KYC & Identity on the blockchain

By Edmund J. Lowell (KYC-Chain)

Financial digital identity within the realm of financial services , is one of the most important concerns of our time. Financial institutions (FI’s) around the world are required by law to conduct a process known as KYC (know your customer) to establish that a company or a natural person is who they say they are. The problem is that this process can be extremely tedious for FI’s and account holders (both legal entities and natural persons) alike. And as a response, several large companies are attempting to control and own all of the world's most important financial data.

Clients are required to submit documentation such as copies of their passport or government-issued ID and utility bills to verify their identity. This process applies to not only to new clients, but also to  those who have long had a relationship with the FI. Banks oftentimes are required to repeat over and over again the same process of requesting and checking a client’s documents, even after he has been onboarded. It matters not whether a customer has been with the bank for 15 years, he will still be asked to submit a new utility bill or updated passport once every few years to prove that he is who he says he is.

This method of identification also leaves some groups of people financially excluded. Millions of people around the world who are unable to answer the question of who they are with government paperwork are often left without access to financial services. Today, there is a requirement to have a government-issued ID in order to prove identity at a level of confidence required by financial institutions. The World Bank estimates over two billion people do not own even a basic bank account.

For banks, the KYC process is hugely expensive. Goldman Sachs estimates the cost incurred by FI’s to conduct KYC checks and onboard a single client is between $15,000 and $50,000, while JPMorgan places this figure at $30,000. The time associated with KYC onboarding is also lengthy; in Asia, excluding Japan, it takes an industry average of 26 days to onboard a single customer.

But what’s worse than the process being tedious, not financially inclusive and expensive is that clients can still “game the system” and create fraudulent documentation which may be relied upon by unsuspecting banks. India’s Syndicate Bank was a victim of this when it was revealed earlier this year that four businessmen used false documents, including fake or non-existent letters of credit, insurance policies and checks, to steal roughly $160 million over the course of five years.

Those who know how can still break the system. We need to make the system unbreakable. The question of identity — of who an individual is — not just at the point of client onboarding, but on a continuous basis, is not a trivial one, and the ramifications of getting it right or wrong are dramatic.

KYC Shared Utility

So came about an obvious solution: the KYC shared utility. A shared utility is based on the idea that if the work to identify a client was done once and then shared, we shouldn’t have to repeat the process multiple times. Everyone can subscribe to that platform, and the problem would be solved. The approach of the KYC shared utility is essentially one of centralization.

The companies that have made an attempt at creating a KYC shared utility are Markit, SWIFT (for correspondent banking), Thomson Reuters, LexisNexis and Clarient. These companies centralize the collection of documents and data with an operational back office. They operate on the same model of centralization, by storing clients’ data from different banks and buy-side clients in a single database. Then, on a yearly basis, the utility sells this data back to the bank to validate their customers’ data. In essence, this is a private company selling the bank the customer's own data back to them, and the customer doesn’t get much of a benefit, at least not financially.

This solution is not without its problems. While the concept of a shared utility is a good one, it requires a dramatic change in the process from the bank, and for most in the financial industry, the pain of KYC onboarding still exists. Secondly, as a bank client, I’m not sure I would want a third party to have access to my data. Customers tend to prefer retaining a direct relationship with their bank.

Furthermore, when data is centralized, not only does it leave open the question of the data’s ownership, there are also significant security concerns. We have seen time and again that no company is immune to data hacks. In June, an encrypted version of the 2014 Thomson Reuters World-Check database was dumped onto the internet. Earlier this year, SWIFT faced hacking allegations when $81 million was sent fraudulently via the Bangladesh central bank to the Philippines. Even the US’ National Security Agency, the largest and most advanced security agency in the world, was targeted in 2013 when its former contractor Edward Snowden released many classified files to journalist Glenn Greenwald, who then curated the documents for public release.

The bottom line is that no company or government is safe from data hacks, and the KYC shared utility’s centralization of data creates a single point of failure. When you set up a single database with the world’s most important identity and financial documents, you create a large attack threshold and an incentive to be hacked. To apply Murphy’s law, if it can go wrong, it will, and we can safely state that at some point, the KYC shared utility will be hacked, and we risk losing our identity.

Legislation

The KYC shared utility may also run into problems trying to adhere to the new General Data Protection Regulation (GDPR) data privacy law passed in the EU earlier this year. The regulation, which comes into effect in 2018, was created with the objective of giving EU citizens full ownership and accountability of their own identity and personal data. One of the core rules of the GDPR is that companies must give their customers the “right to be forgotten.” If clients’ data is compromised, companies must inform their customers in a timely manner.

The GDPR applies not only to EU countries, but also to any bank or company that has EU citizens as customers. The regulation requires no further passage of law by national governments in the EU, and as punishment for noncompliance, companies can face fines of 20 million, or up to 4 percent of a company’s worldwide annual turnover, depending on whichever is higher. The GDPR indisputably puts a data subject in greater control of his own data, with consent being the core principle for sharing or using said data.

Technology Alternative

Advances in computer technology have enabled us to create an alternative to the centralized model. Distributed databases and distributed ledgers (blockchain) allow for end users to hold their own set of public/private keys. Blockchains allow multiple parties in an untrusting environment to reach consensus on a subject, X. Whatever X is depends on the nature and purpose of the blockchain, which has been well-proven to work for currency, land titles, medical records, diamonds and many more.

Public permissionless blockchains such as Bitcoin and Ethereum allow anyone at any time to join the network, run a node, etc. It can be said that these networks are anonymous, or at least, pseudonymous. This makes them very suitable for some types of projects, but less appropriate for others, such as those where identity to a KYC standard would be required.

Though banks may find the idea of private permissioned ledgers appealing, there are nevertheless issues in terms of real-world adoption and implementation. It’s well possible that private permissioned ledgers continue to exclude the financially forgotten. Many times, private permissioned chains tend to run on closed-source software and have licensing issues. In any event, there is currently no private permissioned ledger well-suited to be the identity ledger for a KYC consortium approach.

While the concept of decentralization is not new, the technology that can carry us there has made exponential advances in just the last few years. When we started discussing decentralizing KYC in a white paper we wrote in late 2013, very few blockchain technologies existed as options. There was bitcoin, as well as a few alt-coins that were mostly hacked together by a fork of the bitcoin blockchain. Now, there are many blockchains and distributed ledgers — and even one that has been specially purposed for identity.

In our 2013 white paper, I wrote about the concept of having a ledger where those who join must

be added by a known validator. This way, we allow for new people or companies entering the system to join via a “web of trust” where the entities are known, but no one is restricted from joining the system. This prevents any one company or consortium of companies from completely dictating access to the network, while also allowing the network to reach consensus on who everyone is. Think of this like an ATM network. Anyone can walk up to an ATM with a card, but unless you have the proper credentials, you won’t be granted access to do very much.

Power corrupts, and absolute power corrupts absolutely. When dealing with a topic as intrinsic to the human experience as our very identity, we must be very careful about who has access to our digital identity, how they handle it, and what happens when it is lost. It is clear that we must design systems to prevent abuse and increase controls, and have worst-case scenarios in mind when planning.

About the author

Edmund J. Lowell is passionate about building technical solutions that solve problems for businesses in a scalable manner. Constantly aware of how I serve my stakeholders including. Currently working on a blockchain solution for KYC which enables bank attested digital identity.
KYC-Chain is a novel platform built over the convenience and security of Distributed Ledger technology, allowing users to manage their digital identity securely, while businesses and financial institutions are able to manage customer data in a reliable and easy manner.