Text of iSignthis - FIS Global Banking Perspectives Conference
1. Transactions driving eKYC for Identity: A global approach to remote electronic verification
Presented by: John Karantzis B.E., LL.M, M.Ent, FIEAust, Managing Director, iSignthis Ltd (ASX: ISX)
2. iSignthis 2015. Today's Presentation
1. Identity? What is it?
2. Private Sector: Who needs identity?
3. Regulatory Approaches to EV of Identity: i. European Union; ii. United Kingdom; iii. France and Belgium; iv. Australia
4. How do we establish identity? a. Physical Documents; b. Static Electronic Verification; c. Dynamic Electronic Verification
5. Key Takeaways
3. Key Terminology
AML = Anti Money Laundering
CTF = Counter Terrorism Funding
KYC = Know Your Customer (legal identity standard)
FATF = Financial Action Task Force, the policy and coordination body for monitoring the world's financial networks. Members include US, China, EU28, Australia, Argentina, Hong Kong, Japan, South Africa, Russia, Brazil, Canada, Singapore, India, Mexico, Turkey and ~100 aspirant countries. http://www.fatf-gafi.org
Regulated Entity = any entity regulated under AML/CTF law, including banks, exchanges, commodity/bullion/stock brokers, eWallets/mWallets, payment processors, wagering/betting/casinos, p2p remittances, forex, real estate agents.
4. What drives the need for e-Identity? Transactions!
People are identified when they want to do something: buy, sell, trade, receive goods and services. The internet means we need to adapt how we approach identity.
Regulated (online) transactions are subject to:
Financial Identity: Know Your Customer (KYC) under AML/CTF law, a.k.a. Bank Secrecy Act
Privacy / Data Protection law
Compliance with AML law is a stay-in-business requirement. Doing things well reduces compliance costs and enhances the customer experience. Massive fines for non-compliance, including the corporate death penalty.
5. 1. What is Identity?
A lawful or legally standing association, corporation, partnership, proprietorship, trust, or individual. Has legal capacity to: enter into agreements or contracts, assume obligations, incur and pay debts, sue and be sued in its own right, and be accountable for illegal activities.
6. 2. Private Sector: Who needs Identity? (Stay-in-business regulatory requirement)
Payment processors: compliance requirement for AML KYC and/or ECB SecuRE Pay.
eMerchants in the SEPA/EU28 as part of the ECB's Strong Customer Authentication.
Stock Brokers
Financial systems requiring two-factor authentication technology
Banks (incl. debit, card issuers)
Commodity/Bullion Brokers
Crypto Currency Exchanges (e.g. bitcoin)
Real Estate Sales/Rental Agents
Travel Agents (US Patriot Act)
Life Insurers
Accountants/Auditors/Lawyers
Financial Advisors/Super Funds
eWallet/mWallet Providers
Money remittance p2p
Loan/Pawn Providers
eCasino/eGaming/eWagering
Any business routinely trading > US $10k/transaction
Currency Exchange, Payment Processing, Financial Professional Services, Others
7. 2a. Private Sector: Who needs Identity?
(Positioning chart, reconstructed from the slide's labels. Axes: Customer Ease and Lower Cost. Rows: LOCAL / GLOBAL; columns: MANUAL / AUTOMATED.)
LOCAL, MANUAL: Notarised posted/uploaded documents*; face-to-face checks.
LOCAL, AUTOMATED: Experian or GBGroup style static credit database search (UK, US, AU). No dynamic means to include a customer on request if not already a historic customer of a credit reporting agency. Requires cross check of other databases. Typical coverage of 60% of online applicants.
GLOBAL, AUTOMATED: iSignthis + PayPal. >3Bn accessible global payment instruments. No need for users' disclosure of bank details to a third party. Lower friction, remote on-boarding.
8. 3. Regulatory approaches to identity
1. Specific Type Approach: regulations specifically state the means or what must be done.
2. Non Public Approach: regulations seek to make use of information that is not in the public domain to identify a person.
3. Principles Based Approach: state the outcome rather than the means. The means may include elements of Specific Type and Non Public, as well as other means.
4. FATF risk based approach favours a move towards the Principles Based Approach.
9. 3a. FATF Recommendation #5 (Principles Based Approach)
Guiding principle for FATF legislative model jurisdictions. Customer due diligence measures shall comprise: identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source.
10. 3b. What is a reliable source of data?
Consider the following factors with regard to data: (a) its accuracy; (b) how secure it is; (c) how the data is kept up-to-date / its recency; (d) how comprehensive the data is; (e) whether the data is maintained by a government body or pursuant to legislation; and (f) whether the electronic data can be additionally authenticated.
11. 2c. How do we establish identity? Two ways:
(i) Face to Face from reliable document sources, normally using government issued photo identity documents. Typically, we look for: Proof of Identity (POI): birth certificate, marriage certificate. Evidence of Identity (EOI): government issued ID or bank accounts/cards. Social Footprint: utility bills, payments, insurances.
(ii) Electronic Verification (EV) from reliable data or information sources.
12. 3 (i). Identifying the customer (UK JMLSG)
Regs: 5(a) and (c), 7(1)(a) and (b), 7(3), 9(2), 14(2) and 14(4).
One match on an individual's full name and current address; and a second match on an individual's full name and either his current address or his date of birth.
Regs 5.3.36 to 5.3.39: positive information, negative information and data from multiple sources and across time / qualitative checks that assess the strength of the information provided.
13. 3 (ii). Identifying & Verifying the customer (FRA & BEL)
Identifying a customer is defined as collecting AND verifying these elements: first name; last name; place of birth; date of birth. Data source: either government, or subject to EU AML/CTF obligations, or third country equivalent.
14. 3 (iii). Identifying and Verifying the customer (AUS)
The reporting entity must collect and verify the following KYC information: i. the customer's full name; and collect both of, but verify either/any one of: a. the customer's date of birth, or b. the customer's residential address.
15. 3 (iv). Summary: # of Attributes to be Verified.
(Bar chart, scale 0 to 7; labels read in order: AUS/UK/US/SE: Name + Address, or Name + DoB. IT/FR/BG: Name + Address + DoB. KOR, HKG, SGP: Name + Address + DoB + Nationality + GovID, with SGP also requiring Contact Details.)
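The three verification rules summarised on slides 12 to 15 (UK JMLSG two-match rule, FR/BE collect-and-verify of four attributes, AUS full name plus one of DoB or address) can be expressed as a small rule engine. The code below is an added illustration, not iSignthis's product or any regulator's reference code; the `Match`/`Customer` types, the source names and the sample customer are constructed for the example, and it assumes that the two UK matches must be backed by two distinct sources.

```python
"""Jurisdiction-specific KYC verification rules as a small rule engine.

Added illustration, not iSignthis's product or any regulator's reference
code. A Match records which attributes one reliable source confirmed
together; the rule functions encode the slide summaries for the UK (JMLSG),
France/Belgium and Australia. Assumption: the two UK matches must come
from two distinct sources.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Match:
    """One verification event: `source` confirmed all of `attributes` together."""
    source: str
    attributes: frozenset


@dataclass
class Customer:
    collected: dict                          # attribute -> value the customer supplied
    matches: list = field(default_factory=list)

    def verified(self, *attrs: str) -> set:
        """Sources that confirmed every one of `attrs` together (not piecemeal)."""
        need = frozenset(attrs)
        return {m.source for m in self.matches if need <= m.attributes}


def uk_jmlsg(c: Customer) -> bool:
    """UK JMLSG: one match on full name + current address, and a second match
    on full name + address or full name + date of birth."""
    first = c.verified("full_name", "address")
    second = c.verified("full_name", "address") | c.verified("full_name", "dob")
    # Assumption: the two matches must come from at least two distinct sources.
    return bool(first) and len(first | second) >= 2


def fr_be(c: Customer) -> bool:
    """FR/BE: first name, last name, place of birth and date of birth must all
    be collected AND verified."""
    required = ("first_name", "last_name", "place_of_birth", "dob")
    return all(a in c.collected for a in required) and all(c.verified(a) for a in required)


def aus(c: Customer) -> bool:
    """AUS: collect full name, DoB and residential address; verify the full
    name and at least one of DoB or address."""
    required = ("full_name", "dob", "address")
    if not all(a in c.collected for a in required):
        return False
    return bool(c.verified("full_name")) and bool(c.verified("dob") or c.verified("address"))


def evaluate(c: Customer) -> dict:
    """Outcome of each jurisdiction's rule for one customer record."""
    return {"UK": uk_jmlsg(c), "FR/BE": fr_be(c), "AUS": aus(c)}


# Constructed sample: names, values and sources are fictitious.
SAMPLE = Customer(
    collected={"full_name": "A. Example", "first_name": "A.", "last_name": "Example",
               "dob": "1980-01-01", "address": "1 Sample St", "place_of_birth": "Sampleton"},
    matches=[
        Match("electoral_roll", frozenset({"full_name", "address"})),
        Match("bank_statement", frozenset({"full_name", "address", "dob"})),
    ],
)
# Same customer with only one source: fails the UK two-source rule, passes AUS.
SINGLE_SOURCE = Customer(collected=SAMPLE.collected, matches=[SAMPLE.matches[1]])

if __name__ == "__main__":
    print(evaluate(SAMPLE))          # {'UK': True, 'FR/BE': False, 'AUS': True}
    print(evaluate(SINGLE_SOURCE))   # {'UK': False, 'FR/BE': False, 'AUS': True}
```

The FR/BE rule fails for the sample because neither source confirmed first name, last name and place of birth as separate attributes, which is the point of the chart on slide 15: the same evidence can satisfy one jurisdiction's standard and fall short of another's.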
16. Identity Proofing
17. 4a (i). Approach 1: Physical Documents (Challenges: Authenticity, Validity, Transformation, Verification)
The EU's Public Register of Authentic Identity and Travel Documents Online (PRADO) recommends: When checking security features of documents: FEEL, LOOK, TILT! And check the validity of document numbers [via] the list of links to websites with information on invalid document numbers.
http://prado.consilium.europa.eu
en.wikipedia.org/wiki/European_driving_licence
18. 4a (i). Transforming Physical Documents (Challenges: Authenticity, Validity, Transformation, Verification)
Trend in some countries towards using webcams or non-certified images. Scanners/webcams can't look, feel, tilt; so how valid, reliable or independent is the uploading of identity document(s)? How reliable is a comparison of a photo on such a document via webcam? There is no EU or global register of stolen credentials; how is the validity of these documents checked? Can a document be transitioned from physical to become data or information without verification as to its reliability or validity by the issuer?
19. 4a (ii). Transforming Physical Documents
Is there a legal basis to rely upon non-issuer/third party transformed physical documents? NO! This approach is specifically prohibited or not endorsed by regulators in many jurisdictions, e.g. Germany (legislation), HKG (GN33 @ 4.12.2), Singapore (MAS Guidance Note @ 33), Australia (AML Regs), Korea (original or certified, per AMLCTF Reg 39), UK (AML 2007, 14(2))! We could not find direct support in any EU, Australian or Asian AML/CTF regulation for the concept of digital transformation of documents to data as constituting a reliable source of data unless a certification process takes place by sighting the original documents. Regulators may have granted case by case exceptions.
20. 4a (ii). Approach 2: Static Database Electronic Verification (Non Public Approach)
Static database: electoral, credit, passport, driver's license. Relies on the Non Public Approach: Knowledge Based Authentication (KBA), a comparison of collected data to the database (i.e. your core data is assumed to be secret and not exposed to the public).
Issues: Highly localised, no global approach. Much of the data is public or easily obtained. No means of revocation if, say, a wallet is stolen or a mailbox compromised. Data may not change between KBA checks, making ongoing due diligence risible; susceptible to ghosting and/or takeover. Simple to reverse or social engineer the KBA. Once breached, re-credentialing of individuals is difficult: data becomes public, what now?
Breach size 80m, Jan 15. Breach size 1m, Nov 14.
21. 4C. Approach 3: Dynamic Re-Use of Bank ID / Data (Principles based)
(Flow diagram, labels read in order:) Physical Identification, Proof of Identity Documents → E-Payment Account (AML regulated; identifies person) → Verify Account → Once verified: a reliable source → KYC Identity → Sanction, PEP screen + monitor. Validate data. 3.5Bn person reach. Secondary sources (if required).
23. 4C (iii). Advantages of Transactional Approach: Metadata is the DNA of a payment message
Payment Data (Merchant, Acquirer, Card Details, Name, Amount, Time, Place, IIN Data + Country of issue)
Authentication + Validation Data (Geodata, device data, SAD, phone number, SMS)
Device Data (MAC, IMEI, CPE, Language, OS)
Network Data: IP Address, Carrier, Channel, route, Cell Tower
Delivery Data: Address, Phone
Under EU law, all of this is PII identifiable to a person. Under US law, taken as a whole, this is also PII that identifies a person.
24. 4c (iv). A reliable means to generate identity on demand
1. Online or mobile customer.
2. Transaction completed with eMerchant or regulated entity.
3. iSignthis verifies identity: identity traced and linked to a regulated payment account via strong customer authentication.
4. iSignthis verifies name and address from the uploaded bank statement associated with the authenticated account (satisfies UK, Australia, US, Canada, Sweden). For IT, BG, FR we also check age from passport / ID upload.
5. KYC file created, screened against Sanction, PEP and Law Enforcement lists, as well as credit card lost and stolen lists.
6. iSignthis verifies future payments: Identity & Payment Account linked with 2-Factor-Authentication (2FA). 1st factor: user-selected passcode. 2nd factor: One-Time-Password SMS.
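Step 6 links the verified identity to future payments with a passcode plus an SMS one-time password. The following is an added illustration of how such a two-factor step-up check is typically built on the server side; it is not iSignthis's implementation. It assumes 6-digit OTPs, a 5-minute expiry, 3 attempts per challenge, PBKDF2 hashing of both the passcode and the OTP so neither is stored in clear, and an SMS gateway replaced by a callback so the example runs offline.

```python
"""Two-factor step-up check: user-selected passcode + SMS one-time password.

Added illustration, not iSignthis's code. Assumptions: 6-digit OTP, 5 minute
expiry, 3 attempts, only salted PBKDF2 hashes of passcode and OTP are stored,
and SMS delivery is a callable supplied by the caller.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

OTP_TTL_SECONDS = 300
OTP_MAX_ATTEMPTS = 3


def _hash(secret: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; the iteration count is an assumption."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 100_000)


@dataclass
class Challenge:
    otp_hash: bytes
    salt: bytes
    expires_at: float
    attempts_left: int = OTP_MAX_ATTEMPTS


class TwoFactorVerifier:
    def __init__(self, send_sms, now=time.time):
        self._send_sms = send_sms   # callable(phone, message); stands in for an SMS gateway
        self._now = now             # injectable clock so expiry can be exercised
        self._passcodes = {}        # account_id -> (salt, passcode hash)
        self._challenges = {}       # account_id -> outstanding Challenge

    def enrol_passcode(self, account_id: str, passcode: str) -> None:
        salt = secrets.token_bytes(16)
        self._passcodes[account_id] = (salt, _hash(passcode, salt))

    def start_challenge(self, account_id: str, passcode: str, phone: str) -> bool:
        """First factor: check the passcode; on success issue the OTP (second factor)."""
        entry = self._passcodes.get(account_id)
        if entry is None:
            return False
        salt, stored = entry
        if not hmac.compare_digest(stored, _hash(passcode, salt)):
            return False
        otp = f"{secrets.randbelow(10**6):06d}"      # CSPRNG, zero-padded to 6 digits
        salt = secrets.token_bytes(16)
        self._challenges[account_id] = Challenge(_hash(otp, salt), salt,
                                                 self._now() + OTP_TTL_SECONDS)
        self._send_sms(phone, f"Your verification code is {otp}")
        return True

    def complete_challenge(self, account_id: str, otp: str) -> bool:
        """Second factor: constant-time compare, bounded attempts, single use."""
        ch = self._challenges.get(account_id)
        if ch is None:
            return False
        if self._now() > ch.expires_at or ch.attempts_left <= 0:
            del self._challenges[account_id]
            return False
        ch.attempts_left -= 1
        ok = hmac.compare_digest(ch.otp_hash, _hash(otp, ch.salt))
        if ok or ch.attempts_left == 0:
            del self._challenges[account_id]        # a code is never reusable
        return ok


def demo() -> dict:
    """Constructed walk-through: the 'SMS' is captured in a list instead of sent."""
    outbox, clock = [], [1_000.0]
    v = TwoFactorVerifier(lambda phone, msg: outbox.append(msg), now=lambda: clock[0])
    v.enrol_passcode("acct-1", "correct horse")
    results = {}
    results["wrong_passcode"] = v.start_challenge("acct-1", "wrong", "+00 000")
    results["started"] = v.start_challenge("acct-1", "correct horse", "+00 000")
    code = outbox[-1].split()[-1]
    results["wrong_otp"] = v.complete_challenge("acct-1", "000000" if code != "000000" else "111111")
    results["right_otp"] = v.complete_challenge("acct-1", code)
    results["replay"] = v.complete_challenge("acct-1", code)
    v.start_challenge("acct-1", "correct horse", "+00 000")
    code = outbox[-1].split()[-1]
    clock[0] += OTP_TTL_SECONDS + 1
    results["expired"] = v.complete_challenge("acct-1", code)
    return results


if __name__ == "__main__":
    print(demo())
```

The design points worth noting are the ones that usually go wrong in practice: the passcode check happens before any SMS is sent, so an attacker who knows only the phone number cannot trigger codes; comparison uses `hmac.compare_digest`; and a code is consumed on success or when attempts run out, so it cannot be replayed.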
25. 5. Global application: Passporting
(Diagram labels: Country, Country, AML Service, AML Service, AML Service, Government.)
Passporting is possible in most jurisdictions provided that the source is from an equivalency jurisdiction, not necessarily FATF.
26. Key Takeaways
Transactions drive e-identity, and ought to do so: pre-boarding is an outmoded concept for online, and on-boarding customers for the sake of doing so is expensive and unnecessary.
Identity is complex. Establishing identity to a legal standard is even more complex in remote circumstances.
Ultimately, given its importance to ecommerce, a scalable, dynamic electronic verification approach to identity is important, taking into account security, costs and the user experience.
Documents are not data unless transformed by a qualified certifying party.
27. Transactions driving eKYC Identity: a global approach to automated electronic verification. Day 1
28. For further information contact: John Karantzis, [email protected], +31 681 433 530. Thank You