By Bryan Richardson
Would you give your social security number to a bank in Libya?
Managing bank account opening and maintenance processes has long been a very painful experience for treasury departments.
Thanks to the well-intentioned Bank Secrecy Act of 1970 and the more recent Patriot Act of 2001, bank documentation has become increasingly burdensome. In particular, Know Your Customer (KYC) requirements of the Patriot Act place a heavy burden on banks with a host of mandates for customers, including verifying that they are not or have not been involved in illegal activities like fraud or money laundering; and verifying a prospective client’s identity among others.
Naturally, these requirements mean that millions of people must be burdened in order to battle against a very small number of nasty people. Not only are the documentation demands excessive, but the actual information requested for signers on bank accounts is often just what identity thieves long to get their hands on. People generally don’t think much about giving such information to large US banks, but when these requests are made by banks in developing countries, corporate executives might become a bit concerned.
Too much information?
For companies doing business in such remote places and needing a local bank account, this is a common worry for treasurers as well as the account signers themselves.
In a February peer group meeting of treasurers who do business in the far corners of the earth, the members discussed their concerns over giving out confidential information of account signers to banks in developing countries.
Those concerns focus on two key areas, the identity security of the individual and the liability of the company on behalf of their account signers. In light of the types of information being given, it is no wonder people worry. In a recent survey of the peer group mentioned above, one third of members have handed over social security numbers and three fourths have given copies of drivers’ licenses (see the chart below).
So concerned are some companies that they have been compelled to provide a disclosure document to prospective bank account signers in the company outlining the risks involved with this responsibility. Not surprisingly, some employees pass on signing authority when they realize the risks on this opportunity. More surprising is that not one of these treasurers reported any fraudulent activity perpetrated against any account signer. This is mostly due to luck.
No one would argue that the intent of these documentation requirements is not worthwhile. But a more efficient solution would be welcome.
Until recently there has been no alternative to complying with local bank demands for identification documents. But one company has developed and deployed an effective model for validating and securing account signer’s personal information literally once for all banks. The company is IdenTrust and their product is called the Trust Network. IndenTrust has recruited banks to join their network for the purpose of representing customer identity to one another. For example, it is reasonable to assume that if bank A, following Patriot Act requirements, confirms the identity of an individual, why can’t they confirm that individual to other banks?
IdenTrust works with their member banks to issue individual certificates based on globally recognized and regulated Know Your Customer (KYC) rules. All IdenTrust members adhere to a Rule Set developed and agreed to by 55 financial institutions from around the world that provides non-repudiation and limitation of liability. Thus, member banks can rely upon certificates issued by other members to authenticate an individual.
how it began
IdenTrust was developed by a consortium of banks in 1999 for the purpose of creating an identity clearinghouse. “It’s a similar model to the Visa and MasterCard role in the world of credit card transactions,” said Joe Norburn, Managing Director at IdenTrust. “IdenTrust doesn’t issue identity certificates. Those are issued by banks. We just administer their activity on behalf of the banks.”
Further, IdenTrust has approached over 170 countries to collect their bank account opening requirements which have been incorporated, and to the extent possible, standardized into the IdenTrust database. This information is being used in the development and deployment of its eBAM (electronic bank account management) product which is anchored in the Trust Network framework. The result of this effort is that when an IdenTrust user wants to open a bank account in one of these 170 countries, there is a single source for documentation requirements. The product works as follows:
1) Customers register with an IdenTrust member bank by supplying their identity information.
2) The member bank validates ID.
3) The member bank sends an activation package to the customer.
4) The customer gets a digital certificate to be used with any member bank.
The net result, in theory, is that you give your personal information to one trusted bank that now represents you to all banks who are members of the network.
Where is it going?
There is a significant link between eBAM and digital identity in that eBAM, for all of its merits, offers little benefit if the digital identity component is not established. Consequently, IdenTrust is working to spread eBAM utilization in order to facilitate more proliferation of the digital identity, even beyond banking relationships. Ironically, while the infrastructure is in place and all parties hate the current processes, momentum toward eBAM and digital identity has been slow to take off. There are two reasons for this lag.
First, corporate treasury functions seem to be still familiarizing themselves with the process, benefits and hurdles. Second, because corporate momentum has been slow, bank momentum has also been slow, even though the large global banks have continued to invest in the new approach.
“The reason eBAM hasn’t taken off is because company’s haven’t been asking for it from their banks,” said IdenTrust CEO Karen Wendel at a recent treasurers’ peer group meeting. IdenTrust just added a large African bank to their network, that addition was driven by a large corporation putting pressure on the bank, IdenTrust said.
Other players are starting to see the opportunities with digital identity and are beginning to develop alternative solutions to the IdenTrust model. One of the most recent entrants is SWIFT with their 3SKey product. It is a very different approach from IdenTrust’s which illustrates two important points. First, long overdue solutions to this cumbersome and archaic activity are on the horizon. Second, competing solutions that work in isolation to one another may limit the some of the benefits.
A consistent and universal solution would be more welcome than a “religious war” on digital identity standards. May the best solution win.