(Offtopic) Best examples of account verification/KYC?


(james_e_bell) #1

Hi - just a quick question for the community!

As I guess a lot of the community have tried new fintech offerings I was wondering what people considered the ‘best’ examples of KYC/account verification that you have come across? If I remember correctly the verification of Revolut was quite cool with scan of driving license or passport in the app plus a selfie from the camera (though I’ve no idea how they would distinguish between that being a valid or ‘stolen’ selfie). I’m guessing it’s a manual process behind where they have support staff comparing the passport/driving license photo to the selfie.


(Cristian Randazzo) #2

The technology right now is very good, I think that for some people it will be easy to break the security? It’s a good idea, I like it, but too much, pictures… if the light is bad or who knows what, maybe then the picture will be bad… I would prefer something like a little chip? Like HSBC? And… Or, steps verification like, 1st, 3rd and 5th letters of your password… No idea haha ;D


(james_e_bell) #3

I was thinking rather than for logging in (where 1st, 3rd, 5th etc is you proving that you are the person who created the account), more the bank/fintech proving that you actually are the person you claim to be. This is important for their security and for regulatory reasons (though you the user don’t actually get anything out of it). Examples of this can include for example a credit check showing that someone of your name lives at the address that you say (this of course doesn’t prove that you are who you say you are - just that you know where the person lives!).


(knows someone who knows Tom quite well) #4

Number26 ask you to video call with them and show your passport. They control the front and back cameras, grabbing a shot of you with one and the passport with the other, you have to rotate it too, so they can see the anti-counterfeit features.

Interestingly, they do not require proof of address - not sure if the UK is overzealous on this.


(james_e_bell) #5

That’s pretty cool - they control back and front cameras at the same time from the app?


(knows someone who knows Tom quite well) #6

One at a time from within the app


(James Billingham) #7

Cuvva (my company) has a pretty strong KYC process. We pull your driving licence directly from the DVLA, and have you take a selfie and a photo of the licence. We then have a nearly-guaranteed validation of the identity of the person signing up.

We also check payment card details of course, as well as retrieving claims/underwriting records.


(Andy Johnson) #8

The guys over at uphold.com have an excellent KYC verification process.


(Rika Raybould) #9

Can confirm, it’s really good. Took just a couple of minutes thanks to the app being able to make intelligent guesses at what the long code on my driving license should be, etc. Don’t know how much of it is transferable over to banking but I was certainly impressed at how little it asked of me.


(James Billingham) #10

At present the driving licence thing is exclusive to insurance companies, and it only works for GB DVLA issued licences. I could see the DVLA offering some kind of “login with DVLA” type thing though, which would likely be sufficient. I have suggested that type of service to them.


(james_e_bell) #11

Interesting that Number26 don’t require proof of address - maybe the requirements are different in the countries they operate in compared to UK. The UK guidance seems a bit vague - this article about ‘EU payments Regulation’ says that address or date and place of birth needs to be captured (so could presumably just get date and place of birth off passport and forget about verifying current address).

https://www.gov.uk/guidance/how-to-comply-with-eu-payments-regulation

This means you’ll need:

the payer’s address - or their date and place of birth

Part on verification:

You may also need to verify this information in some cases. You verify the information using documents, data or information from a reliable and independent source such as:

a passport
a photocard driving licence
documents issued by a government department


(knows someone who knows Tom quite well) #12

Yes indeed. They do need an address to send your debit card to, but it doesn’t have to be your address. They even specifically allow ‘care of’ in the address you enter.


(James Billingham) #13

When it comes to KYC/AML for the purposes of money transferring, there are different levels of verification. Up to a certain amount of money, proof of address is not needed. Above some number of thousand euros/pounds, you have to do additional checks which usually include proof of address.


(Rob Schlitt) #14

Whilst this doesn’t really help much, I think a company needs to be mindful that not everyone these days has a passport or a driver’s license. Obviously being able to validate such documents electronically makes for a slick process but I would urge caution in relying on just these things as there’s a risk you’ll alienate a portion of your customer base. In many respects that’s where conventional banks with branches win - a new customer has somewhere to actually go.


(Josh Bray) #15

The UK regulators are a huge pain but it keeps everyone safe.


#16

Whatever process is/will be used, Mondo should try to avoid keeping government identity documents. Once they have been used for KYC purposes, a record should be kept that the comparison was done and the outcome, and then delete the document files. They are too valuable and when/if lost/stolen/copied, the event is a significant problem for the person. Build this into data retention/deletion policy and processes.

Minimise the number of staff/others who have access to the identity documents, and log/monitor access while they are processed.


(stuartharle) #17

This is what I understand is the position. Perhaps someone from Mondo can answer the question.
Mondo isn’t a bank (yet - they need a UK banking licence like Barclays and are getting one), neither is Revolut or Number26 as far as I know. Your money is with Wirecard AG under an EU electronic payments licence and the regulations are more lax but there are usually limitations on how much money can be passed through the card. Any money on the card isn’t guaranteed by the regulator’s scheme - if Wirecard goes bust you lose your money.
Until it has a banking licence Mondo can’t accept deposits such as your salary (that is why you top up your debit card with another debit card). The t&cs explain the limitations. I understand that once Mondo is regulated by the UK FCA and becomes a bank then full customer due diligence will apply and two forms of identification, passport, driving licence etc will be required to use it. Just like a high street bank unless Mondo are working on a stressless solution…


(Josh Bray) #18

In the UK, they would be required to keep copies of these documents. It would all be covered by the Data Protection Act. So don’t worry about your data being unsafe.


(knows someone who knows Tom quite well) #19

Number26 specifically state that customers are covered under Germany’s depositor protection scheme.


#20

Hi Josh

Great discussion.

I do not know enough about Know Your Customer (KYC) to be definitive about this, but legislation, regulation and industry guidance doesn’t usually state that documents have to be kept. Rather, that there are adequate (risk-based) identity verification and recording processes in place to counter fraud, money laundering, etc.

Thus for example, many employers believe they have to keep copies of people’s visas and passports to confirm someone’s right to work in the UK. But this is not a requirement from the Home Office if you read their guidance. The employer should undertake checks before employment commences, but there is no obligation to keep copies of everything seen, and in any case that becomes an increasing overhead to store, maintain and protect. A better solution would be to have a management approved process that reviews the documents, assesses whether they are adequate, keeps a record of the process & outcome, and the IDs/dates/facts of the documents reviewed and then delete them securely. This reduces operational risk, and the risk to the data subjects themselves.

Unfortunately the Data Protection Act doesn’t prevent data breaches, data misuse, data ageing and use for purposes other than originally consented to.