According to a new study by Javelin Strategy & Research, 2017 registered an eye-watering 16.7 million victims of identity fraud – setting a new record high. The damage caused by these breaches is hard to calculate, but the California-based advisory firm estimates that around $16.8 billion was stolen as a direct result of identity fraud last year.
The fact that these figures are not causing heated public debates and protests on the streets is worrying. It suggests that we have resigned ourselves to the loss of our own privacy and accepted the inevitability of our information becoming public knowledge.
Even more worryingly, information is requested of us more than ever. Data showing passport numbers, social security numbers, credit card information and our home addresses are being collected and stored not only by governments but also by startups.
In the US, the Financial Crimes Enforcement Network (FinCEN) proposed new KYC (Know Your Customer) requirements in 2014, forcing all financial institutions to follow much stricter due diligence guidelines. In Europe, recent KYC regulation requires financial companies of all sizes to collect a copy of their users’ passport or ID card. In Germany, online video identifications have even been introduced for prepaid SIM cards in an effort to fight money laundering.
With the rise of cryptocurrency, serious questions need to be asked regarding the sanity of storing vast quantities of highly sensitive information in a centralized and unencrypted way.
We will look at this issue in more detail later, but for now, we should make sure we understand the fundamentals.
Understanding KYC and AML
Know Your Customer (KYC) and Anti Money Laundering (AML) have become ever more pertinent issues for institutions and customers alike.
KYC typically refers to the ability to obtain and store sensitive information about customers, in order to minimize the risk of the business relationship being used for illegal purposes.
That’s quite a mouthful, but everyone who has heard the story of Frank Abagnale (Catch Me If You Can) will have a basic idea of how easy it used to be to pretend to be someone else and misuse money for illegal purposes.
Although related, money laundering describes the introduction of illegally obtained money back into the financial system. A simple example of this would be a drug dealer who uses his money to buy casino chips, later cashing out again and effectively obtaining “clean” money.
Both KYC and AML are designed to make this as difficult as possible in today’s world.
In 1970, the Currency and Foreign Transactions Reporting Act was passed by the United States Congress. This was the first meaningful step down the road of what we now know as KYC and AML. The Act required banks and other financial institutions to introduce basic record keeping regarding the identities and addresses of their customers.
This was followed by a slew of legislative attempts to make identity theft and money laundering tougher on criminals.
As a result, today all US-based financial institutions must collect at least the following information about all their customers:
- Date of birth
- Residential or business address
- Identification number
- Principal place of business
Understandably, there is a belief in the crypto-scene that technology can provide a better solution.
Understanding the criticisms of KYC and AML
The key to understanding the criticism around KYC and AML is the outdated technology stack used by institutions.
Although the merits of fighting identity theft and money laundering are clear, the way governments are going about it is misguided. In the current setup, companies with poor security infrastructures are forced to amass vast amounts of personal information.
To make matters worse, this data is typically stored in a centralized and unencrypted way. As a result, malicious actors simply need to hack into one admin account to potentially cause severe damage.
There are countless examples of this happening. In March 2018, the travel booking website Orbitz discovered a potential data breach, exposing the credit card information of over 880,000 customers.
In August of the same year, hackers managed to obtain personal information of 2 million T-Mobile customers. Only a few months previously, the popular fitness app MyFitnessPal was breached, exposing the personal data of over 150 million customers.
How much of the data was collected in the name of KYC and AML is up for debate, but the point remains that companies – and political parties – have proven themselves unable to securely store customer information.
Clearly, encryption and decentralization need to become the new industry standard.
Understanding the impact of Crypto
Privacy has always been at the heart of cryptocurrency. A free individual, so the philosophy goes, should be able to use the internet to transfer, store, and exchange value in a private manner.
Additionally, the technology underlying crypto is the perfect antidote for the ailments afflicting KYC and AML today. Blockchains are not only decentralized but are also encrypted. Projects like Sia and Storj, for example, have built software on top of the blockchain which provides a completely new level of data security.
It’s unsurprising that specialized KYC solutions have been built on the blockchain. KYC-Chain is a prominent example, offering businesses the opportunity to manage KYC procedures in a compliant and efficient manner.
Interestingly, sister-company SelfKey has developed a system which allows individuals to retain ownership of their personal data while controlling exactly how much information is shared with institutions. By using distributed ledger technology, SelfKey can protect highly sensitive personal data much better than companies relying on an older technology stack.
A slightly different approach is taken by Nuggets. According to the whitepaper, a technique called “Zero Knowledge Storage” is used to bind information on the blockchain. In this setup, an individual would be able to prove their identity without having to provide the typically required information.
To get familiar with Zero Knowledge in crypto, I highly recommend checking out our piece on Zero-Knowledge Proofs. To get a basic understanding of the concept right away, you can imagine turning on a basketball game and seeing that the score is displayed as 10:12. You don’t need to see each scored bucket to know who is winning. In this example, you have zero knowledge of who has scored, but you know which group of players is winning.
Translated back to crypto, this concept means that information can be verified without the information itself being shared.
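The idea of verifying one fact while withholding the rest can be illustrated with salted hash commitments arranged in a Merkle tree. This is an added example, not code from Nuggets, SelfKey or KYC-Chain, and it shows selective disclosure rather than a full zero-knowledge proof; the field names, sample values and function names are assumptions, and the step where a KYC provider checks the documents and attests to the root is assumed and not shown.

```python
import hashlib
import hmac
import secrets

def _h(tag: bytes, *parts: bytes) -> bytes:
    # Domain-separated SHA-256 over length-prefixed parts.
    h = hashlib.sha256(tag)
    for p in parts:
        h.update(len(p).to_bytes(4, "big") + p)
    return h.digest()

def commit(name: str, value: str, salt: bytes) -> bytes:
    # The random salt stops guessing of low-entropy values (country, birth date).
    return _h(b"leaf", name.encode(), value.encode(), salt)

def _parents(level):
    nxt = [_h(b"node", level[i], level[i + 1]) for i in range(0, len(level) - 1, 2)]
    return nxt + [level[-1]] if len(level) % 2 else nxt  # odd node is promoted

def build(record: dict):
    """Commit to every attribute; only the returned root is meant to be published."""
    names = sorted(record)
    salts = {n: secrets.token_bytes(16) for n in names}
    level = leaves = [commit(n, record[n], salts[n]) for n in names]
    while len(level) > 1:
        level = _parents(level)
    return level[0], salts, leaves

def disclose(record: dict, salts: dict, leaves: list, name: str) -> dict:
    """Reveal one attribute plus the sibling hashes needed to reach the root."""
    index, level, path = sorted(record).index(name), leaves, []
    while len(level) > 1:
        sib = index ^ 1
        if sib < len(level):
            path.append((level[sib], sib < index))
        level, index = _parents(level), index // 2
    return {"name": name, "value": record[name], "salt": salts[name], "path": path}

def verify(root: bytes, proof: dict) -> bool:
    node = commit(proof["name"], proof["value"], proof["salt"])
    for sib, sib_is_left in proof["path"]:
        node = _h(b"node", sib, node) if sib_is_left else _h(b"node", node, sib)
    return hmac.compare_digest(node, root)

# Constructed sample record; every value is invented for this example.
RECORD = {"full_name": "Alex Example", "date_of_birth": "1990-01-01",
          "passport_number": "X0000000", "country_of_residence": "DE",
          "residential_address": "1 Sample Street, Berlin"}
ROOT, SALTS, LEAVES = build(RECORD)
PROOF = disclose(RECORD, SALTS, LEAVES, "country_of_residence")
```

A verifier holding only `ROOT` can confirm the disclosed country with `verify(ROOT, PROOF)`; the passport number and address never appear in the proof, only hashes that depend on them.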
Understanding the impact of KYC and AML on Crypto
So far we have talked primarily about the impact that crypto is having – and will continue to have – on KYC and AML.
Importantly, KYC and AML are becoming topics of increasing significance for crypto.
As ICOs have continued to grow in popularity, the attention given by regulators has also increased. Consequently, the “Wild West” days are over, and now a certain level of KYC and AML is required for all coin offerings.
Most prominently, US-based investors have been largely banned from participation in ICOs. As such, ICOs now need to vet all investors in order to ensure they are located in countries where participation is legal. Failure to do so can have disastrous consequences for the ICO and the investor.
Ironically, most token sales now require the provision of an identification document in order for an investor to pass the KYC requirements. With this setup, we are back to square one: Small companies with poor security infrastructures storing highly sensitive customer data in a centralized and often unencrypted way.
The hope is that specialized KYC solutions soon become the industry standard, not just for regular companies but for ICOs as well.
Finally, it’s worth touching upon Cardano and how they are attempting to bridge the gap between cryptocurrencies and the traditional financial system. Unlike most of the top 20 cryptocurrencies, Cardano has made “Regulation” one of its key features.
More specifically, Cardano recognizes that the context around financial transactions is important. Institutions need to know who they are dealing with, and individuals need to be able to share that information. That is why Cardano plans to give users the ability to add Metadata, which may contain specific information required by the company or institution.
Importantly, the information shared is at the user’s discretion.
The aim of this article is to emphasize the following two statements:
- KYC and AML are very important.
- But forcing companies and institutions with weak security infrastructures to collect and store sensitive information is a mistake.
Luckily, the solution is already being built. As discussed above, distributed ledger technology has the power to provide institutions with the customer information they need, while safeguarding the identity and privacy of the individual.
Finally, crypto offers us the opportunity to take back ownership of our identity, not just for KYC purposes but for our entire online existence. Data breaches, like the ones listed above, are unacceptable, and the idea that companies can share and sell our personal information is anathema.
KYC may well be crypto’s first mainstream application.