Steve Roylance, Vice President of Identity Services, Ubisecure, recently participated in the 40th IACA Annual Conference in Halifax and proposed a model where an organisation managing vetted identity information, such as a business registry, could become an Identity Provider (IdP). Here are his thoughts.
Unleashing the true power of a business identity.
Business Identity ‘attributes’ are available in many alternative flavours such as business name, phone number, web site, physical address, email etc. Any of these single, stand-alone attributes may be combined with others to provide greater levels of assurance. Used in combination, attributes help to differentiate the one from the many. It is the testing of the ownership or control of these attribute(s) which forms the basis of Know Your Customer (KYC) due diligence. The fundamental advantage some attributes have over others is rooted in their trustworthiness and uniqueness. Ultimately, the trustworthiness depends on the source of the attribute and proof of any claim to it. Ideally, all attributes should be tested in order to provide true business confidence. Some simple example attributes, which most readers will be familiar with, are email and mobile/cell numbers. In a growing number of registration workflows, emails are now checked either during the registration process directly or shortly afterwards, prior to authorising account creation. This ensures correctness, integrity and availability. Equally, mobile/cell numbers may be confirmed through SMS messaging, which allows the possibility of two-factor authentication in the future.
Fulfilling KYC and AML requirements
But how can someone exercise their business identifier to fulfil KYC requirements? Whether the number is a local one, allocated by a state or country Business Registry/Company Registry, or a global number such as an LEI (Legal Entity Identifier) issued by an LOU (Local Operating Unit), the answer is fairly simple. A Business Registry can use Customer Identity and Access Management (CIAM) protocols such as OpenID Connect (OIDC) and OAuth 2.0 to transform its static register of numbers into an active source of business identities. The technology to allow claims to be verified is not only readily available, but tried and tested. As the importance of establishing a true and trustworthy business identity continues to grow, so too does the demand for efficiency and accuracy. (See becoming an Identity Provider (IdP)).
A Service Provider (SP) such as a Bank, Certification Authority, connected Government service (Taxation) or even an out-of-jurisdiction Business Registry needing to perform KYC for foreign filing purposes is able to collect trusted attributes. Because they are taken directly from the originating registry, this ensures consistency and accuracy by mitigating human error, and, more often, also allows timeliness and business relevance. Mandatory KYC and Anti Money Laundering (AML) regulations are being addressed by SPs using a range of methods. These methods may or may not be fully effective. For example, as landlines are replaced by Voice over IP, the only “out of band” mechanism open to the SP to verify the connection between the Principal and the business name/number they claim association with is to use regular post (snail mail). Other methods which rely on the collection and storage of Personally Identifiable Information (PII) are no longer recommended best practice, especially with GDPR (General Data Protection Regulation) due to affect all participants of the KYC process by May 2018.
Investment drives the business identity ecosystem
By investing in CIAM technologies, the Business Registry is able to realise all the advantages a comprehensive CIAM system can provide, such as supporting Single Sign-On to connected Government, addition of multi-factor authentication technologies, step-up authentication, etc. Business Registries can positively affect the efficiency of their state or country ecosystem and, even if they do charge a fee for the authentication(s), significantly reduce the costs SPs are currently forced to incur. The net result is a stimulus to the business ecosystem, unleashing the true power of the business identity.