This post is the second part of a series. You can read the previous post here.
Most of us are used to signing up for services online and getting started by handing over little more than our name and a mobile number or email address. We verify the mobile number or email through an OTP or a link sent to our inbox, and off we go. For financial services, however, that is only the beginning of the journey.
You've probably gone to a bank and opened an account in person. They probably asked you for all kinds of documents, such as your ID card and passport, and took a photo of you with the camera attached to the PC. These are all requirements when signing up for a financial service.
Since banks, and any other financial services business, are regulated entities, they all go through the same level of scrutiny when it comes to the "KYC" (Know Your Customer) process.
It's obvious that in-person KYC (IAL 3) provides assurance, since the customer is right there in front of you. However, in the modern world customers want to be able to do everything from the comfort of their own home. There is also something called Remote In-Person which can qualify as IAL 3, which we'll talk about below.
In this post we will focus on the checks and validations required under IAL 2 and IAL 3, and more specifically on the challenges that arise because the customer may be going through onboarding remotely. We will cover the technologies needed to make the KYC process a reliable risk control for the company.
How to decide which IAL level you need
At this point you may be wondering how to decide which IAL level a given company needs when providing services to customers. The NIST document published here contains a flow chart you can follow. It looks something like the following.
Suffice to say, if you provide any kind of financial service you will need at the very least IAL 2, since as a financial service you will meet the following criteria from the diagram above.
- You need personal information about the customer
- You need that information to be validated before you can perform any transaction
- Every risk factor in the diagram (rated as none, low, moderate or high) carries some risk when providing financial services to a customer
- If you assess moderate on any of the factors you need IAL 2
- If you assess high on any of the factors you need IAL 3
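As an added illustration (not code from the original post), the bullets above can be encoded as a small decision function. The risk factor names in the sample call are constructed, and treating a service whose worst factor is only none or low as IAL 1 is an assumption of this example, since the post only spells out the moderate and high outcomes.

```python
# Added example, not from the original post: the flow-chart bullets above as a
# decision function. Factor names in the sample call are constructed.
RATINGS = ("none", "low", "moderate", "high")  # ordered least to most severe


def required_ial(needs_personal_info: bool, needs_validation: bool,
                 impacts: dict[str, str]) -> tuple[int, str]:
    """Return (IAL, reason) for a service, following the post's bullets.

    impacts maps each risk factor to one of RATINGS; every factor must be rated.
    """
    if not needs_personal_info:
        return 1, "no personal information collected"
    if not needs_validation:
        return 1, "personal information is self-asserted, never validated"
    if not impacts:
        raise ValueError("rate every risk factor before choosing an IAL")
    for factor, rating in impacts.items():
        if rating not in RATINGS:
            raise ValueError(f"{factor}: rating must be one of {RATINGS}, got {rating!r}")
    # The worst-rated factor decides the level.
    factor, rating = max(impacts.items(), key=lambda kv: RATINGS.index(kv[1]))
    if rating == "high":
        return 3, f"{factor} rated high"
    if rating == "moderate":
        return 2, f"{factor} rated moderate"
    # Assumption of this example: nothing above 'low' leaves the service at
    # IAL 1. The post only states the moderate and high outcomes, so confirm
    # this branch against the NIST flow chart for your own assessment.
    return 1, f"worst factor {factor} rated {rating}"


if __name__ == "__main__":
    # Constructed sample: a digital wallet with one factor rated high.
    wallet = {"financial_loss": "high", "reputation": "moderate", "privacy": "moderate"}
    print(required_ial(True, True, wallet))  # (3, 'financial_loss rated high')
```

The function refuses to decide until every factor carries a rating, which mirrors the point made below that the risk assessment itself is the non-negotiable step.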
It's important that every company does its own risk assessment and comes to its own conclusions on where it falls within the guideline. This post does not provide any guarantees and cannot assess the risk factors for your company. It is here to give you enough information to know that a risk assessment needs to be done, whether within your own organization or with professional external consulting.
In general, if you provide any kind of deposit service such as a digital wallet, or allow customers to make cross-border remittances and payments, you will probably need at least IAL 2 for most customers, and IAL 3 for any customer that the checks built into your systems flag as "high risk".
In the following we will be referencing NIST SP 800-63A, which goes into detail about what is necessary at each IAL level. For most IAL levels in the document you'll see wording like the following.
Collection of PII SHALL be limited to the minimum necessary to resolve a unique identity in a given context.
It's important to note that even though collecting information about your customers helps manage risk for your organization, collecting too much unnecessary PII (personally identifiable information) increases risk for your organization. In short, over-doing KYC data collection is a risk in itself, so it's important to strike a good balance. Laws like GDPR, PDPA and various others govern the use of personal information. You should collect just enough to resolve someone's unique identity.
Document Quality Strength
The NIST document lists the following 'strengths' describing how sure one can be about a given piece of evidence.
WEAK
- The document has some information about the customer, like a name and some sort of identification number or maybe even a photo, but you cannot truly verify whether the document is reliable.
- Something like a video rental or gym membership card 🤣 may fall under this.
FAIR
- Safe to assume that if the customer has access to this document they may be who they say they are
- Document contains some reference number
- Document contains some sort of photo (but not necessarily)
- Document has some kind of expiry date and is not expired
- Examples include a driver's license (depending on country) or house registration
STRONG
- Document is issued by some kind of authority, such as a government agency
- Document contains a reference number of some kind
- Document contains a photo of the user
- Something like a passport or national ID may fall under this category
SUPERIOR
- Document is issued by some kind of authority and has a strong method of validation.
- For example a passport with an NFC chip of some kind, which can be securely read by a machine
- National ID cards with chips that can be read, or some kind of database against which the information on the ID card can be checked.
Identity Document Collection and Validation
For IAL 2 you will need at the very least one piece of evidence regarded as SUPERIOR or STRONG. In essence you CAN collect just one document if you are sure that the evidence data collected from the customer is indeed from a trusted source. Different countries have different requirements on which documents are regarded as SUPERIOR, but here are some guidelines to give you an idea.
- Passports - if you are able to verify that the passport is indeed authentic in some form, for example because you have access to a government database to verify the data on it (this is extremely hard to find).
- Or you have some kind of mechanism which allows you to validate that a given passport is not fraudulent in nature.
- Or you can digitally read (NFC) the passport information in some way; that would also be regarded as SUPERIOR when it comes to evidence strength.
- National ID - if you are able to validate the collected national ID information against some kind of trusted source like a government database (this varies from country to country)
If you are not able to qualify for the above, the next step is to collect 2 documents which are regarded as STRONG.
If you are not able to collect 2 STRONG documents, the next step is to collect 3 documents: 1 regarded as STRONG and 2 regarded as FAIR.
It's safe to assume that you will not be able to use a single method of document collection and verification for all customers. The recommendation here is to design a system that works for the majority. Know your target audience: some countries' passports support NFC, some do not. Design a system with a fallback mechanism, and have some way to reach out to your customers offline to collect further documents if necessary.
Some of us have actually gone through address verification as well. When signing up for some services, they ask you to input your address and show a document such as a utility bill, to prove that the address you supplied is correct and that you can be reached there. I think this one is quite straightforward.
Biometric data collection is another area I find interesting when it comes to KYC. For IAL 2 it's regarded as optional, however I highly recommend doing some kind of biometric data collection, given how easy and ubiquitous the technology is.
Everyone is used to taking a selfie nowadays. I highly recommend that you have a process in your product where you just let the customer take a selfie. With this single selfie you can conduct many checks and validations.
To make the data 'biometric' you need to do more than just collect the photo; it must pass what's called a liveness check. The liveness check ensures that the photo of the customer is a real capture and not a photo of a photo, or a photo of a person wearing a mask. In short, it ensures the selfie is authentic and of the actual person.
Other things you can do with a validated selfie include face detection, for which many technologies exist. Once you have the facial data you can do all kinds of other things with it, for example matching it to the photo on the document you collected to strengthen the document's validity.
For IAL 3, where your product is regarded as high risk and you need to be extra sure that the person is who they say they are, you'll need to make sure you have collected 2 documents which are SUPERIOR in validation strength.
This means something like a government-issued ID with cryptographic protection that can be digitally read. Usually this adds a lot of friction to collection. Passports with NFC or National IDs with some kind of chip will work for this.
If you cannot get to that level you'll need 1 SUPERIOR and 1 STRONG strength document, each with a verification method of some kind.
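The document combinations described above for IAL 2 (one validated SUPERIOR or STRONG document, two STRONG, or one STRONG plus two FAIR) and for IAL 3 (two SUPERIOR, or one SUPERIOR plus one STRONG) can be checked mechanically before an onboarding flow lets a customer through. The Python below is an added example, not the post's or NIST's code: the `Evidence` type, its `validated` flag and the sample documents are constructed, and letting a stronger document fill a weaker slot is an assumption of the example rather than something the post states.

```python
from dataclasses import dataclass

# Added example, not from the original post. Evidence strengths in the order
# the post describes them, weakest first.
STRENGTHS = ("WEAK", "FAIR", "STRONG", "SUPERIOR")


@dataclass(frozen=True)
class Evidence:
    kind: str        # constructed label such as "passport" or "national_id"
    strength: str    # one of STRENGTHS
    validated: bool  # confirmed against a trusted source (issuer database, NFC chip read)


# Combinations the post lists as sufficient. A one-document combination is only
# accepted when that document has been validated against a trusted source.
ACCEPTED = {
    2: [("SUPERIOR",), ("STRONG",), ("STRONG", "STRONG"), ("STRONG", "FAIR", "FAIR")],
    3: [("SUPERIOR", "SUPERIOR"), ("SUPERIOR", "STRONG")],
}


def _rank(strength: str) -> int:
    if strength not in STRENGTHS:
        raise ValueError(f"unknown evidence strength {strength!r}")
    return STRENGTHS.index(strength)


def _fills(combo: tuple[str, ...], pool: list[Evidence]) -> bool:
    """Can distinct documents from pool fill every slot of combo?

    Assumption of this example: a stronger document may fill a weaker slot.
    Slots are filled strongest first, each with the weakest qualifying
    document, so no document is wasted on a slot a weaker one could take.
    """
    remaining = sorted(pool, key=lambda ev: _rank(ev.strength))
    for slot in sorted(combo, key=_rank, reverse=True):
        for i, ev in enumerate(remaining):
            if _rank(ev.strength) >= _rank(slot):
                del remaining[i]
                break
        else:
            return False
    return True


def meets_ial(evidence: list[Evidence], ial: int) -> tuple[bool, str]:
    """Return (sufficient, reason) for the collected evidence at IAL 2 or 3."""
    if ial not in ACCEPTED:
        raise ValueError("only the IAL 2 and IAL 3 evidence rules are modelled here")
    for ev in evidence:
        _rank(ev.strength)  # reject unknown strength labels early
    for combo in ACCEPTED[ial]:
        # A single document only counts if it was validated against a trusted source.
        pool = [ev for ev in evidence if ev.validated] if len(combo) == 1 else list(evidence)
        if _fills(combo, pool):
            return True, " + ".join(combo) + (" (validated)" if len(combo) == 1 else "")
    return False, f"collected {[ev.strength for ev in evidence]} matches no IAL {ial} combination"


if __name__ == "__main__":
    # Constructed sample: NFC-read passport plus an unverified driver's licence.
    docs = [Evidence("passport", "SUPERIOR", True), Evidence("drivers_licence", "FAIR", False)]
    print(meets_ial(docs, 2))  # (True, 'SUPERIOR (validated)')
    print(meets_ial(docs, 3))  # (False, "collected ['SUPERIOR', 'FAIR'] matches no IAL 3 combination")
```

Keeping the accepted combinations in one table makes the local regulator's variations (the sub-levels mentioned at the end of the post) a data change rather than a code change, and the returned reason string is what you would want in the audit record for each onboarding decision.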
For address you will also need to make sure your business can indeed reach this customer, perhaps even through an address verification method of some kind. For example, your business sends a pin code of some kind to the address, which the user then inputs on your product.
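The mailed pin code just described is a one-time enrollment code, and it deserves the same handling as any other secret the customer will type in. The Python below is an added example, not the post's code: it generates the code with a CSPRNG, keeps only a keyed hash of it server-side, and enforces expiry, single use and an attempt limit on verification. The code length, alphabet, validity period, attempt limit and the `pepper` value are all assumptions chosen for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

# Added example, not from the original post: a mailed address-verification
# code handled like a one-time enrollment code. All parameters are assumptions.
CODE_LENGTH = 8
CODE_ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"  # no 0/O or 1/I to misread from paper
CODE_TTL_SECONDS = 14 * 24 * 3600                  # a letter may take days to arrive
MAX_ATTEMPTS = 5                                   # online guessing is stopped by lockout


@dataclass
class PendingCode:
    salt: bytes
    digest: bytes
    expires_at: float
    attempts: int = 0
    used: bool = False


class AddressVerifier:
    """Issues the code for the letter and checks the code the customer types in.

    Only a keyed hash of the code is stored, so a leaked table of pending codes
    cannot be turned back into codes without the server-side pepper.
    """

    def __init__(self, pepper: bytes, now=time.time):
        self._pepper = pepper      # assumed to come from a secret store in practice
        self._now = now            # injectable clock, handy for tests
        self._pending: dict[str, PendingCode] = {}

    def _digest(self, salt: bytes, code: str) -> bytes:
        return hmac.new(self._pepper, salt + code.encode(), hashlib.sha256).digest()

    def issue(self, customer_id: str) -> str:
        """Generate a fresh code for customer_id; the return value goes on the letter only."""
        code = "".join(secrets.choice(CODE_ALPHABET) for _ in range(CODE_LENGTH))
        salt = secrets.token_bytes(16)
        self._pending[customer_id] = PendingCode(
            salt, self._digest(salt, code), self._now() + CODE_TTL_SECONDS)
        return code

    def verify(self, customer_id: str, submitted: str) -> tuple[bool, str]:
        """Check a code typed into the product; each outcome is a distinct reason for logging."""
        rec = self._pending.get(customer_id)
        if rec is None:
            return False, "no pending code"
        if rec.used:
            return False, "already used"
        if self._now() > rec.expires_at:
            return False, "expired"
        if rec.attempts >= MAX_ATTEMPTS:
            return False, "too many attempts"
        rec.attempts += 1
        # Normalise what people type from paper, then compare in constant time.
        candidate = submitted.strip().upper().replace(" ", "").replace("-", "")
        if hmac.compare_digest(self._digest(rec.salt, candidate), rec.digest):
            rec.used = True
            return True, "verified"
        return False, "mismatch"


if __name__ == "__main__":
    v = AddressVerifier(pepper=b"example-pepper-not-for-production")
    code = v.issue("cust-42")                 # printed on the letter
    print(v.verify("cust-42", code.lower()))  # (True, 'verified')
    print(v.verify("cust-42", code))          # (False, 'already used')
```

The pending-code table is an in-memory dict here; in a real deployment it would be a database row keyed by the customer and the returned reason strings would feed the KYC audit trail rather than stdout.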
Biometric collection is also necessary for IAL 3, anything from facial recognition of some kind to fingerprint collection.
For IAL 3 it is possible to do something called 'Remote In-Person'. This is usually conducted in real time, with the customer on a video call with an agent from the organization, perhaps conducting some kind of interview. It can also be achieved using something like a Zoom call with recording; the recording then needs to be uploaded and documented somewhere.
The above is a guideline based on the NIST publication. Each country will generally have its own requirements. Some countries even have sub-levels, for example IAL 2.1, 2.2 or 2.3, each with its own requirements for identity proofing. For example, Thailand has an agency called ETDA which issues these guidelines.
It's important to consult the local guidelines for doing KYC. Each country's regulator will have some kind of guideline your organization can follow.
These guidelines will help you decide what your KYC procedure needs to comply with. Ultimately you will still need to decide how the process will look and how it will fit within your product lineup.
If you enjoyed this post don't forget to subscribe. If you have questions or comments please add them below. If you are looking for consulting services you can reach me in the comments section or on LinkedIn. If you're interested in getting in touch with me you can do so via my consultancy artellectual.com