Ely Pinto Quoted in American Banker

Leumi Chief Information Security Officer Ely Pinto was quoted in an article for American Banker about how blockchain can ease banks’ digital-identity concerns. His commentary can be viewed below:

Can blockchain ease banks’ digital-identity concerns?

American Banker, March 27, 2018

By Bryan Yurcan

Bankers are increasingly flirting with the blockchain model to solve a growing problem: verifying the identity of customers who apply for services via a mobile app rather than in person.

The idea has boosted the startup effort of Los Angeles-based Spring Labs. On Tuesday, it launched the Spring Network — a blockchain-based network designed with the goal of letting lenders, banks, and data providers to securely and efficiently exchange data with one another — with $14.75 million in seed funding.

“We’ve seen the issues within the credit and identity ecosystem firsthand,” said Adam Jiwan, CEO of Spring Labs’ CEO.

Spring Labs was started by members of the founding team and board of the online lender Avant. Avant develops technology to assess applicants’ credit histories, generate immediate credit decisions and provide automated verification steps for final approval, and has partnerships with some banks that use its technology.

Initially, Spring Labs aims to launch a data partnership with Avant. It is now in discussions with banks about adopting the Spring Network for use alongside Avant’s bank-focused products.

Jiwan said distributed ledger technology — which is by nature decentralized — is the ideal medium to exchange information between financial institutions.

The current system of managing identity and authenticating customers “is based on the notion of centralized data, which can be a huge risk because a single point of failure can be catastrophic,” he said.

Jiwan pointed to the Equifax breach last year and resulting fallout as the potential catastrophe that can result when a single storer of large data can be breached.

Instead, in the Spring Network, the source data is not shared, so the data is effectively anonymized and no personally identifiable information is shared, Jiwan said.

It works this way: Bank X has already authenticated a customer for a checking account. That same customer then goes to Bank Y or a fintech firm seeking a different financial product, say a loan. Instead of reauthenticating that customer all over again, Bank Y can request from Bank X information that it already used in authenticating that customer, which is sent through the distributed ledger network. The system can also be sued to share information about creditworthiness so banks and lenders can make quicker lending decisions.

Jiwan said this method will also save banks time and money, as they typically spend money requesting dozens of credit and data reports in the authentication and credit evaluation process.

“Banks don’t typically share this information, because of regulatory concerns and because of competitive reasons,” he said. “We are creating something secure and that allows institutions the benefit of sharing information in an anonymized and regulatory compliant way. It’s a Zelle-like network for information sharing.”

Spring Network isn’t the only fintech chasing this idea. Gem, a startup in Venice, Calif., is focused on getting companies within the same industry to share information via blockchain technology. Another is the CULedger project, an initiative by the Credit Union National Association to study the benefits of creating a distributed ledger that employs credit unions as nodes.

Their efforts come as digital identity is top of mind for banks as they deal with cybersecurity threats.

“One of the terms often thrown around is, ‘Identity is the new perimeter,’ ” said Ely Pinto, the chief information security officer for the U.S. operations of Bank Leumi. “As banks interact with customers digitally on a more frequent basis, you need strong assurance that people are who they say they are.”

Banks walk a fine line between offering customers convenience in the digital space and making sure security is rigorous; banks need to minimize fraud don’t also don’t want to put onerous burdens on customers in the process of doing so.

“Banks could do something like move to issuing RSA-type tokens, for example, but is the extra burden of carrying a physical device and inputting a six-digit code too much” for customers?” Pinto asked. “The difficulty is maintaining the balance; there’s a fine line between increasing security, while not decreasing usability.”

Blockchain-based information-sharing schemes such as Spring Network’s could be one answer, but whatever the future holds for digital identity Pinto said it will likely result from a combination of regulatory and industry changes.

“We’ve seen regulatory bodies like the New York DFS be much more aggressive about this — and there’s pluses and minuses to that — but overall they are trying to do the right thing,” Pinto said, referring to the New York State Department of Financial Services. “At the same time, we’ll also start to see some industry-created requirements. For example, Swift has done a good job laying out what some of the requirements should be” as it has urged banks to bolster security after the 2016 hack of the network.

Such industry solutions may become more likely as banks think more and more about how to manage digital identity.

“If we talk about the top five [cybersecurity] challenges for banks in 2018, I think digital identity is at the top of that list,” said Mary Ann Miller, senior director, fraud executive adviser and industry relations for the technology and consulting firm NICE Actimize. “In general, the threat landscape is moving fast and banks have to try and keep up.”

Issues such as cybersecurity and digital identity are “now board-level topics,” Miller said.

Miller noted that some governments have begun to tackle the issue themselves; there are, for example, national digital identity schemes in India and Estonia, and a recent pilot program between banks and the U.K. government allows French citizens living in the U.K. to open a bank account there using a digital identity.

“There’s more discussion on these issues at the government level, but I think banks would prefer to self-regulate and create their own solutions,” Miller said.