Is Shareable Identity the Answer to Australia’s Ballooning KYC Burden?
The Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) Amendment Bill 2024 aims to strengthen Australia's fight against money laundering and terrorist financing. The bill expands the scope of the AML/CTF Act 2006, increasing the number of entities required to comply with its provisions (the so-called Tranche 2 entities). With this expansion come new changes and challenges:
Key Changes
Expansion of Reporting Entities: The number of reporting entities could increase fivefold, covering more sectors like real estate, law, accounting, and financial services.
Enhanced Compliance: These entities must implement robust AML/CTF measures, including customer due diligence and transaction monitoring.
Key Challenges
· Risk of Multiple Data Silos: With more entities required to run an AML/CTF program, the demand for customers' personally identifiable information (PII) will surge. Each service provider asks for PII and keeps its own copy, so a customer's identity data ends up stored in multiple data silos across many organisations. Every additional copy is another target for cybercriminals, at a time when identity theft is already an increasingly common crime.
Identity theft | Cyber.gov.au
· Lack of Customer Control: Asked to provide PII repeatedly, customers will find it difficult to keep track of where their data is held and will have no practical way to revoke access when needed.
Your rights | Consumer Data Right
· Risk to Business: As the volume of PII they collect grows, businesses face higher cyber insurance costs, civil penalties under the Privacy Act for mishandling personal information, reputational damage in the event of a breach, and the ongoing operational cost of securely handling personal information.
Chapter 7: Civil penalties — serious or repeated interference with privacy and other penalty provisions | OAIC
Consumer Data Right
The Consumer Data Right (CDR) is an opt-in scheme: a business must obtain your explicit consent before it can access and use your data through the scheme. The CDR was set up by the Australian Government to benefit Australians and is co-regulated by the Australian Competition and Consumer Commission (ACCC) and the Office of the Australian Information Commissioner (OAIC).
Your rights | Consumer Data Right
The Privacy Act
Organisations and agencies sometimes need personal information about an individual to carry out their work. Australian privacy law sets out what personal information they can collect and what they need to tell you.
An organisation may only collect personal information that is reasonably necessary for its functions or activities; an agency may only collect personal information that is directly related to its functions or activities. Neither needs your consent unless the information is sensitive. Biometric information used for automated verification or identification, and biometric templates, are classed as sensitive information, and biometric checks are increasingly used to establish identity.
Australian Privacy Principles | OAIC
Solutions – Shareable Identity
Shareable identity platforms use techniques such as selective disclosure and zero-knowledge proofs so that a customer can share only the PII a service provider actually needs, while the provider can still verify the customer's identity and meet its regulatory obligations. Customers typically manage their PII in a single, customer-controlled application (a digital wallet), granting consent to share specific claims with designated service providers and nothing more.
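The mechanism described above, as an added worked example that is not code from the original article or from any identity vendor: an issuer commits to each identity claim under a fresh random salt and signs only the list of commitments (the salted-hash pattern used by SD-JWT); the holder later forwards the signed credential plus only the disclosures they choose, and the verifier checks each disclosure against the signed commitments. This is selective disclosure, not a zero-knowledge proof in the strict cryptographic sense: the verifier sees the plaintext of what is revealed, so the issuer pre-computes derived claims such as `over_18` to let the holder prove age eligibility without handing over a date of birth (a true zero-knowledge range proof would derive that from the date of birth alone). The HMAC stands in for a real digital signature, the revocation list is a simple issuer-published set, and the issuer name, credential id and sample claims are all constructed for the example.

```python
"""Selective disclosure of identity claims with salted-hash commitments (SD-JWT style).

Added illustration, not production code: the HMAC key below is a stand-in for
the issuer's asymmetric signing key, and all claims/identifiers are constructed.
"""
import base64
import hashlib
import hmac
import json
import os

ISSUER_KEY = b"constructed-issuer-key-not-for-production"  # constructed stand-in


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _digest(disclosure):
    # Commitment to one disclosure string (salt + claim name + value).
    return _b64url(hashlib.sha256(disclosure.encode()).digest())


def _sign(body):
    # Stand-in for a digital signature over the credential payload.
    return hmac.new(ISSUER_KEY, body.encode(), hashlib.sha256).hexdigest()


def issue(credential_id, claims):
    """Issuer: commit to every claim under a fresh 128-bit salt, sign only the
    digests. The salt stops a verifier brute-forcing low-entropy values such as
    a date of birth from the digests alone. Returns (credential, disclosures)."""
    disclosures, digests = {}, []
    for name, value in claims.items():
        salt = _b64url(os.urandom(16))
        disc = json.dumps([salt, name, value], separators=(",", ":"))
        disclosures[name] = disc          # kept privately by the holder
        digests.append(_digest(disc))
    payload = json.dumps(
        {"iss": "constructed-issuer", "jti": credential_id, "_sd": sorted(digests)},
        separators=(",", ":"), sort_keys=True)  # sorted so order reveals nothing
    return {"payload": payload, "sig": _sign(payload)}, disclosures


def present(credential, disclosures, reveal):
    """Holder: forward the signed credential plus only the chosen disclosures."""
    return {"credential": credential, "disclosed": [disclosures[n] for n in reveal]}


def verify(presentation, revoked=frozenset()):
    """Verifier: check the issuer signature and revocation status, then accept
    only disclosures whose digest appears in the signed list. Returns revealed claims."""
    cred = presentation["credential"]
    if not hmac.compare_digest(_sign(cred["payload"]), cred["sig"]):
        raise ValueError("issuer signature invalid")
    payload = json.loads(cred["payload"])
    if payload["jti"] in revoked:
        raise ValueError("credential has been revoked")
    committed = set(payload["_sd"])
    revealed = {}
    for disc in presentation["disclosed"]:
        if _digest(disc) not in committed:
            raise ValueError("disclosure not covered by issuer signature")
        _salt, name, value = json.loads(disc)
        revealed[name] = value
    return revealed


def demo():
    """Constructed scenario: a real-estate agent needs name and age eligibility only."""
    cred, disclosures = issue("cred-0001", {
        "name": "Jane Citizen", "date_of_birth": "1990-05-17",
        "country_of_birth": "AU", "over_18": True})
    seen_by_agent = verify(present(cred, disclosures, ["name", "over_18"]))
    # Tampering: editing a disclosed value breaks its commitment.
    forged = present(cred, disclosures, ["name"])
    forged["disclosed"][0] = forged["disclosed"][0].replace("Jane Citizen", "John Citizen")
    try:
        verify(forged)
        tampered_rejected = False
    except ValueError:
        tampered_rejected = True
    # Revocation: once the customer revokes, the same presentation is refused.
    try:
        verify(present(cred, disclosures, ["name"]), revoked={"cred-0001"})
        revoked_rejected = False
    except ValueError:
        revoked_rejected = True
    return seen_by_agent, tampered_rejected, revoked_rejected


if __name__ == "__main__":
    print(demo())
```

Two points a practitioner should take from this. First, the verifier only ever sees the claims the holder chose, and no amount of work on the remaining digests recovers the hidden ones, which is what makes "share only what is necessary" enforceable rather than a policy promise. Second, revocation stops future presentations from verifying; it does not erase the plaintext a verifier has already received, so record-retention and deletion still have to be handled on the service-provider side.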
A) Benefits of Shareable Identity
Centralised Management: Customers can manage their PII in a single application, sharing it securely with service providers as needed. Customers gain unprecedented control and privacy of their own information.
Privacy Protection: Customers can revoke a service provider's access to their PII at any time, which reduces the spread of their data and supports privacy principles such as data minimisation. Note that revocation stops future sharing; it does not by itself delete copies a reporting entity has already collected and must keep under its AML/CTF record-keeping obligations, so retention and deletion still need to be handled on the provider side.
Efficiency with KYC, AML/CTF Compliance and Risk Assessments: Streamlines processes for both customers and businesses by reducing redundant data collection, removing the need for each provider to build its own data silo, and with it reducing data breach exposure and potential legal liability.
By embracing shareable identity solutions, organisations can demonstrate their commitment to privacy and data protection, fostering trust and confidence among their customer base.
Example: Use of Shareable Identity for a SMSF
· The process of setting up a self-managed super fund (SMSF) involves multiple service providers, each requiring the collection and verification of personally identifiable information (PII). This repetitive process not only burdens the customer but also increases the risk of data breaches due to the storage of sensitive information across multiple data silos.
· Consider the following scenario: When establishing an SMSF, you may need to engage an accountant, a lawyer, a bank and a financial advisor, not to mention a range of other financial product providers. If you plan to invest in real estate you will also use an agent and a conveyancer. Each of these service providers will ask for your PII, such as your name, date of birth, country of birth and other identifying details, to meet its own Know Your Customer (KYC) and AML/CTF compliance requirements.
· Without a shareable identity solution, you would need to hand your PII to potentially eight or more service providers, leaving your sensitive information stored in as many separate data silos. This not only increases the risk of a breach but also makes it hard for you to know where your PII is held and to revoke access when necessary, which is an important aspect of privacy compliance.
B) Potential Challenges with Shareable Identity
Implementing shareable identity solutions presents several challenges despite their significant benefits. These challenges can be categorised into technical, regulatory, and cultural barriers.
Technical Challenges:
Secure Infrastructure: Developing a secure and robust infrastructure to handle sensitive personal information.
Interoperability: Ensuring seamless integration with existing systems and processes across various organisations, which may have different data formats, protocols, and security requirements.
Regulatory Challenges:
Data Misuse Concerns: Addressing potential misuse or unauthorised access to personal data is essential to prevent identity theft and fraud.
Public Trust: Ensuring high levels of security and privacy to gain public trust and acceptance.
Cultural Challenges:
Resistance to Change: Overcoming resistance from individuals and organisations hesitant to adopt new digital technologies or processes, especially concerning sensitive personal information.
Education: Educating stakeholders about the benefits and safeguards of shareable identity solutions to encourage widespread adoption.
Outlook on the Future of Shareable Identity Solutions
Shareable identity solutions have the potential to revolutionise customer identification processes, enhance data privacy, and mitigate data breach risks. As the AML/CTF Amendment Bill 2024 extends the regime to Tranche 2 entities, the need for efficient and secure identity management becomes critical.
A) Benefits for Organisations
Reduced Administrative Burden: Streamlining the collection and verification of personally identifiable information (PII) across multiple touchpoints.
Enhanced Security: Leveraging selective disclosure and zero-knowledge proof techniques for customer-controlled identity verification, so that each provider holds only the claims it needs, minimising data breach exposure and supporting privacy compliance.
B) Benefits for Customers
Greater Control: Managing and consenting to the sharing of PII through a single, centralised application, with the ability to revoke access at any time.
Improved Privacy: Enhancing privacy and confidence in the organisations they interact with.
C) Industry Impact
Shareable identity solutions can transform industries requiring extensive customer due diligence, such as financial services, legal services, and real estate. These solutions can reduce redundancies, minimise operational costs, and provide a seamless customer experience.
Conclusion
The future of shareable identity solutions holds immense promise for both organisations and customers. By fostering collaboration, embracing innovation, and prioritising data privacy, data security and consent, stakeholders can create a more secure, fairer and efficient identity management landscape. Organisations should assess their readiness for shareable identity solutions, evaluate existing identity management processes, and explore integration paths. Early adoption can provide a competitive edge and demonstrate a commitment to customer privacy and data security.