How Mastercard is building a global digital-ID network
The digital-identity space, as with other parts of the fintech ecosystem, is home to scrappy startups as well as major incumbents. Notably, Mastercard is working to establish a digital-identity network that leverages its international reach and focus on compliance to meet a comprehensive suite of commercial and regulatory use cases.
In an interview with The Financial Revolutionist, Sarah Clark, Senior Vice President of Digital Identity at Mastercard, explains the end goal of Mastercard’s digital-identity project, describes the privacy and security guidelines Mastercard is following, and justifies a private actor fulfilling this function—rather than a public entity.
This interview has been edited for length and clarity.
The Financial Revolutionist: What do you envision as the end goal of Mastercard’s digital identity project?
Sarah Clark, Senior Vice President, Digital Identity: The end goal is to leverage our unique experience with managing a global network at scale on the payment side onto the identity side of things and to provide the network that powers where identity is going in the future. It's going to a place where you as an individual will own your own digital identity: You will have your identity credentials in your digital identity wallet, and you will share your identity credentials with your own knowledge, with transparency, and with consent to share.
And there are a lot of great standards and pillars that have been put into place over the course of many years by a lot of thought leaders developing anything from the verifiable credential standard to distributed identifiers and the engine that makes it work. The network plays a really critical role in that, because it makes a lot of what's been thought through viable in the commercial sector.
Where’s this momentum coming from? I know that there are use cases in finance that work really well for banks—as far as reducing customer acquisition costs by not having to do that much overhead for KYC—and there are some humanitarian use cases. But how much of this demand is coming from individual consumers?
You're right, KYC for banking is a very well known use case as it relates to identity, and different identity verification vendors have been really focused on making KYC both easier and more secure. It's still not particularly easy and there are still issues with synthetic identity fraud, so there’s still lots of work to do even within that single use case. But where a lot of the momentum is coming from are other high-frequency use cases where digital identity is really central.
So this maybe gets outside of banking in terms of some of the drivers for individuals, but there is tremendous concern as well as growing legislation around age verification. Of course everybody can think of that in terms of buying alcohol, that is a completely valid use case, but if you look at the internet, protecting minors from harmful content is seeing a lot of legislation. There’s also a lot of focus on data privacy, which is another key component.
And if you look at the other side of the equation, government investment in digital identity like digital driver's licenses are a form of reusable ID that can be leveraged for age verification, KYC, participating in car sharing, home sharing, and other use cases. Those are some examples of the way government investment as well as regulation and common-sense use cases are beginning to happen, and these are going to being to happen at scale, we need the user experience to be as easy as possible and to be as secure as possible.
I know you have been working in certain pilot geographies. I’d love to hear what that's looked like as far as working with regulatory stakeholders.
We've been working across a range of beachhead geographies. If you look at the work that we're doing in Australia as well as the UK, you can see two major markets that have a lot of digital penetration already. Both of those countries have defined what's called a trust framework—the US led by NIST has something similar—that basically says that in order to offer a digital identity, that digital identity will move through a certain amount of rigor that is defined. We work to become accredited with those types of frameworks, which means the product or platform you’re bringing to market to operate in the world of digital identity is in compliance with the trust framework and the ID proofing methods that are mandated. So that is one core pillar.
And the other one is integrating with government ecosystems when it comes to digital identities, digital credentials, as they are brought online. In the US it’s a state-based approach, it's not something where the federal level is creating an all-citizen repository, but rather it's tethered to the existing driver's license ecosystem, so we've looked to plug into that both to ensure that we can pass those digital credentials and so that we can validate other pieces of evidence as are applicable according to different trust frameworks.
I think all of us are familiar with GDPR. There are other GDPRs happening everywhere, and many of them are pushing it even further. We see that in California; we see that in Brazil. So this concept of something that's privacy preserving is not just a do-good concept, but it's also a response to this being a focus of governments to protect their citizens and to protect them against fraud, identity fraud, etc. So we're engaged in trust frameworks, ensuring we can play in regulated use cases, integrating to government digital ID programs, and ensuring we're on the leading edge of complying with data privacy regulations that are sweeping the globe.
What is then the minimum standard in terms of trust and privacy that you are holding yourself accountable to in geographies that don't have formal regulatory frameworks?
When it comes to privacy it’s pretty simple—it means not being willing to negotiate on being privacy preserving, and not building centralized databases. When we equip an individual with a digital identity that's attached to the ID network, it's a decentralized design so your digital identity exists on your own device, it’s not stored in a Mastercard database. We can't track you. No party on the network can track what you're doing elsewhere on the network.
So data privacy, data minimization, only sharing what's needed, those types of tenets are non-negotiable and at the highest level that they can possibly be. On the other side is assurance, and different countries have different trust frameworks, so we must comply with what ends up being the highest level of assurance relayed in order for it to be globally interoperable. One of the big roles we have as a globally interoperable network is take how each country has defined the requirements behind their regulated use cases and ensure that when we're delivering a KYC-grade identity from Country X to Country Y, that it complies with Country Y standards, even if it's higher. It gets quite complex under the hood. And that's one of the values we can bring to the ecosystem, because somebody needs to be focused on that interoperable part of the puzzle. We're not focused on building the identity wallet, but we are focused on ensuring that what goes into the identity wallet can be used cross-border and can meet that level of assurance.
Why should Mastercard fill this role instead of a public actor?
I think the global ecosystem is still shaking out. Singapore is an example of a country that’s done a great job, it has a relatively small population, and they’re way ahead of the curve with essentially a fully government-run reusable digital ID ecosystem that’s working for KYC as well as everything else. But they might want their citizens to be able to get a bank account if they become expats or are temporarily moving to the UK or the US, so that's where someone like Mastercard could come in and help extend the utility of what they've done as a pure government play.
But I think in most countries, the concept of a public-private partnership can really help accelerate this utility to the commercial market, because not all governments are necessarily equipped to be taking all of that on. And I think that in some markets, citizens just don't like that model. So depending on what part of the world you're in, the fear of government overreaching and tracking everything you do—even if that's not true—makes it very, very hard for that to be realistic. So strong public private partnerships to help build this ecosystem tend to be a good model in a lot of places.
If you look at the impact of access to digital services on GDP, a well-formed digital identity ecosystem can create enormous lift. That's good for businesses, that's good for people, that's good for governments. But, you know, again, the world's a big place. So different countries may have different models. We think our experience in the network aspects of this can really help benefit building this so that it works globally and in the commercial sector.