Recently, I was assigned the task of conducting a preliminary technical review of five financial platforms under consideration for acquisition. In this role, I engaged with representatives from these investment platforms to evaluate the condition of their systems.
Equipped with a comprehensive questionnaire for assessing the quality and thoughtfulness of these platforms, I found my attention drawn to the automation of user document verification. Under Know Your Customer (KYC) requirements, financial platforms are obligated to verify user-uploaded documents, confirming their accuracy and authenticity and checking whether they have been reported stolen or have expired. Anyone involved in developing and supporting such platforms knows how intricate this process is.
A particular focus was the automation of document verification through an undisclosed third-party service provider. This provider, operating on a public service-offer basis, proposed to verify user passport details and check for reports of theft or loss. To perform this check, it required the user's complete passport details to be submitted in plaintext via API access.
The challenge arises from the fact that platforms are not authorized to transmit personal data to third parties. Even if attempts are made to secure user consent for data transfer to this service provider, whether through a checkbox or hidden consent clause in the financial platform's user agreement, the legitimacy of such actions remains questionable.
Users, at the very least, should have the ability to review the privacy policy of the API service used for KYC verification on the financial platform. This information should be transparent, ensuring users unequivocally understand that their data is accessed by a third-party organization for specific purposes under specific conditions. Personally, I would be hesitant to have my passport data sent to such a non-specialized service provider.
A specialized service provider relies on its reputation as a KYC service. Conversely, a non-specialized service provider may not fully grasp the responsibility involved in handling sensitive information, given their involvement in various (non-KYC) services provided through APIs, including document verification.
How could the process be secured for such a service provider? The solution lies with another provider offering similar KYC services via API. It receives no personal data from the financial platform, yet still performs the verification. This is achieved by transforming all of the user's personal data into SHA-512 hashes before they are sent via the API. Passport data at this service provider is stored in the database as hashes, much as modern services protect user passwords against leaks. The service provider then compares the hashes received via the API with the hashes of lost passports in its database and returns the verification result.
This solution mitigates the risk of data leaks on both sides: the data supplied via the API and the personal data of invalid passports in the service provider's database. Hashed data intercepted in transit would be useless to an attacker because of the algorithm used. Even the owners and developers of the KYC service provider cannot recover the original data, as they hold nothing but unique hashes.
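The hashed-lookup flow described above, as an added example rather than code from the author or from either provider. The record layout, the canonicalization rule and the sample register are my own assumptions; the keyed variant is an added hardening, not part of the scheme the post describes.

```python
import hashlib
import hmac

# Constructed sample register of lost/stolen passports held by a hypothetical
# KYC provider. Plaintext appears here only so the hash table can be built;
# the provider described in the post stores nothing but the hashes.
LOST_PASSPORTS = [("RU", "4509 123456"), ("RU", "4510 987654")]


def normalize(country: str, number: str) -> str:
    """Canonical form of a passport record (assumed layout: COUNTRY:NUMBER).

    Hash matching is exact: platform and provider must strip spaces and agree
    on case and field order, or a genuine hit is silently missed.
    """
    return f"{country.strip().upper()}:{number.replace(' ', '').upper()}"


def passport_hash(country: str, number: str) -> str:
    """Platform side: SHA-512 of the canonical record, as the post describes.

    Only this digest is sent over the API; the plaintext never leaves.
    """
    return hashlib.sha512(normalize(country, number).encode()).hexdigest()


def keyed_passport_hash(country: str, number: str, key: bytes) -> str:
    """Hardened variant (my addition, not the provider's scheme): HMAC-SHA512.

    Passport numbers are short, so a leaked table of plain SHA-512 digests can
    be enumerated offline. A key shared only by platform and provider makes the
    table useless to anyone who obtains it without the key.
    """
    return hmac.new(key, normalize(country, number).encode(), "sha512").hexdigest()


def build_register(records, key=None) -> set:
    """Provider side: index the lost-passport list by digest only."""
    if key is None:
        return {passport_hash(c, n) for c, n in records}
    return {keyed_passport_hash(c, n, key) for c, n in records}


def check_passport(register: set, digest: str) -> str:
    """Provider side: answer the API call from the received digest alone."""
    return "LOST" if digest in register else "OK"


if __name__ == "__main__":
    register = build_register(LOST_PASSPORTS)
    print(check_passport(register, passport_hash("RU", "4509123456")))  # LOST
    print(check_passport(register, passport_hash("RU", "1111111111")))  # OK
```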
I intentionally refrain from naming specific brands to maintain impartiality.
What are your thoughts on this approach? Feel free to share your preferences regarding KYC service providers and the reasons behind them.
CEO at FinMV.com