[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]
THE FUTURE OF IDENTITY IN
FINANCIAL SERVICES: THREATS,
CHALLENGES, AND OPPORTUNITIES
=======================================================================
HEARING
BEFORE THE
TASK FORCE ON ARTIFICIAL INTELLIGENCE
OF THE
COMMITTEE ON FINANCIAL SERVICES
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED SIXTEENTH CONGRESS
FIRST SESSION
__________
SEPTEMBER 12, 2019
__________
Printed for the use of the Committee on Financial Services
Serial No. 116-49
______
U.S. GOVERNMENT PUBLISHING OFFICE
42-317 PDF WASHINGTON : 2020
HOUSE COMMITTEE ON FINANCIAL SERVICES
MAXINE WATERS, California, Chairwoman
CAROLYN B. MALONEY, New York
NYDIA M. VELAZQUEZ, New York
BRAD SHERMAN, California
GREGORY W. MEEKS, New York
WM. LACY CLAY, Missouri
DAVID SCOTT, Georgia
AL GREEN, Texas
EMANUEL CLEAVER, Missouri
ED PERLMUTTER, Colorado
JIM A. HIMES, Connecticut
BILL FOSTER, Illinois
JOYCE BEATTY, Ohio
DENNY HECK, Washington
JUAN VARGAS, California
JOSH GOTTHEIMER, New Jersey
VICENTE GONZALEZ, Texas
AL LAWSON, Florida
MICHAEL SAN NICOLAS, Guam
RASHIDA TLAIB, Michigan
KATIE PORTER, California
CINDY AXNE, Iowa
SEAN CASTEN, Illinois
AYANNA PRESSLEY, Massachusetts
BEN McADAMS, Utah
ALEXANDRIA OCASIO-CORTEZ, New York
JENNIFER WEXTON, Virginia
STEPHEN F. LYNCH, Massachusetts
TULSI GABBARD, Hawaii
ALMA ADAMS, North Carolina
MADELEINE DEAN, Pennsylvania
JESUS ``CHUY'' GARCIA, Illinois
SYLVIA GARCIA, Texas
DEAN PHILLIPS, Minnesota

PATRICK McHENRY, North Carolina, Ranking Member
PETER T. KING, New York
FRANK D. LUCAS, Oklahoma
BILL POSEY, Florida
BLAINE LUETKEMEYER, Missouri
BILL HUIZENGA, Michigan
SEAN P. DUFFY, Wisconsin
STEVE STIVERS, Ohio
ANN WAGNER, Missouri
ANDY BARR, Kentucky
SCOTT TIPTON, Colorado
ROGER WILLIAMS, Texas
FRENCH HILL, Arkansas
TOM EMMER, Minnesota
LEE M. ZELDIN, New York
BARRY LOUDERMILK, Georgia
ALEXANDER X. MOONEY, West Virginia
WARREN DAVIDSON, Ohio
TED BUDD, North Carolina
DAVID KUSTOFF, Tennessee
TREY HOLLINGSWORTH, Indiana
ANTHONY GONZALEZ, Ohio
JOHN ROSE, Tennessee
BRYAN STEIL, Wisconsin
LANCE GOODEN, Texas
DENVER RIGGLEMAN, Virginia
Charla Ouertatani, Staff Director
TASK FORCE ON ARTIFICIAL INTELLIGENCE
BILL FOSTER, Illinois, Chairman
EMANUEL CLEAVER, Missouri
KATIE PORTER, California
SEAN CASTEN, Illinois
ALMA ADAMS, North Carolina
SYLVIA GARCIA, Texas
DEAN PHILLIPS, Minnesota

FRENCH HILL, Arkansas, Ranking Member
BARRY LOUDERMILK, Georgia
TED BUDD, North Carolina
TREY HOLLINGSWORTH, Indiana
ANTHONY GONZALEZ, Ohio
DENVER RIGGLEMAN, Virginia
C O N T E N T S
----------
Hearing held on:
    September 12, 2019 (page 1)
Appendix:
    September 12, 2019 (page 33)
WITNESSES
Thursday, September 12, 2019
    Abend, Valerie, Managing Director, Accenture Security (page 6)
    Boysen, Andre, Chief Identity Officer, SecureKey Technologies (page 12)
    Grant, Jeremy, Coordinator, Better Identity Coalition (page 8)
    Walraven, Amy, President and Founder, Turnkey Risk Solutions (page 10)
    Washington, Anne, Assistant Professor of Data Policy, NYU Steinhardt School (page 4)
APPENDIX
Prepared statements:
    Abend, Valerie (page 34)
    Boysen, Andre (page 45)
    Grant, Jeremy (page 49)
    Walraven, Amy (page 76)
    Washington, Anne (page 79)
Additional Material Submitted for the Record
Budd, Hon. Ted:
    Written responses to questions submitted to Valerie Abend and Jeremy Grant (page 98)
Hill, Hon. French:
    Letter from Fed Chairman Jerome H. Powell, dated July 9, 2019 (page 100)
    Letter to Fed Chairman Jerome H. Powell from various undersigned Members of Congress, dated June 7, 2019 (page 102)
    Accenture Security report entitled, ``2019 Future Cyber Threats'' (page 108)
    Report from the Business Roundtable entitled, ``Building Trusted & Resilient Digital Identity,'' dated July 2019 (page 139)
THE FUTURE OF IDENTITY IN
FINANCIAL SERVICES: THREATS,
CHALLENGES, AND OPPORTUNITIES
----------
Thursday, September 12, 2019
U.S. House of Representatives,
Task Force on Artificial Intelligence,
Committee on Financial Services,
Washington, D.C.
The task force met, pursuant to notice, at 9:32 a.m., in
room 2128, Rayburn House Office Building, Hon. Bill Foster
[chairman of the task force] presiding.
Members present: Representatives Foster, Phillips; Hill,
Loudermilk, Budd, Hollingsworth, Gonzalez of Ohio, and
Riggleman.
Ex officio present: Representative McHenry.
Also present: Representative Himes.
Chairman Foster. The Task Force on Artificial Intelligence
will now come to order.
Without objection, the Chair is authorized to declare a
recess of the task force at any time. Also, without objection,
members of the full Financial Services Committee who are not
members of the task force are authorized to participate in
today's hearing.
Today's hearing is entitled, ``The Future of Identity in
Financial Services: Threats, Challenges, and Opportunities.''
The Chair will now recognize himself for 4 minutes for an
opening statement.
Thank you, everyone, for joining us today for what should
be a very interesting hearing of the task force to explore the
dangerous threats of identity fraud, how artificial
intelligence (AI) is making it easier for criminals to engage
in these activities, and how we can safeguard one of the most
important things to have in our digital economy, and that is
our identity.
Identity fraud is a hugely important problem in financial
services. In 2018 alone, almost $15 billion is estimated to
have been stolen from U.S. consumers online. This doesn't
include the more indirect future costs of having a compromised
identity.
Today, criminals have lots of tools at their disposal to
get at sensitive consumer financial data. And there is a
complicated situation that a Member of Congress finds
themselves in, where we get briefings like the one I just
received from Ms. Walraven where you go through just how
massive the problem is and the techniques that are available,
and we realize that mentioning them in public is not a wise
thing to do. And so, this puts us in a tough situation.
But I urge all of the members on the committee here and
their staff who are interested to get those briefings from
members who are testifying today to just see how big of a
problem this is, because it is costing us probably a lot more
than that $15 billion.
There is a large number of tools that criminals are using
today, things like phishing, ransomware, and malware attacks,
that are already rife within financial services, and these
cyber intrusions are only becoming more sophisticated.
In the news this week, there was the story of a voice
synthesizer, an AI-enabled voice synthesizer that was used to
generate fake instructions from what an employee thought was
his boss to move money somewhere where it shouldn't have been
moved. And that sort of attack is going to accelerate as the
technology gets more advanced and more widely deployed.
And the stakes in this are enormous. With simply a name,
address, and Social Security number, criminals use stolen
identities to steal credit card numbers and bank account
numbers, and to obtain fraudulent IRS and Medicare refunds. And
the list goes on and on.
The financial services industry is on the frontlines of
this attack. More than 25 percent of all malware attacks hit
banks and other financial services organizations, which is more
than any other industry.
In addition to the billions of dollars that financial
institutions spend a year on cybersecurity, they also spend
over $25 billion a year on anti-money-laundering and
know-your-customer compliance, with large institutions spending up to
$500 million annually.
Artificial intelligence is only enhancing the cyber
criminal's arsenal. AI can be used more quickly to find
vulnerabilities in a bank's software that can be used to
impersonate someone's voice or face in a phishing scam, much
like those deepfakes of which everyone is aware.
It can also be used for something that is called synthetic
identity fraud. That is where criminals make up fake online
identities by combining real and fake data from lots of
different people, along with the Social Security number of a
person, often a child, which they can buy very cheaply off the
dark web or even the non-dark web.
These fake identities look completely real, and the
criminals can use them to open new bank accounts and a record
of new financial transactions that make the synthetic identity
look more and more real.
And at the end of this, the unfortunate common practice is
the so-called ``breakout,'' where criminals simply take out a
massive loan they never repay, or buy a car that they ship
offshore. This sort of scam happens using these synthetic
identities.
There are a number of things that we can do. I was very
impressed by the roadmap produced by Jeremy Grant, one of our
witnesses here, and his organization, the Better Identity
Coalition.
So if someone only has time to read one document in this
space, that is the one that I personally have found most
useful. It provides a roadmap for what government can do to
help, because I think that government has a unique role in
provisioning the ID, that we ultimately should take a
responsibility for maintaining a valid list of our citizens.
And I think that there has been a lot of motion, both by
governments and motion in terms of the public perception of
what is needed here.
This is one of the reasons why I am really eager to hear
more from the witnesses in this hearing. And I guess, in light
of the fact that we are unlikely to have a large amount of time
because of votes maybe intervening, I think I will just cut off
my comments here and turn it over to the ranking member of the
task force, Representative Hill.
Mr. Hill. Thank you, Mr. Chairman, for convening the
hearing today as a part of our Task Force on Artificial
Intelligence. I know this is a topic that you particularly care
deeply about. I am very interested in learning how our identity
systems can be modernized in such a way that protects the
privacy and personal information of all of our citizens, and I
look forward to hearing from the panel today.
When we anticipate a digital world where we are
distributing financial services products digitally through
banks and nonbanks across the country, obviously, whether it is
a mobile app or through the internet, through the web, this
issue of authenticating someone truly that you are doing
business with and that they, in turn, then are just granting
you, the financial services company, access to their
information for a particular purpose, all of this relates to
how we identify people, how we authenticate people in the
space.
And, of course, we have had Gramm-Leach-Bliley for many
years now, but a lot of people who aren't banks or financial
services players are not covered by Gramm-Leach-Bliley. And so,
this issue of how do we improve that and offer innovation is so
important.
If we think about a digital world, you can't really have a
completely digital process in 50 States in this country or
internationally if you don't have not only the cyber
protections that we are talking about in terms of the data
being protected, but also that authentication process, so that
individual user's identity.
That is why I think this hearing is so important to the
work we are doing in the Financial Technology Task Force, and
it is so important for our private sector players, and, I
think, our regulators on how we enhance the robustness of
identity. How do we do it, how do we authenticate people in a
more effective way, and move way beyond the user name and
password that has spent the last 20 years of repeating our
pet's names and 1, 2, 3, et cetera, as a way to get into
systems as helpful as maybe just a sharing app or as important
as reviewing our financial lives online.
Also, the issue of data breaches is critical. And here the
Federal Government doesn't have any better track record than
the private sector. We have been in, this committee--I have
been in Congress for 4 1/2 years, and we have spent a lot of
hours in this room talking about the incompetence of the
Federal Government in protecting people's privacy and our data.
So obviously, this is a key issue for both the public and the
private sector.
Financial services companies, as Dr. Foster noted, are
victim more to this kind of attack, 300 times more frequently
than nonfinancial businesses, purely for really, though,
obviously, for Willie Sutton's admonition that that is where
the money is. But also, if you are a state actor, that is where
the disruption is a very vulnerable point in the Western world.
But thanks to advances in technology such as artificial
intelligence and machine-learning, it is becoming increasingly
easier to authenticate individuals and mitigate that kind of
fraud. But we must be vigilant as policymakers to ensure that
all of our sensitive information remains private.
I look forward to having the witnesses help us to
understand these issues and what we might consider either
legislatively or regulatorily to improve this process. And I
look forward to the discussion.
With that, Mr. Chairman, I yield back.
Chairman Foster. Thank you.
And I would like to now yield 1 minute to Mr. McHenry, the
ranking member of the full Financial Services Committee.
Mr. McHenry. Thank you.
Equifax, Capital One, what is next? How many breaches is it
going to take before Congress takes appropriate action to view
cybersecurity as a top priority and combating identity fraud as
a top priority?
Only a few months ago, we had the world's biggest bank
executives right here before us, and they identified
cybersecurity as the chief threat to the financial system, not
productivity, not growth at home, not political upheaval in
Europe, not the slowdown in China, but cybersecurity.
What I appreciate about this panel, and I appreciate the
work Mr. Foster has brought to the table here, because we begin
with a bipartisan challenge, a challenge that we can then seek
bipartisan solutions for here in Congress, and a new,
innovative approach to this really cumbersome ``dumb-passwords
user-name'' situation that we are currently in, and a new type
of thinking that is occurring in the private sector, but to
ensure the policymakers keep pace with what is happening in the
private sector and further enable it and move this along much
faster.
Thanks so much. And I look forward to your testimony.
Chairman Foster. Thank you.
Today, we welcome the testimony of Anne Washington,
assistant professor of data policy, NYU Steinhardt School;
Valerie Abend, managing director of Accenture Security; Jeremy
Grant, coordinator of the Better Identity Coalition; Amy
Walraven, president and founder, Turnkey Risk Solutions; and
Andre Boysen, chief identity officer, SecureKey Technologies.
Witnesses are reminded that your oral testimony will be
limited to 5 minutes. And without objection, your full written
statements will be made a part of the record.
Ms. Washington, you are now recognized for 5 minutes.
STATEMENT OF ANNE WASHINGTON, ASSISTANT PROFESSOR OF DATA
POLICY, NYU STEINHARDT SCHOOL
Ms. Washington. Chairman Foster, Ranking Member Hill, and
members of the Task Force on Artificial Intelligence, I am
grateful for this opportunity to speak.
Before I became a professor, I spent 8 years in financial
services, in addition to many years working in support of this
Chamber.
My name is Anne Washington. Now, why did I give my name? I
gave you my name because it is an identifier, and digital
financial services rests on its ability to guess who you are
through identifiers like your name. Artificial intelligence
goes further by taking actions based on a presumed identity,
and those actions have serious consequences.
Today, I am going to explain why identity is important, why
AI makes mistakes, because they are inevitable, and what we
might do about it.
Consider a firm with an AI system that works 99 percent of
the time. That is great, right? But actually, in a business of
10 million people, clients, that means it fails on 100,000
people: 100,000 people who cannot get credit in an emergency;
100,000 families who cannot get a home mortgage and build
wealth; 100,000 entrepreneurs who cannot get a start in a small
business.
My examples focus on individuals, but let's not forget that
owner-operators who are individuals with their own business
face even greater financial risks.
Much of the data technology today was originally designed
for marketing purposes. So if I get a wrong coupon or a useless
ad, it is cute. It is a momentary curiosity. In financial
services, the stakes are higher. A digital mistake is
detrimental, and it is ongoing.
A few items from the news. Jennifer Norris of Boston
routinely was in danger of losing her job because of an
inability to resolve a dispute about her identity. A teacher in
Maryland had to give up her livelihood because she was in a
profession that required continuous recertification.
As depicted on this slide, this New York novelist sees
herself in all of her daily roles--an author, a parent, a
friend. She probably does not see herself primarily as a New
York driver. The next slide shows you how a computer sees her.
She is just the information on this slide, primarily a name and
a birth date. Yet, someone else in New York has the exact same
name and the exact same birth date.
The ``Lisas'' have no recourse to resolve this confusion.
No organization can fathom the likelihood of this coincidence.
A data double is what the scholar, Evelyn Ruppert, calls them,
and that is somebody who has the same identifiers, but it is
not you.
Now, I am a computer scientist with a degree in business. I
am going to tell you that I think this stuff works. But I can
also tell you that there is little financial incentive to fix
these mistakes, because mistakes will happen. It is
mathematically certain, in fact.
You can just go to the final slide.
What are the chances that you are going to meet someone who
has the same birthday? Actually, it is really high. It only
takes 23 people in the same room. Probably in the members of
this committee and your staff, there are two people who have
the same birthday. If you go up to at least 75 people--I don't
think we have that many here--it is 99.9 percent certain.
Coincidences are not as rare as we perceive them to be.
So, what can be done? Artificial intelligence identifiers
built for a global audience need to scale. That means we have
to respect naming practices that come from different religious
traditions or different cultural traditions, or even non-Latin
characters.
Finally, I am going to argue that we need a way to get
feedback back into identity systems. As a technologist, I want
to know how I can improve and also incrementally make these
systems better. It could also help lead towards procedures for
handling errors and exceptions.
One example is the MiDAS system in Michigan which accused
jobless people of fraud without recourse. And that is one
example of the way that AI systems need a feedback mechanism.
Now, I argue that the authority of human experience must
balance the authority of data. Why? Because stats happen.
And experience matters. Each of you has someone in your
district office who does case work. Why is that? That is a
recognition that institutions sometimes obscure the needs of
individuals.
What will be the resolution process for identity disputes
in artificial intelligence?
[The prepared statement of Dr. Washington can be found on
page 79 of the appendix.]
Chairman Foster. Thank you.
Ms. Abend, you are now recognized for 5 minutes to present
your testimony.
STATEMENT OF VALERIE ABEND, MANAGING DIRECTOR, ACCENTURE
SECURITY
Ms. Abend. Chairman Foster, Ranking Member Hill, and
members of the task force, my name is Valerie Abend, and I lead
Accenture's security practice for our North American financial
services clients. Thank you for the opportunity to join you
here today. I really commend this task force for holding a
hearing to explore the importance of digital identity and its
intersection with artificial intelligence.
Innovation in digital identity and access management is
incredibly important to cybersecurity, to enhancing privacy,
and to ensuring trust in financial transactions. We live in a
digitally connected world where customers' demand for efficient
and accurate transactions continues to increase.
From taking out a loan or paying my child's babysitter,
most of these happen online. And key to these transactions is
trust, trust that the individual we are conducting business
with online is whom they say they are.
However, the information we use to validate our identities
now is widely available through dark web forums and social
media postings, making us more vulnerable to spearphishing
campaigns.
Simply put, identifying yourself online through passwords,
usernames, and security questions is no longer working.
I would like to draw the members' attention to the slide on
the screen that lists five global cyber threats to financial
services as outlined in a recent report that we published.
Credential and identity theft is first, because it is at
the root of almost every breach. Not only are cyber criminals
really good at fooling people through spearphishing to gain
access into enterprises, but once they are inside these
networks, they compromise other access credentials, moving
throughout the company, learning how they operate, and
ultimately gaining access to privileged data and systems. I
like to call this access inside of systems the ``mushy
middle.''
One of the best known examples is the 2016 cyber heist from
the Bangladesh Central Bank, where attackers stole $81 million.
That was more than 3 years ago, and hackers are building new
capabilities to commit their attacks in ways we haven't even
thought of yet.
This is why we must use innovations, including AI, to
thwart them at the speed that cyber attacks occur. Attacks
leveraging credential theft, as we saw in Bangladesh, will
remain possible until we fundamentally change the way
enterprises manage employee and customer access and how they
detect and respond at machine speed when they sense that
something is amiss.
Today, we can use AI to enable financial institutions to
have a more accurate picture of employee access across a
complex enterprise. Through these tools, managers can make
better decisions of who should have access, to what systems,
and to what data in real time, thus managing this mushy middle.
On the customer-facing side, leading organizations are
leveraging biometrics, AI behavioral-based analytics, and
multifactor authentication to make real-time risk-based
authentication decisions to approve transactions and set limits
around those transactions. In the blink of an eye, a financial
institution can make complex risk management decisions about
whether a person using their mobile apps is, in fact, their
actual customer.
This customer risk management approach is not just in use
in the United States and other developed countries, but also in
emerging economies where these new tools are providing secure
online identities.
For example, we at Accenture are part of the ID2020 Digital
Identity Alliance, which was formed to develop a reliable
digital identity for people in developing countries so they can
confidently receive government services and validate their
identities to employers, schools, and other service providers.
These digital identity advances provide individuals with
more security and control over their data, giving them the
ability to decide who to share their personal information with,
what to share, and for how long it can be shared.
Congress' help would greatly benefit our nation's ability
to improve digital identity as a cornerstone for better and
safer online transactions.
First, Congress needs to pass a national privacy law, which
will build consumer confidence and trust in the digital economy
while enabling the private sector to gain wider adoption for
more secure products and services. A good starting point for
this is the framework released by the Business Roundtable last
year under the leadership of our CEO, Julie Sweet.
Second, Congress should help foster an environment for
digital identity innovation through proofs of concept that
enable the testing of new capabilities and their ability to
scale.
And, third, I encourage you to ensure that any new laws
designed to advance digital identity or cybersecurity be
technology-neutral and interoperable with other sectors.
So in conclusion, Mr. Chairman, there is much work to be
done to build a digital identity ecosystem that thwarts
cybersecurity attacks, improves privacy, and ensures trust.
I want to thank you again for the opportunity to discuss
these issues, and I look forward to your questions.
[The prepared statement of Ms. Abend can be found on page
34 of the appendix.]
Chairman Foster. Thank you.
And now, Mr. Grant, you are recognized for 5 minutes.
STATEMENT OF JEREMY GRANT, COORDINATOR, BETTER IDENTITY
COALITION
Mr. Grant. Chairman Foster, Ranking Member Hill, members of
the task force, thank you for the opportunity to testify today.
I am here on behalf of the Better Identity Coalition, an
organization that was launched last year, focused on bringing
together leading firms from different sectors to work with
policymakers to improve the way that Americans establish,
protect, and verify their identities when they are online. Our
members include recognized leaders from financial services,
health, technology, FinTech, payments, and security.
Our 22 members are united by a common recognition that the
way we handle identity today in the U.S. is broken, and by a
common desire to see both the public and private sectors each
take steps to make identity systems work better.
Let me say up front that I am grateful to this task force
for calling the hearing today. The way we handle identity in
America impacts our security, our privacy, and our liberty. And
from an economic standpoint, particularly as we move to
high-value transactions in the digital world, identity can be the
great enabler, providing the foundation for digital
transactions and online experiences that are more secure, more
enjoyable for the user, and ideally, more respectful of their
privacy.
But when we don't get identity right, we enable a great set
of attack points for criminals and other adversaries. A
whopping 81 percent of cyber attacks are executed by taking
advantage of weak or stolen passwords. Eighty-one percent is an
enormous number. It basically means that it is an anomaly today
when a breach happens and identity did not provide the attack
vector.
And outside of passwords, we have seen adversaries seek to
steal massive datasets of Americans. In large part, they can
have an easier time compromising the questions that are used in
identity verification tools, like knowledge-based verification
(KBV) solutions.
A key takeaway for this committee to understand today is
that attackers have caught up with many of the first-generation
tools that we have been using to protect, verify, and
authenticate identity. Now, there are a lot of reasons for
this, and there is certainly blame to allocate. But the most
important question is, what do government and industry do about
it now?
That is a key point, government and industry. If there is
one message I think this task force should take away from the
hearing today, it is that industry has said they cannot solve
this alone. We are at a juncture where the government will need
to step up and play a bigger role to help address critical
vulnerabilities in our digital identity fabric.
Last year, the Better Identity Coalition published a policy
blueprint which outlined a set of key initiatives that the
government should launch to improve identity that are both
meaningful in impact and practical to implement. A few
highlights:
First, when talking about the future of the Social Security
number (SSN), it is essential to understand the difference
between the SSN's role as an identifier, essentially a number
that is used to sort out which Jeremy Grant I am among the
hundreds of us in the U.S., and its use as an authenticator,
which is something that is used to prove I am really me, this
particular Jeremy.
SSNs should no longer be used as authenticators. This means
that, as a country, we stop pretending the number is a secret
or that the knowledge of an SSN can actually be used to prove
that someone is who they claim to be.
But that doesn't mean we need to replace them as
identifiers. Instead, let's start to build systems that treat
them like the widely available numbers that they are today. I
have yet to see any replacement proposal around SSNs that does
not involve spending tens of billions of dollars confusing
hundreds of millions of people and not really giving us much
security benefit.
Second, on the authentication topic, there is good news
here. Multi-stakeholder efforts, like the Fast Identity Online
(FIDO) Alliance and the World Wide Web Consortium, have
developed standards for next-generation authentication that are
now being embedded in most devices, operating systems, and
browsers in a way that enhances security, privacy, and user
experience. The passwordless era is near, and government can
play a role in accelerating the pace of adoption.
Third, government will need to take a more active role in
working with industry to deliver next-generation remote ID
proofing solutions. Now, this is not about a national ID, and
we are not recommending that one be created. We already have a
number of nationally recognized authoritative government ID
systems: the driver's license; the passport; the SSN.
Our challenge here is what I call the identity gap, that
all of these systems are stuck in the paper world while
commerce is increasingly moving online. So to fix this,
America's paper-based system should be modernized around a
privacy-protecting consumer-centric model that allows a
consumer to ask a government agency that issued a credential to
stand behind it in the online world by validating the
information from that credential.
So, how would this work? As the animation that is up on the
screen from our policy blueprint demonstrates, it is about
creating a new paradigm for digital identity that starts with
the needs of the consumer.
Here, we will start with someone named Stacy who is trying
to open a bank account online. She provides some basic identity
information. But since she is not there in person with a
physical ID, the bank doesn't really know if it is her or, for
that matter, whether she is a real person at all.
So, Stacy will ask somebody who already knows her, the DMV,
to help her prove that she is who she claims to be. She will
launch a mobile driver's license app on her smartphone. She
will unlock it with an on-device biometric match, say, touch
ID, which then unlocks a cryptographic key that is in the phone
that can securely log her into the DMV to make this request.
Now, because that app was securely issued to her phone at
the time she got her driver's license, and because she unlocked
it with her biometric on the device, there is now a chain of
trust in place which allows that DMV to know it was Stacy who
was actually making the request. With that secure
authentication and authorization, the DMV and the bank can then
set up a secure connection, and the DMV can validate her
identity.
Note that this concept was embraced in the 2016 report from
the bipartisan Commission on Enhancing National Cybersecurity,
as well as a recent White House OMB memo published in May.
I appreciate the opportunity to testify today. Note that I
have submitted lengthier testimony for the record as well as a
copy of our policy blueprint.
Thank you.
[The prepared statement of Mr. Grant can be found on page
49 of the appendix.]
Chairman Foster. Thank you.
Ms. Walraven, you are now recognized for 5 minutes.
STATEMENT OF AMY WALRAVEN, PRESIDENT AND FOUNDER, TURNKEY RISK
SOLUTIONS
Ms. Walraven. Thank you, Chairman Foster, Ranking Member
Hill, and members of the task force, for the opportunity to
appear before you and provide my testimony today to help inform
discussions on the future of identity in the financial services
sector: threats, challenges, and opportunities.
I am the founder and president of Turnkey Risk Solutions,
and prior to starting that company I spent 20 years in the
financial services sector at a lot of large institutions. The
last 10 years of my career, I was at JPMorgan Chase, where I
was responsible for establishing the business practices
specifically focused around proactive identification,
mitigation, and remediation of various fraud threats that
included credit bust-outs, synthetic identities, identity
manipulation, and credit abuse.
As we consider how to utilize artificial intelligence and
machine-learning to navigate big data to identify consumers, it
is important that we clarify our target by gaining a more
comprehensive understanding of what synthetic identities are. I
have been asked to provide the committee a brief overview of
the factors that contributed significantly to their emergence
in order to better frame the threats and challenges that we are
facing.
For the purposes of my discussion, Chairman Foster, you
covered that a synthetic identity in its basic form is a Social
Security number, a name, a date of birth. But it is important
to note that creating a synthetic identity is materially
different than traditional identity theft.
In cases of traditional identity theft, the criminal
impersonates a real person to open an account or take over an
existing relationship. But in cases of synthetic identity, the
criminal is using just a limited amount of elements of a true
person's identity, for example, just their Social Security
number, and then they pair that with a name, a different date
of birth, and an address that they can control, and create a
completely separate and distinct persona. And that is
intentional. They do not want to commingle with an existing
person.
Once that synthetic has been created, you can use it for
just about anything you can use a conventional identity for.
Obviously, products in the banking service, but you can also
create a social media account, insurance products, rent an
apartment, obtain utilities, or enroll in benefits programs.
You can basically use it for any purpose that the creator
intended and whatever they are controlling it for.
To better understand the threat of synthetic identities, I
think it is important to understand the landscape that is
influencing them.
Technology plays a huge role. Advances in technology have
created speed and convenience, but at the same time, they have
created anonymity for the fraudsters. We are also asking an
infrastructure that was built a long time ago to do more and
more things that it wasn't intended to do, without really being
able to keep up with the technology and the threats that are in
the landscape today.
Consumer awareness. Consumers are a lot more educated on
understanding the importance of their credit, understanding the
different ways to be able to protect their identifiers, and
being able to stay away from compromising their information.
That information has been put out to help protect consumers,
but it has also been used by organized criminals and different
criminal actors to be able to understand how the infrastructure
works and to be able to design their attacks specifically to
exploit those types of avenues.
Regulations and new controls have done a lot to protect
identity theft victims and have done a lot to make sure that
they have ways to remediate when they have been victimized. We
have seen those same protections, however, exploited,
leveraged, and abused by criminals.
We have done a lot to try to make sure that we can erase
and eradicate anything that has been related to an identity
thief. But when it comes down to actually having a synthetic
identity, those same protections have been leveraged by them.
Data breaches were originally focused on compromising
credit and debit data. And once we put the chips in the cards,
that information was then as useful as it had been in the past.
So now, they had started to move to PII, more static
information, people's names, people's Social Security numbers,
people's dates of birth.
All of these factors played a major role in an emergence of
use of synthetic identities. This fraud threat was specifically
engineered to evade existing controls while exploiting
vulnerabilities in the financial services system and beyond,
impacting other verticals.
Many of the groups committing this type of fraud are highly
organized, extremely sophisticated, and tend to be
transnational in nature. These adversaries are focused,
committed, well-funded, and have access to the same
technological advances as we do.
As an industry, we must be proactive in our actions,
unified in our defenses, and more effective in our application
of evolving technologies, including artificial intelligence.
As we seek to deliver unprecedented speed and convenience
to increasingly mobile and technology-dependent consumers and
businesses, we must remain vigilant in understanding the
threats to our interests and to our infrastructure.
Synthetic identity fraud in the United States and around
the world is widespread and inconceivably pervasive. It is
being amplified by increased digitalization of products and
processes. And when you couple that with a proliferation of
available data, synthetic identity fraud readily operates
across all delivery channels, providing the perpetrators with
potentially unfettered access to our nation's financial system
and Federal programs, making it essential that we act in a
unified and collaborative manner to protect the integrity of
our infrastructure.
In order to do so, we must recognize the complexity of
these next-generation frauds and be fully informed of their
severity and their scope. Advances in technology alone cannot
identify and resolve these issues. Mitigation efforts from
industry and government must be fluid and nimble to ensure we
have the ability to effectively address these issues with the
urgency they deserve.
Our control framework needs to be updated to specifically
address synthetic identity fraud. It needs to be universally
defined in order for institutions to be able to detect, report,
and remediate it.
Thank you very much. I appreciate the opportunity, and I
look forward to any questions you may have.
[The prepared statement of Ms. Walraven can be found on
page 76 of the appendix.]
Chairman Foster. Thank you.
And, Mr. Boysen, you are now recognized for 5 minutes.
STATEMENT OF ANDRE BOYSEN, CHIEF IDENTITY OFFICER, SECUREKEY
TECHNOLOGIES
Mr. Boysen. Chairman Foster, Ranking Member Hill, and
members of the task force, thank you for the opportunity to
discuss the future of digital identity with you today.
I am Andre Boysen, the chief identity officer at SecureKey
Technologies, and I look forward to sharing our experiences in
building a nationwide privacy-based digital identity network
for Canadian consumers that works across the economy.
SecureKey is a Canadian company that is a world leader in
providing technology solutions to enable citizens to easily
access high-value digital services. We focus on the
intersection of the citizen, the public and private sectors,
privacy, and consent.
Digital identity is not just about citizen expectations.
Companies, governments, and other organizations have strong
incentives to move transactions online to realize cost savings,
enhance customer experiences, and increase business integrity.
An organization's ability to do this hinges on a single
question: Can I trust the person or the digital identity at the
other end of this transaction?
As Jeremy has already said, identity is broken and it is
equally problematic for citizens and for business. To recognize
clients and provide trusted access to services online,
organizations typically deploy a mix of analog and digital
measures to confirm identity and mitigate risk. As we have
seen, however, these solutions tend to be complex and are not
fully effective.
On the other side, citizens are asked to navigate a
continuously changing kaleidoscope of identification methods to
satisfy the onboarding needs of the organizations from which
they seek services. All the while, we all read newspaper
stories every single day about data breaches and online
impersonators.
There is reason to be concerned. Fraudsters are collecting
information to know as much, sometimes more, than the citizens
that they are impersonating. Standard physical cards for a
paper-based world are easily counterfeited and it's often
impossible to check the document validity with the issuing
sources.
Even biometric methods, which have been presented as a
digital solution to digital fraud, are increasingly being
targeted by hackers. Unlike passwords, you can't change your
biometrics. You can easily be tricked out of a selfie.
Our collection of siloed systems is too hard for consumers
to use. It is not solving the problem, and it is too expensive
to be sustained. It is every web service for itself.
Consider the CEOs of Twitter and Facebook, Jack Dorsey and
Mark Zuckerberg. These two digital leaders know how the system
works, understand digital identity best practices, and have all
the resources in the world at their fingertips. Yet, even they
have problems controlling and managing fraudulent access to
their digital identities.
Mr. Zuckerberg's problem was self-inflicted, while Mr.
Dorsey was failed by the telco he relied on when he became the
victim of SIM swap fraud.
If they can't manage and be protected in the current
digital landscape, how are the rest of us supposed to manage?
Urging greater online security vigilance has passed the
point of diminishing returns. It needs to be said that there is
no organization on the planet that can solve digital identity
on its own. It takes a village to make digital identity work,
each player playing to their strengths and combining to create
trust greater than the sum of the parts.
The Canadian model is a public-private partnership between
financial institutions, telcos, governments, and other trusted
partners. It is a give-to-get model.
For example, governments are the foundational issuers of
identity documents in the form of birth registries and
immigration documents. Governments also link their records with
a photo to a living person by issuing a driver's license or a
passport.
But governments aren't as adept as the commercial sector at
knowing if the person actually is at the end of a given digital
transaction. The IRS has a file on everyone in this room, but
they would be hard-pressed to point any of us out in a crowd.
That is why they use knowledge-based authentication (KBA).
This brings us to financial institutions who complete
billions of authentications per year. Compared to other
organizations, citizens only rarely interact with government
during their daily lives. They may renew their driver's license
or passport every 5 years. But they will log into their bank
account several times per week. This increases the integrity in
their transactions for banks.
And our mobile devices are always within reach. The
carriers have some security features that are important and
that are tied to subscriber accounts. Verified.Me is a service
that is offered by SecureKey Technologies, that is built on
open standards. Verified.Me was developed in cooperation with
seven major financial institutions in Canada. It is a first-of-
its-kind service that takes a village approach to solving the
digital identity problems we have been talking about today with
greater simplicity, higher integrity, greater cost efficiency,
and better privacy.
With the information and resources already available, we
have helped to solve the digital identity problem in Canada,
and have developed a model we think will work around the world.
Some of our leadership and collaboration partners include
Global Privacy and Security By Design developed by Ann
Cavoukian, the U.S. Department of Homeland Security, the
Science and Technology Directorate under Anil John, and the
Digital ID and Authentication Council of Canada.
Thank you for the opportunity to share my comments with you
today.
[The prepared statement of Mr. Boysen can be found on page
45 of the appendix.]
Chairman Foster. Thank you.
I will now recognize myself for 5 minutes for questions.
Mr. Grant, one of the things that impressed me in your
testimony is the bipartisan nature of the support for this. You
were very involved in the Obama Administration's initiative on
secure online digital ID. And it appears as though OMB and the
current Administration is actually strengthening those
initiatives.
Could you just sort of briefly outline what the recent
history of government involvement is in strengthening citizens'
ability to authenticate themselves online?
Mr. Grant. Sure. As you mentioned, I spent several years in
government leading an Obama Administration initiative, the
National Strategy for Trusted Identities in Cyberspace (NSTIC),
although I was a civil servant when I was there and stationed
up at NIST, up the road, where I served as their senior adviser
for identity management and ran the program.
This has never been a partisan issue, as you point out, and
it is great to see that tradition continuing today in this task
force hearing.
Much of what the NSTIC program, as it was known, was
focused on was how to basically catalyze a marketplace. The
idea was that the government's role, the way things are in the
U.S. should be limited, but government should play a role where
there might be gaps to fill. And there was a lot of good work
that was done then that I would say is now flowing into the
work that we are driving in the Better Identity Coalition in
terms of looking to carve out an appropriate role for the
government without one where there is too much of a role for
the government.
As I mentioned in my written statement and opening
statement, in May the Office of Management and Budget signed
Memorandum 19-17 into effect, it is about 13 pages, updating a
lot of the government's cybersecurity policy as it impacts
identity. And we were really excited to see that they took one
of our key recommendations, basically calling for agencies to
create, I think the language was privacy-enhanced APIs, which
would allow consumers to ask that an agency validate identity
information about themselves either for public or private
sector applications.
I think now that that is in place, there is a good policy
foundation in place for the first time in the U.S. to actually
start to bring government into play more of this role for
consumers and businesses.
Chairman Foster. Thank you.
And, Ms. Washington, Ms. Abend, you both touched on in your
testimony the fact that the lack of a way to authenticate
yourself falls most heavily on those who are not wealthy, in
developing countries, that one of the real improvements in the
quality of a citizen's life comes from having a way to
authenticate themselves and prove who they are. This sounds
sort of counterintuitive, and I was wondering if you could add
a little bit about why this is.
Ms. Abend. It is interesting what we found, if you look at
some of the things that even the Chair of the FDIC has said
recently in some of her public comments about how individuals
who are unbanked or underbanked have cell phones and they use
those phones to conduct their financial transactions.
And so, if we could establish the kind of confidence by
having, as I put in the recommendations, a national privacy
law, I think we would go a long way to engender trust so that
they have certain protections through that national privacy law
and a much less complex way of understanding what those
protections are while also being able to use the tool that is
in their hand to be able to validate themselves for financial
transactions. And through that process, would give them access
to financial transactions in a safe and sound manner.
Chairman Foster. Ms. Washington, do you have anything to
add?
Ms. Washington. I just want to say that right now, without
a standard way and a standard procedure for disputing
authentication issues, people who feel powerless in society are
probably not going to figure out how to dispute it. So by
default, we are not going to have equal access to resolving
disputes.
Chairman Foster. I think there is probably also a tendency
for wealthy people to have a more established financial
transaction record that can be used in a sort of secondary way
to make sure that the person is real and so on.
Ms. Walraven, do you have anything to add there?
Ms. Walraven. I think we also have to take into
consideration that for all the things that we are putting in
place to protect consumers, and they are all very valid, there
are much easier ways to take a step back and go through and
negotiate the system.
I think all the controls that we are putting on for
artificial intelligence and authentication, it starts at the
front. You need to know who that person is, and then you go
through and do the authentication. So we need to go further up
the chain and make sure that identity is actually factual
first, and then you can build a lot of controls behind it.
But we need to get to the root of the issue instead of just
addressing, in some cases, the symptoms. I think that is really
how we can get much more collaborative between industry and
government. And I definitely think we need to do that, because
the current infrastructure is doing a good job with what it
can, but we need to reshape the issue and look at it from a
different lens.
Chairman Foster. All right. Thank you.
The gentleman from Arkansas, Mr. Hill, the ranking member
of the task force, is recognized for 5 minutes.
Mr. Hill. Thank you, Mr. Chairman.
Before I begin my questions, I would like to ask that
something be submitted for the record. One area that has been
concerning to our title industries across the country is
business email compromise, which is just another commercial
form of fraud. And in that regard, I would like to submit a
letter from Chairman Powell, as well as the response he had on
this issue and how important it is. I would like to submit that
for the record.
Chairman Foster. Without objection, it is so ordered.
Mr. Hill. This has been a really good panel. And as I said,
we are trying to correct the world we live in and prepare for
the world in the future. And we can't do that without this
strict privacy standard and the ability to authenticate whom it
is that we are doing business with. I thought each of you had
great opening comments, and I am grateful for that.
And I was pleased to hear, Mr. Grant, you talk a little bit
about OMB's issue, because one thing this panel has heard, and
our FinTech Task Force has heard consistently is the dangers of
data scraping and that that is not a best practice out in the
FinTech world for accessing customer data.
Can you reflect, will OMB's policy impact that in the
government sector? And is it a good standard for the private
sector to adopt?
Mr. Grant. I think the new OMB policy, assuming that there
is some follow-up to actually get more agencies to start
providing that to validation services online, will help to
contribute to some of the challenges we have seen in open
banking where you have different FinTechs who might want to
scrape financial data.
But there, I have been really impressed by the work of the
Financial Data Exchange. It is a group that was incubated in
the FS-ISAC, the Financial Services ISAC, that does a lot of
cybersecurity work. And they brought together banks and FinTech
firms to work on essentially coming up with a standard API that
leverages well-known standards like FIDO, OAuth, and OpenID
Connect, that will allow a consumer to decide to essentially
securely grant certain access rights to some of their financial
data.
Because identity is that core control that is there, if we
are able to enhance some of the ways we do identity
verification through that API with some of the things that the
government can provide, I think we are going to have more
robust solutions all across-the-board.
Mr. Hill. That is very helpful.
And, Ms. Walraven, this issue of synthetic identity, could
you explain that a little more? I looked at your testimony and
listened to you. But are you suggesting that people are just
aggregating a good cell number, a good address with a different
name and a different Social Security number, so they are not
imitating the exact person, they are creating a new synthetic
individual, and so they are just using all validated
information? Is that what you are suggesting?
Ms. Walraven. Similar. So, basically, a synthetic can use
someone's real information, let's say, a Social Security
number, either yours, or a child's Social Security number. And
then, what they will do is they will take that, add a name that
is different than the real person's name, and add a date of
birth. And if they are going to go in person somewhere, they
probably would make it closer to probably what is more likely
for them. And then put at an address that they can control. And
basically from there, they create a completely separate and
distinct identity.
So it is not real per se as far as it has been a real
person. It is a real person doing it, potentially, but it is
not a real identity. But it functions, especially in a digital
and in a paperless area, exactly like a real identity.
And when they create that, they know their mother's maiden
name, they know the user ID and password, they know the
different security questions, because they created them. So
when you go to do the authentication afterwards, you are not
going to catch them in the existing infrastructure that we
have, because those credentials are known to them.
Mr. Hill. Thanks for your contribution to that.
Mr. Grant, I read recently about the beginning of the
implementation of the California statute. And for the 4 1/2
years I have been in Congress, we have debated privacy and data
breach notification here and witnessed the battle between
retailers and the financial services industry, which grows
tiresome here on this committee, and the desire to have a 50-
State solution, which would be great in a digital world if we
could do that.
So now, California has acted. I am interested in your
views. Is the California Consumer Privacy Act (CCPA) a net
positive for the consumer? Is it a decent basis in terms of the
definitions they struck, the approach they took, for the
Federal Government to consider?
Mr. Grant. I think CCPA writ large, I guess we will have to
see how its implementation goes and whether it is a positive
for the consumer.
There is a couple of things on the identity side that I
have been very concerned about, including the fact that it took
kind of an ambiguous approach to whether you can use data for
security and fraud prevention.
As background, the General Data Protection Regulation
(GDPR) over in Europe did, I thought, a pretty good job saying,
look, if you are using data for marketing purposes or other
things, all of these rules apply. But if I am analyzing data I
am able to capture about the way you are interacting with a
device, well, that is for security or fraud prevention only,
so that is okay.
In California, they took a little bit of a different
approach. And I think part of this might have been because the
law was written in about a week. I think the history of it was
they were trying to head off a ballot initiative. They said
that a consumer cannot go to a company that has information on
them that is being used for security and fraud prevention and
ask that that information be deleted, which is good. But they
did not go ahead, you couldn't actually go to a company and opt
out of that information being used at all.
And so the concern there is that if, say, even 2 percent of
people go to companies and basically tell them to turn off the
security analytics controls that are some of the best tools we
have today to prevent things like credential stuffing attacks
or other spoofed identities, it is going to put people at risk,
consumers at risk, and businesses at risk.
Mr. Hill. Thank you very much.
I appreciate it, Mr. Chairman.
We will come back to it. Thank you.
Chairman Foster. The gentleman from North Carolina, the
ranking member of the full Financial Services Committee, Mr.
McHenry, is recognized for 5 minutes.
Mr. McHenry. Thank you.
This has been great testimony, an informative panel, and I
think it is quite constructive, again, quite constructive for
what has been, as Mr. Hill outlined, a rather tiresome debate
between retailers and banks on who holds the bag, without
talking about progress or fixing the problem. They want
Congress to intervene and make the decision on who gets sued.
So, let's get beyond that. Let's get to the solution.
Mr. Boysen, I would like to hear the story of what your
company is doing in Canada to verify identity and the
undertaking that you and your company have had.
Mr. Boysen. Thank you.
There have been two generations of services that we have
launched in Canada. The first one was in 2012, and that we did
with the Government of Canada. It was designed to be a safe
replacement for multiple user IDs and passwords.
In 2012, the problem the Government of Canada had is every
time I, as a Canadian, went to our tax authority, every single
time, I forgot the password. And so, their challenge was how to
authenticate me. They can't do what Amazon does. They can't do
an email password reset. They have to send secure mail to my
house.
Being a busy Canadian, I solved my tax problem with them
another way. And they sent me this thing 2 weeks later. I don't
send it back in, and I come back here next year and do the same
thing. That cost them 40 bucks a shot.
Between the period 2004 to 2012, they spent $970 million
authenticating 5 million Canadians. For the subsequent period,
from 2012 to 2018, their costs have come down to roughly $200
million in order of magnitude in savings. The reason is that
Canadians now are able to use their bank account to get to the
government. This has been transformational.
The reason this works better is because Canadians are in
their bank account every single week, so they are not going to
forget the password. More importantly, if they do forget the
password, like, if they can't get in, they are on DEFCON 5,
they are going to run down to the bank right now because they
are terrified their money is going to be lost, and it is that
self-interest that has actually increased the integrity of the
transactions.
The challenge with that service, however, is that it was
authentication only. It didn't solve the identity problem. So
in May of this year, with all of the major banks in Canada and
several other trusted partners, we launched an identity
service. It allows me to prove my identity in a trustworthy way
based on bank, telco, and government data that I authenticate
with each of those providers myself. And then I am able to,
under my control, give that to someone else when I want to sign up
for a new service.
So this actually increases integrity for all of those end
points and takes their cost down and gets them better results,
too.
Mr. McHenry. Okay. So, verify me. I use blockchain
technology. Walk us through that.
Mr. Boysen. We didn't start off saying, blockchain is cool,
let's use it. We came at it from a very different point of
view. If any organization is consuming data from a network to
confirm my data, they have three requirements that need to be
met.
Requirement number one is they want to know the data came
from an authoritative source, somebody they would know and
trust today, like a government-issued ID.
The second requirement that they want to know is they want
to know the data has not been altered since it was written by
that authoritative source; the crook didn't take my driver's
license, take all my data, scratch my photo, and stick their
photo on it.
The third requirement they have is they want to know that
the data belongs to the person presenting it.
So, let me answer your question about, why blockchain?
Blockchain does three very specific things. The first thing is
it allowed us to implement this thing we call triple blind
privacy. In Canada today, when I use my bank account to get to
the government, the bank account does not get to see my online
destination. The government in its place knows that I came from
a tier one bank in Canada but not which one. And our company,
which operates the network, we don't know who you are. Triple
blind privacy says not the bank, not the government, not
SecureKey got a complete picture of the user journey.
When we tried to go do that with identity, the problem is,
with us in the middle, we were going to get to see a lot, and
we wanted to figure out a way to do triple blind identity so I
could send my data from Wells Fargo to the IRS without Wells
Fargo knowing it went to the IRS, without the IRS knowing it
came from Wells Fargo, and without us seeing anything in
between.
So, it gave us a method to implement triple-blind privacy.
The second thing is, it allowed us to meet the integrity
challenge to verify and meet those three requirements that I
talked about. And the third side benefit is we get resiliency
because there are so many nodes it is harder to mount a denial-
of-service attack.
Mr. McHenry. So broadly, that cryptography, the blockchain
cryptography, is this leap forward in order to ensure that you
can have that movement of data.
But here is a different question. Is there a different
cultural assumption between folks in the United States versus
folks in Canada about their digital identity and that
willingness to share that data?
Mr. Boysen. I would say the stance of Canadians and
Americans is very similar on this front. I would say that the
privacy regulations in Canada are generally better, and so that
gives Canadians confidence when they are doing this. They have
recourse. If something negative happens, they have somewhere to
go and get it sorted. So, I would say the model would work
here, too, is my sense.
Mr. McHenry. Excellent. Well, let's get at it, right?
Pitter patter, let's get at her. Let's make some progress here.
Thank you for a great panel. It was highly informative. I
have 3 hours more of questions, but every one of you are top
notch.
Thank you for being here.
Chairman Foster. Thank you.
And the gentleman from Georgia, Mr. Loudermilk, is
recognized for 5 minutes.
Mr. Loudermilk. Thank you, Mr. Chairman.
Thank you to all of you on the panel here. This is
intriguing, coming from an IT background. I have been dealing
with cyber issues for quite some time from my time in the Air
Force dealing with intelligence data all the way up through
even protecting businesses and school systems with internet
accesses.
It is an ongoing challenge. And transactions that happen,
especially in the financial services sector, happen at
incredible speeds. Therefore, verification for those who use
this has to be done at the same speed.
I am one of those guys who likes using cash. I like reading
a printed book. I like going to a store and putting my hands on
what I am going to buy. I am unique in the world today, as I
found out the younger you are, the more you are relying on the
technology. So, we have to be exploring these areas.
Before I get to my questions, though, Mr. Chairman, I would
like to submit for the record a letter from the Consumer First
Coalition addressing concerns and congressional oversight over
the electronic consent-based Social Security verification
system as they move forward.
Chairman Foster. Without objection, it is so ordered.
Mr. Loudermilk. Thank you, Mr. Chairman.
Ms. Washington brought up a very interesting scenario at
the beginning of this, which I think illustrates some of the
challenges that we do face. But I have one that I found quite
unique.
I was taking a group to the White House. And if you have
ever visited the White House, they have quite a verification
system to go through. If there is one thing wrong, you are
going to get pulled out and put in a holding area.
A young lady I was with, who was probably in her early
thirties, was pulled out and put in a holding area. It kind of
surprised me, and so I went to talk to her.
She said: ``Oh, this happens all the time.''
``Really?''
``Yes. I have an identical twin sister. My mom didn't
realize that she was going to have twins, and she had already
chosen the name, so she gave us both the exact same name.''
And I am going to use a different name, but it was
Elizabeth Grace Smith. One was called Liz, the other was called
Grace. They have the same name, the same birthday, the same
birth location, the same hair, the same height, the same
weight. What triggered the Secret Service was their Social
Security numbers were off by one digit.
So, there was this delineator. This is a real illustration
of the type of thing that we are going to encounter, as Ms.
Washington had brought up, but we have to find a path to get
there.
And one of the things--I am big on innovation. I am big on
sandboxes so we can go out and explore ways to do this, but it
has to be done in a controlled environment to protect consumers
but yet have the ability to do these things.
Ms. Abend, it took us a while to adopt the chip payment
system. Traveling in Europe, they had it a long time before we
were able to adopt it here. But from what I understand, it has
reduced the counterfeit fraud by about 87 percent.
But the bad players, the criminals now focus on digital
payments, which involve digital identities. We need
cybersecurity solutions to combat these digital payment frauds.
Are we heading in the right direction? Do we have the
sandbox available to develop these?
Ms. Abend. Congressman, that is an excellent question. And
I remember distinctly, when I was actually back working at the
Office of the Comptroller of the Currency, when the deadline
was approaching for a chip and pin and the conversations,
because we had just faced the breach with Target and actually
had to appear before Congress to testify on cybersecurity at
that moment in time as well, and I remember distinctly having
this conversation about what it would do and what it would not
do.
And as we have seen overseas, the card-not-present fraud
goes through the roof, right? Bad guys know. And all of these
online transactions, they are card not present, and that means
they are missing that authentication aspect of being present
with that chip and pin.
And I think that, while it was a step in the right
direction and it was just a layer, the fact that most of our
transactions are increasingly online and need to happen at the
speed that we have discussed here, we do need to create an
environment that fosters more innovation, that figures out a
way to improve the state of synthetic IDs, as my colleague here
has talked about, that creates that more trust that we have
talked about here, and do it in a way where people can protect
all consumers and everyone can get bought into that system.
And I think that is why my colleague, Jeremy, and the
Business Roundtable that I mentioned earlier that has over 200
CEOs, have a lot of alignment around what needs to be done to
create that transparency for consumers with privacy, a national
privacy law, while also creating a better ecosystem where we
proof people to enable them for online transactions.
Mr. Loudermilk. Thank you. I agree with Ranking Member
McHenry; I also have tons of questions. This is intriguing. But
I am already out of time. I will submit the others for the
record.
I agree with Ms. Washington on her concerns, but I think
the solution, because those with low income are using
electronic transactions as much or more as some others are, and
we have to be able to find the way to positively protect them
as well.
Thank you, Mr. Chairman.
Chairman Foster. Thank you.
The gentleman from Ohio, Mr. Gonzalez, is recognized for 5
minutes.
Mr. Gonzalez of Ohio. Thank you, Mr. Chairman.
And thank you to the panel for your outstanding testimonies
and participation today. I think this has been a great hearing
so far.
Mr. Boysen, I want to kind of drill down on some of Mr.
McHenry's questions around blockchain specifically. So, I will
spend some time there, if you don't mind.
As you were innovating in the space, what legal impediments
existed in Canada that prevented you from developing the
blockchain, and what has had to change? Just kind of walk me
through what it was like as you were innovating, and then how
did you get there?
Mr. Boysen. Sure. One of the biggest challenges, in fact,
is when you look all across the economy, the most rigorous
process we go through as consumers when we get identity proofed
is when we go through a bank, and it is a regulated process.
They have know-your-customer (KYC) and anti-money-laundering
(AML).
In Canada, our organization for managing that is called
FINTRAC, and they have a set of interpretation bulletins that
they use to interpret the legislation to say what banks can and
cannot do.
The problem when we started this process is it didn't
include digital methods, so it took a long time to talk about
the advantages of doing digital methods.
And I want to pick up on Valerie's comments around this
card-present/card-not-present concept. One of the things we
were able to convince the regulators is what we were doing with
our service is actually creating card-present identity. Today,
when I take my driver's license to the counter, if it is a fake
driver's license, the bank is defenseless against that attack
because they can't check against the issuer. With our service,
all of the data is checked in real time.
So that, getting the regulators and the community to
understand this was actually better than what we could do in
person, took a long time, but once we got there, they said this
was more powerful.
Mr. Gonzalez of Ohio. And was that a regulatory fix or a
legislative fix?
Mr. Boysen. The interpretation bulletins for the FINTRAC
and KYC and AML were updated to include digital methods.
Mr. Gonzalez of Ohio. Legislatively?
Mr. Boysen. Yes.
Mr. Gonzalez of Ohio. Okay. So, your legislature had to
act.
And then as you look at the U.S., where do you see similar
holes where we should be legislating to enable the technology?
Mr. Boysen. Canada had an advantage in trying to get a
scheme like this going because we have a small set of banks, we
have a small set of provinces, and a small set of telcos. So we
could kind of get everything in the room.
Your economic construction here is a little bit different.
You have 3,000 banks. You have 50 States. Luckily, you have a
small set of telcos.
I do think the learnings in Canada can be applied to the
U.S. model. So I will say that there is a lot of work being
done with U.S. organizations to launch a similar service to the
one we have in Canada, here in the United States. That is down
the track. More work needs to be done. But I think there will
be similar changes where the regulatory updates are going to be
required to support it.
Mr. Gonzalez of Ohio. Okay. And do you have any specifics
in mind on, hey, here is how the SEC is interpreting this, and
this needs to change?
Or anybody else, frankly?
Mr. Grant, you are kind of nodding.
Mr. Boysen. Yes. I can provide it as follow-up testimony
for the record. I could get our legal counsel, who has actually
done a lot of work here, and I will submit that for the record
and you can review that after.
Mr. Gonzalez of Ohio. That would be fantastic.
Mr. Grant?
Mr. Grant. I would say, if you look at our membership,
about half of them are firms in banks or payments or FinTech.
And one of the things we specifically called for was for
Treasury and the regulators to do more here.
I will say they have been really receptive to discussions
with us. The message we have gotten is, if you are seeing a
barrier to digital identity innovation, please let us know.
Marshall Billingslea, who I think is Assistant Secretary for
Terrorist Financing at Treasury, announced that Treasury wants
to do a text print, working with industry in the next year to
try and help bring regulators and innovators together.
I continue to ask my members every month, are we running
into things that are precluding innovation, particularly at the
intersection of identity and financial services? And I think
the biggest answer we get is, sometimes there is a regulation
where there is just ambiguity. And then, the compliance people
kind of have their freak-out and it is hard to move forward.
But I am actually bullish there.
I think where we need a little more effort--we talked
before about the Office of Management and Budget (OMB) memo,
which is a nice start, but policy memos come out all the time
from OMB and get ignored. So I think we need more of a formal
government-wide initiative, hopefully convened by the White
House, to try and look at how to bring agencies together,
potentially within the industry, to figure out how to take this
to the next step.
I think more work needs to be done at my old agency, at
NIST, on a framework of standards to help put a foundation in
place. And I think agencies could benefit from a center of
excellence in government as well, that could actually help.
The Social Security Administration right now is developing
an attribute validation service. Congress told them to do so
last year, in fact, thanks in part to the work of this
committee. But in getting other agencies to do that, they will
need some technical help.
These are little steps around the edges that can make a big
difference to solving this problem.
Mr. Gonzalez of Ohio. Thank you.
And, again, I want to thank everybody for the time and
energy on this.
Mr. Boysen, we will follow up.
And I yield back.
Chairman Foster. Thank you.
The gentleman from Virginia, Mr. Riggleman, is recognized
for 5 minutes.
Mr. Riggleman. Thank you, Mr. Chairman. I hope I can have
60 minutes to question the panel, please. Thank you.
It is good to be here.
And, Ms. Washington, thanks for your--at the beginning when
you talked about birthdays, my birthday is March 17th, a show
of hands for St. Patrick's Day birthdays? Well, look at that.
No one. My goodness.
I want to give my background really quickly because I
actually get excited about this stuff. My background was in
military intelligence, about 26 years combined in the military
and doing this, was tracking people and finding their
identities without them volunteering their information. So I
might cover this a little bit differently. But it is also sort
of the bridge between technology and operations and how this
would happen. So my questions might be a little more esoteric
and a little bit more fun, I would hope.
Right now, I have about 50 questions I had written down, so
I am going to try to go quickly. I always have too many to go
quickly. But Ms. Abend had said something beforehand, and I
will start the line of questioning there.
I am going to start with sort of the bottom line upfront,
and then go backwards with technology. And, here we go.
It does sound like the use of AI will be a critical part of
ensuring security in digital identity. I want to know, should
we be concerned that this kind of technology could be cost-
prohibitive--and I am starting at the back--or otherwise
unavailable to smaller financial institutions or even
companies? Do you think that is something we have to worry
about?
Ms. Abend. I think that any time you deal with innovation,
it is actually interesting, some of the smaller companies of
the world are really creative, and they partner with Accenture
to actually make those possible and to make them scale. But I
do think we need to find ways to actually help smaller
companies be able to leverage some of these capabilities that
you are pointing out, AI being one of them.
And to that end, I would commend the ranking member's
effort in his own district, in Little Rock, Arkansas, to
actually create an innovation hub where community institutions
can actually learn how to take advantage of these things.
And I think the other way to actually help them scale to
the benefit particularly of smaller entities and in this case
community institutions is to actually help them do that through
the partnerships with their third parties, their large-scale
technology service providers.
Mr. Riggleman. This is why I get excited about this,
because we all are sort of creating our own unique identifiers,
our own ``UIDs.'' But a refrigerator has one also, and I don't
want to be mistaken for that.
So as we go forward, do you see private companies--and here
my questions get a little esoteric--rejecting individual or
business transactions with other entities based on insufficient
authentication of identity?
And when I look at how people are going back and forth and
utilizing sort of their own signatures, my question is, are we
going to get to a point--and this is where I get a little bit
excited and my head starts to explode a little bit--where we
are going to see private companies actually creating their own
unique ID sort of set of criteria? And then, do you see them
ensuring that criteria or ensuring that identity is doing
transactional issues with other companies and then rejecting
those companies?
That is the thing that--and I know Mr. Grant, and I
listened to what you are doing in Canada--I am almost wondering
if we are going to get to a point where companies are going to
be judged based on their criteria for how they protect our
identity and other companies rejecting that identity based on
UIDs. Do you guys see that happening in the future?
Mr. Grant, go ahead?
Mr. Grant. For years, one of the things we have been trying
to do here in the U.S. and really in a lot of countries abroad
has been looking at whether we could have certification
programs for private issuers of identity.
I talked today about the role of government, but my bank
knows me. In fact, that is sort of the foundation of what is
happening in Canada, as well as what I think we will see in the
U.S., because they have to figure out who I am before they open
an account. So could they then vouch for me other places? Could
I log in with my bank somewhere, perhaps at the Social Security
Administration?
There are certification programs in place today from
organizations. The one that is most well-known is called
Kantara. That has actually been recognized by the General
Services Administration as what they call a trust framework
provider to certify the way that a private sector entity issues
an identity.
Going forward, I talked a lot about the concept of an
identity ecosystem. There are components that industry is going
to provide, and there are components that the government is
going to provide. And I think we are going to be able to create
some hybrid solutions that can really bring in, frankly, the
best innovation the private sector can deliver, but that access
to the authoritative data sources that only government has.
Government is the only entity that authoritatively confers
identity. If you can merge those together, you can give people
something that is portable that they can use everyplace they
go.
Mr. Riggleman. Well, geez, you are in my head.
So do you believe, if we are creating, say, this identity
token, and you are talking about these standards, do you think
we are dealing with unstructured data? We are dealing with new
things like natural language processing, things like that. Do
you believe there is ever a time where we are going to be able
to customize our token where the only way we can find our
identity or make our identity known is the stuff that we
actually customize with that information? Do you think that is
the future, where we own our identity by customizing our own
information within the token?
Mr. Grant. There is a lot of focus these days on how you
can allow people to only reveal certain things about themselves
without revealing everything, and I think there are some great
models that are in place these days that will give people very
granular choices about what they share about themselves online.
When we talk about the privacy debate in this country--and
it is getting a lot of attention on the Hill--so much of it is
tied to identity. What information is collected on me? What do
I want to be collected? Why do I want these companies to know
these four things but not these seven things?
So, having a really strong tool that you can use to manage
that and in some cases go back and maybe revoke certain things,
I think is going to be a key enabler here.
Mr. Riggleman. Thank you so much. It was already 5 minutes
and 30 seconds. So, I do apologize for how quick that was. But
thank you so much. You guys are fantastic. I appreciate it.
Chairman Foster. Thank you.
And without objection, the ranking member and I will each
have an additional 5 minutes for questions and closing
statements.
So with that, I would like to recognize Mr. Hill.
Mr. Hill. Thank you again, Dr. Foster, for holding this
hearing. And, again, I think we have heard a good discussion
and the panel has been very appreciated.
I wanted to go back, Mr. Grant, and just kind of finish our
conversation about the California proposed statute. And I may
broaden that to the panel as well to compare, as you said, a
rushed law, a set of parameters with the more thoughtful
approach the EU took and just have a compare and contrast.
The Wall Street Journal last week reported that private
businesses could face a half a billion dollar compliance burden
trying to comply with the California law. So, talk about that.
And then finish your thought I think you were trying to
make on it was rushed, you have some concerns, you outlined a
couple. But did you have something else you wanted to finish up
on, on that?
Mr. Grant. The main point I was making, from what I could
tell with California, it might be a drafting error. And there
have actually been some proposals to try and clarify that.
Mr. Hill. This is the information to be used for fraud
investigation, better customer service?
Mr. Grant. Right. The backdrop on this is that identity
analytic solutions, many of them that are using AI, are one of
the most powerful tools that we have today to actually prevent
fraud.
So just to give you a number on that, Microsoft started
talking about this publicly. So in Azure they manage billions
of log-ins a day.
Two years ago, they were seeing about 10 million attacks a
day. A year ago they were seeing 100 million attacks a day.
This year, they are seeing 300 million attacks a day, trying to
compromise log-in systems to get in and do all sorts of bad
things. That is a 30 times increase in 2 years.
The way that they are actually combating this is with
database analytic systems, some of which might be collecting
things that would fall under the definition of personal data
under GDPR or CCPA or other proposals.
So long as you have a carve-out that says that is okay if
you are worried about security and fraud protection, you just
can't take that data and use it someplace else, we are good. In
fact, in Europe, because GDPR is clear on this, the European
Banking Authority is actually actively promoting the use of
what they call transaction risk analysis to secure payments
under the PSD 2 directive over there for open banking.
So I think the concern here is if it is more ambiguous, or
certainly if we are concerned that Federal privacy legislation
that doesn't say it as clearly, if 2 percent of people start
calling up Microsoft, to give the example I suggested, and say,
don't use those systems, turn that off, what are they supposed
to do at a time when attacks might go up another 10 times next
year? That is my concern.
Mr. Hill. Very helpful. And you mentioned open banking in
the U.K. for example, and Canada as well. So I might ask Mr.
Boysen this.
First of all, does anybody else want to add to that comment
on California? Anybody have a comment on California?
Okay. Mr. Boysen, on the privacy directives in Europe and
what you have done in Canada, have Europe and the U.K., to your
knowledge, solved this password authentication process in order
to make open banking be a safe activity? Because clearly here
that would be an open question I would think about open
banking.
Mr. Boysen. Yes, open banking is a singular term, but the
way it manifests in each country turns out to be a little
different. In some countries, it is compulsory. In other
countries, it is optional. In some places, it includes the
ability to do push payments. In others, it doesn't. So, it is
not a uniform application of how it works.
What I will say, however, is one of the fears of open
banking is it is going to cause asset stripping. What is going
to happen is the banks are forced to open up their APIs and
give out the data at no cost, and then the consumer is going to
give this to some new startup who doesn't have the same control
as the bank does. That FinTech is going to get breached. And
then, the consumer is going to come back to the bank and say,
``How did you let this happen?''
So rather than giving away the data, what we should give
away is trusted data so consumers can give it away at a
granular level, rather than giving it all. So that is kind of
the approach that we are looking at in Canada.
It's interesting that in Australia, they took the approach
that it is reciprocal. If you are going to participate in open
banking, if you want to be able to get data from the network,
you also have to agree in advance to share data back with the
network. And that solves part of the asset stripping issue that
is in some other jurisdictions.
Mr. Hill. I think I am interested in what we need to do
regulatorily, again, limiting our conversation here to
financial services, about how we handle this requirement of an
API approach and a discrete approach, instead of just allowing
scraping.
I hear from start-up entrepreneurs in the FinTech
environment: ``Well, you are disturbing the customer experience
by doing that.'' But I would argue that customers' experiences
get really messed up when everything is stolen from them. So,
that is not a good idea, either.
Is there something specific one of our regulatory agencies
could do in this area?
Mr. Boysen. I would submit that you can't do open banking
without a good digital identity infrastructure; it just can't
be done.
This is the problem. I am the consumer, you are the bank
that is trying to represent me, and Jeremy is the startup that
wants my data. How is Jeremy supposed to present to you that he
has my permission to get my data?
So, you have this three-way triangle of authentication
trying to go on and it is very complex and the consumer is
never going to get it.
The only way to solve this is by allowing the consumer to
have a digital identity infrastructure, and then see line by
line, what is going to go.
Mr. Hill. Thank you very much.
And I yield to you, Mr. Chairman. Thank you.
Chairman Foster. Thank you.
That business of this three-way conversation is
fascinating, for which I think there are technological
solutions with a properly designed app on your cell phone. So I
think that probably the future of this is not an identity
dongle but probably an advanced cell phone that has things like
the secure enclave on an iPhone which can store the private
keys and is resistant, it is my impression, even against having
your cell phone completely hacked, that you may be able to
capture the screen and see passwords being transmitted but you
cannot actually steal from the secure enclave in these, the
private key, which is a tremendous advantage of that approach,
and that you can still have this three-way conversation under
the control of a properly designed app. So, I think there has
been, I believe, great progress there.
Now, as it relates to the use of blockchain, one of the
great advantages of blockchain is it provides a non-falsifiable
ledger. Is there a solution in that context to developing, say,
a witness protection program which is essentially government-
sponsored synthetic identity fraud? Is that something that
people have thought about and come up with solutions to?
Mr. Boysen. I don't have a great answer here. I will say
one of the challenges that what we are getting with these
longitudinal records is that you can't go back in time and
insert a person for the purposes of witness protection. It is
very difficult to do. So, you are going to have to find some other
method to bring that identity along.
Chairman Foster. If it is a publicly visible blockchain--
Mr. Boysen. Ours is not. Ours is a private blockchain. So,
there is that protection. But still, going back and altering
the records in the past is hard.
What the government could do perhaps is have a set of
identities on standby to use for the future so they have the
longevity that would be required to pass the muster, but that
has its own pitfalls.
Chairman Foster. That is tough because this has to pass all
sorts of secondary verifications but it is really--anyway, you
should put that on your to-do list when we come up with the
perfect example here.
Now, it also seems to me that to come up with the ultimate
solution here, there has to be a role of government, almost
certainly government. At some point in your life you have to go
and authenticate yourself and be uniquely identified using
biometrics. At that point you can then be issued a security
dongle or the cell phone equivalent of one that you can use for
many, many purposes in very streamlined and low-friction
transactions.
Is there any logical alternative other than having every
citizen who wants this to be able to authenticate themselves
securely, knowing that there is not synthetic identity fraud or
other people using their credentials and the alternative to
having them present themselves in front of a trusted government
authority?
Mr. Boysen. I would say we need to learn from payment
systems when we try to do identity. David Birch has this famous
phrase that identity is the new money, and comparing identity
to money, there are a lot of things we can learn.
When you look at the global payment system with EMV cards,
we have six billion cards in circulation and they have never
been compromised. What is good about this model is you can have
your favorite bank and I can have my favorite bank and we can
go to any merchant on the planet with no prior relationship and
get what we want.
More importantly, when we lose the card, we call the bank
right away because we are terrified we are going to be
responsible for the results if we don't. So, that integrity is
what makes the process work.
In payment systems, these three things make the global
payment system work. The first thing is we made it super simple
for the consumer and we hid the complexity away so they don't
have to understand anything. We don't have to train users how
to use credit cards.
Thing number two is we have a trusted network operator.
Crooks can't pop up in the middle and say, ``Hey, I am a crook.
I take Visa.'' Right? You have to apply to get in the network,
and you have to behave well to stay in the network.
The third most important thing that keeps the global
payment system safe is user behavior. When I look at my wallet
and see my card is gone, I am going to be on DEFCON 5, I am
going to run down to the bank to turn the thing off, because I
am terrified I am going to be responsible.
Chairman Foster. Yes. I think Ms. Walraven would feel--
well, I don't want to put words in your mouth. But this system
is not perfect that he just described. Synthetic identity fraud
can still permeate such a system.
Ms. Walraven. Agreed, I think, but I think that is when it
comes down to understanding, knowing your real customer,
because we do have controls in place that are supposed to do
that, and we all assume that banks know who their customers
are, and I know, coming from the banking industry, that
everybody is trying to do that.
But considering the fact that synthetics are as prolific as
they are, considering that they are as widespread as they are,
considering that they are growing in a force multiplier, I
would contend that they don't actually know their customer.
So I feel like if you have an issue that is not right at
the root and then you compound on top of that, you actually
just make the issue later worse because you get this false
sense of trust, you get this false sense of security, and it
doesn't allow you to actually really be able to contend with
those types of individuals.
And that actually bodes to exactly what they are looking
for. They want to be seen as a regular, traditional customer.
They don't want to send that many red flags because they don't
want to get caught. They want to be able to continue to
navigate through the system, and currently they are navigating
pretty well unfettered for the most part.
Chairman Foster. But if you think of the example that Mr.
Loudermilk gave of the identical twins with identical names,
they differ only in their fingerprints. So at some point in
their lives, it seems like they have to present themselves to
some organization, almost certainly a government, who has to go
and look and de-dupe all the people who claim to have that
name.
I think there is no alternative to very advanced biometrics
of some kind. And this can be an optional system, but if you
are going to provide citizens who want one with a secure means
of authenticating themselves, you have to have this moment in
their lives.
Mr. Grant, do you have any comments on that?
Mr. Grant. Yes. I would say biometrics can play a role. I
worry about saying they are the solution. In part, I tend to
get very nervous when we talk about creating new central
databases and biometrics, in part, because if there is one
thing we have learned, it is that like any other type of
valuable data, we are not really good at protecting them.
And Exhibit A for that was the OPM breach of 2015, where I
have a top secret clearance, and all of that information from
my SF-86 and the images of my fingerprints are now in China--
and I think at least two-thirds of this room probably has the
same thing, understanding who is here today--which means that I
would never want to use a centrally matched fingerprint system
online where they didn't know I was there to protect anything
of value because a nation-state can spoof a fingerprint based
off those images.
That said, there are some really helpful tools. Most DMVs
are using face recognition for de-duping. So if I were to go in
as Jeremy Grant to the DMV, and then show up 3 months later
under a different name, they are able to say, ``Oh, it looks
like you were here before, let's at least''--and, mind you, the
face recognition is not perfect, but they can toss that to a
fraud investigator to figure out if they should issue a second
credential.
Leveraging that process, I think is really important. One
of the things we point out in our policy blueprint is that the
driver's license is the one thing that most Americans get in
their lifetime where they have a robust in-person identity-
proofing process. That is really valuable, and we think people
should be able to reuse it. The DMVs will play a role.
But I will flag that only 87 percent of adults have a
driver's license. And in fact, one thing we are seeing these
days is that it is harder to get one thanks to things like the
REAL ID Act from 2005 which, on one hand, look, there were good
security reasons for it and it has put a very robust Federal
standard in place for in-person identity proofing.
The flip side is, if you are on the margins of society,
let's say you have been in and out of homelessness, let's say
you were evicted and your license and your birth certificate
and your Social Security card were left in a box by the side of
the road that was soaked in rain and lost, it is really hard
for people to restart their identity lives again because they
are just lacking what they used to have, to the point that we
are seeing in many places--in fact, in D.C., there are a couple
of churches, like the ID Ministry at the Foundry United
Methodist Church up the street, that work with people.
Chairman Foster. I am afraid I am going to have to gavel
myself; my time is up. Votes have been called.
Without objection, I would like the report from the Better
Identity Coalition to be included in the record.
Without objection, it is so ordered.
And I just want to thank the witnesses for their testimony.
This is, I think, at the root of so many problems that we have,
that we are going to be facing.
The Chair notes that some Members may have additional
questions for this panel, which they may wish to submit in
writing. Without objection, the hearing record will remain open
for 5 legislative days for Members to submit written questions
to these witnesses and to place their responses in the record.
Also, without objection, Members will have 5 legislative days
to submit extraneous materials to the Chair for inclusion in
the record.
Thank you again. The hearing is now adjourned.
[Whereupon, at 10:56 a.m., the hearing was adjourned.]
A P P E N D I X
September 12, 2019
[GRAPHIC(S) NOT AVAILABLE IN TIFF FORMAT]