Recently, I was tasked with conducting a preliminary technical review of five financial platforms considered for purchase. My role involved interacting with representatives from these investment platforms to assess the state of their systems.

Armed with a comprehensive questionnaire designed to measure the quality and thoughtfulness of these platforms, my attention was drawn to the issue of automating user document verification. According to Know Your Customer (KYC) requirements, financial platforms must verify user-uploaded documents for accuracy and authenticity, checking for theft or expired validity. The nuances of this process are often understood by those involved in the development and support of such platforms.

Special attention was given to the issue of automating document verification through a third-party service provider, the name of which will remain undisclosed. This service provider, operating based on a service offer, offered to verify user passport details and check whether the passport was reported as stolen or lost. To conduct this analysis, complete user passport details were required in an open format through API access.

The problem lies in the fact that platforms are not authorized to transmit personal data to third parties. Even if attempts are made to obtain user consent for data transfer to this service provider through a checkbox or hidden consent clause in the financial platform's user agreement, the legitimacy of such actions remains questionable.

Users, at the very least, should have the ability to view the privacy policy of the API service used for KYC verification on the financial platform. This information should be transparent, and users must unequivocally understand that their data is being accessed by a third-party organization for specific purposes under specific conditions. Would I want my passport data sent to this non-specialized service provider? Most likely not.

A specialized service provider relies on its reputation as a KYC service. In contrast, a non-specialized service provider may not fully comprehend the level of responsibility when dealing with such sensitive information, given its myriad of other (non-KYC) services provided through APIs, including document verification.

How could the process be secured for such a service provider? The answer lies with another provider of similar KYC services via API. They do NOT receive any personal data from the financial platform but still conduct verification. How is this possible? Before being sent via API, all user personal data is transformed into SHA512 hashes. Passport data at this service provider is also stored in the database as hashes, similar to how modern services store user passwords, protecting them from leaks. The service provider then compares the received API hashes with the hashes of lost passports in its database and returns the verification result.

This unique solution from the service provider eliminated the risk of potential data leaks, both from API-supplied data and personal data of invalid passports in the service provider's database. Encrypted data intercepted during transmission would be useless to hackers due to the algorithm. Even the owners and developers of the KYC service provider cannot decrypt the data, as it consists only of unique hashes.

I deliberately refrain from mentioning specific brands to maintain impartiality.

What are your thoughts on this approach? Share which KYC service providers you prefer and why.

Michael Piskunov
CTO at FinMV.com