Know Your Customer. Know Your Employees.

In the fintech world we spend a lot of time thinking about Know-Your-Customer (KYC) and anti-money laundering (AML) regulations because of the colossal expense of implementing them and the massive penalties for getting them wrong. It has been clear for years that the system is broken in many ways, but it is not only broken when it comes to dealing with customers, it is also broken when it comes to dealing with employees. Are those new employees really who they say they are?

KYC

If you are involved in moving money in any way at all, you will be aware of the Financial Crimes Enforcement Network (FINCEN). It is a bureau of the U.S. Treasury that was created in 1990 to combat money laundering, terrorist financing and other financial crimes through the collection, analysis and dissemination of financial intelligence. It works to achieve this mission by administering and enforcing the Bank Secrecy Act (BSA) and other anti-money laundering (AML) laws and regulations. When it comes to moving money, frankly, the cost of shifting the electrons around is nothing compared to the cost of compliance and many new businesses have set sail only to founder on the reef of due diligence.

In many ways, compliance is a moat that protects incumbents from competitors. As any fintech entrepreneur knows, it is a headache to deal with compliance and the costs continue to escalate. Digital identity must be one of the keys to getting these costs under control and indeed earlier this year FinCEN’s acting Deputy Director Jimmy Kirby spoke about the need for digital identity, stating that FinCEN is “pragmatically focused” on protecting the U.S. financial system from illicit finance threats. According to Kirby, financial institutions must establish with confidence who their customers are on the front end and throughout the customer relationship (my emphasis). It’s not good enough to do the Know Your Customer (KYC) check and then forgot about it, which is why the costs of compliance are high and digital solution are desperately needed.

(This is why what Laura Spiekerman from Alloy calls the “perpetual KYC approach” is so important. Automated recurring checks based on specific triggers that might include an update to a customer’s personal data or a transaction that sets off a risk alert).

That’s for onboarding customers, of course. But it appears that some companies do not apply the same rigour when it comes to figuring out who employees are or onboarding new business partners. The key point is that identity information isn’t needed only to support due diligence around customers: Know Your Employee (KYE) is just as important an opportunity as KYC, Know Your Customer’s Customers (KYCC) and Know Your Business (KYB) and so on. All of these need to be established with continuing confidence and all of them are currently a mishmash of scans of utility bills, pictures of driving licences and pointless box ticking.

When it comes to employees, for example, some of those new hires might not only be exaggerating on their resumes (which I will write more about in another piece), they might be acting on behalf of foreign powers! The Feds have charged a North Korean Foreign Trade Bank (“FTB”) representative for money laundering conspiracies designed to generate revenue for the Democratic People’s Republic of Korea through the use of cryptocurrency. According to court documents, North Koreans applied for jobs in remote IT development work and pass employment checks by using fake, or fraudulently obtained, identity documents. These workers then request payment in cryptocurrency and whisk their earnings back to the motherland.

(Running an enterprise in the Metaverse will mean some pretty serious thinking about employee identification, credentials, authorisations and relations!)

KYE would clearly benefit from digital infrastructure. The last time I was asked for documents for an employment check — to tick a box confirming that I had the right to work in the U.K. despite having been born in the U.K., having more than one paid employment in the U.K. and paying tax in the U.K. (don’t ask) — about a month ago, I was required to send a picture of my passport by e-mail to an HR department. Now, while HR departments are famed for their strong cybersecurity practices, I was a little concerned about my personally identifiable information (PII) being exposed, especially when digital alternatives have been demonstrated!

Digital identity hopefully provides a way forward here even though as Jelena Hoffart points out in a recent piece about employee identity management, KYE is very different from KYC because of risk tolerance. While advances in digital identity management around customer identification, authentication and authorisation add to the corporate toolbox, there is a fundamental difference in deployment because the tolerance for consumer fraud is non-zero, the optimal tolerance for internal corporate crime is zero. Companies can reuse KYC technology (eg, digital onboarding) for employees but in a more rigorous process.

KYE

It is interesting to see how KYE is moving forward though. I recently took part in a digital identity design sprint day hosted by National Australia Bank in Melbourne and it seemed me that the most attractive of the use cases explored (in the context of commercial opportunities that might arise from using bank-issued digital identities) was indeed KYE. There were some startups there aleady delivering services in this space and looking to improve their offerings by integrating digital credentials of some kind and we know that the approach works. Meeco, for example, worked with a digital identity exchange, state government and an engineering and technical services company, in a pilot to demonstrate the commercial benefits of digital identity and verifiable credentials in workplace onboarding. Instead of presenting originals of physical documents, or digitsed copies of physical documents,the employees digitally asserted their identity and provided a digital driver licence, in the form of a verifiable credential, all from a wallet application on their phone.

Given the scale of the KYE problem it is a clear that a shift to verifiable credentials for employee onboarding is a win-win and it makes sense to provide candidates and employers with the necessary infrastructure to provide specific characteristics (eg, this person has a valid welding certificate) without giving away personally-identifiable information.

(The European Union right now has four large scale EU Digital Identity Wallet pilot projects runing and intends to launch such a wallet to 450m European citizens next year. This will give those citizens to store digital identity credentials including their national ID, driving licence, qualifications and bank details.)

Hopefully, with new energy going into digital identity wallets, verifiable credentials and (custodial) self-sovereign identity this specific problem of KYE can be tackled quickly, efficiently and to the mutual benefit of all stakeholders and serve as a vanguard for mass market digital identity solutions.