OneID® | News and Events

A blueprint for an Open Data economy - September 2024

Written by The OneID® Team | 20/09/24 13:57

The UK is a world leader in fintech, helped by HM Treasury and the Competition and Markets Authority (CMA) getting us off to an early start with Open Banking, even before the European Commission had fully defined the rules for the related 2nd payment services directive (PSD2).

It is now 8 years since the Open Banking Implementation Entity came into being; all ‘CMA9’ banks and many others now have API platforms that enable customers to make payments and share their transaction data for new use cases such as affordability and income verification, and the OBIE and banks have delivered the CMA roadmap.

The Department of Science, Innovation and Technology (DSIT) is the government department charged with overseeing the UK’s digital landscape. DSIT will be pushing the Digital Information and Smart Data bill (DISD) through parliament to enable digital verification services and ‘smart data’ – secure data sharing via rules that can be defined for different industries. The Department of Business and Trade owns the ‘smart data’ agenda (with ‘smart data’ being defined as enabling citizens to share their data in return for a benefit – “Smart Data is the secure sharing of customer data, upon the customer’s request, with Authorised Third-party Providers (ATPs)”).

There are almost 50 companies certified on the DSIT register to provide ID services (mostly via document ID scanning, but with a few offering fully digital ‘reusable ID’). Assuming the DISD has the same aims as its predecessor (the Digital Information and Data Protection bill), the ‘trust register’ of certified parties and the ID framework itself will be upgraded to a v1 once the DISD bill becomes law, and there will be a new ‘trust mark’ that providers can use to indicate to users that the service is certified.

From the UK experience of building Open Banking and now Digital ID, we have the building blocks and templates that can be reused as a blueprint for moving into Open Finance and an Open Data economy. We need to have ‘Digital Public Infrastructure’ to enable a digital Britain and give us the infrastructure to compete with other economies who are currently ahead of us. DPI enables a modern economy to have identity and payment service layers that connect and function effectively together to enable secure trade and economic/productivity growth.

Other countries already have digital ID schemes, so the UK is playing catch up with that layer of DPI, but we are world-leaders in payments. There are many different initiatives in the payments industry to build future ‘rails’ (the Digital Pound work from the Bank of England, Regulated Liability Network, Faster Payments refresh known as New Payments Architecture, stablecoin regulation and more).

Building on top of the payments and identity layers, enabling citizens and organisations to securely share their data will lead to efficiencies from ‘getting the job done’ much faster, and savings from making it safer (via less fraud). This creates a virtuous circle of more growth, and less ‘leakage’ from the system.

What are the problems from today’s ways of data sharing?

 

People typically access services online today by form-filling data without verification of who is actually using the data, which means the receiver could be onboarding a fraudster who is using stolen ID details that match records ‘on file’. A legitimate user could input poor-quality data by mistyping, leading to data quality issues that cause operational costs to correct. And the party receiving the data is typically not verified by anyone, leading to impersonation and ‘Authorised Push Payment’ fraud.

What have we learned from Open Banking and Digital ID?

The standard model of Open Banking is that the consumer consents to a certified ‘Third Party Provider’ to connect to their bank and retrieve their data from that bank. The TPP is certified by the FCA to make the system safe (not anyone can access the bank APIs, you need to be on the OB ‘trust registry’).

There are three parties in the standard OB model:

  • 1st party – the person who has the bank account – the ‘data subject’
  • 2nd party – the bank that holds the data – the ‘data holder’
  • 3rd party – the organisation that is certified under OB – the ‘TPP’

Some TPPs have extended the model to include a 4th party, where the person can consent to share their data with another service provider to access a service. And some TPPs act as API aggregators to service other TPPs, so there may also be a 5th party or more in the chain. The flow of data through the Open Banking ecosystem is safer than via other mechanisms as the person has more visibility and control over consent, sees who has access to their data, and the data is shared over secure channels with verified parties.

 

This extended OB model can be reused as the blueprint for other sectors and ‘data holders’ to enable their users to share their data records. There are three key elements to the blueprint:

  • Consent – given to the certified 3rd party by the data subject (1st party)
  • Authentication – data subject securely authenticates with the data holder (2nd party, a bank in the case of Open Banking)
  • Data sharing – onwards to the 4th party, a new service provider that the 1st party wants to access

The ‘CAD’ model already enables anyone who uses UK online banking to securely and simply prove who they are online to a 4th party, via OneID®. In the future it will enable anyone to consent to a certified party to access their own data record and share it onwards to prove that they have certain entitlements, qualifications or certifications. It will enable the 4th party to see what products they have from their finance provider, telco or utilities provider, and recommend other providers to enable more competitive services and increase consumer value. The DISD bill will also enable a ‘legal gateway’ for certified providers on the digital ID ‘trust registry’ to access government-held data with citizen consent, unlocking value from gov data.

A blueprint for an Open Data economy

The CAD model uses global open standards and methods to make data sharing safe, among them:

Sharing ID and other data

The W3C VC approach is being used for eIDAS2 data sharing protocols:

  • OID4VCI – Verifiable Credentials Issuance
  • OID4VP – Verifiable Credentials Presentation

The proposed Open Data schemes in the Department of Business and Trade’s Smart Data Roadmap will define the standards for the sector-based schemes in terms of who needs to share what data, and the data taxonomies to create open data that is commonly understood across an industry and also across sectors. This is all work to be done, but the mechanisms to actually share the data have already been defined by Open Banking and the DSIT ID framework – these methods can be reused to accelerate Open Data.

Open Data Principles

KPMG / Innovate Finance ‘Roadmap to Open Finance’ (modified)

An Open Finance/ Open Data trust framework should adopt the 8 principles (data subject is 1st party):

  1. Open Finance / Open Data is opt in, not opt out.
  2. Accessing data depends on explicit consent given by the customer to the authorised entity (3rd party), and the data holder (2nd party) cannot refuse the data sharing request. The consent can cover data sharing with TPP corporate customers (4th and 5th party).
  3. It is as easy to revoke permission as to give it.
  4. Only authorised entities can participate (3rd party TPP) and need to register on an Open Directory, so unauthorised firms cannot trick customers into sharing their data with them.
  5. The customer never has to share their authenticators with any entity other than their account provider / data holder (2nd party).
  6. Data is shared via secure APIs and open data standards, with metadata for governance.
  7. APIs should enable read and write of data to enable true data portability.
  8. If anything goes wrong there is a customer redress mechanism.

A better model for data sharing and protection

In the UK, computer misuse and fraud make up 50% of all crime; computer misuse is 10%, and hacking is mainly used to gain ID data that can then be used for carrying out fraud (40% of crime, ONS). Everyone’s data is everywhere. The old model of checking that self-asserted data is consistent doesn’t prove that the person using it is the data subject.

A better model is to verify the data subject so that you know they are sharing their data, and collect consent to use their data for a specific purpose. There is no point in gaining consent if you don’t check the person is actually the data subject.

Centralised data sources are a target for hackers. Keeping data distributed across multiple data sources keeps it more secure. With a CAD data sharing model, the certified party (the TPP) can retain consent ‘tokens’ to enable real-time assembly of the data set needed for a particular transaction, without having to store all the data in one place. This makes it much more secure. ‘Trust registries’, lists of certified or regulated organisations, can be checked in real time to ensure that any party that accesses or receives the data is authorised to do so. If there are any problems with an organisation, their registry entry can be temporarily suspended or even closed to prevent further issues.

Data can be held with ‘authoritative sources’; the ‘issuers’ of the data. For example, government might confirm a passport number or driving licence, the NHS would hold health data, your telco holds your comms data, and your bank your financial data. There is no need to aggregate all this data in one place, as that increases any harm that could be done if the repository got hacked. Having secure access to the distributed data sets in real time negates the need to replicate data everywhere.

Conclusion:

 

Tomorrow’s model of data sharing creates safety. People can already use OneID® to verify who they are online using their existing bank app or login – this keeps the fraudsters out. Data is sourced direct from a bank; it is verified data that has already been through a KYC process. And the data destination, the 4th party, has been through due diligence to prove that they are a valid business and not a fraudster or imposter.

By adopting the ‘CAD’ model of data sharing, data sources across any sector can enable a ‘digital Britain’ that delivers the expected benefits for our economy (£30-£60bn of growth).

Initial target sectors for Open Data

The DBT Smart Data roadmap has defined a set of sector-based smart data schemes that can be further developed to provide value for citizens.

DBT Smart Data Roadmap

https://assets.publishing.service.gov.uk/media/66190f98679e9c8d921dfe44/smart-data-roadmap-action-the-government-is-taking-in-2024-to-2025.pdf

  1. Open Banking (HMT / OB Ltd / Interim Entity)
    https://www.openbanking.org.uk/

2) Open Finance (JROC (FCA/PSR/CMA/HMT) / Future Entity / CFIT)

3) Open Comms (Open Telco) (DSIT, Ofcom)

https://www.gov.uk/government/consultations/open-communications-a-smart-data-scheme-for-the-uk-telecoms-market

4) Open Transport (DfT)

https://opentransport.co.uk/open-standard/

5) Open Energy (DESNZ)

https://openenergy.org.uk/

6) Open Fuel

https://assets.publishing.service.gov.uk/media/65a52da3867cd800135ae870/road-fuel-retail-market-consultation.pdf

7) Open Retail

8) Open Homebuying (DLUHC, HMLR)

HMLR PG81

https://openpropdata.org.uk/ 

9) Open Government

Sharing data from government to DSIT-certified ID providers

Sharing data from government departments to GDS for One Login

10) Open Regulators

11) Open Net Zero

https://opennetzero.org/

12) Content Authenticity (C2PA)

https://c2pa.org/