Back to General Resources

House Financial Services Committee Task Force on AI Hearing on the Future of Identity in Financial Services

House Financial Services Committee Task Force on Artificial Intelligence

“The Future of Identity in Financial Services: Threats, Challenges and Opportunities”

Thursday, September 12, 2019

Key Topics & Takeaways

  • Role of Government: Boysen expressed the need to create a system that is simple for consumers, has a trusted network, and is based on user behavior. Grant referenced the Obama administration’s focus on capitalizing on the marketplace with government filling in the gaps as needed. He said that the Office of Management and Budget (OMB) signing memorandum 19-17 helps further U.S. cybersecurity policies and helps regulatory agencies get involved in the process.
  • Canadian System: Boysen said that open banking is not uniform across the globe, and the concerns are about asset dripping. He added that any data that is shared should be for the purpose of analysis. Boysen said before the verify me system, there were not efficient and cost-effective protections in place. He said now Canadians can use banks for authentication purposes, with increased integrity and lower costs to the process.
  • CCPA: Grant responded that using the California Consumer Protection Act (CCPA) as a basis depends on the implementation, but said some areas were ambiguous, such as how data can be used for security and fraud prevention. He stated that the General Data Protection Regulation (GDPR) took a better approach to this matter.

Witnesses

Opening Statements

Chairman Bill Foster (D-Ill.)

In his opening statement, Foster focused on ways to safeguard artificial intelligence (AI) from criminals seeking to exploit industries and encouraged his colleagues to become more knowledgeable about the sophisticated threats to the financial services industry. Foster stated that 25 percent of malware attacks target banks and other financial services related institutions. He said that the industry is spending millions on AI protections, on top of compliance and anti-money laundering (AML) costs. Foster expressed his support for the Better Identity Coalition’s blueprint for how the government can help protect identities.

Ranking Member French Hill (R-Ark.)

In his opening statement, Hill expressed his interest in modernizing current identity systems to better protect all citizens, particularly related to authentication and access to information. Hill added that it is important to address the issue of nonbanks not covered under the Gramm Leach Bliley Act. He said that it is critical to enhance the robustness of identity protection through the work of other committees, regulators, and private sector players. Hill suggested using AI and machine learning to find new ways to authenticate identity other than username and password.

Testimony

Anne Washington, Assistant Professor of Data Policy, NYU Steinhardt School

In her testimony, Washington highlighted the importance of identity, and how “detrimental” a one percent failure in AI is to the financial services industry. She stated that currently, organizations are not able to distinguish between two individuals with the same name or birthdate, with little incentive to correct this concern in the financial services industry. Washington challenged Congress to consider scaling AI practices globally and introduce mechanisms for AI systems to find a balance between the human experience and the authority of data.

Valerie Abend, Managing Director, Accenture Security

In her testimony, Abend stated that digital identity and access management are “incredibly important” to ensure trust in financial transactions online. She noted that in financial services, the top global threats are to prudential and identity theft.  Abend continued that in data breaches, criminals are trying to access privileged data inside systems, which she referred to as the “mushy middle.” She recommended that Congress use AI and other technology to help create real-time risk-based authentication mechanisms to protect the “mushy middle.” Abend’s three recommendations to achieve this goal were: 1) to pass a federal privacy framework, possibly one that looks like the Business Roundtable’s proposal; 2) for Congress to help foster innovation for the digital environment, and 3) for any new laws to be technology neutral and interoperable.

Jeremy Grant, Coordinator, Better Identity Coalition

In his testimony, Grant said that the way identity is handled impacts security, privacy, and liberty and enables online experiences to be secure and more enjoyable for consumers. He said that 81 percent of attacks occur due to weak passwords and other unaddressed attack points, which expose knowledge-based identity tools. Grant said that hackers have caught up with the current privacy protections in place, and that the government and private sector should work together to come up with new privacy protection tools. He referenced the Better Identity Coalition’s blueprint and highlighted three critical points for Congress to consider: 1) to set an alternative to the use of social security numbers as an authenticator; 2) to implement next generation standards as a password-less era is near; and 3) for the government to help produce next generation remote identification proofing solutions, such as fixing the paper-based system that is used to validate credentials online.

Amy Walraven, President and Founder, Turnkey Risk Solutions

In her testimony, Walraven said that the threat of synthetic identity occurs through the theft of basic forms of information, such as social security numbers, dates of birth, or names. Walraven noted that the growth of technology has left room for the anonymity of fraud, and that regulations and new controls should be implemented to protect and remediate exploitation of personally identifiable information (PII). She recommended that Congress remain vigilant in synthetic identity threats, and for efforts to be “nimble and fluid.”

Andre Boysen, Chief Identity Officer, SecureKey Technologies

In his testimony, Boysen said organizations must be able to rely on trust or digital identity for the person on the other end of the transaction, which is challenging on both sides. Boysen added that biometric methods are increasingly targeted by hackers, elevating the risk to such data. He said that with the number of resources Twitter and Facebook possess, their inability to manage the current digital identity landscape has been difficult. Boysen added that it is difficult to expect an everyday citizen to manage the landscape and suggested finding ways to combine the prime factors of identity to give confidence to organizations.

Question & Answer

Role of Government

Reps. Barry Loudermilk (R-Ga.), Anthony Gonzalez (R-Ohio), Foster and Hill asked about ways the government can help address concerns. Walraven said the issue is about knowing the real customer and suggested addressing the root of the problem, rather than compound on the current structure. Boysen expressed the need to create a system that is simple for consumers, has a trusted network, and is based on user behavior. Grant referenced the Obama administration’s focus on capitalizing on the marketplace with government filling in the gaps as needed. He said that the Office of Management and Budget (OMB) signing memorandum 19-17 helps further U.S. cybersecurity policies and helps regulatory agencies get involved in the process. Grant suggested creating a “center of excellence” to assist the government, as well as further utilizing existing mechanisms such as a driver’s license as a tool for authentication.

Canadian System

Hill asked if Canada or Europe solving the password authentication issue has led to open banking. Boysen said that open banking is not uniform across the globe, and the concerns are about asset dripping. He added that any data that is shared should be for the purpose of analysis.

Rep. Patrick McHenry (R-N.C.) asked Boysen to elaborate on the Canadian verification system and if there is a different cultural assumption in Canada about data sharing. Boysen said before the verify me system, there were not efficient and cost-effective protections in place. He said now Canadians can use banks for authentication purposes, with increased integrity and lower costs to the process. Boysen explained that in the implemented system, the identity protection requirements and resiliency standards were met, and that a triple-blind privacy sharing mechanism was implemented. He said privacy protections in Canada are stronger than those in the U.S., and their model could work in the U.S.

CCPA

Hill asked if the California Consumer Protection Act (CCPA) is a decent basis for a federal framework. Grant responded that it depends on the implementation, but said some areas were ambiguous, such as how data can be used for security and fraud prevention. He stated that the General Data Protection Regulation (GDPR) took a better approach to this matter.

Other Concerns

Rep. Denver Riggleman (R-Va.) asked if AI can prohibit the abilities of a small company. Abend said the U.S. would need to find new ways to help smaller companies leverage their capabilities, such as using AI or through third-party provider partnerships.

Riggleman also asked if changes to authentication practices could lead to the rejection of future transactions. Grant said there are components both the government and the private sector will need to innovate to implement proposed authentication measures. He added that there are great models in place that help provide individuals with choice online.

For more information about this hearing, click here.