Federated Identity Management: A consensus based approach towards solving the KYC problem

Why there is a need to develop a new method of addressing the KYC problem.

A Tangential Stroll

Ask anyone who has ever owned a mobile phone (or two) and an email address (or two) and they will tell you, managing contacts can be a pain in the ass!

Despite all the advances made in apps, OS, APIs, data sharing, etc. contact management remains to be a stone under everyone’s shoe.

I’ve always wondered why it is so difficult to sync contacts and remove duplicate entries, etc. Turns out, just like each contact app is different in nomenclature and fields, so is the world on the whole.

Addresses, Telephone, ZIP Codes, State/Provinces etc. and the whole method of addressing each other varies from country to country.

I don’t cite all this from a theoretical view point, but rather from experience. Consider the following four issues I faced recently:

1. I worked for fintech startup for a year. When I left, I literally spent a day, going through my emails, and writing emails to all my contacts that I would no longer be working at XYZ and now you can reach me at the following email address/contact number. Despite this, a lot many people did not bother to update their contact databases, not everyone uses LinkedIn and many forgot how to get in touch with me (despite having told them so).
2. I had no way of forcing a change of the contact number, email, etc. that they have of me.
3. I wanted to offer some reference bridge. Faisal Khan, independent consultant (as the latest update) and they can see that I was once holding the position of ABC at XYZ Inc. (a reference for them to say, “Oh yeah! That Faisal!”)
4. Likewise, I wonder the same in reverse. I sometimes send an email out, only to find out, it bounces back or the person is no longer working there. I can find them through LinkedIn (if they are on it) and then need to send them a message to obtain their latest coordinates for communication.

All this is wasted hours and computer cycles. Anyway, it is what it is, and not much changes are expected. I’ve resigned to the fact, that LinkedIn perhaps remains the best source, yet surprisingly a very minority of people don’t update or use LinkedIn.

Switching Gears…

Before I talk about the grand ol’ idea of a Federated Identity Management System, let me digress for a few minutes.

Recently I was registering for Bitcoin wallets and trading accounts on various different websites, where I was plagued with the problem of providing my contact information over and over again. What was even more frustrating, the KYC documents that I had to upload.

The passport scan is easy, one two websites, my scan size was too large, more than the permissible file size, so I reduced it, then the analyzing software could not make head or tail of the uploaded image, so I had to scan again, keeping the file size a hairline below the cut-off-limit and it worked. Boy they sure made me work for it.

Then I hit a brick wall. Not once. Not twice, but four, five and six times.

Almost every website wanted a proof of address. Now I live in a joint-family house, the bills are in the name of my late mother/father. I don’t own a landline, so no bills there. I don’t own or use credit cards, so no CC bill. The gas bill is in the name of the address, there is no cable bill, so how do I provide proof of address.

• I have a mobile phone bill (post-paid), but it is not accepted by any of the companies.
• I have an internet bill in my name, again not accepted.
• I have a wifi dongle bill that comes in my name to my address, again, not accepted.
• I have electronic copies of my bank statement, again not accepted.

I literally called my bank up, got them to print a statement out, stamped it and got it signed off, only to have it rejected. The statement was printed on standard computer paper and not on any “white sheet with Colored Bank Logo and address” on it.

That too was rejected. W.T.F.

At this time I gave up in disgust and walked away.

In UAE for example, everything is P.O. Box based. The official PO Box and Physical address could very well be the same, but the declarations are different. There are subtle differences as how street addresses are addressed by each geographic territory. I’m sure the addressing taxonomy is very different in Maldives to that in Japan to that in Kenya.

In most cases, the address on an ID could suffice, but that is not accepted, because people move all the time, but the address on the ID is not updated. What about the people who don’t move or have up to date IDs?

The list can go on and on.

What we need is a new way to address KYC.

Questions leading towards an Idea.

Within the financial services (payments & banking) industry KYC remains a huge issue. Why? Because just like legacy system, today’s KYC being done by banks, is still very legacy. All what is being done is simple extraction of data as listed on these IDs and documents and running them against various databases, etc.

So let me ask a couple of pertinent questions & suggestions, bear with me on this:

• In the real world, we use references all the time. People willing to vouch for people (take the employment arena where references play an important role), why not take references when it comes to KYC?
• Why not make these references digital in nature?
• Just as we have OAuth for single sign-on on multiple website, why don’t we have an OAuth equivalent for all the documentation that we have?
• Why cannot my identity be accepted as a digital token?
• Why aren’t the social media signals used for KYC verification?
• Why can’t my GPS coordinates be used from my phone &/or Wifi? to look at metrics that would confirm that this person lives here, because that is where most of his time is spent, at such and such coordinates.
• Why can’t the people I communicate or transact with confirm my identity? Or at least contribute towards confirmation.
• Why cannot my history of interaction on the Internet/Web be applied towards a scoring system that would confirm my identity?
• Why cannot the businesses whom I use (Banks, Insurance, Vehicle Registration, Mobile Carrier, Internet Service Provider, etc.) alsocontribute towards a score that would validate me?
• Why can’t my signature contribute towards my identity (Sign2Pay is one such company and is certainly working on this — with success).
• What about state owned biometric databases?
• What about Biometrics themselves?

Google has undoubtedly has a very complex and detailed formula for SEO and Page Ranking, better known as its page ranking algorithm. One that has 100,000s of people trying to second guess as to how it works.

At first it was easy, to hack it. Today, it is much more difficult. Over time, Google has perfected the Page Ranking Algorithm and continues to modify it in view of the ever changing landscape.

The end result is a very complex formula that addresses a relatively simply problem.

The Consensus Based Approach Towards KYC

Enter Blockchain!

So what I am about to summarize here, is in no way a blueprint. I’m sure there are many areas I haven’t touched on, and perhaps various scenarios that are contradictory.

The goal here is to give birth to a thought.

The possibility of having a digitally concentrated, consensus way towards KYC, that is secure, convenient and plug-and-play in today’s digital world.

I call this the Federated Identity Management

• The KYC would be a token. Much like the tokenization at play in the new EMVCO standards for payments.
• The tokens would be secure, encrypted in some manner and be distributed and held in the Blockchain.
• Various parties can contribute towards the confirmation (or denial) of an identity token.
• Each contribution has a weight and score
• The more legit a company (like a Bank or Internet Giants, like Facebook, etc.) the more weight it has
• Individuals also have a weight / scoring mechanism towards which they can contribute, i.e. my friends, family and colleagues each can aid in my credibility score
• 3rd Party Address Verification Tokens will come into play. Just as PayPal used to send a 6 digit code to a physical mailing address, it makes sense that these token can be used again for AV (Address Verification) again and again.
• As the owner of the identity token I can upload various documents that would remain in the Blockchain, and be available to all those to whom I grant access to use (the documents can be my ID card scan, Passport Scan, Address Verification Tokens, etc.)
• Various factors would determine my GPS locations, etc. and add more weight and score as to where I physically am located and as vouched by other institutions and individuals.
• My contact details would be up to date in this token.
• Contact Management apps can connect to the Blockchain and obtain up to date information on my contact details (telephone, email, address, etc.)
• Government entities can contribute towards score & weight when it comes to my token.
• Pictures can be compared to the official documents with pictures on Facebook, Twitter and other social media to obtain a positive confirmation score that becomes part of the overall scoring mechanism of the identity token.
• Trust based scoring. So if Bank of America trusts your scoring 90+ percent, it makes sense for another Bank in the same country to trust your scoring for banking with equal confidence.
• Different verticals will have different scoring mechanisms. Cross-border payment companies may have a different trust score based on your token information than say social media or bitcoin wallets.
• The more users of your token, the more genuine you are. Each user themselves has a genuineness Bank of America’s genuineness score ismuch higher than say Corner Coupons!

This is the general idea. I would love to hear more from people in the comments section on their views/thoughts on the above.

Whilst the above is my idea, it is not a unique idea by any stretch. We all know that the Blockchain has multiple and fascinating use cases, I just happen to be advocating one.