This document proposes a peer-to-peer (P2P) digital solution for know-your-customer (KYC) data sharing between financial institutions across borders in the European Union. The solution would leverage existing eIDAS trust services and qualified certificates to securely transmit KYC data from the institution that holds the customer's data (the KYC custodian) to other relying parties, like those offering loans or accounts. The proposed approach focuses on interactions between existing KYC custodians and new service providers, is designed to be cross-border by nature and privacy-centric, and could be implemented gradually without large infrastructure investments. Several technical and governance aspects would still need to be addressed, like data standards
1. Ronny Khan & Stephane Mouy
A practical P2P eKYC solution for the private sector
1
A practical X-border KYC solution leveraging the eIDAS Regulation
EU FinTech Lab – 18 06 2020
A P2P digital gateway for private sector interactions
✓ Cross-border by design
✓ Privacy-centric by design
✓ Generic and non-proprietary technology
✓ No single point of failure
✓ Inherently scalable in volume and usage
✓ Can roll out gradually
✓ Based on proven patterns & regulations
✓ Strict and simple governance model
• Open an account or apply for a loan in a different member State
• Change residence – move to another member State
• Access goods or services, for example eligibility for health services or student facilities
• Change marital status in a different country
• Apply for jobs requiring background checks in a different country
• Use services or jobs requiring proof of professional status or education
Core ID data + additional information needed
Identification is crucial but still only part of the validation process in most X-country use cases
• The private sector has a similar problem and needs a solution. It also offers the scale required for a deeper digital internal market with a plethora of cross-border use cases
• We are not suggesting building a complex/costly central infrastructure but rather deploying a peer-to-peer solution with standard bricks that are available immediately for gradual rollout with a limited investment
• We focus on KYC data but the solution can be extended to other use cases and industry sectors
The Single Digital Gateway is an existing framework for cross-border services but only applies to public services
• KYC data = Identification + CDD Data
• Discrepancies in KYC regulations act as a brake on an integrated financial market. 'Competitiveness and regulatory sovereignty in relation to technology finance require a more harmonised framework' (ROFIEG Report 2019-12)
• But 'where to start' is important
• Directly aiming at a 'grand eKYC framework' appears unrealistic in the current environment
• Doing nothing means leaving the initiative to GAFAMs and other actors – loss of EU sovereignty
• Proposed approach – practical and pragmatic steps are preferred
• Focus on interactions between KYC custodians (existing banking relationships) and new service providers (KYC relying parties)
The eKYC use case: Interactions between KYC custodians and relying parties
• As with PSD2, qualified certificates will be issued by trust service providers to eligible entities
• These certificates will serve to authenticate the relying party and to secure the data exchanged with a KYC custodian
• This will standardise what is happening in the market today with KYC utilities
• It gives regulators a clear point of control (revocation) and clear traceability behind the usage of qualified certificates
The eKYC use case: Reuse the PSD2 approach leveraging eIDAS Trust Services
KYC data standardisation needs addressing. This is a related issue to be solved separately
• We propose to start this track in parallel as this is broadly speaking an independent matter
• We do not propose to synchronise "finish to finish"
• Institutions can start using the Trust Service approach subject to a risk-based assessment - they do not get a free pass but can use it based on their own risk assessment and in dialogue with the competent authority
• Temporary domestic requirements can be considered as intermediate steps while still on the right track for the final solution. Domestic requirements on what counts as KYC data are usually resolvable
• Governance is ensured by strict issuance and invalidation criteria of qualified certificates
• Use custom certificate attributes to define what request rights an entity has and which response rights
• No big bang. Can be deployed gradually and grow organically
• Generic approach which can be used for other use cases (or industry sectors)
Generic solution: Leverage eIDAS qualified certificates & trust services to secure a P2P virtual single gateway for the private sector
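Added example, not from the deck and not code of the authors or of any trust service provider: a Go sketch of how the PSD2-style slide (certificates as authentication towards the custodian, revocation as the regulator's point of control) and the slide above (request/response rights carried as custom certificate attributes) combine on the custodian side. Only Go's standard library is used. The OID of the rights extension, the category names ('identity', 'address', 'cdd-risk'), the self-signed root standing in for a qualified TSP and the locally minted CRL are all assumptions made for the example; a real custodian would anchor on the TSP certificates from the EU trusted lists and consume the TSP's published CRL or OCSP responses.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"errors"
	"fmt"
	"math/big"
	"time"
)

var oidEKYCRights = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // hypothetical private-arc OID (assumption; the deck names none)

// EKYCRights is the extension's DER payload: KYC data categories the holder may request, and may serve.
type EKYCRights struct {
	RequestRights  []string
	ResponseRights []string
}

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// Issue generates a P-256 key and certificate for cn. A nil parent yields a self-signed root standing
// in for the qualified TSP; otherwise a TSP-signed end-entity certificate carrying the rights extension.
func Issue(parent *x509.Certificate, signer *ecdsa.PrivateKey, serial int64, cn string, rights EKYCRights) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	if parent == nil { // root: must be allowed to sign certificates and CRLs
		parent, signer = tmpl, key
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageCRLSign
	} else { // extension left non-critical for brevity; a production profile would mark it critical
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtraExtensions = []pkix.Extension{{Id: oidEKYCRights, Value: must(asn1.Marshal(rights))}}
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	return must(x509.ParseCertificate(der)), key
}

// Revoke has the TSP publish a CRL listing the given serials: the regulator's point of control.
func Revoke(tsp *x509.Certificate, tspKey *ecdsa.PrivateKey, serials ...int64) *x509.RevocationList {
	tmpl := &x509.RevocationList{Number: big.NewInt(1), ThisUpdate: time.Now().Add(-time.Minute), NextUpdate: time.Now().Add(time.Hour)}
	for _, s := range serials {
		tmpl.RevokedCertificates = append(tmpl.RevokedCertificates, pkix.RevokedCertificate{SerialNumber: big.NewInt(s), RevocationTime: time.Now()})
	}
	der := must(x509.CreateRevocationList(rand.Reader, tmpl, tsp, tspKey))
	return must(x509.ParseRevocationList(der))
}

// ParseRights decodes the rights extension; absent or malformed means no rights at all.
func ParseRights(c *x509.Certificate) (EKYCRights, error) {
	var r EKYCRights
	for _, ext := range c.Extensions {
		if ext.Id.Equal(oidEKYCRights) {
			if rest, err := asn1.Unmarshal(ext.Value, &r); err != nil || len(rest) != 0 {
				return r, errors.New("ekyc: malformed rights extension")
			}
			return r, nil
		}
	}
	return r, errors.New("ekyc: no rights extension")
}

// Authorize is the custodian-side gate for one KYC data request: the requester's certificate must chain
// to the trusted TSP, must not be on the TSP's current CRL, and must grant the requested category.
func Authorize(tsp *x509.Certificate, crl *x509.RevocationList, req *x509.Certificate, category string) error {
	rights, err := ParseRights(req)
	if err != nil {
		return err
	}
	roots := x509.NewCertPool()
	roots.AddCert(tsp)
	if _, err := req.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("ekyc: chain validation failed: %w", err)
	}
	if err := crl.CheckSignatureFrom(tsp); err != nil || time.Now().After(crl.NextUpdate) {
		return fmt.Errorf("ekyc: CRL not signed by the TSP or stale, failing closed: %v", err)
	}
	for _, rc := range crl.RevokedCertificates {
		if rc.SerialNumber.Cmp(req.SerialNumber) == 0 {
			return errors.New("ekyc: requester certificate is revoked")
		}
	}
	for _, c := range rights.RequestRights {
		if c == category {
			return nil
		}
	}
	return fmt.Errorf("ekyc: certificate grants no request right for %q", category)
}
```

Authorize fails closed: a certificate without the extension, one chaining to an issuer outside the trusted set, one listed on the CRL, a stale CRL, and a category absent from RequestRights all deny the request, so "what an entity may ask for" is enforced by the TSP's issuance criteria rather than by bilateral configuration at each custodian. Two things the sketch leaves out that a production profile would add: mark the rights extension critical and clear it from UnhandledCriticalExtensions only after parsing it, so a custodian that does not understand the attribute rejects the certificate instead of silently ignoring it; and check ResponseRights on the custodian's own certificate before it answers, so the response side of the deck's rights model is enforced too.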
✓ Cross-border by design
✓ Privacy-centric by design
✓ Generic and non-proprietary technology
✓ No single point of failure
  • Inherently scalable in volume and usage
  • Can roll out gradually
✓ Based on established and proven patterns, regulations and components
  • P2P pattern
  • W3C based infrastructure
  • eIDAS regulation
✓ Strict and simple governance model
❑ No magic: scope and data standards need to be defined
❑ No inherent auto-discovery. How participants are identified needs addressing but various options can be contemplated
Scorecard
Key takeaway and suggested actions
✓ Even if easy, convenient onboarding and roll-out of digital identities are of paramount importance, it is only the start of the journey
✓ To achieve a true single digital market of depth one should start focusing on the infrastructure required not only at the lowest levels (networks etc.) but also on value-adding services
✓ Start appropriate work on getting the value-adding infrastructure defined and in place
✓ Talk to us. We have no proprietary product to push nor hundreds of junior consultants to find employment for
Thank you for your attention
Ronny Khan
rkh@dnb.no
https://bit.ly/3985fpF
Stephane Mouy
sgmouy@stephanemouy.com
https://sgmconsultingservices.com
The eKYC use case: Leverage eIDAS Trust Services
• eIDAS Trust Services: e-signatures, e-seals, e-registered letters, e-time stamps and website authentication
• eIDAS Trust Services are regulated – especially the high-end 'Qualified Trust Services' provided by accredited 'qualified trust service providers' and legally recognised on a cross-border basis
• Qualified Trust Services are based upon 'Qualified Certificates' defined by the eIDAS Regulation (esp. Annexes I & III); the signatures and seals they produce use industry-standard formats (e.g. XAdES, CAdES, PAdES)
• More importantly, Trust Services are recognised for AML purposes
The eKYC use case: AML and liability rules continue to apply
The new service provider (KYC relying party) is fully responsible and applies AML rules. It cannot rely on the KYC custodian for these:
• Independently assesses the risk factors of the contemplated customer relationship (risk-based approach)
• Independently determines which KYC data is required
• Independently determines when KYC data needs to be refreshed (re-verified) as part of ongoing CDD processes
• Is fully responsible vis-à-vis regulatory authorities in line with FATF Recommendation 17
Progress can be made quickly but... not everything can be solved in one go
• What are the KYC data and how are they represented?
• What other attributes are needed and how is their reliability expressed?
• What are the consent requirements?
  • For eIDAS this would be done by presentation of a signed consent form
  • For non-eIDAS it can be solved by one-time authorisation codes
  • It could even be done on trust, with the new service provider warranting that it has obtained user consent and the KYC custodian trusting that warranty
• Eligibility
  • Who qualifies for the usage of such services?
• What is the business model? How are costs and revenues shared?
Eligibility criteria: Entities allowed to use the solution
• Ideally all 'obliged entities' (entities subject to AML requirements) should be able to use the solution
  • As a starting point this is too big a step to take
  • Also in terms of risk and governance of certificate issuing
• We suggest starting by focusing on easier scenarios which still correspond to the majority of use cases
• A suggested approach is to allow this for account-holding financial institutions now and expand in later iterations
  • This will facilitate the management of user data consent
  • With strong proof of consent it should be possible to expand the availability of usage