<html>
<title>THE FUTURE OF IDENTITY IN FINANCIAL SERVICES: THREATS, CHALLENGES, AND OPPORTUNITIES</title>
<body><pre>[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]


                       THE FUTURE OF IDENTITY IN

                      FINANCIAL SERVICES: THREATS,

                     CHALLENGES, AND OPPORTUNITIES

=======================================================================

                                HEARING

                               BEFORE THE

                 TASK FORCE ON ARTIFICIAL INTELLIGENCE

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 12, 2019

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 116-49

                             ______

              U.S. GOVERNMENT PUBLISHING OFFICE
 42-317 PDF            WASHINGTON : 2020


                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                 MAXINE WATERS, California, Chairwoman

CAROLYN B. MALONEY, New York         PATRICK McHENRY, North Carolina,
NYDIA M. VELAZQUEZ, New York             Ranking Member
BRAD SHERMAN, California             PETER T. KING, New York
GREGORY W. MEEKS, New York           FRANK D. LUCAS, Oklahoma
WM. LACY CLAY, Missouri              BILL POSEY, Florida
DAVID SCOTT, Georgia                 BLAINE LUETKEMEYER, Missouri
AL GREEN, Texas                      BILL HUIZENGA, Michigan
EMANUEL CLEAVER, Missouri            SEAN P. DUFFY, Wisconsin
ED PERLMUTTER, Colorado              STEVE STIVERS, Ohio
JIM A. HIMES, Connecticut            ANN WAGNER, Missouri
BILL FOSTER, Illinois                ANDY BARR, Kentucky
JOYCE BEATTY, Ohio                   SCOTT TIPTON, Colorado
DENNY HECK, Washington               ROGER WILLIAMS, Texas
JUAN VARGAS, California              FRENCH HILL, Arkansas
JOSH GOTTHEIMER, New Jersey          TOM EMMER, Minnesota
VICENTE GONZALEZ, Texas              LEE M. ZELDIN, New York
AL LAWSON, Florida                   BARRY LOUDERMILK, Georgia
MICHAEL SAN NICOLAS, Guam            ALEXANDER X. MOONEY, West Virginia
RASHIDA TLAIB, Michigan              WARREN DAVIDSON, Ohio
KATIE PORTER, California             TED BUDD, North Carolina
CINDY AXNE, Iowa                     DAVID KUSTOFF, Tennessee
SEAN CASTEN, Illinois                TREY HOLLINGSWORTH, Indiana
AYANNA PRESSLEY, Massachusetts       ANTHONY GONZALEZ, Ohio
BEN McADAMS, Utah                    JOHN ROSE, Tennessee
ALEXANDRIA OCASIO-CORTEZ, New York   BRYAN STEIL, Wisconsin
JENNIFER WEXTON, Virginia            LANCE GOODEN, Texas
STEPHEN F. LYNCH, Massachusetts      DENVER RIGGLEMAN, Virginia
TULSI GABBARD, Hawaii
ALMA ADAMS, North Carolina
MADELEINE DEAN, Pennsylvania
JESUS ``CHUY'' GARCIA, Illinois
SYLVIA GARCIA, Texas
DEAN PHILLIPS, Minnesota

                   Charla Ouertatani, Staff Director
                 TASK FORCE ON ARTIFICIAL INTELLIGENCE

                    BILL FOSTER, Illinois, Chairman

EMANUEL CLEAVER, Missouri            HILL, FRENCH, Arkansas, Ranking
KATIE PORTER, California                 Member
SEAN CASTEN, Illinois                BARRY LOUDERMILK, Georgia
ALMA ADAMS, North Carolina           TED BUDD, North Carolina
SYLVIA GARCIA, Texas                 TREY HOLLINGSWORTH, Indiana
DEAN PHILLIPS, Minnesota             ANTHONY GONZALEZ, Ohio
                                     DENVER RIGGLEMAN, Virginia


                            C O N T E N T S

                              ----------
                                                                   Page
Hearing held on:
    September 12, 2019...........................................     1
Appendix:
    September 12, 2019...........................................    33

                               WITNESSES
                      Thursday, September 12, 2019

Abend, Valerie, Managing Director, Accenture Security............     6
Boysen, Andre, Chief Identity Officer, SecureKey Technologies....    12
Grant, Jeremy, Coordinator, Better Identity Coalition............     8
Walraven, Amy, President and Founder, Turnkey Risk Solutions.....    10
Washington, Anne, Assistant Professor of Data Policy, NYU
  Steinhardt School..............................................     4

                                APPENDIX

Prepared statements:
    Abend, Valerie...............................................    34
    Boysen, Andre................................................    45
    Grant, Jeremy................................................    49
    Walraven, Amy................................................    76
    Washington, Anne.............................................    79

              Additional Material Submitted for the Record

Budd, Hon. Ted:
    Written responses to questions submitted to Valerie Abend and
      Jeremy Grant...............................................    98
Hill, Hon. French:
    Letter from Fed Chairman Jerome H. Powell, dated July 9, 2019   100
    Letter to Fed Chairman Jerome H. Powell from various
      undersigned Members of Congress, dated June 7, 2019........   102
    Accenture Security report entitled, ``2019 Future Cyber
      Threats''..................................................   108
    Report from the Business Roundtable entitled, ``Building
      Trusted & Resilient Digital Identity,'' dated July 2019....   139


                       THE FUTURE OF IDENTITY IN

                      FINANCIAL SERVICES: THREATS,

                     CHALLENGES, AND OPPORTUNITIES

                              ----------


                      Thursday, September 12, 2019

             U.S. House of Representatives,
             Task Force on Artificial Intelligence,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The task force met, pursuant to notice, at 9:32 a.m., in
room 2128, Rayburn House Office Building, Hon. Bill Foster
[chairman of the task force] presiding.
    Members present: Representatives Foster, Phillips; Hill,
Loudermilk, Budd, Hollingsworth, Gonzalez of Ohio, and
Riggleman.
    Ex officio present: Representative McHenry.
    Also present: Representative Himes.
    Chairman Foster. The Task Force on Artificial Intelligence
will now come to order.
    Without objection, the Chair is authorized to declare a
recess of the task force at any time. Also, without objection,
members of the full Financial Services Committee who are not
members of the task force are authorized to participate in
today's hearing.
    Today's hearing is entitled, ``The Future of Identity in
Financial Services: Threats, Challenges, and Opportunities.''
    The Chair will now recognize himself for 4 minutes for an
opening statement.
    Thank you, everyone, for joining us today for what should
be a very interesting hearing of the task force to explore the
dangerous threats of identity fraud, how artificial
intelligence (AI) is making it easier for criminals to engage
in these activities, and how we can safeguard one of the most
important things to have in our digital economy, and that is
our identity.
    Identity fraud is a hugely important problem in financial
services. In 2018 alone, almost $15 billion is estimated to
have been stolen from U.S. consumers online. This doesn't
include the more indirect future costs of having a compromised
identity.
    Today, criminals have lots of tools at their disposal to
get at sensitive consumer financial data. And there is a
complicated situation that a Member of Congress finds
themselves in, where we get briefings like the one I just
received from Ms. Walraven where you go through just how
massive the problem is and the techniques that are available,
and we realize that mentioning them in public is not a wise
thing to do.
And so, this puts us in a tough situation.
    But I urge all of the members on the committee here and
their staff who are interested to get those briefings from
members who are testifying today to just see how big of a
problem this is, because it is costing us probably a lot more
than that $15 billion.
    There is a large number of tools that criminals are using
today, things like phishing, ransomware, and malware attacks,
that are already rife within financial services, and these
cyber intrusions are only becoming more sophisticated.
    In the news this week, there was the story of a voice
synthesizer, an AI-enabled voice synthesizer that was used to
generate fake instructions from what an employee thought was
his boss to move money somewhere where it shouldn't have been
moved. And that sort of attack is going to accelerate as the
technology gets more advanced and more widely deployed.
    And the stakes in this are enormous. With simply a name,
address, and Social Security number, criminals use stolen
identities to steal credit card numbers and bank account
numbers, and to obtain fraudulent IRS and Medicare refunds. And
the list goes on and on.
    The financial services industry is on the frontlines of
this attack. More than 25 percent of all malware attacks hit
banks and other financial services organizations, which is more
than any other industry.
    In addition to the billions of dollars that financial
institutions spend a year on cybersecurity, they also spend
over $25 billion a year on anti-money-laundering and know-your-
customer compliance, with large institutions spending up to
$500 million annually.
    Artificial intelligence is only enhancing the cyber
criminal's arsenal.
AI can be used more quickly to find
vulnerabilities in a bank's software that can be used to
impersonate someone's voice or face in a phishing scam, much
like those deepfakes of which everyone is aware.
    It can also be used for something that is called synthetic
identity fraud. That is where criminals make up fake online
identities by combining real and fake data from lots of
different people, along with the Social Security number of a
person, often a child, which they can buy very cheaply off the
dark web or even the non-dark web.
    These fake identities look completely real, and the
criminals can use them to open new bank accounts and a record
of new financial transactions that make the synthetic identity
look more and more real.
    And at the end of this, the unfortunate common practice is
the so-called ``breakout,'' where criminals simply take out a
massive loan they never repay, or buy a car that they ship
offshore. This sort of scam happens using these synthetic
identities.
    There are a number of things that we can do. I was very
impressed by the roadmap produced by Jeremy Grant, one of our
witnesses here, and his organization, the Better Identity
Coalition.
    So if someone only has time to read one document in this
space, that is the one that I personally have found most
useful. It provides a roadmap for what government can do to
help, because I think that government has a unique role in
provisioning the ID, that we ultimately should take a
responsibility for maintaining a valid list of our citizens.
    And I think that there has been a lot of motion, both by
governments and motion in terms of the public perception of
what is needed here.
    This is one of the reasons why I am really eager to hear
more from the witnesses in this hearing.
And I guess, in light
of the fact that we are unlikely to have a large amount of time
because of votes maybe intervening, I think I will just cut off
my comments here and turn it over to the ranking member of the
task force, Representative Hill.
    Mr. Hill. Thank you, Mr. Chairman, for convening the
hearing today as a part of our Task Force on Artificial
Intelligence. I know this is a topic that you particularly care
deeply about. I am very interested in learning how our identity
systems can be modernized in such a way that protects the
privacy and personal information of all of our citizens, and I
look forward to hearing from the panel today.
    When we anticipate a digital world where we are
distributing financial services products digitally through
banks and nonbanks across the country, obviously, whether it is
a mobile app or through the internet, through the web, this
issue of authenticating someone truly that you are doing
business with and that they, in turn, then are just granting
you, the financial services company, access to their
information for a particular purpose, all of this relates to
how we identify people, how we authenticate people in the
space.
    And, of course, we have had Gramm-Leach-Bliley for many
years now, but a lot of people who aren't banks or financial
services players are not covered by Gramm-Leach-Bliley.
And so, this issue of how do we improve that and offer innovation
is so important.
    If we think about a digital world, you can't really have a
completely digital process in 50 States in this country or
internationally if you don't have not only the cyber
protections that we are talking about in terms of the data
being protected, but also that authentication process, so that
individual user's identity.
    That is why I think this hearing is so important to the
work we are doing in the Financial Technology Task Force, and
it is so important for our private sector players, and, I
think, our regulators on how we enhance the robustness of
identity. How do we do it, how do we authenticate people in a
more effective way, and move way beyond the user name and
password that has spent the last 20 years of repeating our
pet's names and 1, 2, 3, et cetera, as a way to get into
systems as helpful as maybe just a sharing app or as important
as reviewing our financial lives online.
    Also, the issue of data breaches is critical. And here the
Federal Government doesn't have any better track record than
the private sector. We have been in, this committee--I have
been in Congress for 4 1/2 years, and we have spent a lot of
hours in this room talking about the incompetence of the
Federal Government in protecting people's privacy and our data.
So obviously, this is a key issue for both the public and the
private sector.
    Financial services companies, as Dr. Foster noted, are
victim more to this kind of attack, 300 times more frequently
than nonfinancial businesses, purely for really, though,
obviously, for Willie Sutton's admonition that that is where
the money is.
But also, if you are a state actor, that is where
the disruption is a very vulnerable point in the Western world.
    But thanks to advances in technology such as artificial
intelligence and machine-learning, it is becoming increasingly
easier to authenticate individuals and mitigate that kind of
fraud. But we must be vigilant as policymakers to ensure that
all of our sensitive information remains private.
    I look forward to having the witnesses help us to
understand these issues and what we might consider either
legislatively or regulatorily to improve this process. And I
look forward to the discussion.
    With that, Mr. Chairman, I yield back.
    Chairman Foster. Thank you.
    And I would like to now yield 1 minute to Mr. McHenry, the
ranking member of the full Financial Services Committee.
    Mr. McHenry. Thank you.
    Equifax, Capital One, what is next? How many breaches is it
going to take before Congress takes appropriate action to view
cybersecurity as a top priority and combating identity fraud as
a top priority?
    Only a few months ago, we had the world's biggest bank
executives right here before us, and they identified
cybersecurity as the chief threat to the financial system, not
productivity, not growth at home, not political upheaval in
Europe, not the slowdown in China, but cybersecurity.
    What I appreciate about this panel, and I appreciate the
work Mr. Foster has brought to the table here, because we begin
with a bipartisan challenge, a challenge that we can then seek
bipartisan solutions for here in Congress, and a new,
innovative approach to this really cumbersome ``dumb-passwords
user-name'' situation that we are currently in, and a new type
of thinking that is occurring in the private sector, but to
ensure the policymakers keep pace with what is happening in the
private sector and further enable it and move this along much
faster.
    Thanks so much.
And I look forward to your testimony.
    Chairman Foster. Thank you.
    Today, we welcome the testimony of Anne Washington,
assistant professor of data policy, NYU Steinhardt School;
Valerie Abend, managing director of Accenture Security; Jeremy
Grant, coordinator of the Better Identity Coalition; Amy
Walraven, president and founder, Turnkey Risk Solutions; and
Andre Boysen, chief identity officer, SecureKey Technologies.
    Witnesses are reminded that your oral testimony will be
limited to 5 minutes. And without objection, your full written
statements will be made a part of the record.
    Ms. Washington, you are now recognized for 5 minutes.

   STATEMENT OF ANNE WASHINGTON, ASSISTANT PROFESSOR OF DATA
                 POLICY, NYU STEINHARDT SCHOOL

    Ms. Washington. Chairman Foster, Ranking Member Hill, and
members of the Task Force on Artificial Intelligence, I am
grateful for this opportunity to speak.
    Before I became a professor, I spent 8 years in financial
services, in addition to many years working in support of this
Chamber.
    My name is Anne Washington. Now, why did I give my name? I
gave you my name because it is an identifier, and digital
financial services rests on its ability to guess who you are
through identifiers like your name. Artificial intelligence
goes further by taking actions based on a presumed identity,
and those actions have serious consequences.
    Today, I am going to explain why identity is important, why
AI makes mistakes, because they are inevitable, and what we
might do about it.
    Consider a firm with an AI system that works 99 percent of
the time. That is great, right?
But actually, in a business of
10 million people, clients, that means it fails on 100,000
people: 100,000 people who cannot get credit in an emergency;
100,000 families who cannot get a home mortgage and build
wealth; 100,000 entrepreneurs who cannot get a start in a small
business.
    My examples focus on individuals, but let's not forget that
owner-operators who are individuals with their own business
face even greater financial risks.
    Much of the data technology today was originally designed
for marketing purposes. So if I get a wrong coupon or a useless
ad, it is cute. It is a momentary curiosity. In financial
services, the stakes are higher. A digital mistake is
detrimental, and it is ongoing.
    A few items from the news. Jennifer Norris of Boston
routinely was in danger of losing her job because of an
inability to resolve a dispute about her identity. A teacher in
Maryland had to give up her livelihood because she was in a
profession that required continuous recertification.
    As depicted on this slide, this New York novelist sees
herself in all of her daily roles--an author, a parent, a
friend. She probably does not see herself primarily as a New
York driver. The next slide shows you how a computer sees her.
She is just the information on this slide, primarily a name and
a birth date. Yet, someone else in New York has the exact same
name and the exact same birth date.
    The ``Lisas'' have no recourse to resolve this confusion.
No organization can fathom the likelihood of this coincidence.
A data double is what the scholar, Evelyn Ruppert, calls them,
and that is somebody who has the same identifiers, but it is
not you.
    Now, I am a computer scientist with a degree in business. I
am going to tell you that I think this stuff works. But I can
also tell you that there is little financial incentive to fix
these mistakes, because mistakes will happen.
It is mathematically certain, in fact.
    You can just go to the final slide.
    What are the chances that you are going to meet someone who
has the same birthday? Actually, it is really high. It only
takes 23 people in the same room. Probably in the members of
this committee and your staff, there are two people who have
the same birthday. If you go up to at least 75 people--I don't
think we have that many here--it is 99.9 percent certain.
Coincidences are not as rare as we perceive them to be.
    So, what can be done? Artificial intelligence identifiers
built for a global audience need to scale. That means we have
to respect naming practices that come from different religious
traditions or different cultural traditions, or even non-Latin
characters.
    Finally, I am going to argue that we need a way to get
feedback back into identity systems. As a technologist, I want
to know how I can improve and also incrementally make these
systems better. It could also help lead towards procedures for
handling errors and exceptions.
    One example is the MiDAS system in Michigan which accused
jobless people of fraud without recourse. And that is one
example of the way that AI systems need a feedback mechanism.
    Now, I argue that the authority of human experience must
balance the authority of data. Why? Because stats happen.
    And experience matters. Each of you has someone in your
district office who does case work. Why is that? That is a
recognition that institutions sometimes obscure the needs of
individuals.
    What will be the resolution process for identity disputes
in artificial intelligence?
    [The prepared statement of Dr. Washington can be found on
page 79 of the appendix.]
    Chairman Foster. Thank you.
    Ms. Abend, you are now recognized for 5 minutes to present
your testimony.

   STATEMENT OF VALERIE ABEND, MANAGING DIRECTOR, ACCENTURE
                            SECURITY

    Ms. Abend. Chairman Foster, Ranking Member Hill, and
members of the task force, my name is Valerie Abend, and I lead
Accenture's security practice for our North American financial
services clients. Thank you for the opportunity to join you
here today. I really commend this task force for holding a
hearing to explore the importance of digital identity and its
intersection with artificial intelligence.
    Innovation in digital identity and access management is
incredibly important to cybersecurity, to enhancing privacy,
and to ensuring trust in financial transactions. We live in a
digitally connected world where customers' demand for efficient
and accurate transactions continues to increase.
    From taking out a loan or paying my child's babysitter,
most of these happen online. And key to these transactions is
trust, trust that the individual we are conducting business
with online is whom they say they are.
    However, the information we use to validate our identities
now is widely available through dark web forums and social
media postings, making us more vulnerable to spearphishing
campaigns.
    Simply put, identifying yourself online through passwords,
usernames, and security questions is no longer working.
    I would like to draw the members' attention to the slide on
the screen that lists five global cyber threats to financial
services as outlined in a recent report that we published.
    Credential and identity theft is first, because it is at
the root of almost every breach. Not only are cyber criminals
really good at fooling people through spearphishing to gain
access into enterprises, but once they are inside these
networks, they compromise other access credentials, moving
throughout the company, learning how they operate, and
ultimately gaining access to privileged data and systems.
I like to call this access inside of systems the ``mushy
middle.''
    One of the best known examples is the 2016 cyber heist from
the Bangladesh Central Bank, where attackers stole $81 million.
That was more than 3 years ago, and hackers are building new
capabilities to commit their attacks in ways we haven't even
thought of yet.
    This is why we must use innovations, including AI, to
thwart them at the speed that cyber attacks occur. Attacks
leveraging credential theft, as we saw in Bangladesh, will
remain possible until we fundamentally change the way
enterprises manage employee and customer access and how they
detect and respond at machine speed when they sense that
something is amiss.
    Today, we can use AI to enable financial institutions to
have a more accurate picture of employee access across a
complex enterprise. Through these tools, managers can make
better decisions of who should have access, to what systems,
and to what data in real time, thus managing this mushy middle.
    On the customer-facing side, leading organizations are
leveraging biometrics, AI behavioral-based analytics, and
multifactor authentication to make real-time risk-based
authentication decisions to approve transactions and set limits
around those transactions.
In the blink of an eye, a financial
institution can make complex risk management decisions about
whether a person using their mobile apps is, in fact, their
actual customer.
    This customer risk management approach is not just in use
in the United States and other developed countries, but also in
emerging economies where these new tools are providing secure
online identities.
    For example, we at Accenture are part of the ID2020 Digital
Identity Alliance, which was formed to develop a reliable
digital identity for people in developing countries so they can
confidently receive government services and validate their
identities to employers, schools, and other service providers.
    These digital identity advances provide individuals with
more security and control over their data, giving them the
ability to decide who to share their personal information with,
what to share, and for how long it can be shared.
    Congress' help would greatly benefit our nation's ability
to improve digital identity as a cornerstone for better and
safer online transactions.
    First, Congress needs to pass a national privacy law, which
will build consumer confidence and trust in the digital economy
while enabling the private sector to gain wider adoption for
more secure products and services. A good starting point for
this is the framework released by the Business Roundtable last
year under the leadership of our CEO, Julie Sweet.
    Second, Congress should help foster an environment for
digital identity innovation through proofs of concept that
enable the testing of new capabilities and their ability to
scale.
    And, third, I encourage you to ensure that any new laws
designed to advance digital identity or cybersecurity be
technology-neutral and interoperable with other sectors.
    So in conclusion, Mr. Chairman, there is much work to be
done to build a digital identity ecosystem that thwarts
cybersecurity attacks, improves privacy, and ensures trust.
    I want to thank you again for the opportunity to discuss
these issues, and I look forward to your questions.
    [The prepared statement of Ms. Abend can be found on page
34 of the appendix.]
    Chairman Foster. Thank you.
    And now, Mr. Grant, you are recognized for 5 minutes.

    STATEMENT OF JEREMY GRANT, COORDINATOR, BETTER IDENTITY
                           COALITION

    Mr. Grant. Chairman Foster, Ranking Member Hill, members of
the task force, thank you for the opportunity to testify today.
I am here on behalf of the Better Identity Coalition, an
organization that was launched last year, focused on bringing
together leading firms from different sectors to work with
policymakers to improve the way that Americans establish,
protect, and verify their identities when they are online. Our
members include recognized leaders from financial services,
health, technology, FinTech, payments, and security.
    Our 22 members are united by a common recognition that the
way we handle identity today in the U.S. is broken, and by a
common desire to see both the public and private sectors each
take steps to make identity systems work better.
    Let me say up front that I am grateful to this task force
for calling the hearing today. The way we handle identity in
America impacts our security, our privacy, and our liberty. And
from an economic standpoint, particularly as we move to high-
value transactions in the digital world, identity can be the
great enabler, providing the foundation for digital
transactions and online experiences that are more secure, more
enjoyable for the user, and ideally, more respectful of their
privacy.
    But when we don't get identity right, we enable a great set
of attack points for criminals and other adversaries.
A whopping 81 percent of cyber attacks are executed by taking
advantage of weak or stolen passwords. Eighty-one percent is an
enormous number. It basically means that it is an anomaly today
when a breach happens and identity did not provide the attack
vector.
    And outside of passwords, we have seen adversaries seek to
steal massive datasets of Americans. In large part, they can
have an easier time compromising the questions that are used in
identity verification tools, like knowledge-based verification
(KBV) solutions.
    A key takeaway for this committee to understand today is
that attackers have caught up with many of the first-generation
tools that we have been using to protect, verify, and
authenticate identity. Now, there are a lot of reasons for
this, and there is certainly blame to allocate. But the most
important question is, what do government and industry do about
it now?
    That is a key point, government and industry. If there is
one message I think this task force should take away from the
hearing today, it is that industry has said they cannot solve
this alone. We are at a juncture where the government will need
to step up and play a bigger role to help address critical
vulnerabilities in our digital identity fabric.
    Last year, the Better Identity Coalition published a policy
blueprint which outlined a set of key initiatives that the
government should launch to improve identity that are both
meaningful in impact and practical to implement.
A few highlights:
    First, when talking about the future of the Social Security
number (SSN), it is essential to understand the difference
between the SSN's role as an identifier, essentially a number
that is used to sort out which Jeremy Grant I am among the
hundreds of us in the U.S., and its use as an authenticator,
which is something that is used to prove I am really me, this
particular Jeremy.
    SSNs should no longer be used as authenticators. This means
that, as a country, we stop pretending the number is a secret
or that the knowledge of an SSN can actually be used to prove
that someone is who they claim to be.
    But that doesn't mean we need to replace them as
identifiers. Instead, let's start to build systems that treat
them like the widely available numbers that they are today. I
have yet to see any replacement proposal around SSNs that does
not involve spending tens of billions of dollars confusing
hundreds of millions of people and not really giving us much
security benefit.
    Second, on the authentication topic, there is good news
here. Multi-stakeholder efforts, like the Fast Identity Online
(FIDO) Alliance and the World Wide Web Consortium, have
developed standards for next-generation authentication that are
now being embedded in most devices, operating systems, and
browsers in a way that enhances security, privacy, and user
experience. The passwordless era is near, and government can
play a role in accelerating the pace of adoption.
    Third, government will need to take a more active role in
working with industry to deliver next-generation remote ID
proofing solutions. Now, this is not about a national ID, and
we are not recommending that one be created.
We already have a \nnumber of nationally recognized authoritative government ID \nsystems: the driver's license; the passport; the SSN.\n    Our challenge here is what I call the identity gap, that \nall of these systems are stuck in the paper world while \ncommerce is increasingly moving online. So to fix this, \nAmerica's paper-based system should be modernized around a \nprivacy-protecting consumer-centric model that allows a \nconsumer to ask a government agency that issued a credential to \nstand behind it in the online world by validating the \ninformation from that credential.\n    So, how would this work? As the animation that is up on the \nscreen from our policy blueprint demonstrates, it is about \ncreating a new paradigm for digital identity that starts with \nthe needs of the consumer.\n    Here, we will start with someone named Stacy who is trying \nto open a bank account online. She provides some basic identity \ninformation. But since she is not there in person with a \nphysical ID, the bank doesn't really know if it is her or, for \nthat matter, whether she is a real person at all.\n    So, Stacy will ask somebody who already knows her, the DMV, \nto help her prove that she is who she claims to be. She will \nlaunch a mobile driver's license app on her smartphone. She \nwill unlock it with an on-device biometric match, say, touch \nID, which then unlocks a cryptographic key that is in the phone \nthat can securely log her into the DMV to make this request.\n    Now, because that app was securely issued to her phone at \nthe time she got her driver's license, and because she unlocked \nit with her biometric on the device, there is now a chain of \ntrust in place which allows that DMV to know it was Stacy who \nwas actually making the request. 
With that secure \nauthentication and authorization, the DMV and the bank can then \nset up a secure connection, and the DMV can validate her \nidentity.\n    Note that this concept was embraced in the 2016 report from \nthe bipartisan Commission on Enhancing National Cybersecurity, \nas well as a recent White House OMB memo published in May.\n    I appreciate the opportunity to testify today. Note that I \nhave submitted lengthier testimony for the record as well as a \ncopy of our policy blueprint.\n    Thank you.\n    [The prepared statement of Mr. Grant can be found on page \n49 of the appendix.]\n    Chairman Foster. Thank you.\n    Ms. Walraven, you are now recognized for 5 minutes.\n\nSTATEMENT OF AMY WALRAVEN, PRESIDENT AND FOUNDER, TURNKEY RISK \n                           SOLUTIONS\n\n    Ms. Walraven. Thank you, Chairman Foster, Ranking Member \nHill, and members of the task force, for the opportunity to \nappear before you and provide my testimony today to help inform \ndiscussions on the future of identity in the financial services \nsector: threats, challenges, and opportunities.\n    I am the founder and president of Turnkey Risk Solutions, \nand prior to starting that company I spent 20 years in the \nfinancial services sector at a lot of large institutions. The \nlast 10 years of my career, I was at JPMorgan Chase, where I \nwas responsible for establishing the business practices \nspecifically focused around proactive identification, \nmitigation, and remediation of various fraud threats that \nincluded credit bust-outs, synthetic identities, identity \nmanipulation, and credit abuse.\n    As we consider how to utilize artificial intelligence and \nmachine-learning to navigate big data to identify consumers, it \nis important that we clarify our target by gaining a more \ncomprehensive understanding of what synthetic identities are. 
I \nhave been asked to provide the committee a brief overview of \nthe factors that contributed significantly to their emergence \nin order to better frame the threats and challenges that we are \nfacing.\n    For the purposes of my discussion, Chairman Foster, you \ncovered that a synthetic identity in its basic form is a Social \nSecurity number, a name, a date of birth. But it is important \nto note that creating a synthetic identity is materially \ndifferent than traditional identity theft.\n    In cases of traditional identity theft, the criminal \nimpersonates a real person to open an account or take over an \nexisting relationship. But in cases of synthetic identity, the \ncriminal is using just a limited amount of elements of a true \nperson's identity, for example, just their Social Security \nnumber, and then they pair that with a name, a different date \nof birth, and an address that they can control, and create a \ncompletely separate and distinct persona. And that is \nintentional. They do not want to commingle with an existing \nperson.\n    Once that synthetic has been created, you can use it for \njust about anything you can use a conventional identity for. \nObviously, products in the banking service, but you can also \ncreate a social media account, insurance products, rent an \napartment, obtain utilities, or enroll in benefits programs. \nYou can basically use it for any purpose that the creator \nintended and whatever they are controlling it for.\n    To better understand the threat of synthetic identities, I \nthink it is important to understand the landscape that is \ninfluencing them.\n    Technology plays a huge role. Advances in technology have \ncreated speed and convenience, but at the same time, they have \ncreated anonymity for the fraudsters. 
We are also asking an \ninfrastructure that was built a long time ago to do more and \nmore things that it wasn't intended to do, without really being \nable to keep up with the technology and the threats that are in \nthe landscape today.\n    Consumer awareness. Consumers are a lot more educated on \nunderstanding the importance of their credit, understanding the \ndifferent ways to be able to protect their identifiers, and \nbeing able to stay away from compromising their information. \nThat information has been put out to help protect consumers, \nbut it has also been used by organized criminals and different \ncriminal actors to be able to understand how the infrastructure \nworks and to be able to design their attacks specifically to \nexploit those types of avenues.\n    Regulations and new controls have done a lot to protect \nidentity theft victims and have done a lot to make sure that \nthey have ways to remediate when they have been victimized. We \nhave seen those same protections, however, exploited, \nleveraged, and abused by criminals.\n    We have done a lot to try to make sure that we can erase \nand eradicate anything that has been related to an identity \nthief. But when it comes down to actually having a synthetic \nidentity, those same protections have been leveraged by them.\n    Data breaches were originally focused on compromising \ncredit and debit data. And once we put the chips in the cards, \nthat information was then as useful as it had been in the past. \nSo now, they had started to move to PII, more static \ninformation, people's names, people's Social Security numbers, \npeople's dates of birth.\n    All of these factors played a major role in an emergence of \nuse of synthetic identities. 
This fraud threat was specifically \nengineered to evade existing controls while exploiting \nvulnerabilities in the financial services system and beyond, \nimpacting other verticals.\n    Many of the groups committing this type of fraud are highly \norganized, extremely sophisticated, and tend to be \ntransnational in nature. These adversaries are focused, \ncommitted, well-funded, and have access to the same \ntechnological advances as we do.\n    As an industry, we must be proactive in our actions, \nunified in our defenses, and more effective in our application \nof evolving technologies, including artificial intelligence.\n    As we seek to deliver unprecedented speed and convenience \nto increasingly mobile and technology-dependent consumers and \nbusinesses, we must remain vigilant in understanding the \nthreats to our interests and to our infrastructure.\n    Synthetic identity fraud in the United States and around \nthe world is widespread and inconceivably pervasive. It is \nbeing amplified by increased digitalization of products and \nprocesses. And when you couple that with a proliferation of \navailable data, synthetic identity fraud readily operates \nacross all delivery channels, providing the perpetrators with \npotentially unfettered access to our nation's financial system \nand Federal programs, making it essential that we act in a \nunified and collaborative manner to protect the integrity of \nour infrastructure.\n    In order to do so, we must recognize the complexity of \nthese next-generation frauds and be fully informed of their \nseverity and their scope. Advances in technology alone cannot \nidentify and resolve these issues. Mitigation efforts from \nindustry and government must be fluid and nimble to ensure we \nhave the ability to effectively address these issues with the \nurgency they deserve.\n    Our control framework needs to be updated to specifically \naddress synthetic identity fraud. 
It needs to be universally \ndefined in order for institutions to be able to detect, report, \nand remediate it.\n    Thank you very much. I appreciate the opportunity, and I \nlook forward to any questions you may have.\n    [The prepared statement of Ms. Walraven can be found on \npage 76 of the appendix.]\n    Chairman Foster. Thank you.\n    And, Mr. Boysen, you are now recognized for 5 minutes.\n\n STATEMENT OF ANDRE BOYSEN, CHIEF IDENTITY OFFICER, SECUREKEY \n                          TECHNOLOGIES\n\n    Mr. Boysen. Chairman Foster, Ranking Member Hill, and \nmembers of the task force, thank you for the opportunity to \ndiscuss the future of digital identity with you today.\n    I am Andre Boysen, the chief identity officer at SecureKey \nTechnologies, and I look forward to sharing our experiences in \nbuilding a nationwide privacy-based digital identity network \nfor Canadian consumers that works across the economy.\n    SecureKey is a Canadian company that is a world leader in \nproviding technology solutions to enable citizens to easily \naccess high-value digital services. We focus on the \nintersection of the citizen, the public and private sectors, \nprivacy, and consent.\n    Digital identity is not just about citizen expectations. \nCompanies, governments, and other organizations have strong \nincentives to move transactions online to realize cost savings, \nenhance customer experiences, and increase business integrity. \nAn organization's ability to do this hinges on a single \nquestion: Can I trust the person or the digital identity at the \nother end of this transaction?\n    As Jeremy has already said, identity is broken and it is \nequally problematic for citizens and for business. To recognize \nclients and provide trusted access to services online, \norganizations typically deploy a mix of analog and digital \nmeasures to confirm identity and mitigate risk. 
As we have \nseen, however, these solutions tend to be complex and are not \nfully effective.\n    On the other side, citizens are asked to navigate a \ncontinuously changing kaleidoscope of identification methods to \nsatisfy the onboarding needs of the organizations from which \nthey seek services. All the while, we all read newspaper \nstories every single day about data breaches and online \nimpersonators.\n    There is reason to be concerned. Fraudsters are collecting \ninformation to know as much, sometimes more, than the citizens \nthat they are impersonating. Standard physical cards for a \npaper-based world are easily counterfeited and it's often \nimpossible to check the document validity with the issuing \nsources.\n    Even biometric methods, which have been presented as a \ndigital solution to digital fraud, are increasingly being \ntargeted by hackers. Unlike passwords, you can't change your \nbiometrics. You can easily be tricked out of a selfie.\n    Our collection of siloed systems are too hard for consumers \nto use. It is not solving the problem, and it is too expensive \nto be sustained. It is every web service for itself.\n    Consider the CEOs of Twitter and Facebook, Jack Dorsey and \nMark Zuckerberg. These two digital leaders know how the system \nworks, understand digital identity best practices, and have all \nthe resources in the world at their fingertips. Yet, even they \nhave problems controlling and managing fraudulent access to \ntheir digital identities.\n    Mr. Zuckerberg's problem was self-inflicted, while Mr. \nDorsey was failed by the telco he relied on when he became the \nvictim of SIM swap fraud.\n    If they can't manage and be protected in the current \ndigital landscape, how are the rest of us supposed to manage?\n    Urging greater online security vigilance has passed the \npoint of diminishing returns. It needs to be said that there is \nno organization on the planet that can solve digital identity \non its own. 
It takes a village to make digital identity work, \neach player playing to their strengths and combining to create \ntrust greater than the sum of the parts.\n    The Canadian model is a public-private partnership between \nfinancial institutions, telcos, governments, and other trusted \npartners. It is a give-to-get model.\n    For example, governments are the foundational issuers of \nidentity documents in the form of birth registries and \nimmigration documents. Governments also link their records with \na photo to a living person by issuing a driver's license or a \npassport.\n    But governments aren't as adept as the commercial sector at \nknowing if the person actually is at the end of a given digital \ntransaction. The IRS has a file on everyone in this room, but \nthey would be hard-pressed to point any of us out in a crowd. \nThat is why they use knowledge-based authentication (KBA).\n    This brings us to financial institutions who complete \nbillions of authentications per year. Compared to other \norganizations, citizens only rarely interact with government \nduring their daily lives. They may renew their driver's license \nor passport every 5 years. But they will log into their bank \naccount several times per week. This increases the integrity in \ntheir transactions for banks.\n    And our mobile devices are always within reach. The \ncarriers have some security features that are important and \nthat are tied to subscriber accounts. Verified.Me is a service \nthat is offered by SecureKey Technologies, that is built on \nopen standards. Verified.Me was developed in cooperation with \nseven major financial institutions in Canada. 
It is a first-of-\nits-kind service that takes a village approach to solving the \ndigital identity problems we have been talking about today with \ngreater simplicity, higher integrity, greater cost efficiency, \nand better privacy.\n    With the information and resources already available, we \nhave helped to solve the digital identity problem in Canada, \nand have developed a model we think will work around the world. \nSome of our leadership and collaboration partners include \nGlobal Privacy and Security By Design developed by Ann \nCavoukian, the U.S. Department of Homeland Security, the \nScience and Technology Directorate under Anil John, and the \nDigital ID and Authentication Council of Canada.\n    Thank you for the opportunity to share my comments with you \ntoday.\n    [The prepared statement of Mr. Boysen can be found on page \n45 of the appendix.]\n    Chairman Foster. Thank you.\n    I will now recognize myself for 5 minutes for questions.\n    Mr. Grant, one of the things that impressed me in your \ntestimony is the bipartisan nature of the support for this. You \nwere very involved in the Obama Administration's initiative on \nsecure online digital ID. And it appears as though OMB and the \ncurrent Administration is actually strengthening those \ninitiatives.\n    Could you just sort of briefly outline what the recent \nhistory of government involvement is in strengthening citizens' \nability to authenticate themselves online?\n    Mr. Grant. Sure. 
As you mentioned, I spent several years in \ngovernment leading an Obama Administration initiative, the \nNational Strategy for Trusted Identities in Cyberspace (NSTIC), \nalthough I was a civil servant when I was there and stationed \nup at NIST, up the road, where I served as their senior adviser \nfor identity management and ran the program.\n    This has never been a partisan issue, as you point out, and \nit is great to see that tradition continuing today in this task \nforce hearing.\n    Much of what the NSTIC program, as it was known, was \nfocused on was how to basically catalyze a marketplace. The \nidea was that the government's role, the way things are in the \nU.S. should be limited, but government should play a role where \nthere might be gaps to fill. And there was a lot of good work \nthat was done then that I would say is now flowing into the \nwork that we are driving in the Better Identity Coalition in \nterms of looking to carve out an appropriate role for the \ngovernment without one where there is too much of a role for \nthe government.\n    As I mentioned in my written statement and opening \nstatement, in May the Office of Management and Budget signed \nMemorandum 19-17 into effect, it is about 13 pages, updating a \nlot of the government's cybersecurity policy as it impacts \nidentity. And we were really excited to see that they took one \nof our key recommendations, basically calling for agencies to \ncreate, I think the language was privacy-enhanced APIs, which \nwould allow consumers to ask that an agency validate identity \ninformation about themselves either for public or private \nsector applications.\n    I think now that that is in place, there is a good policy \nfoundation in place for the first time in the U.S. to actually \nstart to bring government into play more of this role for \nconsumers and businesses.\n    Chairman Foster. Thank you.\n    And, Ms. Washington, Ms. 
Abend, you both touched on in your \ntestimony the fact that the lack of a way to authenticate \nyourself falls most heavily on those who are not wealthy, in \ndeveloping countries, that one of the real improvements in the \nquality of a citizen's life comes from having a way to \nauthenticate themselves and prove who they are. This sounds \nsort of counterintuitive, and I was wondering if you could add \na little bit about why this is.\n    Ms. Abend. It is interesting what we found, if you look at \nsome of the things that even the Chair of the FDIC has said \nrecently in some of her public comments about how individuals \nwho are unbanked or underbanked have cell phones and they use \nthose phones to conduct their financial transactions.\n    And so, if we could establish the kind of confidence by \nhaving, as I put in the recommendations, a national privacy \nlaw, I think we would go a long way to engender trust so that \nthey have certain protections through that national privacy law \nand a much less complex way of understanding what those \nprotections are while also being able to use the tool that is \nin their hand to be able to validate themselves for financial \ntransactions. And through that process, would give them access \nto financial transactions in a safe and sound manner.\n    Chairman Foster. Ms. Washington, do you have anything to \nadd?\n    Ms. Washington. I just want to say that right now, without \na standard way and a standard procedure for disputing \nauthentication issues, people who feel powerless in society are \nprobably not going to figure out how to dispute it. So by \ndefault, we are not going to have equal access to resolving \ndisputes.\n    Chairman Foster. I think there is probably also a tendency \nfor wealthy people to have a more established financial \ntransaction record that can be used in a sort of secondary way \nto make sure that the person is real and so on.\n    Ms. 
Walraven, do you have anything to add there?\n    Ms. Walraven. I think we also have to take into \nconsideration that for all the things that we are putting in \nplace to protect consumers, and they are all very valid, there \nare much easier ways to take a step back and go through and \nnegotiate the system.\n    I think all the controls that we are putting on for \nartificial intelligence and authentication, it starts at the \nfront. You need to know who that person is, and then you go \nthrough and do the authentication. So we need to go further up \nthe chain and make sure that identity is actually factual \nfirst, and then you can build a lot of controls behind it.\n    But we need to get to the root of the issue instead of just \naddressing, in some cases, the symptoms. I think that is really \nhow we can get much more collaborative between industry and \ngovernment. And I definitely think we need to do that, because \nthe current infrastructure is doing a good job with what it \ncan, but we need to reshape the issue and look at it from a \ndifferent lens.\n    Chairman Foster. All right. Thank you.\n    The gentleman from Arkansas, Mr. Hill, the ranking member \nof the task force, is recognized for 5 minutes.\n    Mr. Hill. Thank you, Mr. Chairman.\n    Before I begin my questions, I would like to ask that \nsomething be submitted for the record. One area that has been \nconcerning to our title industries across the country is \nbusiness email compromise, which is just another commercial \nform of fraud. And in that regard, I would like to submit a \nletter from Chairman Powell, as well as the response he had on \nthis issue and how important it is. I would like to submit that \nfor the record.\n    Chairman Foster. Without objection, it is so ordered.\n    Mr. Hill. This has been a really good panel. And as I said, \nwe are trying to correct the world we live in and prepare for \nthe world in the future. 
And we can't do that without this \nstrict privacy standard and the ability to authenticate whom it \nis that we are doing business with. I thought each of you had \ngreat opening comments, and I am grateful for that.\n    And I was pleased to hear, Mr. Grant, you talk a little bit \nabout OMB's issue, because one thing this panel has heard, and \nour FinTech Task Force has heard consistently is the dangers of \ndata scraping and that that is not a best practice out in the \nFinTech world for accessing customer data.\n    Can you reflect, will OMB's policy impact that in the \ngovernment sector? And is it a good standard for the private \nsector to adopt?\n    Mr. Grant. I think the new OMB policy, assuming that there \nis some follow-up to actually get more agencies to start \nproviding that to validation services online, will help to \ncontribute to some of the challenges we have seen in open \nbanking where you have different FinTechs who might want to \nscrape financial data.\n    But there, I have been really impressed by the work of the \nFinancial Data Exchange. It is a group that was incubated in \nthe FS-ISAC, the Financial Services ISAC, that does a lot of \ncybersecurity work. And they brought together banks and FinTech \nfirms to work on essentially coming up with a standard API that \nleverages well-known standards like FIDO, OAuth, and OpenID \nConnect, that will allow a consumer to decide to essentially \nsecurely grant certain access rights to some of their financial \ndata.\n    Because identity is that core control that is there, if we \nare able to enhance some of the ways we do identity \nverification through that API with some of the things that the \ngovernment can provide, I think we are going to have more \nrobust solutions all across-the-board.\n    Mr. Hill. That is very helpful.\n    And, Ms. Walraven, this issue of synthetic identity, could \nyou explain that a little more? I looked at your testimony and \nlistened to you. 
But are you suggesting that people are just \naggregating a good cell number, a good address with a different \nname and a different Social Security number, so they are not \nimitating the exact person, they are creating a new synthetic \nindividual, and so they are just using all validated \ninformation? Is that what you are suggesting?\n    Ms. Walraven. Similar. So, basically, a synthetic can use \nsomeone's real information, let's say, a Social Security \nnumber, either yours, or a child's Social Security number. And \nthen, what they will do is they will take that, add a name that \nis different than the real person's name, and add a date of \nbirth. And if they are going to go in person somewhere, they \nprobably would make it closer to probably what is more likely \nfor them. And then put at an address that they can control. And \nbasically from there, they create a completely separate and \ndistinct identity.\n    So it is not real per se as far as it has been a real \nperson. It is a real person doing it, potentially, but it is \nnot a real identity. But it functions, especially in a digital \nand in a paperless area, exactly like a real identity.\n    And when they create that, they know their mother's maiden \nname, they know the user ID and password, they know the \ndifferent security questions, because they created them. So \nwhen you go to do the authentication afterwards, you are not \ngoing to catch them in the existing infrastructure that we \nhave, because those credentials are known to them.\n    Mr. Hill. Thanks for your contribution to that.\n    Mr. Grant, I read recently about the beginning of the \nimplementation of the California statute. 
And for the 4 1/2 \nyears I have been in Congress, we have debated privacy and data \nbreach notification here and witnessed the battle between \nretailers and the financial services industry, which grows \ntiresome here on this committee, and the desire to have a 50-\nState solution, which would be great in a digital world if we \ncould do that.\n    So now, California has acted. I am interested in your \nviews. Is the California Consumer Privacy Act (CCPA) a net \npositive for the consumer? Is it a decent basis in terms of the \ndefinitions they struck, the approach they took, for the \nFederal Government to consider?\n    Mr. Grant. I think CCPA writ large, I guess we will have to \nsee how its implementation goes and whether it is a positive \nfor the consumer.\n    There is a couple of things on the identity side that I \nhave been very concerned about, including the fact that it took \nkind of an ambiguous approach to whether you can use data for \nsecurity and fraud prevention.\n    As background, the General Data Protection Regulation \n(GDPR) over in Europe did, I thought, a pretty good job saying, \nlook, if you are using data for marketing purposes or other \nthings, all of these rules apply. But if I am analyzing data I \nam able to capture about the way you are interacting with a \ndevice, well, that is for security or fraud presentation only, \nso that is okay.\n    In California, they took a little bit of a different \napproach. And I think part of this might have been because the \nlaw was written in about a week. I think the history of it was \nthey were trying to head off a ballot initiative. They said \nthat a consumer cannot go to a company that has information on \nthem that is being used for security and fraud prevention and \nask that that information be deleted, which is good. 
But they \ndid not go ahead, you couldn't actually go to a company and opt \nout of that information being used at all.\n    And so the concern there is that if, say, even 2 percent of \npeople go to companies and basically tell them to turn off the \nsecurity analytics controls that are some of the best tools we \nhave today to prevent things like credential stuffing attacks \nor other spoofed identities, it is going to put people at risk, \nconsumers at risk, and businesses at risk.\n    Mr. Hill. Thank you very much.\n    I appreciate it, Mr. Chairman.\n    We will come back to it. Thank you.\n    Chairman Foster. The gentleman from North Carolina, the \nranking member of the full Financial Services Committee, Mr. \nMcHenry, is recognized for 5 minutes.\n    Mr. McHenry. Thank you.\n    This has been great testimony, an informative panel, and I \nthink it is quite constructive, again, quite constructive for \nwhat has been, as Mr. Hill outlined, a rather tiresome debate \nbetween retailers and banks on who holds the bag, without \ntalking about progress or fixing the problem. They want \nCongress to intervene and make the decision on who gets sued.\n    So, let's get beyond that. Let's get to the solution.\n    Mr. Boysen, I would like to hear the story of what your \ncompany is doing in Canada to verify identity and the \nundertaking that you and your company have had.\n    Mr. Boysen. Thank you.\n    There have been two generations of services that we have \nlaunched in Canada. The first one was in 2012, and that we did \nwith the Government of Canada. It was designed to be a safe \nreplacement for multiple user IDs and passwords.\n    In 2012, the problem the Government of Canada had is every \ntime I, as a Canadian, went to our tax authority, every single \ntime, I forgot the password. And so, their challenge was how to \nauthenticate me. They can't do what Amazon does. They can't do \nan email password reset. 
They have to send secure mail to my \nhouse.\n    Being a busy Canadian, I solved my tax problem with them \nanother way. And they sent me this thing 2 weeks later. I don't \nsend it back in, and I come back here next year and do the same \nthing. That cost them 40 bucks a shot.\n    Between the period 2004 to 2012, they spent $970 million \nauthenticating 5 million Canadians. For the subsequent period, \nfrom 2012 to 2018, their costs have come down to roughly $200 \nmillion in order of magnitude in savings. The reason is that \nCanadians now are able to use their bank account to get to the \ngovernment. This has been transformational.\n    The reason this works better is because Canadians are in \ntheir bank account every single week, so they are not going to \nforget the password. More importantly, if they do forget the \npassword, like, if they can't get in, they are on DEFCON 5, \nthey are going to run down to the bank right now because they \nare terrified their money is going to be lost, and it is that \nself-interest that has actually increased the integrity of the \ntransactions.\n    The challenge with that service, however, is that it was \nauthentication only. It didn't solve the identity problem. So \nin May of this year, with all of the major banks in Canada and \nseveral other trusted partners, we launched an identity \nservice. It allows me to prove my identity in a trustworthy way \nbased on bank, telco, and government data that I authenticate \nwith each of those providers myself. And then I am able to, \nunder my control, give that to someone else when I want to sign up \nfor a new service.\n    So this actually increases integrity for all of those end \npoints and takes their cost down and gets them better results, \ntoo.\n    Mr. McHenry. Okay. So, verify me. I use blockchain \ntechnology. Walk us through that.\n    Mr. Boysen. We didn't start off saying, blockchain is cool, \nlet's use it. We came at it from a very different point of \nview. 
If any organization is consuming data from a network to \nconfirm my data, they have three requirements that need to be \nmet.\n    Requirement number one is they want to know the data came \nfrom an authoritative source, somebody they would know and \ntrust today, like a government-issued ID.\n    The second requirement that they want to know is they want \nto know the data has not been altered since it was written by \nthat authoritative source; the crook didn't take my driver's \nlicense, take all my data, scratch my photo, and stick their \nphoto on it.\n    The third requirement they have is they want to know that \nthe data belongs to the person presenting it.\n    So, let me answer your question about, why blockchain? \nBlockchain does three very specific things. The first thing is \nit allowed us to implement this thing we call triple blind \nprivacy. In Canada today, when I use my bank account to get to \nthe government, the bank account does not get to see my online \ndestination. The government in its place knows that I came from \na tier one bank in Canada but not which one. And our company, \nwhich operates the network, we don't know who you are. Triple \nblind privacy says not the bank, not the government, not \nSecureKey got a complete picture of the user journey.\n    When we tried to go do that with identity, the problem is, \nwith us in the middle, we were going to get to see a lot, and \nwe wanted to figure out a way to do triple blind identity so I \ncould send my data from Wells Fargo to the IRS without Wells \nFargo knowing it went to the IRS, without the IRS knowing it \ncame from Wells Fargo, and without us seeing anything in \nbetween.\n    So, it gave us a method to implement triple-blind privacy. \nThe second thing is, it allowed us to meet the integrity \nchallenge to verify and meet those three requirements that I \ntalked about. 
And the third side benefit is we get resiliency \nbecause there are so many nodes it is harder to mount a denial-\nof-service attack.\n    Mr. McHenry. So broadly, that cryptography, the blockchain \ncryptography, is this leap forward in order to ensure that you \ncan have that movement of data.\n    But here is a different question. Is there a different \ncultural assumption between folks in the United States versus \nfolks in Canada about their digital identity and that \nwillingness to share that data?\n    Mr. Boysen. I would say the stance of Canadians and \nAmericans is very similar on this front. I would say that the \nprivacy regulations in Canada are generally better, and so that \ngives Canadians confidence when they are doing this. They have \nrecourse. If something negative happens, they have somewhere to \ngo and get it sorted. So, I would say the model would work \nhere, too, is my sense.\n    Mr. McHenry. Excellent. Well, let's get at it, right? \nPitter patter, let's get at her. Let's make some progress here.\n    Thank you for a great panel. It was highly informative. I \nhave 3 hours more of questions, but every one of you are top \nnotch.\n    Thank you for being here.\n    Chairman Foster. Thank you.\n    And the gentleman from Georgia, Mr. Loudermilk, is \nrecognized for 5 minutes.\n    Mr. Loudermilk. Thank you, Mr. Chairman.\n    Thank you to all of you on the panel here. This is \nintriguing, coming from an IT background. I have been dealing \nwith cyber issues for quite some time from my time in the Air \nForce dealing with intelligence data all the way up through \neven protecting businesses and school systems with internet \naccesses.\n    It is an ongoing challenge. And transactions that happen, \nespecially in the financial services sector, happen at \nincredible speeds. Therefore, verification for those who use \nthis has to be done at the same speed.\n    I am one of those guys who likes using cash. I like reading \na printed book. 
I like going to a store and putting my hands on \nwhat I am going to buy. I am unique in the world today, as I \nfound out the younger you are, the more you are relying on the \ntechnology. So, we have to be exploring these areas.\n    Before I get to my questions, though, Mr. Chairman, I would \nlike to submit for the record a letter from the Consumer First \nCoalition addressing concerns and congressional oversight over \nthe electronic consent-based Social Security verification \nsystem as they move forward.\n    Chairman Foster. Without objection, it is so ordered.\n    Mr. Loudermilk. Thank you, Mr. Chairman.\n    Ms. Washington brought up a very interesting scenario at \nthe beginning of this, which I think illustrates some of the \nchallenges that we do face. But I have one that I found quite \nunique.\n    I was taking a group to the White House. And if you have \never visited the White House, they have quite a verification \nsystem to go through. If there is one thing wrong, you are \ngoing to get pulled out and put in a holding area.\n    A young lady I was with, who was probably in her early \nthirties, was pulled out and put in a holding area. It kind of \nsurprised me, and so I went to talk to her.\n    She said: ``Oh, this happens all the time.''\n    ``Really?''\n    ``Yes. I have an identical twin sister. My mom didn't \nrealize that she was going to have twins, and she had already \nchosen the name, so she gave us both the exact same name.''\n    And I am going to use a different name, but it was \nElizabeth Grace Smith. One was called Liz, the other was called \nGrace. They have the same name, the same birthday, the same \nbirth location, the same hair, the same height, the same \nweight. What triggered the Secret Service was their Social \nSecurity numbers were off by one digit.\n    So, there was this delineator. This is a real illustration \nof the type of thing that we are going to encounter, as Ms. 
\nWashington had brought up, but we have to find a path to get \nthere.\n    And one of the things--I am big on innovation. I am big on \nsandboxes so we can go out and explore ways to do this, but it \nhas to be done in a controlled environment to protect consumers \nbut yet have the ability to do these things.\n    Ms. Abend, it took us a while to adopt the chip payment \nsystem. Traveling in Europe, they had it a long time before we \nwere able to adopt it here. But from what I understand, it has \nreduced the counterfeit fraud by about 87 percent.\n    But the bad players, the criminals now focus on digital \npayments, which involve digital identities. We need \ncybersecurity solutions to combat these digital payment frauds.\n    Are we heading in the right direction? Do we have the \nsandbox available to develop these?\n    Ms. Abend. Congressman, that is an excellent question. And \nI remember distinctly, when I was actually back working at the \nOffice of the Comptroller of the Currency, when the deadline \nwas approaching for a chip and pin and the conversations, \nbecause we had just faced the breach with Target and actually \nhad to appear before Congress to testify on cybersecurity at \nthat moment in time as well, and I remember distinctly having \nthis conversation about what it would do and what it would not \ndo.\n    And as we have seen overseas, the card-not-present fraud \ngoes through the roof, right? Bad guys know. 
And all of these \nonline transactions, they are card not present, and that means \nthey are missing that authentication aspect of being present \nwith that chip and pin.\n    And I think that, while it was a step in the right \ndirection and it was just a layer, the fact that most of our \ntransactions are increasingly online and need to happen at the \nspeed that we have discussed here, we do need to create an \nenvironment that fosters more innovation, that figures out a \nway to improve the state of synthetic IDs, as my colleague here \nhas talked about, that creates that more trust that we have \ntalked about here, and do it in a way where people can protect \nall consumers and everyone can get bought into that system.\n    And I think that is why my colleague, Jeremy, and the \nBusiness Roundtable that I mentioned earlier that has over 200 \nCEOs, have a lot of alignment around what needs to be done to \ncreate that transparency for consumers with privacy, a national \nprivacy law, while also creating a better ecosystem where we \nproof people to enable them for online transactions.\n    Mr. Loudermilk. Thank you. I agree with Ranking Member \nMcHenry; I also have tons of questions. This is intriguing. But \nI am already out of time. I will submit the others for the \nrecord.\n    I agree with Ms. Washington on her concerns, but I think \nthe solution, because those with low income are using \nelectronic transactions as much or more as some others are, and \nwe have to be able to find the way to positively protect them \nas well.\n    Thank you, Mr. Chairman.\n    Chairman Foster. Thank you.\n    The gentleman from Ohio, Mr. Gonzalez, is recognized for 5 \nminutes.\n    Mr. Gonzalez of Ohio. Thank you, Mr. Chairman.\n    And thank you to the panel for your outstanding testimonies \nand participation today. I think this has been a great hearing \nso far.\n    Mr. Boysen, I want to kind of drill down on some of Mr. 
\nMcHenry's questions around blockchain specifically. So, I will \nspend some time there, if you don't mind.\n    As you were innovating in the space, what legal impediments \nexisted in Canada that prevented you from developing the \nblockchain, and what has had to change? Just kind of walk me \nthrough what it was like as you were innovating, and then how \ndid you get there?\n    Mr. Boysen. Sure. One of the biggest challenges, in fact, \nis when you look all across the economy, the most rigorous \nprocess we go through as consumers when we get identity proofed \nis when we go through a bank, and it is a regulated process. \nThey have know-your-customer (KYC) and anti-money-laundering \n(AML).\n    In Canada, our organization for managing that is called \nFINTRAC, and they have a set of interpretation bulletins that \nthey use to interpret the legislation to say what banks can and \ncannot do.\n    The problem when we started this process is it didn't \ninclude digital methods, so it took a long time to talk about \nthe advantages of doing digital methods.\n    And I want to pick up on Valerie's comments around this \ncard-present/card-not-present concept. One of the things we \nwere able to convince the regulators is what we were doing with \nour service is actually creating card-present identity. Today, \nwhen I take my driver's license to the counter, if it is a fake \ndriver's license, the bank is defenseless against that attack \nbecause they can't check against the issuer. With our service, \nall of the data is checked in real time.\n    So that, getting the regulators and the community to \nunderstand this was actually better than what we could do in \nperson, took a long time, but once we got there, they said this \nwas more powerful.\n    Mr. Gonzalez of Ohio. And was that a regulatory fix or a \nlegislative fix?\n    Mr. Boysen. The interpretation bulletins for the FINTRAC \nand KYC and AML were updated to include digital methods.\n    Mr. 
Gonzalez of Ohio. Legislatively?\n    Mr. Boysen. Yes.\n    Mr. Gonzalez of Ohio. Okay. So, your legislature had to \nact.\n    And then as you look at the U.S., where do you see similar \nholes where we should be legislating to enable the technology?\n    Mr. Boysen. Canada had an advantage in trying to get a \nscheme like this going because we have a small set of banks, we \nhave a small set of provinces, and a small set of telcos. So we \ncould kind of get everything in the room.\n    Your economic construction here is a little bit different. \nYou have 3,000 banks. You have 50 States. Luckily, you have a \nsmall set of telcos.\n    I do think the learnings in Canada can be applied to the \nU.S. model. So I will say that there is a lot of work being \ndone with U.S. organizations to launch a similar service to the \none we have in Canada, here in the United States. That is down \nthe track. More work needs to be done. But I think there will \nbe similar changes where the regulatory updates are going to be \nrequired to support it.\n    Mr. Gonzalez of Ohio. Okay. And do you have any specifics \nin mind on, hey, here is how the SEC is interpreting this, and \nthis needs to change?\n    Or anybody else, frankly?\n    Mr. Grant, you are kind of nodding.\n    Mr. Boysen. Yes. I can provide it as follow-up testimony \nfor the record. I could get our legal counsel, who has actually \ndone a lot of work here, and I will submit that for the record \nand you can review that after.\n    Mr. Gonzalez of Ohio. That would be fantastic.\n    Mr. Grant?\n    Mr. Grant. I would say, if you look at our membership, \nabout half of them are firms in banks or payments or FinTech. \nAnd one of the things we specifically called for was \nfor Treasury and the regulators to do more here.\n    I will say they have been really receptive to discussions \nwith us. The message we have gotten is, if you are seeing a \nbarrier to digital identity innovation, please let us know. 
\nMarshall Billingslea, who I think is Assistant Secretary for \nTerrorist Financing at Treasury, announced that Treasury wants \nto do a text print, working with industry in the next year to \ntry and help bring regulators and innovators together.\n    I continue to ask my members every month, are we running \ninto things that are precluding innovation, particularly at the \nintersection of identity and financial services? And I think \nthe biggest answer we get is, sometimes there is a regulation \nwhere there is just ambiguity. And then, the compliance people \nkind of have their freak-out and it is hard to move forward. \nBut I am actually bullish there.\n    I think where we need a little more effort--we talked \nbefore about the Office of Management and Budget (OMB) memo, \nwhich is a nice start, but policy memos come out all the time \nfrom OMB and get ignored. So I think we need more of a formal \ngovernment-wide initiative, hopefully convened by the White \nHouse, to try and look at how to bring agencies together, \npotentially within the industry, to figure out how to take this \nto the next step.\n    I think more work needs to be done at my old agency, at \nNIST, on a framework of standards to help put a foundation in \nplace. And I think agencies could benefit from a center of \nexcellence in government as well, that could actually help.\n    The Social Security Administration right now is developing \nan attribute validation service. Congress told them to do so \nlast year, in fact, thanks in part to the work of this \ncommittee. But in getting other agencies to do that, they will \nneed some technical help.\n    These are little steps around the edges that can make a big \ndifference to solving this problem.\n    Mr. Gonzalez of Ohio. Thank you.\n    And, again, I want to thank everybody for the time and \nenergy on this.\n    Mr. Boysen, we will follow up.\n    And I yield back.\n    Chairman Foster. Thank you.\n    The gentleman from Virginia, Mr. 
Riggleman, is recognized \nfor 5 minutes.\n    Mr. Riggleman. Thank you, Mr. Chairman. I hope I can have \n60 minutes to question the panel, please. Thank you.\n    It is good to be here.\n    And, Ms. Washington, thanks for your--at the beginning when \nyou talked about birthdays, my birthday is March 17th, a show \nof hands for St. Patrick's Day birthdays? Well, look at that. \nNo one. My goodness.\n    I want to give my background really quickly because I \nactually get excited about this stuff. My background was in \nmilitary intelligence, about 26 years combined in the military \nand doing this, was tracking people and finding their \nidentities without them volunteering their information. So I \nmight cover this a little bit differently. But it is also sort \nof the bridge between technology and operations and how this \nwould happen. So my questions might be a little more esoteric \nand a little bit more fun, I would hope.\n    Right now, I have about 50 questions I had written down, so \nI am going to try to go quickly. I always have too many to go \nquickly. But Ms. Abend had said something beforehand, and I \nwill start the line of questioning there.\n    I am going to start with sort of the bottom line upfront, \nand then go backwards with technology. And, here we go.\n    It does sound like the use of AI will be a critical part of \nensuring security in digital identity. I want to know, should \nwe be concerned that this kind of technology could be cost-\nprohibitive--and I am starting at the back--or otherwise \nunavailable to smaller financial institutions or even \ncompanies? Do you think that is something we have to worry \nabout?\n    Ms. Abend. I think that any time you deal with innovation, \nit is actually interesting, some of the smaller companies of \nthe world are really creative, and they partner with Accenture \nto actually make those possible and to make them scale. 
But I \ndo think we need to find ways to actually help smaller \ncompanies be able to leverage some of these capabilities that \nyou are pointing out, AI being one of them.\n    And to that end, I would commend the ranking member's \neffort in his own district, in Little Rock, Arkansas, to \nactually create an innovation hub where community institutions \ncan actually learn how to take advantage of these things.\n    And I think the other way to actually help them scale to \nthe benefit particularly of smaller entities and in this case \ncommunity institutions is to actually help them do that through \nthe partnerships with their third parties, their large-scale \ntechnology service providers.\n    Mr. Riggleman. This is why I get excited about this, \nbecause we all are sort of creating our own unique identifiers, \nour own ``UIDs.'' But a refrigerator has one also, and I don't \nwant to be mistaken for that.\n    So as we go forward, do you see private companies--and here \nmy questions get a little esoteric--rejecting individual or \nbusiness transactions with other entities based on insufficient \nauthentication of identity?\n    And when I look at how people are going back and forth and \nutilizing sort of their own signatures, my question is, are we \ngoing to get to a point--and this is where I get a little bit \nexcited and my head starts to explode a little bit--where we \nare going to see private companies actually creating their own \nunique ID sort of set of criteria? And then, do you see them \nensuring that criteria or ensuring that identity is doing \ntransactional issues with other companies and then rejecting \nthose companies?\n    That is the thing that--and I know Mr. Grant, and I \nlistened to what you are doing in Canada--I am almost wondering \nif we are going to get to a point where companies are going to \nbe judged based on their criteria for how they protect our \nidentity and other companies rejecting that identity based on \nUIDs. 
Do you guys see that happening in the future?\n    Mr. Grant, go ahead?\n    Mr. Grant. For years, one of the things we have been trying \nto do here in the U.S. and really in a lot of countries abroad \nhas been looking at whether we could have certification \nprograms for private issuers of identity.\n    I talked today about the role of government, but my bank \nknows me. In fact, that is sort of the foundation of what is \nhappening in Canada, as well as what I think we will see in the \nU.S., because they have to figure out who I am before they open \nan account. So could they then vouch for me other places? Could \nI log in with my bank somewhere, perhaps at the Social Security \nAdministration?\n    There are certification programs in place today from \norganizations. The one that is most well-known is called \nKantara. That has actually been recognized by the General \nServices Administration as what they call a trust framework \nprovider to certify the way that a private sector entity issues \nan identity.\n    Going forward, I talked a lot about the concept of an \nidentity ecosystem. There are components that industry is going \nto provide, and there are components that the government is \ngoing to provide. And I think we are going to be able to create \nsome hybrid solutions that can really bring in, frankly, the \nbest innovation the private sector can deliver, but that access \nto the authoritative data sources that only government has. \nGovernment is the only entity that authoritatively confers \nidentity. If you can merge those together, you can give people \nsomething that is portable that they can use everyplace they \ngo.\n    Mr. Riggleman. Well, geez, you are in my head.\n    So do you believe, if we are creating, say, this identity \ntoken, and you are talking about these standards, do you think \nwe are dealing with unstructured data? We are dealing with new \nthings like natural language processing, things like that. 
Do \nyou believe there is ever a time where we are going to be able \nto customize our token where the only way we can find our \nidentity or make our identity known is the stuff that we \nactually customize with that information? Do you think that is \nthe future, where we own our identity by customizing our own \ninformation within the token?\n    Mr. Grant. There is a lot of focus these days on how you \ncan allow people to only reveal certain things about themselves \nwithout revealing everything, and I think there are some great \nmodels that are in place these days that will give people very \ngranular choices about what they share about themselves online.\n    When we talk about the privacy debate in this country--and \nit is getting a lot of attention on the Hill--so much of it is \ntied to identity. What information is collected on me? What do \nI want to be collected? Why do I want these companies to know \nthese four things but not these seven things?\n    So, having a really strong tool that you can use to manage \nthat and in some cases go back and maybe revoke certain things, \nI think is going to be a key enabler here.\n    Mr. Riggleman. Thank you so much. It was already 5 minutes \nand 30 seconds. So, I do apologize for how quick that was. But \nthank you so much. You guys are fantastic. I appreciate it.\n    Chairman Foster. Thank you.\n    And without objection, the ranking member and I will each \nhave an additional 5 minutes for questions and closing \nstatements.\n    So with that, I would like to recognize Mr. Hill.\n    Mr. Hill. Thank you again, Dr. Foster, for holding this \nhearing. And, again, I think we have heard a good discussion \nand the panel has been very appreciated.\n    I wanted to go back, Mr. Grant, and just kind of finish our \nconversation about the California proposed statute. 
And I may \nbroaden that to the panel as well to compare, as you said, a \nrushed law, a set of parameters with the more thoughtful \napproach the EU took and just have a compare and contrast.\n    The Wall Street Journal last week reported that private \nbusinesses could face a half a billion dollar compliance burden \ntrying to comply with the California law. So, talk about that.\n    And then finish your thought I think you were trying to \nmake on it was rushed, you have some concerns, you outlined a \ncouple. But did you have something else you wanted to finish up \non, on that?\n    Mr. Grant. The main point I was making, from what I could \ntell with California, it might be a drafting error. And there \nhave actually been some proposals to try and clarify that.\n    Mr. Hill. This is the information to be used for fraud \ninvestigation, better customer service?\n    Mr. Grant. Right. The backdrop on this is that identity \nanalytic solutions, many of them that are using AI, are one of \nthe most powerful tools that we have today to actually prevent \nfraud.\n    So just to give you a number on that, Microsoft started \ntalking about this publicly. So in Azure they manage billions \nof log-ins a day.\n    Two years ago, they were seeing about 10 million attacks a \nday. A year ago they were seeing 100 million attacks a day. \nThis year, they are seeing 300 million attacks a day, trying to \ncompromise log-in systems to get in and do all sorts of bad \nthings. That is a 30 times increase in 2 years.\n    The way that they are actually combating this is with \ndatabase analytic systems, some of which might be collecting \nthings that would fall under the definition of personal data \nunder GDPR or CCPA or other proposals.\n    So long as you have a carve-out that says that is okay if \nyou are worried about security and fraud protection, you just \ncan't take that data and use it someplace else, we are good. 
In \nfact, in Europe, because GDPR is clear on this, the European \nBanking Authority is actually actively promoting the use of \nwhat they call transaction risk analysis to secure payments \nunder the PSD 2 directive over there for open banking.\n    So I think the concern here is if it is more ambiguous, or \ncertainly if we are concerned that Federal privacy legislation \nthat doesn't say it as clearly, if 2 percent of people start \ncalling up Microsoft, to give the example I suggested, and say, \ndon't use those systems, turn that off, what are they supposed \nto do at a time when attacks might go up another 10 times next \nyear? That is my concern.\n    Mr. Hill. Very helpful. And you mentioned open banking in \nthe U.K. for example, and Canada as well. So I might ask Mr. \nBoysen this.\n    First of all, does anybody else want to add to that comment \non California? Anybody have a comment on California?\n    Okay. Mr. Boysen, on the privacy directives in Europe and \nwhat you have done in Canada, have Europe and the U.K., to your \nknowledge, solved this password authentication process in order \nto make open banking be a safe activity? Because clearly here \nthat would be an open question I would think about open \nbanking.\n    Mr. Boysen. Yes, open banking is a singular term, but the \nway it manifests in each country turns out to be a little \ndifferent. In some countries, it is compulsory. In other \ncountries, it is optional. In some places, it includes the \nability to do push payments. In others, it doesn't. So, it is \nnot a uniform application of how it works.\n    What I will say, however, is one of the fears of open \nbanking is it is going to cause asset stripping. What is going \nto happen is the banks are forced to open up their APIs and \ngive out the data at no cost, and then the consumer is going to \ngive this to some new startup who doesn't have the same control \nas the bank does. That FinTech is going to get breached. 
And \nthen, the consumer is going to come back to the bank and say, \n``How did you let this happen?''\n    So rather than giving away the data, what we should give \naway is trusted data so consumers can give it away at a \ngranular level, rather than giving it all. So that is kind of \nthe approach that we are looking at in Canada.\n    It's interesting that in Australia, they took the approach \nthat it is reciprocal. If you are going to participate in open \nbanking, if you want to be able to get data from the network, \nyou also have to agree in advance to share data back with the \nnetwork. And that solves part of the asset stripping issue that \nis in some other jurisdictions.\n    Mr. Hill. I think I am interested in what we need to do \nregulatorily, again, limiting our conversation here to \nfinancial services, about how we handle this requirement of an \nAPI approach and a discrete approach, instead of just allowing \nscraping.\n    I hear from start-up entrepreneurs in the FinTech \nenvironment: ``Well, you are disturbing the customer experience \nby doing that.'' But I would argue that customers' experiences \nget really messed up when everything is stolen from them. So, \nthat is not a good idea, either.\n    Is there something specific one of our regulatory agencies \ncould do in this area?\n    Mr. Boysen. I would submit that you can't do open banking \nwithout a good digital identity infrastructure; it just can't \nbe done.\n    This is the problem. I am the consumer, you are the bank \nthat is trying to represent me, and Jeremy is the startup that \nwants my data. 
How is Jeremy supposed to present to you that he \nhas my permission to get my data?\n    So, you have this three-way triangle of authentication \ntrying to go on and it is very complex and the consumer is \nnever going to get it.\n    The only way to solve this is by allowing the consumer to \nhave a digital identity infrastructure, and then see line by \nline, what is going to go.\n    Mr. Hill. Thank you very much.\n    And I yield to you, Mr. Chairman. Thank you.\n    Chairman Foster. Thank you.\n    That business of this three-way conversation is \nfascinating, for which I think there are technological \nsolutions with a properly designed app on your cell phone. So I \nthink that probably the future of this is not an identity \ndongle but probably an advanced cell phone that has things like \nthe secure enclave on an iPhone which can store the private \nkeys and is resistant, it is my impression, even against having \nyour cell phone completely hacked, that you may be able to \ncapture the screen and see passwords being transmitted but you \ncannot actually steal from the secure enclave in these, the \nprivate key, which is a tremendous advantage of that approach, \nand that you can still have this three-way conversation under \nthe control of a properly designed app. So, I think there has \nbeen, I believe, great progress there.\n    Now, as it relates to the use of blockchain, one of the \ngreat advantages of blockchain is it provides a non-falsifiable \nledger. Is there a solution in that context to developing, say, \na witness protection program which is essentially government-\nsponsored synthetic identity fraud? Is that something that \npeople have thought about and come up with solutions to?\n    Mr. Boysen. I don't have a great answer here. I will say \none of the challenges that what we are getting with these \nlongitudinal records is that you can't go back in time and \ninsert a person for the purposes of witness protection. 
It is \nvery difficult to do. So, you are going to have to find some other \nmethod to bring that identity along.\n    Chairman Foster. If it is a publicly visible blockchain--\n    Mr. Boysen. Ours is not. Ours is a private blockchain. So, \nthere is that protection. But still, going back and altering \nthe records in the past is hard.\n    What the government could do perhaps is have a set of \nidentities on standby to use for the future so they have the \nlongevity that would be required to pass the muster, but that \nhas its own pitfalls.\n    Chairman Foster. That is tough because this has to pass all \nsorts of secondary verifications but it is really--anyway, you \nshould put that on your to-do list when we come up with the \nperfect example here.\n    Now, it also seems to me that to come up with the ultimate \nsolution here, there has to be a role of government, almost \ncertainly government. At some point in your life you have to go \nand authenticate yourself and be uniquely identified using \nbiometrics. At that point you can then be issued a security \ndongle or the cell phone equivalent of one that you can use for \nmany, many purposes in very streamlined and low-friction \ntransactions.\n    Is there any logical alternative other than having every \ncitizen who wants this to be able to authenticate themselves \nsecurely, knowing that there is not synthetic identity fraud or \nother people using their credentials and the alternative to \nhaving them present themselves in front of a trusted government \nauthority?\n    Mr. Boysen. I would say we need to learn from payment \nsystems when we try to do identity. David Birch has this famous \nphrase that identity is the new money, and comparing identity \nto money, there are a lot of things we can learn.\n    When you look at the global payment system with EMV cards, \nwe have six billion cards in circulation and they have never \nbeen compromised. 
What is good about this model is you can have \nyour favorite bank and I can have my favorite bank and we can \ngo to any merchant on the planet with no prior relationship and \nget what we want.\n    More importantly, when we lose the card, we call the bank \nright away because we are terrified we are going to be \nresponsible for the results if we don't. So, that integrity is \nwhat makes the process work.\n    In payment systems, these three things make the global \npayment system work. The first thing is we made it super simple \nfor the consumer and we hid the complexity away so they don't \nhave to understand anything. We don't have to train users how \nto use credit cards.\n    Thing number two is we have a trusted network operator. \nCrooks can't pop up in the middle and say, ``Hey, I am a crook. \nI take Visa.'' Right? You have to apply to get in the network, \nand you have to behave well to stay in the network.\n    The third most important thing that keeps the global \npayment system safe is user behavior. When I look at my wallet \nand see my card is gone, I am going to be on DEFCON 5, I am \ngoing to run down to the bank to turn the thing off, because I \nam terrified I am going to be responsible.\n    Chairman Foster. Yes. I think Ms. Walraven would feel--\nwell, I don't want to put words in your mouth. But this system \nis not perfect that he just described. Synthetic identity fraud \ncan still permeate such a system.\n    Ms. Walraven. 
Agreed, I think, but I think that is when it \ncomes down to understanding, knowing your real customer, \nbecause we do have controls in place that are supposed to do \nthat, and we all assume that banks know who their customers \nare, and I know, coming from the banking industry, that \neverybody is trying to do that.\n    But considering the fact that synthetics are as prolific as \nthey are, considering that they are as widespread as they are, \nconsidering that they are growing in a force multiplier, I \nwould contend that they don't actually know their customer.\n    So I feel like if you have an issue that is not right at \nthe root and then you compound on top of that, you actually \njust make the issue later worse because you get this false \nsense of trust, you get this false sense of security, and it \ndoesn't allow you to actually really be able to contend with \nthose types of individuals.\n    And that actually bodes to exactly what they are looking \nfor. They want to be seen as a regular, traditional customer. \nThey don't want to send that many red flags because they don't \nwant to get caught. They want to be able to continue to \nnavigate through the system, and currently they are navigating \npretty well unfettered for the most part.\n    Chairman Foster. But if you think of the example that Mr. \nLoudermilk gave of the identical twins with identical names, \nthey differ only in their fingerprints. So at some point in \ntheir lives, it seems like they have to present themselves to \nsome organization, almost certainly a government, who has to go \nand look and de-dupe all the people who claim to have that \nname.\n    I think there is no alternative to very advanced biometrics \nof some kind. And this can be an optional system, but if you \nare going to provide citizens who want one with a secure means \nof authenticating themselves, you have to have this moment in \ntheir lives.\n    Mr. Grant, do you have any comments on that?\n    Mr. Grant. 
Yes. I would say biometrics can play a role. I \nworry about saying they are the solution. In part, I tend to \nget very nervous when we talk about creating new central \ndatabases and biometrics, in part, because if there is one \nthing we have learned, it is that like any other type of \nvaluable data, we are not really good at protecting them.\n    And Exhibit A for that was the OPM breach of 2015, where I \nhave a top secret clearance, and all of that information from \nmy SF-86 and the images of my fingerprints are now in China--\nand I think at least two-thirds of this room probably has the \nsame thing, understanding who is here today--which means that I \nwould never want to use a centrally matched fingerprint system \nonline where they didn't know I was there to protect anything \nof value because a nation-state can spoof a fingerprint based \noff those images.\n    That said, there are some really helpful tools. Most DMVs \nare using face recognition for de-duping. So if I were to go in \nas Jeremy Grant to the DMV, and then show up 3 months later \nunder a different name, they are able to say, ``Oh, it looks \nlike you were here before, let's at least''--and, mind you, the \nface recognition is not perfect, but they can toss that to a \nfraud investigator to figure out if they should issue a second \ncredential.\n    Leveraging that process, I think is really important. One \nof the things we point out in our policy blueprint is that the \ndriver's license is the one thing that most Americans get in \ntheir lifetime where they have a robust in-person identity-\nproofing process. That is really valuable, and we think people \nshould be able to reuse it. The DMVs will play a role.\n    But I will flag that only 87 percent of adults have a \ndriver's license. 
And in fact, one thing we are seeing these \ndays is that it is harder to get one thanks to things like the \nREAL ID Act from 2005 which, on one hand, look, there were good \nsecurity reasons for it and it has put a very robust Federal \nstandard in place for in-person identity proofing.\n    The flip side is, if you are on the margins of society, \nlet's say you have been in and out of homelessness, let's say \nyou were evicted and your license and your birth certificate \nand your Social Security card were left in a box by the side of \nthe road that was soaked in rain and lost, it is really hard \nfor people to restart their identity lives again because they \nare just lacking what they used to have, to the point that we \nare seeing in many places--in fact, in D.C., there are a couple \nof churches, like the ID Ministry at the Foundry United \nMethodist Church up the street, that work with people.\n    Chairman Foster. I am afraid I am going to have to gavel \nmyself; my time is up. Votes have been called.\n    Without objection, I would like the report from the Better \nIdentity Coalition to be included in the record.\n    Without objection, it is so ordered.\n    And I just want to thank the witnesses for their testimony. \nThis is, I think, at the root of so many problems that we have, \nthat we are going to be facing.\n    The Chair notes that some Members may have additional \nquestions for this panel, which they may wish to submit in \nwriting. Without objection, the hearing record will remain open \nfor 5 legislative days for Members to submit written questions \nto these witnesses and to place their responses in the record. \nAlso, without objection, Members will have 5 legislative days \nto submit extraneous materials to the Chair for inclusion in \nthe record.\n    Thank you again. 
The hearing is now adjourned.\n    [Whereupon, at 10:56 a.m., the hearing was adjourned.]\n\n                            A P P E N D I X\n\n\n\n                           September 12, 2019\n\n\n</pre></body></html>\n"