sharing and consent model complies with the “Privacy and Security by Design” standard, which was developed by Dr Ann Cavoukian, the former Ontario Privacy Commissioner. “The basis of this standard involves asking the consumer: ‘do you consent to share this data with this party for this purpose?’” says Wolfond. “You consent very explicitly to what you’re sharing - in layman terms and not after reading a multi-page agreement - and you only give the minimum needed. SecureKey is huge on only sharing what you need to share and what you consent to share, and on the third party not keeping copies of your data.”

Verified.Me’s business model is based on providing remuneration to companies providing accreditation data as part of the ID verification process. “We try to make the process cost-effective for aligned parties that request ID data, and share the resulting revenues with the providers of that data,” says Wolfond.

When a consumer uses services that have integrated with Verified.Me such as bank or government websites, they are asked to authenticate themself to prove it is really them. They do this by clicking the Verified.Me link or scanning the Verified.Me QR code and then selecting their bank in the menu of FIs that support Verified.Me.

“Users log into their bank using their existing bank login credentials and are then asked: ‘are you willing to provide the following data to this party – for example, Canada Revenue Agency - for this purpose?’” says Wolfond. “It could be data from your bank, Equifax or other sources.”

SecureKey conducts a “liveness” check by asking users to provide a selfie that is checked against their driver’s licence. It also checks with the user’s telco that their cellphone hasn’t been hacked, for example through SIM card swap.

Once users have consented, SecureKey obtains the ID data from their bank and other sources and delivers it in encrypted form to the requesting party. SecureKey uses IBM’s blockchain technology to enable consumers to share their ID attributes with requesting parties.

Examples of where Verified.Me can be used include digitally opening or renewing Costco membership accounts; opening RBC brokerage accounts; opening bank accounts on Scotiabank’s website; logging into TD’s precious metals digital store; and using the Ontario Trusted Account service which enables Ontario residents to access their health accounts.

“SecureKey doesn’t see or store users’ personal identifiable information,” says Wolfond. Also, unlike screen-scraping services, when consumers use Verified.Me, they never share any of their banking login credentials with third parties.

Securekey is connected to all the participating data sources and has a governance model for data-sharing. “This means that the parties are willing to share data under the rules of the network,” says Wolford.

SecureKey’s data-sharing and consent model complies with the “Privacy and Security by Design” standard, which was developed by Dr Ann Cavoukian, the former Ontario Privacy Commissioner. “The basis of this standard involves asking the consumer: ‘do you consent to share this data with this party for this purpose?’” says Wolfond. “You consent very explicitly to what you’re sharing - in layman terms and not after reading a multi-page agreement - and you only give the minimum needed. SecureKey is huge on only sharing what you need to share and what you consent to share, and on the third party not keeping copies of your data.”

Verified.Me’s business model is based on providing remuneration to companies providing accreditation data as part of the ID verification process. “We try to make the process cost-effective for aligned parties that request ID data, and share the resulting revenues with the providers of that data,” says Wolfond.