On KYC and blockchains
It’s official: Blockchains for everything!
KYC is a challenge that blockchains are being thrown at (see here, here, here). The premise is “KYC is a headache and blockchains are trendy”. However there is rarely much detail on the problem and insight as to why a blockchain might or might not be a good idea. I aim to explore this use-case more fully in this post.
Firstly, some definitions
Knowing Your Customer (KYC) is a process that occurs in financial services mandated by regulation.
For financial services providers it means having a good idea of who you are providing financial services to, whether they are individuals or businesses.
In the case of individuals, the process ranges from proof of identification and address through to understanding a person’s source of wealth, business interests and family connections, especially if they have politically active family relations.
For businesses it means understanding the business, the entity structure, history, directors and shareholders, and how the business operates and makes money.
AML and CFT
As distinct from KYC, Anti Money Laundering (AML) and Countering the Financing of Terrorism (CFT) are about understanding patterns of money flow at the transaction level to avoid helping criminals.
Banks get into trouble when they get caught moving money around if the money has illegal or immoral origins (dirty money) or is used for illegal purposes, such as funding terrorism.
AML and CFT is mainly about detecting patterns and is out of scope for this post.
For a refresher, here is a gentle introduction to blockchains explaining the technology behind blockchains.
The KYC problem
The problem is that KYC is an expensive part of onboarding a new client and each financial institution must do their own KYC. It is unacceptable to point at another entity and say that someone else has already KYC’d this client so you don’t have to.
This means financial services companies have a high cost of customer acquisition, and for customers it means a painful process to go through every time a new account is opened with a new financial services provider.
I will focus on the KYC of an individual, which is less arduous than KYC on a business (sometimes called KYB Know Your Business) but illustrates the same points.
There are several parts to the KYC process:
- Acquiring personal information
- tell me your name and address and source of wealth
- Acquiring proofs of personal information
- prove your name and address and source of wealth by showing me documents
- Storage of personal information
- so we can prove to regulators that we know you and have followed this process
- Background checks, sometimes called CDD or Client Due Diligence
- so we can find out a little more about you and your background
- Ongoing monitoring of changes to clients
- so if you become a criminal, we can react appropriately
Every new client to every financial institution must go through the same process.
Surely there’s a better way?
A pre-blockchain world
Before talking about decentralisation, let’s think about what can be centralised to create efficiencies. Remember that in most countries it is a regulatory mandate that each bank must do their own KYC.
Personal information. Name, address, date of birth, marital status, passport number, national ID, Passport photocopies, scans of ID cards (front and back), marriage certificates, birth certificates etc etc.
It’s the same static information and most of it doesn’t change that often.
Could this be stored in some sort of National KYC database so that customers can allow (and revoke) third party access with the push of a button? Certainly.
Would it be better than the existing situation? In some respects, yes. However there are a few things to think through:
1. User experience
Ideally I would sign up to a bank online from a mobile or desktop, I would then click a button and type in a password or something, like signing up to new websites with my Facebook profile. I would then be presented with all of my documents and information, with an indication on which ones I will be presenting to the bank. I’d click “allow”, and then wait while the bank decides if I am an appropriate customer.
Would I need to sign a physical piece of paper using a black pen and send it in the post to the bank? Surely not in this age. Maybe a scan of my signature could form part of the dataset held in the National KYC database, and maybe that should be good enough. Note that here I’m talking about wet-ink pen-and-paper signatures, not digital signatures. Digital signatures are much more secure than wet-ink signatures, but cause a different set of problems themselves.
Net-net, I think user experience can be improved with a National KYC system.
2. Bank experience
From the bank’s perspective this would be a huge cost cutter, in terms of having immediate access to relevant documents, and not having to chase up customers for various bits and pieces. Also accounts can be opened more quickly, leading to quicker deposits and revenue generation.
One of the overheads that banks have is needing to sight originals, which makes a mockery of the efficiency of digital scans. And why? Are originals that much harder to forge than scans? No. So if the National KYC database could be used instead of paper originals (as opposed to as well as), we are increasing efficiency.
Once I have given a bank access to my information on the National KYC system, I have no guarantees what the bank will do with it. They will probably need to store it, so that they can prove that they have done their due diligence. I don’t see a way around this unless regulators would be happy with an access log: “Look, you can see we accessed their information on 9 November, but we didn’t store any of the information.”. Not likely.
So, security hasn’t improved: by adding a national register, we have increased the number of entities that hold people’s information. In fact we’ve given hackers another system to attack, and this system has a greater reward if it can be penetrated as it will have a richer amount of data per person, and more people’s data!
Unless we can remove the need for Financial Service providers to store personally identifying information, a KYC database will not help the spread of personal information being stored all over the place.
4. Political and consumer will
Clearly political will is needed to create national identification repositories – and this means both policymakers want it, and citizens want it. In the UK a proposed National ID card system was the subject of much debate and cancelled in 2010. To get this past the consumer, the benefits and ease of use should be communicated: people in general care much more about convenience than privacy (think credit cards, social media, etc).
Blockchains to the rescue?
So where would blockchains fit in? I’ve heard ideas around “doing KYC on a blockchain” by eager blockchain enthusiasts and I have a number of reservations.
The promise of blockchains is to remove the need to trust a third party by trusting the network-agreed dataset. So could you have a blockchain-powered registry without needing that trusted entity? Yes, but:
What would a national KYC blockchain look like? Would actual documents (jpgs, pdfs) be stored on a blockchain? Or just document hashes/fingerprints, which prove the existence of a document at a certain point in time, without revealing the documents themselves? Would that be useful?
Would a KYC blockchain be private (only certain entities can write to it and read from it) or public? If it’s private, who would be allowed to validate and write data? I hear suggestions that various Government ministries could run ‘nodes’ but what value would this bring? Who would be allowed access to the data? Who would be in control?
Where does this leave us in terms of privacy and security? A centralised repository of identity data is bad enough, but if the data is shared on a blockchain, surely this increases the number of weak points that can be attacked? Is this what people want?
For making KYC less painful, I would argue for a centralised registry, with documents and data stored fully encrypted, perhaps with a key embedded on a hardware device issued by a government authority. Here are some ground rules I would argue for:
- People should be in control over their own data.
- People should then be able to grant temporary access to institutions wanting to view their data.
- People should have a choice over what data is revealed.
- People should be able to remove documents from this registry when they are out of date or need updating.
Aside from KYC, there are a couple of other concepts which are interesting to explore:
Digital documents can be signed or “stamped” as valid by authorities are an intriguing possibility for reducing forgery risk. A simple step using today’s technology would be for issuing authorities to email digitally signed PDFs of ID documents, bank statements, wedding certificate, etc at the same time as issuing the laughable bits of paper that everyone relies on. When I email these digitally signed documents to people, they can easily see that they actually originated from the issuing authority and have not been tampered with. This is much more secure than the bits of paper we wave around that can be easily forged.
Digital identities can be “approved” or stamped by authorities by a simple endorsement using today’s technology. Again this would also be a huge improvement. If I had some sort of digital identity which could be endorsed by trusted institutions (banks, government, other businesses), I could build up a reputation over time. By proving ownership of this account, I can prove the link between my physical self and my online activities. Facebook and LinkedIn already kind of do that where your friends provide that kind of endorsement – they are just missing the stamp of approval from authorities that the account is genuine. PGP also already kind of does this, but traction is low due to the poor usability, and there is an issue: if you lose your secret key you are mathematically stuffed.
Finally, MiiCard is a very interesting company which uses your bank account as your digital identity and goes some way to solving for KYC issues.