Transactions Drive Identity: Payments, eID and AML/CTF
Jul 19, 2015
iSignthis Ltd / iSignthis BV (ASX: ISX)
iSignthis © 2015

Jointly presented by:
Managing Director John Karantzis B.E., LL.M, M.Ent
Director Scott W Minehane B.Econ, LL.B., LL.M
What drives Identity?

Transactions! People are identified when they want to do something: buy, sell, trade, receive goods and services.

Regulated (online) transactions may require:
• Financial Identity (KYC)
• Government Credentials (eIDAS) Identity

Looking at the interaction and prospective harmonisation between:
• SecuRe Pay recommendations (ECB / EBA)
• 3rd AML Directive & 4th AML Directive
• eIDAS Regulation
• Privacy / Data Protection law

Doing things well reduces compliance costs and enhances the customer experience.
Today's presentation

1. What is Identity?
2. Regulatory Approaches to Identity
3. Private Sector: Who needs identity?
4. How do we establish identity?
   • Physical Documents
   • Static Electronic Verification
   • Dynamic Electronic Verification
5. The Future is now: 4th AML Directive
6. Conclusions
1. What is Identity?

[Diagram: overlapping regimes: eIDAS, AML, SecuRe Pay, KYC, Privacy]

The E.U. Data Protection Directive defines "an identifiable person" as "one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity."

eIDAS, Article 3(3): "'person identification data' means a set of data enabling the identity of a natural or legal person, or a natural person representing a legal person, to be established."
2. Regulatory Approaches to Identity

1. "Specific Type Approach": regulations specifically state the means, or what must be done.
2. "Non Public Approach": regulations seek to make use of information that is not in the public domain to identify a person.
3. "Principles Based Approach": regulations state the outcome rather than the means. The means may include elements of Specific Type and Non Public, as well as other means.
eIDAS Identification Requirements

Article 24(1): "When issuing a qualified certificate for a trust service, a qualified trust service provider shall verify, by appropriate means and in accordance with national law, the identity and, if applicable, any specific attributes of the natural or legal person to whom the qualified certificate is issued."

Paragraphs 24(1)(a) to (c) rely, directly or indirectly, on physical presence to issue the eID, which is of limited value for online on-boarding.

Ideally, for digital on-boarding, we need digital means, i.e. paragraph (d): "by using other identification methods recognised at national level which provide equivalent assurance in terms of reliability to physical presence." Under (d), that equivalent assurance has to be confirmed by a conformity assessment body.
What do we mean by Assurance levels?

EU Electronic Identification and Trust Services (eIDAS) Regulation, Article 8(2), 23 July 2014, mapped against the STORK / US / CA / AU levels of assurance (LoA):

eIDAS level    STORK/US/CA/AU    Key features
Minimal*       LoA 1             Little or no confidence in the asserted identity; usually self-asserted.
Low            LoA 2             Limited confidence in the asserted identity; controls to decrease the risk of misuse or alteration of identity.
Substantial    LoA 3             Substantial confidence in the asserted identity; controls to decrease substantially the risk of misuse or alteration of identity.
High           LoA 3+/4          Higher confidence in the asserted identity; controls to prevent misuse or alteration of identity.

* eIDAS Article 8(2) itself defines only the low, substantial and high levels; "minimal" is the self-asserted tier below them in the four-level schemes.

However, is this equivalent to AML/KYC identification?
What are the AML Identity Requirements?

3rd AML Directive, Article 8 (and 4th AML Directive, Article 11 in the draft text; Article 13 in the adopted Directive (EU) 2015/849):
"1. Customer due diligence measures shall comprise: (a) identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;"

• Name & address verifies identity.
• Only a unique identifier is required (Principles / Non Public approaches).

3. Private Sector: Who needs Identity?

AML identity regimes in the EU: a mix of Specific and Principles based approaches.

Payment Processing:
• EU based payment processors: compliance requirement for AML KYC and/or ECB SecuRe Pay.
• eMerchants in the SEPA/EU28, as part of the ECB's Strong Customer Authentication.

Financial:
• Stock Brokers
• Financial Advisors / Super Funds
• Financial systems requiring two factor authentication technology
• Banks (incl. debit and card issuers)
• Commodity / Bullion / Currency Brokers
• Crypto Currency Exchanges (e.g. bitcoin)

Professional Services:
• Real Estate Sales / Rental Agents
• Travel Agents (US Patriot Act)
• Life Insurers
• Accountants / Auditors / Lawyers

Others:
• eWallet / mWallet Providers
• Money remittance services / p2p
• Loan / Pawn Providers
• eCasino / eGaming / eWagering
• Any business routinely trading > US $10k/transaction
Overview of identification methods

[Chart: methods plotted on Local vs Global and Manual vs Automated axes, with arrows toward customer ease, lower cost, lower friction and remote on-boarding]

Manual, local:
• Face to face checks
• Notarised posted/uploaded documents*

Automated, local: 'Experian' or 'GBGroup' style static credit database search (UK, US, AU)
• No dynamic means to include a customer on request if not already a historic customer of a credit reporting agency.
• Requires cross check of other databases.
• Typical coverage of 60% of online applicants.

Automated, global: iSignthis + PayPal
• > 3Bn accessible global payment instruments.
• No need for the user to disclose bank details to a third party.
4. How do we establish identity?

Two ways:

(i) Face to Face, from reliable document sources, normally using government issued photo identity documents. Typically, we look for:
• Proof of Identity (POI): birth certificate, marriage certificate
• Evidence of Identity (EOI): government issued ID, or bank accounts / cards
• Social Footprint: utility bills, payments, insurances

(ii) Electronic Verification (EV), from reliable data or information sources. But what is a "reliable source"? There are two EV approaches: Static and Dynamic.
Approach 1: Physical Documents (Specific Approach)

The EU's Public Register of Authentic Identity and Travel Documents Online (PRADO, http://prado.consilium.europa.eu) recommends:
"When checking security features of documents: FEEL, LOOK, TILT!"
and
"Check the validity of document numbers [via] list of links to websites with information on invalid document numbers."

[Image: sample European driving licence, from en.wikipedia.org/wiki/European_driving_licence]

Transforming Physical Documents
Challenges: Authenticity, Validity, Transformation, Verification

• Scanners/webcams can't feel, look or tilt; so how valid, "reliable" or "independent" is an uploaded identity document?
• How reliable is a comparison of the photo on such a document via webcam?
• There is no EU or global register of stolen credentials, so how is the validity of these documents checked?
• Can a document be transitioned from physical to become "data" or "information" without verification of its reliability or validity by the issuer?
• Is there a legal basis to rely upon physical documents transformed by someone other than the issuer?
Approach 2 EV: Static Database Electronic Verification (Non Public Approach)

Static database: electoral, credit, passport, driver's licence. Relies on the "Non Public Approach": Knowledge Based Authentication (KBA), a comparison of collected data to the database.

Issues:
• Highly localised, no global approach.
• Much of the data is public or easily obtained.
• No means of revocation if, say, a wallet is stolen or a mailbox compromised.
• Data may not change between KBA checks, making ongoing due diligence risible.
• Susceptible to ghosting and/or takeover.
• Simple to reverse engineer or social engineer the KBA.
• Once breached, re-credentialing of individuals is difficult: the data becomes "public". What now?

[Callouts: breach of 80m records, Jan 2015; breach of 1m records, Nov 2014]
Approach 3 EV (Principles based): Payment Instruments for eIDAS & KYC

[Diagram: flow from physical identification to electronic identity; callout "150m people, 200 countries"]

1. Physical Identification: proof of identity documents, checked by the account issuer.
2. E-Payment Account (PSD): accounts are unique (AML) and identify the person (Privacy Directive).
3. Verify Account: once verified, the account is a "reliable" source for EV (AML).
4. E-Identity / Social Footprint: sanction screen + monitor (AML), which creates further social footprint.
Approach 3: Dynamic Electronic Verification

Direct Account Access
1. Request account login details from the customer.
2. The Service Provider (SP) accesses the account.
3. The SP confirms the account is active and retrieves the details associated with the account.
Key Risk: requires the customer to hand Sensitive Account Data (login details + password) to a third party.
Key Limitation: limited to 350m bank accounts, mainly in SEPA; no credit card support. Globally: legal, risk and liability issues?

Indirect Account Access via KBA
1. The SP creates a "secret" using a payment against the payment instrument, and processes the secret so that it appears on the statement of account.
2. The SP asks the customer to retrieve the secret from the payment instrument's "secure area" (e.g. their online banking statement).
Key advantages:
i) Customer Sensitive Account Data is not exposed to a 3rd party.
ii) Global: leverages more than 3.5Bn cards and bank accounts across 200 countries.
iii) Risks reduced for all parties, including operator liability under eIDAS for a data breach.

Example: iSignthis & PayPal Transactional, Dynamic KBA
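The indirect, transactional KBA flow described above, as an added illustration (this is not iSignthis or PayPal code): the service provider posts small transactions whose cent amounts form a random secret against the customer's instrument, the customer reads those amounts back from their own bank's secure area, and the SP checks the answer with an attempt limit, an expiry and a constant-time comparison. The in-memory issuer ledger, the statement descriptor, the amount range and the limits are assumptions made for the example.

```python
"""Indirect account access via transactional KBA (added example, not iSignthis/PayPal code).

The service provider (SP) never sees the customer's online-banking credentials.
It posts small transactions whose cent amounts form a random secret against the
customer's payment instrument; the customer proves control of the instrument by
reading those amounts back from their own bank's statement ("secure area").
The IssuerLedger, descriptor format, amount range and limits are assumptions.
"""
import hmac
import secrets
import time

MAX_ATTEMPTS = 3               # assumption: lock the challenge after 3 wrong answers
TTL_SECONDS = 3 * 24 * 3600    # assumption: entries can take days to show on a statement
MIN_CENTS, MAX_CENTS = 1, 99   # assumption: micro-transactions of 0.01..0.99 each
DESCRIPTOR = "ISX*VERIFY"      # assumption: text the customer looks for on the statement


class IssuerLedger:
    """Constructed stand-in for the issuer side. The SP can only *write* here
    (by making a payment); only the account holder can *read* the statement."""

    def __init__(self):
        self._entries = {}

    def post(self, instrument_id, descriptor, cents):
        self._entries.setdefault(instrument_id, []).append((descriptor, cents))

    def statement(self, instrument_id):
        return list(self._entries.get(instrument_id, []))


class Challenge:
    def __init__(self, instrument_id, amounts_cents, created):
        self.instrument_id = instrument_id
        self.amounts_cents = amounts_cents   # the secret; never sent down the customer channel
        self.created = created
        self.attempts = 0
        self.verified = False


class Verifier:
    """SP side of the flow. `now` is injectable so expiry can be tested."""

    def __init__(self, ledger, now=time.time):
        self.ledger = ledger
        self.now = now
        self.challenges = {}

    def start(self, instrument_id, n=2):
        # CSPRNG for the secret. Two unordered amounts in 1..99 give 4,950 combinations,
        # so MAX_ATTEMPTS blind guesses succeed with probability below 0.1%.
        amounts = tuple(sorted(secrets.randbelow(MAX_CENTS - MIN_CENTS + 1) + MIN_CENTS
                               for _ in range(n)))
        self.challenges[instrument_id] = Challenge(instrument_id, amounts, self.now())
        for i, cents in enumerate(amounts, 1):
            self.ledger.post(instrument_id, f"{DESCRIPTOR} {i}/{n}", cents)
        return instrument_id

    def verify(self, instrument_id, claimed_cents):
        ch = self.challenges.get(instrument_id)
        if ch is None or ch.verified:
            return False                         # unknown, or already consumed (no replay)
        if self.now() - ch.created > TTL_SECONDS or ch.attempts >= MAX_ATTEMPTS:
            del self.challenges[instrument_id]   # expired or exhausted: must start afresh
            return False
        ch.attempts += 1
        expected = ",".join(map(str, ch.amounts_cents)).encode()
        got = ",".join(map(str, sorted(claimed_cents))).encode()
        if hmac.compare_digest(expected, got):   # constant-time comparison of the answer
            ch.verified = True
            return True
        return False


def customer_reads_statement(ledger, instrument_id):
    """What the legitimate customer does in their own bank's secure area: find the
    SP's entries and copy the amounts. Their credentials never leave the bank."""
    return [cents for desc, cents in ledger.statement(instrument_id)
            if desc.startswith(DESCRIPTOR)]


def demo():
    """Wrong guess, then the genuine answer, then a replay of the same answer."""
    ledger = IssuerLedger()
    sp = Verifier(ledger)
    inst = "tok_example_0001"   # constructed opaque instrument token, not a PAN
    sp.start(inst)
    wrong = sp.verify(inst, [0, 0])
    right = sp.verify(inst, customer_reads_statement(ledger, inst))
    replay = sp.verify(inst, customer_reads_statement(ledger, inst))
    return wrong, right, replay


if __name__ == "__main__":
    print(demo())   # (False, True, False)
```

The secret travels only through the issuer's own channel (the statement), so a phishing page that captures the customer's answer gains nothing reusable: the challenge is single-use, expires, and locks after a few wrong answers. In a real deployment the instrument token would come from the PSP's tokenisation and the posting would be a genuine authorisation or credit rather than a ledger write.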
iSignthis Transactional Advantages: DNA of a payment message

• Payment Data: merchant, acquirer, card details, name, amount, time, place, IIN data + country of issue
• Authentication Data: geodata, device data, SAD (sensitive authentication data), phone number
• Device Data: MAC, IMEI, CPE, language, OS
• Network Data: IP address, carrier, channel, route, cell tower
• Delivery Data: address, phone

Under EU law, all of this is PII, identifiable to a person. Under US law, taken as a whole, this is also PII: it identifies a person.
5. The Future is now: 4th AML Directive

• By using the metadata of the payment transactions themselves we can meet the requirements of the 4th AML Directive in a dynamic, non-replicable manner.
• Article 12(2): "... Member States may allow the verification of the identity of the customer ... to be completed during the establishment of a business relationship or during the execution of the transaction for entities subject to the obligations ..."
• Article 3(11a): "'non-face-to-face', when used in relation to business relationships or transactions, means the carrying out of a contract or a transaction without the simultaneous physical presence of the contractor or intermediary and the consumer, by making exclusive use of one or more of the following: the internet, telemarketing or other electronic means of communication, up to and including the time at which the contract is concluded."

(Article numbering here follows the draft text; the adopted Directive (EU) 2015/849 of 20 May 2015 renumbered the CDD provisions, with the CDD measures in Article 13 and the timing of verification in Article 14.)
A better solution to generate identity on demand

[Diagram]
• An online or mobile customer transacts with an eMerchant.
• iSignthis Identity: AML/CTF KYC identity traced and linked to 2FA, and/or an identity file created.
• Link identity and payment account with 2FA. First factor: user selected passcode. Second factor: One Time Password by SMS, or an Assurity(.sg) hard token.
How do we apply identity to... Security of Internet Payments

• The EBA requires (amongst other things) that PSPs KYC their customers, verify the payment source, and link these to a 2FA for future transactions.
• The definition of a PSP now includes acquiring side PSPs and technical service providers.
• The EBA presents a challenge, which iSignthis and PayPal have both solved and patented for cards and eWallets.
• Both PayPal and iSignthis can authenticate with 'one leg out', i.e. without the active participation of the issuer. The ECB is seeking to regulate the world, and probably will!
Global application: Passporting

• The eIDAS Regulation, PSD2, and the 3rd and 4th AML Directives all contain passporting provisions.
• The 4th Directive recognises all FATF jurisdictions as 'equivalent' for this purpose.
• The 3rd only recognises Australia, Brazil, Canada, Hong Kong, India, Japan, South Korea, Mexico, Singapore, Switzerland, South Africa and the USA as equivalency jurisdictions.
• Passporting:
  • Country <> Country
  • AML Service <> AML Service
  • AML Service <> Government
6. Conclusions

• Identity is complex. Legally establishing identity is even more complex.
• Payments, eID, AML and data protection are a regulatory mosaic, but the EU laws seem to have got it right.
• Transactions drive identity, and ought to do so.
• On-boarding customers for the sake of doing so is expensive and unnecessary.
• Ultimately, given its importance to modern EU ecommerce, a scalable, dynamic electronic verification approach to identity is important, taking into account security, costs and the user experience.
• Global opportunities via a passporting approach.

For further information contact:
John Karantzis [email protected] +31 681 433 530
Scott W Minehane [email protected] +61 412 995 535
Regulatory Convergence: AML, eIDAS and SecuRe Pay

1. Evidence of Identity (EOI) for KYC and eID: using transactions and payment instruments to KYC a customer. Meets KYC & eIDAS requirements.
2. Strong Customer Authentication (SCA): link identity to a two factor authentication (2FA) system. Meets eIDAS 'electronic signature'? Meets SecuRe Pay requirements.
3. PEP/Sanctions Screens: real time analytics incorporating US, UK, EU, UN, Canadian and Australian PEP/Sanctions lists, together with transaction monitoring. Meets AML requirements.
A new General Data Protection Regulation

In January 2012 the European Commission proposed reform of the 1995 Data Protection Directive, considering that the 1995 directive no longer adequately addressed modern data protection issues including, inter alia, cloud computing and social networking. Being a regulation, the new General Data Protection Regulation will harmonise privacy law across the EU and address issues not covered in the old Directive. Under the draft Regulation, personal data processing is only lawful if it is in accordance with the law, pursues a legitimate purpose, and is necessary in a democratic society in order to achieve the legitimate purpose. The Regulation passed the European Parliament in early 2014. Since then it has been stalled in the Council of Ministers. Current plans are for it to be finalised by end 2015, coming into force at end 2017, but it could be delayed further given debate on topics like what constitutes consent.
Balancing Privacy with Security of Internet Payments

• In relation to iSignthis, our processes are consistent with the incoming General Data Protection Regulation and Privacy by Design, with only minimal customer personal information (PI) uploaded and retained.
• More specifically, while iSignthis will process personal data, it is not considered sensitive data under the current Data Protection Directive. There remains an obligation in relation to data protection, which will be addressed by contract, allowing the client to assess compliance with the applicable data protection legislation. In such an environment, iSignthis will be the data processor, with the client being the data controller.

What's permissible to be collected / what's not:
• In accordance with future EU law, processing of personal data is only lawful if it is in accordance with the law, pursues a legitimate purpose, and is necessary in a democratic society in order to achieve the legitimate purpose.