Press Release

A Blueprint for an Open Data Economy

The OneID® Team

The UK is a world leader in fintech, helped by HM Treasury and the Competition and Markets Authority (CMA) getting us off to an early start with Open Banking, even before the European Commission had fully defined the rules for the related 2nd payment services directive (PSD2).

It is now 8 years since the Open Banking Implementation Entity came into being; all ‘CMA9’ banks and many others now have API platforms that enable customers to make payments and share their transaction data for new use cases such as affordability and income verification, and the OBIE and banks have delivered the CMA roadmap.

The Department of Science, Innovation and Technology (DSIT) is the government department charged with overseeing the UK’s digital landscape. DSIT will be pushing the Digital Information and Smart Data bill (DISD) through parliament to enable digital verification services and ‘smart data’ – secure data sharing via rules that can be defined for different industries. The Department of Business and Trade owns the ‘smart data’ agenda (with ‘smart data’ being defined as enabling citizens to share their data in return for a benefit – “Smart Data is the secure sharing of customer data, upon the customer’s request, with Authorised Third-party Providers (ATPs)”).

There are almost 50 companies certified on the DSIT register to provide ID services (mostly via document ID scanning, but with a few offering fully digital ‘reusable ID’). Assuming the DISD has the same aims as its predecessor (the Digital Information and Data Protection bill), the ‘trust register’ of certified parties and the ID framework itself will be upgraded to a v1 once the DISD bill becomes law, and there will be a new ‘trust mark’ that providers can use to indicate to users that the service is certified.

From the UK experience of building Open Banking and now Digital ID, we have the building blocks and templates that can be reused as a blueprint for moving into Open Finance and an Open Data economy. We need to have ‘Digital Public Infrastructure’ to enable a digital Britain and give us the infrastructure to compete with other economies who are currently ahead of us. DPI enables a modern economy to have identity and payment service layers that connect and function effectively together to enable secure trade and economic/productivity growth.

Other countries already have digital ID schemes, so the UK is playing catch up with that layer of DPI, but we are world-leaders in payments. There are many different initiatives in the payments industry to build future ‘rails’ (the Digital Pound work from the Bank of England, Regulated Liability Network, Faster Payments refresh known as New Payments Architecture, stablecoin regulation and more).

Building on top of the payments and identity layers, enabling citizens and organisations to securely share their data will lead to efficiencies from ‘getting the job done’ much faster, and savings from making it safer (via less fraud). This creates a virtuous circle of more growth, and less ‘leakage’ from the system.

What are the problems from today’s ways of data sharing?

Today's model of data matching creates vulnerability

People typically access services online today by form-filling data without verification of who is actually using the data, which means the receiver could be onboarding a fraudster who is using stolen ID details that match records ‘on file’. A legitimate user could input poor-quality data by mistyping, leading to data quality issues that cause operational costs to correct. And the party receiving the data is typically not verified by anyone, leading to impersonation and ‘Authorised Push Payment’ fraud.

What have we learned from Open Banking and Digital ID?

The standard model of Open Banking is that the consumer consents to a certified ‘Third Party Provider’ to connect to their bank and retrieve their data from that bank. The TPP is certified by the FCA to make the system safe (not anyone can access the bank APIs, you need to be on the OB ‘trust registry’).

There are three parties in the standard OB model:

1^st party – the person who has the bank account – the ‘data subject’
2^nd party – the bank that holds the data – the ‘data holder’
3^rd party – the organisation that is certified under OB – the ‘TPP’

Some TPPs have extended the model to include a 4^th party, where the person can consent to share their data with another service provider to access a service. And some TPPs act as API aggregators to service other TPPs, so there may also be a 5^th party or more in the chain. The flow of data through the Open Banking ecosystem is safer than via other mechanisms as the person has more visibility and control over consent, sees who has access to their data, and the data is shared over secure channels with verified parties.

OneID® CAD flow: Consent & Auth to share ID Data

This extended OB model can be reused as the blueprint for other sectors and ‘data holders’ to enable their users to share their data records. There are three key elements to the blueprint:

Consent – given to the certified 3^rd party by the data subject (1^st party)
Authentication – data subject securely authenticates with the data holder (2^nd party, a bank in the case of Open Banking)
Data sharing – onwards to the 4^th party, a new service provider that the 1^st party wants to access

The ‘CAD’ model already enables anyone who uses UK online banking to securely and simply prove who they are online to a 4^th party, via OneID®. In the future it will enable anyone to consent to a certified party to access their own data record and share it onwards to prove that they have certain entitlements, qualifications or certifications. It will enable the 4^th party to see what products they have from their finance provider, telco or utilities provider, and recommend other providers to enable more competitive services and increase consumer value. The DISD bill will also enable a ‘legal gateway’ for certified providers on the digital ID ‘trust registry’ to access government-held data with citizen consent, unlocking value from gov data.

A blueprint for an Open Data economy

Open Data CAD model: Consent & Auth to share my Data

The CAD model uses global open standards and methods to make data sharing safe, among them:

Trusted registries: Open Banking TPP list, DSIT Digital Verification Services (DVS) register, FCA register, Companies House (being reformed to increase trust)
How to verify a person (GPG45)
Secure API connection (FAPI)
Secure authentication (Strong Customer Authentication, GPG44)

Sharing ID and other data

OpenID Connect (OIDC)
OpenID Connect (OIDC) for Identity Assurance
W3C Verifiable Credentials – these credentials can represent anything, a person, qualification, entitlement or asset

The W3C VC approach is being used for eIDAS2 data sharing protocols:

OID4VCI – Verifiable Credentials Issuance
OID4VP – Verifiable Credentials Presentation

The proposed Open Data schemes in the Department of Business and Trade’s Smart Data Roadmap will define the standards for the sector-based schemes in terms of who needs to share what data, and the data taxonomies to create open data that is commonly understood across an industry and also across sectors. This is all work to be done, but the mechanisms to actually share the data have already been defined by Open Banking and the DSIT ID framework – these methods can be reused to accelerate Open Data.

Open Data Principles

KPMG / Innovate Finance ‘Roadmap to Open Finance’ (modified)

An Open Finance/ Open Data trust framework should adopt the 8 principles (data subject is 1^st party):

Open Finance / Open Data is opt in, not opt out.
Accessing data depends on explicit consent given by the customer to the authorised entity (3^rd party), and the data holder (2^nd party) cannot refuse the data sharing request. The consent can cover data sharing with TPP corporate customers (4^th and 5^th party).
It is as easy to revoke permission as to give it.
Only authorised entities can participate (3^rd party TPP) and need to register on an Open Directory, so unauthorised firms cannot trick customers into sharing their data with them.
The customer never has to share their authenticators with any entity other than their account provider / data holder (2^nd party).
Data is shared via secure APIs and open data standards, with metadata for governance.
APIs should enable read and write of data to enable true data portability.
If anything goes wrong there is a customer redress mechanism.

A better model for data sharing and protection

In the UK, computer misuse and fraud make up 50% of all crime; computer misuse is 10%, and hacking is mainly used to gain ID data that can then be used for carrying out fraud (40% of crime, ONS). Everyone’s data is everywhere. The old model of checking that self-asserted data is consistent doesn’t prove that the person using it is the data subject.

A better model is to verify the data subject so that you know they are sharing their data, and collect consent to use their data for a specific purpose. There is no point in gaining consent if you don’t check the person is actually the data subject.

Centralised data sources are a target for hackers. Keeping data distributed across multiple data sources keeps it more secure. With a CAD data sharing model, the certified party (the TPP) can retain consent ‘tokens’ to enable real-time assembly of the data set needed for a particular transaction, without having to store all the data in one place. This makes it much more secure. ‘Trust registries’, lists of certified or regulated organisations, can be checked in real time to ensure that any party that accesses or receives the data is authorised to do so. If there are any problems with an organisation, their registry entry can be temporarily suspended or even closed to prevent further issues.

Data can be held with ‘authoritative sources’; the ‘issuers’ of the data. For example, government might confirm a passport number or driving licence, the NHS would hold health data, your telco holds your comms data, and your bank your financial data. There is no need to aggregate all this data in one place, as that increases any harm that could be done if the repository got hacked. Having secure access to the distributed data sets in real time negates the need to replicate data everywhere.

Conclusion:

Tomorrow’s model of data sharing creates safety. People can already use OneID® to verify who they are online using their existing bank app or login – this keeps the fraudsters out. Data is sourced direct from a bank; it is verified data that has already been through a KYC process. And the data destination, the 4^th party, has been through due diligence to prove that they are a valid business and not a fraudster or imposter.

By adopting the ‘CAD’ model of data sharing, data sources across any sector can enable a ‘digital Britain’ that delivers the expected benefits for our economy (£30-£60bn of growth).