European anti-money laundering legislation means customers and businesses are required to provide potentially sensitive documentation to prove their identities. But how safe are the methods of sharing and storing those documents? Are these attempts to strengthen security creating security and privacy risks of their own?
Right now, we’re stuck with a system that forces customers to duplicate key processes, and means sensitive personal documents are stored in multiple locations with multiple services. That’s a poor experience for customers. More seriously, it greatly increases the risk of data breaches. Recent years have proved – with increasing frequency – just how urgent those risks are.
Reform is under way – but is neither wide-ranging enough nor fast enough. We need a system that enables individuals to stay in control of their personal documents, so they can use them to verify their identities when required without having to store them in vulnerable third-party locations.
Such a system might have sounded like a pipe dream until recently. But decentralized digital identities, enabled by blockchain technology, make it a far more viable concept than many might believe.
The current KYC model is broken
KYC processes enable regulated institutions to verify the identity and intentions of individuals or businesses to whom they provide services. That’s essential for complying with fraud and anti-money laundering regulations.
As such, their importance is beyond doubt. They’re vital for minimising criminality in the global financial system and other services. But the wide range of services requiring KYC has created an inefficient mesh of heavily overlapping processes. Every time a customer wants to start using one of these services, they have to navigate almost identical processes – making the experience inefficient and frustrating.
More worrying is the fact that some of customers’ most sensitive personal documents end up stored in various locations by multiple third parties. There is now ample evidence of the vulnerability of even the world’s largest data referencing companies. The Equifax data breach in 2017, for example, exposed sensitive personal information belonging to 143 million Americans.
The longer banks, mortgage providers, brokers and other regulated bodies rely on this approach, the greater the likelihood of another big breach – like the recent one in America.
Reforms don’t go far enough
Many people are aware of the weaknesses of the current system, and are developing new approaches.
One example is asking customers to go through the KYC process just once, with an organisation the regulator has approved as a trusted verification party. Once the customer has passed this initial KYC, they can use their certification as an attestation of their identity when other service providers ask for verification.
The major advantage of this approach is in customer experience. It means people only go through KYC once, rather than multiple times.
The problem is, most banks and services won’t accept each other’s attestations for business and insurance reasons. And this approach doesn’t solve the central issue that sensitive personal information is still being stored by third party providers (TPPs).
Reducing the number of TPPs storing this sort of data can be seen as a step forward. But when we’ve seen market leaders like Equifax hit so hard, is it really wise to put so much faith in their ability to protect data?
Wouldn’t it be better to give full control of KYC documents to the individual? This effectively atomises all the data securely to individuals and beyond, rather than holding it in honey pot silos. And it’s surely common sense that personal information should only be held by the individual it belongs to.
In fact, blockchain-powered platforms make it possible to create a secure, efficient KYC system that achieves this, while also keeping regulators satisfied and giving businesses a way to offer the same services without the costs and risks of storing personal data.
A new approach to personal document control
It seems the regulatory environment could be open to change in this regard. There’s real potential for regulators to seek out and support new KYC methods that avoid the risks of TPP storage.
Technologies like blockchain, zero-knowledge cryptography and biometrics are proving themselves as powerful components in vastly more secure systems than anything available today. It won’t be long before these technologies are rolled out, enabling individuals to own and store their own KYC documents, and keep them updated.
In this scenario, an individual who wants to interact with a service provider requiring KYC verification can present their information with read-only access – and ideally only as an attestation.
This can be achieved using key pair cryptographic signatures, or a multi-signature smart contract in conjunction with the service provider and/or regulator’s digital identity. When the individual signs that request with their own digital identity, the service provider and/or regulator will have access to a timestamped KYC document for the individual. This document will only be accessible by the specific service or regulator, for the regulatory period required.
This delivers on the twin aims of improving customer experience with only one source of KYC, and eliminating the need for any other party to store the customer’s information.
Evolution, not revolution
As the system exists today, this new approach could transform the simplicity and security of KYC processes required by current regulations. But it’s the future potential that looks really exciting.
In the context of Open Banking, for example, where customers will be enabled and encouraged to switch providers easily and use a range of different services at once, the importance of simple, secure KYC processes will only increase.
Using blockchain platforms, we can establish ownership and control of personal documents and an attestation model. We will no longer need to have sensitive personal documents stored in vulnerable third party silos. We’ll be able to meet regulators’ requirements, make life easier for customers, and eliminate the danger of third-party data breaches. KYC can become as easy as ABC.
by Alastair Johnson