In March 2013, the US Financial Crimes Enforcement Network (“FinCen”) published a statement saying that companies which facilitate buying and selling of “virtual” currencies like Bitcoin constitute “money service businesses” and are subject to reporting obligations designed to prevent money laundering and other financial crimes.
A couple of months later, the seizure by US authorities of Liberty Reserve has shaken money service businesses around the world, whether they deal in “real” or “virtual” currencies.
Two days later, the largest Bitcoin exchange, MtGox, tightened their anti-money laundering (AML) controls, posting the following statement on its website:
Attention Users: From May 30th 2013 all withdrawals and deposits in fiat [real] currency will require account verification. However withdrawals and deposits in Bitcoin (BTC) do not require verification.
What MtGox is attempting to do here is meet one of the most fundamental requirements of AML legislation around the world: know your customer. It is so fundamental that it too earns its own three-letter abbreviation, KYC.
So, how does an online business like MtGox verify the identity of its customers? After all, you can’t walk into the local MtGox branch with a fist full of paperwork. Instead, you must upload a scan of “proof of identity” (passport, national ID card or driver’s licence) and “proof of residency” (a utility bill or tax return).
MtGox are not alone in this approach. More and more online money service businesses are attempting to get on the right side of AML rules by performing verification in this way.
Here in Australia, there are still some Bitcoin brokers which do no verification whatsoever, including BitInnovate (who helped me buy my first Bitcoin) and OmniCoins. Australia’s AML regulator, AUSTRAC publishes a list of “designated services”, which make business subject to reporting obligations including customer verification. The list includes
exchanging one currency (whether Australian or not) for another (whether Australian or not), where the exchange is provided in the course of carrying on a currency exchange business
So I strongly suspect that all local Bitcoin brokers too will soon be demanding scans of your driving licence and electricity bill.
But is the MtGox approach to customer verification a good idea? I don’t think so. I believe it is a bad idea for MtGox and a bad idea for their customers.
It is a bad idea for MtGox because scans of fake identity documents are very easy to come by. For example, one vendor at the online black market Silk Road offers custom UK passport scans with the name and photo of your choice, complete with a scan of a matching utility bill.
It’s a bad idea for the customer too, because it exposes them to increased risk of identity theft. Although my intentions were not criminal, I chose BitInnovate when I bought Bitcoin precisely because I did not have to provide any personal documents. How well do you know MtGox or any other online money service? How confident are you that they will be able to keep their copies of your documents secure? Securing data is hard. Every other week it seems that there are stories of hackers gaining access to supposedly secure password databases. I have no doubt that scans of identity documents will also find their way into the wrong hands.
So what is the alternative?
Third party identity management.
Using a passport or driver’s licence scan is effectively outsourcing identity verification to the passport office or motor registry respectively. Before the days of high quality scanning and printing, these documents were difficult to forge. A better solution is to retain the idea of outsourcing, but adapt the mechanism to today’s technology.
Here’s how it could work.
A number of organisations would establish themselves as third party identity managers. These organisations should be widely trusted and, ideally, have existing experience in identity verification. Obvious examples are banks and government agencies such as the passport office.
Then if I wanted to open an account with MtGox, its website would provide a list of identity managers it trusted. Scrolling through the list, I may discover that my bank is on the list. Perfect! When I first opened an account with my bank I went through an identity verification (IDV) check (ideally, this would have been done in person and, even better, the bank would have some way to authenticate my passport or driver’s licence*), so my bank can vouch for my identity. I can then click on the “verify” link and I am redirected to my bank’s website. Being a cautious fellow, I check the extended validation certificate, so I know it really is my bank. I then log into my bank using multi-factor authentication. My bank now knows it’s really me and it presents me with a screen saying that MtGox has asked for my identity to be validated and, in the process, has requested some of the personal data my bank has on file. The page lists the requested item: name, address, email address and nationality. I click “authorise” and find myself redirected to MtGox and a screen saying “identity successfully verified”.
MtGox is now more confident of my true identity than they would be with scanned documents and I have kept to a minimum the amount of information I need to provide to MtGox: no more than is required to meet their AML obligations.
This authentication protocol is a relatively straightforward enhancement to the “OAuth” protocol used by sites like Twitter and Facebook today. OAuth itself is subject to some controversy, and it may be better to create a new standard specifically for high trust identity management applications like this, but the tools exist to put identity management on a much safer footing.
* Today, unfortunately, banks and other private sector entities are not readily able to authenticate passports or driver’s licences. Once government agencies are able to provide this service, the options for third party identity management will be even greater.