Ramblings from the keyboard of NavinK

Sunday, February 3, 2008

Trust Ratings

The story thus far can be summarised with the following key points:

  • Identity Management has traditionally been viewed as necessary for compliance with regulation and also as a driver for cost reduction and efficiency of operations (à la enabling smoother provisioning and de-provisioning of user credentials).
  • Customer Management, through CRM products, has been viewed as necessary for marketing and cross-selling of services and products.
  • The concept of trust can be (coarsely) measured by mining the data that is collected over time as a Subject transacts with a Relying Party.
  • Identity Management becomes exciting to business people when it is shown to relate to their primary, revenue generating processes. Relating Identity Management to Trust via a trust rating is what allows this connection to become obvious.

The concept of a trust rating is not new. eBay has been using it for a while to enable a more satisfactory experience for its customers. Their version of a trust rating is captured in their Feedback score. On each transaction, buyers and sellers rate each other on a simple scale of Negative, Neutral or Positive. eBay provides the number of transactions that a user has conducted next to their username and provides an easy link from this number to data about the user and, in particular, the proportion of transactions that were rated Positive. A Relying Party assesses the trustworthiness of the Subject they want to transact with by taking into consideration these two parameters, which essentially encapsulate the transaction history of the Subject. They accept the risk of a transaction because they can develop a reason to trust the person they are about to transact with.

The eBay trust rating is simple, quite coarse in its measurement, and by no means infallible. However, it is a simple and effective first step towards introducing a mechanism for communicating trust in the closed and controlled environment that is the eBay marketplace.

In general, every system will have its own definition of trust rating - one that captures the general health of the transaction history of the Subjects in the system. Let us design a simple trust rating for an Internet banking application, taking the perspective in which the Relying Party is the bank and the Subject is a customer. First we need to measure the health of the transaction history of the customer - define a Customer Transaction Index (CTI) that takes values of Negative, Neutral and Positive where:

  • Negative corresponds to a bad transaction history - e.g. the customer has had more than 2 instances of an overdrawn account (account balance negative);
  • Neutral corresponds to a lack of transaction history (a new customer) or no more than 2 instances of an overdrawn account;
  • Positive corresponds to a transaction history that involves at least 3 months of transactions and has no instances of an overdrawn account.

Also, assume that the business intelligence products used by the bank are able to measure whether a customer is profitable or not. Then, the trust rating for this system can be a function of the CTI and the profitability of a customer via the following (draw a simple table to see this more clearly - I will get around to having one here shortly):

  • Trust rating = 1 (lowest) if the Subject has CTI = negative or if CTI = neutral and the Subject is not profitable;
  • Trust rating = 2 (medium) if the Subject has CTI = neutral and they are profitable, or, if their CTI = positive and they are not profitable;
  • Trust rating = 3 (highest) if the Subject has CTI = positive and they are profitable.

Clearly the CTI and trust rating would have to be recalculated at regular intervals (say, monthly).

Now, the delivery of the Internet banking service can be tailored to accept more risk for customers with trust rating = 3 and less risk for customers with trust rating = 1. For example, the daily limit for payments might be increased by 20% for customers with trust rating = 3 or a periodic bill payment that might result in an overdraft can be honoured (within reason!) and trigger an e-mail or SMS communication to the customer that informs them of the overdraft.
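
The CTI rules, the trust rating and the 20% limit increase described above can be written as one small policy function. This is an added example, not code from the original post; the names (`History`, `customer_transaction_index`, `trust_rating`, `daily_payment_limit`), the rule precedence, the unchanged limit for ratings 1 and 2, and the sample customers are assumptions.

```python
from dataclasses import dataclass
from enum import Enum


class CTI(Enum):
    NEGATIVE = "negative"
    NEUTRAL = "neutral"
    POSITIVE = "positive"


@dataclass(frozen=True)
class History:
    months_of_transactions: int  # length of the transaction history
    overdraft_instances: int     # times the account balance went negative
    profitable: bool             # supplied by the bank's BI tooling


def customer_transaction_index(h: History) -> CTI:
    # Reject impossible input instead of silently rating it.
    if h.months_of_transactions < 0 or h.overdraft_instances < 0:
        raise ValueError("history counters cannot be negative")
    if h.overdraft_instances > 2:
        return CTI.NEGATIVE
    # Assumed precedence: a clean history of 3+ months also satisfies
    # "no more than 2 overdrafts", so Positive is tested before Neutral.
    if h.months_of_transactions >= 3 and h.overdraft_instances == 0:
        return CTI.POSITIVE
    return CTI.NEUTRAL  # new customer, or 1-2 overdrafts


def trust_rating(h: History) -> int:
    cti = customer_transaction_index(h)
    if cti is CTI.NEGATIVE:
        return 1
    if cti is CTI.NEUTRAL:
        return 2 if h.profitable else 1
    return 3 if h.profitable else 2


def daily_payment_limit(h: History, base_limit_cents: int) -> int:
    # Only the 20% uplift for rating 3 comes from the post; ratings 1 and 2
    # keep the base limit here (assumption). Integer cents avoid float error.
    if trust_rating(h) == 3:
        return base_limit_cents * 120 // 100
    return base_limit_cents


# Constructed sample customers, not real data.
NEW_PROFITABLE = History(1, 0, True)
LONG_CLEAN_PROFITABLE = History(12, 0, True)
REPEAT_OVERDRAWN = History(24, 3, True)
```

Run monthly over each customer record, this gives the recalculated rating and the limit to enforce until the next recalculation.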

This kind of mechanism will provide the bank with the ability to enhance its service delivery for those customers who it wants to keep and wants to reward for being well behaved. Unlike the current state of online service delivery, not all customers will be presented with the same service experience - the fact that they will be acknowledged and rewarded for being "trusted customers" will only go towards increasing their loyalty to the bank. This will only increase customer retention and brand strength.

First posted on Thursday, July 13, 2006 at 08:38PM


Creative Commons License
This work by Navin Keswani is licensed under a Creative Commons Attribution-Share Alike 2.5 Australia License.