A frictionless future for identity management A practical solution for Australia’s digital identity challenge White paper December 2016  White paper A frictionless future for identity management Contents A new identity for the digital age Roadblocks for business The rise of eGov Unlocking up to $11billion per annum in economic value Learning from the global experience Developing the right identity solution for Australia On the path to a new digital identity ecosystem 04 05 06 07 08 09 11 Australia Post | Enterprise and government solutions 2 White paper A frictionless future for identity management We live in a digital age, where consumers expect to connect with services and products every day, online and instantly. But our traditional physical identity processes are failing us in this new era – they’re causing friction and mistrust, and locking up billions of dollars in unrealised economic value. Every year, Australians need to prove or verify their identity hundreds of millions of times to carry out everyday transactions. Whether it’s applying for a credit card, purchasing a mobile phone plan, enquiring about their electricity account or interacting with government services, our current system is built around multiple sources of physical identity documents and cumbersome account log-ins. It’s frustrating and time consuming for consumers – and it fails to resolve the growing incidence of fraud for businesses and government. So, what if you could re-use your verified identity whenever you need to prove who you are with any provider – online, on the phone or in person? More secure than your driver’s licence, and just as convenient because it’s held within your mobile phone. In early 2016, Australia Post in conjunction with The Boston Consulting Group (BCG) set out to survey consumers, small business owners and those working in large businesses and government departments about the issue of digital identity. Researchers found that while these groups found identity management time consuming, repetitive and laborious, they struggled to imagine a world better equipped to suit their needs. And when they were presented with a secure, trusted and ubiquitous digital identity solution, the demand was clear; this is what we need – and we need it now. This report shares the findings of this research and what we can learn from the digital identity experience in other countries. And importantly how we can make every digital interaction, for Australians, safer and simpler. In the process, we can help unlock up to $11billion in economic value for the Australian economy. Australia Post | Enterprise and government solutions 3 White paper A frictionless future for identity management A new identity for the digital age As all parts of our economy have digitised, from eCommerce to mobile banking and cinema bookings, the identity infrastructure that supports these essential transactions has failed to keep pace. We increasingly need to prove our identity to third parties, each with different assurance requirements. Despite the push to digital transactions in both the private and public sectors, the existing identity verification system remains primarily paper-based. “Physical processes don’t translate well to the digital realm – you can’t just show your driver’s licence online,” explains Cameron Gough, Australia Post’s General Manager - Digital ID and DDC, Trusted eCommerce Solutions. “But the game has changed with digitisation. Consumers hold the power, and identity is one area where we’ve found an extraordinary mismatch between consumer expectations and what organisations are delivering.” At its core, an identity is a person’s name and date of birth. It can be verified by recognised source documents (such as a birth certificate), and the details are then checked against an authoritative database. How this verification happens today depends on the degree of confidence (Level of Assurance) in the person’s identity that the provider needs to have. Consumers typically have more than 40 accounts and log-ins with service providers, eCommerce retailers and membership organisations. According to our research, they find the process of verifying their identity over and over again frustrating, and remembering user names and passwords, unnecessarily challenging. Australia Post and BCG spoke with consumers and SMB owners across Australia, in cities, regional and rural areas. They also spoke with 50 government departments and large corporations to understand the challenges they face and the opportunities they can see for improving both online and physical interactions. There was no significant difference based on age group or location – all consumers and small business owners found the process of proving who they are cumbersome, and were frustrated they had to do it ‘every time’. In addition, it is critical to users for any digital identity solution to be secure, convenient and trusted. We all want to be in control of our identity, and manage who has access to specific information about us. “Through the research, we found that identity is a highly personal thing. The most precious thing you have,” comments Gough. “But we have to give parts of that identity away to make our way through the digital space, and often for what consumers perceive as a very small convenience benefit.” Andrew Walduck, Australia Post’s Executive General Manager - Trusted eCommerce Solutions, adds; “We need to overcome some fundamental friction that exists inside this world – today it’s too hard to prove you are who you say you are when you want to do something online”. “I had an identity meltdown. I’d been with my bank for 10 years. I wanted a new terminal for my shop, they asked for 100 points of ID... I left them and joined a different bank.” Val, 50s, metro Victoria Australia Post | Enterprise and government solutions 4 White paper A frictionless future for identity management Roadblocks for business Businesses of all sizes are grappling with data privacy regulations, the rise of increasingly sophisticated fraud, and the risk of losing customers through a frustrating on-boarding experience. They need a new identity solution that is secure, efficient and convenient for customers to use. Of the 126,305 fraud and deception offences recorded by Australian police agencies in 2013/14, 40 per cent (almost 50,000 cases) involved identity crime.1 And as online and other forms of card-not-present commerce grow, so does the opportunity for fraud.2 eCommerce merchants currently lose between 1 and 5 per cent of revenue to fraud.3 Across all sectors, compromised security contributes to $2.4billion in fraud every year.4 “Identity is the new ‘money’. It’s the currency for participation in life, which is increasingly pinned to the credibility of your identity,” explains Mike Schwartz, BCG Digital Ventures’ Managing Director. “But there are multiple flaws in our current manual processes – data entry can be inconsistent or stolen. Businesses and government have to rely on this information, but it’s not in good shape right now.” Gough says “many providers – especially eCommerce companies – currently have to trade-off between fraud and convenience. Government and businesses told us they would love to do more to identify who they interact with, but they’d lose them because it introduces too much friction into those interactions. So if we could introduce a frictionless way of identifying online - where it would feel seamless, it would be a win-win for consumers and businesses.” Improving the process for new customers will help increase conversions at the check-out, and encourage more online self-service to help reduce the cost to serve through call centres and in store. “One-click checkout for eCommerce had a huge impact for us.” Online retailer “The more questions we ask, the more drop-outs we get... Re-usable verified 100 points? We’d love it.” Major bank “Know-your-customer is my biggest problem. We need to do it simpler, faster and do it once.” Mid-tier bank 1 Identity Crime and Mis-use in Australia 2013-14, Attorney General’s Department 2 Veda 2015 Cybercrime and Fraud Report 3 BCG digital identity research conducted April 2016, based on interviews with small and large ecommerce companies 4 Identity Crime and Mis-use in Australia 2013-14, Attorney General’s Department, figure includes cost of prevention and response ($350m) Australia Post | Enterprise and government solutions 5  White paper A frictionless future for identity management The rise of eGov “As governments digitise their services, there’s potential to realise many billions of dollars in economic value simply by digitising just 20 per cent of their interactions,” suggests Walduck. The Australian government has a mandate to digitise 80 per cent of its public services by 2020, but research commissioned by Australia Post in 2015 found just 29 per cent of eGov users are currently satisfied with their experience today – and 58 per cent encountered some problem during the process. To effectively expand its digital service offering across more transactions – these frustrations need to be resolved first. Having a single username and password login was one of the most important improvements users suggested, although this may not be the most robust approach to authentication. Interestingly, most citizens (83 per cent) also did not mind sharing their personal data if it made their lives easier, according to the 2015 research. This was echoed in the findings of the Australia Post and BCG research in 2016. “I’m perfectly happy for the government to share my information, to avoid the time consuming repetitive inconvenience,” one respondent said. However, there needs to be a legitimate connection for information to be shared. “If Medicare and Bupa were linked, that’s OK,” said another. “I need to be on top of everything with them (government). If I’m not, I’ll get the service but not the payout I’m entitled to. None of the departments talk, it drives so much paperwork.” Mike, small business owner, NSW 58% of eGov users encountered problems Australia Post | Enterprise and government solutions 6 White paper A frictionless future for identity management Unlocking up to $11billion per annum in economic value As part of the research we calculated the potential value of a digital identity solution for Australia. It found that by addressing the gaps in the current system, up to $11billion5 could be saved through reduced cost to serve, cost of fraud and improved consumer experience. To achieve this, we need to resolve some fundamental issues: • Ubiquity – consumers currently use a multitude of different identity credentials. We need a single individual credential, acceptable to a broad range of service providers so consumers no longer need to continually provide the same information • Trust – some consumers are reluctant to transact online due to security concerns. However, many others will trade off ‘security’ for convenience • Efficiency – streamlining the duplicated verification processes across thousands of entities While there are already several solutions in the market, they meet some but not all of these requirements. The government recognises that a key component of its digitisation agenda is to establish a trusted and secure way for citizens to interact with government agencies. The government’s ‘Trusted Digital Identity Framework” aims to solve this challenge and is a positive step towards addressing many of the concerns raised in our research. “Government and Australia Post, I’d trust them to look after me. Definitely not a bank, they might sell it. But I’m not sure if the government is good with technology?” Mary, 40s, Sydney The economic value of digital identity is approx. $11b per annum $b, p.a. 20 15 10 5 0 Undetermined value of future products and services 11 Reduced cost to serve • 26m face to face verifications • 88m other verifications • 240m phone authentications Reduced cost of fraud • Against individuals • Against business • Against Govt. • Police-recorded fraud • Prevention and response Improved customer experience • Uplift for e/m- commerce • Targeted selling • Purchasing security uplift Consumer value generated • Time spent verifying and authenticating • Document management • Form-filling Total 5 Calculated by BCG based on the following sources: publicly available data on identity services requirements for Federal and State government, financial services, utilities and telcos, Identity crime and misuse in Australia 2013-14 (Attorney General’s Department), How Australians use their time 2006 study (ABS), Value of unpaid work (ABS), NAB Online Retail Index, Internet of things: the re-imagination force, TCS Australia Post | Enterprise and government solutions 7 White paper A frictionless future for identity management Learning from the global experience Identity challenges are not unique to Australia. They are being tackled by governments around the world – from Aadhaar in India to RealMe in New Zealand, with varying degrees of success. The uptake of Sweden’s BankID has been driven by consumer demand. The number of users increased dramatically when partner banks joined the scheme and started referring their customers. It is used for both identification and legally binding signatures, currently has Uptake and acceptance are the main challenges. These can be addressed through explicit government mandate (such as critical services only being available through the platform), or through exceptional consumer experience and widespread acceptance across private and public providers. One thing is clear: single sign-on access to multiple businesses and government agencies can streamline service delivery and realise substantial cost savings. Regis Bauchiere, Australia Post’s General Manager of Identity Services, had this to say about learning from global experiences. “In my experience, there is no single solution to successfully address identity challenges across the globe. Each country or community has its own particularities in terms of culture, public service usage, privacy concerns and economic dynamics. Among the lessons I’ve learned from the various digital identity initiatives I’ve come across; is that success will ultimately reside in the capability 1b In India, the Unique Identification Authority of India (UIDAI) has issued Aadhaar numbers, making it the world’s largest biometric database.6 6.5m The authority estimates it will soon have more than 95% active users – and is now also used by government and telecommunications providers. Estonia is regarded as a leading example of digital identity. Its digitalID is required to access government services, but there is also complete transparency over who holds what data. Private and public participation has been achieved through the open platform. and how it’s shared and managed. We think this will be quite critical to enabling it to take off in Australia.” Other in-country solutions are underway in Canada (DIACC) and the UK (Gov.UK), indicating the demand for digital identity management. Cross-border initiatives, such as eIDAS for the EU7, are also interesting to watch. of adults with an Aadhaar – and in many cases, this is the first document proving their existence. The World Bank estimates this has saved the Indian government around $1b annually by reducing corruption in the delivery of government benefits and subsidies. The program collects three biometrics: fingerprints, an iris scan and a facial photograph, and it claims a ‘two iris authentication’ accuracy of to leverage these particularities to create a framework that delivers tangible benefits to the people, through more convenient and efficient services.” From these experiences, we can see the trend toward open, multi-player ecosystems. Increasing uptake in an opt-in system is challenging, and will depend on engagement and participation within the private sector. If the platform is dominated or owned by a small group, trust can also be an issue. 99.73% In this case, a dedicated agency has ensured both private sector and government participation. “The notion of a single, federated ecosystem for identity is not new, but it requires participation from the market and uptake from consumers,” comments Rebecca Russell, Principal with BCG. “This needs to happen at scale to unlock friction in the economy. One thing many of these overseas models didn’t do is put the consumer at the centre, and in control of their identity 6 Aadhaar – Identification Simplified, Myths Busted, The Wire, March 14, 2016 7 Digital Single Market, European Commission Australia Post | Enterprise and government solutions 8 White paper A frictionless future for identity management Developing the right identity solution for Australia Through the recent research, Australia Post’s 2015 eGov research and our analysis of global best practice, we have identified three core features for the development and execution of a successful digital identity solution in Australia. These all require security and privacy at their foundation. 1. Convenience is the hook Consumers in Australia need to verify and authenticate their identity several times every year, and are increasingly conducting more transactions online – and on mobile devices. They want these transactions to be seamless. They are tired of providing the same information for separate transactions and are frustrated with the proliferation of government and business accounts, usernames and passwords. Many also need to carry out these transactions, both physically and digitally, on behalf of others, such as elderly parents or children. Convenience is the hook that will encourage the most security - or privacy - conscious consumer or business to share its data. If it can make their lives significantly easier, they’ll engage. “The consumer needs to be at the centre of this solution,” comments BCG’s Russell. “They need to be able to do the jobs that matter to them, and they won’t have to go through the laborious process of proving themselves every time.” “If you didn’t have to share (so much data) and it was convenient, that would be ideal. Then you’ve just got more security, more control of what’s going on.” Ben, 20s, regional NSW Identity is used in many moments throughout the year Online dating Name change Adoption guardian/ POA Purchase insurance Change of address Infrequent Discount/ Loyalty Redemption Club and memberships Bar Tab Rent a vehicle Sign up to online service Call centre support Log-into Log-ins bank Payments Enter online Accomodation and hotel check-in Online bookings Pay tax Apply for a license Voting Australia Post | Enterprise and government solutions 9 Phone internet sign up Utilities, Telecoms products Proof of age Download apps Apply for an insurance product Carry diver’s licence Claim benefits Travel visa Memberships and subscriptions Payroll Banking Hotel check in Sign up for loyalty rewards program Pay utility bills Collect parcels from post office Proof of ID use cases Monthly Weekly Daily Start a business Credit check/ scoring Occupational license Pay tuition fees, loans, coaching Superannuation Apply for loan or mortgage Apply for a new banking product (credit card, e-wallet) Buy/claim insurance Online Shopping Sign into accounts online using card account Immigration Travel cheques Register a travel card Birth certificate Visas Death certificate Jury service Police check Passport Driver’s license Wills and inheritance Pay fines Make medical appointment Receive health care Collect prescription medicines Signup Utility/Telco Services Yearly office buildings Pay l a n o i s s e f F o i r n a P n c i a l e r u s i T e r L a / v l e l a i c o S y l i G m o a v F e & r n h m t l e a n e t H / , L e e g m a o l H White paper A frictionless future for identity management 2. Control is king Identity is a highly personal thing, and consumers understand the value of their own data – which means they are only willing to share it when they can see clear personal benefit. They don’t want to share more information than is necessary to complete the job – and they want to control their data and who has access to it. Security, privacy and trust were important to the consumers and business owners Australia Post and BCG spoke with. Trust is difficult to establish online, and that can make some individuals reluctant to transact digitally. A trusted, secure, single digital identity could open up new customer segments for smaller companies and start-ups – such as FinTechs, who often hit a roadblock when it comes to knowing their customers, AML checks and related obligations. “Think of all the businesses that don’t exist today that could if it was easier to identify individuals in the digital realm. That’s the exciting world we’re about to enter into,” comments Gough. 3. Confidence to mitigate risks For business and government to adopt and advocate usage of a digital identity system and minimise the risk of fraud, they need greater certainty of the identities of the people they are dealing with. They also need to be confident the system meets regulations for data privacy and security. The platform that underpins any new digital identity ecosystem needs to be robust. Service providers will realise immediate value, even without consumer scale, from a streamlined, secure process to sign-up customers and service users. A proliferation of digital identity solutions will only replicate the frustration of today’s physical experience – a problem that needs to be resolved. “Our enterprise and government customers want to do more, in the way they chart their own digitisation strategies. They’re evolving how they look after and protect the really important information customers share with them, and how they can connect with new customers in the future,” says Walduck. “Transparency of how the data is used and control over who gets access to it are two fundamentals... but one has to give those away to operate in society today, everything online requires compromise.” Claire, 60s, Metro NSW “Sharing information? It depends if the organisations needed to know... my issue is I just don’t know what they share, I don’t seem to have a say.” Sally, 40s, Regional QLD Australia Post | Enterprise and government solutions 10  White paper A frictionless future for identity management On the path to a new digital identity ecosystem Australia Post is exploring the opportunity of powering a solution that will give people control of their identity and eliminate the frustrations of repeatedly verifying who they are in everyday transactions. We are building, testing and refining the idea of a digital identity ecosystem with input from consumers, business and government. “What we found through the research is that identity in the digital realm is still a friction-filled experience. We want to make it something that seamlessly happens in the background of all the interactions (both physical and digital) we have” explains Gough. A digital identity could potentially be re-used in physical and digital interactions, and will be universally recognised and trusted by others to prove who you are. It’s more secure, because it provides controlled access through biometric authentication. And users will be in control. They could consent, on a transaction-by-transaction basis, “Can I download the proof of age app now?” Student to give specific businesses or government agencies access to their identity data. The platform would also be open to third parties to create and innovate their own digital products and services, relying on Australia Post’s ability to provide them with access to highly assured consumer identities. For the infrastructure to be of maximum use to an individual, it must be trusted and used by government and business. Equally, maximum value to government and business relies on the majority of Australians being “on board”. Getting the ecosystem to scale is a key challenge – but one Australia Post is confident it can overcome, given it already verifies around 6.5 million individuals every year. “Australia Post has an incredible, trusted brand, which is really important when it comes to identity, but it also has unrivalled footprint through physical shopfronts and online engagement,” comments BCG’s Schwartz on the partnership. “It’s hard to think of an organisation that’s better placed to realise the vision.” The future of online transactions A reusable, secure and widely accepted digital identity solution could be used in many different situations, including: • New product or service applications – users can seamlessly sign up in minutes with their already verified digital identity • Customer service calls – background authentication – reduces time proving their identity, so the call centre operator can solve their problem sooner • Event ticketing – concession pricing with minimal information such as proof of age • Delegate simple tasks – such as authority to pick up a parcel or prescription • Updating new address or name details – one click, multiple providers and authorities • Faster form processing with OCR (Optical Character Recognition) It could be just like the way we use our driver’s licence – but more secure, more certain and has the potential to be completely online. Current tests indicate the overwhelming majority of potential users see it as highly desirable and wish they could download it ‘right now’. And as it will be smartphone based, it’s potentially more secure and convenient than a wallet as it’s more likely to be with you. Australia Post | Enterprise and government solutions 11 White paper A frictionless future for identity management As trusted as a passport, but digitally enabled. With a digital identity solution, Australians could seamlessly and securely interact online with government, businesses of all sizes, not-for-profits and colleagues. “We have an opportunity to give consumers control of their identity,” explains Gough. “They will have the tools to easily identify themselves in physical interactions, through a contact centre and in the digital realm. It will increase convenience for people, build trust and unlock enormous value in our economy that we’re not able to tap into today.” This is an important piece of economic infrastructure for Australia – and one with the potential to realise up to $11bllion in economic value. “As we digitise identity, people won’t need to carry physical artefacts, they’ll carry their biometric facts on their body and they’ll have their mobile phone, with certain credentials,” explains Schwartz. “It will make for a much better customer experience, more effective border controls and it will be a lot more cost effective and easier than a paper-based process. “Imagine a world where identity is seamless, where it just happens in the background. It’s an exciting opportunity” – Cam Gough Travel Utility License Online Shopping “I need choice, convenience and peace of mind.” Offline (manual forms) In-person (face to face) Police Check Banking Medical New house Australia Post | Enterprise and government solutions 12 Online (from device) On Phone (call centre) White paper A frictionless future for identity management Investing in Australia’s important digital infrastructure As we’ve seen, identity is a fundamental part of many online transactions. Yet consumers are currently frustrated by the process, and feel a lack of control over how their identity is managed and who has access to it. We are lagging behind – our identity processes and platforms have not kept pace with the digitisation of the economy. Australia needs a single digital identity solution. It is a significant opportunity for business and government – and one with almost immediate return on investment for consumers, government, business and society as a whole. Research indicates the importance of putting consumers at the centre of the solution, and giving them control of their identity. It also highlights the value of an open market solution, and the importance of engaging both public and private sectors. We are excited to be working together to drive the solution to this challenge. Committed to protecting and verifying the identity of all Australians Proving and using identity is an important step in the hundreds of millions of trusted interactions that occur in Australia each year. Australia Post already verifies the identity of over one quarter of the Australian population every year. It is an important part of our trusted role in the community and economy, building on over 200 years helping Australians securely communicate and interact with each other, with government and with business. With the trust of consumers, a proven track record in identity transactions and the core technology capabilities to develop a significant framework to manage the scale of transactions required. We are making the investment needed to power the identity solution Australians need – providing greater access to the full potential of our digital age. 6.5M Australians are verified by Australia Post each year helping government communicate with businesses over 200 years To find out more about our enterprise and government solutions, please visit auspostenterprise.com.au