Remember the good old days when people used to rob banks for money? At least there was no contagion. Apart from anything else, thanks to fungibility, it wasn’t your money that was being stolen anyway, it was the banks’ money. Today though, smart criminals rob banks for identity, which is much more valuable.
An article written by David Birch
Security? What Security?
Your data is worth so much more than your money that financial institutions really should work much harder to protect it, because the consequences of your data being copied are so much worse than the consequences of their money being stolen.
Look at the example of Evolve Bank & Trust, where the theft of personal data and alleged images of identity credentials means that the impact of the attack will spread well beyond that bank’s customers and across the broader financial sector. The bank’s website reported that the data the hackers had copied and then released was Personal Identification Information (PII) including “name, Social Security Number, date of birth, account information and/or other personal information”. It doesn’t take much imagination to predict that the primary use of this information, apart from industrial-scale phishing attacks, will be to open new bank accounts in the victims’ names. Oh dear.
If you are wondering, as I was, why it is that a bank would be storing pictures of driving licences and passports and so on, the answer is of course know-your-customer (KYC) regulations. The noted investor Paul Graham commented on this sort of thing saying that “I don’t understand why KYC documents ever have to be updated. My identity doesn’t change if my driver’s license expires”.
He has a point. My wife, who is not an international money launderer or mercenary warlord, was turned down for a savings account with a UK bank last year precisely because her driving license had expired.
(I did wonder at the time what her ability to drive had to do with her ability to save especially as she had no intention of driving to the bank to deposit the money.)
Talking about money laundering, I was interested to read that Switzerland intends to “tighten obligations” for Swiss lawyers, accountants and other service providers. This will require them to conduct due diligence on clients, keep records of the checks, and report suspected instances of money laundering to official authorities. Let’s hope that the Swiss lawyers adopt the same stringent measures as in the UK, where money laundering is a thing of the past and the stringent application of the regulations meant that the now ex-Russian mercenary warlord Yevgeny Prigozhin was only able to pass his money laundering checks in London by using his mother’s gas bill from St. Petersburg.
I should explain to our overseas readers that the mention of the gas bill is a critical element of that story. In the finest tradition of British digital identity infrastructure, the envy of less fortunate lands and famed around the world as a bulwark against chaos, the gas bill is central to our defences. Take, for example, the recent story of the woman convicted of money laundering in north London. As the Financial Times reported, she was nicked with over a billion quid in Bitcoin on her person. That’s right. Well over $1 billion! And, of course, she had “obtained a fake gas bill” to use as proof of address on a bank account application, which was successful.
In the world of financial services, KYC is often a form of security theatre. That is, everyone knows their parts — I have to show you my passport, you have to photocopy it and put it in a drawer somewhere and then tick a box to say that you have verified my identity, even though you are not a Mossad-trained anti-counterfeit passport specialist — and then we go about our business with the appearance of security although no actual security was involved.
If you think I am exaggerating, take a look at the story of the unfortunate man of the cloth who had his house stolen by criminals who made a copy of his driving licence, put their own photograph on it and then used it to obtain a bank account and the utility bills that are the crucial lynchpin of Britain’s 21st century know-your-customer pantomime.
The criminal presented the fake driving licence to a lawyer in order to sell the house. The lawyer, or more likely the lawyer’s clerical assistant, then took a photocopy of the licence and stuck it in a drawer. End of. Lawyers’ clerks are not, by and large, MI5-trained assessors of global identity documents and wouldn’t know a fake New Zealand passport from a hole in the ground, so I don’t really understand what the point of showing them the driving licence was in the first place, but anyway.
The criminal went on to sell the house through an online property service after impersonating real estate agents by setting up a fake site and references and it took two years for a property tribunal to agree that the rightful owner could get the title of his property back and that the current owner of the house (who had apparently bought it in good faith) could receive compensation from the Land Registry.
Crazy. But what’s more, the security-free KYC processes themselves may increase crime rather than defeat it. The Evolve robbery reminds me of the case of Faruk Fatih Özer, the jailed founder of the defunct Turkish crypto exchange Thodex. He vanished with a couple of billion of his customers’ cryptocurrency but also with their identities. As David Gerard so eloquently phrased it, Özer paid the most “painstaking attention” to money-laundering compliance and was therefore able to take with him the personal data of hundreds of thousands of users (including, inevitably, scans of the customers’ national ID cards), data which regulators had forced him to obtain! These KYC procedures continually force us to hand over our sensitive personal information to every Tom, Dick and Faruk on the internet while doing nothing to help us when that personal information is inevitably compromised and sprayed around the web.
No wonder fraud is out of control.
Things might be bad, but they are going to get worse before they get even worse. Jimmy Su, the chief security officer for famed cryptocurrency exchange Binance (which trades billions in cryptocurrencies every day) says that “deepfake” tools today are sufficient to pass liveness checks, even those that require users to hold up their driving licences and then perform actions like nodding their heads and so on.
(I’m very fascinated by deepfakes at the moment. I was flattered to be invited and delighted to be able to accept a role on the advisory board for the Deepfake Summit later this year, and am learning more about the topic with every passing day.)
It seems then that KYC (which is already not that effective a defence against crime) could soon become completely useless as a security measure. So if AI is launching an all-out assault on the financial system, what should we do? Arm ourselves with AI in a kind of mutually assured distraction pact? No, that’s a Red Queen’s race. What we need to do instead is to take on board the technological advances in cryptography, the lessons already being learned from the European Digital Identity wallet projects and the available infrastructure of mobile phones, open banking and such like, and actually do something about the problem instead of acting out non-solutions.
This means, of course, developing a digital identity infrastructure. In April, the Bank for International Settlements (BIS) published its vision for a future financial system, the “Finternet”, in which people and businesses would have the ability to transfer any financial asset they like, in any amount, at any time, using any device, to anyone else, anywhere in the world, making financial transactions immediate and inexpensive. The BIS working paper identifies digital identity as a key building block of that future system and specifically points to the use of verifiable credentials to deliver integrity and privacy.
In a financial system fit for the future, there would be no need for my wife or a Russian warlord to show their driving licence and gas bill. Instead the bank would ask “who are you?” and you would present your European Digital Identity wallet, or your bank wallet or your Google wallet or whatever. The bank would then get the data it needs from the wallet (with your permission), you would be prompted to authenticate yourself (using FaceID or something) and the bank would open your new savings account and send the account details back to your wallet as another credential.
This is not a pipe dream! Banks are already experimenting with the relevant technologies. HSBC Labs is prototyping a decentralised solution for internal account opening (powered by Polygon ID): When a customer opens an account, the bank conducts KYC and creates a verified credential that later can be used for a number of transactions, including logging into an HSBC account, purchases, applying for a loan, carbon credits, and much more.
National Wealth Service
Whether blockchain-based decentralised alternatives are the way forward or not, I agree with Alexander Ray that the limitations of traditional KYC are becoming more apparent. Slow, inefficient and vulnerable to security breaches, current approaches simply do not meet the demands of modern society. New thinking is needed because KYC as it stands is a massive friction for law-abiding people and nothing more than a speed bump for criminals.
Last year, Bob Wigley, chair of UK Finance and member of the Trade Advisory Group for Financial Services at the UK Department for International Trade and the UK’s Economic Crime Strategic Board, suggested that we will soon have an app for all our financial data in the same way that we can access all our health data on the National Health Service (NHS) app. This National Wealth Service (NWS) app would allow people to bring together an “economic footprint” including credit ratings, KYC and AML data ready to be passed on to financial institutions.
Well, I might prefer an implementation based on homomorphic encryption, zero-knowledge proofs, secure multiparty computation and such like, but Bob has a point. We are moving into the age of AI and smart wallets and we need the financial services industry to take the initiative and give us a wallet that holds and protects this important data with real security, so that our personal AIs can increase our financial health while criminals cannot decrease it.
So how could a consumer get such an app? Well, one way would be to use their government digital identity to get it. Here in the UK, the government is launching a UK Wallet (which I hope will be interoperable with the EU Digital Identity Wallet in some way) to simplify access to services. This wallet will in time hold the UK digital driving licence and other important credentials. As I understand it, the first credential to be stored in the new wallet will be the Veterans Card with others to follow soon.
In the future, instead of a fraudster presenting a clerk with a bogus driving licence, the lawyer will request the information needed (eg, your date of birth rather than your ability to ride a motor scooter) and your NWS app will ask you for permission to give it to them. There won’t be clones or forgeries because this is a world of verifiable credentials and digital signatures, of secure elements and strong authentication: you can bet the house on it.
Banking 4.0 – “how was the experience for you”
“So many people are coming here to Bucharest, people that I see and interact with on LinkedIn, and now I get the chance to meet them in person. It was like being at the Football World Cup, but this was the World Cup on LinkedIn in payments and open banking.”
Many more interesting quotes in the video below: