
iSignthis - eKYC - eMerchant Acquiring and Identity Risk


Page 1: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

JOHN KARANTZIS

CEO & Managing Director iSignthis Ltd (ASX : ISX)

Acquiring & Identity Risk

Page 2: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Founded 2013, listed on the ASX March 2015, under code “ISX”.

•  Retail eKYC: to remotely identify, verify and onboard retail customers resident in over 200 countries, reaching over 3Bn persons.

•  Acquiring eKYC: to remotely identify and verify directors, UBOs and Key Controllers of merchants.

•  eWallet onboarding: AML & SecuRe Pay card verification for onboarding.

•  Strong Customer Authentication & Transaction Monitoring: to meet AML and the EBA’s security of internet payments (“SecuRe Pay”) requirements.

About iSignthis

Page 3: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Guiding Principle for FATF legislative model jurisdictions “Customer due diligence measures shall comprise: Identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;”

Applicable throughout the payment processing chain for regulated services.

Establishing (natural person) Identity : FATF Recommendations #5

Page 4: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Identity & Regulation

•  Globally, AML Regulations require:

•  acquirers to identify their e-merchants as part of customer due diligence / know your customer (KYC);

•  monitoring of transactions.

•  In the SEPA, the EBA’s SecuRe Pay guidelines reinforce this obligation. Payment Services Directive 2 (when passed by parliament) will mandate this, and further requirements.

•  The ECB’s SecuRe Pay recommendations & policy position with regard to “one leg out” authentication of customers outside the EEA.

Page 5: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Acquiring Risk

•  Merchant corporate structures are readily identified

•  AML requirements now move beyond the corporate structure to identification of the natural persons who are the UBOs and Key Controllers/Directors.

•  The challenge (and the risk) is in the verification and KYC of those natural persons.

•  For merchant on-boarding, KYC of multiple natural persons is complex and time consuming.

•  What about merchant customers on your network? How can we help them together?

Page 6: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Options: Establishing Identity (diagram: options plotted LOCAL vs GLOBAL against MANUAL vs AUTOMATED; axes labelled Customer Ease, Lower Cost, Lower Friction, Remote on-boarding)

Manual, local:

•  Face to face checks

•  Notarised: posted/uploaded documents*

Automated, local: ‘Experian’ or ‘GBGroup’ style static credit database search (UK, US, AU)

•  No dynamic means to include a customer on request if not already a historic customer of a credit reporting agency.

•  Requires cross check of other databases.

•  Typical coverage of 60% of online applicants.

Automated, global: iSignthis

•  >3Bn accessible global payment instruments.

•  No need for the user to disclose bank details to a third party.

Page 7: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Trend towards using webcams or non-certified images.

Is there a legal basis to rely upon physical documents transformed by a non-issuer / third party?

•  NO! This approach is specifically prohibited, or not endorsed, by regulators in many jurisdictions:

•  Eg, Germany (AML legislation s6(2)(b)), HKG (GN33 @ 4.12.2), Singapore (MAS Guidance Note @ 33), Australia (AML Regs), Korea (AMLCTF Reg 39), UK (AML2007, 14(2)(c)), Canada (AML Rules Sch 7)

•  We could not find direct support in any EU, Australian or Asian AML/CTF regulation for the concept that digital transformation of documents to data constitutes a reliable source of data – unless a certification process is carried out by a qualified person.

Transforming – Physical Documents

Page 8: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Breach examples shown on the slide: breach size 80m, Jan 15; breach size 1m, Nov 14.

Static database – electoral, credit, passport, drivers licence.

Relies on the “Non Public Approach”: Knowledge Based Authentication (KBA), a comparison of collected data to the database.

Issues

•  Limited reach of persons that can be identified.

•  Highly localised; no global approach.

•  Much of the data is public or easily obtained.

•  No revocation means if, say, a wallet is stolen or a mailbox compromised.

•  Data may not change between KBA checks, making ongoing due diligence risible.

•  Susceptible to ghosting and/or takeover.

•  Simple to ‘reverse’ or social engineer the KBA.

•  Once breached, re-credentialing of individuals is difficult – the data becomes “public” – what now?

Static Database Electronic Verification (Non Public Approach)
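The slide's objections to static KBA (no revocation, replayable once breached, no change between checks) come down to the answers being long-lived facts rather than fresh secrets. The following is an added example, not iSignthis code and not a description of how iSignthis performs its dynamic KBA, which the deck does not spell out. It contrasts a static "non public approach" check (answers compared to a database record) with a generic dynamic challenge: a random, single-use, expiring code delivered over a channel only the account holder controls (for instance, a code carried in a payment to the claimed card). The database record, account reference and fake clock are all constructed for the example.

```python
"""Static KBA versus a dynamic single-use challenge (added example, not iSignthis code)."""
import hashlib
import hmac
import secrets
import time

# Constructed record of the kind a credit-bureau style KBA queries. Once this
# record leaks, every field in it is "public" and nothing here can be rotated.
STATIC_DB = {
    "alice": {"dob": "1980-01-01", "postcode": "3000", "prev_address": "1 Collins St"},
}


def static_kba_verify(user, answers):
    """Static KBA: compare presented answers with the stored record.

    Anyone holding the record passes, today and forever; there is no revocation.
    """
    rec = STATIC_DB.get(user)
    if rec is None:
        return False  # limited reach: no record, no way to verify this person
    return all(hmac.compare_digest(rec[k], v) for k, v in answers.items())


class DynamicChallenge:
    """Generic one-time challenge bound to an account the person demonstrably controls."""

    def __init__(self, ttl_seconds=600, max_attempts=3, clock=time.time):
        self.ttl = ttl_seconds
        self.max_attempts = max_attempts
        self.clock = clock
        self._key = secrets.token_bytes(32)  # server-side MAC key; codes are never stored in clear
        self._pending = {}                    # challenge id -> state
        self._revoked = set()                 # accounts reported stolen / compromised

    def _mac(self, code):
        return hmac.new(self._key, code.encode(), hashlib.sha256).digest()

    def revoke(self, account_ref):
        """Revocation: drop outstanding challenges and refuse new ones for this account."""
        self._revoked.add(account_ref)
        for cid in [c for c, s in self._pending.items() if s["account"] == account_ref]:
            del self._pending[cid]

    def issue(self, account_ref):
        """Return (challenge_id, code). The code goes out-of-band to the account holder."""
        if account_ref in self._revoked:
            return None
        code = f"{secrets.randbelow(10**6):06d}"
        cid = secrets.token_hex(8)
        self._pending[cid] = {
            "mac": self._mac(code),
            "expires": self.clock() + self.ttl,
            "attempts": 0,
            "account": account_ref,
            "used": False,
        }
        return cid, code

    def verify(self, cid, presented):
        """Single use, time limited, attempt limited; a 6-digit code is only safe with all three."""
        state = self._pending.get(cid)
        if state is None or state["used"]:
            return False
        if self.clock() > state["expires"]:
            del self._pending[cid]
            return False
        state["attempts"] += 1
        if state["attempts"] > self.max_attempts:
            del self._pending[cid]  # lock out online guessing of the code space
            return False
        ok = hmac.compare_digest(self._mac(presented), state["mac"])
        if ok:
            state["used"] = True
        return ok


class FakeClock:
    """Constructed clock so expiry can be exercised deterministically."""

    def __init__(self, start=1000.0):
        self.t = start

    def __call__(self):
        return self.t


def run_demo():
    """Constructed scenario: the static record has leaked; what can an attacker do under each scheme?"""
    leaked = dict(STATIC_DB["alice"])  # attacker's breached copy of the record
    results = {"static_replay": static_kba_verify("alice", leaked)}  # True: indistinguishable from Alice

    clock = FakeClock()
    dyn = DynamicChallenge(ttl_seconds=600, max_attempts=3, clock=clock)
    account = "card-ending-4242"  # constructed account reference

    cid, code = dyn.issue(account)                       # only the real holder sees `code`
    results["dynamic_genuine"] = dyn.verify(cid, code)   # True
    results["dynamic_replay"] = dyn.verify(cid, code)    # False: already used

    cid2, code2 = dyn.issue(account)
    for _ in range(3):
        dyn.verify(cid2, "000000")                       # online guessing
    results["dynamic_locked"] = dyn.verify(cid2, code2)  # False: locked out after 3 attempts

    cid3, code3 = dyn.issue(account)
    clock.t += 601
    results["dynamic_expired"] = dyn.verify(cid3, code3)  # False: challenge expired

    dyn.revoke(account)                                  # holder reports the card stolen
    results["dynamic_revoked"] = dyn.issue(account) is None  # True: no further challenges
    return results


if __name__ == "__main__":
    for name, value in run_demo().items():
        print(f"{name}: {value}")
```

The point the code makes is structural rather than cryptographic: with static KBA the verifier has nothing to revoke, because the "secret" is the person's history; with a dynamic challenge the secret is minted per check and dies after one use, one window and a bounded number of guesses, and the account it was delivered to can be blocked when the slide's "wallet stolen" case occurs.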

Page 9: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Consider the following factors

•  (a) its accuracy;

•  (b) how secure it is;

•  (c) how the data is kept up-to-date / its recency

•  (d) how comprehensive the data is

•  (e) whether the data is maintained by a government body or pursuant to legislation; and

•  (f) whether the electronic data can be additionally authenticated

What is a reliable source of data?

Page 10: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Dynamic Re-Use of Bank ID (Principles based) / Dynamic KBA (diagram). Flow shown: Physical identification and proof of identity documents → e-payment account (accounts are unique; opened under regulated AML, so the account identifies the person) → verify the account → once verified, the account is a “reliable” source for EV (AML) → KYC identity, sanction screen + monitor → validate data against secondary sources of data. Reach shown: 170m people, 200 countries.

Page 11: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Payment Data: Merchant, Acquirer, Card Details, Name, Amount, Time, Place, IIN Data + Country of issue

Authentication + Validation Data: Geodata, device data, SAD, phone number, SMS

Device Data: MAC, IMEI, CPE, Language, OS

Network Data: IP Address, Carrier, Channel, route, Cell Tower

Delivery Data: Address, Phone

Under EU law, all of this is PII – identifiable to a person. Under US law, taken as a whole, this is also PII – it identifies a person.

Transactional Approach: Metadata is the DNA of a payment message

Page 12: iSignthis - eKYC - eMerchant Acquiring and Identity Risk


KBA Example: iSignthis & PayPal

Page 13: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Private Sector: Who else needs Identity? Helping your customers

Payment Processing

•  Payment processors: compliance requirement for AML KYC and/or ECB SecuRe Pay.

•  eMerchants in the SEPA/EU28 as part of the ECB’s Strong Customer Authentication.

Financial

•  Stock Brokers

•  Financial Systems requiring two factor authentication technology

•  Banks (incl debit, card issuers)

•  Commodity/Bullion Brokers

•  Crypto Currency Exchanges (e.g. bitcoin)

Professional Services

•  Real Estate Sales/Rental Agents

•  Travel Agents (US Patriot Act)

•  Life Insurers

•  Accountants/Auditors/Lawyers

•  Financial Advisors/Super Funds

Others

•  eWallets/mWallet Providers

•  Money remittance p2p

•  Loan/Pawn Providers

•  eCasino/eGaming/eWagering

•  Any business routinely trading > US $10k/transaction

•  Currency Exchange

Page 14: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

Conclusions

•  Regulation is becoming more onerous.

•  As transactions increase, scalability, automation and remote identification influence risk and viability.

•  Opportunities exist to streamline processes.

•  Use of your own processing networks can provide a basis for KYC of natural persons.

•  The payment network can be used to onboard your merchants’ end customers as a value added service.

Page 15: iSignthis - eKYC - eMerchant Acquiring and Identity Risk

www.iSignthis.eu +61 3 8640 0990

[email protected]

Thank you!