The lack of security in selfie-based identification solutions means they are not compliant with Know Your Customer and anti-money laundering regulations, according to Electronic ID CEO Ivan Nabalon.
Despite a rise in technology solutions enabling people to verify accounts or complete payments through selfies, these solutions do not comply with the legal regulations on anti-money laundering and terrorism in the financial industry.
Solutions that verify people's identity by taking pictures of IDs or passports and recording a few frames of the user are not enough to satisfy the requirements, according to Nabalon.
“There is not enough security with these solutions as they can be easily hacked. In terms of security, they are not equivalent to face-to-face identification, meaning it isn’t enough to support a high security level when required.
“This has been proven in research done by field experts in security. For instance, the NIST from the Commerce Department in the US allows this solution for the first level of identity accreditation, but not for the highest.”
The simple reason is its low technical security, the weakness of the electronic proof provided by the process, and the weakness from its lack of integrity. This means that the security level provided is low, far from the security required for formal customer identification according to the strictest regulations in this area, which have set a higher standard for the technical requirements for using streaming video in these KYC and AML processes.
The use of biometric facial recognition is still important, but can only be applied as a two-factor authentication (2FA) or in cases that don’t require a high security level.
For the cases which require the highest level of security, users should turn to video identification, with more than 12 countries having regulated video for onboarding.
“There are more than 20 currently regulating video, so video in streaming end-to-end has become the standard,” he added. “We solve that by having a solution with the video in streaming and applying our patented algorithm of AI for security in real time.”
Everyone is following the Financial Action Task Force (FATF) standards and the European regulation, which is more stringent in terms of security requirements than Anglo-Saxon laws, according to Nabalon.
“The European Commission is leading the vision with the new AML5 directive, in force since 9 July 2018. AML enables the concept of ‘Digital Single Market’. Before that, every single member state regulated these procedures to identify customers. With this new regulation and the concept of ‘Digital Single Market’ extracted from another regulation named eIDAS, there will be a standard to video-identify customers in KYC processes. This vision is being extended to other countries in LATAM such as Mexico or even Asia; Singapore.”
How can we check this information about KYC AML?
In US standards:
Given the multiple cases of fraud in customer identification in KYC AML processes, the US Department of Commerce, through the National Institute of Standards and Technology (NIST), created digital identity guidelines (NIST SP 800-63A), updated in June 2017, which establish three assurance levels for registration and tests in the verification of identity, classified as low (IAL1), medium (IAL2), and high (IAL3).
High assurance (IAL3) is the equivalent of in-person identification and is suitable for opening accounts remotely. This level requires human intervention (see point 4.5 of the document) and proposes continuous high-resolution video transmission (see 5.3.3.2 of the document).
This document allows solutions that take pictures/selfies for medium assurance (IAL2) if combined with other strong evidence of the person’s identity, in addition to pictures taken or scanned of the ID and recording of the person’s face. Strong evidence is usually bill receipts or proof of address, or background checks of information on the identity of the person being identified.
This would make this kind of solution riskier in the European Union: for privacy reasons, and unlike in the Anglo-Saxon world, they are not allowed in Europe, because personal data, even public data, cannot be processed by organizations before the affected people give their express consent.
In European standards:
Following the mentioned arguments related to the low security of pictures or selfies, there are no best practices, authorizations or non-in-person identification procedures from regulators in the financial industry in Europe to use identity verification solutions based on simple images.
Almost all the European Union’s Member States authorize or are preparing authorizations for procedures to identify customers using the online channel and not in-person. Some cases/references are:
BAFIN (Bundesanstalt für Finanzdienstleistungsaufsicht) – German regulator
FINMA (Swiss Financial Market Supervisory Authority) – Swiss regulator
CSSF (Commission de Surveillance du Secteur Financier) – Luxembourg regulator
BdP (Banco de Portugal) – Portuguese regulator
FCIS (Financial Crime Investigation Service under the Ministry of Interior) – Lithuanian regulator
SEPBLAC (Servicio Ejecutivo de Prevención de Blanqueo de Capitales) – Spanish regulator
In Latin American standards:
CNBV (Comisión Nacional Bancaria y de Valores) – Mexican Regulator
In Asian standards:
MAS (Monetary Authority of Singapore) – Singapore Regulator
Please note that all these procedures/authorizations are free to read online.
There are two types of solutions for KYC AML
Continuous video transmission is becoming a standard to identify customers in the online channel. We’re seeing two types of solutions: the so-called synchronous solutions (videoconferencing with an agent who interviews the customer online) and asynchronous solutions (where a video is recorded in streaming, ensuring control over and integrity of the video recording process by the regulated entity, with an offline verification by a qualified agent later).
These solutions can be combined depending on the use case: videoconferencing for consultative sales to capture new customers and asynchronous video in capture processes that require agility in contracting where the company’s goal is to bother the customer as little as possible.
For more information read the full white paper.
Copyright © 2018 RegTech Analyst