key: cord-0465187-39i8qazm
authors: Elliott, Karen; Coopamootoo, Kovila; Curran, Edward; Ezhilchelvan, Paul; Finnigan, Samantha; Horsfall, Dave; Ma, Zhichao; Ng, Magdalene; Spiliotopoulos, Tasos; Wu, Han; Moorsel, Aad van
title: Know Your Customer: Balancing Innovation and Regulation for Financial Inclusion
date: 2021-12-17
journal: nan
DOI: nan
sha: 78022b4f348c2ebcf24be866f49a947fce4fee89
doc_id: 465187
cord_uid: 39i8qazm
Financial inclusion depends on providing adjusted services for citizens with disclosed vulnerabilities. At the same time, the financial industry needs to adhere to a strict regulatory framework, which is often in conflict with the desire for inclusive, adaptive, privacy-preserving services. In this paper we study how this tension impacts the deployment of privacy-sensitive technologies aimed at financial inclusion. We conduct a qualitative study with banking experts to understand their perspective on service development for financial inclusion. We build and demonstrate a prototype solution based on open source decentralized identifiers and verifiable credentials software and report on feedback from the banking experts on this system. The technology is promising thanks to its selective disclosure of vulnerabilities under the full control of the individual. This supports GDPR requirements, but at the same time, there is a clear tension between introducing these technologies and fulfilling other regulatory requirements, particularly with respect to 'Know Your Customer.' We consider the policy implications stemming from these tensions and provide guidelines for the further design of related technologies.
An important enabler for financial inclusion is the ability of citizens to disclose vulnerability, to allow a bank or other financial service to train staff, allocate resources and design products and services in a way that supports vulnerable populations.
In the UK, the Financial Conduct Authority (FCA) has been tracking the vulnerability of consumers over time, together with other aspects of their financial lives. The FCA's flagship consumer survey, the Financial Lives survey, has found that, before Covid-19, the number of UK adults showing one or more characteristics of vulnerability was decreasing, with this decrease largely attributed to improvements in digital inclusion and financial resilience. However, the latest results of this survey show that Covid-19 has reversed this positive trend in vulnerability and has disproportionately affected specific population groups, such as younger adults and the self-employed (Financial Conduct Authority UK (2021a)). Our research in financial inclusion has been heavily influenced by the FCA's latest report, which provides guidance for firms on the fair treatment of vulnerable customers in finance (Financial Conduct Authority UK (2021b)). This guidance identifies a vulnerable customer as "someone who, due to their personal circumstances, is especially susceptible to harm - particularly when a firm is not acting with appropriate levels of care". The guidance establishes the protection of vulnerable customers as a key priority for the industry and strongly encourages financial firms to treat vulnerable customers fairly. Exploring the four categories of characteristics that drive financial vulnerability (poor health, impact of life events, low resilience, and low capability), we investigate the use of Verifiable Credentials (VCs) and Decentralised Identifiers (DIDs) for identifying and supporting financially vulnerable consumers. There are two important characteristics that make DIDs and VCs a desirable candidate technology for financial inclusion solutions, namely self-sovereignty and selective disclosure. Self-sovereignty says that people and businesses store and control their own data on their own devices and provide these data only when someone needs to validate them.
Selective disclosure says that only relevant private information is shared with interested parties in a privacy-preserving way. Spiliotopoulos et al. (2021) explains our position and examines in detail an overarching scenario that involves a customer interacting with their bank using VCs for different purposes and in different ways (e.g., both directly and via a revocable token), as well as the possible response and use of the vulnerability information by the bank. We engage with representatives of the financial services sector both in advance and after completion of the system implementation. We follow a qualitative approach, conducting in-depth interviews with a selective group of experts. We refer to Section 5.2 for further discussion of the qualitative research methods used in this work. This qualitative approach provides us with a unique up-to-date view financial services experts have on the topic of financial inclusion, which is arguably increasingly important to their sector given various ethical and societal pressures. This paper is organised as follows. In Section 2, we first discuss with experts how the financial industry currently addresses financial inclusion and vulnerability disclosure. Section 3 then provides an overview of technological approaches to the disclosure of credentials, usually integrated with identity systems. We built a working prototype of vulnerability disclosure using emerging DID and VC technology, on top of the Microsoft Identity Overlay Network, see Section 4. We exposed this to the banking experts and Section 5 provides their responses to the DID and VC based approach. This section also explains the qualitative research methods used (Section 5.1). We conclude the paper with suggestions for policy makers and regulators in Section 6. 
To understand how financial institutions have approached vulnerability in light of the FCA guidance (Financial Conduct Authority UK (2021b)), we accessed stakeholders from the financial services ecosystem. In addition, we spoke to stakeholders of the responsible lending sector, whose clients emanate from disadvantaged and vulnerable cohorts, to understand this space from a business (mainstream and alternate) and client perspective. (See Section 5.2 for more detail on the consulted stakeholders.) We asked the mainstream stakeholders how their organisations perceive vulnerability and explored current procedures to identify the customer group. Current processes were reported as predominantly manual, based on customer phone conversations and chat messages with financial agents. Vulnerability is raised by the customer rather than the agent. A vulnerability can range from a lack of digital literacy to physical and sensitive conditions impacting an individual's financial capabilities. Customers willingly disclose physical conditions, such as blindness or deafness. However, more sensitive conditions, e.g., a mental health issue, are not disclosed because of the associated social stigma. For terminal illness or bereavement, by contrast, customers are again reported as open and engaged in voluntary disclosure. Once vulnerability was confirmed, what happened to the customer's accounts? The term vulnerable is replaced with "additional customer care and support" to avoid negative labelling of customers. In addition, 'flagging' policies are used, with reviews occurring every 12 months. To flag an account, customers and agents liaise to agree on the nature of the vulnerability, how it impacts their financial capacity, the support required and how customer data is stored and used by the institution (UK GDPR compliance).
Flags are read by agents each time the customer accesses services, with flexibility to assign an account manager if account arrears have accrued, and monitored every 3 months. If the issue is resolved the flag is removed. The customer can also request flag removal, and information is no longer stored (cf. GDPR). Thus, stakeholders purport to deliver flexible and tailored customer service for vulnerabilities. We enquired how the engagement process commences with customers in establishing vulnerability. Phone conversations are the current primary route. New functionality is being explored for sensitive conditions. For instance, in relation to mental health conditions, automatic notifications via the Vulnerability Registration Service can inform stakeholders of a vulnerability disclosure with the consent of customers. To compare current processes with verifiable credential technology, we discussed emerging solutions for disclosure: selective disclosure on external cards, or a dedicated vulnerability card. The stakeholders' response was negative: the part of the design that works as a binary disclosure card (i.e., "are you vulnerable - yes or no") was deemed inappropriate because, with insufficient details, stakeholders claimed to be liable to operational risk. (See Section 5 for more on alternative solutions, particularly DID and VC based ones.) Indeed, selective (attribute) disclosure was viewed as aligned with suspicious frequent patterns of fraudulent behaviour. Yet, the experts we consulted suggest that at most half of customers who are vulnerable are captured using the reported manual process. For alternative stakeholders, algorithmic tools are available to onboard customers, ensuring that responsible lending is observed. The response from these stakeholders emerged as technological and behavioural challenges.
From a technology perspective the question was raised whether decentralised technology can or should share profiles with third parties when the transaction data is used for credit decision-making processes. An "aggregation hub" to consolidate the digital profiles and make them accessible for decisioning was suggested. The binary nature of disclosure was also questioned in ensuring how potential different verifiers of credentials demonstrate digital transaction histories for vulnerable customers. From a behavioural perspective, the question was raised how to motivate engagement to track financial behaviour and how to communicate the benefits, especially as citizens may trust the anonymity of cash transactions or M-Pesa in Africa, where a credit history is unnecessary. For decision makers, questions were raised about the risk of collusion and fraud between verifiers, for instance materialising in creating fake profiles. An overarching concern was that of regulatory obligations and how any solution fulfils such obligations from the FCA around Know Your Customer requirements.
To disclose vulnerabilities, identity systems need to be augmented with the ability to associate certain characteristics (also called claims, attributes or credentials) to an identifier. Identity systems have been surveyed extensively, for instance recently in Beduschi (2021), and in this paper we therefore particularly consider the role of credentials within such systems. Cameron (2005) defines digital identity to be "a set of claims made by one digital subject (e.g., a user) about itself or about another digital subject." These claims are asserted truths of a subject, i.e. attributes, including biometric information (e.g. fingerprints), life factors (e.g. date of birth) and qualifications (e.g. degree certificates). A digital identity system is required to reliably deliver identifying information of one subject to another subject while detecting deception.
This process introduces the concept of identity verification, which confirms and establishes a link between a claimed identity and the actual, living person presenting the evidence (Beduschi (2021)). Self-sovereign identity is an emerging type of digital identity which has been widely studied but loosely defined, e.g., Mühle et al. (2018). In the influential work of Christopher Allen (2021), self-sovereign identity is defined to be transportable, which means it cannot be locked down to one site or locale, and self-sovereign identity must also allow ordinary users to make claims, which could include personally identifying information or facts about personal capability or group membership. It can even contain information about the user that was asserted by other persons or groups. Sovrin Foundation is a non-profit global consortium aiming towards building and governing a network of self-sovereign identity (Tobin and Reed (2016)). Their definition of self-sovereign identity highlights three crucial properties: individual control, security and full portability. They also state that "claims made about the user in identity transactions can be self-asserted, or asserted by a third party whose authenticity can be independently verified by a relying party." Decentralised Identifiers are a type of identifier that enables a verifiable, decentralised digital identity, and are based on the self-sovereign identity paradigm of the W3C standardization consortium (World Wide Web Consortium (W3C) (2021)). Verifiable credentials, formerly known as verifiable claims, are defined as the union of different assertions about a self-sovereign identity. Here an assertion is a signed claim bound to an entity. It can be signed by the entity itself, creating the notion of a self-asserted claim. Alternatively, it can be signed by the provider, acting as the trusted third party, creating a provider-asserted claim.
In VC approaches such as (World Wide Web Consortium (W3C) (2021)), DID-based URLs are used for expressing identifiers associated with subjects, issuers, holders and other machine-readable information associated with a verifiable credential, see Figure 1 . Note that in principle verifiable credentials are not dependent on DIDs and DIDs do not depend on verifiable credentials. However, many verifiable credentials implementations adopt DIDs, and software libraries implementing the specification resolve DIDs. The core actors and the relationships between them can be represented with a chain of trust, as in Figure 1 . Issuers create credentials, holders store them, and verifiers ask for proofs of claims based upon them. All entities trust the verifiable data registry to be tamper-evident and to be a correct record of which claims are controlled, by which entities. A distributed ledger (i.e. Blockchain) is used to establish a chain of trust between stakeholders. The holder and verifier trust the issuer to issue legitimate credentials about the subject, and to revoke them quickly when appropriate. The holder trusts the repository to store credentials securely, to not release them to anyone other than the holder, and to not corrupt or lose them while they are in its care. The concept of selective disclosure means that a derived verifiable credential is formatted according to the verifier's data schema instead of the issuer's data schema, without needing to involve the issuer after verifiable credential issuance. This provides a great deal of flexibility for holders to use their issued verifiable credentials, and improves privacy. The management of digital identities has always been regarded as a cornerstone for properly organising resources and services in the Internet era. In the past decades, digital identity technology has evolved from isolated to centralised, then to federated and user-centric, and is now moving towards decentralised models (Zhu and Badr (2018) ). 
In the isolated model, service providers act as both credential provider and identifier provider by controlling the name space for a specific service domain, and allocating identifiers to users (Jøsang and Pope (2005) ). This means the user must manage as many identifiers and credentials (for example passwords) as service providers it transacts with. The drawback of this model is apparent: the user has to memorise the large number of logins and passwords. The user may choose the same password for multiple accounts, but this significantly reduces security levels if any of these servers is attacked and the password is recovered. The centralised model is designed to solve the problems mentioned above (Jøsang et al. (2007) ). The identifier provider in this model centralises digital identity management, which allows several service providers to rely on the same identity provider. Users can use the same identity and credentials to authenticate themselves with multiple service providers, without repeating this process for a new service provider. While the number of identities for each user is significantly reduced in the centralised model, access to distributed services managed by different centralized systems and security domains is still not supported. The federated model groups service providers together to form a federation of identities, enabling service providers to recognise user identifiers and entitlements from other service providers within the same federated domain (Maler and Reed (2008) ). To establish trust relationships among different service providers in this federated domain, both commercial agreements and technology supports are required. Examples of federated identity platform technologies include Shibboleth (Morgan et al. (2004) ), open-source architecture OpenID Connect (Bodnar et al. (2016) ) and WS-Federation by Microsoft and IBM (Goodner et al. (2007)). 
While the above models indeed mitigate the complexity of managing numerous identities across different security domains, they are designed from the perspective of service providers. This means user experience can still be poor when the number of online service providers is increasing (Alpár et al. (2011)). Therefore, user-centric models have been proposed to allow users to take complete control over their personal attributes (Angin et al. (2010)). For example, Jøsang and Pope (2005) propose a user-centric digital identity system which depends on personal trusted devices (e.g. smartphones) to manage users' identities from different domains. OpenID 2.0 is another example of a user-centric digital identity system for web services (Recordon and Reed (2006)), and Suriadi et al. (2009) also follow user-centric design principles to take into account user privacy in identity systems. Ahn et al. (2009) enhance user privacy for user-centric identity systems by applying privacy labels to personal claims. However, in those systems users still have to rely on third parties, the identifier providers, to access services from different domains, which means users' transactions are all exposed to those identifier providers.
Blockchain technology is a critical enabler in addressing the above challenges in digital identity systems (Alharbi and Hussain (2021)). The decentralised trusted nature of blockchain allows users to ensure the privacy and security of their personal data without relying on any third party. Self-sovereign identity is enabled under this type of decentralised model, which grants users the right to selectively disclose their attributes (Toth and Anderson-Priddy (2019)). Christopher Allen (2021) proposes ten principles of implementing self-sovereign identity and Tobin and Reed (2016) further group these principles into three categories: security, controllability, and portability. Examples of such blockchain-based identity systems include uPort (Panait et al. (2020)), which is based on Ethereum, and Blockstack (Ali et al. (2016)).
Verifiable credentials technology is typically integrated with decentralised digital identity systems. In 2019, W3C (World Wide Web Consortium (W3C) (2021)) issued a formal recommendation of verifiable credentials as digital documents issued with digital signatures, which are protected from corruption by asymmetric (public/private key) cryptography. For enhanced privacy, zero-knowledge proofs can additionally be used to reveal only the minimum of information required in an interaction, which is called selective disclosure. For example, a VC holder can choose to disclose a VC only containing the claim of date of birth, which can be used to derive the presented value to be over the age of 18, in a cryptographically verifiable manner. No additional personal information, not even the precise date of birth, needs to be shared. In the age of increasing digital interactions and analysis of user data, self-sovereign identity could become the next stage in the evolution of digital identity systems.
We implemented a verifiable credentials system for vulnerability disclosure based on the World Wide Web Consortium (W3C) standards for DIDs v1.0 and Verifiable Credentials Data Model 1.0, running in an Azure environment. We defined a data model for a new Verifiable Credential type that maps the aforementioned drivers (poor health, impact of life events, low resilience, and low capability) of financial vulnerability to attributes. This allows the presentation of tamper-evident claims that cryptographically prove who issued them, but without the need to disclose the specific details of the vulnerability about which the claim is made. The new credential type that asserts claims about vulnerability criteria, called VulnerabilityStatus-Credential, has been defined with a schema built by extending existing vocabulary already available on the web at schema.org.
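The selective disclosure and tamper-evidence properties described above can be illustrated with salted hash commitments, a simpler technique than the zero-knowledge proofs mentioned in the text. This is an added example, not the prototype's code or the Microsoft VC SDK; the DIDs, attribute names and sample values are constructed, and the over-18 predicate is assumed to be precomputed by the issuer as its own attribute.

```javascript
// Added example: salted-hash selective disclosure over an issuer-signed credential.
// DIDs, attribute names and values below are constructed for illustration.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
// Commitment to one attribute. The random salt stops a verifier from recovering
// undisclosed low-entropy values (booleans, dates) by hashing candidates.
const commit = (salt, name, value) => sha256(JSON.stringify([salt, name, value]));

// Issuer: sign a payload that contains only the attribute commitments.
function issueCredential(issuerDid, issuerPrivateKey, subjectDid, attributes) {
  const disclosures = {};
  const digests = [];
  for (const [name, value] of Object.entries(attributes)) {
    const salt = crypto.randomBytes(16).toString('hex');
    disclosures[name] = { salt, value };
    digests.push(commit(salt, name, value));
  }
  const payload = JSON.stringify({
    // Type name from the text, written without the hyphen (assumption).
    type: 'VulnerabilityStatusCredential',
    issuer: issuerDid,
    subject: subjectDid,
    digests: digests.sort(), // sorted so position does not reveal the attribute
  });
  const signature = crypto
    .sign(null, Buffer.from(payload), issuerPrivateKey) // Ed25519 takes no digest name
    .toString('base64');
  return { payload, signature, disclosures }; // all of this stays in the holder's wallet
}

// Holder: reveal the signed payload plus salt and value of the chosen attributes only.
function present(credential, names) {
  const disclosed = {};
  for (const name of names) {
    if (!Object.prototype.hasOwnProperty.call(credential.disclosures, name)) {
      throw new Error(`unknown attribute: ${name}`);
    }
    disclosed[name] = credential.disclosures[name];
  }
  return { payload: credential.payload, signature: credential.signature, disclosed };
}

// Verifier: check the issuer signature first, then every disclosed attribute
// against the signed commitments. trustedIssuers is a Map of DID -> public key.
function verifyPresentation(presentation, trustedIssuers) {
  let signed;
  try {
    signed = JSON.parse(presentation.payload);
  } catch (err) {
    return { ok: false, reason: 'malformed payload' };
  }
  if (!signed || !Array.isArray(signed.digests)) {
    return { ok: false, reason: 'malformed payload' };
  }
  const issuerKey = trustedIssuers.get(signed.issuer);
  if (!issuerKey) return { ok: false, reason: 'untrusted issuer' };
  const sigOk = crypto.verify(null, Buffer.from(presentation.payload), issuerKey,
    Buffer.from(presentation.signature, 'base64'));
  if (!sigOk) return { ok: false, reason: 'bad signature' };
  const claims = {};
  for (const [name, { salt, value }] of Object.entries(presentation.disclosed)) {
    if (!signed.digests.includes(commit(salt, name, value))) {
      return { ok: false, reason: `attribute not signed by issuer: ${name}` };
    }
    claims[name] = value;
  }
  return { ok: true, issuer: signed.issuer, subject: signed.subject, claims };
}

function demo() {
  const nhs = crypto.generateKeyPairSync('ed25519');
  const trusted = new Map([['did:example:nhs', nhs.publicKey]]);
  const credential = issueCredential('did:example:nhs', nhs.privateKey, 'did:example:holder', {
    dateOfBirth: '1990-04-02',
    ageOver18: true, // predicate computed by the issuer at issuance
    poorHealth: true,
    healthDetail: 'constructed clinical detail',
    lowResilience: false,
  });
  const shown = present(credential, ['ageOver18', 'poorHealth']);
  const accepted = verifyPresentation(shown, trusted);
  // A disclosed value changed after issuance no longer matches any signed commitment.
  const altered = JSON.parse(JSON.stringify(shown));
  altered.disclosed.poorHealth.value = false;
  const rejected = verifyPresentation(altered, trusted);
  const unknownIssuer = verifyPresentation(shown, new Map());
  return { shown, accepted, rejected, unknownIssuer };
}

console.log(demo().accepted);
```

The verifier learns only the two disclosed attributes; the date of birth and the health detail never leave the wallet, yet the issuer's signature still covers them through their commitments.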
We conducted interviews with partners in the financial industry who would verify these credentials to understand how they intend to request and consume them. To ensure interoperability of this credential, feedback from these sessions has been used to refine the credential type, schemas, and URIs for future use in the financial industry. We define user roles, and the relationship between them to establish a triangle of trust between the Holder, the Issuer, and the Verifier (as in Figure 1 ). This trust model of VCs differentiates itself from most other trust models by ensuring that the Issuer and the Verifier do not need to trust the repository, and that the Issuer does not need to know or trust the Verifier. Our software can issue Verifiable Credentials that attest information about users, who can then present the credential enabling claims to be verified. Through the aforementioned engagement with stakeholders and extensive attention to consumer needs, we have defined user-centered workflows that vulnerable users may encounter when trying to access financial services. Figure 1 ) of credentials in the prototype implementation. The architecture leverages services from Microsoft that facilitate the creation, storage, and presentation of Verifiable Credentials on the Identity Overlay Network (ION), which is a public DID overlay network. Two associated Node.js applications have been developed using the Microsoft VC Software Development Kit that issue VCs to end users and verify VCs from end users. The user interface is shown in Figure 2 to provide a sense of how citizens would experience the use of verifiable credentials using a mobile phone. In this section we use expert assessments to evaluate if verifiable credentials are suitable for the disclosure of vulnerabilities (Section 5.2). But first we introduce in Section 5.1 the research methods we used and the research questions we pursue. 
We had good access to stakeholders involved in technology, vulnerable customer engagement and financial inclusion aspects of the finance industry; such access is often a major barrier for research. The expert stakeholders agreed to conduct interviews to evaluate the VC prototype described in Section 4.1. We conducted the semi-structured recorded interviews via Zoom because of Covid-19 restrictions, during the period May to June 2021. Consent forms were distributed, signed, and returned prior to the interviews taking place (see Appendix I in Elliott et al. (2021)). We used a cross-section of representative participants in the financial industry, as suggested by Denis et al. (2001). For availability and confidentiality reasons, we focused on five experts; details of their demographic information are displayed in Table 1 below, maintaining anonymity. Each interview lasted for approximately one hour with some variation, following the protocol designed by the team (see Appendix II in Elliott et al. (2021)). We started our interviews by requesting participants to describe their experience within the financial industry. Next, we presented the FCA's four characteristics driving vulnerability and walked participants through the verification architecture and process from the individual perspective, culminating in Figure 2. In short, the National Health Service (in our example) issues a credential. This credential (among other information) holds some attributes (date of birth, test date, disability, etc.). These attributes can be used to make claims about the holder (e.g., age > 18). The verifier (i.e. a bank) makes a request in order to verify a claim (i.e. enough information for a specific claim).
We explained the caveat that our implementation, based on Microsoft ION technology, currently only permits the sharing of a full credential, whereas selective disclosure (see position paper) posits that only an attribute (or a predicate on an attribute) is required to verify a claim, thus preserving the privacy of the user (a future development in ION). Our subsequent questions focused on evaluating the prototype from the expert's perspective to address our key research questions:
RQ1. How can we promote user adoption of DID and VC technologies in the financial sector?
RQ2. How can we maximise user disclosure of information in a privacy-preserving manner using VCs?
RQ3. How can financial firms use DID/VC technologies efficiently to improve support for vulnerable populations?
Post-interview, the recordings were transcribed and, to ensure participants retain maximum control over their information, transcripts were triangulated via verification with interviewees (Gioia et al. (2013)). We have anonymised parts of the interviews included in this section, to ensure that specific individuals cannot be identified from the data presented. All interviews were conducted by the co-investigator of the research team. Following Strauss (1987) and Corbin and Strauss (2015), we analysed the subsequent data using a "process" coding approach utilising NVivo software (v.12). This is a cyclical approach, where the general meaning of the discussions conducted within the semi-structured interviews is initially categorised (initiation), structured around specific themes (focus) and then reviewed and encoded (axial coding). All the material was reviewed to check that we had grasped what was significant to the interviewee (respondent validation; see Charmaz (2006)). Subsequently, items were reduced into a more manageable form of themes or "sets" (Gioia et al. (2013)).
To further enhance the validity of our findings, we include in the results and discussion extensive verbatim descriptions of the expert's views, to reduce the impact of our own biases. This section presents the participant responses to the DID/VC presentation premised on the experts' experience within the financial services sector, specifically seeking to improve vulnerability support and promote financial inclusion using technological solutions. Participants were asked to consider the question from both a business and community/individual perspective.
RQ1. How can we promote user adoption of DID and VC technologies in the financial sector?
The challenge for the experts in terms of promoting adoption of the technologies in the financial sector is two-fold. First, persuading mainstream and alternate stakeholders that investing in the technologies, training staff etc. would bring a return on investment. Second, gaining the trust of customers to understand and use the application (e.g., a wallet function) to share credentials in the manner described in the prototype presentation. One expert expressed concern that stakeholders would be reluctant to promote the technologies unless the regulators provided a clear indication that such innovation was recommended (at present the FCA vulnerability report is guidance, not compulsory): "[I]t's also getting the FCA to acknowledge, approve, enhance their own requirements from a regulatory perspective for this, the adoption of this [technology]. I think that's absolutely key because as I say whether it's a fully regulated bank or a FinTech, who is sponsored by another third party, another issuer, how many of them are operating in this space? They won't move until the FCA has given its blessing and acknowledges and even promotes the application. . .
But, I think even to pilot something, such as this would be very, very hard to do without the FCA approval" (Male2)
Both industry stakeholders and regulators are included in this description; thus, communication needs to be directed both internally to the stakeholders and to the broader general public by the FCA to facilitate and promote engagement with the technologies and associated benefits. The complexity added by these broader social actors therefore needs to be accounted for in relation to adoption via future collaboration with industry and regulators. A further challenge was raised in terms of the financial stakeholders gathering information via such technologies and the customers being able to trust this party to ensure their data remained safe: "The banks haven't served the wider community well from the financial crash. And the whole reason why we've got open banking is to create more competition for all. . . if they [banks] are given information about a user and do you remember when AIDS was a big thing. . . people wanted to keep HIV private. . . if they had to disclose it from for a mortgage and things like that, and people didn't want to disclose it...with the credentials is, it depends what's in there...[t]rust is everything. And. . . fairness for all sounds trustworthy. I think it's a great title for it" (Female2)
The challenge is compounded by the impact of the global financial crisis (Pedersen (2021)) and recent instances where financial providers have breached regulatory rules around "know your customer", leading to more stringent examination of how providers analyse customer data (cf. Wirecard scandal). This has resulted in "the issuers, financial institutions and FinTechs being particularly. . . very, very nervous and very risk averse" (Male2) and mistrust by customers.
An expert also raised concern over the cyber security aspect from the business perspective, which could influence adoption of the technologies: "[H]ow do you ensure that I'm not a super-hot tech savvy guy? How do I or how does the bank know that I haven't hacked into it [VC] and have just increased my benefits from 30 pounds a month to 5000?" (Male2)
These extracts show two key issues facing financial services providers and customers' trust in adopting technologies. On the one hand, the perspective to be compliant with the FCA regulatory expectations suggests providers are prepared to reserve caution to meet all users' needs. On the other hand, in adopting technologies to garner more customer information, specifically around sensitive vulnerable details, scepticism exists surrounding the banks' motives, vested interests (Alford (1975)) and general mistrust of the sector (Edelman (2019)). The use of experimental sandbox facilities allows for testing of alignment with FCA regulations.
RQ2. How can we maximise user disclosure of information in a privacy-preserving manner using VCs?
For financial services to provide care to vulnerable customers/users, the users will first have to disclose the information pertaining to their vulnerability to the financial institution. However, as mentioned earlier, this sector suffers from mistrust amongst customers and the general public (Edelman (2019)). Therefore, we wanted the experts to consider how we could reassure customers that the technology can move towards the concept of self-sovereign identity (Der et al. (2017)), permitting the customer to control the disclosure of vulnerabilities to the financial institution. As part of the protocol, we asked the experts to reflect on two scenarios regarding facilitating disclosure afforded by the technology.
Scenario 1. Scenario 1 purported that a national vulnerability scheme, e.g., the 'Fairness for All' scheme, is approved and initiated by the FCA.
In short, issuers of a verifiable credential may include financial firms, other firms (e.g. the NHS, universities) and professional individuals (e.g. private doctors). For example, after a visit to the NHS, the NHS will issue the 'normal' VC with all the information that would be included in an NHS certificate, as well as a 'Fairness for All' VC that has limited information (attributes) and is only intended to be shared with financial institutions. Thus, the 'Fairness for All' VC may say that the VC holder is not able to work for the next two months due to a disability but will not disclose any further details about the disability. When the customer interacts with a bank, the bank simply asks for any 'Fairness for All' VCs with a message like "The bank would like access to your credentials based on the Fairness for All scheme - Accept Y/N" and the customer can decide whether to present the VC to the bank.

Scenario 2. Scenario 2 assumed that no public scheme exists as described above. Instead, when a customer interacts with a bank, a general mobile wallet application opens, and a request may appear as "The bank would like access to your verifiable credential repository for the following information: Are you >= 18 years? Do you have a physical disability? Do you have mental health problems? And so forth, Grant access Y/N?" (see Appendix II in Elliott et al. (2021)). We sought the experts' opinion on how best to communicate such questions, tenets of the scheme, the process, and benefits in preserving vulnerable information to the customer/user groups. Furthermore, based on the discussions featured in Section 1, would consideration of a 'vulnerability flag' or 'score' be appropriate for both financial institution and customer vulnerability disclosure needs?
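The issue, present and verify steps of the scenarios above, together with the tampering concern raised by Male2, as an added example that is not part of the paper or of its prototype: the issuer signs salted digests of the attributes with Ed25519, so the customer can withhold attributes and the bank can detect an edited value. It uses salted hashes rather than zero-knowledge proofs, and all function names, attribute names and values are constructed for illustration.

```javascript
// Added illustration: salted-hash selective disclosure for a 'Fairness for All' style VC.
// Function names, attribute names and values are constructed, not taken from the prototype.
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest('hex');
// A random salt per attribute stops a verifier from guessing withheld values by hashing candidates.
const claimDigest = (salt, name, value) => sha256(JSON.stringify([salt, name, value]));

// Issuer (e.g. a health service): signs the scheme name and the sorted salted digests only.
function issueCredential(issuerPrivateKey, scheme, attributes) {
  const disclosures = Object.entries(attributes).map(([name, value]) => ({
    salt: crypto.randomBytes(16).toString('hex'), name, value,
  }));
  const signed = JSON.stringify({
    scheme,
    digests: disclosures.map((d) => claimDigest(d.salt, d.name, d.value)).sort(),
  });
  const signature = crypto.sign(null, Buffer.from(signed), issuerPrivateKey).toString('base64');
  return { signed, signature, disclosures }; // all three are stored in the holder's wallet
}

// Holder: forwards the signed part and only the disclosures the customer accepted to share.
function present(credential, accepted) {
  return {
    signed: credential.signed,
    signature: credential.signature,
    disclosures: credential.disclosures.filter((d) => accepted.includes(d.name)),
  };
}

// Verifier (the bank): checks the issuer signature, then that every revealed claim is covered by it.
function verifyPresentation(issuerPublicKey, presentation) {
  const ok = crypto.verify(null, Buffer.from(presentation.signed), issuerPublicKey,
    Buffer.from(presentation.signature, 'base64'));
  if (!ok) return { valid: false, reason: 'bad issuer signature' };
  const { scheme, digests } = JSON.parse(presentation.signed);
  const claims = {};
  for (const d of presentation.disclosures) {
    if (!digests.includes(claimDigest(d.salt, d.name, d.value))) {
      return { valid: false, reason: `claim "${d.name}" not signed by issuer` };
    }
    claims[d.name] = d.value;
  }
  return { valid: true, scheme, claims };
}

function demo() {
  const issuer = crypto.generateKeyPairSync('ed25519');
  const vc = issueCredential(issuer.privateKey, 'Fairness for All', {
    unableToWorkMonths: 2, // constructed sample attributes
    monthlyBenefitGBP: 30,
    condition: 'withheld from the bank',
  });
  const shown = present(vc, ['unableToWorkMonths', 'monthlyBenefitGBP']);
  const honest = verifyPresentation(issuer.publicKey, shown);
  // The case Male2 describes: the holder edits the benefit from 30 to 5000 before presenting.
  const edited = JSON.parse(JSON.stringify(shown));
  edited.disclosures.find((d) => d.name === 'monthlyBenefitGBP').value = 5000;
  const tampered = verifyPresentation(issuer.publicKey, edited);
  return { honest, tampered };
}
```

The bank needs only the issuer's public key, which in a DID-based deployment would be resolved from the issuer's DID document; that resolution step is outside this sketch.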
In response, one expert felt that current systems provided under the open banking system introduced over the past five years in the financial sector could assist in the demonstration of benefits of disclosure (Omarini (2018)): "[W]hen you're talking about people being reluctant to identify themselves as. . . a vulnerability event. I was thinking. . . GDPR, there are different rules on the data and security. For example. . . we have basic, often very, very basic information on members, but if we started to ask questions such as and more personal questions around. . . whatever it is that is deemed to be sensitive data, then that increases data stored. . . I'm thinking maybe this is open banking at one level, and then maybe there's little offshoots of that, where almost, it's like an option, you can opt into providing the other information that's needed. . . saying this vulnerability factor?" (Female1) In addition, the linkage between the move towards open banking and eventually open life was highlighted in communicating to customers/users the benefits of disclosure to improve individual financial journeys (Sclove (2020)): "A good comms plan around it [technology] to make it user friendly for everybody to understand. But it's pretty intuitive and I think that it could be adopted, I like the thinking about it from a comms point of view, fairness for all, because it's so important now that we have this democracy of life, but also, democracy of technology" (Female2) Specifically, examining the technological use case and benefits, an expert espoused their perspective on VC technologies and the eventual progress to self-sovereign identities: "There shouldn't be any difference between someone that is vulnerable or disabled, as tech enables people to be augmented with more conforming to normality, because tech starts to take those disadvantages away. . .
you can promote being vulnerable [using this technology] in a way that is now enabling better service and better support" (Male1) Furthermore, stating that we should examine history to learn lessons from disability and vulnerability disclosure schemes without revealing the 'full' credential, Male1 responded "I'll use the disabled blue badge and the sunflower lanyard examples - how do we modernize that, my experience with the blue badge, if I'm disabled, is all predicated on me being able to get access and fair access". Hence, as suggested, in future iterations, garnering trust and understanding within communities who already access the above schemes, where credential attributes are commonplace, could assist in championing and advocating the benefits of using VC technologies. In short, this amounts to the digitisation of the previous schemes to assist vulnerable cohorts. An expert embedded within marginalised communities further supported the assertion of "vulnerability and inclusion by design" advocated by Male1, citing that "we work with young people, probably about six to twelve, to do the equivalent of a random control trial and saying, look, you know, this is what we want. This would be good to have our group as testers for such technology. . . you will have the support from people who want to be ambassadors or champions of what you're doing" (Male3). Furthermore, as this cohort utilises social media for communication channels, the expert confirmed their "followers" would trust the communication and awareness would be generated across the most affected groups promoting engagement with VCs. Similarly, the element of trust was raised as pivotal to engendering uptake of new technologies among cohorts where the presumption is a lack of "tech savviness" (Female1). She continued, "we now talk to the majority of our members who do use this open banking, the majority have no problem with it whatsoever. You know, we're not talking on the marginal anymore, people are fine with it.
I think because we are trusted with them (customers)". These excerpts address the perceived difficulty of engaging the target marginal and vulnerable groups, and show that using history and collaboration as a design mechanism to generate trust and adoption is feasible. Whether this causes complexity for the financial institutions who, as we found, are risk averse, especially since the global finance crisis, is beyond the scope of this project but raises areas of research to be explored around the concept of democracy and technology (Sclove (2020)).

RQ3. How can financial firms use DID/VC technologies efficiently to improve support for vulnerable populations?

Finally, we asked the experts to posit themselves as leading a financial institution and to imagine how they could improve the support for vulnerable populations by their organisation, and what would be required based on their experience in introducing technologies. Our expert (Male1) continued with the theme of vulnerability by design in advocating taking lessons learned from the development and implementation of open banking which culminated in application programme interfaces (APIs) becoming understood and accepted technologies by financial providers (mainstream and alternative) and customers. He suggested that firms could "start with the principles of open banking, open, trusted custodian convener, independent, mutual, all of those things are not for profit. All those things that engender trust." Simply put, there is a route to implementation, not too far removed from the recent open banking experience, that applied to VC technology could help financial firms understand how to better identify and support vulnerable customers. Furthermore, the "digital divide" must also be brought into consideration: the VC solution is premised on technological access; however, a workaround may be revealed in working closer with the communities in this cohort (Male1, 2, 3 and see van Dijk (2019)).
In addition, it was revealed that a mainstream provider had been in discussion with one expert in this regard. "A bank was asking that particular question about just sharing the passport number, nothing else. And by that passport number, it will be read and confirmed by the bank" (Male3). He suggests that the mainstream banks are aware that such technologies are under development and that this change is expected to come, hence they are "very much aware of what's going on", based on this incident. Moreover, if financial providers support using technologies to reduce the stigma of "vulnerabilities", "providing that sense of empowerment" is the key phrase to garner support from communities and, for this question, will reduce the mistrust of financial institutions that take the lead or collaborate in this space. This expert considered if financial institutions can use the VC technologies to afford females a "voice and just. . . listen[ed] to them, and how they feel about their finances, they want to be, on top of things, generally, even if they haven't got money. . . this will be welcomed by these women" (ibid.). It could be suggested that the concept of self-sovereign identity releasing attributes of credentials, if offered by banks, as reported from this expert, would enable firms to "get this message across, the best way to do it is in the communities where these vulnerable people live and die" (Male1). Likewise, among those dealing with vulnerable communities and providing responsible lending, the VC technology was viewed as an "extension of the open banking" innovation and no problems were envisaged in their network of similar providers improving their existing provision in supporting vulnerable customers (Female1). Moreover, all experts viewed the prototype positively, including the title 'Fairness for All', which was tackling the "upstream problems" to design better vulnerability solutions.
Based on the empirical work described in this report and the technology insights obtained from the implementation, we outline a set of recommendations for researchers and practitioners in the financial sector when considering the combination of DID and VC technologies, mostly focused on policy development and associated regulatory approaches.

• The tension between fulfilling regulatory requirements and pursuing innovation suggests that without involvement of the regulator, new technologies will find it difficult to gain deployment within the financial sector. From the interviews with experts, we conclude that without a leading role by the regulator (FCA in the UK) there is minimal chance of successful adoption of new technologies such as DID and VC.

• In terms of the importance of regulator support, the experts suggested that the industry can draw from the experience and practices of previous technological solutions to increase user uptake of these technologies. In particular, a comparison was made with Open Banking, which particularly in the UK has been strongly supported by regulatory developments, culminating in the 2017 Payment Services Regulations.

• Policy development and regulatory frameworks are not only relevant as a 'stick' to enforce technological innovation. Regulation also plays an important role in developing societal trust in new technologies, both from the perspective of the value of new functionality and of the implications the deployment of new technologies may have on privacy and safety of consumers. Policy developers must therefore complement technological functionality with sufficient associated safeguards within any proposed policy and regulation.

• The disclosure of sensitive personal data such as vulnerabilities to financial service providers immediately creates challenges related to fulfilling GDPR requirements for the management and security of stored data. We believe that such concerns in part stem from uncertainty about the precise legalities of maintaining certain data, and should not be a show stopper. However, it puts a further onus on financial institutions to provide for trained employees and sufficient support, also expanding the range of data under control of the data controller.

• On the other hand, the use of selective disclosure ensures data minimisation, meaning that data that are not pertinent to a specific function or service are not collected unnecessarily. This, in turn, reduces the privacy and security risks for financial service providers, protects consumers and facilitates compliance with existing regulation. We believe selective disclosure based on zero-knowledge proofs should become commonplace in future disclosure systems.

• Improvement of services for vulnerable consumers should be part and parcel of the business strategy of any financial service institution. Although it may be understandable that experts refer to the regulator to make possible solutions based on DIDs and VCs, they should be proactive in putting in place alternative initiatives to pragmatically improve the way vulnerable customers are served. As part of any Corporate Digital Responsibility strategy one would expect the industry to jointly progress the service quality for vulnerable customers, for instance through the use of a vulnerability registration service or solutions based on the blue badge or sunflower lanyard idea mentioned in Section 5.2.

The area of identification and credential disclosure may see considerable technological developments in upcoming years. In particular with respect to privacy preserving digital disclosure, systems can be expected to keep evolving in coming years to provide increased privacy guarantees while enabling new services. The principles of selective disclosure and self-sovereignty aim to support this objective and therefore deserve further attention and research.
The need to develop consumer trust in proposed technology played a critical role in our expert interviews. Although policy makers and regulators can support building that trust, technological developments should aim to achieve 'trust by design.' That is, systems should be designed such that privacy concerns are met technologically, but, importantly, are integrated in a manner that allows consumers to build trust in the technology, for instance by making transparent to users the benefits of information disclosure and explaining how this information can enable better services and support in a privacy-preserving way.

This paper explored the tension that exists within the financial services industry between the need to fulfil regulatory requirements and the desire to innovate. We studied this dilemma in the context of support for vulnerable customers, which in many jurisdictions is a regulatory requirement and in the UK is supported by guidance from the FCA. Implementing and improving support for vulnerable customers creates conflicts between the need to disclose sensitive personal information, a desire for privacy such as advocated through GDPR and key regulations that pertain to data disclosure (KYC) and management (GDPR). We conclude from our research that to advance support for vulnerable customers all parties need to come together: financial services, citizen representatives as well as regulators and policy makers. Without regulatory support, it will be difficult to enable and gain acceptance for substantive technological innovation, because of the risk averse tendencies of the industry. At the same time, without innovative joined-up contributions from the industry around improved services, it will be impossible to shape a pathway toward more substantial technological innovation, for instance along the line of DIDs and VCs.
Privacy-enhanced user-centric identity management
Health Care Politics: Ideological and Interest Group Barriers to Reform
Blockchain-based identity management for personal data: A survey
Blockstack: A global naming and storage system secured by blockchains
The identity crisis. security, privacy and usability issues in identity management
An entity-centric approach for privacy and identity management in cloud computing
Rethinking digital identity for post-COVID-19 societies: Data privacy and human rights considerations
Towards privacy in identity management dynamic federations
The laws of identity
Constructing Grounded Theory: A Practical Guide Through Qualitative Analysis. Introducing Qualitative Methods series
The path to self-sovereign identity
Techniques and Procedures for Developing Grounded Theory
The dynamics of collective leadership and strategic change in pluralistic organizations
Self-sovereign identity - opportunities and challenges for the digital revolution
19th annual trust barometer: Financial services
Expert feedback on financial inclusion project work
Financial lives 2020 survey: the impact of coronavirus
Guidance for firms on the fair treatment of vulnerable customers
Seeking qualitative rigor in inductive research: Notes on the Gioia methodology
Understanding WS-Federation
Using verifiable credentials to identify vulnerable customers in finance-software design specification
Usability and privacy in identity management architectures
User centric identity management
The Venn of identity: Options and issues in federated identity management
Federated security: The shibboleth approach
A survey on essential components of a self-sovereign identity
Banks and FinTechs: How to develop a digital open banking approach for the bank's future
Analysis of uPort Open, an identity management blockchain-based solution
Financial Technology: Case Studies in FinTech Innovation
OpenID 2.0: a platform for user-centric identity management
Democracy and technology: an interview with Richard Sclove from
Identifying and supporting financially vulnerable consumers in a privacy-preserving manner: A use case using decentralised identifiers and verifiable credentials
Qualitative analysis for social scientists
A user-centric federated single sign-on system
The inevitable rise of self-sovereign identity
Self-sovereign digital identity: A paradigm shift for identity
The Digital Divide
World Wide Web Consortium (W3C) (2021)
A survey on blockchain-based identity management systems for the Internet of Things

Data Availability Statement. The code of the VC system is available from GitHub, e.g., through the web site http://www.fintrustresearch.com. Reports ) and ) are also available from the web site.

Ethical Standards. The research meets all ethical guidelines, including adherence to the legal requirements of the UK.

Author Contributions. K.E. compiled and authored an earlier version of this paper (as project deliverable for the Finclusion project); A.v.M. was main author of this submitted paper with contributions from H.W. (technology survey), Z.M. and T.S. (policy considerations); D.H. and S.F. implemented and authored the description of the VC software; E.C. and P.E. were the main designers of the research effort based on the Knowledge Transfer Partnership with Atom Bank; K.C., M.N., K.E. and T.S. designed the qualitative study, while K.E. and T.S. conducted the interviews. All authors reviewed the manuscript.