Uploaded by martin-chan, 07-Feb-2017 (31 slides)

TRANSCRIPT

1

1 iSignthis © 2015

iSignthis Ltd (ASX : ISX )

Transactions Drive e-Identity: Payments and AML/CTF KYC

MODERATOR: Hue Dang, CAMS Head of Asia, ACAMS

Jointly Presented by:

Managing Director John Karantzis B.E., LL.M, M.Ent, FIEAust Director Scott W Minehane B.Econ LL.B., LL.M

2

What drives the need for e-Identity?

Transactions!

People are identified when they want to do something: buy, sell, trade, receive goods and services.

The internet means we need to adapt how we approach identity.

Regulated (online) transactions are subject to:

•  Financial identity requirements (KYC)

•  Privacy / data protection law

Doing both well reduces compliance costs and enhances the customer experience.

3

Today's Presentation

1.  Identity? What is it?

2.  Regulatory Approaches to Identity
    i.   European Union
    ii.  South Korea
    iii. Hong Kong
    iv.  Singapore
    v.   Australia

3.  Private Sector – Who needs identity?

4.  How do we establish identity?
    a.  Physical Documents
    b.  Static Electronic Verification
    c.  Dynamic Electronic Verification

5.  Conclusions

4

1. What is Identity?

A lawful or legally standing association, corporation, partnership, proprietorship, trust, or individual.

Has legal capacity to:

•  enter into agreements or contracts,

•  assume obligations,

•  incur and pay debts,

•  sue and be sued in its own right, and

•  be accountable for illegal activities.

5

1a. What is Digital Identity?

•  Let's look at how privacy law treats identity:

•  In the US, the law provides multiple definitions of Personally Identifiable Information (PII), most focusing on whether the information pertains to an (already) identified person.

•  By way of contrast, in the EU there is a single definition of personal data, which encompasses all information relating to an identifiable person.

•  The EU Data Protection Directive (95/46/EC) defines an "identifiable person" as "one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."

6

2. Regulatory approaches to identity

1.  "Specific Type Approach": regulations specifically state the means, or what must be done.

2.  "Non Public Approach": regulations seek to make use of information that is not in the public domain to identify a person.

3.  "Principles Based Approach": regulations state the outcome rather than the means. The means may include elements of the Specific Type and Non Public approaches, as well as other means.

4.  The FATF 'risk-based approach' favours a move towards the 'Principles Based Approach'.

7

2a. FATF Recommendation 5 (Principles Based Approach)

Guiding principle for jurisdictions following the FATF legislative model:

"Customer due diligence measures shall comprise: identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;"

(The wording quoted is Article 8(1)(a) of the EU Third Anti-Money Laundering Directive, 2005/60/EC, which transposes Recommendation 5 of the 2003 FATF Recommendations; in the 2012 revision the same CDD requirement is Recommendation 10.)

8

2b. What is a reliable source of data?

Consider the following factors with regard to the data:

•  (a) its accuracy;

•  (b) how secure it is;

•  (c) how the data is kept up to date / its recency;

•  (d) how comprehensive the data is;

•  (e) whether the data is maintained by a government body or pursuant to legislation; and

•  (f) whether the electronic data can be additionally authenticated.

9

2 (i). 'Identifying' the customer (EU)

•  In the EU, any "unique" attribute is sufficient to identify a person (principles based).

•  However, in practice all EU member states require verification of name + address (e.g. UK, IRL, SE).

•  Some states require verification of age as well: name + address + age (e.g. FR, IT and BG).

10

2 (ii). 'Identifying' the customer (KOR)

South Korea's Article 38 (of the 2010 AML/CTF Regulations) takes a specific approach.

Identifying a customer is defined as:

•  name,
•  address,
•  identity or travel document, incl. number and type.

If not a Korean citizen, also required:

•  date of birth,
•  nationality.

11

2 (ii). Remote 'Verifying' the customer (KOR)

Article 35 (Non face-to-face transactions)

(1) Financial institutions shall establish policies and procedures to address the risk of ML/TF related to non-face-to-face transactions.

12

2 (iii). 'Identifying' the customer (HKG)

Hong Kong takes a specific approach via Guidance Note GN33 (March 2015), similar to South Korea's Article 38.

Identifying a customer is defined as:

•  name,
•  address,
•  date of birth,
•  nationality,
•  identity or travel document, incl. number and type.

13

2 (iii). Remote 'Verifying' the customer (HKG)

The FI must carry out at least one of the following measures for remote on-boarding:

a.  use additional sources of documents, data or information;

b.  take supplementary measures to verify all the information provided by the customer;

c.  ensure that the first payment made into the customer's account is received from an account in the customer's name with an authorized institution in an equivalent jurisdiction…

14

2 (iv). Remote 'Verifying' the customer (SGP)

MAS Notice 626 (new guidelines, 24 April 2015): appropriate measures to address risks arising from undertaking transactions via the internet, by using one or more of:

(a) independent telephone verification of the customer;

(b) confirmation of the customer's address;

(c) confirmation of the customer's employment status;

(d) the customer's salary confirmation by use of recent bank statements from another bank;

(e) qualified third-party certification of identification documents;

(f) requiring the first payment to be carried out through an account in the customer's name with another FI subject to similar or equivalent customer due diligence standards.

15

2 (v). 'Identifying' and 'Verifying' the customer (AUS)

The reporting entity must collect and verify the following KYC information:

i.  the customer's full name; and

collect both of, but verify either / any one of:

a.  the customer's date of birth, or

b.  the customer's residential address.

16

2 (vi). Summary: number of attributes to be verified

[Bar chart; the y-axis ran from 0 to 7. Recovered from the bar labels, with the count of listed attributes in brackets:]

AUS / UK / US / SE : Name + Address, or Name + DoB (2)
IT / FR / BG       : Name + Address + DoB (3)
KOR / HKG          : Name + Address + DoB + Nationality + Gov ID (5)
SGP                : Name + Address + DoB + Nationality + Gov ID + Contact details (6)

17

3. Private Sector: Who needs Identity?

•  Payment processors: compliance requirement for AML KYC and/or ECB SecuRe Pay.

•  eMerchants in the SEPA/EU28, as part of the ECB's Strong Customer Authentication.

•  Stock brokers

•  Financial systems requiring two-factor authentication technology

•  Banks (incl. debit and card issuers)

•  Commodity/bullion brokers

•  Cryptocurrency exchanges (e.g. bitcoin)

•  Real estate sales/rental agents

•  Travel agents (US Patriot Act)

•  Life insurers

•  Accountants/auditors/lawyers

•  Financial advisors/super funds

•  eWallet/mWallet providers

•  Money remittance, P2P

•  Loan/pawn providers

•  eCasino/eGaming/eWagering

•  Any business routinely trading > US $10k/transaction

•  Currency exchange

(Grouped on the slide under four headings: Payment Processing, Financial, Professional Services, Others.)

18

3. Private Sector: Who needs Identity? (continued)

[Diagram: a 2x2 grid, LOCAL vs GLOBAL across and AUTOMATED vs MANUAL down, with the arrows "Customer Ease", "Lower Cost", "Lower Friction" and "Remote on-boarding" marking the direction of improvement. The four approaches sit as follows:]

Local + manual: face-to-face checks.

Global + manual: notarised, posted/uploaded documents*.

Local + automated: 'Experian' or 'GBGroup' style static credit-database search (UK, US, AU).

•  No dynamic means to include a customer on request if not already a historic customer of a credit reporting agency.

•  Requires cross-check of other databases.

•  Typical coverage of 60% of online applicants.

Global + automated: iSignthis + PayPal.

•  >3Bn accessible global payment instruments.

•  No need for the user to disclose bank details to a third party.

19

4. How do we establish identity?

Two ways:

(i) Face to face – from reliable document sources, normally using government-issued photo identity documents.

Typically, we look for:

•  Proof of Identity (POI) – birth certificate, marriage certificate

•  Evidence of Identity (EOI) – government-issued ID or bank accounts/cards

•  Social footprint – utility bills, payments, insurances

(ii) Electronic Verification (EV) – from reliable data or information sources

20

4a (i). Approach 1 – Physical Documents (Challenges – Authenticity, Validity, Transformation, Verification)

The EU's Public Register of Authentic Identity and Travel Documents Online (PRADO) recommends:

"When checking security features of documents: FEEL, LOOK, TILT!"

and

"Check the validity of document numbers – [via] List of links to websites with information on invalid document numbers"

http://prado.consilium.europa.eu

[Slide image source: en.wikipedia.org/wiki/European_driving_licence]

21

4a (i). Transforming – Physical Documents (Challenges – Authenticity, Validity, Transformation, Verification)

•  Trend in some countries towards using webcams or non-certified images.

•  Scanners/webcams can't "feel, look, tilt"; so how valid, "reliable" or "independent" is the uploading of an identity document?

•  How reliable is a comparison of the photo on such a document against a webcam image?

•  There is no EU or global register of stolen credentials, so how is the validity of these documents checked?

•  Can a document be transitioned from physical to "data" or information without verification of its reliability or validity by the issuer?

22

4a (ii). Transforming – Physical Documents

Is there a legal basis to rely upon physical documents transformed by a non-issuer / third party?

•  NO! This approach is specifically prohibited or not endorsed by regulators in many jurisdictions:

•  E.g. Germany (legislation), HKG (GN33 @ 4.12.2), Singapore (MAS Guidance Note @ 33), Australia (AML Regs), Korea (original or certified, per AML/CTF Reg 39), UK (AML 2007, 14(2)(c)), Canada (Schedule 7).

•  We could not find direct support in any EU, Australian or Asian AML/CTF regulation for the concept of digital transformation of documents to data as constituting a reliable source of data, unless a qualified person certifies the document.

23

4b. Approach 2: Static Database Electronic Verification (Non Public Approach)

[Slide images: two breach logos, captioned "Breach Size 80m, Jan 15" and "Breach Size 1m, Nov 14".]

Static database: electoral, credit, passport, driver's licence.

Relies on the "Non Public Approach": Knowledge Based Authentication (KBA), i.e. comparison of collected data against a database.

Issues

•  Highly localised, no global approach.

•  Much of the data is public or easily obtained.

•  No revocation mechanism if, say, a wallet is stolen or a mailbox compromised.

•  The data may not change between KBA checks, making ongoing due diligence risible and susceptible to ghosting and/or account takeover.

•  Simple to 'reverse' or social engineer the KBA.

•  Once breached, re-credentialing individuals is difficult: the data has become "public". What now?

24

4C. Approach 3: Dynamic Re-Use of Bank ID (Principles based)

[Flow diagram, read left to right:]

Physical Identification → Proof of Identity Documents → E-Payment Account (accounts are unique; regulated under AML, so the account identifies a person) → Verify Account

Once verified, the account is a "reliable" source for EV (AML) → KYC Identity: sanction screen + monitor; validate data against secondary sources of data.

Reach: 150m people, 200 countries.

25

4C (i). Approach 3: Dynamic Electronic Verification

Direct Account Access

1.  Request account login details from the customer.

2.  Service Provider accesses the account.

3.  SP confirms the account is active and retrieves the details associated with the account.

Key risk: requires the customer to provide Sensitive Account Data (login details + password) to a third party.

Key limitation: limited to ~350m bank accounts, mainly in SEPA. No credit card support.

Global: legal, risk and liability issues?

Indirect Account Access via KBA

1.  Service Provider creates a "secret" by making a payment against the payment instrument; the secret is processed through to the customer's statement of account.

2.  Ask the customer to retrieve the secret from the payment instrument's "secure area" (the customer's authenticated statement view) and submit it.

Key advantages:

i)  Customer Sensitive Account Data not exposed to a 3rd party.

ii)  Global: leverages more than 3.5Bn cards and bank accounts across 200 countries.

iii)  Risks reduced for all parties, incl. operator liability under eIDAS for data breach.
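The indirect-access steps above, written out as an added example. This is not iSignthis or PayPal code, and it goes beyond what the slide states: the provider sends a small payment whose random amount and statement descriptor together form the secret, keeps only an HMAC of that secret, and accepts the customer's answer only within a time window and an attempt limit. The class and method names (PaymentKBA, issue, verify), the 6-digit code, the 1 to 99 cent amount, the 3-attempt lockout and the 3-day expiry are all assumptions for illustration; the deck does not say how the secret is constructed. Everything used is from the Python standard library.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Assumed parameters (not from the slides): a 6-digit code in the statement
# descriptor plus a random 1..99 cent amount form the secret; three tries and a
# three-day window, because a card or bank posting can take days to appear.
CODE_DIGITS = 6
MAX_AMOUNT_CENTS = 99
MAX_ATTEMPTS = 3
TTL_SECONDS = 3 * 86400


@dataclass
class Challenge:
    challenge_id: str
    instrument_ref: str   # opaque reference to the customer's card/account
    issued_at: float
    secret_mac: bytes     # HMAC over (challenge_id, code, amount); plaintext not kept
    attempts: int = 0


class PaymentKBA:
    """Issue and check 'read the secret off your own statement' challenges."""

    def __init__(self, server_key: bytes, now=time.time):
        self._key = server_key
        self._now = now                    # injectable clock, so expiry is testable
        self._open: dict[str, Challenge] = {}

    def _mac(self, challenge_id: str, code: str, amount_cents: int) -> bytes:
        # Binding the challenge id into the MAC stops the secret from one
        # challenge being replayed against another.
        msg = f"{challenge_id}:{code}:{amount_cents}".encode()
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def issue(self, instrument_ref: str, merchant_name: str) -> tuple[Challenge, dict]:
        """Create a challenge and the payment instruction that delivers it."""
        challenge_id = secrets.token_hex(8)
        code = f"{secrets.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        amount_cents = 1 + secrets.randbelow(MAX_AMOUNT_CENTS)
        challenge = Challenge(
            challenge_id=challenge_id,
            instrument_ref=instrument_ref,
            issued_at=self._now(),
            secret_mac=self._mac(challenge_id, code, amount_cents),
        )
        self._open[challenge_id] = challenge
        # The only provider-side copy of the plaintext secret is the payment
        # instruction, which leaves with the payment to the acquirer/PSP.
        payment_instruction = {
            "instrument_ref": instrument_ref,
            "amount_cents": amount_cents,
            "descriptor": f"{merchant_name} VERIFY {code}",
        }
        return challenge, payment_instruction

    def verify(self, challenge_id: str, code: str, amount_cents: int) -> str:
        """Return 'ok', 'unknown', 'expired', 'locked' or 'mismatch'."""
        challenge = self._open.get(challenge_id)
        if challenge is None:
            return "unknown"
        if self._now() - challenge.issued_at > TTL_SECONDS:
            del self._open[challenge_id]
            return "expired"
        if challenge.attempts >= MAX_ATTEMPTS:
            return "locked"
        challenge.attempts += 1
        submitted = self._mac(challenge_id, code, amount_cents)
        if not hmac.compare_digest(challenge.secret_mac, submitted):
            return "mismatch"
        del self._open[challenge_id]       # one-shot: a passed challenge cannot be replayed
        return "ok"


if __name__ == "__main__":
    kba = PaymentKBA(secrets.token_bytes(32))
    ch, instruction = kba.issue("tok_demo", "ISX")
    # The customer reads these two values from the line on their statement.
    statement_code = instruction["descriptor"].split()[-1]
    statement_cents = instruction["amount_cents"]
    wrong_code = "000000" if statement_code != "000000" else "000001"
    print(kba.verify(ch.challenge_id, wrong_code, statement_cents))       # mismatch
    print(kba.verify(ch.challenge_id, statement_code, statement_cents))   # ok
    print(kba.verify(ch.challenge_id, statement_code, statement_cents))   # unknown
```

The attempt cap is the part that matters most: a statement line can only carry a small secret (the amount alone has 99 possible values), so without a lockout anyone able to submit answers for a challenge could simply enumerate it. Storing only the HMAC means a dump of the provider's database does not expose outstanding secrets, although the payment record held by the PSP or acquirer necessarily does; and deleting a challenge once it passes stops the same statement line from being used to verify twice.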

26

4C (ii). KBA Example: iSignthis & PayPal

27

4C (iii). Advantages of the Transactional Approach: Metadata is the DNA of a payment message

•  Payment data: merchant, acquirer, card details, name, amount, time, place, IIN data + country of issue.

•  Authentication + validation data: geodata, device data, SAD, phone number, SMS.

•  Device data: MAC, IMEI, CPE, language, OS.

•  Network data: IP address, carrier, channel, route, cell tower.

•  Delivery data: address, phone.

Under EU law, all of this is PII (identifiable to a person). Under US law, taken as a whole, this is also PII (it identifies a person).

28

4c (iv). A reliable means to generate identity on demand

[Flow diagram:]

Online or mobile customer → customer transacts with eMerchant → iSignthis process takes place post cart checkout, ensuring high conversion rates.

Link identity & payment account with 2FA:

•  First factor: user-selected passcode.

•  Second factor: one-time password by SMS, or Assurity (.sg) hard token.

iSignthis Identity: AML/CTF KYC identity traced & linked to 2FA and/or identity file created.

29

5. Global application – Passporting

Passporting:

•  Country <> Country

•  AML Service <> AML Service

•  AML Service <> Government

Possible in most jurisdictions provided that the source is from an equivalency jurisdiction – not necessarily FATF.

30

Key Takeaways

•  Transactions drive e-identity, and ought to: 'pre-boarding' is an outmoded concept online, and on-boarding customers for the sake of doing so is expensive and unnecessary.

•  Identity is complex. Legally establishing identity is even more complex.

•  Ultimately, given its importance to ecommerce, a scalable, dynamic electronic verification approach to identity is needed, taking into account security, costs and the user experience.

•  Global opportunities via a passporting approach.

•  Documents are not data unless transformed by a qualified certifying party.

31

For further information contact:

Sales: Andrew Karantzis, [email protected], +61 411 428 259