KYE: Know Your Employees
It’s one thing to know your customers, another to know your employees.
Dateline: Las Vegas, 25th October 2023.
In the financial services world we spend a lot of time thinking about Know-Your-Customer (KYC) and anti-money laundering (AML) regulations because of the colossal expense of implementing them and the massive penalties for getting them wrong. It has been clear for years that the customer due diligence (CDD) system is broken in many ways, but it is not only broken when it comes to dealing with customers; it is also broken when it comes to dealing with employees.
If you are involved in moving money in any way at all, you will be aware of the Financial Crimes Enforcement Network (FinCEN). It is a bureau of the U.S. Treasury that was created in 1990 to combat money laundering, terrorist financing and other financial crimes through the collection, analysis and dissemination of financial intelligence. It works to achieve this mission by administering and enforcing the Bank Secrecy Act (BSA) and other anti-money laundering (AML) laws and regulations. When it comes to moving money, frankly, the cost of shifting the electrons around is nothing compared to the cost of compliance and many new businesses have set sail only to founder on the reef of due diligence.
In many ways, compliance is a moat that protects incumbents from competitors. As any fintech entrepreneur knows, it is a headache to deal with compliance and the costs continue to escalate. Digital identity must be one of the keys to getting these costs under control and indeed earlier this year FinCEN's acting Deputy Director Jimmy Kirby spoke about the need for digital identity, stating that FinCEN is “pragmatically focused” on protecting the U.S. financial system from illicit finance threats. According to Kirby, financial institutions must establish with confidence who their customers are on the front end and throughout the customer relationship (my emphasis). It’s not good enough to do the Know Your Customer (KYC) check and then forget about it, which is why the costs of compliance are high and digital solutions are desperately needed.
(This is why what Laura Spiekerman from Alloy calls the “perpetual KYC approach” is so important: automated recurring checks based on specific triggers that might include an update to a customer’s personal data or a transaction that sets off a risk alert.)
Cryptocurrency players are subject to the same concerns as mainstream financial institutions and I don’t doubt they take the rules just as seriously. Coinbase, for example, say that during onboarding individuals and entities must provide identifying information, including their name and country of residence, which is then checked against lists of sanctioned individuals or entities. They also use "geofencing controls" to prevent access to Coinbase from places including Crimea, North Korea, Syria and Iran and say that they routinely subject their sanctions compliance program to internal testing and independent audits by third parties.
That’s for onboarding customers, of course. But it appears that some companies do not apply the same rigour when it comes to figuring out who employees are or onboarding new business partners. The key point is that digital identity isn’t only needed to support due diligence around customers: Know Your Employee (KYE) is just as important an opportunity as KYC, Know Your Customer’s Customers (KYCC) and Know Your Business (KYB) and so on. All of these need to be established with continuing confidence and all of them are currently a mishmash of scans of utility bills, pictures of driving licences and pointless box ticking.
When it comes to employees, for example, some of those new hires might not only be exaggerating on their resumes, they might be acting on behalf of foreign powers: the Feds have charged a North Korean Foreign Trade Bank (“FTB”) representative for money laundering conspiracies designed to generate revenue for the Democratic People’s Republic of Korea through the use of cryptocurrency. According to court documents, North Koreans applied for jobs in remote IT development work and passed employment checks by using fake, or fraudulently obtained, identity documents. These workers then request payment in cryptocurrency and whisk their earnings back to the motherland.
The problem of KYE is about to take another turn, because building a new business in the Metaverse will mean some pretty serious thinking about employee identification, credentials, authorisations and relations!
KYE would clearly benefit from digital infrastructure. The last time I was asked for documents for an employment check — to tick a box confirming that I had the right to work in the U.K. despite having been born in the U.K., having more than one paid employment in the U.K. and paying tax in the U.K. (don’t ask) — about a month ago, I was required to send a picture of my passport by e-mail to an HR department. Now, while HR departments are famed for their strong cybersecurity practices, I was a little concerned about my personally identifiable information (PII) being exposed, especially when digital alternatives have been demonstrated!
(This is not an idle concern, as the fallout from the Optus data breach in Australia has clearly demonstrated. People can get up to no end of mischief with a copy of your passport and your personal details.)
Digital identity hopefully provides a way forward here even though, as Jelena Hoffart points out in a recent piece about employee identity management, KYE is very different from KYC because of risk tolerance. While advances in digital identity management around customer identification, authentication and authorisation add to the corporate toolbox, there is a fundamental difference in deployment: the tolerance for consumer fraud is non-zero, while the optimal tolerance for internal corporate crime is zero. Some customer fraud is tolerable as a cost of doing business; employee fraud is not.
Companies can reuse KYC technology (e.g., digital onboarding) for employees, of course, but it must be as part of a more rigorous process.
It is interesting to see how KYE is moving forward though. I recently took part in a digital identity design sprint day hosted by National Australia Bank in Melbourne and it seemed to me that the most attractive of the use cases explored (in the context of commercial opportunities that might arise from using bank-issued digital identities) was indeed KYE. There were some startups there already delivering services in this space and looking to improve their offerings by integrating digital credentials of some kind and we know that the approach works.
(Meeco, for example, worked with a digital identity exchange, state government and an engineering and technical services company, in a pilot to demonstrate the commercial benefits of digital identity and verifiable credentials in workplace onboarding. Instead of presenting originals of physical documents, or digitised copies of physical documents, the employees digitally asserted their identity and provided a digital driver licence, in the form of a verifiable credential, all from a wallet application on their phone.)
Given the scale of the KYE problem it is clear that a shift to verifiable credentials for employee onboarding is a win-win and it makes sense to provide candidates and employers with the necessary infrastructure to provide specific characteristics (e.g., this person has a valid welding certificate) without giving away personally-identifiable information. The European Union right now has four large scale EU Digital Identity Wallet pilot projects running and intends to launch such a wallet to 450m European citizens next year. This will give those citizens the opportunity to store digital identity credentials including their national ID, driving licence, qualifications and bank details and there is no reason why Australians (and for that matter Americans) should not aspire to a similar infrastructure in the same timescale.
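To make the welding-certificate case concrete, here is an added sketch (not code from any of the projects mentioned above) of salted-hash selective disclosure, the idea behind formats such as SD-JWT. It assumes an HMAC as a stand-in for the issuer's public-key signature, and all names and claim values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets

# Assumption: an HMAC key stands in for the issuer's signing key. A real
# deployment uses an asymmetric signature so the employer holds no secret.
ISSUER_KEY = secrets.token_bytes(32)

# Constructed sample claims; none of these values are real.
SAMPLE_CLAIMS = {"name": "Constructed Person", "passport_no": "X0000000",
                 "welding_cert_valid": True}

def _digest(salt, name, value):
    # The per-claim salt stops a verifier guessing hidden values by hashing.
    return hashlib.sha256(json.dumps([salt, name, value]).encode()).hexdigest()

def _seal(digests):
    msg = json.dumps(sorted(digests)).encode()
    return hmac.new(ISSUER_KEY, msg, hashlib.sha256).hexdigest()

def issue(claims):
    """Issuer: salt and hash every claim, then seal the list of digests."""
    disclosures = {n: [secrets.token_hex(16), n, v] for n, v in claims.items()}
    digests = sorted(_digest(*d) for d in disclosures.values())
    return {"digests": digests, "seal": _seal(digests)}, disclosures

def present(credential, disclosures, names):
    """Holder's wallet: reveal only the named claims to the employer."""
    return {"credential": credential,
            "disclosed": [disclosures[n] for n in names]}

def verify(presentation):
    """Employer: check the seal, then that each revealed claim was issued."""
    cred = presentation["credential"]
    if not hmac.compare_digest(cred["seal"], _seal(cred["digests"])):
        return None  # digest list was altered after issuance
    verified = {}
    for salt, name, value in presentation["disclosed"]:
        if _digest(salt, name, value) not in cred["digests"]:
            return None  # claim was never issued, or its value was changed
        verified[name] = value
    return verified

if __name__ == "__main__":
    cred, disc = issue(SAMPLE_CLAIMS)
    shown = present(cred, disc, ["welding_cert_valid"])
    print(verify(shown))  # the employer learns only the certificate status
```

The employer receives digests for the name and passport number but cannot reverse them without the salts, which never leave the wallet.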
Hopefully, with new energy going into digital identity wallets, verifiable credentials and (custodial) self-sovereign identity the specific problem of KYE can be tackled quickly, efficiently and to the mutual benefit of all stakeholders, in which case it can indeed serve as a vanguard for mass market digital identity solutions.