I just received a white paper about Social KYC from Fintech startup Veridu. The idea is to use our social media profiles to authenticate and onboard as a new 21st-century KYC process. It’s an interesting idea I thought I’d share here but, before I do, I posted a note on the blog in 2009 that recommended that banks use social media as a way of verifying whether customers could be trusted, a social KYC if you like. Veridu has now launched just that and here’s their pitch:
The current form of Know Your Customer (KYC) regulation, introduced over a decade ago, was initially focused on banks, and as a result can feel like a hindrance to smaller and more nimble businesses, like cryptocurrency wallets and cross-border e-commerce companies.
Identity verification (IDV) is a particularly challenging aspect of the KYC process, and the traditional way of verifying identities using passports, driving licences and other documentary forms of identification is becoming a barrier. A barrier to trade, but judging by the increase in cases of identity theft (31% increase in the number of victims of identity theft in the UK alone), not a barrier to criminals.
As if this wasn’t enough, traditional identity verification mechanisms also have an unintended negative impact on financial inclusion. Users in developing countries and those under the age of 24 are often seeing themselves declined through no fault of their own simply because they don’t have official identity documents or a comprehensive credit history.
Why is this?
The current form of Know Your Customer (KYC) regulation, introduced swiftly after the 9/11 attacks in the United States, exists to prevent identity theft, financial fraud, money laundering, terrorist financing and other financial crimes. When the current regulations first came into force they were aimed predominantly at banks, but have now been extended to cover more sectors, including providers of cryptocurrency wallets in certain jurisdictions (recently the European Commission advised that all European cryptocurrency exchanges will become obliged entities under the 4th Anti-Money Laundering Directive).
Regulation has also become more stringent but less prescriptive — less about ticking boxes and more about focusing your finite resources on the actual risks you face using a risk-based evidentiary approach. This push for firms to take a risk-based approach is a good thing — it gives you leeway to tailor your processes to meet the needs of your business whilst combating money laundering and terrorist financing.
Verifying the identity of a new customer is one step in the KYC process, and has traditionally been accomplished by checking a person’s official identity documents. All well and good a decade ago when opening a bank account involved turning up at your local branch, completing paper forms and waiting patiently while all the relevant checks were carried out.
However, the environment companies operate in today is changing rapidly. We expect to be able to sign up to new services online, and often on the go, and we expect instant access. If we don’t get it we’ll go somewhere else, it’s that simple. This is where the risk-based approach, and the use of Social KYC comes in.
What is Social KYC?
We generate large amounts of data about ourselves online every single day. We buy online, keep in touch with friends and family online, share photos, stream music and films, it goes on. All of this activity, when analysed as a whole, builds up a very deep and unique digital footprint — something that’s exceedingly difficult for someone to steal or fake convincingly.
Social KYC harnesses this data and uses it to establish a person’s identity — on a consent-driven basis, of course. Using algorithms to analyse and corroborate various data attributes across multiple online accounts, it is possible to quickly establish the likelihood of a person being:
- who they claim to be (including various demographic data related thereto)
- a legitimate potential user (rather than a fraudster trying to access your platform with malicious intent)
We’re all used to Single Sign On – using an existing social media account to sign up to a new service — and Social KYC is an extension of this. As all you’re doing is asking a user to log in to a variety of their online accounts to prove who they are, it makes for a far more fluid sign up experience which in turn will encourage more users onto your platform.
And just for the record, regulations do not require KYC to be performed on paper. The EU Anti-Money Laundering Directive (Directive) states that a customer’s identity can be verified using documents, data or information. Customer due diligence measures shall comprise: “identifying the customer and verifying the customer’s identity on the basis of documents, data or information obtained from a reliable and independent source” (Article 13, 4th Anti-Money Laundering Directive).
The UK Joint Money Laundering Steering Group (JMLSG) guidance (UK Guidance) offers cross-sector guidance and they emphasise your responsibility to make your own judgements based on the information available and using a risk-based approach.
“Evidence of identity can take a number of forms. In respect of individuals, much weight is placed on so-called ‘identity documents’, such as passports and photocard driving licences, and these are often the easiest way of being reasonably satisfied as to someone’s identity. It is, however, possible to be reasonably satisfied as to a customer’s identity based on other forms of confirmation … How much identity information or evidence to ask for, and what to verify, in order to be reasonably satisfied as to a customer’s identity, are matters for the judgement of the firm, which must be exercised on a risk-based approach…” (JMLSG Guidance 5.3.28 and 5.3.29)
The Directive also allows for firms to carry out simplified due diligence (SDD), as part of a risk-based approach, if certain conditions are met, e.g. depending on the person concerned or the product involved. SDD means that firms do not have to carry out full customer due diligence, but it does not normally equate to fully anonymous transactions either; operators should ensure they can explain and justify situations where SDD is appropriate.
The UK Guidance states that identity would typically include full name, address and date of birth. However, neither the Directive, nor the UK Money Laundering Regulations (MLRs) defines exactly what identity is. It could be possible to adopt an SDD strategy where, providing no other money laundering / terrorist financing risk indicators are present, a non-traditional approach to identity checking is adopted.
And, for the record, I know at least one bank that already uses a form of social KYC in Brazil.