Digital Identities with Cambridge Blockchain

Verification of customers and counterparties is vital in financial services. Identity defines and permits the relationship between financial services providers and their clients. But, according to the World Economic Forum:

“Current identity systems are limiting Fintech innovation as well as secure and efficient service delivery in Financial Services and society more broadly.”

Identity verification is a huge source of inefficiency for financial firms during the onboarding process. Customer data has to be gathered, evaluated, stored securely (and then updated regularly). Costs of AML and KYC compliance are huge and growing. Fines for willful failure are also rather large.

There are other issues. Tightening AML and KYC requirements can exclude innocent individuals and small businesses from the global financial system. Legitimate applications are sometimes rejected by firms as either not worth the cost of compliance or because firms, having been caught aiding money launders in the past, move too far in the other direction. Beyond this, many people – refugees, for example – currently lack government issued identity documents such as passports and birth certificates. Forget about a credit history.

WEF goes on to state:

“Digital identity is widely recognized as the next step in identity systems.”

A comprehensive digital identity solution could allow for trust-based engagement with providers of government, health, and financial services while simultaneously complying with strict data privacy rules such as the European General Data Protection Regulation (GDPR). The EU has announced its intention to develop a digital identification system that can be used by all residents in all member states.

Having access to a reliable system of digital identity would mean greater accuracy and allow FSIs to streamline critical activities, partially or fully automate many processes that are currently manual, and greatly improve customer experience. It would mean better risk assessment and reduced fraud, and smarter, more targeted marketing. Major savings would come from the reuse of data and the elimination of redundancy.

The immutability, transparency and auditability of blockchain make it an interesting choice for a distributed approach to digital identity. You can link a cryptographic hash on the blockchain to evidence of a strong digital identity validated by a trusted 3rd party (bank, government, etc.), thereby addressing the competing challenges of transparency and privacy and putting control of personal identity data back in the hands of the end user.

Founded in 2015 by Alex Oberhauser, Alok Bhargava, and Matthew Commons, Cambridge Blockchain provides digital identity software for financial institutions. Their use of a distributed architecture to offer a consistent view of customer reference data offers the promise of faster onboarding, lower costs, and improved compliance. Cambridge Blockchain explicitly incorporates GDPR standards for consent, data minimization, the right to be forgotten, data security, and data controllership.

Cambridge Blockchain closed on its first institutional funding round in January of 2017 raising $2,000,000. The round was led by Partech Ventures and Digital Currency Group, with participation by LaunchPad Ventures, a Boston-based angel investment group, among others. I recently met with Matt, who is CEO.

Matt Commons of Cambridge Blockchain

Q.   Matt, what are we talking about when we talk about digital identities? Is there a generally accepted model of identity?

A.   One of the ways we like to think about digital identities is the way the World Economic Forum thinks about them. When people say digital identities oftentimes they mean many different things. It can get muddled.

The WEF issued a very good report called A Blueprint for Digital Identity. They break identity down into several different layers that work together. What you are ultimately trying to get to with digital identity is to deliver some kind of service to a customer or an end user.

In order to deliver the service, that user needs to be appropriately authorized, so authorization is a layer. That authorization is based on certain attributes of the user – attribute exchange is a separate layer.

The user needs to somehow authenticate – and this is often what people are thinking of when they talk about biometric identity or two-factor identity they are thinking about the need for authentication. These attributes also need to be collected to be useful and there need to be standards governing everything from data structures to protocols for sharing data across networks.

Q.   Why blockchain? What can we do with digital identities on the blockchain that we can’t do with other options?

A.   Blockchain is not always the right approach! Although we have blockchain in our name, there are plenty of identity applications that it makes perfect sense to do with a centralized database. The ones that don’t make sense for blockchain are those where there’s a single, trusted party for governance and operations – where you have a hub-and-spoke trust mechanism where everyone trusts one party and that one party should see everything and know everything.

Where blockchain-based identities really add a lot of value are in areas where, first of all, you don’t necessarily want one party to see and know everything about all the participants, and, in particular, in environments where you have certain restrictions around things like data privacy or data geo-residency (the location of that data). In those situations, a peer-to-peer trust network is much more appropriate for identity.

Q.   How do you handle authentication?

A.   We don’t have our own authentication system which is a difference between Cambridge Blockchain and others. We actually plug into other authentication systems, such as an LDAP system, or an OAuth system. In the example of our first deployment in Luxembourg, LuxTrust makes an authentication technology that is used by the whole population of Luxembourg.

Q.   So you’re agnostic?

A.   Our model sets up a construct where there are end users who are the data subjects and who control their own personal data. In addition, there are trusted parties that validate attributes. In principle, that can be anybody or any institution. Service providers are the ones who are consuming that identity data in order to provide a service to the end user.

Q.   Is identity authority a natural role for banks? Is it something they should be looking into?

A.   That certainly can be a key role for them. Going back to this WEF view, they believe that because banks are playing such an important role in validating the identity of customers, that it’s natural for them to be able to use that data to provide other types of identity services. That’s certainly something that we would support.

Q.   You mentioned LuxTrust. What can you tell me about your partnership with them?

A.   We will be going live in 2018 with over half a million end users in Luxembourg, together with our partner LuxTrust. LuxTrust is what is known as a trust services provider. What that means is that they are able to issue digital certificates and digital signatures. Those digital certificates are also used for a common authentication or access token, which is essentially used by the entire population of Luxembourg to access government services, pay their taxes, and also to access their bank accounts.

Starting in 2018, everyone that has a LuxTrust authentication service will also have a Cambridge Blockchain personal data service that stores all of their structured identity data.

Q.   Does this work for companies as well as individuals?

A.   Absolutely.

Q.   How do you attach individual identities (say, board directors or major shareholders) to corporate identities?

A.   In our model, the construct from a technology standpoint is called a personal data service. You can have a personal data service for a corporation in the same way you can have a personal data service for an individual. That corporate PDS can contain data about the beneficial owners, the authorized signatories, etc., and depending on how you set it up, this can be controlled by those other entities.

Q.   It seems to me that a truly transformational digital identity system needs to be widely accepted. It would require the buy-in of the entire industry (and maybe governments, too). That’s a huge challenge for a startup. Are you trying to make that happen or are you relying on other forces?

A.   We don’t believe there will be just one identity system that will drop from the sky and achieve universal adoption. We share the view of the WEF that identity networks will start as what they call natural identity networks, which are groups according to a certain geography or stakeholder sets that make sense.

Q.   Like Luxembourg?

A.   Like Luxembourg. There could be others, say a group of banks in Norway or in Spain. Or, maybe a group of institutional investors that share a common transfer agent. These different networks can be set up with identity systems and over time those networks will grow and come to interoperate through linkages. That’s the way we see this evolving. We’ve been actively following the progress of groups working to connect these things, such as the WC3’s verifiable claims initiative and the Decentralized Identity Foundation.

Q.   Is there a dystopian downside to digital identities that Philip K. Dick should have warned us about?

A.   The fact that we are creating so much more personally identifiable data about ourselves and don’t know where that’s going is of profound concern to me personally and, I think, to a lot of other people. Security and privacy are not necessarily a tradeoff – rather, they really go together. Strong privacy goes together with strong security. So in this environment where we are creating so much data about ourselves, the types of technologies that allow us to securely store, share, and validate that data are quite important.

Q.   Your recent financing round was done with a convertible note. Why was this the right decision for you rather than a priced equity round?

A.   We had our first close back in March of 2016. I think for an early-stage company doing its first financing round, where there’s uncertainty about the valuation, a convertible note can make sense. In essence, the convertible note links the valuation to a future, priced equity round, with some type of a discount or maybe a valuation cap. What that does is allow the entrepreneur who thinks the company is highly valued to go out and get that valuation in the future. But if it turns out that future equity financing round ends up being at a lower valuation than he or she expected, the early investors in the convertible note aren’t penalized for that.

Q.   Why not a token sale?

A.   There are certainly a lot of people raising money using that methodology. It may make sense for certain use cases. We tend to believe that in the large majority of token sale use cases, the token doesn’t add a lot of fundamental business value and there’s a whole lot of heavy speculation as to why they’re being issued.

For us, it really didn’t make sense because our product is all about compliance. If we were to issue something in a legal grey area in terms of if it were a security or not or legal in particular jurisdictions, it really doesn’t fit with our brand value. It would make it very hard for us in terms of our core business, which is delivering digital identity enterprise software to financial institutions.

Q.   It’s obvious why you, as a blockchain startup, would want Digital Currency Group as a lead investor. By why Partech?

A.   Partech has been a great partner for us (as has Digital Currency Group). They’re one of the larger VCs in Europe. Europe is a great market for us due to the data privacy rules over there. Partech is headquartered in Paris. They have offices in Berlin and San Francisco. They helped us get set up in office space at Partech Shaker and they have a program called Europe Made Easy that allowed us to establish a subsidiary quite rapidly and start our growth trajectory there. They’ve also been quite helpful in making introductions to major European financial institutions.

Q.   As we all know, the current system put people whose identity has been hoovered up by companies like Equifax at great risk of identity theft. Will acceptance of digital identities mean the death of the credit bureau model (he asks, hopefully)? Will it put control of identity data back in the hands of its rightful owners?

A.   We view the Equifax hack as a real perception-changing event in the U.S. We think a lot of the data privacy protections we see in Europe will be moving to the U.S. The drivers may be a little different – in Europe, there the view that data privacy is a fundamental right that is not now shared in the U.S. It may be driven more by security concerns as opposed to privacy – but we see some big changes coming.

We see that consumers are going to demand that this model be replaced by something that works better. The idea that everything is linked to your social security number and one company holds 143 million records in an easily-hackable database connected to the internet – I think a lot of people recognize that as unsustainable.

Q.   You recently opened a new office from which to tackle the European market. Why did you choose Paris over London or Frankfurt or Luxembourg? Are there reasons beyond your relationship with Partech?

A.   Paris is a phenomenal location. Certainly, the fact that Partech is there was a factor. They’ve helped us land nicely. I think the French market is quite interesting in and of itself. We’re doing a number of things there with some of the major French banks.

It’s a great geographic location from which to get anywhere in Europe. It’s easy to get a train to London or Frankfurt or Brussels or Luxembourg. That was one of our criteria. We wanted to be close to Luxembourg by train. Plus, there are direct flights to Boston.

Given that our software is really about supporting EU data privacy regulations, Brexit was a contributing factor to the decision, but not a deciding factor.

Q.   What about the ecosystem for startups in Paris? Is it supportive? Are the resources that you need there? Is it easy to hire the people that you need?

A.   Paris has a thriving startup ecosystem and we’ve been able to find a lot of support. We’ve also been very pleased with the talent pool in Paris. It’s a global city with deep technical resources. Also, partners like Accenture are there. They have their blockchain Center of Excellence in France, in Sophia Antipolis, and a major presence in Paris.

Q.   What were the benefits of forming a separate subsidiary when you opened your Paris office?

A.   It’s cleaner to have a separate subsidiary rather than a branch or a bunch of consultants. Europe is a key market for us. We need to support both the LuxTrust project and other commercial deployments. We needed to have full-time staff, and the best way to do that was with a wholly-owned subsidiary.

Q.   What do they offer you at Partech Shaker?

A.   Partech Shaker is a co-working space run by Partech Ventures. A number of major technology companies are there, including Dropbox, Pinterest, and Hired. For us, it’s been great. They are right in the 2nd arrondissement and offer a very supportive environment for us to grow. Plus, they’ve got a great roof-top deck with views of the Eiffel Tower!

Q.   Are you finding greater acceptance in Europe because of PSD2 and the GDPR initiative which comes into effect in the EU in May?

A.   Absolutely. Europe has always had stronger data privacy rules, but GDPR really raises the bar. Companies can be fined the greater of €20 million or 4% of world-wide revenues for data privacy violations. It’s really made it a priority for these institutions and in many cases their legacy systems don’t comply, so that’s really been a catalyst for new approaches.

Q.   Yours is the first non-European company to join the Infrachain blockchain initiative. What can you tell me about it?

A.   Infrachain is quite exciting. Cambridge Blockchain joined this group earlier this year. Infrachain is a blockchain initiative in Luxembourg where you have a group of different financial institutions, the telecom provider, the Luxembourg government, LuxTrust and others coming together to provide a governance framework – what they call an orchestration platform for blockchain. These are especially for permissioned or private blockchains where the nodes need to be certified by Infrachain. So it really provides a lot of legal and governance certainty that you don’t have with public blockchains like Bitcoin or the public version of Etherium.

Q.   What are some of the next-level benefits to FSIs of broad adoption of a digital identity system? What sort of additional capabilities might they be able to offer? Do you foresee new products resulting?

A.   When we look at this, it’s in the context of the overall trend toward open banking where banks are increasingly being forced to open their APIs for custom account data, for payment instructions, and so forth. The banks that really get the message that a successful model won’t simply involve offering siloed alternatives but will mean offering a great customer experience and the ability to access different products and services from other providers are the ones that will be successful in the future. Digital identity is a key enabling component of that.

Q.   What impact will digital identities have on the pace or direction of FinTech innovation?

A.   Historically, each institution had its own separate authentication system and also would check its own attributes about a customer. In many applications now that’s still the same. Now we’re at the point where, increasingly, there are common authentication systems. And I’m not talking about the relatively weaker ones like login with Facebook and the like. Especially in Europe, there are more bank-grade authentication systems like LuxTrust or BankID in Norway or NemID in Denmark.

But still most institutions, even if they log into the common authentication system, they still check the identity attributes separately. We see distributed systems – and our software in particular – enabling a move toward common storage, sharing and validation of identity attributes. We see that as really being key to unlocking frictionless transactions, not just in the financial services space, where we’re starting, but well beyond.

Q.   You are currently a team of nine. Are you hiring?

A.   We are. We’re very encouraged by the number of developers coming into this space and exploring blockchain. A few years ago, people didn’t even know what it was.

Q.    When will we see your first commercial deployment?

A.   We haven’t announced a specific release date for the LuxTrust ID platform, yet, but certainly having those capabilities in place around the time that GDPR comes into effect in Q2 of 2018 is something we are really focused on.

Q.   You participated in the 2016 FinTech Innovation Lab in New York City. What was it like, and do you recommend it to other startups?

A.   I highly recommend that program. It’s sponsored by Accenture and the Partnership Fund for New York City. They take only a modest amount of equity.

Within that program, startups are mentored by a group of financial institutions. In the case of Cambridge Blockchain, that included JP Morgan, Citi, and the Spanish bank BBVA. It was great opportunity to refine our product/market fit, and was really what led us to start understanding the constraints of those European data privacy rules and that that could be a big catalyst for our technology.

Q.   Did you come out of the program with any PoCs?

A.   It really started our relationship with BBVA, during which time we scoped out a deployment of our software for what is known as cross-border onboarding. So basically, someone within one division of BBVA wants to open second account with BBVA in a different country. It’s a huge problem. That directly led to having something very tangible in the BBVA Open Talent competition, which we ended up winning in 2016.

Q.   Tell me about your relationship with the MIT Media Lab. They’re just down the street from where we’re sitting today.

A.   That’s certainly one of the reasons we set up our business here at the Cambridge Innovation Center in an MIT-owned building. We work closely with a number of the digital identity research scientists there. We are closely aligned in terms of the broad vision for digital identity.

Q.   One thing blockchain startups tell me is they are often invited in for meeting that it later becomes clear are really set up so that they can educate these big companies on the blockchain. How do you avoid that? How do you qualify your leads so you’re spending time and resources on legitimate prospects? What advice do you have for other B2B FinTech startups?

A.   I have to admit that we wasted an enormous amount of time in the beginning, but we have improved our execution in that respect significantly. We now use an approach called “question based selling” that we’ve found quite effective at really qualifying prospects. For example, are the people around the table the right decision makers? Do they have the budgetary authority? This is critical to avoid wasting time.

Q.   Do you worry about Facebook or Google? They have so much data, are they potentially competitors?

A.   To date, they have stayed away from the regulated markets. We may see Facebook Bank or Google Bank at some point in the future. I would say that a lot of the ways they use personal data is concerning to the European authorities. I think laws like GDPR were written with that in mind. In some ways they are a catalyst to a regulatory environment that we are quite supportive of and that our technology has been specifically designed to address.

Q.   While regulation seems to be driving adoption, are there legal or regulatory hurdles that you didn’t expect?

A.   You can view it as a barrier or a challenge to build something that complies with GDPR, or with the fourth anti-money laundering directive, or PSD2, or the new digital signature initiative, but we view our level of regulatory engagement and the depth of understanding we have as a real competitive advantage. But it certainly takes a lot of time and effort to get it right.

Q.   You are headquartered in Cambridge, Massachusetts. What are your thoughts on the Boston FinTech ecosystem?

A.   Boston has been a great place to grow and thrive. There’s a very active startup ecosystem and a growing presence of blockchain and cryptocurrency. There are many interesting meetups happening all the time.

# # #