undefined | Better HN

0 pointszhte41511y ago0 comments

I don't understand why a scan of a passport or ID of someone signing up is required when it cannot be verified.

The reasons are this:

Banks are legally required to conduct some kind of Know Your Customer where an individual has to physically present themselves so their provided ID is matched against their physical person. So KYC is done by a bank. And I'm paying with a bank / credit card.

In the case of someone opening an account by using a fraudulent card, it is trivial to attach what looks like a mediocre scan of a passport or divers licence.

Notarised IDs are not requested, so there is no way to verify with a lawyer. And Notarisation is expensive, so it will turn almost all customers away.

Closing circle: If the name on the card matches the ID provided and it is not a case of a fraudulent transaction, the individual can be pursued via their bank. This is probably not worth it at a time vs reward level, unless the abuse of the network is such law enforcement should be involved, but is not something for you to do, but for your bank, as correspondent bank, to do.

While obviously a liability in terms of information security and the risk of a breach, requiring such personal information is a precedent: If all companies did so for low value transactions, then this information would end up in thousands of online repositories (and therefore of large scale, opposed to, say, a hostel seeing a handful of customers per day keeping paper records) which would surely have leaks. The risk becomes systematic. Which increases fraud.

Let the banks do KYC. Let the hosting company ensure the network is monitored in the way they desire.

Edit: Having worked in a couple of banks at a middle management level, and covering regulatory, compliance and information security roles, what really helps when regulators or general law enforcement audit or inspect a function, what really matters is showing both internal policies showing banking regulations are drilled into employees, and anticipative policies where regulations are not yet set in stone are also followed. If you don't have internal policy documents on how your network is monitored and a kind of minimum standards dashboard, make one and keep records, as it can be invaluable as defense against accusations nonfeasance, misfeasance or even malfeasance.

0 comments

lazyant11y ago

I've requested scan of ID in the past for suspicious sign-ups, the reasoning is that almost all malicious people would just move on at that point to another target.