Lack of leadership, confusion and frustration - the state of digital identity in the UK

To nobody’s surprise, efforts by a group of peers to force the government to accelerate progress on digital identity in the UK foundered in the House of Lords yesterday (20 April 2021).

Baroness Neville-Rolfe, Baroness Mcintosh Of Pickering and Lord Holmes Of Richmond proposed a series of amendments to the Financial Services Bill, whereby HM Treasury would be obliged to publish plans for a digital ID system for the finance sector within six months of the bill becoming law.

After some debate in the House, the amendments were withdrawn. The financial services element of their proposals was merely a Trojan horse for pushing the establishment of a broader formal scheme. Little will change as a result of the move by the three peers, but their immediate aim was achieved – to express the widespread frustration at the slow pace of government plans to enable a UK digital identity ecosystem.

Computer Weekly readers who have followed the long and drawn-out progress of digital identity in the UK will be very familiar with stakeholders expressing their frustration at the slow pace of government plans.

“It may not surprise noble Lords that I remain disappointed at the pace of change on digital ID,” said Neville-Rolfe during the debate.

“Years are passing, our leadership in digital is eroding, and we can no longer blame the EU. We must solve this problem for the industries, services and, above all, consumers involved. Of course there must be public engagement, but this must not be used as an excuse for undue delay.”

Holmes told Computer Weekly he shares his colleague’s disappointment: “Distributed digital ID mattered when I first started talking about it in 2013 – obviously, it’s even more pressing in 2021. The Department for Digital, Culture, Media and Sport (DCMS) is doing good work, but I would like to see more speed, and a sandbox approach with several proofs of concept getting underway, not least in the financial services sector.”

He added: “The government also needs to lead a national conversation, a public debate. This must be inclusive, addressing people’s concerns, not least around ID cards and Covid passports. There is a huge prize for the UK, the time is now and, if necessary, it is more than worth directing more public money at distributed ID for the benefit of individuals and businesses, for the benefit of Britain and our post-Covid recovery.”

Laughing stock

One former government advisor describes the UK as an “international laughing stock” on digital identity, pointing out the contrast with the digital payments sector, where the UK leads the world and where many common issues such as governance and legal liability are already well established. You might think, therefore, that the government would turn to that expertise.

Fortunately, momentum is building in financial services – at last – around the importance of digital identity. When the Cabinet Office first tried to engage with the sector 10 years ago, the response was extremely limited – only Barclays really bought into the plans, and they later withdrew.

The recent Kalifa Review, which examined post-Brexit opportunities for the UK fintech sector and the actions needed to capitalise on the country’s international leadership, called for a “coalition on digital ID”, noting that: “Previous attempts to establish a universal approach to digital ID have met with limited success and now multiple alternatives are emerging in competition with each other to become the standard.”

To add to the frustration, many of those competing alternatives are coming from within the financial sector itself.

One industry body, The Investing and Saving Alliance (TISA), has been promoting its plans for digital identity for some time – receiving tacit approval from government when Julia Lopez, the minister responsible for the Cabinet Office plan for a new Whitehall scheme to replace the failed £200m Gov.uk Verify scheme, chose a TISA event to announce the latest proposals.

Financial sector insiders however, are largely dismissive of TISA’s initiative.

Further impetus comes from regulator the Financial Conduct Authority (FCA), in its March report on open finance – the next stage of the open banking programme that is slowly opening up banking data to encourage new services and greater competition. Open finance aims to take those principles and apply them to other areas, such as insurance or pensions. The FCA report notes the importance of digital identity as a means to speed up the adoption of open finance.

While DCMS is driving the establishment of a trust framework for digital identity, the Department for Business, Energy and Industrial Strategy (BEIS) is a prime mover in government behind open finance, through its Smart Data initiative, which could set standards and regulation for data sharing within and across industries.

Meanwhile, the Competition and Markets Authority (CMA), which launched the open banking programme in 2017, is considering the input to its recent consultation on future oversight of open banking. And the Treasury is expected to soon publish its response to the consultation on the UK payments sector, which will no doubt be a further influence on what happens next in digital identity.

Confused yet? You’re not the only one.

The tech sector and the existing players in digital identity are watching all this going on and crying out for leadership. With the collapse of Verify and the slow progress at DCMS, there are fears of a new Wild West emerging, with several different bodies pushing their own ideas with little joined-up thinking.

The simple fact of so many different organisations, companies, suppliers, regulators, government departments and other bodies all with a vested interest in digital identity, only reinforces how important it is to finally get this right.

Trust framework

The DCMS work on its trust framework continues to soldier away under a shroud of confidentiality. The department recently sent stakeholders a series of documents relating to certification against the framework. The emails were titled: “Confidential: UK DCMS Certification docs – DO NOT SHARE”.

Hardly in the spirit of openness that was promised. Recipients noted the continued absence of concrete proposals on the two most contentious aspects – governance and liability – as if DCMS wants to get everything else sorted out before fully addressing the two areas most likely to scupper the whole project.

As expected, DCMS appears to have found a fudge to accommodate the finance sector’s calls to use its regulated anti-money laundering (AML) standards for digital identity, rather than the GPG standards preferred by Verify developer the Government Digital Service (GDS).

In a March letter to stakeholders, DCMS said it wanted to “ensure that stakeholders understand the intent” of the GPG standards, which will “be used as a consistent methodology by which identity processes can be expressed” rather than to “mandate all areas” of the standard.

That sounds a bit like showing a Strictly Come Dancing competitor all the moves needed to tango, while insisting they can do any dance they like.

This is still something of a tactical climbdown, though – pretty much forced by the widespread resistance from industry to standards they perceived as an attempt to sustain the failed Verify model.

In the letter, DCMS said it was “confident” that GPG is “compatible with the money laundering regulations”.

“We have, however, had feedback that some members of industry might still have questions about the relationship between the two,” it said, masterfully understated.

“In an effort to better understand these concerns and dispel any misconceptions,” DCMS asked stakeholders to share their views on “the challenges in the use of the trust framework to meet AML requirements”.

Some in industry simply say that in AML the UK already has world-leading regulations, so why not just use them instead of imposing standards that are used by nobody outside of government?

Speaking for the government in yesterday’s Lords debate, Baroness Penn said: “DCMS is working with a range of stakeholders across the public and private sectors, academia and civil society to further refine and develop the trust framework. To ensure the delivery of a productive digital identity market, the department is working with stakeholders so that they understand the framework and the ways in which it can be used.”

Note the choice of words – DCMS wants stakeholders to “understand the framework”, rather than, say, help to develop a mutual framework that works for everyone, or to incorporate their specific preferences.

Penn promised a second iteration of the framework will be published this summer, followed by “a further period of in-depth consultation with stakeholders to ensure that they are confident with their understanding”.

Won’t it be good for stakeholders to feel “confident with their understanding” of the framework? No need to bother with minor issues like whether they can feel confident with its chances of success.

“The government therefore considers that progress is already under way to support the use of digital identity products that will work across the economy and between different economic sectors, and that industry stakeholders and the public are engaged on how this work is being shaped,” Penn concluded.

So, don’t hold your breath, and remember it’s your own fault if you don’t understand.