Media
How Do You Solve A Problem Like KYC?
May 2018
There exists, currently, a real issue with the Know Your Customer (KYC) process and it’s one that many people are looking to solve. Required for huge numbers of regulated services, KYC usually involves sending personal information such as name, proof of address, a copy of your passport and other details to a company so they can ensure that you are a legitimate person and not involved with illicit activity. In doing this, the KYC process makes crime harder to pull off and helps prevent terrorism by shutting down avenues for the kinds of people involved in these activities to transfer money or gain financing. In providing this assurance, it is an absolutely vital service.
However, the system as it stands is inefficient in a number of crucial areas. A lack of interoperability and communication between services requiring KYC means that the process is repeated each time a different regulated service is signed up to. For the user, this means not only that the same information is submitted and the same forms have to be filled out over and over, but that they need to wait for their documentation to be verified each time. This can be a particular issue when applying for time-sensitive events like ICOs and is generally a major hassle. Likewise, merchants and institutions have to wait to on-board customers until their KYC verification has been processed. It also means that companies are having to pay for the KYC check, even if the person has been approved before with a different company. The result of this is a long, costly and repetitive process for all involved.
A report by Consult Hyperion estimates that a KYC check can cost 10 to 100 GBP per customer whereas Thomson-Reuters has found instances of firms spending up to US$500 million on KYC compliance and customer due diligence. This amount is expected to increase, with analysts at CEB Global finding that the majority of bank executives expect an increase in KYC compliance spending, with a large proportion citing an expected increase of 4–10%.
Another issue with traditional methods of KYC that are being employed is that they are centralised systems. With centralised systems, data is not under control of the user and its use is not transparent: users don’t know how the merchant or company is using their personal data. This issue has been brought to light with many scandals in recent years where large amounts of information have been lost or leaked by entities such as governments, or where it has been sold on for profit or unapproved research and marketing, such as with Facebook. In a recent article we noted Google’s revelation that it has made around $40 US per person per year since 2012, leading to in excess of US$46,000,000,000 generated every year on consumer data, none of which goes to the person who the data truly belongs to. This centralised model has a second issue which can be seen in the event of data hacks, where malicious actors are drawn to hack a centralised system with the knowledge that they will gain access to thousands or even millions of personal information such as identities. This issue cannot be avoided unless the data model changes to one which is distributed and access to it is under control of the user.
Privacy is another problem in KYC. Data being shared is deeply personal in nature, with names, addresses, ages, bank details etc. all being seen by a group or company. Quite understandably, people are not keen for strangers (or even acquaintances!) to have access to this sensitive information, especially when it may be stolen or sold on without their knowledge or permission. However, without a method to check data without actually seeing the details, there exists no solution to the privacy issue. Zero-Knowledge-Proof (ZKP) would facilitate this by verifying that the information provided for KYC check lay within the acceptable criteria range without giving the verifier access to any of the raw data; however, this is not currently on offer.
In short, whilst KYC is necessary to prevent services from being used and abused by criminals, it is not a simple and convenient process and it doesn’t put the needs of the user first.
Fortunately, this is precisely the kind of problem that Blockpass can solve. When completing KYC through the Blockpass app, users will undergo the KYC process once and then, when verified, be able to share their verified data with merchants that are part of the Blockpass ecosystem if they choose to. Not only does this remove the repetitive, expensive and time consuming current nature of the process for both parties, but it also means that the user is in full control of their data and who has access to it. Instead of the current, inefficient system, all that is required to on-board a customer is to compare the hash of the data sent by the user with the version stored on the blockchain to ensure that no details have changed. Rather than storing the data on one central server which is an attractive target for hackers, the data is held on the user’s mobile device.
Although data is still seen by the merchants in the current version of Blockpass, the future stages are planned to use Zero-Knowledge Proofs to allow merchants to verify customers without having access to any personal details; this is one of the areas that the Blockpass Identity Lab at Edingburgh Napier University will be researching. In addition, users will be able to add extra verifiable data to the app, provided by themselves or from merchant responses, to build the strength of their identity and KYC. Furthermore, the goal of Blockpass is not just to provide KYC for the immediate human use cases, but to provide KYD (Know Your Device) and KYO (Know Your Object) to enable verification on an Internet of Things level. With the rise of IoT, having a safe, re-usable, private and flexible KYC is not only going to be convenient, but necessary.
A report by Consult Hyperion estimates that a KYC check can cost 10 to 100 GBP per customer whereas Thomson-Reuters has found instances of firms spending up to US$500 million on KYC compliance and customer due diligence. This amount is expected to increase, with analysts at CEB Global finding that the majority of bank executives expect an increase in KYC compliance spending, with a large proportion citing an expected increase of 4–10%.
Another issue with traditional methods of KYC that are being employed is that they are centralised systems. With centralised systems, data is not under control of the user and its use is not transparent: users don’t know how the merchant or company is using their personal data. This issue has been brought to light with many scandals in recent years where large amounts of information have been lost or leaked by entities such as governments, or where it has been sold on for profit or unapproved research and marketing, such as with Facebook. In a recent article we noted Google’s revelation that it has made around $40 US per person per year since 2012, leading to in excess of US$46,000,000,000 generated every year on consumer data, none of which goes to the person who the data truly belongs to. This centralised model has a second issue which can be seen in the event of data hacks, where malicious actors are drawn to hack a centralised system with the knowledge that they will gain access to thousands or even millions of personal information such as identities. This issue cannot be avoided unless the data model changes to one which is distributed and access to it is under control of the user.
Privacy is another problem in KYC. Data being shared is deeply personal in nature, with names, addresses, ages, bank details etc. all being seen by a group or company. Quite understandably, people are not keen for strangers (or even acquaintances!) to have access to this sensitive information, especially when it may be stolen or sold on without their knowledge or permission. However, without a method to check data without actually seeing the details, there exists no solution to the privacy issue. Zero-Knowledge-Proof (ZKP) would facilitate this by verifying that the information provided for KYC check lay within the acceptable criteria range without giving the verifier access to any of the raw data; however, this is not currently on offer.
In short, whilst KYC is necessary to prevent services from being used and abused by criminals, it is not a simple and convenient process and it doesn’t put the needs of the user first.
Fortunately, this is precisely the kind of problem that Blockpass can solve. When completing KYC through the Blockpass app, users will undergo the KYC process once and then, when verified, be able to share their verified data with merchants that are part of the Blockpass ecosystem if they choose to. Not only does this remove the repetitive, expensive and time consuming current nature of the process for both parties, but it also means that the user is in full control of their data and who has access to it. Instead of the current, inefficient system, all that is required to on-board a customer is to compare the hash of the data sent by the user with the version stored on the blockchain to ensure that no details have changed. Rather than storing the data on one central server which is an attractive target for hackers, the data is held on the user’s mobile device.
Although data is still seen by the merchants in the current version of Blockpass, the future stages are planned to use Zero-Knowledge Proofs to allow merchants to verify customers without having access to any personal details; this is one of the areas that the Blockpass Identity Lab at Edingburgh Napier University will be researching. In addition, users will be able to add extra verifiable data to the app, provided by themselves or from merchant responses, to build the strength of their identity and KYC. Furthermore, the goal of Blockpass is not just to provide KYC for the immediate human use cases, but to provide KYD (Know Your Device) and KYO (Know Your Object) to enable verification on an Internet of Things level. With the rise of IoT, having a safe, re-usable, private and flexible KYC is not only going to be convenient, but necessary.