We sat down with Chris Connelly, Propositions and Solutions Director, to talk us through the recent developments of the Pensions Dashboards Programme.
Chris also discusses EQ’s recent response to the Money and Pension Service's (MaPS) call for input on identity, which looks at the proposed methods to verify that dashboard users really are who they say they are.
Often, in our industry, we never meet the people we serve. Their employer usually tells us who has joined. They themselves have checked the employee’s identity, and we as scheme managers or trustees trust that they have done so. Have we ever checked how rigorous the recruitment process was to prove someone is who they say they are?
Wind forward 20, 30 years when our member has long since left that company, moved house three times, got married, divorced and re-partnered. We have to re-identify them to make sure we are paying the right person the right amount at the right time.
We probably all have our own well-honed processes. Some will still be paper-based, but increasingly they will be digital and biometric. Whatever we all do will rely on something they have to prove who they are (for example, a certificate) and something they know, such as a pin, password or old address.
In the future, there will be a new front door for members that gives access to the personal and benefit data we control and process: Pensions Dashboards. The member will control how secure that front door is going to be. Not you.
The GDPR conundrum
Pensions Dashboards will achieve this very powerful service via a central digital architecture, explained in this 2-minute video, published by the Pensions Dashboards Programme (PDP).
As explained in the video, the digital architecture is going to include a central Identity Service (IDS), which will confirm that the person logging into their chosen pensions dashboard is actually who they claim to be.
Looking to the industry
Last month, the PDP published an outline of how they propose the service will work and asked for our industry’s views. The PDP is proposing to require identity service provider(s) to prove, and then authenticate, dashboard users’ identities in line with two existing Government good practice guides:
For example, having to use a second way of confirming who you are. A common tool today is receiving an email or a text to a device you have previously used so that you can confirm it is really you logging into the website.
For identifying someone for the first time (GPG45), a “Medium” level of confidence indicates that there is very strong, genuine/valid and real-world evidence that the individual’s claimed identity exists. It also reduces any known risks of fraud of the identity and gives confidence that the individual using the dashboard matches their evidence of identity. It is also fair to say that it is not an iron-clad guarantee.
As stated in the response below, EQ agrees in principle that Medium is probably a fair reflection of the balance of risks, for now. Security is always a balance, and the balance continually shifts. Too little or too easy, and members would be unsure and uncomfortable using it. Too much or too hard, and you risk members not getting over the hurdles and not using the service. That would mean the initiative fails its objectives. You need to find a middle ground. Security professionals sometimes refer to security as “appropriate friction” rather than “frictionless” because people gain comfort from an appropriate challenge.
Over time, as digital IDs become more prevalent and more user-friendly, we would expect to see the security levels rise. Initially, Pensions Dashboards will be information-only services, so Medium seems appropriate. However, in future, the roadmap for online dashboards and tools will lead to transactions becoming possible. At that stage, we would expect the bar to rise to High.
You can read the full EQ response below. As you will see, EQ is posing a number of questions back to the programme to ensure their plans for Identity and Security will satisfy your needs.
Please take a look, think about how you identify people today and let me know what you think.
What security related controls (other than identity proofing and authentication) do you see as important in your acceptance of the PDP solution for Pensions Dashboards?
As mentioned before, we would like to see the DP impact assessments of all of the infrastructure, and understand the spans of controls and who owns which liabilities at specific points of the data flow map.
Additionally, whilst not related to the identification and verification, this process falls down if the underlying data processors and controllers are unable to successfully match the request to an internal record. To this end we believe the degree of assertion to each data item needs revisiting. We would push back on the proposal that the NI Number is only asserted by the end user and not checked at any point as part of the verification. NI Numbers are a vital part of the data that data processors will use to match.