[House Hearing, 116 Congress]
[From the U.S. Government Publishing Office]




 
                       THE FUTURE OF IDENTITY IN

                      FINANCIAL SERVICES: THREATS,

                     CHALLENGES, AND OPPORTUNITIES

=======================================================================

                                HEARING

                               BEFORE THE

                 TASK FORCE ON ARTIFICIAL INTELLIGENCE

                                 OF THE

                    COMMITTEE ON FINANCIAL SERVICES

                     U.S. HOUSE OF REPRESENTATIVES

                     ONE HUNDRED SIXTEENTH CONGRESS

                             FIRST SESSION

                               __________

                           SEPTEMBER 12, 2019

                               __________

       Printed for the use of the Committee on Financial Services

                           Serial No. 116-49
                           
                           
                           
                             ______                      


              U.S. GOVERNMENT PUBLISHING OFFICE 
 42-317 PDF            WASHINGTON : 2020 
 
 
                           
                           
                           

                 HOUSE COMMITTEE ON FINANCIAL SERVICES

                 MAXINE WATERS, California, Chairwoman

CAROLYN B. MALONEY, New York         PATRICK McHENRY, North Carolina, 
NYDIA M. VELAZQUEZ, New York             Ranking Member
BRAD SHERMAN, California             PETER T. KING, New York
GREGORY W. MEEKS, New York           FRANK D. LUCAS, Oklahoma
WM. LACY CLAY, Missouri              BILL POSEY, Florida
DAVID SCOTT, Georgia                 BLAINE LUETKEMEYER, Missouri
AL GREEN, Texas                      BILL HUIZENGA, Michigan
EMANUEL CLEAVER, Missouri            SEAN P. DUFFY, Wisconsin
ED PERLMUTTER, Colorado              STEVE STIVERS, Ohio
JIM A. HIMES, Connecticut            ANN WAGNER, Missouri
BILL FOSTER, Illinois                ANDY BARR, Kentucky
JOYCE BEATTY, Ohio                   SCOTT TIPTON, Colorado
DENNY HECK, Washington               ROGER WILLIAMS, Texas
JUAN VARGAS, California              FRENCH HILL, Arkansas
JOSH GOTTHEIMER, New Jersey          TOM EMMER, Minnesota
VICENTE GONZALEZ, Texas              LEE M. ZELDIN, New York
AL LAWSON, Florida                   BARRY LOUDERMILK, Georgia
MICHAEL SAN NICOLAS, Guam            ALEXANDER X. MOONEY, West Virginia
RASHIDA TLAIB, Michigan              WARREN DAVIDSON, Ohio
KATIE PORTER, California             TED BUDD, North Carolina
CINDY AXNE, Iowa                     DAVID KUSTOFF, Tennessee
SEAN CASTEN, Illinois                TREY HOLLINGSWORTH, Indiana
AYANNA PRESSLEY, Massachusetts       ANTHONY GONZALEZ, Ohio
BEN McADAMS, Utah                    JOHN ROSE, Tennessee
ALEXANDRIA OCASIO-CORTEZ, New York   BRYAN STEIL, Wisconsin
JENNIFER WEXTON, Virginia            LANCE GOODEN, Texas
STEPHEN F. LYNCH, Massachusetts      DENVER RIGGLEMAN, Virginia
TULSI GABBARD, Hawaii
ALMA ADAMS, North Carolina
MADELEINE DEAN, Pennsylvania
JESUS ``CHUY'' GARCIA, Illinois
SYLVIA GARCIA, Texas
DEAN PHILLIPS, Minnesota

                   Charla Ouertatani, Staff Director

                 TASK FORCE ON ARTIFICIAL INTELLIGENCE

                    BILL FOSTER, Illinois, Chairman

EMANUEL CLEAVER, Missouri            FRENCH HILL, Arkansas, Ranking 
KATIE PORTER, California                 Member
SEAN CASTEN, Illinois                BARRY LOUDERMILK, Georgia
ALMA ADAMS, North Carolina           TED BUDD, North Carolina
SYLVIA GARCIA, Texas                 TREY HOLLINGSWORTH, Indiana
DEAN PHILLIPS, Minnesota             ANTHONY GONZALEZ, Ohio
                                     DENVER RIGGLEMAN, Virginia
                                     
                                     
                            C O N T E N T S

                              ----------                              
                                                                   Page
Hearing held on:
    September 12, 2019...........................................     1
Appendix:
    September 12, 2019...........................................    33

                               WITNESSES
                      Thursday, September 12, 2019

Abend, Valerie, Managing Director, Accenture Security............     6
Boysen, Andre, Chief Identity Officer, SecureKey Technologies....    12
Grant, Jeremy, Coordinator, Better Identity Coalition............     8
Walraven, Amy, President and Founder, Turnkey Risk Solutions.....    10
Washington, Anne, Assistant Professor of Data Policy, NYU 
  Steinhardt School..............................................     4

                                APPENDIX

Prepared statements:
    Abend, Valerie...............................................    34
    Boysen, Andre................................................    45
    Grant, Jeremy................................................    49
    Walraven, Amy................................................    76
    Washington, Anne.............................................    79

              Additional Material Submitted for the Record

Budd, Hon. Ted:
    Written responses to questions submitted to Valerie Abend and 
      Jeremy Grant...............................................    98
Hill, Hon. French:
    Letter from Fed Chairman Jerome H. Powell, dated July 9, 2019   100
    Letter to Fed Chairman Jerome H. Powell from various 
      undersigned Members of Congress, dated June 7, 2019........   102
    Accenture Security report entitled, ``2019 Future Cyber 
      Threats''..................................................   108
    Report from the Business Roundtable entitled, ``Building 
      Trusted & Resilient Digital Identity,'' dated July 2019....   139


                       THE FUTURE OF IDENTITY IN

                      FINANCIAL SERVICES: THREATS,

                     CHALLENGES, AND OPPORTUNITIES

                              ----------                              


                      Thursday, September 12, 2019

             U.S. House of Representatives,
             Task Force on Artificial Intelligence,
                           Committee on Financial Services,
                                                   Washington, D.C.
    The task force met, pursuant to notice, at 9:32 a.m., in 
room 2128, Rayburn House Office Building, Hon. Bill Foster 
[chairman of the task force] presiding.
    Members present: Representatives Foster, Phillips; Hill, 
Loudermilk, Budd, Hollingsworth, Gonzalez of Ohio, and 
Riggleman.
    Ex officio present: Representative McHenry.
    Also present: Representative Himes.
    Chairman Foster. The Task Force on Artificial Intelligence 
will now come to order.
    Without objection, the Chair is authorized to declare a 
recess of the task force at any time. Also, without objection, 
members of the full Financial Services Committee who are not 
members of the task force are authorized to participate in 
today's hearing.
    Today's hearing is entitled, ``The Future of Identity in 
Financial Services: Threats, Challenges, and Opportunities.''
    The Chair will now recognize himself for 4 minutes for an 
opening statement.
    Thank you, everyone, for joining us today for what should 
be a very interesting hearing of the task force to explore the 
dangerous threats of identity fraud, how artificial 
intelligence (AI) is making it easier for criminals to engage 
in these activities, and how we can safeguard one of the most 
important things to have in our digital economy, and that is 
our identity.
    Identity fraud is a hugely important problem in financial 
services. In 2018 alone, almost $15 billion is estimated to 
have been stolen from U.S. consumers online. This doesn't 
include the more indirect future costs of having a compromised 
identity.
    Today, criminals have lots of tools at their disposal to 
get at sensitive consumer financial data. And there is a 
complicated situation that a Member of Congress finds 
themselves in, where we get briefings like the one I just 
received from Ms. Walraven where you go through just how 
massive the problem is and the techniques that are available, 
and we realize that mentioning them in public is not a wise 
thing to do. And so, this puts us in a tough situation.
    But I urge all of the members on the committee here and 
their staff who are interested to get those briefings from 
members who are testifying today to just see how big of a 
problem this is, because it is costing us probably a lot more 
than that $15 billion.
    There is a large number of tools that criminals are using 
today, things like phishing, ransomware, and malware attacks, 
that are already rife within financial services, and these 
cyber intrusions are only becoming more sophisticated.
    In the news this week, there was the story of a voice 
synthesizer, an AI-enabled voice synthesizer that was used to 
generate fake instructions from what an employee thought was 
his boss to move money somewhere where it shouldn't have been 
moved. And that sort of attack is going to accelerate as the 
technology gets more advanced and more widely deployed.
    And the stakes in this are enormous. With simply a name, 
address, and Social Security number, criminals use stolen 
identities to steal credit card numbers and bank account 
numbers, and to obtain fraudulent IRS and Medicare refunds. And 
the list goes on and on.
    The financial services industry is on the frontlines of 
this attack. More than 25 percent of all malware attacks hit 
banks and other financial services organizations, which is more 
than any other industry.
    In addition to the billions of dollars that financial 
institutions spend a year on cybersecurity, they also spend 
over $25 billion a year on anti-money-laundering and 
know-your-customer compliance, with large institutions spending up to 
$500 million annually.
    Artificial intelligence is only enhancing the cyber 
criminal's arsenal. AI can be used more quickly to find 
vulnerabilities in a bank's software that can be used to 
impersonate someone's voice or face in a phishing scam, much 
like those deepfakes of which everyone is aware.
    It can also be used for something that is called synthetic 
identity fraud. That is where criminals make up fake online 
identities by combining real and fake data from lots of 
different people, along with the Social Security number of a 
person, often a child, which they can buy very cheaply off the 
dark web or even the non-dark web.
    These fake identities look completely real, and the 
criminals can use them to open new bank accounts and a record 
of new financial transactions that make the synthetic identity 
look more and more real.
    And at the end of this, the unfortunate common practice is 
the so-called ``breakout,'' where criminals simply take out a 
massive loan they never repay, or buy a car that they ship 
offshore. This sort of scam happens using these synthetic 
identities.
    There are a number of things that we can do. I was very 
impressed by the roadmap produced by Jeremy Grant, one of our 
witnesses here, and his organization, the Better Identity 
Coalition.
    So if someone only has time to read one document in this 
space, that is the one that I personally have found most 
useful. It provides a roadmap for what government can do to 
help, because I think that government has a unique role in 
provisioning the ID, that we ultimately should take a 
responsibility for maintaining a valid list of our citizens.
    And I think that there has been a lot of motion, both by 
governments and motion in terms of the public perception of 
what is needed here.
    This is one of the reasons why I am really eager to hear 
more from the witnesses in this hearing. And I guess, in light 
of the fact that we are unlikely to have a large amount of time 
because of votes maybe intervening, I think I will just cut off 
my comments here and turn it over to the ranking member of the 
task force, Representative Hill.
    Mr. Hill. Thank you, Mr. Chairman, for convening the 
hearing today as a part of our Task Force on Artificial 
Intelligence. I know this is a topic that you particularly care 
deeply about. I am very interested in learning how our identity 
systems can be modernized in such a way that protects the 
privacy and personal information of all of our citizens, and I 
look forward to hearing from the panel today.
    When we anticipate a digital world where we are 
distributing financial services products digitally through 
banks and nonbanks across the country, obviously, whether it is 
a mobile app or through the internet, through the web, this 
issue of authenticating someone truly that you are doing 
business with and that they, in turn, then are just granting 
you, the financial services company, access to their 
information for a particular purpose, all of this relates to 
how we identify people, how we authenticate people in the 
space.
    And, of course, we have had Gramm-Leach-Bliley for many 
years now, but a lot of people who aren't banks or financial 
services players are not covered by Gramm-Leach-Bliley. And so, 
this issue of how do we improve that and offer innovation is so 
important.
    If we think about a digital world, you can't really have a 
completely digital process in 50 States in this country or 
internationally if you don't have not only the cyber 
protections that we are talking about in terms of the data 
being protected, but also that authentication process, so that 
individual user's identity.
    That is why I think this hearing is so important to the 
work we are doing in the Financial Technology Task Force, and 
it is so important for our private sector players, and, I 
think, our regulators on how we enhance the robustness of 
identity. How do we do it, how do we authenticate people in a 
more effective way, and move way beyond the user name and 
password that has spent the last 20 years of repeating our 
pet's names and 1, 2, 3, et cetera, as a way to get into 
systems as helpful as maybe just a sharing app or as important 
as reviewing our financial lives online.
    Also, the issue of data breaches is critical. And here the 
Federal Government doesn't have any better track record than 
the private sector. We have been in, this committee--I have 
been in Congress for 4 1/2 years, and we have spent a lot of 
hours in this room talking about the incompetence of the 
Federal Government in protecting people's privacy and our data. 
So obviously, this is a key issue for both the public and the 
private sector.
    Financial services companies, as Dr. Foster noted, are 
victim more to this kind of attack, 300 times more frequently 
than nonfinancial businesses, purely for really, though, 
obviously, for Willie Sutton's admonition that that is where 
the money is. But also, if you are a state actor, that is where 
the disruption is a very vulnerable point in the Western world.
    But thanks to advances in technology such as artificial 
intelligence and machine-learning, it is becoming increasingly 
easier to authenticate individuals and mitigate that kind of 
fraud. But we must be vigilant as policymakers to ensure that 
all of our sensitive information remains private.
    I look forward to having the witnesses help us to 
understand these issues and what we might consider either 
legislatively or regulatorily to improve this process. And I 
look forward to the discussion.
    With that, Mr. Chairman, I yield back.
    Chairman Foster. Thank you.
    And I would like to now yield 1 minute to Mr. McHenry, the 
ranking member of the full Financial Services Committee.
    Mr. McHenry. Thank you.
    Equifax, Capital One, what is next? How many breaches is it 
going to take before Congress takes appropriate action to view 
cybersecurity as a top priority and combating identity fraud as 
a top priority?
    Only a few months ago, we had the world's biggest bank 
executives right here before us, and they identified 
cybersecurity as the chief threat to the financial system, not 
productivity, not growth at home, not political upheaval in 
Europe, not the slowdown in China, but cybersecurity.
    What I appreciate about this panel, and I appreciate the 
work Mr. Foster has brought to the table here, because we begin 
with a bipartisan challenge, a challenge that we can then seek 
bipartisan solutions for here in Congress, and a new, 
innovative approach to this really cumbersome ``dumb-passwords 
user-name'' situation that we are currently in, and a new type 
of thinking that is occurring in the private sector, but to 
ensure the policymakers keep pace with what is happening in the 
private sector and further enable it and move this along much 
faster.
    Thanks so much. And I look forward to your testimony.
    Chairman Foster. Thank you.
    Today, we welcome the testimony of Anne Washington, 
assistant professor of data policy, NYU Steinhardt School; 
Valerie Abend, managing director of Accenture Security; Jeremy 
Grant, coordinator of the Better Identity Coalition; Amy 
Walraven, president and founder, Turnkey Risk Solutions; and 
Andre Boysen, chief identity officer, SecureKey Technologies.
    Witnesses are reminded that your oral testimony will be 
limited to 5 minutes. And without objection, your full written 
statements will be made a part of the record.
    Ms. Washington, you are now recognized for 5 minutes.

   STATEMENT OF ANNE WASHINGTON, ASSISTANT PROFESSOR OF DATA 
                 POLICY, NYU STEINHARDT SCHOOL

    Ms. Washington. Chairman Foster, Ranking Member Hill, and 
members of the Task Force on Artificial Intelligence, I am 
grateful for this opportunity to speak.
    Before I became a professor, I spent 8 years in financial 
services, in addition to many years working in support of this 
Chamber.
    My name is Anne Washington. Now, why did I give my name? I 
gave you my name because it is an identifier, and digital 
financial services rests on its ability to guess who you are 
through identifiers like your name. Artificial intelligence 
goes further by taking actions based on a presumed identity, 
and those actions have serious consequences.
    Today, I am going to explain why identity is important, why 
AI makes mistakes, because they are inevitable, and what we 
might do about it.
    Consider a firm with an AI system that works 99 percent of 
the time. That is great, right? But actually, in a business of 
10 million people, clients, that means it fails on 100,000 
people: 100,000 people who cannot get credit in an emergency; 
100,000 families who cannot get a home mortgage and build 
wealth; 100,000 entrepreneurs who cannot get a start in a small 
business.
    My examples focus on individuals, but let's not forget that 
owner-operators who are individuals with their own business 
face even greater financial risks.
    Much of the data technology today was originally designed 
for marketing purposes. So if I get a wrong coupon or a useless 
ad, it is cute. It is a momentary curiosity. In financial 
services, the stakes are higher. A digital mistake is 
detrimental, and it is ongoing.
    A few items from the news. Jennifer Norris of Boston 
routinely was in danger of losing her job because of an 
inability to resolve a dispute about her identity. A teacher in 
Maryland had to give up her livelihood because she was in a 
profession that required continuous recertification.
    As depicted on this slide, this New York novelist sees 
herself in all of her daily roles--an author, a parent, a 
friend. She probably does not see herself primarily as a New 
York driver. The next slide shows you how a computer sees her. 
She is just the information on this slide, primarily a name and 
a birth date. Yet, someone else in New York has the exact same 
name and the exact same birth date.
    The ``Lisas'' have no recourse to resolve this confusion. 
No organization can fathom the likelihood of this coincidence. 
A data double is what the scholar, Evelyn Ruppert, calls them, 
and that is somebody who has the same identifiers, but it is 
not you.
    Now, I am a computer scientist with a degree in business. I 
am going to tell you that I think this stuff works. But I can 
also tell you that there is little financial incentive to fix 
these mistakes, because mistakes will happen. It is 
mathematically certain, in fact.
    You can just go to the final slide.
    What are the chances that you are going to meet someone who 
has the same birthday? Actually, it is really high. It only 
takes 23 people in the same room. Probably in the members of 
this committee and your staff, there are two people who have 
the same birthday. If you go up to at least 75 people--I don't 
think we have that many here--it is 99.9 percent certain. 
Coincidences are not as rare as we perceive them to be.
    So, what can be done? Artificial intelligence identifiers 
built for a global audience need to scale. That means we have 
to respect naming practices that come from different religious 
traditions or different cultural traditions, or even non-Latin 
characters.
    Finally, I am going to argue that we need a way to get 
feedback back into identity systems. As a technologist, I want 
to know how I can improve and also incrementally make these 
systems better. It could also help lead towards procedures for 
handling errors and exceptions.
    One example is the MiDAS system in Michigan which accused 
jobless people of fraud without recourse. And that is one 
example of the way that AI systems need a feedback mechanism.
    Now, I argue that the authority of human experience must 
balance the authority of data. Why? Because stats happen.
    And experience matters. Each of you has someone in your 
district office who does case work. Why is that? That is a 
recognition that institutions sometimes obscure the needs of 
individuals.
    What will be the resolution process for identity disputes 
in artificial intelligence?
    [The prepared statement of Dr. Washington can be found on 
page 79 of the appendix.]
    Chairman Foster. Thank you.
    Ms. Abend, you are now recognized for 5 minutes to present 
your testimony.

   STATEMENT OF VALERIE ABEND, MANAGING DIRECTOR, ACCENTURE 
                            SECURITY

    Ms. Abend. Chairman Foster, Ranking Member Hill, and 
members of the task force, my name is Valerie Abend, and I lead 
Accenture's security practice for our North American financial 
services clients. Thank you for the opportunity to join you 
here today. I really commend this task force for holding a 
hearing to explore the importance of digital identity and its 
intersection with artificial intelligence.
    Innovation in digital identity and access management is 
incredibly important to cybersecurity, to enhancing privacy, 
and to ensuring trust in financial transactions. We live in a 
digitally connected world where customers' demand for efficient 
and accurate transactions continues to increase.
    From taking out a loan or paying my child's babysitter, 
most of these happen online. And key to these transactions is 
trust, trust that the individual we are conducting business 
with online is whom they say they are.
    However, the information we use to validate our identities 
now is widely available through dark web forums and social 
media postings, making us more vulnerable to spearphishing 
campaigns.
    Simply put, identifying yourself online through passwords, 
usernames, and security questions is no longer working.
    I would like to draw the members' attention to the slide on 
the screen that lists five global cyber threats to financial 
services as outlined in a recent report that we published.
    Credential and identity theft is first, because it is at 
the root of almost every breach. Not only are cyber criminals 
really good at fooling people through spearphishing to gain 
access into enterprises, but once they are inside these 
networks, they compromise other access credentials, moving 
throughout the company, learning how they operate, and 
ultimately gaining access to privileged data and systems. I 
like to call this access inside of systems the ``mushy 
middle.''
    One of the best known examples is the 2016 cyber heist from 
the Bangladesh Central Bank, where attackers stole $81 million. 
That was more than 3 years ago, and hackers are building new 
capabilities to commit their attacks in ways we haven't even 
thought of yet.
    This is why we must use innovations, including AI, to 
thwart them at the speed that cyber attacks occur. Attacks 
leveraging credential theft, as we saw in Bangladesh, will 
remain possible until we fundamentally change the way 
enterprises manage employee and customer access and how they 
detect and respond at machine speed when they sense that 
something is amiss.
    Today, we can use AI to enable financial institutions to 
have a more accurate picture of employee access across a 
complex enterprise. Through these tools, managers can make 
better decisions of who should have access, to what systems, 
and to what data in real time, thus managing this mushy middle.
    On the customer-facing side, leading organizations are 
leveraging biometrics, AI behavioral-based analytics, and 
multifactor authentication to make real-time risk-based 
authentication decisions to approve transactions and set limits 
around those transactions. In the blink of an eye, a financial 
institution can make complex risk management decisions about 
whether a person using their mobile apps is, in fact, their 
actual customer.
    This customer risk management approach is not just in use 
in the United States and other developed countries, but also in 
emerging economies where these new tools are providing secure 
online identities.
    For example, we at Accenture are part of the ID2020 Digital 
Identity Alliance, which was formed to develop a reliable 
digital identity for people in developing countries so they can 
confidently receive government services and validate their 
identities to employers, schools, and other service providers.
    These digital identity advances provide individuals with 
more security and control over their data, giving them the 
ability to decide who to share their personal information with, 
what to share, and for how long it can be shared.
    Congress' help would greatly benefit our nation's ability 
to improve digital identity as a cornerstone for better and 
safer online transactions.
    First, Congress needs to pass a national privacy law, which 
will build consumer confidence and trust in the digital economy 
while enabling the private sector to gain wider adoption for 
more secure products and services. A good starting point for 
this is the framework released by the Business Roundtable last 
year under the leadership of our CEO, Julie Sweet.
    Second, Congress should help foster an environment for 
digital identity innovation through proofs of concept that 
enable the testing of new capabilities and their ability to 
scale.
    And, third, I encourage you to ensure that any new laws 
designed to advance digital identity or cybersecurity be 
technology-neutral and interoperable with other sectors.
    So in conclusion, Mr. Chairman, there is much work to be 
done to build a digital identity ecosystem that thwarts 
cybersecurity attacks, improves privacy, and ensures trust.
    I want to thank you again for the opportunity to discuss 
these issues, and I look forward to your questions.
    [The prepared statement of Ms. Abend can be found on page 
34 of the appendix.]
    Chairman Foster. Thank you.
    And now, Mr. Grant, you are recognized for 5 minutes.

    STATEMENT OF JEREMY GRANT, COORDINATOR, BETTER IDENTITY 
                           COALITION

    Mr. Grant. Chairman Foster, Ranking Member Hill, members of 
the task force, thank you for the opportunity to testify today. 
I am here on behalf of the Better Identity Coalition, an 
organization that was launched last year, focused on bringing 
together leading firms from different sectors to work with 
policymakers to improve the way that Americans establish, 
protect, and verify their identities when they are online. Our 
members include recognized leaders from financial services, 
health, technology, FinTech, payments, and security.
    Our 22 members are united by a common recognition that the 
way we handle identity today in the U.S. is broken, and by a 
common desire to see both the public and private sectors each 
take steps to make identity systems work better.
    Let me say up front that I am grateful to this task force 
for calling the hearing today. The way we handle identity in 
America impacts our security, our privacy, and our liberty. And 
from an economic standpoint, particularly as we move to 
high-value transactions in the digital world, identity can be the 
great enabler, providing the foundation for digital 
transactions and online experiences that are more secure, more 
enjoyable for the user, and ideally, more respectful of their 
privacy.
    But when we don't get identity right, we enable a great set 
of attack points for criminals and other adversaries. A 
whopping 81 percent of cyber attacks are executed by taking 
advantage of weak or stolen passwords. Eighty-one percent is an 
enormous number. It basically means that it is an anomaly today 
when a breach happens and identity did not provide the attack 
vector.
    And outside of passwords, we have seen adversaries seek to 
steal massive datasets of Americans. In large part, they can 
have an easier time compromising the questions that are used in 
identity verification tools, like knowledge-based verification 
(KBV) solutions.
    A key takeaway for this committee to understand today is 
that attackers have caught up with many of the first-generation 
tools that we have been using to protect, verify, and 
authenticate identity. Now, there are a lot of reasons for 
this, and there is certainly blame to allocate. But the most 
important question is, what do government and industry do about 
it now?
    That is a key point, government and industry. If there is 
one message I think this task force should take away from the 
hearing today, it is that industry has said they cannot solve 
this alone. We are at a juncture where the government will need 
to step up and play a bigger role to help address critical 
vulnerabilities in our digital identity fabric.
    Last year, the Better Identity Coalition published a policy 
blueprint which outlined a set of key initiatives that the 
government should launch to improve identity that are both 
meaningful in impact and practical to implement. A few 
highlights:
    First, when talking about the future of the Social Security 
number (SSN), it is essential to understand the difference 
between the SSN's role as an identifier, essentially a number 
that is used to sort out which Jeremy Grant I am among the 
hundreds of us in the U.S., and its use as an authenticator, 
which is something that is used to prove I am really me, this 
particular Jeremy.
    SSNs should no longer be used as authenticators. This means 
that, as a country, we stop pretending the number is a secret 
or that the knowledge of an SSN can actually be used to prove 
that someone is who they claim to be.
    But that doesn't mean we need to replace them as 
identifiers. Instead, let's start to build systems that treat 
them like the widely available numbers that they are today. I 
have yet to see any replacement proposal around SSNs that does 
not involve spending tens of billions of dollars confusing 
hundreds of millions of people and not really giving us much 
security benefit.
    Second, on the authentication topic, there is good news 
here. Multi-stakeholder efforts, like the Fast Identity Online 
(FIDO) Alliance and the World Wide Web Consortium, have 
developed standards for next-generation authentication that are 
now being embedded in most devices, operating systems, and 
browsers in a way that enhances security, privacy, and user 
experience. The passwordless era is near, and government can 
play a role in accelerating the pace of adoption.
    Third, government will need to take a more active role in 
working with industry to deliver next-generation remote ID 
proofing solutions. Now, this is not about a national ID, and 
we are not recommending that one be created. We already have a 
number of nationally recognized authoritative government ID 
systems: the driver's license; the passport; the SSN.
    Our challenge here is what I call the identity gap, that 
all of these systems are stuck in the paper world while 
commerce is increasingly moving online. So to fix this, 
America's paper-based system should be modernized around a 
privacy-protecting consumer-centric model that allows a 
consumer to ask a government agency that issued a credential to 
stand behind it in the online world by validating the 
information from that credential.
    So, how would this work? As the animation that is up on the 
screen from our policy blueprint demonstrates, it is about 
creating a new paradigm for digital identity that starts with 
the needs of the consumer.
    Here, we will start with someone named Stacy who is trying 
to open a bank account online. She provides some basic identity 
information. But since she is not there in person with a 
physical ID, the bank doesn't really know if it is her or, for 
that matter, whether she is a real person at all.
    So, Stacy will ask somebody who already knows her, the DMV, 
to help her prove that she is who she claims to be. She will 
launch a mobile driver's license app on her smartphone. She 
will unlock it with an on-device biometric match, say, touch 
ID, which then unlocks a cryptographic key that is in the phone 
that can securely log her into the DMV to make this request.
    Now, because that app was securely issued to her phone at 
the time she got her driver's license, and because she unlocked 
it with her biometric on the device, there is now a chain of 
trust in place which allows that DMV to know it was Stacy who 
was actually making the request. With that secure 
authentication and authorization, the DMV and the bank can then 
set up a secure connection, and the DMV can validate her 
identity.
    Note that this concept was embraced in the 2016 report from 
the bipartisan Commission on Enhancing National Cybersecurity, 
as well as a recent White House OMB memo published in May.
    I appreciate the opportunity to testify today. Note that I 
have submitted lengthier testimony for the record as well as a 
copy of our policy blueprint.
    Thank you.
    [The prepared statement of Mr. Grant can be found on page 
49 of the appendix.]
    Chairman Foster. Thank you.
    Ms. Walraven, you are now recognized for 5 minutes.

STATEMENT OF AMY WALRAVEN, PRESIDENT AND FOUNDER, TURNKEY RISK 
                           SOLUTIONS

    Ms. Walraven. Thank you, Chairman Foster, Ranking Member 
Hill, and members of the task force, for the opportunity to 
appear before you and provide my testimony today to help inform 
discussions on the future of identity in the financial services 
sector: threats, challenges, and opportunities.
    I am the founder and president of Turnkey Risk Solutions, 
and prior to starting that company I spent 20 years in the 
financial services sector at a lot of large institutions. The 
last 10 years of my career, I was at JPMorgan Chase, where I 
was responsible for establishing the business practices 
specifically focused around proactive identification, 
mitigation, and remediation of various fraud threats that 
included credit bust-outs, synthetic identities, identity 
manipulation, and credit abuse.
    As we consider how to utilize artificial intelligence and 
machine-learning to navigate big data to identify consumers, it 
is important that we clarify our target by gaining a more 
comprehensive understanding of what synthetic identities are. I 
have been asked to provide the committee a brief overview of 
the factors that contributed significantly to their emergence 
in order to better frame the threats and challenges that we are 
facing.
    For the purposes of my discussion, Chairman Foster, you 
covered that a synthetic identity in its basic form is a Social 
Security number, a name, a date of birth. But it is important 
to note that creating a synthetic identity is materially 
different than traditional identity theft.
    In cases of traditional identity theft, the criminal 
impersonates a real person to open an account or take over an 
existing relationship. But in cases of synthetic identity, the 
criminal is using just a limited amount of elements of a true 
person's identity, for example, just their Social Security 
number, and then they pair that with a name, a different date 
of birth, and an address that they can control, and create a 
completely separate and distinct persona. And that is 
intentional. They do not want to commingle with an existing 
person.
    Once that synthetic has been created, you can use it for 
just about anything you can use a conventional identity for. 
Obviously, products in the banking service, but you can also 
create a social media account, insurance products, rent an 
apartment, obtain utilities, or enroll in benefits programs. 
You can basically use it for any purpose that the creator 
intended and whatever they are controlling it for.
    To better understand the threat of synthetic identities, I 
think it is important to understand the landscape that is 
influencing them.
    Technology plays a huge role. Advances in technology have 
created speed and convenience, but at the same time, they have 
created anonymity for the fraudsters. We are also asking an 
infrastructure that was built a long time ago to do more and 
more things that it wasn't intended to do, without really being 
able to keep up with the technology and the threats that are in 
the landscape today.
    Consumer awareness. Consumers are a lot more educated on 
understanding the importance of their credit, understanding the 
different ways to be able to protect their identifiers, and 
being able to stay away from compromising their information. 
That information has been put out to help protect consumers, 
but it has also been used by organized criminals and different 
criminal actors to be able to understand how the infrastructure 
works and to be able to design their attacks specifically to 
exploit those types of avenues.
    Regulations and new controls have done a lot to protect 
identity theft victims and have done a lot to make sure that 
they have ways to remediate when they have been victimized. We 
have seen those same protections, however, exploited, 
leveraged, and abused by criminals.
    We have done a lot to try to make sure that we can erase 
and eradicate anything that has been related to an identity 
thief. But when it comes down to actually having a synthetic 
identity, those same protections have been leveraged by them.
    Data breaches were originally focused on compromising 
credit and debit data. And once we put the chips in the cards, 
that information was then as useful as it had been in the past. 
So now, they had started to move to PII, more static 
information, people's names, people's Social Security numbers, 
people's dates of birth.
    All of these factors played a major role in an emergence of 
use of synthetic identities. This fraud threat was specifically 
engineered to evade existing controls while exploiting 
vulnerabilities in the financial services system and beyond, 
impacting other verticals.
    Many of the groups committing this type of fraud are highly 
organized, extremely sophisticated, and tend to be 
transnational in nature. These adversaries are focused, 
committed, well-funded, and have access to the same 
technological advances as we do.
    As an industry, we must be proactive in our actions, 
unified in our defenses, and more effective in our application 
of evolving technologies, including artificial intelligence.
    As we seek to deliver unprecedented speed and convenience 
to increasingly mobile and technology-dependent consumers and 
businesses, we must remain vigilant in understanding the 
threats to our interests and to our infrastructure.
    Synthetic identity fraud in the United States and around 
the world is widespread and inconceivably pervasive. It is 
being amplified by increased digitalization of products and 
processes. And when you couple that with a proliferation of 
available data, synthetic identity fraud readily operates 
across all delivery channels, providing the perpetrators with 
potentially unfettered access to our nation's financial system 
and Federal programs, making it essential that we act in a 
unified and collaborative manner to protect the integrity of 
our infrastructure.
    In order to do so, we must recognize the complexity of 
these next-generation frauds and be fully informed of their 
severity and their scope. Advances in technology alone cannot 
identify and resolve these issues. Mitigation efforts from 
industry and government must be fluid and nimble to ensure we 
have the ability to effectively address these issues with the 
urgency they deserve.
    Our control framework needs to be updated to specifically 
address synthetic identity fraud. It needs to be universally 
defined in order for institutions to be able to detect, report, 
and remediate it.
    Thank you very much. I appreciate the opportunity, and I 
look forward to any questions you may have.
    [The prepared statement of Ms. Walraven can be found on 
page 76 of the appendix.]
    Chairman Foster. Thank you.
    And, Mr. Boysen, you are now recognized for 5 minutes.

 STATEMENT OF ANDRE BOYSEN, CHIEF IDENTITY OFFICER, SECUREKEY 
                          TECHNOLOGIES

    Mr. Boysen. Chairman Foster, Ranking Member Hill, and 
members of the task force, thank you for the opportunity to 
discuss the future of digital identity with you today.
    I am Andre Boysen, the chief identity officer at SecureKey 
Technologies, and I look forward to sharing our experiences in 
building a nationwide privacy-based digital identity network 
for Canadian consumers that works across the economy.
    SecureKey is a Canadian company that is a world leader in 
providing technology solutions to enable citizens to easily 
access high-value digital services. We focus on the 
intersection of the citizen, the public and private sectors, 
privacy, and consent.
    Digital identity is not just about citizen expectations. 
Companies, governments, and other organizations have strong 
incentives to move transactions online to realize cost savings, 
enhance customer experiences, and increase business integrity. 
An organization's ability to do this hinges on a single 
question: Can I trust the person or the digital identity at the 
other end of this transaction?
    As Jeremy has already said, identity is broken and it is 
equally problematic for citizens and for business. To recognize 
clients and provide trusted access to services online, 
organizations typically deploy a mix of analog and digital 
measures to confirm identity and mitigate risk. As we have 
seen, however, these solutions tend to be complex and are not 
fully effective.
    On the other side, citizens are asked to navigate a 
continuously changing kaleidoscope of identification methods to 
satisfy the onboarding needs of the organizations from which 
they seek services. All the while, we all read newspaper 
stories every single day about data breaches and online 
impersonators.
    There is reason to be concerned. Fraudsters are collecting 
information to know as much, sometimes more, than the citizens 
that they are impersonating. Standard physical cards for a 
paper-based world are easily counterfeited and it's often 
impossible to check the document validity with the issuing 
sources.
    Even biometric methods, which have been presented as a 
digital solution to digital fraud, are increasingly being 
targeted by hackers. Unlike passwords, you can't change your 
biometrics. You can easily be tricked out of a selfie.
    Our collection of siloed systems are too hard for consumers 
to use. It is not solving the problem, and it is too expensive 
to be sustained. It is every web service for itself.
    Consider the CEOs of Twitter and Facebook, Jack Dorsey and 
Mark Zuckerberg. These two digital leaders know how the system 
works, understand digital identity best practices, and have all 
the resources in the world at their fingertips. Yet, even they 
have problems controlling and managing fraudulent access to 
their digital identities.
    Mr. Zuckerberg's problem was self-inflicted, while Mr. 
Dorsey was failed by the telco he relied on when he became the 
victim of SIM swap fraud.
    If they can't manage and be protected in the current 
digital landscape, how are the rest of us supposed to manage?
    Urging greater online security vigilance has passed the 
point of diminishing returns. It needs to be said that there is 
no organization on the planet that can solve digital identity 
on its own. It takes a village to make digital identity work, 
each player playing to their strengths and combining to create 
trust greater than the sum of the parts.
    The Canadian model is a public-private partnership between 
financial institutions, telcos, governments, and other trusted 
partners. It is a give-to-get model.
    For example, governments are the foundational issuers of 
identity documents in the form of birth registries and 
immigration documents. Governments also link their records with 
a photo to a living person by issuing a driver's license or a 
passport.
    But governments aren't as adept as the commercial sector at 
knowing if the person actually is at the end of a given digital 
transaction. The IRS has a file on everyone in this room, but 
they would be hard-pressed to point any of us out in a crowd. 
That is why they use knowledge-based authentication (KBA).
    This brings us to financial institutions who complete 
billions of authentications per year. Compared to other 
organizations, citizens only rarely interact with government 
during their daily lives. They may renew their driver's license 
or passport every 5 years. But they will log into their bank 
account several times per week. This increases the integrity in 
their transactions for banks.
    And our mobile devices are always within reach. The 
carriers have some security features that are important and 
that are tied to subscriber accounts. Verified.Me is a service 
that is offered by SecureKey Technologies, that is built on 
open standards. Verified.Me was developed in cooperation with 
seven major financial institutions in Canada. It is a first-of-
its-kind service that takes a village approach to solving the 
digital identity problems we have been talking about today with 
greater simplicity, higher integrity, greater cost efficiency, 
and better privacy.
    With the information and resources already available, we 
have helped to solve the digital identity problem in Canada, 
and have developed a model we think will work around the world. 
Some of our leadership and collaboration partners include 
Global Privacy and Security By Design developed by Ann 
Cavoukian, the U.S. Department of Homeland Security, the 
Science and Technology Directorate under Anil John, and the 
Digital ID and Authentication Council of Canada.
    Thank you for the opportunity to share my comments with you 
today.
    [The prepared statement of Mr. Boysen can be found on page 
45 of the appendix.]
    Chairman Foster. Thank you.
    I will now recognize myself for 5 minutes for questions.
    Mr. Grant, one of the things that impressed me in your 
testimony is the bipartisan nature of the support for this. You 
were very involved in the Obama Administration's initiative on 
secure online digital ID. And it appears as though OMB and the 
current Administration is actually strengthening those 
initiatives.
    Could you just sort of briefly outline what the recent 
history of government involvement is in strengthening citizens' 
ability to authenticate themselves online?
    Mr. Grant. Sure. As you mentioned, I spent several years in 
government leading an Obama Administration initiative, the 
National Strategy for Trusted Identities in Cyberspace (NSTIC), 
although I was a civil servant when I was there and stationed 
up at NIST, up the road, where I served as their senior adviser 
for identity management and ran the program.
    This has never been a partisan issue, as you point out, and 
it is great to see that tradition continuing today in this task 
force hearing.
    Much of what the NSTIC program, as it was known, was 
focused on was how to basically catalyze a marketplace. The 
idea was that the government's role, the way things are in the 
U.S., should be limited, but government should play a role where 
there might be gaps to fill. And there was a lot of good work 
that was done then that I would say is now flowing into the 
work that we are driving in the Better Identity Coalition in 
terms of looking to carve out an appropriate role for the 
government without one where there is too much of a role for 
the government.
    As I mentioned in my written statement and opening 
statement, in May the Office of Management and Budget signed 
Memorandum 19-17 into effect, it is about 13 pages, updating a 
lot of the government's cybersecurity policy as it impacts 
identity. And we were really excited to see that they took one 
of our key recommendations, basically calling for agencies to 
create, I think the language was privacy-enhanced APIs, which 
would allow consumers to ask that an agency validate identity 
information about themselves either for public or private 
sector applications.
    I think now that that is in place, there is a good policy 
foundation in place for the first time in the U.S. to actually 
start to bring government into play more of this role for 
consumers and businesses.
    Chairman Foster. Thank you.
    And, Ms. Washington, Ms. Abend, you both touched on in your 
testimony the fact that the lack of a way to authenticate 
yourself falls most heavily on those who are not wealthy, in 
developing countries, that one of the real improvements in the 
quality of a citizen's life comes from having a way to 
authenticate themselves and prove who they are. This sounds 
sort of counterintuitive, and I was wondering if you could add 
a little bit about why this is.
    Ms. Abend. It is interesting what we found, if you look at 
some of the things that even the Chair of the FDIC has said 
recently in some of her public comments about how individuals 
who are unbanked or underbanked have cell phones and they use 
those phones to conduct their financial transactions.
    And so, if we could establish the kind of confidence by 
having, as I put in the recommendations, a national privacy 
law, I think we would go a long way to engender trust so that 
they have certain protections through that national privacy law 
and a much less complex way of understanding what those 
protections are while also being able to use the tool that is 
in their hand to be able to validate themselves for financial 
transactions. And through that process, would give them access 
to financial transactions in a safe and sound manner.
    Chairman Foster. Ms. Washington, do you have anything to 
add?
    Ms. Washington. I just want to say that right now, without 
a standard way and a standard procedure for disputing 
authentication issues, people who feel powerless in society are 
probably not going to figure out how to dispute it. So by 
default, we are not going to have equal access to resolving 
disputes.
    Chairman Foster. I think there is probably also a tendency 
for wealthy people to have a more established financial 
transaction record that can be used in a sort of secondary way 
to make sure that the person is real and so on.
    Ms. Walraven, do you have anything to add there?
    Ms. Walraven. I think we also have to take into 
consideration that for all the things that we are putting in 
place to protect consumers, and they are all very valid, there 
are much easier ways to take a step back and go through and 
negotiate the system.
    I think all the controls that we are putting on for 
artificial intelligence and authentication, it starts at the 
front. You need to know who that person is, and then you go 
through and do the authentication. So we need to go further up 
the chain and make sure that identity is actually factual 
first, and then you can build a lot of controls behind it.
    But we need to get to the root of the issue instead of just 
addressing, in some cases, the symptoms. I think that is really 
how we can get much more collaborative between industry and 
government. And I definitely think we need to do that, because 
the current infrastructure is doing a good job with what it 
can, but we need to reshape the issue and look at it from a 
different lens.
    Chairman Foster. All right. Thank you.
    The gentleman from Arkansas, Mr. Hill, the ranking member 
of the task force, is recognized for 5 minutes.
    Mr. Hill. Thank you, Mr. Chairman.
    Before I begin my questions, I would like to ask that 
something be submitted for the record. One area that has been 
concerning to our title industries across the country is 
business email compromise, which is just another commercial 
form of fraud. And in that regard, I would like to submit a 
letter from Chairman Powell, as well as the response he had on 
this issue and how important it is. I would like to submit that 
for the record.
    Chairman Foster. Without objection, it is so ordered.
    Mr. Hill. This has been a really good panel. And as I said, 
we are trying to correct the world we live in and prepare for 
the world in the future. And we can't do that without this 
strict privacy standard and the ability to authenticate whom it 
is that we are doing business with. I thought each of you had 
great opening comments, and I am grateful for that.
    And I was pleased to hear, Mr. Grant, you talk a little bit 
about OMB's issue, because one thing this panel has heard, and 
our FinTech Task Force has heard consistently is the dangers of 
data scraping and that that is not a best practice out in the 
FinTech world for accessing customer data.
    Can you reflect, will OMB's policy impact that in the 
government sector? And is it a good standard for the private 
sector to adopt?
    Mr. Grant. I think the new OMB policy, assuming that there 
is some follow-up to actually get more agencies to start 
providing that to validation services online, will help to 
contribute to some of the challenges we have seen in open 
banking where you have different FinTechs who might want to 
scrape financial data.
    But there, I have been really impressed by the work of the 
Financial Data Exchange. It is a group that was incubated in 
the FS-ISAC, the Financial Services ISAC, that does a lot of 
cybersecurity work. And they brought together banks and FinTech 
firms to work on essentially coming up with a standard API that 
leverages well-known standards like FIDO, OAuth, and OpenID 
Connect, that will allow a consumer to decide to essentially 
securely grant certain access rights to some of their financial 
data.
    Because identity is that core control that is there, if we 
are able to enhance some of the ways we do identity 
verification through that API with some of the things that the 
government can provide, I think we are going to have more 
robust solutions all across-the-board.
    Mr. Hill. That is very helpful.
    And, Ms. Walraven, this issue of synthetic identity, could 
you explain that a little more? I looked at your testimony and 
listened to you. But are you suggesting that people are just 
aggregating a good cell number, a good address with a different 
name and a different Social Security number, so they are not 
imitating the exact person, they are creating a new synthetic 
individual, and so they are just using all validated 
information? Is that what you are suggesting?
    Ms. Walraven. Similar. So, basically, a synthetic can use 
someone's real information, let's say, a Social Security 
number, either yours, or a child's Social Security number. And 
then, what they will do is they will take that, add a name that 
is different than the real person's name, and add a date of 
birth. And if they are going to go in person somewhere, they 
probably would make it closer to probably what is more likely 
for them. And then put at an address that they can control. And 
basically from there, they create a completely separate and 
distinct identity.
    So it is not real per se as far as it has been a real 
person. It is a real person doing it, potentially, but it is 
not a real identity. But it functions, especially in a digital 
and in a paperless area, exactly like a real identity.
    And when they create that, they know their mother's maiden 
name, they know the user ID and password, they know the 
different security questions, because they created them. So 
when you go to do the authentication afterwards, you are not 
going to catch them in the existing infrastructure that we 
have, because those credentials are known to them.
    Mr. Hill. Thanks for your contribution to that.
    Mr. Grant, I read recently about the beginning of the 
implementation of the California statute. And for the 4 1/2 
years I have been in Congress, we have debated privacy and data 
breach notification here and witnessed the battle between 
retailers and the financial services industry, which grows 
tiresome here on this committee, and the desire to have a 50-
State solution, which would be great in a digital world if we 
could do that.
    So now, California has acted. I am interested in your 
views. Is the California Consumer Privacy Act (CCPA) a net 
positive for the consumer? Is it a decent basis in terms of the 
definitions they struck, the approach they took, for the 
Federal Government to consider?
    Mr. Grant. I think CCPA writ large, I guess we will have to 
see how its implementation goes and whether it is a positive 
for the consumer.
    There is a couple of things on the identity side that I 
have been very concerned about, including the fact that it took 
kind of an ambiguous approach to whether you can use data for 
security and fraud prevention.
    As background, the General Data Protection Regulation 
(GDPR) over in Europe did, I thought, a pretty good job saying, 
look, if you are using data for marketing purposes or other 
things, all of these rules apply. But if I am analyzing data I 
am able to capture about the way you are interacting with a 
device, well, that is for security or fraud prevention only, 
so that is okay.
    In California, they took a little bit of a different 
approach. And I think part of this might have been because the 
law was written in about a week. I think the history of it was 
they were trying to head off a ballot initiative. They said 
that a consumer cannot go to a company that has information on 
them that is being used for security and fraud prevention and 
ask that that information be deleted, which is good. But they 
did not go ahead, you couldn't actually go to a company and opt 
out of that information being used at all.
    And so the concern there is that if, say, even 2 percent of 
people go to companies and basically tell them to turn off the 
security analytics controls that are some of the best tools we 
have today to prevent things like credential stuffing attacks 
or other spoofed identities, it is going to put people at risk, 
consumers at risk, and businesses at risk.
    Mr. Hill. Thank you very much.
    I appreciate it, Mr. Chairman.
    We will come back to it. Thank you.
    Chairman Foster. The gentleman from North Carolina, the 
ranking member of the full Financial Services Committee, Mr. 
McHenry, is recognized for 5 minutes.
    Mr. McHenry. Thank you.
    This has been great testimony, an informative panel, and I 
think it is quite constructive, again, quite constructive for 
what has been, as Mr. Hill outlined, a rather tiresome debate 
between retailers and banks on who holds the bag, without 
talking about progress or fixing the problem. They want 
Congress to intervene and make the decision on who gets sued.
    So, let's get beyond that. Let's get to the solution.
    Mr. Boysen, I would like to hear the story of what your 
company is doing in Canada to verify identity and the 
undertaking that you and your company have had.
    Mr. Boysen. Thank you.
    There have been two generations of services that we have 
launched in Canada. The first one was in 2012, and that we did 
with the Government of Canada. It was designed to be a safe 
replacement for multiple user IDs and passwords.
    In 2012, the problem the Government of Canada had is every 
time I, as a Canadian, went to our tax authority, every single 
time, I forgot the password. And so, their challenge was how to 
authenticate me. They can't do what Amazon does. They can't do 
an email password reset. They have to send secure mail to my 
house.
    Being a busy Canadian, I solved my tax problem with them 
another way. And they sent me this thing 2 weeks later. I don't 
send it back in, and I come back here next year and do the same 
thing. That cost them 40 bucks a shot.
    Between the period 2004 to 2012, they spent $970 million 
authenticating 5 million Canadians. For the subsequent period, 
from 2012 to 2018, their costs have come down to roughly $200 
million in order of magnitude in savings. The reason is that 
Canadians now are able to use their bank account to get to the 
government. This has been transformational.
    The reason this works better is because Canadians are in 
their bank account every single week, so they are not going to 
forget the password. More importantly, if they do forget the 
password, like, if they can't get in, they are on DEFCON 5, 
they are going to run down to the bank right now because they 
are terrified their money is going to be lost, and it is that 
self-interest that has actually increased the integrity of the 
transactions.
    The challenge with that service, however, is that it was 
authentication only. It didn't solve the identity problem. So 
in May of this year, with all of the major banks in Canada and 
several other trusted partners, we launched an identity 
service. It allows me to prove my identity in a trustworthy way 
based on bank, telco, and government data that I authenticate 
with each of those providers myself. And then I am able to, 
under my control, give that to someone else when I want to sign up 
for a new service.
    So this actually increases integrity for all of those end 
points and takes their cost down and gets them better results, 
too.
    Mr. McHenry. Okay. So, verify me. I use blockchain 
technology. Walk us through that.
    Mr. Boysen. We didn't start off saying, blockchain is cool, 
let's use it. We came at it from a very different point of 
view. If any organization is consuming data from a network to 
confirm my data, they have three requirements that need to be 
met.
    Requirement number one is they want to know the data came 
from an authoritative source, somebody they would know and 
trust today, like a government-issued ID.
    The second requirement that they want to know is they want 
to know the data has not been altered since it was written by 
that authoritative source; the crook didn't take my driver's 
license, take all my data, scratch my photo, and stick their 
photo on it.
    The third requirement they have is they want to know that 
the data belongs to the person presenting it.
    So, let me answer your question about, why blockchain? 
Blockchain does three very specific things. The first thing is 
it allowed us to implement this thing we call triple blind 
privacy. In Canada today, when I use my bank account to get to 
the government, the bank account does not get to see my online 
destination. The government in its place knows that I came from 
a tier one bank in Canada but not which one. And our company, 
which operates the network, we don't know who you are. Triple 
blind privacy says not the bank, not the government, not 
SecureKey got a complete picture of the user journey.
    When we tried to go do that with identity, the problem is, 
with us in the middle, we were going to get to see a lot, and 
we wanted to figure out a way to do triple blind identity so I 
could send my data from Wells Fargo to the IRS without Wells 
Fargo knowing it went to the IRS, without the IRS knowing it 
came from Wells Fargo, and without us seeing anything in 
between.
    So, it gave us a method to implement triple-blind privacy. 
The second thing is, it allowed us to meet the integrity 
challenge to verify and meet those three requirements that I 
talked about. And the third side benefit is we get resiliency 
because there are so many nodes it is harder to mount a denial-
of-service attack.
    Mr. McHenry. So broadly, that cryptography, the blockchain 
cryptography, is this leap forward in order to ensure that you 
can have that movement of data.
    But here is a different question. Is there a different 
cultural assumption between folks in the United States versus 
folks in Canada about their digital identity and that 
willingness to share that data?
    Mr. Boysen. I would say the stance of Canadians and 
Americans is very similar on this front. I would say that the 
privacy regulations in Canada are generally better, and so that 
gives Canadians confidence when they are doing this. They have 
recourse. If something negative happens, they have somewhere to 
go and get it sorted. So, I would say the model would work 
here, too, is my sense.
    Mr. McHenry. Excellent. Well, let's get at it, right? 
Pitter patter, let's get at her. Let's make some progress here.
    Thank you for a great panel. It was highly informative. I 
have 3 hours more of questions, but every one of you are top 
notch.
    Thank you for being here.
    Chairman Foster. Thank you.
    And the gentleman from Georgia, Mr. Loudermilk, is 
recognized for 5 minutes.
    Mr. Loudermilk. Thank you, Mr. Chairman.
    Thank you to all of you on the panel here. This is 
intriguing, coming from an IT background. I have been dealing 
with cyber issues for quite some time from my time in the Air 
Force dealing with intelligence data all the way up through 
even protecting businesses and school systems with internet 
accesses.
    It is an ongoing challenge. And transactions that happen, 
especially in the financial services sector, happen at 
incredible speeds. Therefore, verification for those who use 
this has to be done at the same speed.
    I am one of those guys who likes using cash. I like reading 
a printed book. I like going to a store and putting my hands on 
what I am going to buy. I am unique in the world today, as I 
found out the younger you are, the more you are relying on the 
technology. So, we have to be exploring these areas.
    Before I get to my questions, though, Mr. Chairman, I would 
like to submit for the record a letter from the Consumer First 
Coalition addressing concerns and congressional oversight over 
the electronic consent-based Social Security verification 
system as they move forward.
    Chairman Foster. Without objection, it is so ordered.
    Mr. Loudermilk. Thank you, Mr. Chairman.
    Ms. Washington brought up a very interesting scenario at 
the beginning of this, which I think illustrates some of the 
challenges that we do face. But I have one that I found quite 
unique.
    I was taking a group to the White House. And if you have 
ever visited the White House, they have quite a verification 
system to go through. If there is one thing wrong, you are 
going to get pulled out and put in a holding area.
    A young lady I was with, who was probably in her early 
thirties, was pulled out and put in a holding area. It kind of 
surprised me, and so I went to talk to her.
    She said: ``Oh, this happens all the time.''
    ``Really?''
    ``Yes. I have an identical twin sister. My mom didn't 
realize that she was going to have twins, and she had already 
chosen the name, so she gave us both the exact same name.''
    And I am going to use a different name, but it was 
Elizabeth Grace Smith. One was called Liz, the other was called 
Grace. They have the same name, the same birthday, the same 
birth location, the same hair, the same height, the same 
weight. What triggered the Secret Service was their Social 
Security numbers were off by one digit.
    So, there was this delineator. This is a real illustration 
of the type of thing that we are going to encounter, as Ms. 
Washington had brought up, but we have to find a path to get 
there.
    And one of the things--I am big on innovation. I am big on 
sandboxes so we can go out and explore ways to do this, but it 
has to be done in a controlled environment to protect consumers 
but yet have the ability to do these things.
    Ms. Abend, it took us a while to adopt the chip payment 
system. Traveling in Europe, they had it a long time before we 
were able to adopt it here. But from what I understand, it has 
reduced the counterfeit fraud by about 87 percent.
    But the bad players, the criminals now focus on digital 
payments, which involve digital identities. We need 
cybersecurity solutions to combat these digital payment frauds.
    Are we heading in the right direction? Do we have the 
sandbox available to develop these?
    Ms. Abend. Congressman, that is an excellent question. And 
I remember distinctly, when I was actually back working at the 
Office of the Comptroller of the Currency, when the deadline 
was approaching for a chip and pin and the conversations, 
because we had just faced the breach with Target and actually 
had to appear before Congress to testify on cybersecurity at 
that moment in time as well, and I remember distinctly having 
this conversation about what it would do and what it would not 
do.
    And as we have seen overseas, the card-not-present fraud 
goes through the roof, right? Bad guys know. And all of these 
online transactions, they are card not present, and that means 
they are missing that authentication aspect of being present 
with that chip and pin.
    And I think that, while it was a step in the right 
direction and it was just a layer, the fact that most of our 
transactions are increasingly online and need to happen at the 
speed that we have discussed here, we do need to create an 
environment that fosters more innovation, that figures out a 
way to improve the state of synthetic IDs, as my colleague here 
has talked about, that creates that more trust that we have 
talked about here, and do it in a way where people can protect 
all consumers and everyone can get bought into that system.
    And I think that is why my colleague, Jeremy, and the 
Business Roundtable that I mentioned earlier that has over 200 
CEOs, have a lot of alignment around what needs to be done to 
create that transparency for consumers with privacy, a national 
privacy law, while also creating a better ecosystem where we 
proof people to enable them for online transactions.
    Mr. Loudermilk. Thank you. I agree with Ranking Member 
McHenry; I also have tons of questions. This is intriguing. But 
I am already out of time. I will submit the others for the 
record.
    I agree with Ms. Washington on her concerns, but I think 
the solution, because those with low income are using 
electronic transactions as much or more as some others are, and 
we have to be able to find the way to positively protect them 
as well.
    Thank you, Mr. Chairman.
    Chairman Foster. Thank you.
    The gentleman from Ohio, Mr. Gonzalez, is recognized for 5 
minutes.
    Mr. Gonzalez of Ohio. Thank you, Mr. Chairman.
    And thank you to the panel for your outstanding testimonies 
and participation today. I think this has been a great hearing 
so far.
    Mr. Boysen, I want to kind of drill down on some of Mr. 
McHenry's questions around blockchain specifically. So, I will 
spend some time there, if you don't mind.
    As you were innovating in the space, what legal impediments 
existed in Canada that prevented you from developing the 
blockchain, and what has had to change? Just kind of walk me 
through what it was like as you were innovating, and then how 
did you get there?
    Mr. Boysen. Sure. One of the biggest challenges, in fact, 
is when you look all across the economy, the most rigorous 
process we go through as consumers when we get identity proofed 
is when we go through a bank, and it is a regulated process. 
They have know-your-customer (KYC) and anti-money-laundering 
(AML).
    In Canada, our organization for managing that is called 
FINTRAC, and they have a set of interpretation bulletins that 
they use to interpret the legislation to say what banks can and 
cannot do.
    The problem when we started this process is it didn't 
include digital methods, so it took a long time to talk about 
the advantages of doing digital methods.
    And I want to pick up on Valerie's comments around this 
card-present/card-not-present concept. One of the things we 
were able to convince the regulators is what we were doing with 
our service is actually creating card-present identity. Today, 
when I take my driver's license to the counter, if it is a fake 
driver's license, the bank is defenseless against that attack 
because they can't check against the issuer. With our service, 
all of the data is checked in real time.
    So that, getting the regulators and the community to 
understand this was actually better than what we could do in 
person, took a long time, but once we got there, they said this 
was more powerful.
    Mr. Gonzalez of Ohio. And was that a regulatory fix or a 
legislative fix?
    Mr. Boysen. The interpretation bulletins for the FINTRAC 
and KYC and AML were updated to include digital methods.
    Mr. Gonzalez of Ohio. Legislatively?
    Mr. Boysen. Yes.
    Mr. Gonzalez of Ohio. Okay. So, your legislature had to 
act.
    And then as you look at the U.S., where do you see similar 
holes where we should be legislating to enable the technology?
    Mr. Boysen. Canada had an advantage in trying to get a 
scheme like this going because we have a small set of banks, we 
have a small set of provinces, and a small set of telcos. So we 
could kind of get everything in the room.
    Your economic construction here is a little bit different. 
You have 3,000 banks. You have 50 States. Luckily, you have a 
small set of telcos.
    I do think the learnings in Canada can be applied to the 
U.S. model. So I will say that there is a lot of work being 
done with U.S. organizations to launch a similar service to the 
one we have in Canada, here in the United States. That is down 
the track. More work needs to be done. But I think there will 
be similar changes where the regulatory updates are going to be 
required to support it.
    Mr. Gonzalez of Ohio. Okay. And do you have any specifics 
in mind on, hey, here is how the SEC is interpreting this, and 
this needs to change?
    Or anybody else, frankly?
    Mr. Grant, you are kind of nodding.
    Mr. Boysen. Yes. I can provide it as follow-up testimony 
for the record. I could get our legal counsel, who has actually 
done a lot of work here, and I will submit that for the record 
and you can review that after.
    Mr. Gonzalez of Ohio. That would be fantastic.
    Mr. Grant?
    Mr. Grant. I would say, if you look at our membership, 
about half of them are firms in banks or payments or FinTech. 
And one of the things we specifically called for was for 
Treasury and the regulators to do more here.
    I will say they have been really receptive to discussions 
with us. The message we have gotten is, if you are seeing a 
barrier to digital identity innovation, please let us know. 
Marshall Billingslea, who I think is Assistant Secretary for 
Terrorist Financing at Treasury, announced that Treasury wants 
to do a text print, working with industry in the next year to 
try and help bring regulators and innovators together.
    I continue to ask my members every month, are we running 
into things that are precluding innovation, particularly at the 
intersection of identity and financial services? And I think 
the biggest answer we get is, sometimes there is a regulation 
where there is just ambiguity. And then, the compliance people 
kind of have their freak-out and it is hard to move forward. 
But I am actually bullish there.
    I think where we need a little more effort--we talked 
before about the Office of Management and Budget (OMB) memo, 
which is a nice start, but policy memos come out all the time 
from OMB and get ignored. So I think we need more of a formal 
government-wide initiative, hopefully convened by the White 
House, to try and look at how to bring agencies together, 
potentially within the industry, to figure out how to take this 
to the next step.
    I think more work needs to be done at my old agency, at 
NIST, on a framework of standards to help put a foundation in 
place. And I think agencies could benefit from a center of 
excellence in government as well, that could actually help.
    The Social Security Administration right now is developing 
an attribute validation service. Congress told them to do so 
last year, in fact, thanks in part to the work of this 
committee. But in getting other agencies to do that, they will 
need some technical help.
    These are little steps around the edges that can make a big 
difference to solving this problem.
    Mr. Gonzalez of Ohio. Thank you.
    And, again, I want to thank everybody for the time and 
energy on this.
    Mr. Boysen, we will follow up.
    And I yield back.
    Chairman Foster. Thank you.
    The gentleman from Virginia, Mr. Riggleman, is recognized 
for 5 minutes.
    Mr. Riggleman. Thank you, Mr. Chairman. I hope I can have 
60 minutes to question the panel, please. Thank you.
    It is good to be here.
    And, Ms. Washington, thanks for your--at the beginning when 
you talked about birthdays, my birthday is March 17th, a show 
of hands for St. Patrick's Day birthdays? Well, look at that. 
No one. My goodness.
    I want to give my background really quickly because I 
actually get excited about this stuff. My background was in 
military intelligence, about 26 years combined in the military 
and doing this, was tracking people and finding their 
identities without them volunteering their information. So I 
might cover this a little bit differently. But it is also sort 
of the bridge between technology and operations and how this 
would happen. So my questions might be a little more esoteric 
and a little bit more fun, I would hope.
    Right now, I have about 50 questions I had written down, so 
I am going to try to go quickly. I always have too many to go 
quickly. But Ms. Abend had said something beforehand, and I 
will start the line of questioning there.
    I am going to start with sort of the bottom line upfront, 
and then go backwards with technology. And, here we go.
    It does sound like the use of AI will be a critical part of 
ensuring security in digital identity. I want to know, should 
we be concerned that this kind of technology could be cost-
prohibitive--and I am starting at the back--or otherwise 
unavailable to smaller financial institutions or even 
companies? Do you think that is something we have to worry 
about?
    Ms. Abend. I think that any time you deal with innovation, 
it is actually interesting, some of the smaller companies of 
the world are really creative, and they partner with Accenture 
to actually make those possible and to make them scale. But I 
do think we need to find ways to actually help smaller 
companies be able to leverage some of these capabilities that 
you are pointing out, AI being one of them.
    And to that end, I would commend the ranking member's 
effort in his own district, in Little Rock, Arkansas, to 
actually create an innovation hub where community institutions 
can actually learn how to take advantage of these things.
    And I think the other way to actually help them scale to 
the benefit particularly of smaller entities and in this case 
community institutions is to actually help them do that through 
the partnerships with their third parties, their large-scale 
technology service providers.
    Mr. Riggleman. This is why I get excited about this, 
because we all are sort of creating our own unique identifiers, 
our own ``UIDs.'' But a refrigerator has one also, and I don't 
want to be mistaken for that.
    So as we go forward, do you see private companies--and here 
my questions get a little esoteric--rejecting individual or 
business transactions with other entities based on insufficient 
authentication of identity?
    And when I look at how people are going back and forth and 
utilizing sort of their own signatures, my question is, are we 
going to get to a point--and this is where I get a little bit 
excited and my head starts to explode a little bit--where we 
are going to see private companies actually creating their own 
unique ID sort of set of criteria? And then, do you see them 
ensuring that criteria or ensuring that identity is doing 
transactional issues with other companies and then rejecting 
those companies?
    That is the thing that--and I know Mr. Grant, and I 
listened to what you are doing in Canada--I am almost wondering 
if we are going to get to a point where companies are going to 
be judged based on their criteria for how they protect our 
identity and other companies rejecting that identity based on 
UIDs. Do you guys see that happening in the future?
    Mr. Grant, go ahead?
    Mr. Grant. For years, one of the things we have been trying 
to do here in the U.S. and really in a lot of countries abroad 
has been looking at whether we could have certification 
programs for private issuers of identity.
    I talked today about the role of government, but my bank 
knows me. In fact, that is sort of the foundation of what is 
happening in Canada, as well as what I think we will see in the 
U.S., because they have to figure out who I am before they open 
an account. So could they then vouch for me other places? Could 
I log in with my bank somewhere, perhaps at the Social Security 
Administration?
    There are certification programs in place today from 
organizations. The one that is most well-known is called 
Kantara. That has actually been recognized by the General 
Services Administration as what they call a trust framework 
provider to certify the way that a private sector entity issues 
an identity.
    Going forward, I talked a lot about the concept of an 
identity ecosystem. There are components that industry is going 
to provide, and there are components that the government is 
going to provide. And I think we are going to be able to create 
some hybrid solutions that can really bring in, frankly, the 
best innovation the private sector can deliver, but that access 
to the authoritative data sources that only government has. 
Government is the only entity that authoritatively confers 
identity. If you can merge those together, you can give people 
something that is portable that they can use everyplace they 
go.
    Mr. Riggleman. Well, geez, you are in my head.
    So do you believe, if we are creating, say, this identity 
token, and you are talking about these standards, do you think 
we are dealing with unstructured data? We are dealing with new 
things like natural language processing, things like that. Do 
you believe there is ever a time where we are going to be able 
to customize our token where the only way we can find our 
identity or make our identity known is the stuff that we 
actually customize with that information? Do you think that is 
the future, where we own our identity by customizing our own 
information within the token?
    Mr. Grant. There is a lot of focus these days on how you 
can allow people to only reveal certain things about themselves 
without revealing everything, and I think there are some great 
models that are in place these days that will give people very 
granular choices about what they share about themselves online.
    When we talk about the privacy debate in this country--and 
it is getting a lot of attention on the Hill--so much of it is 
tied to identity. What information is collected on me? What do 
I want to be collected? Why do I want these companies to know 
these four things but not these seven things?
    So, having a really strong tool that you can use to manage 
that and in some cases go back and maybe revoke certain things, 
I think is going to be a key enabler here.
    Mr. Riggleman. Thank you so much. It was already 5 minutes 
and 30 seconds. So, I do apologize for how quick that was. But 
thank you so much. You guys are fantastic. I appreciate it.
    Chairman Foster. Thank you.
    And without objection, the ranking member and I will each 
have an additional 5 minutes for questions and closing 
statements.
    So with that, I would like to recognize Mr. Hill.
    Mr. Hill. Thank you again, Dr. Foster, for holding this 
hearing. And, again, I think we have heard a good discussion 
and the panel has been very appreciated.
    I wanted to go back, Mr. Grant, and just kind of finish our 
conversation about the California proposed statute. And I may 
broaden that to the panel as well to compare, as you said, a 
rushed law, a set of parameters with the more thoughtful 
approach the EU took and just have a compare and contrast.
    The Wall Street Journal last week reported that private 
businesses could face a half a billion dollar compliance burden 
trying to comply with the California law. So, talk about that.
    And then finish your thought I think you were trying to 
make on it was rushed, you have some concerns, you outlined a 
couple. But did you have something else you wanted to finish up 
on, on that?
    Mr. Grant. The main point I was making, from what I could 
tell with California, it might be a drafting error. And there 
have actually been some proposals to try and clarify that.
    Mr. Hill. This is the information to be used for fraud 
investigation, better customer service?
    Mr. Grant. Right. The backdrop on this is that identity 
analytic solutions, many of them that are using AI, are one of 
the most powerful tools that we have today to actually prevent 
fraud.
    So just to give you a number on that, Microsoft started 
talking about this publicly. So in Azure they manage billions 
of log-ins a day.
    Two years ago, they were seeing about 10 million attacks a 
day. A year ago they were seeing 100 million attacks a day. 
This year, they are seeing 300 million attacks a day, trying to 
compromise log-in systems to get in and do all sorts of bad 
things. That is a 30 times increase in 2 years.
    The way that they are actually combating this is with 
database analytic systems, some of which might be collecting 
things that would fall under the definition of personal data 
under GDPR or CCPA or other proposals.
    So long as you have a carve-out that says that is okay if 
you are worried about security and fraud protection, you just 
can't take that data and use it someplace else, we are good. In 
fact, in Europe, because GDPR is clear on this, the European 
Banking Authority is actually actively promoting the use of 
what they call transaction risk analysis to secure payments 
under the PSD 2 directive over there for open banking.
    So I think the concern here is if it is more ambiguous, or 
certainly if we are concerned that Federal privacy legislation 
that doesn't say it as clearly, if 2 percent of people start 
calling up Microsoft, to give the example I suggested, and say, 
don't use those systems, turn that off, what are they supposed 
to do at a time when attacks might go up another 10 times next 
year? That is my concern.
    Mr. Hill. Very helpful. And you mentioned open banking in 
the U.K. for example, and Canada as well. So I might ask Mr. 
Boysen this.
    First of all, does anybody else want to add to that comment 
on California? Anybody have a comment on California?
    Okay. Mr. Boysen, on the privacy directives in Europe and 
what you have done in Canada, have Europe and the U.K., to your 
knowledge, solved this password authentication process in order 
to make open banking be a safe activity? Because clearly here 
that would be an open question I would think about open 
banking.
    Mr. Boysen. Yes, open banking is a singular term, but the 
way it manifests in each country turns out to be a little 
different. In some countries, it is compulsory. In other 
countries, it is optional. In some places, it includes the 
ability to do push payments. In others, it doesn't. So, it is 
not a uniform application of how it works.
    What I will say, however, is one of the fears of open 
banking is it is going to cause asset stripping. What is going 
to happen is the banks are forced to open up their APIs and 
give out the data at no cost, and then the consumer is going to 
give this to some new startup who doesn't have the same control 
as the bank does. That FinTech is going to get breached. And 
then, the consumer is going to come back to the bank and say, 
``How did you let this happen?''
    So rather than giving away the data, what we should give 
away is trusted data so consumers can give it away at a 
granular level, rather than giving it all. So that is kind of 
the approach that we are looking at in Canada.
    It's interesting that in Australia, they took the approach 
that it is reciprocal. If you are going to participate in open 
banking, if you want to be able to get data from the network, 
you also have to agree in advance to share data back with the 
network. And that solves part of the asset stripping issue that 
is in some other jurisdictions.
    Mr. Hill. I think I am interested in what we need to do 
regulatorily, again, limiting our conversation here to 
financial services, about how we handle this requirement of an 
API approach and a discrete approach, instead of just allowing 
scraping.
    I hear from start-up entrepreneurs in the FinTech 
environment: ``Well, you are disturbing the customer experience 
by doing that.'' But I would argue that customers' experiences 
get really messed up when everything is stolen from them. So, 
that is not a good idea, either.
    Is there something specific one of our regulatory agencies 
could do in this area?
    Mr. Boysen. I would submit that you can't do open banking 
without a good digital identity infrastructure; it just can't 
be done.
    This is the problem. I am the consumer, you are the bank 
that is trying to represent me, and Jeremy is the startup that 
wants my data. How is Jeremy supposed to present to you that he 
has my permission to get my data?
    So, you have this three-way triangle of authentication 
trying to go on and it is very complex and the consumer is 
never going to get it.
    The only way to solve this is by allowing the consumer to 
have a digital identity infrastructure, and then see line by 
line, what is going to go.
    Mr. Hill. Thank you very much.
    And I yield to you, Mr. Chairman. Thank you.
    Chairman Foster. Thank you.
    That business of this three-way conversation is 
fascinating, for which I think there are technological 
solutions with a properly designed app on your cell phone. So I 
think that probably the future of this is not an identity 
dongle but probably an advanced cell phone that has things like 
the secure enclave on an iPhone which can store the private 
keys and is resistant, it is my impression, even against having 
your cell phone completely hacked, that you may be able to 
capture the screen and see passwords being transmitted but you 
cannot actually steal from the secure enclave in these, the 
private key, which is a tremendous advantage of that approach, 
and that you can still have this three-way conversation under 
the control of a properly designed app. So, I think there has 
been, I believe, great progress there.
    Now, as it relates to the use of blockchain, one of the 
great advantages of blockchain is it provides a non-falsifiable 
ledger. Is there a solution in that context to developing, say, 
a witness protection program which is essentially government-
sponsored synthetic identity fraud? Is that something that 
people have thought about and come up with solutions to?
    Mr. Boysen. I don't have a great answer here. I will say 
one of the challenges that what we are getting with these 
longitudinal records is that you can't go back in time and 
insert a person for the purposes of witness protection. It is 
very difficult to do. So, you are going to have to find some other 
method to bring that identity along.
    Chairman Foster. If it is a publicly visible blockchain--
    Mr. Boysen. Ours is not. Ours is a private blockchain. So, 
there is that protection. But still, going back and altering 
the records in the past is hard.
    What the government could do perhaps is have a set of 
identities on standby to use for the future so they have the 
longevity that would be required to pass the muster, but that 
has its own pitfalls.
    Chairman Foster. That is tough because this has to pass all 
sorts of secondary verifications but it is really--anyway, you 
should put that on your to-do list when we come up with the 
perfect example here.
    Now, it also seems to me that to come up with the ultimate 
solution here, there has to be a role of government, almost 
certainly government. At some point in your life you have to go 
and authenticate yourself and be uniquely identified using 
biometrics. At that point you can then be issued a security 
dongle or the cell phone equivalent of one that you can use for 
many, many purposes in very streamlined and low-friction 
transactions.
    Is there any logical alternative other than having every 
citizen who wants this to be able to authenticate themselves 
securely, knowing that there is not synthetic identity fraud or 
other people using their credentials and the alternative to 
having them present themselves in front of a trusted government 
authority?
    Mr. Boysen. I would say we need to learn from payment 
systems when we try to do identity. David Birch has this famous 
phrase that identity is the new money, and comparing identity 
to money, there are a lot of things we can learn.
    When you look at the global payment system with EMV cards, 
we have six billion cards in circulation and they have never 
been compromised. What is good about this model is you can have 
your favorite bank and I can have my favorite bank and we can 
go to any merchant on the planet with no prior relationship and 
get what we want.
    More importantly, when we lose the card, we call the bank 
right away because we are terrified we are going to be 
responsible for the results if we don't. So, that integrity is 
what makes the process work.
    In payment systems, these three things make the global 
payment system work. The first thing is we made it super simple 
for the consumer and we hid the complexity away so they don't 
have to understand anything. We don't have to train users how 
to use credit cards.
    Thing number two is we have a trusted network operator. 
Crooks can't pop up in the middle and say, ``Hey, I am a crook. 
I take Visa.'' Right? You have to apply to get in the network, 
and you have to behave well to stay in the network.
    The third most important thing that keeps the global 
payment system safe is user behavior. When I look at my wallet 
and see my card is gone, I am going to be on DEFCON 5, I am 
going to run down to the bank to turn the thing off, because I 
am terrified I am going to be responsible.
    Chairman Foster. Yes. I think Ms. Walraven would feel--
well, I don't want to put words in your mouth. But this system 
is not perfect that he just described. Synthetic identity fraud 
can still permeate such a system.
    Ms. Walraven. Agreed, I think, but I think that is when it 
comes down to understanding, knowing your real customer, 
because we do have controls in place that are supposed to do 
that, and we all assume that banks know who their customers 
are, and I know, coming from the banking industry, that 
everybody is trying to do that.
    But considering the fact that synthetics are as prolific as 
they are, considering that they are as widespread as they are, 
considering that they are growing in a force multiplier, I 
would contend that they don't actually know their customer.
    So I feel like if you have an issue that is not right at 
the root and then you compound on top of that, you actually 
just make the issue later worse because you get this false 
sense of trust, you get this false sense of security, and it 
doesn't allow you to actually really be able to contend with 
those types of individuals.
    And that actually bodes to exactly what they are looking 
for. They want to be seen as a regular, traditional customer. 
They don't want to send that many red flags because they don't 
want to get caught. They want to be able to continue to 
navigate through the system, and currently they are navigating 
pretty well unfettered for the most part.
    Chairman Foster. But if you think of the example that Mr. 
Loudermilk gave of the identical twins with identical names, 
they differ only in their fingerprints. So at some point in 
their lives, it seems like they have to present themselves to 
some organization, almost certainly a government, who has to go 
and look and de-dupe all the people who claim to have that 
name.
    I think there is no alternative to very advanced biometrics 
of some kind. And this can be an optional system, but if you 
are going to provide citizens who want one with a secure means 
of authenticating themselves, you have to have this moment in 
their lives.
    Mr. Grant, do you have any comments on that?
    Mr. Grant. Yes. I would say biometrics can play a role. I 
worry about saying they are the solution. In part, I tend to 
get very nervous when we talk about creating new central 
databases and biometrics, in part, because if there is one 
thing we have learned, it is that like any other type of 
valuable data, we are not really good at protecting them.
    And Exhibit A for that was the OPM breach of 2015, where I 
have a top secret clearance, and all of that information from 
my SF-86 and the images of my fingerprints are now in China--
and I think at least two-thirds of this room probably has the 
same thing, understanding who is here today--which means that I 
would never want to use a centrally matched fingerprint system 
online where they didn't know I was there to protect anything 
of value because a nation-state can spoof a fingerprint based 
off those images.
    That said, there are some really helpful tools. Most DMVs 
are using face recognition for de-duping. So if I were to go in 
as Jeremy Grant to the DMV, and then show up 3 months later 
under a different name, they are able to say, ``Oh, it looks 
like you were here before, let's at least''--and, mind you, the 
face recognition is not perfect, but they can toss that to a 
fraud investigator to figure out if they should issue a second 
credential.
    Leveraging that process, I think is really important. One 
of the things we point out in our policy blueprint is that the 
driver's license is the one thing that most Americans get in 
their lifetime where they have a robust in-person identity-
proofing process. That is really valuable, and we think people 
should be able to reuse it. The DMVs will play a role.
    But I will flag that only 87 percent of adults have a 
driver's license. And in fact, one thing we are seeing these 
days is that it is harder to get one thanks to things like the 
REAL ID Act from 2005 which, on one hand, look, there were good 
security reasons for it and it has put a very robust Federal 
standard in place for in-person identity proofing.
    The flip side is, if you are on the margins of society, 
let's say you have been in and out of homelessness, let's say 
you were evicted and your license and your birth certificate 
and your Social Security card were left in a box by the side of 
the road that was soaked in rain and lost, it is really hard 
for people to restart their identity lives again because they 
are just lacking what they used to have, to the point that we 
are seeing in many places--in fact, in D.C., there are a couple 
of churches, like the ID Ministry at the Foundry United 
Methodist Church up the street, that work with people.
    Chairman Foster. I am afraid I am going to have to gavel 
myself; my time is up. Votes have been called.
    Without objection, I would like the report from the Better 
Identity Coalition to be included in the record.
    Without objection, it is so ordered.
    And I just want to thank the witnesses for their testimony. 
This is, I think, at the root of so many problems that we have, 
that we are going to be facing.
    The Chair notes that some Members may have additional 
questions for this panel, which they may wish to submit in 
writing. Without objection, the hearing record will remain open 
for 5 legislative days for Members to submit written questions 
to these witnesses and to place their responses in the record. 
Also, without objection, Members will have 5 legislative days 
to submit extraneous materials to the Chair for inclusion in 
the record.
    Thank you again. The hearing is now adjourned.
    [Whereupon, at 10:56 a.m., the hearing was adjourned.]

                            A P P E N D I X



                           September 12, 2019
                           