KuppingerCole's Advisory stands out due to our regular communication with vendors and key clients, providing us with in-depth insight into the issues and knowledge required to address real-world challenges.
Unlock the power of industry-leading insights and expertise. Gain access to our extensive knowledge base, vibrant community, and tailored analyst sessions—all designed to keep you at the forefront of identity security.
Get instant access to our complete research library.
Access essential knowledge at your fingertips with KuppingerCole's extensive resources. From in-depth reports to concise one-pagers, leverage our complete security library to inform strategy and drive innovation.
Get instant access to our complete research library.
Gain access to comprehensive resources, personalized analyst consultations, and exclusive events – all designed to enhance your decision-making capabilities and industry connections.
Get instant access to our complete research library.
Gain a true partner to drive transformative initiatives. Access comprehensive resources, tailored expert guidance, and networking opportunities.
Get instant access to our complete research library.
Optimize your decision-making process with the most comprehensive and up-to-date market data available.
Compare solution offerings and follow predefined best practices or adapt them to the individual requirements of your company.
Configure your individual requirements to discover the ideal solution for your business.
Meet our team of analysts and advisors who are highly skilled and experienced professionals dedicated to helping you make informed decisions and achieve your goals.
Meet our business team committed to helping you achieve success. We understand that running a business can be challenging, but with the right team in your corner, anything is possible.
My name's bill Sprole, I've been active in the international data space for about 20 years. Now, started off in international data quality and moved over a period of time into international address verification. And now I'm in the international identity verification space with a company called global data consortium. What we do is we offer an E KYC product that integrates about 90 different localized data providers from across 50 countries around the world to provide rapid realtime E Y C services. But you really don't want to know that much about me.
You can go to LinkedIn or you can go to my medium blog, read all you want about my background. More interestingly, for the presentation today I drew from two resource books. I would encourage you all to take a look, take a read. If you have not read either of these books, they're great reads around the issues of trust privacy and customer data. And yeah, I would definitely encourage you to do that. And to answer the question, some of you may have around, if you've seen me today, you've seen me looping around. I've been asked about 10 times, at least what's this brace. What happened to me?
The reason I'm sitting down today is I tore my patella tendon about nine weeks ago. And I'm still recovering, but I do have 90 degree inflection on the knee now. So we're getting better. It was good enough to be able to take the five hour fly here from North Carolina. So there you go, enough of that and let's get into what we're gonna try to cover today.
So digital platforms really, you know, their jobs are interesting these days, first and foremost, you work hard to establish and build trust with users, whether you're a peer-to-peer platform or a one to many platform, but you have to balance that establishment of trust by also balancing the use of customer data and managing the privacy around that information. And then all of us from a global perspective are trying to figure out what best practices to implement around the use of customer data. So there's some very interesting challenges out there.
I'm gonna cover talk about all of these topics along the way today, before I go further, since we're dealing with post lunch, I'm gonna do, I'm gonna run a little experiment here and wake everyone up. So by show of hands, I'd like to know how many of you actually flew here from another destination for the conference today, hands up, all right, and get 'em up high. I don't put 'em down yet. We're not done. How many of you actually traveled here with more than one more than one government issued identity card? Very impressive.
So if you lo so more than one, so you're carrying your passport and another identity card corridor, driver's license and another photo identity card. That's beautiful. All right. That's one, fair enough. All right. Hands down now. That's great because the fact of the matter is most of us don't understand how tenuous our ability to travel and do anything anymore is without that identity, most people, I fully expected a preponderance of this room to only have one ID with them and not think about the fact that if you did not have that ID, when you went back to the airport, where were you gonna go?
Nowhere until you could replace that. So I appreciate you all answering those questions for me and that he, that helps me with the future presentation I'm working on. So onward work balancing trust in privacy is a bit like the ancient art of push hands in Chi Tai Chi. There is an inherent relationship between the two, but each are always pushing against each other. Whether you are looking at fourth and now fifth MLD anti-money laundering act and implementing that you're having to balance that against privacy shield or GDPR. And the push me pull you exercise of that is driving.
Most of us crazy from a digital platform perspective. Many companies decide to follow Tyrion Lancaster's example and say sometimes doing nothing is the thing to do. I actually worked with a soccer company in, in North Carolina many years ago ahead of the Brazilian world cup. And they were having an inordinate amount of online fraud come out of both Brazil and Germany in the run up to the games. And the CFO CEO arrived at the conclusion of know, best thing for them to do to counter out that fraud was to in essence, stick their heads in the sand and do nothing.
They shut off the access to the site, to both Brazil and Germany. And ultimately they lost out on this share of about 16 billion in online transactions that were associated with that particular world cup. So while sometimes doing nothing is one path. What you end up losing out on is a lot of opportunity. Global flows revenues, you know, we're talking 2014, 30 trillion, you know, the number of participants in cross border eCommerce.
These are people who are buying tickets, buying products, maybe transiting from a tourist perspective, you're looking at between 350000001.1 billion people in 2014, clearly that number has done nothing but grow up to this point. So if you're a merchant and you decide to do nothing, you are making a choice. If you're a digital platform and you decide to do nothing, you're making a very cognitive choice to lose out on a sizeable chunk of global revenue. So the interesting issue of trust is really around verification.
A lot of people, you know, well, many of you may not be old enough to remember Ronald Reagan making this, this statement, but some of us are, and it's amazing how verification has, you know, this conference clearly covers it. Many other conferences cover the issue of verification and trust are interlinked and how we deal with that.
Whether we're doing a $500,000 vacation rental in Croatia or a $1 digital transaction is the question story I'll tell on that front around verification and how the world I, I was listening earlier when we were talking about the emerging markets and the comparative, Try the other, ah, fair enough as if my voice didn't do enough for most people. All right. Can you better hear me now? I think everybody could hear me before.
So the story I wanted to mention was in digital technology and the application of technology and trust and verification these days, if you have traveled recently internationally on Delta airlines, you will note that no longer do you actually have to bring a boarding pass where they're physical or on your mobile device at all. So this whole, I heard earlier in some of the sessions, the whole idea of tying ID to mobile device, but Delta's actually eliminated that. And they're into process eliminating that nationwide.
And what they've done is you will step up to a monitor and it will snap a quick photo of you, and it will compare your ID to the CBP customers and borders protection database. And that will act as your board, your boarding card clearance for any international flight. You go through Atlanta or JFK. You will see that happening in real time today. So technology is far yeah, is moving and evolving very fast. I think all of us have different methodologies for the way we would go about verification, but that evolution is happening at a rapid rapid scale.
So there are two flavors of verification that I like to speak to and just hit on briefly. So obviously there's compliance base government regulation, regulated trust. If you will, for anti-money laundering purposes, peer-to-peer money movement. The idea you may wish to let a customer simply sign up with a name and email and move any amount of money that they want and eat the fraud.
But compliance regulators say we're not going to do that for money laundering purposes, terrorism purposes, compliance rules, mandate that you verify that information at, you know, two plus two is determined that we're now using in the industry. And that's two independent reference sets against two independent elements. So name and address against two independent reference databases. And that's the flavor of what we're dealing with with government mandated trust today. But then you also have business trusts and that those are risk adjusted models based off of fraud.
Things that we've talked about a bit today here in the conference and other things where businesses measure their tolerance for fraud and risk against what level of trust they're willing to assign to the customer. The combination of these two into your workflow is ultimately as a business, what you want to get to, and we'll cover that in the best practices area. So it's all about walking that tight rope. How much do you trust the user and information you're providing you versus the friction of verifying the information that are giving you?
What I'd like to talk through today are four key areas of best practice around how you can do this. Number one. And this is I think the first time I've at least heard this today, and someone can correct me if this has not been mentioned, but the fact is no one technology solves the problem. You must apply a approach. I was at lunch.
We, I was talking with someone and we were talking about ID verification and what's the ultimate ID verification. How do you verify someone to a hundred percent?
Well, the only true way you can do that is to go to their hometown, where they were born and talk to five people who knew them when they were growing up. And even then you would be careful to claim that as a hundred percent ID, the rest of it's all statistical. If you think about what's going on on the Texas border today, for instance, you have people who have been 20 year residents, they've served in the military. They were born, however, to midwives in small towns on the Texas border. And they're going in to renew their passports and CBP is actually rejecting their passport renewals.
Now, based off of the fact that they're not a hundred percent certain, that they're actually us citizens, they're actually going and requesting that these people go back and find rental records from their parents, mind you when they were children of apartments or some utility bills that show that their parents and family were actually residents of south Texas during that time. So your identity and please Google it. It is a thing.
So, you know, the idea of a hundred percent identity is nonsense in today's world. So for digital platforms, you have to look at the risk reward model. How do you actually address this? How do you deal with this? You could start with an E K Y C solution, which just does a very instant check against something like name, address, name, phone, and verifies that against independent databases around the world. That's what my particular company, that's what we do, but it's not the end all be all.
If you feel as if you didn't get enough information in that type of a check, you can then move into something called a document verification. We're all familiar with that. That's where you're taking the photos of documents and verifying that, yes, this looks like a real document. You can leverage biometrics. You can leverage right up to face to face verification of information. But the key point I wanna make here is that no one solution solves the problem. You have to apply a stack approach to apply best practices here. So unlike most vendors, I'll say we're not your end all be all.
We'd love to do business with you, but you really do want to apply a stack approach. Now. So item number two, I would cover as a best practice is around. How do you deal with data privacy regulation? Obviously there are numerous data privacy rules around the world, whether it's safe, Harbor privacy shield here in the us, whether it's GDPR in Europe, whether it's the privacy act in New Zealand, we're dealing with multiple data, privacy regulations being implemented around the world. So how do you as a business look at that and say, do I implement this on a country by country basis?
Or what I would suggest to you is that you apply a one size fits all model to your data, privacy workflow process. What many companies are doing today. And what we see in our business is that many companies are basically following GDPR standards and implementing those, regardless of whether their customers are in Europe, Brazil, or anywhere else in the world, they're applying that standard to their data privacy policy.
That's what I would encourage you to do as a best practice from what I'm seeing so that you, as an organization then only have to follow one workflow process as opposed to many workflow processes. The third item I would cover is, and actually somewhere something was missing. But the third item I would actually cover is the issue of consent and what I would strongly recommend as a best practice on consent is that you collect consent at the very beginning of every transaction that the customer has. One of the processes we run into in our business is on a country by country basis.
Consent is required in some countries and not others and customers are passing us data without actually having built that into their workflow. And then they're actually having to go back redo fields to actually adjust for that. So what I would suggest for digital platforms is you capture implied consent at the very beginning of every transaction. You make it like a tick box, just like you see in most websites today where cookies, all websites are informing you, that they are using cookies.
If you actually bring in the consent at that point in time, regardless of country, that you're checking, you've at least gotten the implied consent from the user. And you've covered that particular issue of customer data, privacy privacy. The fourth key item I would suggest is collection of data in global formats. So some years ago I actually did a project with American airlines, their royalty group I'm well, outside of the boundaries of my M D a at this point with that particular is project. So I could talk about it.
They had collected a huge amount of data from Latin America, from their user base in Latin America. And they had shoved that data into their old mainframe system. And they recognized that the majority of the data they had collected around name, address, and contact information for their customers was junk. They couldn't do a mailing to those customers. They could not get in contact with them. They had collected really bad data. So we went through a process where we went through a data cleanse process with them and corrected all of that information or a significant percentage of the data.
What was fascinating at the end of that process is that American airlines didn't chose to try to shove it back into the mainframe and ultimately ended up corrupting the data all over again. So what I mean by that is, for instance, in most Latin American countries, you have four names as opposed to two, which most us systems are set up for. So you think about first name, middle name, maternal name, paternal name. And I see a lot. Exactly. Some countries you've got exactly. So the whole point of, for, for their systems was that they were set up for first name, last name.
So you had basically, you know, people making decisions to corrupt the data, make it as inaccurate as possible. And then they actually wanted to make this data actionable, rather silly in the great scheme of things.
So what I, where I'm going with that is that you should look at globalizing your data input fields. If you are actually capturing data, the way the customer is used to entering their data from a global perspective, the odds are you're gonna get a better verification on the other side, whether you're using E K Y C or any other process, one of the things we're seeing and that we're rolling out as a company from a technology perspective, this is the only sales oriented slide I'll roll out to you. Is that something we call intelligent translation?
So we recognize that most us companies are, are collecting their data in English. So what they're, what we do in our product is we actually verify information in local country dialects. So how do you take an English name and actually verify, you know, so a Chinese ID, for instance, taking that first feel that customer input feel where we had zwei in China on J K road Beijing there's that would not verify in any Chinese ID database, we would get a zero verification to that.
However, if you actually translate that name into a native character base, the numerics would stay the same translate. The address accordingly odds are we're gonna get a much higher hit rate using our localized ID provider in that particular country. So this is a product we're actually in build mode now to try and roll out in some countries, it will work well in others.
It won't, but the goal there is just to get a lift rate of anywhere between 30 and 50%, because currently what we see in most solutions, you get 0%. So this while entering your data in highly localized formats, if you can is important, if you can only capture it in English, I would encourage you to leverage translation technology where you can and try to get it in as local a data structure as you possibly can. So those are the four best practices I wanted to bring forward and I've run through everything relatively quick, just so they don't have to keep bending my knee.
But if you've got any other questions or anything, I encourage you to check our website out and actually check my blog out. I spend a lot of time speaking on this subject online. And with that, I'm gonna actually open it up to hopefully some interaction and questions. Any questions? Blair is GDPR. The most stringent of all the privacy guidelines out There, actually some of the independent European countries tend to be a bit more stringent.
What we're seeing actually out of Ireland right now looks as if it's going to be more stringent than traditional GDPR standards, which is rather interesting because the population in Ireland compared to say Germany or per compared to the, you know, UK so forth and so on, little bit skewed, but they are looking as if they are rolling out a much more stringent regime, but GDPR is sort of the common thread and actually EU from a court perspective, none of this has been prosecuted fully yet, but what companies are doing is rolling out GDPR.
And they're looking at saying we did this regardless of what the local country requirement is, as it relates to the EU. And just to be, be clear, I had this conversation with someone actually again, over lunch while GDPR applies to the EU, they are working hard. The C N I L, which is the French data privacy organization is actually pushing hard to basically say GDPR applies to any French citizen, regardless of where they are. So if a French interesting comes to your website, whether it's based in Brazil, based in the us or elsewhere, they are covered by GDPR.
As far as the French government, the data privacy organization is concerned. Got Follow up. You don't mind.
Well, I was gonna say also California, California, as I've been told are, and to the extreme amount of detail by our lawyer. So there's companies already trying to see if we can get a rewrite of it. So that's coming Interesting from a consent standpoint is a checkbox enough these days.
Well, if you it's the wording, it's all the language, I mean, is a checkbox enough? What do you do? Collect a fingerprint and so forth. Companies can only do so much at this point in time. And the way we, what we're seeing is basically you have to put the right wording in the field and allow for the user to opt into it, not opt out of it. Yeah. But If it's six pages of consent and the text is six points, what's the Value. What's the value. Indeed. Everyone's trying to tick the box to say, they've followed the rules until these rules are fully prosecuted in the courts.
You're not gonna know exactly what's needed. No company is gonna know we're still too early in this it'll be another three years, five years before we truly know, assuming it takes that long to get through the courts and the associated process and Google and some of the larger cup Facebook, they're all doing that job for us at some level. Yes.
So Paul, You know, better, Should I choose not to answer this one? Please say this now? No. So obviously these regulations are one thing, but the implementation and understanding the, I would say how stringent they are in terms of monitoring is another thing. So what are you saying in the industry, for example, GDPR, how the thought is monitoring. It are people really responsible in terms of, for reporting any misuse, any, any abuse of these, you know, regulations where, where does the responsibility and the reporting and, you know, monitoring lies.
And again, I would tell you that all of that's a big unknown at this point. So the whole idea of yeah, what most people think about in GDPR for instance, are two things, you know, consent and the right to be forgotten.
We, we all know this. So in the right to be forgotten, how far does that go? So if I collect your information and we, we, we perform a transaction online. If I still have you in my billing system, does that does the right to be forgotten, apply inside of the billing system? If I've collected your information for marketing, if I've collected your information for audit. Yeah. At what point. Yeah. And so it goes back to that, push hands issue, compliance and regulation.
Fourth, AML requires you retain that information. In some cases, for up to six years, we've actually got customers who are, we've built custom systems to allow retention of their data because the fourth AML MLD requires that. So that goes completely against the whole idea that the customer can be forgotten after they perform a transaction. So all of this has to be worked out and unfortunately it's gonna end up being worked out through the court system and further issuance of regulation. The fifth money laundering act is due out, I think some point next year.
And I have no doubts that, you know, they'll write the six soon thereafter and so forth. The pendulum is probably swung as far in one direction with the fifth, and it'll probably swing in a different direction at some point. But I think what's gonna be more interesting is to see the next iteration of GDPR come out and see where that goes. Does that answer the question? Yeah. Yeah. Okay. Yeah. I think just a, a quick comment that the California bill actually was a compromise.
And if you want to get a flavor for what went on behind the scenes, the New York times about three weeks ago, published a really nice article on the citizen activists that had proposed to put something on the California ballot direct to the water that would've been a far more stringent set of requirements. And, and so just for, for those of you who are in this community, you know, in some sense, there is a backlash brewing for, for, from consumers and privacy activists that are, that are saying the hell with waiting for national regulations on this, they're taking measures direct to ballot.
And, and you're gonna see this, what happened in California, play out over and over in, in some of these other states as well. So one thing I'd point out on that is that it, it, it's going to get very interesting around government regulated privacy, because that will actually throw the business value equation off because if it becomes too onerous for me to verify you, if I cannot verify you, then I have to accept the potential for fraud in a transaction. If I cannot actually follow compliance regulations around money transfer, what do you do?
Well, you go back to Tyrion Lancaster. And in some cases you do nothing, put your head in the sand. And so you've seen where web, you know, digital platforms here in the us shut themselves completely off from Europe when GDPR went into effect back in may. And what you'll probably see if this, depending on how adjudication of the California law goes, you may see the same, who knows, but there is a pendulum that has to swing on that in order for true commerce to take place from a global cross border perspective.
Yeah, I, yeah, I think the observation though, is to, is to see that when businesses are given a choice of doing it right, and doing it easy, unfortunately choice is often made in the wrong direction and it comes back to bite them in the ass as, as it has with many of these guys, that Hundred percent, a hundred percent other questions, thoughts, please. William, do you see any viability in P anonymous identity?
So the minute, well, so first of all, again, let's go back to the reason why things like fourth anti anti-money laundering initiatives, or, you know, why are these initiatives and compliance rules being launched? Because we're actually trying, I say we, governments are actually trying to protect the consumers and, you know, from the form of, you know, you know, financial frauds, terrorism and so forth. So the whole idea that those regulations are going to go away in the near term would also imply that, you know, the Bernie Madoffs of the world are gonna go away.
You know, terrorism financing is going to go away and so forth. And I don't live in that world where I envision that happening, at least in my lifetime or the next generation's worth. So I can't see how pseudo anonymous really plays.
Well, I think we've seen a bit of that even in the crypto space where again, you know, the governments are very lo to deal with this and when they're actually not low, they're basically saying, well, we're gonna basically not let this in because there is no such thing as anonymous. We're going to kill the idea of anonymous, because we need to know who's moving money where, so that we can actually trace those flows. And it's not, again, just about terrorism. It's about, you know, fraud, financial fraud across the board and actually financial.
Fraud's a huge, huge issue if you really think about it. Great.
Well, we're at the top of the hour. Thanks bill. Excellent presentation. We go ahead and convene our next panel.
