Capital One: Trust, Identity and Authentication in Digital Banking

Identifying internet users is a problem as old as email. For banks verifying high-value money transfers, it’s a major issue that must be confronted every day, around the clock, and stakes are high for both the customer and the institution. At Money20/20 in Las Vegas earlier this month, CCG Catalyst‘s Director of Communications Philip Ryan spoke with Capital One’s Managing Vice President of Consumer Identity, Andrew Nash, shorty before Nash went on stage with Dave Birch of Consult Hyperion. The talk covers the newest forms of authentication, which technologies hold the most promise for identity in the future, and much more.

Read the full transcript here:

Phillip Ryan [00:00:01] Hello and welcome to another episode of Bank FinTech Fusion. This is Phillip Ryan, Director of Communications at CCG Catalyst. I’m here at Money 20/20 in Las Vegas, and I got the chance to catch up with Andrew Nash, who manages identity services at Capital One shortly before his fireside chat with Dave Birch. And we got to talk about a lot of issues around authentication and identity in the digital world. Welcome, Andrew.


Andrew Nash [00:00:31] Thanks. It’s great to be here.


Phillip Ryan [00:00:32] So what first drew you to financial services? You can learn anything in the world, and yet here you are in financial services. Was there something, a particular problem you wanted to solve or what was the attraction?


Andrew Nash [00:00:42] You know, I wish they’d let me know I could have done anything at all because, like, I maybe there would have been a different answer. But seriously, the identity space, depending on what part of the problem you want to go solve, if you’re interested in the problem of how do you do something that’s significant and useful for consumers in the identity space and you want to deal with information trust at some level, the really only kind of three verticals that make sense there, the like something like insurance, something like mobile operators. But the one that our research shows that comes out on top in terms of trusted expectations is the financial services. So people feel comfortable that banks are managing their money and that they will do a good job with their information as well.


Phillip Ryan [00:01:29] What is the greatest lesson that you’ve learned in your career? And tell us a bit about your journey through the financial services space.


Andrew Nash [00:01:37] Originally, I was engaged doing a bunch of work in the security space, working for our State’s Security, did a bunch of start ups at various times I’ve been in and out of large companies. I ran identity services at PayPal and at Google, then did a couple more start ups and then ended up at Capital One in all of that. It turns out that the most interesting discovery is that what you really have to do is identify the simplest problem that you can actually deal with and then go and solve it and build on it. So the version of this I sometimes use that most people probably won’t get anymore more is that we used to have these enormous directory structures based around X500, which like we’ll have the one global directory that will solve all problems. And we spent years working on it. And then we ended up with a different kind of directory structure called [00:02:33]Elapp, [0.0s] which was like, hey, you build out a small directory and then somebody else builds out one and you connect them and then you get select share information. And that stuff worked. So starting small, doing something useful and then building it out, as opposed to spending 10 years on an architecture that never gets utilized. Life’s too short. You know, it’s like I’d rather actually and you learn so much if you go in for the large scale architecture, the challenges that invariably it turns out that there was a bunch of stuff you didn’t understand at the beginning. And so the quicker you can get down to cases, the quicker you come to understand what are the real challenges and problems and maybe are some better solutions.


Phillip Ryan [00:03:13] Of course, Steve Jobs said simplicity is difficult, right? So simple problems often have complicated, complicated solutions.


Andrew Nash [00:03:21] Yeah, I totally agree. One of my favorite statements is actually from John Adams, the President originally, who said if I’d had more time, I would have written less.


Phillip Ryan [00:03:33] So what is the greatest challenge that you’re facing right now at Capital One in identity services?


Andrew Nash [00:03:39] You know, I think the greatest challenge actually is that the world is moving really, really fast. There are a lot of if you look over the last two years, the set of new technologies and new engagements that have occurred over that time, the number of players that are trying to create various types of ecosystems, the biggest challenge is actually trying to run fast enough to actually ensure that we are engaging in the right set of technologies and coming up with the set of answers that’s future proofed and makes sense in that whole space. And literally the complexity level is so high. There are so many divergent ways that you could actually handle a set of the problems in the identity space at the moment. Working out which of them might be successful is what gets to places, I think biggest challenge.


Phillip Ryan [00:04:32] So Capital One is a bit of a startup itself in the banking world being just 25 or so years old and I think is a little more accustomed to working with startups than maybe some other financial institutions. But what is the key to banks and fintechs finding effective ways to work together?


Andrew Nash [00:04:51] That’s a really good question. You know, I’ve done a lot of start ups over time, you know, the one adjective I would apply to start ups is scrapie. You know, there’s this sense of you like you do whatever it takes to get things done as quickly as possible. And often the challenge between fintechs and larger banks is impedance matching notes like these timeframes at which you need to move your start up. You know, every week that someone delays signing an agreement with you, like just puts you in like extreme conditions from a runway perspective. A lot of the challenges around impedance matching. But I think the other challenge for both banks and fintechs is trying to come together from a trust perspective. So banks are highly regulated, as we all know, fintechs are scrapie and like are looking for ways to break all the rules, to connect the two of them. The challenge is how do we do the impedance matching in a way that allows us to have the banks feel more comfortable within their regulatory constraints to try some different things. And then the fintechs understanding that the solutions they’re providing, if they want to interact with large scale banks, have to actually fit into that regulatory space at some point. And so you just can’t burn the world down from fintech perspective if you’re going to work with banks because, you know, the regulation will catch up with you. You know, sometimes I think it is a maturity question, which like understanding that maybe there some trade offs that we can make in various ways that would allow the solutions to be more tractable for things. So I think that’s the kind of area that I would look to.


Phillip Ryan [00:06:35] It does seem that the regulators are a little more open to bank fintech relationship. Just the FDIC was here at Money20/20 where we are and the O.S.S. and there they’re saying positive things about it. So that’s something right.


Andrew Nash [00:06:51] I totally agree. It’s know banking is like this enormously old set of institutions. And still, though, from a financial fintech perspective, just the speed is so different. The rate at which you want to affect change just creates interesting challenges. But I agree. I think that we’re seeing good movement. So that’s encouraging.


Phillip Ryan [00:07:14] So say you’re a banker, say you’re a startup and you’ve decided to work with the other guy. So you can wear whichever hat you like because you’ve been in both what a success look like for a bank fintech collaboration.


Andrew Nash [00:07:26] Kind of depends on the lens that you place on it. Obviously, there are technology answers in that space. The one that I know that I like a lot is and we see a lot more in places like the UK where fintech is in some respects have gotten a lot more traction than they have in us. The user experience engagement like the models that they have that are creating useful solutions for consumers. That whole user experience kind of aspect, I think is one of the great values that fintechs can bring in. It’s like how to think about a different model that is going to be useful to your consumer. Looking at how to integrate that into the banking context, I think creates really great potential for success.


Phillip Ryan [00:08:13] Which currently developing technology do you see having the greatest potential benefit for financial services? Obviously we hear a lot about AI here at Money20/20. There’s quantum computing, block chain, all these sorts of things. What is the one that you really have your eye on as making a difference?


Andrew Nash [00:08:29] Well, by definition, I’m highly prejudiced and single minded in this whole space. It’s frankly its identity. And the reason is that. So call out, shout out to David Burch. You know, “Identity is the New Money” is the book that he wrote a few years back. The information that we have to share is in many respects, creating an opportunity for new types of payment mechanisms to be created. And they are divorced from physical mechanisms like cards or accounts or checkbooks and part of our life interaction as individuals with identity payments and what we have in terms of financial transactions, just like one of the sets of attributes associated with us. So in many respects, as we move into a digital world, the enabler for all of this really is not just identity, but the verified information techniques and sharing, particularly as we’re moving into a world which allows us to ensure that consumers have better control over that. That’s me, I think is one of the most exciting things. A lot of the other things you reference are technology kinds of things, and they’re all useful. But I don’t know that they are necessarily going to be as ground changing as some of identity options.


Phillip Ryan [00:09:53] So some industry experts have said that financial institutions may have a role to play in managing identity, I could point to Chris Skinner, I guess, in this regard, is Capital One confirm a way to do this?


Andrew Nash [00:10:05] Yeah, absolutely. That’s a large chunk of the reason that I am actually working with Capital One is that there is this enormous potential to and I hesitate to use the word manage identities because this is kind of paternalistic kind of aspect of that. In some sense, it’s more helping people facilitate their own information and their own interactions. And that I think financial services have a great potential for in many cases in the identity space. We have this view where we talk about high assurance kinds of aspects to the way that we do with identity. The financial institutions have been living under a set of regulated requirements that mean that they’re actually really good at petitioning the way that identity information is used. There is a high degree of care and frankly, a high degree of regulation that looks to ensure that financial institutions do, in fact, deal effectively with the expectations of consumers around whether information gets used. So financial institutions are kind of a natural fit to do this. And Capital One, as you said, is very much kind of, you know, the kind of the start up guy, at least on the banking credit kind of space. So it’s kind of a natural fit.


Phillip Ryan [00:11:25] I remember Capital One, too, was those nine dots that you logged in on mobile. I remember no one else was doing something that that was a very creative use. So I’ve heard about this concept of decentralized identity. Is this something you think banks can take part in?


Andrew Nash [00:11:43] Yeah, this is the one that will get me in trouble. And the reason is that my wife is actually works for Microsoft and in fact, one of the smartest people in the identity space. And she is driving a bunch of the decentralized identity stuff for Microsoft. So we have this conversation on a regular basis, like, well, is this going to be useful? Where is it going to be useful? And the answer you asked very specific question, which is it going to be useful to banks? And I think that’s the right way to frame it. Decentralized identity fundamentally is the concept that you or I get to create our own identity. And then we exchange some set of cryptographic information which allows other people to be able to recognize us when we move around the Web. If you’re in a low assurance environment, that stuff works reasonably well, there’s a lot of conversation in both the decentralized identity space and also in the world of SSI about trust frameworks, the challenges that way that the technologists in those spaces think about trust is very much like a cryptographic level of trust. And strictly it’s more like cryptographic agreements, like you have set of keys that I can recognize when you look at what a financial institution requires in terms of the trust level, that I have to have to know that it’s actually you and like the right outcomes are going to occur, not only fraud, but to ensure that we do the right things with your information and finances. There’s a huge gap at the moment between the cryptographic level of trust that we talk about in that space and the regulated governed trust frameworks that we actually need to have in not only financial services, but insurance and a bunch of other those regulated environments, decentralized identity of all of the current technologies I have the most hope for. But it’s got a fairly long way to go to actually deal with those trust connections in a way that would certainly let the financial institutions leverage effectively.


Phillip Ryan [00:13:49] Final question. In the Expo Hall, walking around, I couldn’t help but notice there seemed to be a lot of identity solutions. I don’t know if you’ve had a similar impression. How do you view this coming from a bank? Obviously, all these guys would be so excited to talk to you. How do you approach this, all these startups out there that are starting to take this on?


Andrew Nash [00:14:09] You know, being a startup guy, I love to encourage startups in this space. One of the I guess one of the conclusions you reach after you’ve been around the traps a few times is you realize that often folks that come into this space have kind of a simplistic view of what identity is all about. And so getting from the, you know, what’s often a core of really useful capabilities and technology into a space where you can deal with what’s really a fairly complex and quite subtle set of interactions in the identity space, this is a real challenge. And so you see, for example, biometrics companies that are doing a great job around, you know, recognition of various, you know, personal characteristics in one way or another. But you hear this conversation, which is, oh, I’m a biometrics authentication service and I do identity. And it’s like it’s a valid part of the, you know, the space. But it’s not actually a complete answer. There’s a lot of other parts. The big challenge for startups is being able to form effectively the partnerships that allow them to fit their piece into the rest of the puzzle. And kind of like I was talking about before, which is, you know, finding the minimal set that you can be really effective at, having startups bounds the expectations about what they’re actually going to be able to solve. So instead of like, I will solve all world hunger associated with identity, being really specific about the part that you really can do and being really clear about it is incredibly helpful because it allows you to work out. All right. Well, I can fit this piece in here. And then if I can get it to interact with these other five pieces, then now we really have a solution that might do something. The challenge as an entrepreneur is always that you’re busily casting a vision for where the world is going to be. And invariably you end up overselling the concept and the capabilities, being able to pull back and understand and literally say, hey, this is how far we can get and we think we can do a really good job at that. And here’s how you get the rest of the way that takes kind of a mature entrepreneur to be able to do.


Phillip Ryan [00:16:29] Yeah, because your investors saying how are you going to be a billion dollar business if you’re just one of these pieces of the puzzle?


Andrew Nash [00:16:34] That’s exactly the driver. You know, as soon as you deal with VCs, there’s this question of so, you know, you know, prove to me you’re going to give me my, you know, 25X return in the next three years or whatever. It’s you know, it’s a challenge. That’s a pressure we all face. And, you know, once I had a CEO at a startup that I was at who made the comment once that buying from a startup is fundamentally an irrational decision. And so your goal as a startup is to help people, like, make that irrational jump in order to, like, buy your stuff. And so you’re into this, like, mode of trying to create a vision for where you can get to. You just have to learn how to temperate in a way. And what my own experience in startups is the fastest way I establish trust with the clients that we had was to literally say, you know, hey, here’s what we can get you to. And like, we’re going to go further. But this is the reality. It just develops a level of trust that actually gets your way further than you might expect.


Phillip Ryan [00:17:35] Andrew, thank you so much. It’s been a pleasure. And I hope you enjoy the rest of Money20/20.


Andrew Nash [00:17:39] Thank you. It’s been great to share with you.

Subscribe to CCG Insights.