Know Your Customer (KYC) on-boarding processes that involve the capture and verification of data from an electronic document and owner verification using automated facial image matching have become more prominent in recent years. They are convenient and efficient for all parties involved and save both human and financial resources. During the COVID pandemic, they provided for on-boarding without prohibited physical interactions. Increasingly, they are considered secure and trusted. They are, however, not foolproof.
My employer, the International Civil Aviation Organization (ICAO), is the international organization responsible for issuance of the technical specifications for international electronic travel documents that are frequently the source of Electronic Know Your Customer (eKYC) data. We have decades of experience devising these specifications, developing new regulatory standards pertaining to the use of electronic documents, and advising on processes for the latter’s use at borders and in travel. Through this work, we have accrued massive experience in how to ensure security and protection against fraud, including in modern use cases involving remote and online identity attestation. Based on this experience and the knowledge gained from interactions amongst experts in the travel domain for many years, I proffer the following tips that the eKYC community would do well to heed as they pursue continued implementations in their work.
- Get your trust anchor management right
Electronic verification of data authenticity and integrity is the foundation of the eKYC process. It relies upon the availability and use of root of trust public keys that must themselves be genuine. This places stringent requirements on the sourcing of the keys in order to ensure authenticity as well as their storage to ensure integrity through to the point of usage. Within the international civil aviation community, the ICAO Public Key Directory is a source of trust anchor public keys obtained by ICAO through diplomatic exchange and thus considered particularly credible and assured. As the Public Key Infrastructure (PKI) ecosystem for electronic travel documents is decentralized, sourcing from complementary sources is possible and encouraged as a means of corroborating trust. ICAO has published internationally agreed guidance material and deployed extensive capacity building to promote the secure storage and dissemination of keys up to the points of use. In the border community, establishment of trust to the satisfaction of governmental authorities is a key consideration. eKYC implementers must similarly assure trust to the satisfaction of regulators, users, and other stakeholders. Proper trust anchor management will be a key consideration.
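An added example (not ICAO's or the author's code) of the two controls this paragraph describes: corroborating a trust anchor across complementary sources before admitting it, and checking the store's integrity at the point of use. The source names, the two-source threshold, the HMAC seal and the byte strings standing in for certificates are assumptions made for illustration.

```python
import hashlib
import hmac

# Constructed stand-ins for DER-encoded trust anchor certificates (not real keys).
ANCHOR_A = b"constructed-anchor-state-A"
ANCHOR_B = b"constructed-anchor-state-B"
ROGUE = b"constructed-anchor-injected"

# Hypothetical source names; each list is what that channel delivered.
SOURCES = {
    "icao_pkd": [ANCHOR_A, ANCHOR_B],
    "bilateral_exchange": [ANCHOR_A, ANCHOR_B],
    "unverified_download": [ANCHOR_A, ROGUE],
}

def fingerprint(der: bytes) -> str:
    return hashlib.sha256(der).hexdigest()

def corroborate(sources, min_sources=2):
    """Admit an anchor only when min_sources channels delivered identical bytes."""
    seen = {}
    for name, certs in sources.items():
        for der in certs:
            seen.setdefault(fingerprint(der), (der, set()))[1].add(name)
    return {fp: der for fp, (der, names) in seen.items() if len(names) >= min_sources}

def seal(store, key: bytes) -> str:
    """MAC over the sorted fingerprints: adding or removing an anchor changes it."""
    msg = "\n".join(sorted(store)).encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()

def load_for_use(store, key: bytes, expected_seal: str):
    """Integrity check at the point of use; refuse the whole store on any mismatch."""
    for fp, der in store.items():
        if fingerprint(der) != fp:
            raise ValueError("anchor bytes do not match recorded fingerprint")
    if not hmac.compare_digest(seal(store, key), expected_seal):
        raise ValueError("trust store membership changed since it was sealed")
    return store

if __name__ == "__main__":
    key = b"constructed-demo-key"  # assumption: a real key would sit in an HSM or KMS
    store = corroborate(SOURCES)
    tag = seal(store, key)
    print(len(load_for_use(store, key, tag)), "anchors admitted")
```

The anchor seen in only one channel is never admitted, and a store whose contents or membership changed after sealing is rejected as a whole rather than partially trusted.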
- Cooperate and continuously learn
ICAO facilitates a community of practice around electronic document issuance and verification that enables on-going exchange and learning regarding challenges in electronic document reading and verification, as well as trends in fraudulent activities. Implementing eKYC software and processes can never be a one-and-done exercise, but rather requires continuous update and evolution. Updates might have to be made to handle issuance of new documents that do not conform to international standards, for example. Some aspects of the service offering, especially liveness detection, will require updates to deal with rapidly evolving threats. Implementers of eKYC must establish their own communities for information exchange. Ideally, like in the case of travel, they will bring together regulators and industry to facilitate frank and open dialogue that continuously enhances the security posture of the entire community and provides for some form of peer-to-peer oversight of different implementations.
- Don’t forget fallback options in processes
eKYC will never eliminate the need for physical interactions. Policy makers and implementers should never seek this to be the case. When ICAO issued guidance for usage of new digital travel documents recently, availability of the paper document as a fallback basis for identity attestation featured significantly. Just as border management officials always offer processes for physical checks alongside routes involving automation, so too must eKYC implementers offer alternatives. These alternatives ensure accessibility for those who may lack the necessary tools, those who may not possess the technological expertise for their use, and those who may encounter problems. Just as importantly, however, they can ensure security of the end-to-end process because some efforts to automatically overcome problems can introduce loopholes that fraudulent actors can exploit. Rather than seeking to manage every defect encountered in documents or offering continued opportunities to move past problems in any given automated process, referrals to manual KYC checks should be a part of the process. Any lack thereof is a fault in the process, and not some form of indicator of excellence.
eKYC offers wonderful economic, social, and business benefits but must be implemented properly. Consideration of these tips should help you to achieve these benefits in a manner trusted by regulators, users, and other stakeholders, which is, ultimately, key to success.