-Hi, everyone. I'm Mirela Ciobanu, Lead Editor with The Paypers, a global financial publication. And I'm excited to have John Erik Setsaas, Director of Innovation at Tietoevry Banking, here live at cyberevolution. And we are going to talk about digital identity and Identity Wallet. John, hopefully I pronounce your name correctly.
-Yes you did. You did very well. Well, thanks. Thanks for having me.
-Yeah, it's great. And it's great to meet with you again. The last time, yeah, it was actually one year ago. Back at EIC we met and we talked a lot about digital identity. And I'm curious to know, yeah, what trends have you been following since then related to Identity and Identity Wallet?
-So I mean, Identity Wallet: since we spoke last, the eIDAS and identity wallets have been approved. So now we know it's going to be two years according to the present timeline, which I think is too optimistic, before we have this, the wallets, in place. So, and we have the large-scale pilots running to experiment, test around with this. So there's a lot of activity going on on that. We are struggling with some of the use cases, you know, why should users do this? Why should the relying parties be using this? Also issues around liability. As you know, I work with banking. So I'm looking at how would banks utilize these wallets. And we see the challenges with liability. If a bank puts something in the wallet, okay, how could they be liable for misuse of that? So I think we are in the wallet area trying to look at these use cases, trying to find out where it's going to fit. And I think in a few years we're going to laugh at the use cases that really happened, because I don't think we see them yet.
-Yeah. And related to use cases. One of them, though, it is an evident one, but on the other hand it is a very important one, is to prevent fraud. So digital identity solutions usually help, you know, identity or, you know, authentication, verification and, yeah, managing fraud. What are some more threats now related to digital identity and transactions, payments in general, that a digital identity solution wallet would be applied to?
-Your identity score? I mean, we need to know who people are. And we've seen a lot of work being done in the last few years now to ensure that the right person is doing the transaction. So we have the two-factor authentication. You get a text message or you need to approve on the phone, etc., and that's been done really well. And also biometrics are being used. So we are pretty sure that the right user is doing that, if all this technology is being deployed. That has been the threat. Somebody has reached out to you, a fraudster, and trying to get your credentials so I can pretend to be you. Well, that's much more difficult now because I would need that second factor. I would need your biometrics. It's so much more difficult to impersonate now. So what's happening now? We're moving from that. And then to the fraudsters hacking people, as I call it, they will do. They will use AI. They will use new technology to convince you that I'm calling from the bank or I'm your manager, or I'm your child, etc. I trick you, I trigger your sense of urgency. You need to act. So I trick you into transferring money to me. And then I don't need a second factor because you are doing them all. And that's what I see as the biggest threat going forward. Now, with the identity we have sort of blocked the impersonation, or we are in the phase of blocking that. But now the fraudsters, criminals, are going to a new way, hacking people and tricking them. And I mean, typical fraud we're seeing is the safe account fraud: somebody calls to say, hey, I'm from the bank. Somebody hacked into your bank account and I see the money's disappearing, so you need to hurry. You need to transfer this to a safe account, and you transfer that money to the safe account, which happens to be my account. And that's how the fraudsters are now operating and stealing the money.
-Yeah. So this indeed was also part of your presentation. And it seems that indeed the focus now shifts not necessarily on the actual user, but on the transaction itself, to analyze it and to make sure we can stop it if it's done under emotional stress, let's say.
-Right, I mean, yeah, but I mean, not even emotional stress. We have the long-term fraud, like the romance fraud, where the fraudsters are going to work on you for a long time and, you know, pretend to be someone and make you fall in love, etc. And then, well, and now I need some money to, you know, my mom's surgery or things like that. And in those cases, the victims are so convinced that this is real. So even when we as financial crime prevention, we reach out to this victim and say, you know, this transaction of €100,000, this is a fraud, we want to stop it. And the victim says, no, no, no, it's not a fraud. This is for the surgery to my, you know, my friend, lover. And they're so convinced of this being real. So it's not even emotional stress in that sense.
-Yeah, but how can we prevent this? Can the European digital identity wallet be part of it, or how to, yeah, to stop it?
-So what we are doing on the financial crime, I mean, we were working with financial institutions so we monitored transactions. So we know what's a typical user behavior and deviations from that are flagged. So if you suddenly were transferring, you know, a large amount of money to me, which would be nice, of course, that would be unusual. And that unusual transaction would then be flagged and checked if this is a fraud. Also, one thing we did now, we had just Black Friday. What happens during Black Friday is that a lot of fake stores pop up. Stores that only take your money or don't send you anything. We try to keep a list of that, so we block transactions to those accounts. So this is all about monitoring behavior, monitoring what you are, how you are behaving, how you're logging in. I mean, if I was logging in, certainly from a Mac, I always use Windows. That would be a signal. If I logged in at 2:00 in the morning, John Erik is never awake at that time. Doesn't mean it's fraud, but it's a trigger. So we will analyze that. So, so that's how we do analysis of financial transactions. And that's how we see, you know, if it's a romance fraud, you know, this is we recognize the two account very high amount. And then it's probability that it's a romance fraud. And when we reach out to the victim as I mentioned.
-Yeah. So on the other hand, so we have this technology. But then to help consumers, on the other hand, we have different regulations, compliance. So I'm thinking here about GDPR, about the eIDAS wallet provision not to do profiling. And also I'm thinking, since we are referring to financial institutions, this instant payment regulation when things need to happen instant. So it seems so many things, so many variables within the game for banks to mitigate, to offer the seamless user experience where you would pay and feel safe and secure. How to balance?
-It is complex and the banks are under a lot of stress with the financial regulations.
-Yeah. You too.
-Yeah. I mean, it's complex. Just, I mean, touch on the IPR, the instant payment regulation, which, you know, is instant payment, right? Which is, I think, a fraudster's dream. Right. Because then it has to happen very fast. That gives us little time to investigate. It's only 10s for that transaction to go through. So that's a challenge. GDPR is a challenge for this because we would love to share information with different banks. If we discover you're a fraudster, we would love to tell all banks, you know, but we're not allowed to; we need to protect the privacy. So which means if you're blocked at one bank, you will just go to another bank and do the same thing and they won't know that that's happening. So in that sense, GDPR is also a challenge for us. It's protecting the fraudsters. And don't get me wrong, I do, we really do need to protect privacy. That's not what I'm saying. But in this case we are protecting the fraudsters. There are things happening there now. So it's opening up in the financial regulations for sharing information for this. And I think even according to the current regulations, you have the just course in GDPR for fighting crime would be a way to share information. But it's not very often done. It's often blocked by the privacy compliance officer because these are different regulations, you know, fighting for the same thing.
-And then regarding the European digital identity wallet, maybe to expand on how they are helping it.
-Exactly. So, so and I mean, if you, if you read that one, one of the things with the identity wallet is that it's very privacy-oriented. And it's clearly stated you're not allowed to profile. Right. And that causes a problem. Well, we will still, you know, profile the financial. I don't know if financial side, you know, your transactions to bank and so on. So that's not going to change. But imagine everything you can use the wallet for. You can do it direct person-to-person payment. How do we control that? You can transfer your potentially your asset. Let's say you have proof that you own this property. Could you imagine that that could be transferred to another wallet? How do we monitor, you know, transfer of value like that? And the problem is, according to current regulation, we cannot do that.
-Yeah. So we've been quite pessimistic so far. And I want to also share some advice, some positive information. And I'm curious, if I am a bank or on the C level, a suite of a bank, what will I do to be prepared for everything that is coming? Right, in terms of regulations, of fighting fraud?
-Oh. Prepare for everything. Okay. That's a big one. I mean.
-So let's start with, yeah, preparing for regulations.
-Yeah. I mean, the regulations are good. They are here to protect us.
-Yeah.
-They are here to, you know, make sure we are safe, to catch more fraud. And they're tightening. And it's really challenging for the regulated industries because there's a tsunami of regulations coming now with the PSR, PSD2, 3, IPR, DORA and everything.
-Yeah, exactly. At cyberevolution, there are also some things on cyber security.
-Exactly. So there is so much and I mean, you and we need to remember there is a reason behind these regulations and it's all to protect that. That's the reasoning behind them, to make sure we do business in a good way and protect people and values. Yeah.
-But in terms of technology solutions, human expertise, what should banks, yeah, use, deploy?
-I mean, you need to have user-friendly solution and consistent solutions. So for the user it looks the same every time. We want to try to educate the users to behave in a good way. But then we also need to have consistency on how things are done. If things are done very different in different banks, that's confusing for users and it's an opportunity for criminals. It's easier for them to come in to do something, so we can have consistency in the user interface, try to educate, but as you mentioned, if you are under stress, if somebody calls you, I mean, with AI today, you can sample anybody's voice. And one scam is typically your child. Your child. Yeah, yeah. The voice is calling you and hey, I'm in trouble. You know, I lost my phone. You don't transfer money. That's, it's stressful situation. And then it's easy to forget the things you learned. So. But still we need to educate the users. And that's three good words to Stop, Think, Check. Yeah. It's a campaign we're using there, I think, and that is good. And tell users a lot of times things are not really that urgent. In most cases it's not urgent. Stop, Think, Check are the words. So education, consistent user interfaces. I think that's how we can help the end users not to fall victim to fraud.
-And since you mentioned education, what are some trends or some things that you are taking from cyberevolution back home?
-Yeah. I mean, it's what I'm going to say. I mean, education has been mentioned. There's been some interesting presentations on sort of the human, the emotional part, of the emotional challenges of this, both for the people involved in, from the business side, you know, that's being hacked and so on, how to handle that. And I think that's interesting that that even come into the picture of a fairly technical conference. You start to talk about human emotions. There was an interesting presentation this morning about looking at the comparison with personal health and company health, and I really appreciated that one. I mean, for personal health, I mean, you try to eat healthy, you try to exercise, and you should do more, etc., but at least you have some goals and try to do that on your company level as well. Think of your company health. I think that was, for me, that was a good takeaway.
-Yeah, actually. Yeah. Max, we also had him on.
-Oh, okay.
-That's an inspiring story that it seems it has ripples within the minds of everyone.
-It does. Yeah, I really appreciate that. I like people, and I like stories about people and bringing them into the picture. And I think that was really good. So that's one of my big takeaways, I think.
-Yeah. Great. Thank you, John, for this discussion. And I'm sorry that I don't have the fake voice video that you had, with Jean Luc Picard, to end, yeah, on a funny note, our interview.
-No, but that's fine. Hey, thank you so much for having me here.