iSignthis - eKYC - eMerchant Acquiring and Identity Risk
JOHN KARANTZIS
CEO & Managing Director iSignthis Ltd (ASX : ISX)
Acquiring & Identity Risk
Founded 2013, listed on the ASX March 2015, under code “ISX”
• Retail eKYC : to remotely identify, verify and onboard retail customers resident in over 200 countries, reaching over 3Bn persons.
• Acquiring eKYC : to remotely identify and verify directors, UBOs and Key Controllers of merchants
• eWallet onboarding : AML & SecuRE Pay card verification for onboarding
• Strong Customer Authentication & Transaction Monitoring : to meet AML and EBA Security of Internet “Secure Pay” requirements
About iSignthis
Guiding Principle for FATF legislative model jurisdictions
“Customer due diligence measures shall comprise: Identifying the customer and verifying the customer's identity on the basis of documents, data or information obtained from a reliable and independent source;”
Applicable throughout the payment processing chain for regulated services.
Establishing (natural person) Identity : FATF Recommendations #5
Identity & Regulation
• Globally, AML Regulations require:
• acquirers to identify their e-merchants as part of customer due diligence / know your customer (KYC).
• Monitor transactions
• In the SEPA, the EBA’s SecuRE Pay guidelines reinforce this obligation. Payment Services Directive 2 (when passed by parliament) will mandate this, and further requirements.
• The ECB’s SecuRe Pay recommendations & policy position with regards to “one leg out” authentication of customers outside EEA.
Acquiring Risk
• Merchant corporate structures are readily identified
• AML requirements now move beyond the corporate structure to identification of the natural persons who are the UBOs and Key Controllers/Directors.
• Challenge (and risk) is in verification and KYC of those natural persons.
• For merchant on-boarding : KYC of multiple natural persons is complex and time-consuming.
• What about merchant customers on your network? How can we help them together?
Chart labels: Customer Ease, Lower Cost, Lower Friction, Remote on boarding; LOCAL, GLOBAL; MANUAL, AUTOMATED
Notarised: posted/uploaded documents*
Face to face checks
‘Experian’ or ‘GBGroup’ style static, credit database search (UK, US, AU)
• No dynamic means to include customer on request if not already a historic customer of a credit reporting agency.
• Requires cross check of other databases.
• Typical coverage of 60% of online applicants
iSignthis
• >3Bn accessible global payment instruments.
• No need for user’s disclosure of bank details to a third party.
Options : Establishing Identity
Trend towards using Webcams or non-Certified images.
Is there a legal basis to rely upon non issuer/third party transformed physical documents?
• NO! This approach is specifically prohibited or not endorsed by regulators in many jurisdictions:
• E.g., Germany (AML legislation s6(2)(b)), HKG (GN33 @ 4.12.2), Singapore (MAS Guidance Note @ 33), Australia (AML Regs), Korea (AMLCTF Reg 39), UK (AML2007, 14(2)(c)), Canada (AML Rules Sch 7)
• We could not find direct support in any EU, Australian or Asia AML/CTF regulation that supports the concept of digital transformation of documents to data as constituting a reliable source of data – unless a certification process takes place by a qualified person.
Transforming – Physical Documents
Breach Size 80m, Jan 15
Breach Size 1m, Nov 14
Static database – electoral, credit, passport, drivers license
Relies on “Non Public Approach” Knowledge Based Authentication (KBA) – comparison of collected data to database.
Issues
• Limited reach of persons that can be identified.
• Highly localised, no global approach
• Much of the data is public or easily obtained.
• No revocation means if say wallet stolen or mailbox compromised
• Data may not change between KBA making ongoing due diligence risible, susceptible to ghosting and/or takeover
• Simple to ‘reverse or social engineer’ the KBA
• Once breached, re-credentialing of individuals is difficult – data becomes “public” – what now?
Static Database Electronic Verification (Non Public Approach)
Consider the following factors
• (a) its accuracy;
• (b) how secure it is;
• (c) how the data is kept up-to-date / its recency
• (d) how comprehensive the data is
• (e) whether the data is maintained by a government body or pursuant to legislation; and
• (f) whether the electronic data can be additionally authenticated
What is a reliable source of data?
[Diagram labels: Physical Identification; Proof of Identity Documents; E-Payment Account; Accounts Unique; Regulated AML (Identifies Person); Verify Account; Once verified - “Reliable” Source for EV (AML); KYC Identity Sanction Screen + Monitor Validate data; Secondary Sources of Data; 170m people, 200 countries]
Dynamic Re-Use of Bank ID (Principles based)
Dynamic KBA
Payment Data (Merchant, Acquirer, Card Details, Name, Amount, Time, Place, IIN Data + Country of issue)
Authentication + Validation Data (Geodata, device data, SAD, phone number, SMS)
Device Data (MAC, IMEI, CPE, Language, OS)
Network Data : IP Address, Carrier, Channel, route, Cell Tower
Delivery Data : Address, Phone
Under EU law, all of this is PII – identifiable to a person
Under US law, taken as a whole, this is also PII – identifies a person.
Transactional Approach: Metadata is the DNA of a payment message
KBA Example: iSignthis & PayPal
Private Sector: Who else needs Identity? Helping your customers
• Payment processors : compliance requirement for AML KYC & /or ECB SecuRE Pay.
• eMerchants in the SEPA/EU28 as part of the ECB’s Strong Customer Authentication.
• Stock Brokers
• Financial Systems requiring two factor authentication technology
• Banks (incl debit, card issuers)
• Commodity/Bullion Brokers
• Crypto Currency Exchanges (e.g. bitcoin)
• Real Estate Sales/Rental Agents
• Travel Agents (US Patriot Act)
• Life Insurers
• Accountants/Auditors/Lawyers
• Financial Advisors/Super Funds
• eWallets/mWallet Providers
• Money remittance p2p
• Loan/Pawn Providers
• eCasino/eGaming/eWagering
• Any business routinely trading > US $10k/transaction
• Currency Exchange
Payment Processing
Financial
Professional Services
Others
Conclusions
• Regulation becoming more onerous.
• As transactions increase, scalability, automation and remote identification influence risk and viability.
• Opportunities exist to streamline processes
• Use of your own processing networks can provide a basis for KYC of natural persons
• The payment network can be used to onboard your merchant’s end customers as a value added service.