KYC stands for “Know Your Customer” and this is a process of verifying the identity of a client, customer, or user. It used to be typically only done by banks and other financial institutions to identify people who are opening an account for compliance with government regulations about money laundering and terrorism financing. Increasingly, with the global nature of trade and increased risk of fraud in internet businesses KYC has been adopted in other industries such as Real Estate, Crypto, E-Commerce, Gaming, and E-Healthcare.
The KYC process usually involves collecting personal information such as date of birth, address, employment status, and past transactions by means of verification of identity documents, bank statements, and other such sources of personal information.
Recently with the Optus data breach and Medicare Hack – KYC processes have been making the news. Leading companies with billions in revenue are now facing class actions, brand damage, and potential increased regulation.
An alternate approach to completing KYC while maintaining Privacy
One of the main concerns with completing KYC is that it requires the collection of sensitive personal information. After all, there is nothing more “personally identifiable” than Government-issued identity documents such as Passports, Drivers Licences, or other ID cards. In a casual survey, over 90% of small businesses we spoke to have no written processes for how the personal documents on file. That’s right, copies of your own personal ID documentation are currently stored in shared folders, filing cabinets, email inboxes, or other non-encrypted storage facilities for most of the businesses you’ve ever dealt with!
Putting aside the shocking nature of this, it’s understandable how many small businesses don’t have the resources to invest in bank-grade secure storage and access control systems.
If you’re a small business owner who needs to store personal documents (Legal, Real Estate, Accounting, Conveyancing, etc.), this may be a daunting and expensive prospect. The good news is that while the checking of personal documents is mandatory, storage is not. For example, according to the ATO/TPB while ever-increasing guidance on recording the KYC process is mandatory, the storing of the original documents used in the process is not necessary.
A valid alternative approach is therefore either the tokenisation and/or temporary storage of documents. Temporary storage requires the swift disposal of documents collected. Tokenisation links a separate ID checking process via a unique reference number. The documents are never actually collected or stored locally.
While neither process is completely bullet-proof, no amount of cybersecurity will ever protect documents better than simply not storing them in the first place.
How to enable seamless, private KYC
A good approach to completing KYC in this manner is to leverage integrations. Use your CRM, Accounting tool, or other contact database as your platform of record. Verify the individuals externally, linked via their contact ID, and locally record only the result and timestamps it was processed.
How IdentityCheck works
IdentityCheck can integrate into your CRM (E.g. HubSpot) or be used in a standalone mode. The users simply trigger a check to an email address via IdentityCheck UI or by setting the
KYC_Command property in their CRM. This triggers an email to the person undergoing the check.
Here is the high-level process for completing the verification:
- Follow the link and take pictures of the Identity document (usually front and back)
- Complete the process by taking a selfie
The organisation can then access a report on IdentityCheck. The report is built using images captured during the verification session.
They are then analysed using machine learning to check if the selfie images match the image on the document, using advanced character recognition technology key details such as document numbers, types, etc. are extracted as key fields.
Privacy Features of IdentityCheck that help preserve privacy
Key ways in which the IdentityCheck process can help preserve privacy:
- IdentityCheck report access can be a severely limited set of individuals as opposed to a normal system of engagement such as a CRM
- Images of sensitive identity documents are moved to Cold Storage and the only auditable via request
- The broader team only has access to the status of the verification check as opposed to the full data i.e. they know “Success” or “Fail” without access to details
- No file-based storage of results on shared drives with poor controls
- IdentityCheck accounts can be enabled with two-factor authentication (2FA) to harden against username/password attacks
- Additional information such as IP addresses, device, and location params are also captured in the verification request as second-order markers
Within the global terms of trade – KYC is an important feature of the financial system. With recent advances in legislation from GDPR to Patriot Act, there are severe penalties for any businesses found in breach. Additionally, the threats to businesses from areas such as social engineering and system breaches are also peaking. Within such a macro environment it is critical that businesses look at innovative solutions such as IdentityCheck to meet their KYC needs whilst maintaining privacy.
Learn more about IdentityCheck here.