
Transactions Drive e-Identity:
Payments and AML/CTF KYC

MODERATOR:
Hue Dang, CAMS
Head of Asia, ACAMS

Jointly presented by:
John Karantzis B.E., LL.M, M.Ent, FIEAust, Managing Director, iSignthis Ltd (ASX: ISX)
Scott W Minehane B.Econ, LL.B., LL.M, Director, iSignthis Ltd
iSignthis 2015

What drives the need for e-Identity?

Transactions!
People are identified when they want to do something:
buy, sell, trade, receive goods and services.
The internet means we need to adapt how we approach identity.

Regulated (online) transactions are subject to:

Financial Identity (KYC)

Privacy / Data Protection law

Doing things well reduces compliance costs and enhances the customer experience

Today's Presentation
1. Identity? What is it?
2. Regulatory Approaches to Identity
i. European Union
ii. South Korea
iii. Hong Kong
iv. Singapore
v. Australia
3. Private Sector: Who needs identity?
4. How do we establish identity?
a. Physical Documents
b. Static Electronic Verification
c. Dynamic Electronic Verification
5. Conclusions

1. What is Identity?

A lawful or legally standing association, corporation,
partnership, proprietorship, trust, or individual.
Has legal capacity to:
- enter into agreements or contracts,
- assume obligations,
- incur and pay debts,
- sue and be sued in its own right, and
- be accountable for illegal activities.

1a. What is Digital Identity?

Let's look at how privacy law treats identity:
In the US, the law provides multiple definitions of Personally Identifiable
Information (PII), most focusing on whether the information pertains to an
(already) identified person.
By way of contrast, in the EU there is a single definition of personal data,
encompassing all information identifiable to a person.

The EU Data Protection Directive (95/46/EC, Art. 2(a)) defines an identifiable person as one who
"can be identified, directly or indirectly, in particular by reference to an identification
number or to one or more factors specific to his physical, physiological, mental,
economic, cultural or social identity."

2. Regulatory approaches to identity

1. Specific Type Approach: regulations specifically state the
means, or what must be done.
2. Non-Public Approach: regulations seek to make use of
information that is not in the public domain to identify a person.
3. Principles Based Approach: state the outcome rather than the
means. The means may include elements of Specific Type and
Non-Public, as well as other means.
4. The FATF risk-based approach favours a move towards the Principles
Based Approach.

2a. FATF Recommendation 5
(Principles Based Approach)

Guiding principle for FATF legislative model jurisdictions
(Recommendation 5 in the 2003 numbering; the same customer due diligence
requirement is Recommendation 10 in the 2012 revision of the FATF Recommendations):

Customer due diligence measures shall comprise:
identifying the customer and verifying the customer's identity on
the basis of documents, data or information obtained from a
reliable and independent source.

2b. What is a reliable source of data?

Consider the following factors with regard to the data:
(a) its accuracy;
(b) how secure it is;
(c) how the data is kept up to date / its recency;
(d) how comprehensive the data is;
(e) whether the data is maintained by a government
body or pursuant to legislation; and
(f) whether the electronic data can be additionally
authenticated.

2 (i). Identifying the customer (EU)

In the EU, any unique attribute is sufficient to identify a
person (principles based).
However, all EU member states require verification of at least
name + address (e.g. UK, IRL, SE).
Some states require verification of age as well: name +
address + age (e.g. FR, IT and BG).

2 (ii). Identifying the customer (KOR)

South Korea's Article 38 (of the 2010 AML/CTF Regulations)
takes a specific approach.
Identifying a customer is defined as collecting:
- name,
- address,
- identity or travel document, including number and type.
If not a Korean citizen, also required:
- date of birth,
- nationality.

2 (ii). Remote Verifying the customer (KOR)

Article 35 (Non face-to-face transactions):
(1) Financial institutions shall establish policies and
procedures to address the risk of ML/TF related to
non-face-to-face transactions.

2 (iii). Identifying the customer (HKG)

Hong Kong takes a specific approach via Guidance Note
GN33 (March 2015), similar to South Korea's Article 38.
Identifying a customer is defined as collecting:
- name,
- address,
- date of birth,
- nationality,
- identity or travel document, including number and type.

2 (iii). Remote Verifying the customer (HKG)

The FI must carry out at least one of the following measures for
remote on-boarding:
a. use additional sources of documents, data or information;
b. take supplementary measures to verify all the information
provided by the customer;
c. ensure that the first payment made into the customer's
account is received from an account in the customer's name
with an authorized institution in an equivalent jurisdiction.

2 (iv). Remote Verifying the customer (SGP)

MAS Notice 626 (new guidelines, 24 April 2015): appropriate measures to
address risks arising from undertaking transactions via the internet, by
using one or more of:
(a) independent telephone verification of the customer;
(b) confirmation of the customer's address;
(c) confirmation of the customer's employment status;
(d) confirmation of the customer's salary by use of recent bank
statements from another bank;
(e) qualified third-party certification of identification documents;
(f) requiring the first payment to be carried out through an account in
the customer's name with another FI subject to similar or equivalent
customer due diligence standards.

2 (v). Identifying and Verifying the customer (AUS)

The reporting entity must collect and verify the following
KYC information:
i. the customer's full name; and
collect both of, but verify either (any one) of:
a. the customer's date of birth, or
b. the customer's residential address.

2 (vi). Summary: number of attributes to be verified

Jurisdiction     Attributes to be verified
AUS/UK/US/SE     Name + Address, or Name + DoB
IT/FR/BG         Name + Address + DoB
KOR              Name + Address + DoB
HKG              Name + Address + DoB + Nationality + Gov ID
SGP              Name + Address + DoB + Nationality + Gov ID + Contact Details

3. Private Sector: Who needs Identity?

Payment Processing
- Payment processors: compliance requirement for AML KYC and/or ECB SecuRe Pay.
- eMerchants in the SEPA/EU28, as part of the ECB's Strong Customer Authentication.

Financial
- Stock brokers
- Financial systems requiring two-factor authentication technology
- Banks (incl. debit and card issuers)
- Commodity/bullion brokers
- Cryptocurrency exchanges (e.g. bitcoin)

Professional Services
- Real estate sales/rental agents
- Travel agents (US Patriot Act)
- Life insurers
- Accountants/auditors/lawyers
- Financial advisors/super funds

Others
- eWallet/mWallet providers
- Money remittance, P2P
- Loan/pawn providers
- eCasino/eGaming/eWagering
- Any business routinely trading > US $10k/transaction
- Currency exchange

3. Private Sector: Who needs Identity?

[Figure: 2x2 matrix of verification methods; vertical axis MANUAL to AUTOMATED, horizontal axis LOCAL to GLOBAL. Lower cost, lower friction, remote on-boarding and customer ease increase towards the automated/global corner.]

Methods plotted:
- Face to face checks.
- Notarised: posted/uploaded documents*.
- Experian or GBGroup style static credit database search (UK, US, AU): no dynamic means to include a customer on request if not already a historic customer of a credit reporting agency; requires cross-check of other databases; typical coverage of 60% of online applicants.
- iSignthis + PayPal: >3Bn accessible global payment instruments; no need for the user's disclosure of bank details to a third party.

4. How do we establish identity?

Two ways:
(i) Face to face, from reliable document sources, normally using
government issued photo identity documents.
Typically, we look for:
- Proof of Identity (POI): birth certificate, marriage certificate
- Evidence of Identity (EOI): government issued ID or bank accounts/cards
- Social footprint: utility bills, payments, insurances
(ii) Electronic Verification (EV) from reliable data or information sources.

4a (i). Approach 1: Physical Documents
(Challenges: Authenticity, Validity, Transformation, Verification)

The EU's Public Register of Authentic Identity and Travel Documents Online
(PRADO) recommends, when checking security features of documents:
FEEL, LOOK, TILT!
(see also en.wikipedia.org/wiki/European_driving_licence)
and to check the validity of document numbers via its
list of links to websites with information on invalid
document numbers: http://prado.consilium.europa.eu

4a (ii). Transforming Physical Documents
(Challenges: Authenticity, Validity, Transformation, Verification)

There is a trend in some countries towards using webcams or non-certified
images.
Scanners and webcams can't look, feel or tilt; so how valid, reliable
or independent is the uploading of an identity document?
How reliable is a comparison of a photo on such a document via
webcam?
There is no EU or global register of stolen credentials, so how is the
validity of these documents checked?
Can a document be transitioned from physical to data
or information without verification by the issuer as to its reliability or validity?

4a (iii). Transforming Physical Documents

Is there a legal basis to rely upon non-issuer/third-party
transformed physical documents?
NO! This approach is specifically prohibited, or not endorsed, by regulators
in many jurisdictions:
e.g. Germany (legislation), HKG (GN33 @ 4.12.2), Singapore (MAS
Guidance Note @ 33), Australia (AML Regs), Korea (original or certified,
per AML/CTF Reg 39), UK (AML 2007, 14(2)(c)), Canada (Schedule 7).
We could not find direct support in any EU, Australian or Asian AML/CTF
regulation for the concept of digital transformation of
documents to data as constituting a reliable source of data, unless a
qualified person certifies the document.

4b. Approach 2: Static Database Electronic Verification
(Non-Public Approach)

Static database: electoral, credit, passport, driver's licence.
Relies on the Non-Public Approach: Knowledge Based Authentication
(KBA), a comparison of collected data to the database.
Issues:
- Highly localised, no global approach.
- Much of the data is public or easily obtained.
- No revocation: what happens if, say, a wallet is stolen or a mailbox compromised?
- Data may not change between KBA checks, making ongoing due diligence
risible; susceptible to ghosting and/or takeover.
- Simple to reverse or social-engineer the KBA.
- Once breached, re-credentialing of individuals is difficult; the data
becomes public. What now?
[Callouts on the slide: breach size 80m, Jan 2015; breach size 1m, Nov 2014.]

4c. Approach 3: Dynamic Re-Use of Bank ID
(Principles based)

[Diagram: Physical identification, Proof of Identity documents and secondary sources of data feed the opening of an E-Payment Account (accounts are unique, regulated for AML, and identify a person). Verify the account: once verified, it is a reliable source for EV (AML). Validate data, sanction screen + monitor, producing the KYC Identity. Reach: 150m people, 200 countries.]

4c (i). Approach 3: Dynamic Electronic Verification

Direct Account Access
1. Request account login details from the customer.
2. Service Provider accesses the account.
3. SP confirms the account is active and retrieves details associated with the account.
Key risk: requires the customer to provide Sensitive Account Data (login details + password) to a third party.
Key limitation: limited to ~350m bank accounts, mainly in SEPA; no credit card support.
Global legal, risk and liability issues?

Indirect Account Access via KBA
1. Service Provider creates a secret using a payment against the payment instrument, and processes the secret onto the statement of account.
2. Ask the customer to retrieve the secret from the payment instrument's secure area.
Key advantages:
i) Customer Sensitive Account Data not exposed to a 3rd party.
ii) Global: leverages more than 3.5Bn cards and bank accounts across 200 countries.
iii) Risks reduced for all parties, incl. operator liability under eIDAS for data breach.

4c (ii). KBA Example: iSignthis & PayPal
[Slide content not captured in the text export.]
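As an added illustration of the "Indirect Account Access via KBA" flow on slide 4c (i), the following Python sketch is not iSignthis's or PayPal's code; the descriptor prefix (ISX*), the EUR 0.01 charge, the six-character code, the TTL and the attempt limit are all assumptions made for the example. It shows the server-side discipline the slide does not spell out: the secret comes from a CSPRNG, only a keyed hash of it is stored, the comparison is constant-time, and the code is single-use, time-limited and attempt-limited, so the customer's online banking login never passes through the service provider.

```python
"""Indirect account verification via a payment-carried secret (added example,
not iSignthis's or PayPal's code; descriptor prefix, charge amount, code length,
TTL and attempt limit are assumptions). The SP mints a secret, delivers it inside
a small payment against the instrument, the customer reads it off the statement in
the instrument's secure area and types it back; the SP never sees their login."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# No 0/O or 1/I, so a code copied by eye from a statement is unambiguous.
SECRET_ALPHABET = "ABCDEFGHJKMNPQRSTUVWXYZ23456789"
SECRET_LENGTH = 6


@dataclass
class Statement:
    """Stand-in for the customer's secure-area statement (constructed sample data)."""
    lines: List[str] = field(default_factory=list)


@dataclass
class Session:
    secret_mac: bytes     # keyed hash only: a leaked table reveals no live codes
    expires_at: float
    attempts_left: int
    verified: bool = False


class TransactionVerifier:
    def __init__(self, server_key: bytes, descriptor_prefix: str = "ISX*",
                 ttl_seconds: int = 7 * 24 * 3600, max_attempts: int = 3) -> None:
        self._key = server_key
        self._prefix = descriptor_prefix      # assumed statement descriptor
        self._ttl = ttl_seconds               # statements can take days to post
        self._max_attempts = max_attempts     # caps online guessing of the code
        self._sessions: Dict[str, Session] = {}

    def _mac(self, session_id: str, secret: str) -> bytes:
        # Bind the secret to its session so a code cannot be replayed into another one.
        return hmac.new(self._key, f"{session_id}:{secret}".encode(), hashlib.sha256).digest()

    def start(self, session_id: str, statement: Statement, now: Optional[float] = None) -> None:
        """Step 1: mint the secret and push it onto the statement via a tiny charge."""
        now = time.time() if now is None else now
        secret = "".join(secrets.choice(SECRET_ALPHABET) for _ in range(SECRET_LENGTH))
        # Simulated posting of the charge; a real integration sends a payment whose
        # descriptor (or split amounts) encodes the secret.
        statement.lines.append(f"{self._prefix}{secret} EUR 0.01")
        self._sessions[session_id] = Session(self._mac(session_id, secret),
                                             now + self._ttl, self._max_attempts)

    def verify(self, session_id: str, answer: str, now: Optional[float] = None) -> str:
        """Steps 2-3: check the code the customer read back; returns an outcome label."""
        now = time.time() if now is None else now
        s = self._sessions.get(session_id)
        if s is None:
            return "unknown"
        if s.verified:
            return "already_verified"       # a verified code is single-use
        if now > s.expires_at:
            return "expired"
        if s.attempts_left <= 0:
            return "locked"
        s.attempts_left -= 1                # charge the attempt before comparing
        candidate = answer.strip().upper()
        if hmac.compare_digest(self._mac(session_id, candidate), s.secret_mac):
            s.verified = True
            return "verified"
        return "locked" if s.attempts_left == 0 else "wrong"


def read_code_from_statement(statement: Statement, prefix: str = "ISX*") -> Optional[str]:
    """What the customer does: find the SP's line in the secure area and copy the code."""
    for line in statement.lines:
        if line.startswith(prefix):
            return line[len(prefix):].split()[0]
    return None


def demo() -> Dict[str, object]:
    """Run the flow against constructed statements and return every outcome."""
    t0 = 1_700_000_000.0
    v = TransactionVerifier(b"example-key-not-for-production", ttl_seconds=3600)
    out: Dict[str, object] = {}
    # Happy path: code read from the statement, typed back lower-case with padding.
    stmt = Statement(lines=["COFFEE SHOP EUR 3.20"])            # constructed history
    v.start("sess-1", stmt, now=t0)
    code = read_code_from_statement(stmt)
    out["happy"] = v.verify("sess-1", f" {code.lower()} ", now=t0 + 60)
    out["replay"] = v.verify("sess-1", code, now=t0 + 61)
    # Guessing: three wrong answers lock the session, even for the right code later.
    stmt2 = Statement()
    v.start("sess-2", stmt2, now=t0)
    code2 = read_code_from_statement(stmt2)
    out["guesses"] = [v.verify("sess-2", "BAD" + code2, now=t0 + i) for i in range(3)]
    out["after_lock"] = v.verify("sess-2", code2, now=t0 + 5)
    # Expiry: a code presented after the TTL is refused.
    stmt3 = Statement()
    v.start("sess-3", stmt3, now=t0)
    out["expired"] = v.verify("sess-3", read_code_from_statement(stmt3), now=t0 + 3601)
    return out
```

The design point is that the only thing shared between the SP and the customer's bank is a payment, which is the one channel both already support; the customer's credentials stay with the bank, which is the advantage the slide lists under (i). The attempt counter is decremented before the comparison so a crashed or interrupted request cannot be replayed for a free guess.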

4c (iii). Advantages of the Transactional Approach

Metadata is the DNA of a payment message:
- Device data: MAC, IMEI, CPE, language, OS
- Delivery data: address, phone
- Authentication + validation data: geodata, device data, SAD, phone number, SMS
- Payment data: merchant, acquirer, card details, name, amount, time, place, IIN data + country of issue
- Network data: IP address, carrier, channel, route, cell tower

Under EU law, all of this is PII identifiable to a person.
Under US law, taken as a whole, this is also PII that identifies a person.

4c (iv). A reliable means to generate identity on demand

[Diagram: an online or mobile customer transacts with an eMerchant; iSignthis identity: AML/CTF KYC identity traced and linked to 2FA, and/or an identity file created.]

Link Identity & Payment Account with 2FA:
- First factor: user-selected passcode
- Second factor: one-time password by SMS, or Assurity(.sg) hard token
(Of the two second-factor options, SMS is the weaker: it is exposed to SIM-swap and SS7 interception, which a hard token is not.)

The iSignthis process takes place post cart checkout,
ensuring high conversion rates.

5. Global application: Passporting

Passporting:
- Country <> Country
- AML Service <> AML Service
- AML Service <> Government
Possible in most jurisdictions provided that the source is from an
equivalency jurisdiction, not necessarily FATF.

Key Takeaways
- Transactions drive e-identity, and ought to: pre-boarding is an outmoded concept for online, and onboarding customers for the sake of doing so is expensive
and unnecessary.
- Identity is complex. Legally establishing identity is even
more complex.
- Ultimately, given its importance to ecommerce, a scalable,
dynamic electronic verification approach to identity is
important, taking into account security, costs and the user
experience.
- Global opportunities via a passporting approach.
- Documents are not data unless transformed by a qualified
certifying party.

For further information contact:

Sales:
Andrew Karantzis
andrew.karantzis@isignthis.com
+61 411 428 259
