Page 1: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Transactions Drive Identity: Payments, eID and AML/CTF

1 iSignthis © 2015

iSignthis Ltd / iSignthis BV ASX : ISX

Jointly Presented by:

Managing Director John Karantzis B.E., LL.M, M.Ent

Director Scott W Minehane B.Econ LL.B., LL.M

Page 2: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

What drives Identity?

Transactions! People are identified when they want to do something: buy, sell, trade, receive goods and services.

Regulated (online) transactions may require:
•  Financial Identity (KYC)
•  Government Credentials (eIDAS) Identity

Looking at interaction and prospective harmonisation between:
•  SecuRe Pay Regulations
•  3rd AML Directive & 4th AML Directive
•  eIDAS Regulations
•  Privacy / Data Protection law

Doing things well reduces compliance costs and enhances the customer experience.

Page 3: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Today's presentation

1.  What is Identity?
2.  Regulatory Approaches to Identity
3.  Private Sector – Who needs identity?
4.  How do we establish identity?
    •  Physical Documents
    •  Static Electronic Verification
    •  Dynamic Electronic Verification
5.  The Future is now – 4th AML Directive
6.  Conclusions

[Figure: overlapping regimes – eIDAS, AML, SecuRe Pay, KYC, Privacy]

Page 4: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

1. What is Identity?

The E.U. Data Protection Directive defines an "identifiable" person as "one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."

eIDAS Article 3(3): 'person identification data' means a set of data enabling the identity of a natural or legal person, or a natural person representing a legal person, to be established.

Page 5: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

2. Regulatory Approaches to Identity

1.  "Specific Type Approach": regulations specifically state the means, or what must be done.
2.  "Non Public Approach": regulations seek to make use of information that is not in the public domain to identify a person.
3.  "Principles Based Approach": state the outcome rather than the means. The means may include elements of Specific Type and Non Public, as well as other means.

Page 6: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

eIDAS Identification Requirements

Article 24(1): When issuing a qualified certificate for a trust service, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom the qualified certificate is issued.

Article 24(1)(a)…(c) all rest on "physical presence" (directly, or via a credential that itself required it) to issue the eID, which is of limited value for remote customers.

Ideally, for digital on-boarding, we need digital means: Article 24(1)(d), "by using other identification methods recognised at national level which provide equivalent assurance in terms of reliability to physical presence."

Page 7: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

What do we mean by Assurance levels?

EU Electronic Identification and Trust Services (eIDAS) Regulation, Article 8(2), 23 July 2014

| eIDAS Article 8(2) | Level of Assurance (US/CA/AU/EU STORK) | Key features |
| Minimal (not an eIDAS level) | LoA 1 | Little or no confidence exists in the asserted identity; usually self-asserted |
| Low | LoA 2 | Limited confidence in the asserted identity; controls to decrease the risk of misuse or alteration of identity |
| Substantial | LoA 3 | Substantial confidence in the asserted identity; controls to decrease substantially the risk of misuse or alteration of identity |
| High | LoA 3+/4 | Higher confidence in the asserted identity; controls to prevent misuse or alteration of identity |

However, is this equivalent to AML/KYC identification?

Page 8: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

What are the AML Identity Requirements?

3rd AML Directive Article 8 (& 4th AML Directive Article 11) 1.  Customer due diligence measures shall comprise: (a) identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;


Page 9: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

AML Identity regimes in the EU: a mix of Specific and Principles based approaches

[Map legend: "Name & Address verifies identity"; "Unique identifier only required (Principles / Non Public)"]

Page 10: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

3. Private Sector: Who needs Identity?

Payment Processing
•  EU based payment processors: compliance requirement for AML KYC and/or ECB SecuRe Pay.
•  eMerchants in the SEPA/EU28, as part of the ECB's Strong Customer Authentication.

Financial
•  Stock Brokers
•  Financial Advisors / Super Funds
•  Financial systems requiring two factor authentication technology
•  Banks (incl. debit, card issuers)
•  Commodity / Bullion / Currency Brokers
•  Crypto Currency Exchanges (e.g. bitcoin)

Professional Services
•  Real Estate Sales / Rental Agents
•  Travel Agents (US Patriot Act)
•  Life Insurers
•  Accountants / Auditors / Lawyers

Others
•  eWallets / mWallet Providers
•  Money remittance services / p2p
•  Loan / Pawn Providers
•  eCasino / eGaming / eWagering
•  Any business routinely trading > US $10k/transaction

Page 11: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Overview of identification methods

[Figure: methods plotted on two axes, LOCAL to GLOBAL and MANUAL to AUTOMATED; moving towards global and automated gives customer ease, lower cost, lower friction and remote on-boarding]

•  Face to face checks (manual)
•  Notarised: posted/uploaded documents* (manual)
•  'Experian' or 'GBGroup' style static credit database search (UK, US, AU; local, automated):
   –  No dynamic means to include a customer on request if not already a historic customer of a credit reporting agency.
   –  Requires cross check of other databases.
   –  Typical coverage of 60% of online applicants.
•  iSignthis + PayPal (global, automated):
   –  >3Bn accessible global payment instruments.
   –  No need for the user's disclosure of bank details to a third party.

Page 12: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

4. How do we establish identity?

Two ways:

(i) Face to Face – from reliable document sources, normally using government issued photo identity documents. Typically, we look for:
•  Proof of Identity (POI) – birth certificate, marriage certificate
•  Evidence of Identity (EOI) – government issued ID or bank accounts / cards
•  Social Footprint – utility bills, payments, insurances

(ii) Electronic Verification (EV) – from reliable data or information sources. But what is a "reliable source"? Two EV approaches: Static and Dynamic.

Page 13: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Approach 1: Physical Documents (Specific Approach)

The EU's Public Register of Authentic Identity and Travel Documents Online (PRADO), http://prado.consilium.europa.eu, recommends:

"When checking security features of documents: FEEL, LOOK, TILT!"

and

"Check the validity of document numbers – [via] List of links to websites with information on invalid document numbers"

[Image: European driving licence, from en.wikipedia.org/wiki/European_driving_licence]

Page 14: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Transforming Physical Documents
Challenges – Authenticity, Validity, Transformation, Verification

•  Scanners/webcams can't look, feel or tilt; so how valid, "reliable" or "independent" is the upload of an identity document?
•  How reliable is a comparison of the photo on such a document via webcam?
•  There is no EU or global register of stolen credentials, so how is the validity of these documents checked?
•  Can a document be transitioned from physical to become "data" or information without verification of its reliability or validity by the issuer?
•  Is there a legal basis to rely upon physical documents transformed by someone other than the issuer?
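As an added example (not code from the deck, from iSignthis or from PRADO), here is the one check a scanned or uploaded passport page does support mechanically: the ICAO 9303 check digits on the machine-readable zone. It runs on the specimen MRZ printed in ICAO Doc 9303 and on a tampered copy. A pass shows only that the MRZ is internally consistent; it does not answer the slide's question of whether the issuer ever issued the document or has since invalidated it, which needs the issuer-side lists PRADO links to.

```python
"""ICAO 9303 check-digit verification for a passport MRZ.

Added example; not code from the iSignthis deck or from PRADO. A pass means
the document number, dates and personal number carry the check digits the
ICAO scheme requires, nothing more. Issuer validity (lost, stolen, revoked)
cannot be derived from the document itself.
"""


# ICAO 9303 value mapping: digits keep their value, letters map A=10..Z=35,
# the filler character '<' counts as 0.
def mrz_char_value(c: str) -> int:
    if c.isdigit():
        return int(c)
    if "A" <= c <= "Z":
        return ord(c) - ord("A") + 10
    if c == "<":
        return 0
    raise ValueError(f"invalid MRZ character {c!r}")


def mrz_check_digit(field: str) -> int:
    """Weighted sum of the field with repeating weights 7, 3, 1, modulo 10."""
    weights = (7, 3, 1)
    total = sum(mrz_char_value(ch) * weights[i % 3] for i, ch in enumerate(field))
    return total % 10


def validate_td3_line2(line: str) -> dict:
    """Check every check digit on line 2 of a TD3 (passport-size) MRZ.

    Fixed positions (0-based) per ICAO 9303:
      0-8   document number         9   its check digit
      10-12 nationality
      13-18 date of birth (YYMMDD)  19  its check digit
      20    sex
      21-26 expiry date (YYMMDD)    27  its check digit
      28-41 optional/personal no.   42  its check digit
      43    composite check digit over positions 0-9, 13-19 and 21-42
    Returns a per-field pass/fail dict plus an overall "valid" flag.
    """
    if len(line) != 44:
        raise ValueError("TD3 line 2 must be exactly 44 characters")
    line = line.upper()
    fields = {
        "document_number": (line[0:9], line[9]),
        "birth_date": (line[13:19], line[19]),
        "expiry_date": (line[21:27], line[27]),
        "personal_number": (line[28:42], line[42]),
        "composite": (line[0:10] + line[13:20] + line[21:43], line[43]),
    }
    result = {
        name: mrz_check_digit(value) == mrz_char_value(cd)
        for name, (value, cd) in fields.items()
    }
    result["valid"] = all(result.values())
    return result


# Constructed input: the specimen MRZ line printed in ICAO Doc 9303 (a sample
# document, not a real passport). The tampered copy changes one character of
# the document number, so that field's check and the composite check both fail.
ICAO_SPECIMEN_LINE2 = "L898902C36UTO7408122F1204159ZE184226B<<<<<10"
TAMPERED_LINE2 = "M" + ICAO_SPECIMEN_LINE2[1:]

if __name__ == "__main__":
    for label, mrz in (("specimen", ICAO_SPECIMEN_LINE2), ("tampered", TAMPERED_LINE2)):
        print(label, validate_td3_line2(mrz))
```

The tampered line still passes the birth-date and expiry checks, which is the point: per-field check digits catch transcription and OCR errors in that field only, and a forger who knows the scheme can produce a fully consistent MRZ. Structural validity is a filter, not evidence of issuance.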

Page 15: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Approach 2 EV: Static Database Electronic Verification (Non Public Approach)

Static database – electoral, credit, passport, drivers licence. Relies on the "Non Public Approach": Knowledge Based Authentication (KBA), a comparison of collected data to the database.

Issues
•  Highly localised, no global approach.
•  Much of the data is public or easily obtained.
•  No revocation means if, say, a wallet is stolen or a mailbox compromised.
•  Data may not change between KBA checks, making ongoing due diligence risible.
•  Susceptible to ghosting and/or takeover.
•  Simple to reverse or social engineer the KBA.
•  Once breached, re-credentialing of individuals is difficult – the data becomes "public" – what now?

[Image captions: Breach size 80m, Jan 15; Breach size 1m, Nov 14]

Page 16: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Approach 3 EV (Principles based): Payment Instruments for eIDAS & KYC

[Figure: flow from physical identification to an ongoing electronic identity]

Physical Identification (Proof of Identity Documents)
→ E-Payment Account (PSD): accounts are unique (PSD) and identify a person (Privacy Directive)
→ Verify Account: once verified, a "reliable" source for EV (AML)
→ E-Identity / Social Footprint: sanction screen + monitor (AML); each transaction creates further social footprint

150m people, 200 countries

Page 17: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Approach 3: Dynamic Electronic Verification

Direct Account Access
1.  Request account login details from the customer
2.  Service Provider (SP) accesses the account
3.  SP confirms the account is active and retrieves the details associated with the account
Key risk: requires the customer to provide Sensitive Account Data (login details + password) to the SP.
Key limitation: limited to 350m bank accounts, mainly in SEPA; no credit card support. Global – legal, risk, liability issues?

Indirect Account Access via KBA
1.  SP creates a "secret" using a payment against the payment instrument, and processes the secret through to the statement of account
2.  Ask the customer to retrieve the secret from the payment instrument's "secure area"
Key advantages:
i)   Customer Sensitive Account Data is not exposed to a 3rd party
ii)  Global: leverages more than 3.5Bn cards and bank accounts across 200 countries
iii) Risks reduced for all parties, including operator liability under eIDAS for data breach
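The indirect approach above is a protocol, so here is a working server side for it as an added example (not iSignthis's or PayPal's implementation). The service provider pushes two small transactions with random amounts to the instrument, the customer reads them from the statement and types them back, and the SP compares the entry against a salted HMAC of what it sent. The PSP payment API is assumed and replaced by a callback; the attempt limit and expiry are the parts a practitioner must get right, because two amounts of 1 to 99 cents carry very little entropy.

```python
"""Indirect account access via a transactional secret (micro-payment KBA).

Added example; not iSignthis's or PayPal's code. The SP never sees the
customer's online-banking credentials: the secret travels through the
payment rail and back through the customer. `send_to_instrument` stands in
for the PSP's real payment API, which is assumed and not shown.
"""
import hashlib
import hmac
import os
import re
import secrets
import time
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass
class Challenge:
    instrument_ref: str   # opaque token for the card/account, never the PAN
    salt: bytes
    secret_tag: bytes     # HMAC(key, salt || canonical secret); amounts are not stored
    created: float
    attempts: int = 0
    consumed: bool = False


def parse_amounts(text: str) -> List[int]:
    """Accept '0.37, 0.81' or '37 81' and return minor units, sorted."""
    amounts = []
    for token in re.findall(r"\d+(?:\.\d+)?", text):
        amounts.append(round(float(token) * 100) if "." in token else int(token))
    return sorted(amounts)


def canonical(amounts: List[int]) -> bytes:
    # Order-independent: the customer may read the statement lines in any order.
    return ":".join(f"{a:02d}" for a in sorted(amounts)).encode()


class TransactionalKBA:
    # Two amounts of 1..99 minor units give only ~4,950 unordered pairs, so the
    # attempt limit, not the secret's entropy, is what stops guessing.
    MAX_ATTEMPTS = 3
    TTL_SECONDS = 5 * 24 * 3600     # statements can lag by days

    def __init__(self, mac_key: bytes, send_to_instrument: Callable[[str, List[int]], None]):
        self._key = mac_key
        self._send = send_to_instrument

    def _tag(self, salt: bytes, amounts: List[int]) -> bytes:
        return hmac.new(self._key, salt + canonical(amounts), hashlib.sha256).digest()

    def create_challenge(self, instrument_ref: str, now: Optional[float] = None) -> Challenge:
        amounts = [secrets.randbelow(99) + 1 for _ in range(2)]
        salt = os.urandom(16)
        ch = Challenge(instrument_ref, salt, self._tag(salt, amounts),
                       time.time() if now is None else now)
        self._send(instrument_ref, amounts)   # the secret leaves only via the payment rail
        return ch

    def verify(self, ch: Challenge, customer_entry: str, now: Optional[float] = None) -> str:
        """Returns one of: verified, mismatch, locked, expired, consumed."""
        now = time.time() if now is None else now
        if ch.consumed:
            return "consumed"
        if now - ch.created > self.TTL_SECONDS:
            return "expired"
        if ch.attempts >= self.MAX_ATTEMPTS:
            return "locked"
        ch.attempts += 1
        entered = parse_amounts(customer_entry)
        if len(entered) == 2 and hmac.compare_digest(self._tag(ch.salt, entered), ch.secret_tag):
            ch.consumed = True            # one successful proof per challenge
            return "verified"
        return "locked" if ch.attempts >= self.MAX_ATTEMPTS else "mismatch"


# Constructed demo: a fake payment rail that records what was sent, and a
# customer who reads the amounts back off that "statement".
if __name__ == "__main__":
    statement = []
    kba = TransactionalKBA(os.urandom(32), lambda ref, amts: statement.append((ref, amts)))
    ch = kba.create_challenge("tok_card_42")
    _, seen = statement[-1]
    wrong = [seen[0] % 99 + 1, seen[1]]
    print(kba.verify(ch, f"{wrong[0]},{wrong[1]}"))                       # mismatch
    print(kba.verify(ch, f"{seen[0]/100:.2f}, {seen[1]/100:.2f}"))        # verified
```

Storing only an HMAC tag rather than the amounts means a dump of the SP's challenge table does not hand an attacker the pending secrets; the MAC key lives with the SP, the amounts only on the statement. The long TTL reflects statement latency, which is why the attempt counter has to be strict.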

Page 18: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Example: iSignthis & PayPal Transactional, Dynamic KBA

Page 19: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

iSignthis Transactional Advantages: DNA of a payment message

•  Payment Data: merchant, acquirer, card details, name, amount, time, place, IIN data + country of issue
•  Authentication Data: geodata, device data, SAD, phone number
•  Device Data: MAC, IMEI, CPE, language, OS
•  Network Data: IP address, carrier, channel, route, cell tower
•  Delivery Data: address, phone

Under EU law, all of this is PII – identifiable to a person. Under US law, taken as a whole, this is also PII – it identifies a person.

Page 20: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

5. The Future is now… 4th AML Directive

•  By using the metadata of the payment transactions themselves, we can meet the requirements of the 4th AML Directive in a dynamic, non-replicable manner.

•  Article 12(2): "…Member States may allow the verification of the identity of the customer … to be completed during the establishment of a business relationship or during the execution of the transaction for entities subject to the obligations…"

•  Article 3(11a): "'non-face-to-face', when used in relation to business relationships or transactions, means the carrying out of a contract or a transaction without the simultaneous physical presence of the contractor or intermediary and the consumer, by making exclusive use of one or more of the following: the internet, telemarketing or other electronic means of communication, up to and including the time at which the contract is concluded."

Page 21: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

A better solution: generate identity on demand

[Figure: an online or mobile customer transacts with an eMerchant; iSignthis traces the AML/CTF KYC identity and links it to 2FA and/or creates an identity file]

Link Identity & Payment Account with 2FA
•  First factor: user selected passcode
•  Second factor: one time password by SMS, or Assurity (.sg) hard token

iSignthis Identity: AML/CTF KYC identity traced & linked to 2FA and/or identity file created
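The link between a verified identity and its two factors is where most implementations go wrong (no replay guard, passcodes stored in the clear), so here is an added example of that binding; it is not iSignthis's product code. The deck's second factor is an SMS OTP or a hard token; this demo uses a TOTP authenticator (RFC 4226 HOTP under RFC 6238 time steps), the same OTP construction hard tokens use, which runs offline and can be checked against the RFC's published test vectors. The identity record, the KYC reference field and the storage layout are assumptions for the example.

```python
"""Binding a KYC-verified identity to two factors: passcode + RFC 6238 TOTP.

Added example; not iSignthis's code. The first factor is a user-chosen
passcode stored as a salted PBKDF2 hash; the second is a TOTP seed
provisioned at enrolment. A code is accepted once: the record remembers
the last accepted time step, so a captured code cannot be replayed.
"""
import hashlib
import hmac
import os
import secrets
import struct
from dataclasses import dataclass
from typing import Dict, Optional


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter derived from the Unix time step."""
    return hotp(secret, unix_time // step, digits)


@dataclass
class IdentityRecord:
    kyc_reference: str        # pointer to the AML/KYC evidence, e.g. the verified instrument (assumed field)
    passcode_salt: bytes
    passcode_hash: bytes
    otp_secret: bytes
    last_step: int = -1       # highest TOTP step already accepted (replay guard)


class IdentityBoundAuthenticator:
    PBKDF2_ROUNDS = 200_000
    STEP = 30
    WINDOW = 1                # accept one step of clock skew either side

    def __init__(self) -> None:
        self._records: Dict[str, IdentityRecord] = {}

    def enrol(self, identity_id: str, kyc_reference: str, passcode: str,
              otp_secret: Optional[bytes] = None) -> bytes:
        """Create the 2FA record once KYC has verified the person; returns the seed to provision."""
        salt = os.urandom(16)
        otp_secret = otp_secret or secrets.token_bytes(20)
        self._records[identity_id] = IdentityRecord(
            kyc_reference, salt,
            hashlib.pbkdf2_hmac("sha256", passcode.encode(), salt, self.PBKDF2_ROUNDS),
            otp_secret,
        )
        return otp_secret

    def authenticate(self, identity_id: str, passcode: str, otp_code: str, now: int) -> bool:
        rec = self._records.get(identity_id)
        if rec is None:
            return False
        # First factor: something the user knows.
        given = hashlib.pbkdf2_hmac("sha256", passcode.encode(), rec.passcode_salt, self.PBKDF2_ROUNDS)
        if not hmac.compare_digest(given, rec.passcode_hash):
            return False
        # Second factor: something the user has. Walk the skew window newest step
        # first and refuse any step at or below the last one accepted.
        current = now // self.STEP
        for step in range(current + self.WINDOW, current - self.WINDOW - 1, -1):
            if step <= rec.last_step:
                break
            if hmac.compare_digest(hotp(rec.otp_secret, step), otp_code):
                rec.last_step = step
                return True
        return False


if __name__ == "__main__":
    auth = IdentityBoundAuthenticator()
    # Constructed: the RFC 6238 test seed, so the codes match the RFC's vectors.
    seed = auth.enrol("cust-1", "kyc:tok_card_42", "user-chosen-passcode", b"12345678901234567890")
    print(totp(seed, 59))                                                               # 287082
    print(auth.authenticate("cust-1", "user-chosen-passcode", totp(seed, 59), now=59))  # True
    print(auth.authenticate("cust-1", "user-chosen-passcode", totp(seed, 59), now=59))  # False, replay
```

With an SMS OTP the server generates and stores the code instead of deriving it from a seed, but the rest is unchanged: the code is bound to the identity record, compared in constant time, and invalidated after one use.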

Page 22: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

How do we apply identity to… Security of Internet Payments

•  The EBA requires (amongst other things), that PSPs KYC their customers, verify the payment source, and link these to a 2FA for future transactions.

•  The definition of a PSP now includes acquiring side PSP and technical service providers.

•  The EBA presents a challenge, which iSignthis and PayPal have both solved and patented for cards and eWallets.

•  Both PayPal and iSignthis can authenticate with ‘one leg out’, without active participation of issuer. The ECB is seeking to regulate the world and probably will!


Page 23: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Global application – Passporting

•  The eIDAS, PSD2, 3rd AML and 4th AML Directive all contain passporting provisions
•  The 4th Directive recognises all FATF jurisdictions as 'equivalent' for this purpose
•  The 3rd only recognises Australia, Brazil, Canada, Hong Kong, India, Japan, South Korea, Mexico, Singapore, Switzerland, South Africa and the USA as equivalency jurisdictions
•  Passporting:
   –  Country <> Country
   –  AML Service <> AML Service
   –  AML Service <> Government

Page 24: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

6. Conclusions

•  Identity is complex. Legally establishing identity is even more complex.
•  Payments, eID, AML and data protection are a regulatory mosaic, but the EU laws seem to have got it right.
•  Transactions drive identity, and ought to do so.
•  On-boarding customers for the sake of doing so is expensive and unnecessary.
•  Ultimately, given its importance to modern EU ecommerce, a scalable, dynamic electronic verification approach to identity is important, taking into account security, costs and the user experience.
•  Global opportunities via a passporting approach.

Page 25: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

For further information contact:

John Karantzis [email protected] +31 681 433 530
Scott W Minehane [email protected] +61 412 995 535

Page 26: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Regulatory Convergence: AML, eIDAS and SecuRE Pay

1.  Evidence of Identity (EOI) for KYC and eID: using transactions and payment instruments to KYC a customer. Meets KYC & eIDAS requirements.
2.  Strong Customer Authentication (SCA): link identity to a two factor authentication (2FA) system. Meets eIDAS 'electronic signature'? Meets SecuRE Pay requirements.
3.  PEP/Sanctions Screens: real time analytics incorporating US, UK, EU, UN, Canadian and Australian PEP/Sanctions, together with transaction monitoring. Meets AML requirements.

Page 27: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

A new General Data Protection Regulation

In January 2012 the European Commission proposed reform of the 1995 Data Protection Directive, considering that the Directive, by then 17 years old, no longer adequately addressed modern data protection issues including, inter alia, cloud computing and social networking. Being a regulation, the new General Data Protection Regulation will harmonise privacy law across the EU and address issues not covered in the old Directive. Under the draft Regulation, personal data processing is only lawful if it is in accordance with the law, pursues a legitimate purpose, and is necessary in a democratic society in order to achieve the legitimate purpose. The Regulation passed the European Parliament in early 2014. Since then it has been stalled in the Council of Ministers. Current plans are for it to be finalised by end 2015, coming into force at end 2017. But it could be delayed further given debate on topics like what constitutes consent.

Page 28: iSignthis - Transactions Drive e-Identity: Payments, eID and AML/CTF

Balancing Privacy with Security of Internet Payments

•  In relation to iSignthis, our processes are consistent with the incoming General Data Protection Regulation and Privacy by Design, with only minimal customer personal information (PI) uploaded and retained.

•  More specifically, while iSignthis will process personal data, it is not considered sensitive data under the current Data Protection Directive. There remains an obligation in relation to data protection, which will be addressed by contract, allowing the client to assess compliance with the applicable data protection legislation. In such an environment, iSignthis will be the data processor, with the client being the data controller.

What's permissible to be collected / what's not:
•  In accordance with future EU law, processing of personal data is only lawful if it is in accordance with the law, pursues a legitimate purpose, and is necessary in a democratic society in order to achieve the legitimate purpose.