vimarsana.com

[Background sounds] The task force will now come to order. The chair is authorized to declare recess of the committee any time that went out objection. There authorized to participate inconsistent we put the practice. Challenges and opportunities. The chair will now recognize himself performance for an opening statement.
Thank you everyone for joining us today for what should be a very interesting hearing on the task force to explain the dangerous threat of Identity Theft. AI is making it easier. How we can safeguard one of the most important things to have in our Digital Economy. That is our identities. Identity fraud is the usually important problem. In 2018 alone, almost 15 billion is estimated to have been stolen from U.S. consumers online. If this doesn't include the more indirect future cost of having a compromise identity. Today criminals have lots of tools. They get sensitive Consumer Financial data, and there is a complicated situation that a member of Congress Buys himself and that we get free things like the one we just saw from his well-written, where you go through just how massive the problem is. The techniques that are available and we realize that mentioning them in public it's not a wise thing to do. So this puts us in a tough situation. But I urge all of my members on the committee here and the other staff who is interested to get those briefings from members who are testifying today. It's used to generate fake instructions of what an employee thought was his boss to move somewhere it should not even move. So that attack is going to accelerate as the Technology Gets more advanced and were deployed. And the stakes in this are enormous, a name, address and Social Security number, criminals use stolen identity, critical numbers, bank account numbers, obtain fraudulent IRS and refund, the list goes on and on.
Financial services is at the front lines, et cetera front line of all malware attack, its hit banks and other Financial Services organizations which is more than any other industry. In addition to the billions of dollars that millions and they also spent on customer complaints. With large institutions putting 500 million annually. Artificial intelligence is only enhancing cyber criminals, and AI can be used more quickly to find vulnerabilities in the bank software, it can be used to impersonate or phase in a phishing scam. It can be used for synthetic Identity Fraud, criminals make up fake online identities. And from lots of different people, along with Social Security number. They can buy very cheaply off the dark web or the non-dark web. These fake identities, the criminals can use them to open new Bank Accounts in the synthetic identity more real. In the common practice is recently have a massive loan you never repay and buy a car, this sort of scam happens using these synthetic identities. There's a number of things we can do, I was very impressed by the roadmap produced by Jeremy Grant to achieve his organization, better identity. Org. So some but he only has one to read, that is one personally involved and most useful. It provides a roadmap for what government can do to help. I think government has a unique role in provisioning the ID and they should take responsibility for maintaining a valid list of our citizens. I think there's been a lot of emotion, both by government and emotion in terms of the Public Perception of what to do here. So, this is one of the reasons why I'm really eager to hear more from the witnesses in this hearing. And in light of the fact that we're unlikely to have a large amount of time because of folks may be intervening. I'll turn it over to my colleague and Representative Hill.
Thank you Mr. Chairman for convening the hearing today as part of our task force on Artificial Intelligence. This is a topic you particularly care deeply about.
I'm very interested in learning how our identity system can be modernized in such a way that protects the privacy and personal information of all of her citizens and I look forward to hearing from the panel today. We anticipate a Digital World of where we're distributing Financial Services, products digitally through banks and nonbanks across the country, obviously whether a mobile app or through the internet, through the web. This issue of authenticating that you are doing business with and they in turn are just granting you the Financial Services Company Access to the information for a particular purpose, all of this relates to how we identify people and how we authenticate people in the space and of course we've had Gramm for many years now and a lot of people who are not banks are not covered by Gramm-Leach and so this issue on how do we improve that and offer innovation is so important. If we think about a Digital World, you cannot really have a completely digital processed in 50 states in this country or internationally if you do not have not only the Cyber Protection that we are talking about in terms of the data being protected, but also the authentication process. So the individual user's identity. So that's why I think this hearing is so important to the work that we're doing in the task force and it's so important for private sector players and by our regulators on how we enhance the robustness of identity, how we do it and how we authenticate people in a more effective way. And moved way beyond the username and password that has spent the last 20 years of repeating our pets' names and 123, et cetera. As a way to get into systems as helpful as maybe an app or as important as reviewing Financial Lives online.
Also the issue of data breach is critical, and here the federal government does not have a better track record than the publicly private sector, we been in this committee, I've been here for an half years and we spent a lot of hours talking about the incompetence of the federal government of protecting people's privacy and our data. Obviously this is a key issue for the public and the private sector. Financial companies fostered notice victor more to this kind of attack. Three times more frequently than nonfinancial businesses. Obviously for the admonition that that is where the money is but also if you're an actor, that's where the destruction is a very vulnerable point in the western world. Advances in technology such as Artificial Intelligence and Machine Learning is becoming increasingly easier to mitigate that kind of fraud. We must be vigilant as policymakers to ensure that all our Sensitive Information remains private. I look forward to hearing from the witnesses help us understand the issues and what we might consider legislatively to improve this process and I look forward to the discussion. Without and back.
I would like to now yield a moment to Mr. Mckendre.
In combating Identity Fraud, only a few months ago where the world's biggest Bank Executives the same panel you're on, and the cybersecurity has achieved threats of the Financial System, not growth the home, and not the slowdown in China, but cybersecurity. What I appreciate about this panel. We begin with a bipartisan challenge, a challenge that we can seek bipartisan solutions. For enduring congress. And you thinking innovative approach to the really cumbersome dumb passwords like username situations that we're currently in and the new type of thinking that is occurring in the private sector but to ensure the policymakers keep pace with what is happening and further enable and move this along much faster. They get so much and I look forward to testimony.
Today we welcome the testimony of and Washington. And managing director of the security. Jeremy Grant, coordinator of the better correlation. In the president and founder of Turnkey Risk Solutions, and Andrew Wiseman, secure technology is, witnesses are reminded that your testimony will be limited to five minutes and without objection your written statements will be part of the record. Ms. Washington you are recognized for five minutes.
Chairman Foster, Ranking Member Hill and the member of the intelligence, I'm grateful for this opportunity to speak. Before he became a professor its been eight years in Financial Services in addition to many years working in support of this chamber. My name is Ms. Washington, why did he get my name? I gave you my name because it's an identifier. In digital Financial Services rest on its ability to guess that you are you through identifiers like your name. Artificial intelligence goes further by taking actions based on a presumed identity. Those actions have serious consequences. Today I will explain why identity is important, why A.I. makes mistakes because are inevitable and what we might do about it. Consider a firm with an antisystem works 99% of the time. That is great, but actually in a business of 10 million people, that means it failed on 100,000 people. 100,000 people who cannot get credit in an emergency, 100,000 families who cannot get Home Mortgage and build wealth, 100,000 entrepreneurs who cannot get a start at a small business. My example is those individuals and thus not forget owner operators who are individuals with their own business seek even greater financial risk. Much of the Data Technology today was for marketing purposes so if I get a wrong coupon or ad, it's cute and momentary curiosity. Financial services stakes are higher, a digital mistake is detrimental and ongoing. A few items from the news. Jennifer Noris of Boston routinely was in danger of losing her job of unknown bill lee of an identity.
A teacher in Maryland had to give up her livelihood because continuous recertification. This New York novelist, all of her daily walls, and author, a parent, a friend she sees herself as a New York driver. The next slide shows us how they can see her. She's just the information on the slide a name and a birthday. Someone else in New York has the exact same name in the exact same birthday. So they have no recourse to resolve the confusion. No organization can fathom the likelihood of this coincidence. A data double is how this is called. That is somebody who has identifiers but it is not you. I'm a Computer Scientist with a degree in business, I'll tell you that I think this stuff works and I can tell you there's little financial incentive to fix these mistakes. Mistakes will happen. It's mathematically certain. You could go to the final slide. What are the chances that you will meet somebody with the same birthday, is really high. It only takes 23 people in the same room, probably the member of this committee and your staff, there are two people who have the same birthday. If you go up to 75 people, I don't think we have that many people, is 99.9% certain. Coincidences are not as rare as we perceive them to be. What can be done? Artificial intelligent identifiers are for a global audience need to scale. Yet respect naming practices that come from different traditions in different cultural traditions. Or even online characters. Finally I will argue that we need a way to get feedback back into Identity Theft. As a technologist, I want to know how I can improve and incrementally make the systems better. It can also help lead toward procedures and exceptions. One example is the system in Michigan which out recourse. It's one example of the way the airy systems have a feedback mechanism. Now I argue that the authority of Human Experience must balance the authority of data, why? Because staff happen. And experience matters.
Each of you has someone in your District Office who does casework, why is that? That's a recognition that the institution sometimes secures the needs of individuals. What will be the resolution process for identities to dispute Artificial Intelligence?
You are now recognized for five minutes to present your testimony.
Chairman Foster, Ranking Member Hill and members of the task force, my name is Valerie and I lead a secured practice for this Financial Services clients. Thank you for the opportunity to join here today. I come in for holding a hearing to explore the importance of Digital Identity in the intersection with Artificial Intelligence. Innovation in Digital Identity and Access Management is incredibly important to cybersecurity. Enhancing privacy and to ensure trust and Financial Transactions. We live in a digitally connected world where customers demand for efficient and accurate transactions continue to increase. From taking out a loan or paying my child's babysitter, most of these happen online. In keeping these transactions is trust. Trust that the individual conduct Business Online is who they say they are. However, the information we use to validate identities is widely available to dark web forums and social media postings making us more vulnerable for phishing campaigns. Simply put, identifying yourself online with passwords, usernames and security questions is no longer working. We would like to draw the members' attention to the slide on the screen that list five Global Threats to Financial Services that's outlined in a recent report republished. Credential and Identity Theft is first. It's at the root of almost every breach. Not only are cyber criminals really good at fooling people to gain access into enterprises, once they're inside the networks, they compromise other access credentials movie dropped the company, learning how they operate and gaining access to privileged data and systems.
I would like to call the access inside a system the machine middle. One of the best-known examples is the 2016 cyber heist from the Bangladesh Central Bank where they stole 81 million. That was more than three years ago and hackers are building new capabilities to commit attacks in ways we have not thought of yet. This is why we must use innovation, including A.I. Attacks liberty tax will remain possible until we fundamentally change the Way Enterprises manage employee and customer access and how they detect and respond at machine speed with a sense that something is amiss. Today we can use A.I. to enable Financial Institutions to have more accurate picture of employee access across an enterprise. Through these tools managers can make better decisions of access to a system into the data in real time. Thus managing the machine middle. On the customer facing side, leading organizations are leveraging biometrics, A.I. behavioral-based analytics to make real-time risk-based authentication decisions to improve transactions and set limits around the transactions. In the blink of an eye, a Financial Institution can make decisions about whether a person using a mobile app are in fact the actual customer. This customer Risk Management approach is not just used in the United States and other developed countries, but also in economies with the new tools are providing secure online identity. For example, we are part of the ID2020 Alliance, it was formed to develop a reliable Digital Identity for people in developing countries so they can confidently receive Government Services and validate their identity to employers, schools and other service providers. These digital identities provide individuals with more secure over the data. Giving them the ability to decide who to show the personal information with, what to share and for how long it can be shared.
Congress is helped to benefit our nation's ability to improve Digital Identity as a cornerstone for better and more safe Online Transactions. First, Congress Needs to pass a National Privacy law. It will build Consumer Confidence and trust in the Digital Economy while enabling the private sector to gain wider adoption for secure products and services. A good starting point is a framework released by the Business Roundtable last year under the leadership of our CEO. Second, congress should have foster an environment for Digital Identity innovation that enabled the testing of new capability in their ability to scale. Third, I encourage you to ensure that any new law designed to advance Digital Identity or security and Technology Neutral and operable with other sectors. In conclusion, there is much work to be done to build Digital Identity that works or Cyber Attacks, improves privacy and ensures trust. I want to thank you again for the opportunity to discuss these issues, I look forward to your question.
Thank you. Now Mr. Grant you are recognized for five minutes.
Chairman Foster and Ranking Member Hill, thank you for the opportunity to testify today. I'm here on behalf of the better identity and organization that was launched last year focus on get together leading firms from different sectors to work with policymakers to improve the establish, protect and verify their identity when online. Members include Financial Services, technology, syntactic insecurity. 22 members are united by common recognition that the way we handle identity is broken by common desire to seek out the public and private sectors to make identity systems work better. Let me saffron, I'm grateful for this task force to call the hearing today. The way we handle identity in America impacts our security, privacy and liberty. And from an economic standpoint, as we move to high-value transactions in the Digital World, identity can be the great enabler.
Providing the foundation for Digital Transactions and online experience that is more secure, enjoyable for the user and ideally more respect for the privacy. We don't get identity rights, we enable a great set for criminals and other adversaries. 81% of Cyber Attacks are executed by taking advantage of weaker passwords. 81% is an enormous number, it means it's an anomaly today when a breach happened in identity did not provide the attack. As a passwords we seen to steal massive data sets of Americans in large part because evan e easier time copper was in the questions used in Identity Verification tools. A key takeaway for the committee to understand today, attackers have caught up with many of the first generation tools we have been using to protect, verify and authenticate identity. There's a lot of reasons for this and they will allocate but the most part question, what do government and industry do about it now? That is a key point. Government and industry, one message the task force should take away from the hearing today, industry has said they cannot solve this alone. We're at a juncture with the government and will need to step up and play a bigger role to help address critical vulnerability in the identity fabric. Last year the better identity published a blueprint which outlines key initiatives that the government should launch to improve identity that are meaningful and impact and practical to implement. A few highlights, first when talking about the future of the Social Security number, it's essential to understand the difference between the identifier, a number used to sort out which Jeremy Grant I am among all the other in the U.S. Issue no longer be used as authenticator. This means a country we stop pretending the number is a secret or the knowledge can be used to prove that someone who is they claim to be. That does not mean they be replaced as identifiers. Let's build systems that treat them like the widely available members they are today.
I've yet to see any replacement proposal around SSN that does not involve tens of billions of dollars confusing hundreds of billions of people and not giving much security benefit. Second on authentication, there's good news. Multi-stakeholder efforts like the alliance and the World Wide Web have developed standards for authentication that is being embedded in most devices, operating systems and browsers that enhance security and privacy in user experience. This is near and government complaint role in accelerating the adoption. Government will need to take a more active role in working with industries to deliver next-generation proofing solutions. This is not about a national ID and we're not recommending one be created, where you have a number of nationally recognized ID systems, driver's license, passport, SSN. Our challenge is identity gap, all the systems are stuck in the paper world while commerce is increasingly moving online. To fix this, America's paper-based system should be modernized around privacy protecting model that allows the consumer to ask a Government Agency to stan beyond in an online world by validating the information of the credential. How important, the animation on the screen from the policy blueprint demonstrates it's about creating a paradigm for Digital Identity the start to the need of the consumer. Here will start with Stacy trying to open a bank account online. She provides basic identity information, she's not there in person with a physical ID the bank does not know it if it's her or she's real person at all. Stacy will ask but hurting no, sir, the DMV to help her prove who she is she claims to be. Show launch a driver license app on her smartphone and then Touch ID that can securely lock her into the DMV to make the request. Because the app was securely issued to her phone at the time of the driver's license and she unlocked it with a biometric device, it has a chain in trust and allows them to know and its actually here make it across.
The DMV and bank have a secure connection in the DMV can validate her identity. This concept was embraced in the 2016 report on the Bipartisan Commission with a cybersecurity as well as the White House published in May. I appreciate the opportunity to testify. I've submitted a lengthier testimony for the record in a policy blueprint.
Thank you. You are now recognized for five minutes.
The threat to challenges and opportunities. The founder and president of Turnkey, and prior to starting the company, we spent 20 years in the Financial Services sector, a lot of large institutions, the last ten years I was at J.P. Morgan Chase words responsible for establishing Business Practices around identification, mitigation and remediation of various fraud threats with credit bustout, synthetic identities and credit abuse. As we consider having utilized Artificial Intelligence and Machine Learning to identify consumers, it's important that we clarify our target by gaining a comprehensive understanding of what synthetic identities are. I've been asked to provide a brief overview of the factor that contributed significantly in order to better frame the threats and challenges we are facing. For the purpose of my discussion, a synthetic identity and the basic form in the Social Security number, dam name and date of birth. Creating synthetic identity is different than traditional Identity Theft. In cases of traditional, impersonating a real person to open an account or take over an existing relationship but in cases of synthetic, criminal is using a limited amount of development of a person's identity and associates who also caand create a completelysepara. They do not want to comingle with an existing person.
Once that is created you can use it for anything, obvious the products in the Banking Service but you can create social media account, insurance products, rent an apartment, utilities, and role and benefits programs, you can basically use it for any purpose that the creator intended in whatever they controlled for. To better understand the synthetic identity it's important to understand that landscape. Technology plays a huge role. At the same time is created in amenity for the fraudster. Russell acting infrastructure that was but a long time ago to do more and more things that it was not intended without really being able to keep up with the technology in the landscape today. Consumers are a lot more educated understanding the importance of the credit. Understanding the different ways to protect their identifiers to stay away from compromising their information, that information has been put out to help consumers and been used by organized criminals in different criminal actions to understand how the infrastructure works in design to exploit those types of avenues. Regulations and new controls have done a lot to protect Identity Theft victims. They done a lot to make sure they can remediate. We seen those protections exploited leveraged in abuse by criminals. We've done a lot to make sure that we can erase and eradicate anything related to an identity thief when it comes down to action having a synthetic identity the same protection as leveraged by them. Data breaches were focused on compromising credit data and once we put the chips in the cards, the information was not as useful as a have been in the past. Now they started to move to PII, more static information, people's name Social Security numbers, date of birth. They played a major role in the synthetic identity. This was engineered to evade assisting controls while vulnerabilities in the system and beyond impacting other verticals.
Many groups are highly organized extremely sophisticated and intend to be transnational in nature. These adversaries are focused, committed and well-funded and have access to technological advances as we preview. We must be proactive in our actions, unified and defenses and more effective in application of evolving Technology Including Artificial Intelligence. As you seek to deliver unprecedented speed to increasingly mobile and Technology Consumers and businesses, we must remain vigilant and understand the threat to her interest in infrastructure. Synthetic Identity Fraud is widespread and conceivably pervasive. Amplified by increased digitalization of products and processes when you couple that with proliferation of available data, and operates across all delivery channels providing perpetrator outside access to the Financial System and federal programs make it essentially acting unified and collaborative manner for the integrity of our infrastructure. We must recognize the complexity of the next generation and be fully informed of the severity and their scope. Advances in technology cannot identify or resolve these issues. Mitigation efforts must be fluent and able to ensure the ability to address these issues with urgency they deserve. Our control framework must be updated to address it in synthetic Identity Fraud. Thank you very much. I appreciate your opportunity and look forward to any questions.
Thank you. You are now recognized for five minutes.
Chairman Foster and Ranking Member Hill and all the members of the committee, thank you for the opportunity to discuss this today. I'm the chief identity officer at the technology. I look forward to sharing our expenses and building a nationwide privacy Digital Identity for consumers that works across economy. It is a Canadian Company that the world leader in providing Technology Solutions for citizens to access high value digital services.
We focus on the intersection of the citizen, public and private sector, privacy and consent. Digital identity is not about expectations, companies, governments and other organizations have strong incentive to move transactions online for experiences an increase of integrity. An organization to do this hinges on a single question, can I trust the person or the Digital Identity at the other end of this transaction? As Jeremy said identity is broken, equally problematic for citizens and businesses. To recognize clients and provide access to Services Online get his nations deploy a mix of analog and majors to confirm medicaid risk. As we seen, these solutions tend to be complex and are not fully effective. On the other side, citizens are asked to navigate a continuously changing kaleidoscope of identification method to satisfy the onboarding needs of the organization they Seek Services from. All while we hear stories about data breach in online impersonators. There is reason to be concerned. Fraudsters are collecting information sometimes is more than they are impersonating. They're usually counterfeited and often impossible to check with issuing sources. Even biometric methods which have been presented as additional solution to digital fraud are increasingly being targeted by attackers. You cannot change biometrics, you can be tricked out of a selfie. Our collection of silence are too hard to for users to use. Is not solving the problem into expensive to be sustained. It's everyone service for itself. Consider the CEO of Twitter and Facebook, act or state and Mark Zuckerberg. They know how it works, understanding Digital Identity best practices in all the resources at the world at the fingertips and they have problems controlling and managing fraudulent access to their identities. Mr. Zuckerberg's problem was self-inflicted, Mr. Dorsey failed that he relied on way being became the victim.
If they cannot manage and be protected in the current digital landscape, how can the rest of us manage? Urging greater online vigilance has passed a point of diminishing return. It needs to be said there's no organization on the planet that can solve Digital Identity on its own. It takes the village to make it work. Each player to their strengths. Canadian models of private partnership between Financial Institutions and other trusted partners, it's a gift to get model. Governments are the foundational issuers of identity documents in the form of birth registry and documents. They also link records with a photo of a living person for driver's license in a passport, they don't know if the person is actually at the end of the digital transaction. The IRS has a found everyone in this world by hardpressed to point nus and a crowd. That's where the use KBA. This brings us to Financial Institutions for authentications for year. Compared to other organizations they really interact with government and the daily lives. They renew the driver's license and passport every five years. They will login several times per week. This increases the integrity and the transaction for banks. In our mobile devices are within reach. They have security features that are important and tied to subscriber accounts. Verified means of services by technologies that is built in open standard. Verified me was developed with Financial Institutions in Canada, the first of the kind service to solve a Digital Identity problems we talked about with greater simplicity, higher integrity, greater cost efficiency and better privacy. The information is already available, we help to solve a digital problem in Canada and developed a model we think will work around the world. Some of the leadership and collaboration partners include the global privacy and security. The U.S. Department of Homeland Security, and the Digital Identity Authentication Council of Canada.
Thank you for the opportunity to share my comments with you today.
Thank you. I will now recognize myself for five minutes for questions. Mr. Grant, one of the things that impressed me in your testimony, the bipartisan nature of the support for this. You're very involved in the Obama Administration initiative unsecure online digital ID. It appears owen be in the Current Administration is strengthening those initiatives. Could you outline the recent history of government involvement in strengthening citizens to authentic themselves online?
As you mentioned, I spent some more years in government, and the Obama Administration for the national strategy. Although I was a Civil Servant when I was there and stationed, up the road where he served as a Senior Advisor for identity management. This is never been a partisan issue and it's great to see that continuing today in the task force. Much of what the program was focused on how to catalyze a marketplace, the idea that the government's role in the things are in the U.S. should be limited but government should play a role where there may be gaps to fill. And there's a lot of good work that was done then but now flowing into the work of the Better Identity Coalition and looking to carve out an appropriate role for the government without one where there's too much role for government. As I mentioned in my written statement in my opening statement, in May, the Office of Management and Budget signed a memorandum into effect, it's about 13 pages updating a lot of the government's cybersecurity policy and tax identity. We're really excited to see that they took a key recommendation calling for agencies to create privacy enhanced APIs which would allow consumers to ask the agency validate identity about themselves either public or private sector applications. So, now that is in place, there's a good policy foundation in place for the first time in the U.S. to bring government into play more of a role for consumers and businesses.
Thank you. Ms. Washington, you both touch on your testimony and the fact that the lack of a way to authenticate yourself falls most heavily on those who are not wealthy. That one in developing countries, the real improvements in the quality of citizens of life comes from having a way to authenticate themselves improve who they are. This sounds counterintuitive, i was wondering if you can add why this is . It is interesting that what we have found, if you look at the things that the chair has said recently about how in her Public Comments about how individuals who are under banked, they use those phones to Financial Transactions. If we could establish the confidence by having the National Privacy law, i think we would go a long way to engender trust so they have certain protections through the National Privacy law in a much less complex way of understanding what the protections are while being able to use the tool in their hand. To be able to validate for Financial Transactions. Into the process would give them access to Financial Transactions in a safe and sound manner. To have anything to add . I want to say, right now without a standard way and procedure for disputing authentication issues, people who feel less powers under powerless are not going to figure out how to disputed, by default we will not have equal access to resolving disputes. This probably also a tendency for wealthy people to have a more established financial transaction record that can be used in a secondary way to make sure the person is real and so on. You have any thing to add . We also have to take into consideration that for all the things were putting in place to protect consumers, there are much easier ways to tech estat p back and go through the system, all the controls putting on for Artificial Intelligence in authentication startup different, you need to know who the person is and then go through and do the authentication. 
We need to go further up the chain and make sure that identity is actual factual and then he could build controls behind it. We need to get to the root of the issue instead of addressing the system. I think that is how we can get a much more collaborative between industry and government and i think we need to do that because the current infrastructure is doing a good job with what it can but we need to reshape and look at it from a different lens. Thank you. The gentleman from arkansas, mre minutes. Thank you, before he began, id like to ask something be submitted for the record, one area that is concerning to the industry across the country is business email compromise which is another commercial form of fraud in the regard and like to submit a letter from chairman powell as well as response he had on this issue. Without objection. This is been a really good panel, as i said were trying to collect the world we live in and prepare for the world in the future but we cannot do that without the strict privacy standard and the ability to authenticate who were doing business with. Each of you gave great opening comments and im grateful. I was pleased to hear mr. Grant, you talked a little bit about ombs issue and the one thing on this panel has heard, the dangers of data scraping and that is not the best practice in this intech world for accessing customer data. Can you reflect ombs policy impact that in the government sector . Is it a good standard for the private sector . I think the new omb policy assuming theres followup to get more agencies to start providing validation Services Online will help contribute to the challenges we have seen an open making we have different syntax the might want to scrape financial data. 
I've been really impressed by the data exchange, a group that was incubated in the fsi, Financial Services the december Security Work and they brought together banks and fintech firms to work on an API that leverages well-known standards that will allow a consumer to decide to gs rights to some of the financial data. Because identity is a control, if we are able to enhance some of the ways that we do identity verification to the API with some of the things the government can provide, we'll have more robust solutions across the board. That is very helpful. This issue of synthetic identity, can you explain that a little more? I looked at your testimony and listened. Are you suggesting people are aggregating a good cell number, address with a different name and different Social Security number without imitating the exact person, they're creating a new synthetic individual so that using all validated information? Similar. Basically a synthetic can use someone's real information, let's a Social Security number your much child, and then they will take that, add a name that is different than the real person and add a date of birth, and if they're gonna go into more the make it closer to what's more likely for them, and then put in an address they can control. Basically from there they create a completely separate and distinct identity. It's not real per se as far as it's been a real person, it's a real person doing it but not a real identity. But it functions, especially in a digital and paperless era, like a real identity. When they create that, they know their mother's maiden name, they know the user ID and password, they know the different security questions because he created them. So when you go to do the authentication afterwards, you will not catch them in the existing infrastructure that we have because those credentials are known to them. Thank you for your contributions. Mr. Grant, I read recently about the beginning of the implementation of the California statute.
And for the four and half years i was in congress, we debated privacy and data breach notification and witnessed the battle between retailers in the Financial Services industry which grows tiresome on this committee. In the desire to have 50 state solution which would be great in a Digital World if we can do that. So now california has acted, im interested in your views is a cpa positive for the consumer . Is it a decent basis in terms of definitions in their approach that they took the federal government to consider . I think well have to see how the implementation goes theres a couple things on the identity side epic concerned about. Including it took an ambiguous approach to what you can use data and Fraud Prevention. The background duty are in europe, after using data for marketing purposes, all these rules apply. If im analyzing data im able to capture with the device, thats for security or product under Fraud Prevention. In california, they took a little bit of a different approach and part mightve been because the law was written and they set a consumer cannot go to a company that has information been used for security and Fraud Prevention and asked the information be deleted, which is good. But they did not go ahead and they said you cannot go to a company and outside the information being used at all. So the concern there, even a 2 of people go to companies and tell them to turn off the Security Analytics control, some of the best tools we have two prevent things like credential attacks or other identities, itll put people at risk, consumers are risk and businesses. They give her much. Welcome back. The gentleman from north carolina. Its been a great testimony, youre an informative panel, its quite constructive and again, quite constructive for what has been as mr. Hill outlines, a rather tiresome debate between retailers and banks on who holds the bag. 
Without talking about progress or fixing the problem, they Want Congress to intervene and make the decision on who gets sued. So lets be on that and get to the solution set. I would like to hear the story of what your company is doing in canada to verify identity. In the undertaking the Union Company have had. Thank you. There has been two generations of services launched in canada, the first 202012 that we did with the government and it was designed to be safe replacement. In 2012 the problem they had, every time as a canadian i went to the Tax Authority every time i forgot the password. So the challenge was how to authenticate, they can do a password reset, the dissent secure mail to my house. Being a busy canadian, they sent me this two weeks later, i would have to come back next year end do the same thing. The cost of 40 a shot. They spent 970 million authenticating 5 million canadians. From 20122018, they will come down to 200 million, the reason is, the canadians are able to use the baking out to get the government. This is been transformational. The reason this works better, the canadians are in the bank account every single week, they will not forget the password. More portly, aching not getting, they would run down to the bank because her terrified the money would be lost. That is also increasing integrity of the transaction. It was authentication only, so many of the sheer, we launched the Identity Service which allows me too improve my identity with banks and the Government Data that i sent to kate with each of the providers and under my control give that back when i want to sign up for new services. And increases integrity and takes the cost down and gives them better results. The technology, walk us through that. We did not start off, it was a very different point of view. Any organization consumed data from a network to confront in three requirements to be met. Requirement number one, they want to know the authoritative source. 
Somebody they know and trust today. The second one they want to know the data has been altered by the authoritative source. They can take my drivers license and data and stick the photo on it. The third requirement, they want to know the data belongs to the person presenting it. Let me answer your question about watching. It has three very specific things, they called triple buying privacy. In canada today when i use my big account, the bank does not see my only definition. It knows it came from a Tier One Bank in canada but not which one. Our company which operates a network, we dont know who you are, triple bond party ceases not to bid, not the government, the user journey. We wanted to figure out a way to do triple bond identity without wells fargo anointed way to the irs with anything in between. It gave us on prime privacy and allowed us to meet the integrity challenge and meet the requirements of talked about and benefit as we get resiliency because they no. Broadly, the cryptography, the block chain cryptography is a leap forward in order to ensure you can have the movement and data. Is there a cultural absorption in the United States versus folks in canada about the Digital Identity and the willingness to assure the data . I would say the stance of canadians and americans are very similar. I would say the privacy regulation and canada are better and that gives canadians confidence when doing this. They have the course of something negative happens they have somewhere to go. So i would say its icon. Excellent. Lets get out of. Lets make some progress here. Thank you for great panel. Highly informative, i have three hours more of questions but everyone of you are topnotch. Thank you for being here. The judge o gentleman from georgia is organized for five minutes. Thank you, mr. Chairman. 
Thank you to all of you on the panel, this is intriguing from coming from an it background, ive been dealing with cyber issues for quite some time for my time in the air force dealing with Intelligence Data all the way up there protecting businesses and School Systems with internet access, its an ongoing challenge. And the transactions that happen especially in the Financial Services sector are in incredible speeds. Therefore verification for those who use this has to be done as same speed. Im one of these guys, i like to use cash, i like reading a printed book, i like going to a store and putting my hands on one going to buy. I am unique in the world today as i found out, the younger you are, the more you will rely on the technology. We have to be exploring these areas, but before i get to my question, i like to submit for the record, a letter from the Consumer First Coalition addressing concerns and congressional oversight over the electronic consent base Social Security verification system as they move forward. Without objection. Ms. Washington brought up a very interesting scenario at the beginning which illustrates challenges that we do face. Ive got one, i found quite unique, i was taking a group to the white house, if you ever visited the white house, theres quite a verification system. One thing wrong you get pulled out and put in the holding area. The young lady i was with, probably in her early 30s was put out and put in a holding area, it surprised me so i went to talk to her, she said happens all the time. Really . Really i have an identical twin sister, the mom did not realize she was going to have twins and she chosen the name. So she gave us both the exact same name. It was elizabeth grea grace smi, one was called this one was called grace. Theyre the same name, birthday, birth location, hair, height, weight but what triggered the secret service was a Social Security number were off by one digit. So there was a delineated. 
There is an illustration of the type of thing that were going to encounter as ms. Washington brought up. But we have to find a path to get there. Im big on intubation and we can go out and explore ways to do this but it has to be done in a controlled environment to protect consumers and have the ability to do these things. It took us a while to adopt the chip Payment System, traveling in europe the head of the longtime for we could adopt here. From what i understand its reduced the counterfeit fraud by 87 . But the bad players, the criminals fol focus on Digital Payment which involve Digital Identity. Solutions, cybersecurity solutions, we need to combat these Digital Payment fronts. Are we heading in the right direction . Do we have the sandbox available to develop these . That is an excellent question. I remember distinctly when i was back working at the control to currency. When the deadline was approaching and the conversation because we had just had the breach of target and had to appear before congress to testify at that moment in time. I remember distinctly having this conversation about what it would do and what it would not do. As you seen the card not present fraud is through the roof, i know and all these Online Transactions are card not present. That means theyre missing the authentication of being present when the chip in hand. I think while it was a step in the right direction and just a layer on the fact that most of her transactions are increasingly only in need to happen at the speed that we discussed her, we need to create an environment for the organization that figures out a way to improve the state of synthetic ids that creates a more trust and do it in a way where they can protect all consumers. 
I think thats why my colleague jeremy and the Business Roundtable i mentioned earlier that has over 200 ceos have a lot of alignment of what needs to be done to create the transparency for consumers with privacy while also creating a better ecosystem where we prove people to enable them for Online Transactions. Thank you. As the Ranking Member, i have tons of questions, this is intriguing but im out of time, also met the others for the record. I agree with ms. Washington. But i think the solution because those in low income are using Electronic Transaction as others and we gotta find a way to positively protect them as well. The gentleman from ohio is reckonings for five minutes. The q mr. Chairman and they get to the panel for your outstanding testimony. Its been a great setting so far. I want to drill down on mr. Mchenrys question on block chain specifically. Ill spend some time there if you do not mind. As you are intervening, what legal impediments existed in canada that prevented you from developing on the block chain and what has had to change . Walk me through what it was like as your interbreeding and how did you get there . One of the Biggest Challenges is when you look across economy, the most rigorous process of consumers is going to a bank at the regulated process in canada the organization is called sin track in them a set of interpretation bulletins that they used to interpret the legislation to say what things can and cannot do, the problem when we started, it did not include digital methods. It took a long time to talk about the advantages of doing digital methods and i want to pick up on valeries comments on the not present concept. One of the things we could convince the regulators what were doing with services is creating card present identity. I take major resistance to the counter, the bank is defenseless with the attack. All of the data checked in real time. 
That is getting the regulators and the communities to understand this is better in person but once i got there they said is more powerful. The interpretation bulletin for the sin track were updated to include digital methods. Legislatively . Asked. As you look at the u. S. , where you see similar holes where we should be legislating to enable the technology . Canada had an advantage, we have a small set of banks and provinces and we can get everybody in the room, your economic construction is a little different, you 3000 banks, 50 states, luckily a small set. It can be applied to the u. S. Model so i will say theres a lot of work being done with the organizations with a Similar Service here in the u. S. , but her work needs to be done. There will be similar challenges with updates will be required to support it. Df specifics . Of how the fcc is interpreting this and it needs to change or anybody else . I can provide apollo testimony and i can get an entire legal counselor was done a lot of work. That would be fantastic. If you look at our membership half our firms and banks and synthetic in one of the things we called for was the regulators to do more. They have been really receptive trade discussions, the message we got if you see a barrier a Digital Identity please let us know, marshall who is assistant secretary in the financing the treasury announced theyre working with industry to help bring together leaders in innovators together. I continue to ask members, are we running into things with the intersection of identity in Financial Services . In the biggest answer we get, sometimes theres a regulation of ambiguity and intern to move forward. I think we need a little more effort, we talked about the omb memo. 
I think we need more of a formal governmentwide initiative candy by the white house to look at how to bring agencies together with industries how to take this to the next steps and more work needs to be done in the framework of standards with a foundation in place in agencies can benefit from a center of excellence that can help Social Security administration is developing against other agencies to do that will need technical help. Zeus steps around the edges to helping the problem. I want to thank everybody for their time and energy. We will follow up. Thank you. The gentleman from virginia is recognized for five minutes. Thank you, mr. Chairman i hope i have 60 minutes. It is good to be here. Anyway i want to give my background really quickly, my background was in military intelligence and in doing this was tracking people and finding their identity without them volunteering information. It is also the bridge between technology and operations and how this would happen. My question might be a little bit more fun i would hope. Right now i had about 50 questions i wrote down, im going to try to go quickly, i always have too many. She said something beforehand and ill start the line of questioning there. A medical backwards with technology. Here we go, is unlike the use of a. I. Will be a goal part of Digital Identity. Should we be concerned that this technology can be cost prohibitive where were unavailable to smaller Financial Institutions or companies . Is that something we have to worry about . I think any time you deal with innovation its interesting, some of the Smaller Companies are creative and make it possible and scale. I think we need to find ways to help find Smaller Companies leverage some of the capabilities that youre pointing out, i would commend the raking members effort in his own district in little rock arkansas to create an Innovation Hub where communities and institutions can learn how to take a vantage of these things. 
The other way to help them scale to the benefit particularly is to actually do that to the partnership who providers. This is why i get excited, were all creating our own unique identifiers. Refrigerant handles when also, as we go forward, do you see private companies, to see private companies rejecting individuals or business transactions with other entities based on insufficient authentication of identity . When i look up people are going back and forth and utilizing their own signatures, will we get to a point, this is where i get excited in a head start to explode, youll see private companies actually creating their own unique id set of criteria and then do see them insuring the criteria and identity as doing transactional issues with companies and rejecting the companies. I know mr. Grant and i listened to what you did in canada, i want to get to a point where companies will be judged on the criteria for how they protect identity and other companies rejecting it based on you ids. You see that happening in the future . For years one of the things weve done in the u. S. And a lot of countries abroad, and we can have Certification Programs for identity. I talked today about the role of government, my bank knows me, ive seen at the foundation of whats happening in canada and the u. S. , they have to figure out who i am before they open an account so could they then batch for me other places . I login with my bank summer . Perhaps the Social Security administration. There are programs in place from organizations in the most wellknown is called cantata and been recognized by the Services Administration to certify the way that the private sector issues and identity. 
Going forward, i talk about the concept and identity of the ecosystem, will provide the component government will provide, we could create hybrid solutions that can bring in the best innovation the private sector can deliver the access to the authoritative sources only government house, you can merge those together, you can give people something that is portable so they can use every place they go. Your in my head. Do you believe . You talking about the students, we are dealing with unstructured data, natural processing, things like that, you believe theres a time where we can customize our token were the only way we can find our identity or maker identity known is the stuff that we customize with that information . Is that by customizing our own information . Theres a lot of focus of how you can allow people to only reveal certain things without revealing everything. Great models in place these days that will give people a renewal choice about what they share about themselves. We talk about the privacy debate and is getting a lot of tension on the hill and so much tighter identity. What do i want to be collected, why do i want these companies to know these four things but not the summit. Its having a strong tool to manage that and go back and revoke certain things in the ghetto be a key enabler. It was like five minutes and 30 seconds. You guys are fantastic. Without objection the Ranking Member and i will each have an additional five minutes for questions and closing. With that i would like to recognize mr. Hill. Inaudiblthank you again for g this hearing and i think youve heard a discussion in the panel has been very appreciated. I wanted to go back and finish our conversation about the california proposed statute. Anime brought in that to the panel to compare as you said a set of parameters with a more thoughtful approach to have a compare and contrast. 
The wall street journal last week reported that private businesses could face half a billion dollar complaint burden trying to comply with the california law. So talk about that and finish her thought, that you were trained to make that it was rushed, you have some concerns, you outlined a couple but did you have Something Else you wanted to finish up . The main point with california night be adopting air, theres been proposals to clarify that. This is the information they use for Fraud Investigation and better customer service. The backdrop on this, identity analytics solution using a. I. Are one of the most powerful tools that we have today to prevent fraud. To give you a number on that, microsoft talked about this publicly, they managed billions of logins in two years ago they received about 10 million attacks a day. A year ago they received 100 million attacks a day, they surely seen 300 million attacks a day to compromise login systems to do all sorts about things. Thats a 30 time increase in tears. The way they combat this, with database analytics systems, some of which that would fall under the definition of personal data cpa or other proposals. As long as you have a carveout this test thats okay if youre worried about protection but you cannot take the data and uses some place else, were good. In europe, the European Banking Authority is promoting the use of transaction risk analysis to secure payment under the directive under the banking. The concern if its more ambiguous in considering federal privacy legislation that does not say is clearly, 2 of people call it microsoft to give the example i suggested and say dont use the systems, turn it off, what are they supposed to do at a time when they might go up next year. You mentioned open banking in the uk for example, in canada as well. Does anybody else want to add to the comment on california . 
On the privacy directives in europe and what youve done in canada, is europe and the uk solved the password authentication process in order to make open banking be safe activity . Clearly here that would be an open question. Open banking is a singular term but the weight manifest in each country it turned out to be a little different. Some countries is compulsory in other countries its optional. Some places and includes the ability to push payments and the others it does not. As nonuniform application of how it works. One of the fears of open banking, the banks are forced to open up apis and give out the data at no cost and then the consumer will give it to a startup who does not have the same control as the bank and they will get breached and then the consumer will come back and say how did you let this happen. So rather than giving away the data, we should give away trusted data so they can give it to granular rather than giving it all. Thats the approach were looking at in canada. Interesting in australia they took the approach reciprocal. If youre gonna participate in open banking, if you want to get data from the network yet to agree in advance to ensure data back with the network and assault the assets dripping that is in some other jurisdictions. What we need to do regulatory early and again, limiting our conversation to Financial Services about how we handle the requirement of an api approach and a discrete approach instead of allowing and startup entrepreneurs, your disturbing the Customer Experience by doing that. But i would argue, Customer Experience gets really messed up when everything is stolen from them. Thats not a good idea. Is there something specific that the regulatory agencies can do . I would submit you cannot to open banking, the infrastructure cannot be done. 
Because the consumer, this is the problem, im a consumer, youre the bank that is trying to represent me and jeremy is a startup that was my data, how is he supposed to present the he has my permission to get my data, human threeway triangle and is very complex and the consumer will never get it. The only way to solve it is that identity and see line by line. I yield to you mr. Chairman. Thank you. This conversation is fascinating. Theres Technological Solutions with an app on your cell phone. But the future of this is not an identity dongle and it has things like this which can store the private keys and is it resistant to my compression even against having herself and completely hacked. And captured the screen and Team Passwords transmitted but you cannot steal in the private key which is a tremendous advantage of the approach and you can still have this threeway conversation under the app. I think there has been great progress. In the use of block chain, one of the great advantages it provides a ledger. Is there a solution in the context to develop a Witness Protection Program which is government sponsored Identity Fraud . Is that something people thought about and come up with solutions too . I dont have a great answer, one of the challenges, what youre getting with these, you cannot go back in time and insert appropriate under purpose is very difficult to do, you can find some other method to bring that along. Is a publicly visible walk chain. Ours is not. There is a protection for going back and altering records is hard and what the government could do is have a set of identity standby to use for the future so they have the long deputy that would be required. Its tough, has also sorts of secondary, you should put that on your to do list so we have a perfect example. 
It seems to come up with the ultimate solution, there has to be a role of government at some point in your life, you have to go and authenticate yourself and be uniquely identified using biometrics. At that point you can be issued a security dongle or the equivalent of one that you can use for many, many purposes and very streamlined entrance fictions. Is there any logical alternative than having every citizen who wants this to authenticate themselves securely knowing there is not synthetic Identity Fraud or using credentials. In the alternative to presenting themselves in front of a trusted Government Authority . I would say, we need to learn from Payment Systems we try to do identity. David burch has the same phrase. Comparing identity to money, theres a lot of things we can learn. When you look at the global Payment System, their 6 billion cards and syrup circulation and never been compromised. You can have your Favorite Bank and i cannot mind and we can go to any merchant and get what we want. More portly when we lose the card we call the bank right away his were terrified will be responsible for the results. When Payment Systems, these three things make the system work, the first thing we made it simple for the consumer and the complexity so they dont have to understand anything. Number two, we have an operator, crooks third most appointed thing to keep the Payment System is behavior. When i look at my wall into my card is gone, over and out to the bank turn the thing off as an terrified ill be responsible. I think i dont want to put words in your mouth, but this is not perfect, synthetic Identity Fraud can still permeate such a system. Agreed. But that wouldnt it comes down to understanding knowing the real customer. 
We have controls in place that are supposed to do that and we assume banks know who their customers are and they're all coming from the banking industry and everybody is trying to do that. Considering the fact that synthetics are as they are in widespread as they are, and a force multiplier, I would contend that they don't actually know their customers. I feel if you have an issue that is not right at the root and in compound on top of that, you actually make the issue later worse. You get this false sense of security and it does not allow you to be able to contend with individuals, and that goes to what they're looking for: they want to be seen as a regular traditional customer, they don't want to get caught, and want to navigate the system, and navigating pretty well for the most part. If you think of the example that he gave, identical twins with identical names, they differ only in their fingerprint. At some point in their lives they have to present themselves to some organization, almost certainly a government, who has to go and look at all the people claiming to have that name. And I think there's no alternative to biometrics of some kind. This could be an optional system. If you're going to provide citizens who want one with a secure means of authenticating themselves, you have to have a moment in their lives and you have any comments? I think the complete overall, I never worry about the solution, I tend to get very nervous when we create biometrics, in part because there's one thing that we learn any other type of valuable data, we're not good at protecting them. In the OPM breach in 2015 where a top-secret clearance, all the information in the images of my fingerprints are not in China, at least two thirds of the room has the same thing understanding who's here today. I would never want to use a match fingerprint system online where they did not know I was there to protect anything of value because they can get fingerprint off the images.
There's really helpful tools, the DMV are using face recognition for de-duping, forward to going to Jeremy Grant at the DMV and show three months later under a different name they can say, and looks like you were here before, I need a face recognition in the contest that to the fraud investigator. Leveraging that process is really important, one of the things in the policy blueprint is the driver's license is the one thing that most Americans will have a robust in-person identity process. It is really valuable and we think people should reuse it. The DMV will play a role, only 87 of the driver's license, one thing we see these days it's harder than ever to get one thanks to the REAL ID Act from 2005 which on one hand was good security reasons and put a very robust federal standard in place for a person identity proofing, the flipside, if you're on the margin and been in and out of homelessness and evicted in your license and everything was left in a box by the side of the road in the rain, it's hard for people to restart their identity life again because the lacking what they used to have to the point in many places you see there's a couple churches like the Methodist up the street that works with people I have to gavel myself a timeout. The votes have been called. Without objection I'd like the report from the Better Identity Coalition to be included in the record. Without objection. I want to thank the witnesses for the testimony. This is at the root of so many problems that we have and that we will be facing. Without objection, members will have five legislative days to submit additional written questions for the witnesses and to the chair which will be forwarded to the witnesses for the response and I ask the witnesses to respond as promptly as able. Thank you again. 
[inaudible conversations]
