Phones used to be things that people had in their homes, or on their desks. They were used by people who wanted to talk to each other but who did not want to meet in person. Life was a lot simpler then. Nobody could be sure who would answer a telephone. Now they are sure of who uses a certain phone. A phone used to be associated with a place; now it is associated with a person. In the process, your telephone number became like a national ID number, or a social security number, or a passport number. Your telephone number has become another way of referring to you. Why does this matter to risk and assurance professionals who work for telcos? Because they are now in the identity business. Whether they make money from it or not, their telcos must spend money on verifying who customers are, not just for the sake of the telco, but also for the sake of every other organization that has started to depend on the telco. The stakes have been raised, and that is why crimes like SIM swapping have become so much more popular.
Telcos could treat the burden of managing customer identities as a cost center. But they can also treat it as a profit center. A personalized advert is worth paying for only if relevant information is already known about the recipient. All the talk about monetizing data is essentially an exploration of how to make money from knowing who your customers are. And there is no more lucrative way to make money than from handling other people’s money. That is true whether the customer is a Kenyan using mobile money to pay an electricity bill or a European who uses an app on their smartphone to move money from their bank account to their credit card provider. However, telcos make more money from some of these scenarios from others. We can just sell the bits and bytes of internet connectivity, or we can be more engaged with the service, and hence take a larger share.
The danger for telcos is that we take more of the burdens, and the costs, whilst not obtaining the associated revenues. Because we are in the identity business, whether we chose to be or otherwise, then banks and others will place reliance on us. We might not choose to be as reliable as they would like us to be, but making that choice hurts our business too. Stepping up the value chain is the way to safeguard our business and find new sources of revenue. It will also help us to manage the overheads we will be forced to endure anyway.
One of the best sessions at the RAG Johannesburg conference involved Douglas Jardine of Vodacom speaking about the various new kinds of risks his assurance team covers, as a result of Vodacom’s venture into mobile money. I enjoyed it because I was learning from it. Doug could be almost apologetic about the sophistication of the controls his team put in place, but dealing with foreign exchange risk is a step up from what many assurance professionals are used to. There was a profound contrast between Doug’s matter-of-fact explanation of what his team was doing, and my experience of some conferences in the first world. I see little value in traveling to North America to hear somebody describe the automated switch-to-bill reconciliation they have implemented, when I might otherwise travel to Africa and listen to manual controls for mobile money. The amount spent on technology is not an indicator of which business has the more advanced business model, and so does not signal who has most to teach about risk mitigation.
Listening to what Doug and my friend Joseph Nderitu have said about telcos managing the risk of financial transactions reminded me that Commsrisk needs to keep changing to remain relevant. That is why digital payments have been added as a new category of topics covered by Commsrisk. Joseph keeps wanting to write about the topic, and I am glad he does, because I am in the position of the student, not the teacher. As happy as I am that Joseph is writing about digital payments on a regular basis, it becomes obvious we need more articles about identity management too, and so much work is taking place in this area that they might be split out from the much broader category of fraud and security. However, I have yet to find an author willing to take up the challenge, even though there is an evident need for telcos to improve.
Like it or not, telcos are in the business of managing identities and managing money. We may just enable others in such a meager way that we receive as small as share of the returns from the total economic system as a road builder watching a Lamborghini zoom along the tarmac they laid down. We will still need to endure costs and liabilities, which includes being held responsible for the times a car slides off the road, or a customer has their bank account raided because somebody else successfully gained control of their phone. They say Porsches have good brakes because they allow the driver to go faster. Telcos also need excellent risk mitigation if we are to go faster, and further, and take a share of the commercial opportunities built upon the networks we manage. That means telco risk managers are in the business of managing identity risk and financial risk too, whether they like it or not.