iSignthis - FIS Global Banking Perspectives Conference

Upload: isignthis

Post on 07-Aug-2015

TRANSCRIPT

Transactions driving eKYC for Identity: A global approach to remote electronic verification

PRESENTED BY: John Karantzis B.E., LL.M, M.Ent, FIEAust, Managing Director

iSignthis Ltd (ASX: ISX)

3 iSignthis © 2015

Today’s Presentation

1.  Identity? What is it?

2.  Private Sector – Who needs identity?

3.  Regulatory Approaches to EV of Identity
    i.   European Union
    ii.  United Kingdom
    iii. France and Belgium
    iv.  Australia

4.  How do we establish identity?
    a.  Physical Documents
    b.  Static Electronic Verification
    c.  Dynamic Electronic Verification

5.  Key Takeaways

Key Terminology

• AML = Anti Money Laundering

• CTF = Counter-Terrorism Financing

• KYC = Know Your Customer (legal identity standard)

•  FATF = Financial Action Task Force, the inter-governmental policy and coordination body for monitoring the world's financial networks. Members include the US, China, the EU28, Australia, Argentina, Hong Kong, Japan, South Africa, Russia, Brazil, Canada, Singapore, India, Mexico and Turkey, with ~100 aspirant countries. http://www.fatf-gafi.org

• Regulated Entity = any entity regulated under AML/CTF law, including banks, exchanges, commodity/bullion/stock brokers, eWallets/mWallets, payment processors, wagering/betting/casinos, p2p remittances, forex, and real estate agents.

What drives the need for e-Identity? Transactions! People are identified when they want to do something: buy, sell, trade, receive goods and services.

The internet means we need to adapt how we approach identity.

Regulated (online) transactions are subject to:

•  Financial identity: Know Your Customer (KYC) under AML/CTF law (in the US, the Bank Secrecy Act)

•  Privacy / data protection law

Compliance with AML law is a "stay in business" requirement:

•  Doing it well reduces compliance costs and enhances the customer experience

•  Non-compliance brings massive fines, up to the corporate "death penalty"

1. What is Identity

A lawful or legally standing association, corporation, partnership, proprietorship, trust, or individual that has the legal capacity to:

•  enter into agreements or contracts,
•  assume obligations,
•  incur and pay debts,
•  sue and be sued in its own right, and
•  be accountable for illegal activities.

2. Private Sector: Who needs Identity? (Stay-in-business regulatory requirement)

The slide groups these under Payment Processing, Financial, Professional Services and Others:

•  Payment processors: compliance requirement for AML KYC and/or ECB SecuRe Pay.
•  eMerchants in the SEPA/EU28, as part of the ECB's Strong Customer Authentication.
•  Stock brokers
•  Financial systems requiring two-factor authentication technology
•  Banks (incl. debit and card issuers)
•  Commodity/bullion brokers
•  Crypto currency exchanges (e.g. bitcoin)
•  Real estate sales/rental agents
•  Travel agents (US Patriot Act)
•  Life insurers
•  Accountants/auditors/lawyers
•  Financial advisors/super funds
•  eWallet/mWallet providers
•  Money remittance (p2p)
•  Loan/pawn providers
•  eCasino/eGaming/eWagering
•  Any business routinely trading > US $10k/transaction
•  Currency exchange

2a. Private Sector: Who needs Identity?

Quadrant diagram on the slide (axes: LOCAL to GLOBAL, MANUAL to AUTOMATED; arrows labelled Customer Ease, Lower Cost, Lower Friction and Remote on-boarding point towards the automated, global corner):

•  Manual: face to face checks; notarised posted/uploaded documents
•  Automated, local: 'Experian' or 'GBGroup' style static credit database search (UK, US, AU)
   - No dynamic means to include a customer on request if not already a historic customer of a credit reporting agency.
   - Requires cross-check of other databases.
   - Typical coverage of 60% of online applicants.
•  Automated, global: iSignthis + PayPal
   - >3Bn accessible global payment instruments.
   - No need for the user to disclose bank details to a third party.

3. Regulatory approaches to identity

1.  “Specific Type Approach”: regulations specifically state the means, or what must be done.

2.  “Non Public Approach”: regulations seek to make use of information that is not in the public domain to identify a person.

3.  “Principles Based Approach”: regulations state the outcome rather than the means. The means may include elements of the Specific Type and Non Public approaches, as well as other means.

4.  The FATF ‘risk based approach’ favours a move towards the ‘Principles Based Approach’.

3a. FATF Recommendation 5 (Principles Based Approach)

Guiding principle for jurisdictions following the FATF legislative model (customer due diligence; Recommendation 5 in the 2003 text, renumbered Recommendation 10 in the 2012 revision):

“Customer due diligence measures shall comprise: Identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;”

3b. What is a reliable source of data?

Consider the following factors regarding the data:

(a) its accuracy;

(b) how secure it is;

(c) how the data is kept up-to-date / its recency

(d) how comprehensive the data is

(e) whether the data is maintained by a government body or pursuant to legislation; and

(f) whether the electronic data can be additionally authenticated

4. How do we establish identity?

Two ways:

(i) Face to face: from reliable document sources, normally using government-issued photo identity documents.

Typically, we look for:

•  Proof of Identity (POI): birth certificate, marriage certificate
•  Evidence of Identity (EOI): government-issued ID or bank accounts/cards
•  Social footprint: utility bills, payments, insurances

(ii) Electronic Verification (EV): from reliable data or information sources

3 (i). ‘Identifying’ the customer (UK JMLSG)

UK Money Laundering Regulations 2007: regs 5(a) and (c), 7(1)(a) and (b), 7(3), 9(2), 14(2) and 14(4).

Electronic verification standard: one match on an individual's full name and current address; and a second match on the individual's full name and either their current address or their date of birth.

JMLSG Guidance paras 5.3.36 to 5.3.39: positive information, negative information, data from multiple sources and across time, and qualitative checks that assess the strength of the information provided.

3 (ii). ‘Identifying’ and ‘Verifying’ the customer (FRA & BEL)

Identifying a customer is defined as collecting AND verifying these elements:

•  first name;
•  last name;
•  place of birth;
•  date of birth.

Data source: either government, or subject to EU AML/CTF obligations or a third-country equivalent.

3 (iii). ‘Identifying’ and ‘Verifying’ the customer (AUS)

The reporting entity must collect and verify the following KYC information:

i.  the customer's full name; and
ii. both of the following are collected, but only one of them need be verified:
    a.  the customer's date of birth, or
    b.  the customer's residential address.

3 (iv). Summary: number of attributes to be verified

Chart on the slide (bars from 0 to 7 attributes, labelled "Identity Proofing"):

  AUS/UK/US/SE   Name + Address, or Name + DoB                                   (2)
  IT/FR/BG       Name + Address + DoB                                            (3)
  KOR/HKG        Name + Address + DoB + Nationality + Gov ID                     (5)
  SGP            Name + Address + DoB + Nationality + Gov ID + Contact Details   (6)
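As an added example, not code from the deck or from iSignthis, the attribute rules on the UK, France/Belgium, Australia and summary slides above can be encoded as a check over the matches returned by independent data sources. The `Match` record, the two-letter jurisdiction keys, the `reliable` flag and the three constructed sources are assumptions made for this illustration; the UK branch implements the JMLSG 'one plus one' rule (two different sources), while the other jurisdictions require the listed attributes to be covered by reliable sources.

```python
"""Added example: per-jurisdiction electronic-verification attribute checks.

Not code from the iSignthis deck. The jurisdiction codes, the Match record and
the sample sources are constructed for the illustration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Match:
    """One positive match returned by an independent data source."""
    source: str            # which source answered (constructed names below)
    attrs: frozenset       # applicant attributes that source confirmed
    reliable: bool = True  # government-held or AML/CTF-regulated source


# Attribute combinations, any one of which satisfies the jurisdiction, taken
# from the deck's AUS slide (name + DoB or address), the FRA & BEL slide (first
# and last name, place and date of birth) and the summary chart (IT, KOR, HKG,
# SGP). "name" stands for the full name.
RULES = {
    "AU": ({"name", "dob"}, {"name", "address"}),
    "FR": ({"name", "pob", "dob"},),
    "BE": ({"name", "pob", "dob"},),
    "IT": ({"name", "address", "dob"},),
    "KR": ({"name", "address", "dob", "nationality", "gov_id"},),
    "HK": ({"name", "address", "dob", "nationality", "gov_id"},),
    "SG": ({"name", "address", "dob", "nationality", "gov_id", "contact"},),
}


def uk_one_plus_one(matches):
    """JMLSG 'one plus one': one source matches full name + current address,
    and a second, different source matches full name + (address or DoB)."""
    for first in matches:
        if not {"name", "address"} <= first.attrs:
            continue
        for second in matches:
            if (second.source != first.source
                    and "name" in second.attrs
                    and second.attrs & {"address", "dob"}):
                return True
    return False


def verify(jurisdiction, matches):
    """Return (verified, detail). Only reliable sources count (factors (e) and
    (f) of the 'reliable source of data' slide); detail lists the attributes
    used, or those still missing when verification fails."""
    usable = [m for m in matches if m.reliable]
    if jurisdiction == "UK":
        return uk_one_plus_one(usable), "1+1 rule"
    covered = set()
    for m in usable:
        covered |= m.attrs
    options = RULES[jurisdiction]
    for need in options:
        if need <= covered:
            return True, sorted(need)
    missing = min((need - covered for need in options), key=len)
    return False, sorted(missing)


# Constructed sample: three sources answering for one applicant. The social
# profile is neither government-held nor AML-regulated, so it never counts.
SAMPLE = [
    Match("electoral_roll", frozenset({"name", "address"})),
    Match("credit_file", frozenset({"name", "dob"})),
    Match("social_profile", frozenset({"name", "pob", "nationality"}), reliable=False),
]

if __name__ == "__main__":
    for j in ("UK", "AU", "FR", "SG"):
        print(j, verify(j, SAMPLE))
```

Run on the same three matches, the UK and Australian rules pass on the electoral roll plus the credit file, France fails for want of a verified place of birth, and Singapore fails for nationality, government ID and contact details; the social profile is ignored because it is not a government or AML-regulated source, which is exactly the distinction the FATF wording "reliable and independent source" draws.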

4a (i). Approach 1 – Physical Documents (Challenges – Authenticity, Validity, Transformation, Verification)

The EU’s Public Register of Authentic Identity and Travel Documents Online (PRADO), recommends:

“When checking security features of documents: FEEL, LOOK, TILT!”

And

“Check the validity of document numbers – [via] List of links to websites with information on invalid document numbers”

http://prado.consilium.europa.eu

en.wikipedia.org/wiki/European_driving_licence

4a (i). Transforming – Physical Documents (Challenges: Authenticity, Validity, Transformation, Verification)

•  Trend in some countries towards using webcams or non-certified images.

•  Scanners/webcams can't look, feel or tilt; so how valid, "reliable" or "independent" is the uploading of an identity document?

•  How reliable is a comparison of the photo on such a document with the person on the webcam?

•  There is no EU or global register of stolen credentials, so how is the validity of these documents checked?

•  Can a document be transitioned from physical to become "data" or information without verification of its reliability or validity by the issuer?

4a (ii). Transforming – Physical Documents

Is there a legal basis to rely upon physical documents transformed by a non-issuer/third party?

•  NO! This approach is specifically prohibited, or not endorsed, by regulators in many jurisdictions:

•  E.g. Germany (legislation), HKG (GN33 at 4.12.2), Singapore (MAS Guidance Note at 33), Australia (AML Regs), Korea (original or certified, per AML/CTF Reg 39), UK (AML2007, 14(2)(c)).

•  We could not find direct support in any EU, Australian or Asian AML/CTF regulation for the concept that digital transformation of documents to data constitutes a reliable source of data, unless a certification process takes place by sighting the original documents. Regulators may have granted case-by-case exceptions.

4b. Approach 2: Static Database Electronic Verification (Non Public Approach)

Static database: electoral roll, credit file, passport, driver's licence.

Relies on the "Non Public Approach": Knowledge Based Authentication (KBA), a comparison of collected data to the database (i.e. your core data is assumed to be 'secret' and not exposed to the public).

Issues

•  Highly localised, no global approach.

•  Much of the data is public or easily obtained.

•  No revocation means if, say, a wallet is stolen or a mailbox compromised.

•  Data may not change between KBA checks, making ongoing due diligence risible and susceptible to ghosting and/or takeover.

•  Simple to 'reverse' or social-engineer the KBA.

•  Once breached, re-credentialing of individuals is difficult; the data becomes "public". What now?

Breach examples shown on the slide: breach size 80m, Jan 15; breach size 1m, Nov 14.

4c. Approach 3: Dynamic Re-Use of Bank ID / Data (Principles based)

Flow shown on the slide:

Physical identification (proof of identity documents) → e-Payment account (account AML: regulated, identifies the person) → Verify account (once verified, a "reliable" source) → KYC identity: sanction and PEP screen, monitor, validate data; secondary sources (if required).

Reach: 3.5Bn persons.

4C (ii). KBA Example: iSignthis & PayPal

4c (iii). Advantages of the Transactional Approach: Metadata is the DNA of a payment message

•  Payment data: merchant, acquirer, card details, name, amount, time, place, IIN data + country of issue

•  Authentication + validation data: geodata, device data, SAD, phone number, SMS

•  Device data: MAC, IMEI, CPE, language, OS

•  Network data: IP address, carrier, channel, route, cell tower

•  Delivery data: address, phone

Under EU law, all of this is PII, identifiable to a person. Under US law, taken as a whole, this is also PII: it identifies a person.

4c (iv). A reliable means to generate identity on demand

Process shown on the slide:

1. Online or mobile customer.

2. Transaction completed with eMerchant or regulated entity.

3. iSignthis verifies identity: identity traced and linked to a regulated payment account via strong customer authentication.

4. iSignthis verifies name and address from an uploaded bank statement associated with the authenticated account (satisfies UK, Australia, US, Canada, Sweden). For IT, BG and FR, age is also checked from a passport/ID upload.

5. KYC file created, screened against sanction, PEP and law enforcement lists, as well as credit card lost and stolen lists.

6. iSignthis verifies future payments: identity and payment account linked with two-factor authentication (2FA). 1st factor: user-selected passcode. 2nd factor: one-time password by SMS.
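Step 6 above protects the identity/payment-account link with a user-selected passcode and an SMS one-time password. The following is an added example, not code from the deck or from iSignthis, of how a verifier handles those two factors; the in-memory `LinkedAccount` class, the salted PBKDF2 storage, the 6-digit code, the 300-second validity window and the three-attempt budget are assumptions made for the illustration, and the SMS send is stood in for by returning the code to the caller.

```python
"""Added example: passcode + SMS one-time-password check for a linked account.

Not code from the iSignthis deck. Storage layout, code length, expiry and
attempt budget are assumptions; sending the SMS is left to the caller.
"""
import hashlib
import hmac
import os
import secrets
import time

OTP_TTL_SECONDS = 300   # assumed validity window for an SMS code
OTP_MAX_ATTEMPTS = 3    # assumed guess budget before the code is burned
PBKDF2_ROUNDS = 100_000


def _hash(secret, salt):
    """Salted PBKDF2-HMAC-SHA256 so neither factor is stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


class LinkedAccount:
    """Identity/payment-account link protected by passcode + SMS OTP."""

    def __init__(self, passcode):
        self._salt = os.urandom(16)
        self._passcode_hash = _hash(passcode, self._salt)
        self._otp = None  # [hash, issued_at, attempts_left] for the live code

    def issue_otp(self, now=None):
        """Create a fresh 6-digit code from a CSPRNG; in production the code
        goes out by SMS, here it is returned so the caller can deliver it."""
        now = time.time() if now is None else now
        code = f"{secrets.randbelow(1_000_000):06d}"
        self._otp = [_hash(code, self._salt), now, OTP_MAX_ATTEMPTS]
        return code

    def verify(self, passcode, otp_code, now=None):
        """Return (ok, reason). Both factors are always hashed and compared in
        constant time, the reason never says which factor failed, the code is
        single-use, expires, and is burned after OTP_MAX_ATTEMPTS wrong guesses."""
        now = time.time() if now is None else now
        pass_ok = hmac.compare_digest(_hash(passcode, self._salt), self._passcode_hash)
        if self._otp is None:
            return False, "no_otp"
        otp_hash, issued_at, _ = self._otp
        if now - issued_at > OTP_TTL_SECONDS:
            self._otp = None
            return False, "otp_expired"
        otp_ok = hmac.compare_digest(_hash(otp_code, self._salt), otp_hash)
        if pass_ok and otp_ok:
            self._otp = None  # single use: a replayed code fails as "no_otp"
            return True, "ok"
        self._otp[2] -= 1
        if self._otp[2] <= 0:
            self._otp = None
            return False, "otp_burned"
        return False, "bad_factor"


if __name__ == "__main__":
    acct = LinkedAccount("correct horse")
    code = acct.issue_otp()
    print("SMS would carry:", code)
    print(acct.verify("wrong passcode", code))   # (False, 'bad_factor')
    print(acct.verify("correct horse", code))    # (True, 'ok')
    print(acct.verify("correct horse", code))    # (False, 'no_otp'): replay
```

The two properties worth noticing are that a six-digit code is only safe against online guessing because it is single-use, time-limited and burned after a handful of attempts, and that the response does not reveal which factor was wrong, so the endpoint cannot be used to test passcodes independently of codes.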

5. Global application: Passporting

Passporting:

•  Country <> Country
•  AML Service <> AML Service
•  AML Service <> Government

Possible in most jurisdictions provided that the source is from an equivalency jurisdiction, not necessarily FATF.

Key Takeaways

•  Transactions drive e-identity, and ought to do so: 'pre-boarding' is an outmoded concept for online, and on-boarding customers for the sake of doing so is expensive and unnecessary.

•  Identity is complex. Establishing identity to a legal standard is even more complex in remote circumstances.

•  Ultimately, given its importance to ecommerce, a scalable, dynamic electronic verification approach to identity is important, taking into account security, costs and the user experience.

•  Documents are not data unless transformed by a qualified certifying party.

Transactions driving eKYC Identity – a global approach to automated electronic verification – Day 1

For further information contact:

John Karantzis

[email protected]

+31 681 433 530

Thank You