Slide 2
What drives the need for e-Identity?
Transactions!
People are identified when they want to do something:
buy, sell, trade, receive goods and services.
The internet means we need to adapt how we approach identity.
Regulated (online) transactions are subject to:
• Financial identity rules (KYC)
• Privacy / data protection law
Doing both well reduces compliance costs and enhances the customer experience.
Slide 3
Today’s Presentation
1. Identity? What is it?
2. Regulatory Approaches to Identity
i. European Union
ii. South Korea
iii. Hong Kong
iv. Singapore
v. Australia
3. Private Sector – Who needs identity?
4. How do we establish identity?
a. Physical Documents
b. Static Electronic Verification
c. Dynamic Electronic Verification
5. Conclusions
Slide 4
1. What is Identity?
A lawful or legally standing association, corporation,
partnership, proprietorship, trust, or individual.
Has legal capacity to:
• enter into agreements or contracts,
• assume obligations,
• incur and pay debts,
• sue and be sued in its own right, and
• be accountable for illegal activities.
Slide 5
1a. What is Digital Identity?
• Let's look at how privacy law treats identity:
• In the US, the law provides multiple definitions of Personally Identifiable Information (PII), most focusing on whether the information pertains to an (already) identified person.
• By way of contrast, the EU has a single definition of personal data that encompasses all information relating to an identifiable person.
• The EU Data Protection Directive (95/46/EC, Art. 2(a)) defines an "identifiable" person as "one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."
Slide 6
2. Regulatory approaches to identity
1. "Specific Type Approach": regulations specifically state the means, i.e. what must be done.
2. "Non Public Approach": regulations seek to make use of information that is not in the public domain to identify a person.
3. "Principles Based Approach": state the outcome rather than the means. The means may include elements of the Specific Type and Non Public approaches, as well as other means.
4. The FATF "risk based approach" favours a move towards the "Principles Based Approach".
Slide 7
2a. FATF Recommendation 5 (Principles Based Approach)
Guiding principle for jurisdictions following the FATF legislative model:
"Customer due diligence measures shall comprise:
identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;"
(The wording quoted is the EU Third AML Directive's transposition of the FATF CDD recommendation, 2005/60/EC Art. 8(1)(a); since the 2012 revision of the FATF Recommendations the CDD recommendation is numbered 10.)
Slide 8
2b. What is a reliable source of data?
Consider the following factors with regard to the data:
• (a) its accuracy;
• (b) how secure it is;
• (c) how the data is kept up to date (its recency);
• (d) how comprehensive the data is;
• (e) whether the data is maintained by a government body or pursuant to legislation; and
• (f) whether the electronic data can be additionally authenticated.
Slide 9
2 (i). 'Identifying' the customer (EU)
• In the EU, any "unique" attribute is sufficient to identify a person (principles based).
• However, all EU member states require verification of name + address (e.g. UK, IRL, SE).
• Some states require verification of age as well: name + address + age (e.g. FR, IT and BG).
Slide 10
2 (ii). 'Identifying' the customer (KOR)
South Korea's Article 38 (of the 2010 AML/CTF Regulations) takes a specific approach.
Identifying a customer is defined as collecting:
• name,
• address,
• identity or travel document, incl. number and type.
If not a Korean citizen, also required:
• date of birth,
• nationality.
Slide 11
2 (ii). Remote 'Verifying' the customer (KOR)
Article 35 (Non face-to-face transactions)
(1) Financial institutions shall establish policies and procedures to address the risk of ML/TF related to non-face-to-face transactions.
Slide 12
2 (iii). 'Identifying' the customer (HKG)
Hong Kong takes a specific approach via Guidance Note GN33 (March 2015), similar to South Korea's Article 38.
Identifying a customer is defined as collecting:
• name,
• address,
• date of birth,
• nationality,
• identity or travel document, incl. number and type.
Slide 13
2 (iii). Remote 'Verifying' the customer (HKG)
The FI must carry out at least one of the following measures for remote on-boarding:
a. use additional sources of documents, data or information;
b. take supplementary measures to verify all the information provided by the customer;
c. ensure that the first payment made into the customer's account is received from an account in the customer's name with an authorized institution in an equivalent jurisdiction …
Slide 14
2 (iv). Remote 'Verifying' the customer (SGP)
MAS Notice 626 (new guidelines, 24 April 2015) – appropriate measures to address risks arising from undertaking transactions via the internet, using one or more of:
(a) independent telephone verification of the customer;
(b) confirmation of the customer's address;
(c) confirmation of the customer's employment status;
(d) confirmation of the customer's salary by use of recent bank statements from another bank;
(e) qualified third-party certification of identification documents;
(f) requiring the first payment to be carried out through an account in the customer's name with another FI subject to similar or equivalent customer due diligence standards.
Slide 15
2 (v). 'Identifying' and 'Verifying' the customer (AUS)
The reporting entity must collect and verify the following KYC information:
i. the customer's full name; and
ii. both of the following (collect both, but verify either one of them):
a. the customer's date of birth, or
b. the customer's residential address.
Slide 16
2 (vi). Summary: number of attributes to be verified
(Bar chart on the original slide; only the labelled groups are recoverable, not the bar heights.)
Jurisdiction     | Attributes to be verified
AUS/UK/US/SE     | Name + Address, or Name + DoB
IT/FR/BG         | Name + Address + DoB
KOR, HKG         | Name + Address + DoB + Nationality + Gov ID
SGP              | Name + Address + DoB + Nationality + Gov ID + Contact Details
Slide 17
3. Private Sector: Who needs Identity?
(Grouped on the original slide under four headings: Payment Processing, Financial, Professional Services, Others.)
• Payment processors: compliance requirement for AML KYC and/or ECB SecuRe Pay
• eMerchants in the SEPA/EU28, as part of the ECB's Strong Customer Authentication
• Stock brokers
• Financial systems requiring two-factor authentication technology
• Banks (incl. debit and card issuers)
• Commodity/bullion brokers
• Crypto-currency exchanges (e.g. bitcoin)
• Real estate sales/rental agents
• Travel agents (US Patriot Act)
• Life insurers
• Accountants/auditors/lawyers
• Financial advisors/super funds
• eWallet/mWallet providers
• Money remittance, p2p
• Loan/pawn providers
• eCasino/eGaming/eWagering
• Any business routinely trading > US $10k/transaction
• Currency exchange
Slide 18
3. Private Sector: Who needs Identity? (continued) – comparison of verification approaches
(Diagram on the original slide: approaches plotted on Manual vs Automated and Local vs Global axes; customer ease, lower cost, lower friction and remote on-boarding increase towards the automated, global corner.)
• Manual: face-to-face checks; notarised, posted/uploaded documents*
• Automated, local: 'Experian' or 'GBGroup' style static credit database search (UK, US, AU)
  – no dynamic means to include a customer on request if not already a historic customer of a credit reporting agency;
  – requires cross-checks of other databases;
  – typical coverage of 60% of online applicants.
• Automated, global: iSignthis + PayPal
  – >3Bn accessible global payment instruments;
  – no need for the user to disclose bank details to a third party.
Slide 19
4. How do we establish identity?
Two ways:
(i) Face to face – from reliable document sources, normally using government-issued photo identity documents. Typically, we look for:
• Proof of Identity (POI) – birth certificate, marriage certificate
• Evidence of Identity (EOI) – government-issued ID or bank accounts/cards
• Social footprint – utility bills, payments, insurances
(ii) Electronic Verification (EV) – from reliable data or information sources
Slide 20
4a (i). Approach 1 – Physical Documents
(Challenges – Authenticity, Validity, Transformation, Verification)
The EU's Public Register of Authentic Identity and Travel Documents Online (PRADO) recommends:
"When checking security features of documents: FEEL, LOOK, TILT!"
and
"Check the validity of document numbers – [via] List of links to websites with information on invalid document numbers"
http://prado.consilium.europa.eu
(Image on the original slide: en.wikipedia.org/wiki/European_driving_licence)
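PRADO's "check the validity of document numbers" points at issuer lists of invalid numbers. Before any such lookup, a verifier can run the structural check the number already carries: the ICAO 9303 check digits in a passport's machine-readable zone. The example below is added here and is not from the presentation or PRADO; it validates the second MRZ line of a TD3 passport using the published ICAO specimen (the "Utopia" passport) and a constructed copy with one digit of the birth date altered. Note the limit the deck itself stresses: a passing check digit shows the MRZ is internally consistent, not that the document is genuine, unexpired in the issuer's records, or not reported stolen.

```python
"""ICAO 9303 check-digit validation for the second MRZ line of a TD3 (passport) document.

Added example (not from the presentation). A correct check digit proves only that the
MRZ is internally consistent; it says nothing about whether the document is genuine,
stolen or revoked, which is exactly the gap the deck describes.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# ICAO Doc 9303 Part 3: weights 7,3,1 repeating; digits are face value, letters A..Z
# map to 10..35, the filler '<' counts as 0; the check digit is the weighted sum mod 10.
WEIGHTS = (7, 3, 1)


def char_value(c: str) -> int:
    """Numeric value of one MRZ character under ICAO 9303."""
    if c == "<":
        return 0
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    raise ValueError(f"invalid MRZ character: {c!r}")


def check_digit(s: str) -> int:
    return sum(char_value(c) * WEIGHTS[i % 3] for i, c in enumerate(s)) % 10


def _digit_matches(cd: str, value: str, allow_filler: bool = False) -> bool:
    """True if cd is the correct check digit for value.

    For the optional-data field the spec permits '<' in place of the check digit
    when the field itself is all filler.
    """
    if allow_filler and cd == "<" and value.strip("<") == "":
        return True
    return cd.isdigit() and int(cd) == check_digit(value)


@dataclass
class Td3Line2:
    document_number: str
    nationality: str
    birth_date: str    # YYMMDD
    sex: str
    expiry_date: str   # YYMMDD
    optional_data: str
    failures: List[str] = field(default_factory=list)

    @property
    def ok(self) -> bool:
        return not self.failures


def validate_td3_line2(line: str) -> Td3Line2:
    """Parse the 44-character second MRZ line of a passport and verify all five check digits."""
    if len(line) != 44:
        raise ValueError(f"TD3 line 2 must be 44 characters, got {len(line)}")
    failures: List[str] = []
    # field name -> (value, its check digit), 0-indexed positions per ICAO 9303 Part 4
    fields: Dict[str, Tuple[str, str]] = {
        "document_number": (line[0:9], line[9]),
        "birth_date":      (line[13:19], line[19]),
        "expiry_date":     (line[21:27], line[27]),
        "optional_data":   (line[28:42], line[42]),
    }
    for name, (value, cd) in fields.items():
        if not _digit_matches(cd, value, allow_filler=(name == "optional_data")):
            failures.append(name)
    # The composite check digit covers positions 1-10, 14-20 and 22-43 (1-indexed),
    # i.e. every field above together with its own check digit.
    composite = line[0:10] + line[13:20] + line[21:43]
    if not _digit_matches(line[43], composite):
        failures.append("composite")
    return Td3Line2(
        document_number=line[0:9].rstrip("<"),
        nationality=line[10:13],
        birth_date=line[13:19],
        sex=line[20],
        expiry_date=line[21:27],
        optional_data=line[28:42].rstrip("<"),
        failures=failures,
    )


if __name__ == "__main__":
    # ICAO 9303 published specimen ("Utopia"); the second line is a constructed copy
    # with one digit of the birth date changed (740812 -> 740813).
    specimen = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
    tampered = "L898902C36UTO7408132F1204159ZE184226B<<<<<10"
    for mrz in (specimen, tampered):
        r = validate_td3_line2(mrz)
        print(mrz, "OK" if r.ok else "FAILED: " + ", ".join(r.failures))
```

The tampered line fails on both the birth-date digit and the composite digit, which is why the composite exists: a single edit that happens to preserve one field's digit still disturbs the line-wide sum. An uploaded scan that passes this check has still only cleared the cheapest hurdle; the issuer-side validity and the physical FEEL, LOOK, TILT checks the slide describes remain undone.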
Slide 21
4a (i). Transforming – Physical Documents
(Challenges – Authenticity, Validity, Transformation, Verification)
• Trend in some countries towards using webcams or non-certified images.
• Scanners/webcams can't look, feel or tilt; so how valid, "reliable" or "independent" is an uploaded identity document?
• How reliable is a comparison against the photo on such a document via webcam?
• There is no EU or global register of stolen credentials, so how is the validity of these documents checked?
• Can a document be transitioned from physical to "data" or information without verification of its reliability or validity by the issuer?
Slide 22
4a (ii). Transforming – Physical Documents
Is there a legal basis to rely upon physical documents transformed by a non-issuer / third party?
• NO! This approach is specifically prohibited or not endorsed by regulators in many jurisdictions:
• e.g. Germany (legislation), HKG (GN33 @ 4.12.2), Singapore (MAS Guidance Note @ 33), Australia (AML Regs), Korea (original or certified, per AML/CTF Reg 39), UK (AML 2007, 14(2)(c)), Canada (Schedule 7)
• We could not find direct support in any EU, Australian or Asian AML/CTF regulation for the concept of digital transformation of documents to data constituting a reliable source of data, unless a qualified person certifies the document.
Slide 23
4b. Approach 2: Static Database Electronic Verification (Non Public Approach)
(Callouts on the original slide: breach size 80m, Jan 15; breach size 1m, Nov 14.)
Static database – electoral, credit, passport, driver's licence.
Relies on the "Non Public Approach": Knowledge Based Authentication (KBA), i.e. comparison of collected data to a database.
Issues
• Highly localised, no global approach.
• Much of the data is public or easily obtained.
• No means of revocation if, say, a wallet is stolen or a mailbox compromised.
• Data may not change between KBA checks, making ongoing due diligence risible and susceptible to ghosting and/or takeover.
• Simple to reverse-engineer or social-engineer the KBA.
• Once breached, re-credentialing of individuals is difficult – the data becomes "public" – what now?
Slide 24
4c. Approach 3: Dynamic Re-Use of Bank ID (Principles based)
(Flow diagram on the original slide, reconstructed as a sequence.)
Physical identification (proof of identity documents) → E-payment account
E-payment accounts are unique and regulated for AML (identifies the person) → Verify account
Once verified, the account is a "reliable" source for EV (AML) → KYC identity
KYC identity: sanction screen + monitor; validate data against secondary sources of data
Figures on the original slide: 150m people, 200 countries.
Slide 25
4c (i). Approach 3: Dynamic Electronic Verification
Direct Account Access
1. Request account login details from the customer.
2. The Service Provider (SP) accesses the account.
3. The SP confirms the account is active and retrieves details associated with the account.
Key risk: requires the customer to provide Sensitive Account Data (login details + password).
Key limitation: limited to 350m bank accounts, mainly in SEPA. No credit card support.
Global – legal, risk, liability issues?

Indirect Account Access via KBA
1. The SP creates a "secret" by making a payment against the payment instrument; the secret is processed through to the statement of account.
2. Ask the customer to retrieve the secret from the payment instrument's "secure area" (the authenticated statement view at their bank or card issuer).
Key advantages:
i) customer Sensitive Account Data is not exposed to a 3rd party;
ii) global: leverages more than 3.5Bn cards and bank accounts across 200 countries;
iii) risks reduced for all parties, incl. operator liability under eIDAS for data breach.
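The indirect flow above reduces to a challenge-response in which the bank statement is the out-of-band channel. The following is an added example of how a service provider can implement it; it is illustrative code, not iSignthis's product or API. It splits the checkout total into two card charges with a random split, stores only an HMAC of the expected answer, and enforces expiry, single use and an attempt cap. SERVER_KEY, the attempt limit, the TTL and the minimum charge size are assumptions; submitting the charges to an acquirer is outside the example.

```python
"""Added example (not iSignthis's code): the 'indirect account access via KBA' flow.

The service provider (SP) splits the checkout amount into two card charges with a random
split. Only the account holder can see both posted amounts in the authenticated statement
view of their bank or card issuer, so typing them back demonstrates control of the
instrument without handing the SP any login credentials. SERVER_KEY, MAX_ATTEMPTS,
TTL_SECONDS and MIN_CHARGE_CENTS are assumptions for illustration.
"""
import hashlib
import hmac
import math
import secrets
import time
from dataclasses import dataclass
from typing import Optional, Tuple

SERVER_KEY = secrets.token_bytes(32)   # assumption: in production this comes from a KMS/HSM
MAX_ATTEMPTS = 3                       # the secret is low entropy, so attempts must be scarce
TTL_SECONDS = 5 * 24 * 3600            # card charges can take days to post to a statement
MIN_CHARGE_CENTS = 100                 # keep each charge above trivially small values


@dataclass
class Challenge:
    challenge_id: str
    expected_mac: bytes     # HMAC(SERVER_KEY, "id:amount1:amount2"); the split is never stored
    created_at: float
    attempts: int = 0
    verified: bool = False


def _mac(challenge_id: str, amounts: Tuple[int, int]) -> bytes:
    msg = f"{challenge_id}:{amounts[0]}:{amounts[1]}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).digest()


def entropy_bits(total_cents: int) -> float:
    """Bits of secret the split actually carries; for a EUR 10.00 checkout it is under 10."""
    choices = total_cents - 2 * MIN_CHARGE_CENTS + 1
    return math.log2(choices) if choices > 0 else 0.0


def create_challenge(total_cents: int, now: Optional[float] = None) -> Tuple[Challenge, Tuple[int, int]]:
    """Return the record the SP stores and the two amounts it submits to the acquirer.

    The two charges sum to the checkout total, so the customer pays exactly the cart amount.
    """
    if total_cents < 2 * MIN_CHARGE_CENTS:
        raise ValueError("checkout amount too small to split into two meaningful charges")
    # The split *is* the secret: draw it from the CSPRNG, never from random.randint.
    first = MIN_CHARGE_CENTS + secrets.randbelow(total_cents - 2 * MIN_CHARGE_CENTS + 1)
    amounts = (first, total_cents - first)
    challenge_id = secrets.token_urlsafe(16)
    created = time.time() if now is None else now
    return Challenge(challenge_id, _mac(challenge_id, amounts), created), amounts


def verify_answer(ch: Challenge, answer: Tuple[int, int], now: Optional[float] = None) -> bool:
    """Check the amounts the customer read from their statement; every call counts as an attempt."""
    now = time.time() if now is None else now
    if ch.verified or ch.attempts >= MAX_ATTEMPTS or now - ch.created_at > TTL_SECONDS:
        return False
    ch.attempts += 1
    # Statements do not promise an order, so accept either; compare MACs in constant time.
    forward = hmac.compare_digest(_mac(ch.challenge_id, answer), ch.expected_mac)
    reverse = hmac.compare_digest(_mac(ch.challenge_id, (answer[1], answer[0])), ch.expected_mac)
    if forward or reverse:
        ch.verified = True
        return True
    return False


if __name__ == "__main__":
    ch, amounts = create_challenge(1000)          # EUR 10.00 cart
    print("charges submitted:", amounts, "entropy bits:", round(entropy_bits(1000), 1))
    print("wrong answer accepted?", verify_answer(ch, (amounts[0], amounts[1] + 1)))
    print("statement amounts accepted?", verify_answer(ch, amounts))
    print("replay accepted?", verify_answer(ch, amounts))
```

The design point worth taking from this is entropy_bits: a split over a EUR 10 basket carries fewer than 10 bits, so with an unlimited number of tries an attacker who has stolen the card number but not statement access would simply enumerate splits. The attempt cap, the expiry and the single-use flag are therefore not hardening extras but the controls that make the scheme work at all, and in practice the SP would also bind the answer to the other transaction metadata the deck lists on a later slide (device, network, delivery data) before treating the instrument as verified.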
Slide 27
4c (iii). Advantages of the Transactional Approach: Metadata is the DNA of a payment message
• Payment data: merchant, acquirer, card details, name, amount, time, place, IIN data + country of issue
• Authentication + validation data: geodata, device data, SAD, phone number, SMS
• Device data: MAC, IMEI, CPE, language, OS
• Network data: IP address, carrier, channel, route, cell tower
• Delivery data: address, phone
Under EU law, all of this is PII – identifiable to a person.
Under US law, taken as a whole, this is also PII – it identifies a person.
Slide 28
4c (iv). A reliable means to generate identity on demand
(Flow diagram on the original slide, reconstructed as a sequence.)
Customer transacts with an eMerchant, online or mobile → the iSignthis process takes place post cart checkout, ensuring high conversion rates → link identity & payment account with 2FA:
• First factor: user-selected passcode
• Second factor: one-time password by SMS, or Assurity(.sg) hard token
→ iSignthis identity: AML/CTF KYC identity traced & linked to 2FA, and/or identity file created.
Slide 29
5. Global application – Passporting
Passporting:
• Country <> Country
• AML Service <> AML Service
• AML Service <> Government
Possible in most jurisdictions provided that the source is from an equivalency jurisdiction – not necessarily FATF.
Slide 30
Key Takeaways
• Transactions drive e-identity, and ought to do so: 'pre-boarding' is an outmoded concept for online, and on-boarding customers for the sake of doing so is expensive and unnecessary.
• Identity is complex. Legally establishing identity is even more complex.
• Ultimately, given its importance to e-commerce, a scalable, dynamic electronic verification approach to identity is important, taking into account security, costs and the user experience.
• Global opportunities via a passporting approach.
• Documents are not data unless transformed by a qualified certifying party.