On KYC and blockchains
It’s official: Blockchains for everything!
KYC is a challenge that blockchains are being thrown at (see here, here, here). The premise is “KYC is a headache and blockchains are trendy”. However, there is rarely much detail on the problem, or insight into why a blockchain might or might not be a good idea. I aim to explore this use-case more fully in this post.
Firstly, some definitions
Knowing Your Customer (KYC) is a process that occurs in financial services mandated by regulation.
For financial services providers it means having a good idea of who you are providing financial services to, whether they are individuals or businesses.
In the case of individuals, the process ranges from proof of identification and address through to understanding a person’s source of wealth, business interests and family connections, especially if they have politically active family relations.
For businesses it means understanding the business, the entity structure, history, directors and shareholders, and how the business operates and makes money.
AML and CFT
As distinct from KYC, Anti Money Laundering (AML) and Countering the Financing of Terrorism (CFT) are about understanding patterns of money flow at the transaction level to avoid helping criminals.
Banks get into trouble when they get caught moving money around if the money has illegal or immoral origins (dirty money) or is used for illegal purposes, such as funding terrorism.
AML and CFT are mainly about detecting patterns and are out of scope for this post.
For a refresher, here is a gentle introduction to blockchains explaining the technology behind blockchains.
The KYC problem
The problem is that KYC is an expensive part of onboarding a new client and each financial institution must do their own KYC. It is unacceptable to point at another entity and say that someone else has already KYC’d this client so you don’t have to.
This means financial services companies have a high cost of customer acquisition, and for customers it means a painful process to go through every time a new account is opened with a new financial services provider.
I will focus on the KYC of an individual, which is less arduous than KYC on a business (sometimes called KYB, Know Your Business) but illustrates the same points.
There are several parts to the KYC process:
- Acquiring personal information
  - tell me your name and address and source of wealth
- Acquiring proofs of personal information
  - prove your name and address and source of wealth by showing me documents
- Storage of personal information
  - so we can prove to regulators that we know you and have followed this process
- Background checks, sometimes called CDD or Client Due Diligence
  - so we can find out a little more about you and your background
- Ongoing monitoring of changes to clients
  - so if you become a criminal, we can react appropriately
Every new client to every financial institution must go through the same process.
Surely there’s a better way?
A pre-blockchain world
Before talking about decentralisation, let’s think about what can be centralised to create efficiencies. Remember that in most countries it is a regulatory mandate that each bank must do their own KYC.
Personal information. Name, address, date of birth, marital status, passport number, national ID, passport photocopies, scans of ID cards (front and back), marriage certificates, birth certificates, etc.
It’s the same static information and most of it doesn’t change that often.
Could this be stored in some sort of National KYC database so that customers can allow (and revoke) third party access with the push of a button? Certainly.
Would it be better than the existing situation? In some respects, yes. However there are a few things to think through:
1. User experience
Ideally I would sign up to a bank online from a mobile or desktop. I would then click a button and type in a password or something, like signing up to new websites with my Facebook profile. I would then be presented with all of my documents and information, with an indication of which ones I will be presenting to the bank. I’d click “allow”, and then wait while the bank decides if I am an appropriate customer.
Would I need to sign a physical piece of paper using a black pen and send it in the post to the bank? Surely not in this age. Maybe a scan of my signature could form part of the dataset held in the National KYC database, and maybe that should be good enough. Note that here I’m talking about wet-ink pen-and-paper signatures, not digital signatures. Digital signatures are much more secure than wet-ink signatures, but cause a different set of problems themselves.
Net-net, I think user experience can be improved with a National KYC system.
2. Bank experience
From the bank’s perspective this would be a huge cost cutter, in terms of having immediate access to relevant documents, and not having to chase up customers for various bits and pieces. Also accounts can be opened more quickly, leading to quicker deposits and revenue generation.
One of the overheads that banks have is needing to sight originals, which makes a mockery of the efficiency of digital scans. And why? Are originals that much harder to forge than scans? No. So if the National KYC database could be used instead of paper originals (as opposed to as well as), we are increasing efficiency.
Once I have given a bank access to my information on the National KYC system, I have no guarantees about what the bank will do with it. They will probably need to store it, so that they can prove that they have done their due diligence. I don’t see a way around this unless regulators would be happy with an access log: “Look, you can see we accessed their information on 9 November, but we didn’t store any of the information.” Not likely.
So, security hasn’t improved: by adding a national register, we have increased the number of entities that hold people’s information. In fact we’ve given hackers another system to attack, and this system has a greater reward if it can be penetrated as it will have a richer amount of data per person, and more people’s data!
Unless we can remove the need for financial service providers to store personally identifying information, a KYC database will not reduce the spread of personal information being stored all over the place.
4. Political and consumer will
Clearly political will is needed to create national identification repositories, and this means both policymakers and citizens must want it. In the UK a proposed National ID card system was the subject of much debate and was cancelled in 2010. To get this past the consumer, the benefits and ease of use should be communicated: people in general care much more about convenience than privacy (think credit cards, social media, etc).
Blockchains to the rescue?
So where would blockchains fit in? I’ve heard ideas around “doing KYC on a blockchain” from eager blockchain enthusiasts and I have a number of reservations.
The promise of blockchains is to remove the need to trust a third party by trusting the network-agreed dataset. So could you have a blockchain-powered registry without needing that trusted entity? Yes, but:
What would a national KYC blockchain look like? Would actual documents (jpgs, pdfs) be stored on a blockchain? Or just document hashes/fingerprints, which prove the existence of a document at a certain point in time, without revealing the documents themselves? Would that be useful?
Would a KYC blockchain be private (only certain entities can write to it and read from it) or public? If it’s private, who would be allowed to validate and write data? I hear suggestions that various Government ministries could run ‘nodes’ but what value would this bring? Who would be allowed access to the data? Who would be in control?
Where does this leave us in terms of privacy and security? A centralised repository of identity data is bad enough, but if the data is shared on a blockchain, surely this increases the number of weak points that can be attacked? Is this what people want?
For making KYC less painful, I would argue for a centralised registry, with documents and data stored fully encrypted, perhaps with a key embedded on a hardware device issued by a government authority. Here are some ground rules I would argue for:
- People should be in control over their own data.
- People should then be able to grant temporary access to institutions wanting to view their data.
- People should have a choice over what data is revealed.
- People should be able to remove documents from this registry when they are out of date or need updating.
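An added example (not part of the original post) showing how the document fingerprints mentioned earlier can be combined with the rule that people choose what data is revealed: each field gets its own salted hash, one fingerprint over all of them is what would be anchored in a registry or ledger, and the holder later opens only selected fields. The record values, field names and function names are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample record; every value is made up for this example.
RECORD = {"name": "Alex Example", "date_of_birth": "1980-01-01",
          "passport_number": "X0000000", "address": "1 Sample Street"}

def leaf(field, value, salt):
    # Keyed per-field hash. The random salt stops anyone guessing a
    # low-entropy value (a date of birth) from the published digest.
    return hmac.new(salt, f"{field}\x00{value}".encode(), hashlib.sha256).digest()

def fingerprint(leaves):
    # One digest over all field hashes, in sorted field order.
    h = hashlib.sha256()
    for field in sorted(leaves):
        h.update(field.encode() + b"\x00" + leaves[field])
    return h.hexdigest()

def commit(record):
    # Holder side. Only the returned fingerprint is published;
    # the salts stay with the person the record describes.
    salts = {f: secrets.token_bytes(16) for f in record}
    return fingerprint({f: leaf(f, v, salts[f]) for f, v in record.items()}), salts

def disclose(record, salts, reveal):
    # Holder side: open the chosen fields, send only hashes for the rest.
    # Field names of hidden entries are still visible to the verifier.
    return {
        "opened": {f: (record[f], salts[f].hex()) for f in reveal},
        "hidden": {f: leaf(f, record[f], salts[f]).hex()
                   for f in record if f not in reveal},
    }

def verify(disclosure, anchored):
    # Verifier side: rebuild every leaf and compare with the anchored value.
    leaves = {f: bytes.fromhex(h) for f, h in disclosure["hidden"].items()}
    for f, (value, salt_hex) in disclosure["opened"].items():
        leaves[f] = leaf(f, value, bytes.fromhex(salt_hex))
    return hmac.compare_digest(fingerprint(leaves), anchored)

if __name__ == "__main__":
    anchored, salts = commit(RECORD)
    shown = disclose(RECORD, salts, {"name", "address"})
    print(verify(shown, anchored), sorted(shown["hidden"]))
```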
Aside from KYC, there are a couple of other concepts which are interesting to explore:
Digital documents that can be signed or “stamped” as valid by authorities are an intriguing possibility for reducing forgery risk. A simple step using today’s technology would be for issuing authorities to email digitally signed PDFs of ID documents, bank statements, wedding certificates, etc. at the same time as issuing the laughable bits of paper that everyone relies on. When I email these digitally signed documents to people, they can easily see that they actually originated from the issuing authority and have not been tampered with. This is much more secure than the bits of paper we wave around that can be easily forged.
Digital identities can be “approved” or stamped by authorities by a simple endorsement using today’s technology. Again this would also be a huge improvement. If I had some sort of digital identity which could be endorsed by trusted institutions (banks, government, other businesses), I could build up a reputation over time. By proving ownership of this account, I can prove the link between my physical self and my online activities. Facebook and LinkedIn already kind of do that where your friends provide that kind of endorsement – they are just missing the stamp of approval from authorities that the account is genuine. PGP also already kind of does this, but traction is low due to the poor usability, and there is an issue: if you lose your secret key you are mathematically stuffed.
Finally, MiiCard is a very interesting company which uses your bank account as your digital identity and goes some way to solving for KYC issues.
KYC is not an exclusive requirement of financial institutions, but is also required by communication providers (phone companies, Internet providers, etc), travel operators, shipping operators, recently in Singapore also accountants and lawyers, and in different countries and legal systems by other different service providers (purchasing guns, for example). The KYC process changes based on regulations and specific use, and goes from the simple submission of personal data to full in-person interviews, with collateral collection of additional information from various other sources (with or without the express consent of the person/company subject to the KYC procedure). There are several aggregators of “open source” intelligence that sell rating scores (and sources of the data) to KYC operators. While the identification of a person, when required by regulators, cannot be outsourced to third parties (a bank must take care of identifying someone asking to open an account independently), the verification of the quality of the (prospect) client is outsourced. It is clear that a company dedicated to managing intelligence to verify the scoring of a company or a person has a larger possibility of having more accurate results than if a bank tries to do this activity internally. In such an articulated, complex, and variegated procedure for KYC, a generalization of if and how it could be managed with one instrument or another (be it a blockchain or a centralized database, rather than just a completely independent process) is dismissive of the various parts of the full possibilities available. In my opinion there is not an “all or nothing” situation for blockchain in KYC, but for several aspects it can bring a great advantage as it embeds many of the advantages that you correctly explain, such as digital signatures and use of cryptography to validate the origin of information.
My 5 cents on this, as I spent some time studying the KYC requirements for various industries and how the blockchain can help.
I appreciate the requirements can be cumbersome for the KYC process. Cumbersome but necessary. I would be cautious to push towards a centralised registry – perhaps for companies first. As an individual, I would still have to submit and resubmit the related documents to the centralised database with each update. There would then be the additional security concerns with outsourced personal information. Plus, for individuals who were born in one location and raised elsewhere, do you get to select which country holds your information? Banks need to retain the data to prove due diligence and the digital document idea holds merit.
The ground rules you argue for are already in existence with the current process. I’m a fan of blockchain technology and am open to being corrected. However, I’m not sure what real benefit or peace of mind a centralised registry would bring in this instance.
Know Your Client does not have to be a burden and is certainly not only triggered by regulatory requirements. Big companies like Facebook and Google are able to offer valuable service because they collect personal information and use it to target advertising. Banks of course should not be sharing any information but that does not mean they won’t be able to use their insights once they get to know their customer better. A bank that really knows who its customer is can anticipate needs and present solutions before the customer is even bothered by them. I have never been approached by my bank because my house could be re-mortgaged cheaper because my profile falls in a lower risk category than average. With enough information, a customer profile could benefit both the bank and the customer. Having said that, certain information should be shareable both for the customer’s convenience and security and the safety and regulatory compliance of the bank. Your solution may work very well for that.
Thomson Reuters is offering exactly the ‘National KYC’ system that you mentioned in your post; this ‘trusted’ third party will act as an agent for various banks so that the customer does not need to provide their IDs again and again when they open a new account. The idea is that they collect all the IDs from the customer once and ask the customer with whom they want to share their ID for ‘KYC verification’.
Last time I heard they only offer the services for KYB first.
It looked like the assumption for this to work is a central authority that did the initial verification, and stores it securely in a blockchain, that a person wanting banking services authorizes use?
I think we know too little to discount the idea just yet.
The problem with central entities and consumers is that they are notoriously slow to adopt change. Governments still don’t trust cryptography over paper. Consumers would rather provide a hardcopy of their ID once a year, than remember their secret key. Estonia is the only example (I am aware of) where the “central entity” approach was actually successful. If blockchain lets us create something like a throw away ID document which can do no harm if lost, but proves identity over distance while I own it, that would be a great advantage for consumers.