Wise (formerly Transfer Wise) are asking me to send them photo of my ID

This is called "Perpetual KYC" (Know-your-customer), it didn't exist back when you signed up. Depending on your risk score, your data needs to be validated every 5 years, every 3 years or even annually.

So, this is the new normal.

(I also just had to do it yesterday.)

I still love Wise and I am happy to go through this KYC stuff. Because in exchange they pretty much accept paying everywhere, where other payment providers would block your payment. I often have the situation that credit cards from my local (German) bank reject purchases made abroad, and every time I am so happy that Wise always works.

Due to AML regulations, banks and e-money institutions are required by law to perform KYC procedures on their customers. That invariably means storing and verifying your govt issued ID.

If you don't want to provide your ID, then that essentially limits your options to:

1) cash

2) crypto (assuming you never interface with exchanges/banks)

3) use e-money services up to the cumulative amount that triggers the KYC process. I forget what that is, but probably a few hundred dollars.

I think in most countries, and ID is to identify yourself with it. Not to copy it by giving someone a photo of it. If you give someone a photo, they could identify as you with that photo, breaking the whole concept of an "ID".

What happens if you don't give them a photo of your ID? Do you already have funds from you? Are they in the same country as you? I would be surprised if they could legally blackmail you into giving them a photo of your ID.

Of course online services need your photo ID! How else are they going to make sure the person standing in front of them is really you? /s

This pattern is up there with “SSN as an authentication bearer token” and needs to stop yesterday (but I’m not holding my breath for that).

Wow, that's all?

Wise made me send them $20 to prove myself before they would allow me to accept money from a friend whom I loaned $500 during covid (also through Wise).

Of course, I could withdraw it afterwards, for another small fee.

If only there was an easy decentralized way to send money around the world without all this KYC bullshit... I know that there are criminals in the world abusing the system and we all have to pay for it, but still... there should be a way to mark yourself as "global entry" and stop presuming that you're a fraudster...

Most hotels I go to demand to make a copy of my passport. I am sure they have zero security. Why not give it to Wise? What is the concern?

Was the email really from Wise?

Asking for a photo via email seems a bit too low-tech for me…

I had to do the same thing when I signed up a while ago. I thought they'd just scan it and trash it, but apparently not... their privacy policy says they do collect the photograph, national ID info, etc. And then they'll do their best to protect it: https://wise.com/gb/legal/global-privacy-policy-en

> Additional information you give us for security, identification and verification purposes may include your [...], photograph, [...], proof of residency, passport and/or National ID. If you fail to provide any of this information, it might affect our ability to provide our Services to you.

> As part of our identity verification process we collect, use and store biometric data, namely: We extract face scan information from photos and videos [...]. We will retain biometric data for the period necessary to complete the identity verification process, and in any case no longer than 1 year after collection, unless required by law or legal process to keep it longer.

Their US Facial Scan privacy policy has a bit more detail, and apparently they outsource that to a company called Onfido (https://onfido.com/): https://wise.com/us/legal/facial-scan-notice

I'm not sure if that same method is used internationally.

But yeah, it's an overall risk for sure. You'd hope they'd be a bit more cautious being a financial institution and such, but you never know. If it gets leaked, it'd probably be very hard to deal with a situation like this internationally.

I feel like the way this sort of thing should work is you'd have a class of entities that you would trust to be identity providers, like banks, credit unions, ID.me, maybe cell providers and maybe Google/Apple/Microsoft if you so choose. Then another class of entities like Wise or regular merchants could verify your identity via some sort of OAuth connection with a cryptographic handshake underneath.

But do they need to keep your ID in their dbs? I would imagine a simple check would suffice and then they could discard the uploaded ID. They could check every year. I really don’t trust internet companies in general, and having to upload my passport in many websites worries me. Last time it was Hetzner. I also use Wise. What’s next? Amazon?

As some comments have stated, this is a compliance requirement related to "perpetual KYC", or Know-Your-Customer.

I'm just commenting due to how extremely idiotic these regulations are. It won't be too long in the future when we get a major breach where millions of drivers license images and selfies are leaked, because these regulations force all of these individual financial institutions, many with dubious levels of security competence, to secure this data.

As a perfect example, when Stripe first came out with their Identity product (which takes ID and selfie images, and had a great UI and API), a lot of people were really surprised that, unlike Stripe's credit card processing APIs which never give the developer access to the customer's full credit card number (and is a major benefit to using something like Stripe - developers can delegate most of their PCI responsibilities), this was not the case with Stripe Identity: developers have full access to ID and selfie images.

In Stripe's defense, they explained they had to build it this way: KYC regs require these financial institutions to keep this raw data for compliance. These regulations really need to be updated so that institutions can instead delegate to a certified provider something like "This provider verified the customer's ID and selfie with this information..." The regs should also be updated so that nobody is forced to store these images indefinitely - it's just a recipe for disaster.

Ask HN:

Speaking as a long-standing Wise customer who was asked to revalidate ID within the last 12–18 months ....

If Wise are asking you to email your ID, then that request is NOT kosher. Period.

A real email from Wise would invite you to login to the Wise website and upload it.

You do not even have to follow a specific link, because they flag your account so that whenever you login you are instantly prompted to upload ID. Infact the same flag will put a temporary block on your account until such time as you have submitted ID and they have validated it.

So, it follows that if you can independently visit the Wise website, and you can login, and you are NOT prompted for ID, then you have hard confirmation right there that the email you received is not kosher.

IN ADDITION: I would invite you to go to your Wise profile settings and add a custom "email ID" (or whatever they call it) that way you know for sure if a Wise email is kosher because only you and they know the ID that will show at the top of any genuine email they send you.

Over Black Friday I tried to buy two pairs of shoes from Vessi. This would've been my third order from them with the same delivery details in 24 months. They told me my order was flagged for random security check and asked me to send them a copy of my driving license / passport by email. I told them that these were an incredibly sensitive documents with which a bad actor could literally take over my life, reminded them that I was a repeat customer, and asked them if they could send me any independent verification of their cybersecurity chops. They responded with a templated response telling me that the order would be cancelled if I didn't send them my license/passport. I told them to go ahead and cancel it. They've lost me as a customer. I'm not sending those documents to a shoe store with no ability to even confirm there is any security behind the scenes.

Yes, I’ve received a similar email from them in the past. It’s not the first time a financial services company asked me for these documents in the recent years. I assume they need it for their KYC/AML checks.

In my case, I believe it was triggered by a specific transfer I received. But I didn’t want to ask for details why that happened, since that’s usually considered a red flag by a financial services provider.

I had an account with privacy.com for about four years, then in July of this year they disabled my account and requested I upload photo ID and a selfie. I told them that if a four-year-old account with no issues has suddenly "failed to validate security checks", that's their problem and not mine. So, my account is still suspended and I've never used it again.

I was on their free plan anyway, so I can't say they "lost a customer". But I think asking users to upload a selfie is humiliating and I don't want to take part in it.

I use wise ~1 time / yr. Last time I started a transfer they required ID first. I uploaded two photos and my account was immediately locked since my bday on ID did not match my wise acct (typo). Quick email to support and it was unlocked 2 hrs later. Was able to complete my transaction after that without issue. Fine experience overall if inconvenient.

Treat this as an additional cost.

It's no different than the overhead of a delivery charge, fuel to drive to a event, a sales tax or any other cost you need to factor into a decision or purchase.

Problem is that high probability [0] of data loss doesn't seem a tangible harm you easily attach a dollar value to. You should think about this and try, even if you are wrong, to get a sense of what that really means to you as a loss prospect [1].

If the company is "doing it because of some regulation" that's their problem not yours. You will find alternatives. Meanwhile their claims to need your ID photo is simply their cost of doing business in that market, and if that loses them customers, then things are working as expected.

[0,1] Probably higher than you think

Your location is the biggest determinant of this. I'm in the UK and was asked to re-validate my ID recently.

I had to provide my ID when I signed up about 4 years ago.

This is part of the theatre of stopping small scale money laundering. Any laundering not using HSBC[1] is considered bad form.

[1]https://www.fca.org.uk/news/press-releases/fca-fines-hsbc-ba...

Yep. Wise are one of the more agressive banking providers with their KYC. Twice yearly is becoming normal for Wise. (7 year customer here too)

But its normal for banks to do this. One of my banks (our group has over 10 accounts on 4 continents) even sent a KYC renewal the day after my French residency permit expired. Had to upload and tdo the selfie thing with the new permit to get access to the account again.

I echo the other comments that you should use the official banking apps for doing your KYC/KYB process.

In Sweden, you can't open a bank account without showing your face and ID. I just had to do this for my Wise account, too, and it seems par for the course for the quite intrusive money laundering rules in the EU these days.

Every money transmitter/service/bank/financial institution/western facing crypto exchange/auction house/betting place at some point in time(at certain transcational threshold (ask a black box for the threshold)) will ask for ID/some sort of KYC.

Now you can of course decline, but it will severely limit your options.

It's a money transfer service. They have strict regulatory requirements.

I've used them for a long time and I feel they are honest.

they should have this verification flow in-app. emails seems a bit phishy

As an aside, why do we tolerate government deptutizing companies not subject to the constitution for the sake of ”””””””””anti money laundering”””””””””?