Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Payments and AML CFT KYC


Published on

Payments and amlctf kyc

  • Be the first to comment

  • Be the first to like this

Payments and AML CFT KYC

  1. 1. 1 1iSignthis © 2015 iSignthis Ltd (ASX : ISX ) Transactions Drive e-Identity: Payments and AML/CTF KYC MODERATOR: Hue Dang, CAMS Head of Asia, ACAMS Jointly Presented by: Managing Director John Karantzis B.E., LL.M, M.Ent, FIEAust Director Scott W Minehane B.Econ LL.B., LL.M
  2. 2. 2 What drives the need for e- Identity? Transactions! People are identified when they want to do something…….. Buy, sell, trade, receive goods and services. The internet means we need to adapt to how we approach identity. Regulated (online) transactions are subject to: •  Financial Identity (KYC) •  Privacy / Data Protection law •  Doing things well reduces compliance costs and enhances the customer experience
  3. 3. 3 Today’s Presentation 1.  Identity? What is it? 2.  Regulatory Approaches to Identity i.  European Union ii.  South Korea iii.  Hong Kong iv.  Singapore v.  Australia 3.  Private Sector – Who needs identity? 4.  How do we establish identity? a.  Physical Documents b.  Static Electronic Verification c.  Dynamic Electronic Verification 5.  Conclusions
  4. 4. 4 1. What is Identity A lawful or legally standing association, corporation, partnership, proprietorship, trust, or individual. Has legal capacity to: •  enter into agreements or contracts, •  assume obligations, •  incur and pay debts, •  sue and be sued in its own right, and •  to be accountable for illegal activities.
  5. 5. 5 1a. What is Digital Identity? •  Lets look at how Privacy law treats identity: •  In the US, the law provides multiple definitions of Personally Identifiable Information (PII), most focusing on whether the information pertains to an (already) identified person. •  By way of contrast, in the EU, there is a single definition of personal data to encompass all information identifiable to a person. •  The E.U. Data Protection Directive defines “an identifiable” person as “one who can be identified, directly, or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural, or social identity.”
  6. 6. 6 2. Regulatory approaches to identity 1.  “Specific Type Approach” : Regulations specifically state the means or what must be done 2.  “Non Public Approach” : regulations seek to make use of information that is not in the public domain to identify a person 3.  “Principles Based Approach” :State the outcome rather than the means. The means may include elements of Specific Type and Non Public, as well as other means. 4.  FATF ‘risk based approach’ favours move towards ‘Principles based Approach’.
  7. 7. 7 Guiding Principle for FATF legislative model jurisdictions “Customer due diligence measures shall comprise: Identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;” 2a. FATF Recommendations #5 (Principles Based Approach)
  8. 8. 8 Consider the following factors with regards to data •  (a) its accuracy; •  (b) how secure it is; •  (c) how the data is kept up-to-date / its recency •  (d) how comprehensive the data is •  (e) whether the data is maintained by a government body or pursuant to legislation; and •  (f) whether the electronic data can be additionally authenticated 2b. What is a reliable source of data?
  9. 9. 9 2 (i). ’Identifying’ the customer (EU) •  In the EU, any “unique” attribute is sufficient to identify a person (Principle based) •  However, EU all member states require verification of name + address (UK, IRL, SE) •  Some states require verification of age as well : name + address + age (Eg FR, IT and BG).
  10. 10. 10 South Korea’s Article 38 (of 2010 AMLCTF Regs) takes a specific approach. Identifying a customer is defined as : •  name, •  Address, •  identity or travel document incl. number and type If not a Korean Citizen, also require •  date of birth •  nationality, 2 (ii). ’Identifying’ the customer (KOR)
  11. 11. 11 Article 35 (Non face-to-face transactions) (1) Financial institutions shall establish policies and procedures to address the risk of ML/TF related to non-face-to-face transactions. 2 (ii). Remote ’Verifying’ the customer (KOR)
  12. 12. 12 2 (ii). ’Identifying’ the customer (HKG) Hong Kong takes a specific approach via the Guidance Note GN33 (March 2015), similar to South Korea’s Article 38 Identifying a customer is defined as : •  name, •  Address, •  date of birth •  nationality •  identity or travel document incl. number and type
  13. 13. 13 FI must carry out at least one of the following measures for remote on-boarding: a.  Use additional sources of documents, data or information b.  taking supplementary measures to verify all the information provided by the customer; c.  ensuring that the first payment made into the customer’s account is received from an account in the customer’s name with an authorized institution in an equivalent jurisdiction…… 2 (iii). Remote ‘Verifying’ the customer (HKG)
  14. 14. 14 2 (iv). Remote ‘Verifying’ the customer (SGP) MAS 626 (New Guidelines 24 April 2015) –Appropriate measures to address risks arising from undertaking transactions via internet, by using one or more of: (a) Independent telephone verification of customer; (b) confirmation of the customer’s address; (c) confirmation of the customer’s employment status; (d) customer’s salary confirmation by use of recent bank statements from another bank; (e) qualified 3rd party certification of identification documents (f) requiring the first payment to be carried out through an account in the customer’s name with another FI subject to similar or equivalent customer due diligence standards;
  15. 15. 15 The reporting entity must collect and verify the following KYC information: i.  the customer’s full name; and Collect both of, but verify either /any one of : a.  the customer’s date of birth, or b.  the customer’s residential address. 2 (iv). ’Identifying’ and ‘Verifying’ the customer (AUS)
  16. 16. 16 0 1 2 3 4 5 6 7 AUS/UK/US/SE IT/FR/BG KOR HKG SGP Name + Address Or Name + DoB Name + Address+ DoB Name + Address+ DoB + Nationality + GovID + [SGP] Contact Details 2(v). Summary : # of Attributes to be Verified.
  17. 17. 17 3. Private Sector: Who needs Identity? •  Payment processors : compliance requirement for AML KYC & /or ECB SecuRE Pay. •  eMerchants in the SEPA/EU28 as part of the ECB’s Strong Customer Authentication. •  Stock Brokers •  Financial Systems requiring two factor authentication technology •  Banks (incl debit, card issuers) •  Commodity/Bullion Brokers •  Crypto Currency Exchanges (e.g. bitcoin) •  Real Estate Sales/Rental Agents •  Travel Agents (US Patriot Act) •  Life Insurers •  Accountants/Auditors/Lawyers •  Financial Advisors/Super Funds •  eWallets/mWallet Providers •  Money remittance p2p •  Loan/Pawn Providers •  eCasino/eGaming/eWagering •  Any business routinely trading > US $10k/transaction •  Currency Exchange Payment Processing Financial Professional Services Others
  18. 18. 18 Customer Ease Lower Cost LOCAL AUTOMATED MANUAL Notarised: posted/uploaded documents* ‘Experian’ or ‘GBGroup’ style static, credit database search (UK, US, AU) Face to face checks iSignthis + PayPal GLOBAL •  No dynamic means to include customer on request if not already a historic customer of a credit reporting agency. •  Requires cross check of other databases. •  Typical coverage of 60% of online applicants •  >3Bn accessible global payment instruments. •  No need for user’s disclosure of bank details to a third party. Lower Friction Remote on boarding 3. Private Sector: Who needs Identity?
  19. 19. 19 Two ways: (i) Face to Face– from reliable document sources, normally using government issued photo identity documents. Typically, we look for; •  Proof of Identity (POI) – birth certificate, marriage certificate •  Evidence of Identity (EOI) – government issued ID or bank accounts/cards •  Social Footprint – utility bills, payments, insurances (ii) Electronic Verification (EV) – from reliable data or information sources 4. How do we establish identity?
  20. 20. 20 The EU’s Public Register of Authentic Identity and Travel Documents Online (PRADO), recommends: “When checking security features of documents: FEEL, LOOK, TILT!” And “Check the validity of document numbers – [via] List of links to websites with information on invalid document numbers” 4a (i). Approach 1 – Physical Documents (Challenges – Authenticity, Validity, Transformation, Verification)
  21. 21. 21 4a (i). Transforming – Physical Documents (Challenges – Authenticity, Validity, Transformation, Verification) •  Trend in some countries towards using Webcams or non-Certified images. •  Scanners/Webcams – can’t look, feel tilt ; so, how valid, “reliable” or “independent is uploading of an identity document(s)? •  How reliable is a comparison of a photo on such a document via webcam? •  There is no EU or global register of stolen credentials…how is validity of these documents checked? •  Can a document be transitioned from physical to become “data” or information without verification as to its reliability or validity by issuer?
  22. 22. 22 Is there a legal basis to rely upon non issuer/third party transformed physical documents? •  NO! This approach is specifically prohibited or not endorsed by regulators in many jurisdictions: •  Eg, Germany (legislation), HKG (GN33 @ 4.12.2), Singapore (MAS Guidance Note @ 33), Australia (AML Regs), Korea (Original or certified, Per AMLCTF Reg 39), UK (AML2007, 14(2)(c)), Canada (Schedule 7) •  We could not find direct support in any EU, Australian or Asia AML/CTF regulation that supports the concept of digital transformation of documents to data as constituting a reliable source of data – unless a qualified person certifies the document 4a (ii). Transforming – Physical Documents
  23. 23. 23 Breach Size 80m , Jan 15 Breach Size 1m , Nov 14 Static database – electoral, credit, passport, drivers license Relies on “Non Public Approach” Knowledge Based Authentication (KBA) – comparison of collected data to database. Issues •  Highly localised, no global approach •  Much of the data is public or easily obtained. •  No revocation means if say wallet stolen or mailbox compromised •  Data may not change between KBA making ongoing due diligence risible susceptible to ghosting and/or takeover •  Simple to ‘reverse or social engineer’ the KBA •  Once breached, re-credentialing of individuals is difficult – data becomes “public” – what now? 4a (ii). Approach 2: Static Database Electronic Verification (Non Public Approach)
  24. 24. 24 Physical Identification Proof of Identity Documents E- Payment Account Accounts Unique Regulated AML (Identifies Person) Verify Account Once verified - “Reliable” Source for EV (AML) KYC Identity Sanction Screen + Monitor Validate data Secondary Sources of Data 150m people 200 countries 4C. Approach 3: Dynamic Re-Use of Bank ID (Principles based)
  25. 25. 25 25 Direct Account Access 1.  Request account login details from customer 2.  Service Provider Accesses account 3.  SP Confirms account is active and retrieve details associated with account Key Risk : requires customer to provide Sensitive Account Data (login details + Password) Key Limitation : limited to 350m bank accounts, mainly in SEPA. No credit card support. Global – legal, risk, liability issues? Indirect Account Access via KBA 1.  Service Provider creates a “secret” using payment against payment instrument and Process secret to a statement of account 2.  Ask customer to retrieve secret from payment instrument “secure area” Key advantages : i)  Customer Sensitive Account Data not exposed to 3rd party ii)  Global : Leverages more than 3.5Bn cards and bank accounts across 200 countries iii)  Risks reduced for all parties incl operator liability under eIDAS for data breach 4C (i). Approach 3: Dynamic Electronic Verification
  26. 26. 26 26 4C (ii). KBA Example: iSignthis & PayPal
  27. 27. 27 Payment Data (Merchant, Acquirer, Card Details, Name, Amount, Time, Place, IIN Data + Country of issue) Authentication + Validation Data (Geodata, device data, SAD, phone number, SMS) Device Data (MAC, IMEI, CPE, Language, OS) Network Data : IP Address, Carrier, Channel, route, Cell Tower Delivery Data Address, Phone Under EU law, all of this is PII – identifiable to a person Under US law, taken as a whole, this is also PII – identifies a person. 4C (iii). Advantages of Transactional Approach: Metadata is the DNA of a payment message
  28. 28. 28 Link Identity & Payment Account with 2FA First Factor: User selected Passcode Second Factor: One Time Password by SMS Or Assurity(.sg) hard token iSignthis Identity : AML/CTF KYC Identity traced & linked to 2FA and/or Identity file created Customer transacts with eMerchant Online or mobile Customer iSignthis process takes place post cart checkout, ensuring high conversion rates. 4c (iv). A reliable means to generate identity on demand
  29. 29. 29 Passporting: •  Country <> Country •  AML Service <> AML Service •  AML Service <>Government Possible in most jurisdictions provided that source is from an equivalency jurisdiction – not necessarily FATF. 5. Global application- Passporting
  30. 30. 30 •  Transactions drive e-identity. And ought do so – ‘pre- boarding’ is an outmoded concept for online, and On- boarding customers for the sake of doing so is expensive and unnecessary. •  Identity is complex. Legally establishing identity is even more complex. •  Ultimately given its importance to ecommerce a scalable, dynamic electronic verification approach to identity is important taking into account security, costs and the user experience •  Global opportunities via passporting approach. •  Documents are not data unless transformed by a qualified certifying party. Key Takeaways
  31. 31. 31 Sales: Andrew Karantzis +61 411 428 259 For further information contact: