Identity Assurance
The art of knowing your customers
John Erik Setsaas
2017-03-07
V 1.12 - 2017-03-06

Disclaimer
Please note that this presentation is for information purposes only, and that Signicat has no obligation to pursue any course of business outlined in this presentation or to develop or release any functionality mentioned in this presentation.
The future strategy and possible future developments by Signicat are subject to change and may be changed by Signicat at any time for any reason without notice.
This document is provided without a warranty of any kind, either express or implied, including but not limited to, the implied warranties of merchantability, fitness for a particular purpose, or non-infringement. Signicat assumes no responsibility for errors or omissions in this document.
About Signicat
Signicat's vision is to be the most comprehensive provider of electronic identity services to customers in regulated industries across the world

What does Signicat do?
• Identity Assurance
• SCA (Strong Customer Authentication)
• Electronic signatures and seals
• Preservation of identities and signatures

Signicat’s reputation
• Winner of the Norwegian Fintech Achievement Award – 2017 – Norway
• Nominated for European Fintech Award – 2016 – The Netherlands
• Winner of the Future Payments 2013 and Cards & Payments Europe “Best innovation” award – 2013 – UK
• Winner of the International Identity Deployment of the Year Awards – 2009 – Las Vegas
• Winner of the Security Award, IT-sikkerhetsprisen – 2009 – Norway

Identity assurance background
Traditional assurance
• Physical meeting
• Bring ID papers
• Verification done by a person

User expectation
• Digital registration
• Everything can be done from home
• Using any type of device
• No human interaction

40% have abandoned some kind of application form for financial services in the past 12 months

What the user meets
• Difficult to become a financial customer
• Do not understand why
  – I have to provide so much info?
  – I have to upload my passport?
  – It is so easy to sign up at web stores
    • Using social media

What the business sees
• Time consuming
• Costly
• Complex
• Losing potential customers
• Losing money

On-boarding challenges
• Digital on-boarding is a complex process
  – How to verify that the person is who he or she claims to be?
  – What about KYC (Know Your Customer) requirements?
• Digital on-boarding is costly
  – Often requires manual steps (both for the consumer and the organization)
• Digital maturity of the population
• Trust
  – People are reluctant to use digital identity
  – Surveillance (Ref. Snowden)

A good solution should empower the user to overcome fear of surveillance

Identity assurance must be simplified!
Identity assurance
Business motivation
• Risk
  – Will you get paid for your services?
• Consequence
  – Loss of money
• Regulations
  – KYC
  – AML
• Consequence
  – Loss of money
  – Loss of reputation

KYC – Establish trust in the identity
• Collect and analyze information
• Name matching against lists of known parties
  – such as PEP (Politically Exposed Person)
• Determine risk
  – Money laundering, terrorist finance, or identity theft
• Create transactional behavior profile
• Monitor against expected behavior
  – Including behavior of customer’s peers

Reasonable assurance
• Establish a reasonable assurance that the user is who he or she claims to be
• What is reasonable depends upon factors including
  – Jurisdiction
  – Risk vs consequences
  – Resources
  – Technology state of the art

eIDAS assurance levels (EU regulation 2014/910)
• Low
• Substantial
• High

The requirements established should be technology-neutral. It should be possible to achieve the necessary security requirements through different technologies

Assurance levels should characterise the degree of confidence in electronic identification means in establishing the identity of a person

What can a user use to prove his or her identity?
• Physical or virtual meeting
• Commercial identity
• Proof of address
• Self portrait
• Possession of phone
• Derived identity
• ID paper

What can the bank do, to verify the identity?
• Automatic checks
  – Social media attributes
    • Name, phone etc
  – Social media ratings
    • Recommendations
  – ID paper OCR
  – Registries
    • PEP/OFAC
    • Credit rating
    • Business roles
  – Web searching
• Manual checks
  – Visual check of information
    • ID paper vs photo etc
  – Phone call
  – Video conference

User motivation vs business risk
• User motivation: "I want to buy a house" / "I want to check out your banking app"
• Assurance: Simple assurance / Full KYC compliance

The gradual approach example 1
[Diagram repeated on each slide: John, the Bank, and an assurance bar]

John wants to sign up with the bank. The bank needs a reasonable degree of assurance.
• Assurance threshold 1: Limited functionality
• Assurance threshold 2: Full functionality

Steps shown on the slides, with the information the bank holds after each:
• John provides basic information: John Doe, 555-1234, 1970-04-05
• John responds to OTP (One Time Password) 1234: John Doe, 555-1234 (verified), 1970-04-05
• Upload self-portrait: John Doe, 555-1234 (verified), 1970-04-05
• Upload self-portrait with OTP 3655: John Doe, 555-1234 (verified), 1970-04-05; 3655 (verified)
• Upload passport: John Doe (verified), 555-1234 (verified), 1970-04-05 (verified); 3655 (verified)
• Manual check: John Doe, 555-1234 (verified), 1970-04-05; 3655 (verified)
• Video conference: John Doe, 555-1234 (verified), 1970-04-05; 3655 (verified)

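The gradual approach of example 1, sketched as an added Python example (not part of the original presentation and not Signicat's code): each accepted means of assurance raises a score that is compared against the two thresholds, and an OTP-bound step is credited only when the response matches the challenge. The weights, threshold values, and all class and function names are assumptions; the slides give no numbers.

```python
import hmac
from dataclasses import dataclass, field

# Assumed numbers: the slides show a rising assurance bar and two thresholds
# but give no weights or scores.
WEIGHTS = {"basic_info": 10, "phone_otp": 20, "selfie_otp": 20,
           "passport": 30, "manual_check": 10, "video_conference": 20}
THRESHOLD_LIMITED = 30  # "Assurance threshold 1": limited functionality
THRESHOLD_FULL = 80     # "Assurance threshold 2": full functionality
OTP_BOUND = {"phone_otp", "selfie_otp"}

@dataclass
class Applicant:
    claims: dict                                # self-asserted attributes
    verified: set = field(default_factory=set)  # items shown as "(verified)"
    evidence: set = field(default_factory=set)  # accepted means of assurance

    def add(self, kind, confirms=(), challenge=None, response=None):
        """Accept one means of assurance; OTP-bound kinds need a matching response."""
        if kind not in WEIGHTS:
            raise ValueError(f"unknown means of assurance: {kind}")
        if kind in OTP_BOUND:
            if not challenge or not response or not hmac.compare_digest(challenge, response):
                return False  # wrong or missing OTP: nothing is credited
        self.evidence.add(kind)  # a set, so repeating a step adds no score
        self.verified.update(confirms)
        return True

    def score(self):
        return sum(WEIGHTS[k] for k in self.evidence)

    def access(self):
        s = self.score()
        return "full" if s >= THRESHOLD_FULL else "limited" if s >= THRESHOLD_LIMITED else "none"

def walkthrough():
    """Replay John's steps from the slides; returns the access level after each."""
    john = Applicant({"name": "John Doe", "phone": "555-1234", "dob": "1970-04-05"})
    levels = []
    john.add("basic_info"); levels.append(john.access())
    john.add("phone_otp", ["phone"], "1234", "1234"); levels.append(john.access())
    john.add("selfie_otp", ["portrait"], "3655", "0000"); levels.append(john.access())  # constructed mismatch
    john.add("selfie_otp", ["portrait"], "3655", "3655"); levels.append(john.access())
    john.add("passport", ["name", "dob"]); levels.append(john.access())
    return levels, john

if __name__ == "__main__":
    print(walkthrough()[0])
```
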
The gradual approach example 2
[Diagram repeated on each slide: John, the Bank, and an assurance bar]

Steps shown on the slides, with the information the bank holds after each:
• Log on to commercial identity: John Doe, 555-1234, 1970-04-05
• John responds to OTP (One Time Password) 1234: John Doe, 555-1234 (verified), 1970-04-05
• PEP, OFAC and web verification: John Doe, 555-1234 (verified), 1970-04-05

Conclusion
Summary
• Decide what reasonable assurance means for your organization
• Define several levels
• Decide which means of assurance
  – And how to combine them
• Make it simple for the end-user

End of presentation
John Erik Setsaas