Yoti blog
Stories and insights from the world of digital identity
Compliance at Yoti and why it matters to you
Updated 29th November 2019 to reflect change of SOC 2 classification from SOC 2 Type 1 to SOC 2 Type II.

We do things differently to most tech companies. We’re proud of the fact that we always put compliance and our community first and we like to shout about it.

The way we handle security and compliance is key to protecting your data. If we didn’t get that right, how could we expect anyone to trust us? And without trust, why would anyone use our app?

So, with that in mind, here’s a run-through of the three main compliance accreditations we hold and why you should care. (Don’t worry, we know this stuff can be quite dry so we’ve kept it short).

ISO 27001

What is it?
It’s an international standard for information security management. Quick fact: although ISO 27001 is now best practice for security around the world, it was originally published in 1995 right here in the UK.

What does it mean for you?
ISO 27001 is about protecting all kinds of data. Not just personal data. So that’s everything from how we monitor who enters our offices to how we pick any suppliers or partners we work with. It basically means we’ve been proven to take security seriously in all areas of the business.

SOC 2 Type II

What is it?
SOC 2 (Service Organisation Controls) is all about companies being able to trust each other when providing and outsourcing services. There are five different criteria that an organisation can be examined on: security (which we have), confidentiality, processing integrity, availability and privacy. Our independent auditors examined the operation of our security controls over a continuous, six-month period and found no exceptions.

What does it mean for you?
SOC 2 is one of the most respected and rigorous auditing standards for security in the business world. It’s considered the gold standard and is adhered to by governments, major banks and the biggest tech companies. And receiving a flawless report is almost unheard of. So when we say that security and privacy are our priority, you know we really mean it.

PAS 1296

What is it?
It’s a Publicly Available Specification (PAS) for Online Age Checking. It sets out regulatory best practice for the sale of age restricted goods or access to age restricted services. We have done a self assessment against PAS 1296 and had this reviewed by a third party.

What does it mean for you?
It’s all about trust. Trust that an age check performed using Yoti is reliable. For example, if you’re a parent whose child uses Yoti for proof of age accessing child-only forums or online games, you can be confident that environment is only accessed by others their age.
Fighting financial crime with Yoti and Synectics Solutions
Our advanced identity verification technology is set to enhance the onboarding experience for financial services and help tackle identity fraud. Our partnership with Synectics Solutions is set to deliver simple, private and secure eKYC checks when people apply for financial services products.

Synectics Solutions

For over 27 years Synectics Solutions has been at the forefront of developing leading-edge, data driven solutions for its clients, to help them create effective risk management systems and reduce their losses to fraud and other financial crime. Synectics’ clients have saved over £4.8 billion collectively through the use of these market leading link analysis, fraud prevention and predictive analysis solutions – National SIRA, Orion and Precision.

Yoti identity verification

Synectics Solutions have integrated our state-of-the-art identity verification solution to enable their customers to digitally verify their identity from anywhere in the world. The product integrates seamlessly into existing business flows so that customers can easily verify themselves on a website, app or in terminals.

End customers simply take a photo of their official ID document and perform a liveness test to prove they’re a real person, and Yoti does the rest. Using a combination of expert AI and our team of super recognisers, Yoti checks their ID is authentic and matches it to their biometric template created during the liveness test.

What does this mean for regulated financial services?

Yoti’s partnership with Synectics Solutions offers regulated financial services institutions the ability to:

- Verify the identity of customers from over 175 nationalities to a high level of assurance through government-approved photographic ID documents.
- Allow customers to prove who they are remotely and securely from anywhere in the world.
- Digitally transform the approach to customer onboarding and customer due diligence.
- Reduce onboarding friction in order to deliver products and services faster than before.
- Enhance regulatory compliance through best-in-class technology.

Russell Mackintosh, Head of Partnerships at Synectics Solutions said:

“We’re delighted to announce this partnership with Yoti as it further demonstrates our recognition that improving methods of authenticating and identifying genuine customers lies at the heart of addressing issues of fraud and financial crime for our clients.

“As a company we’re committed to continually investing in the services we offer and Yoti’s [service] provides access to the leading edge ID&V technology to help our clients improve their ability to authenticate genuine customers faster and more effectively.”

Gareth Narinesingh, Commercial Director at Yoti said:

“Our partnership with Synectics Solutions is a key proposition for UK-regulated financial services. Verified identities delivered through our platform complement best-in-class data services provided by Synectics Solutions.

“Financial services clients now have an end-to-end solution for onboarding new and remediating existing customers. This will lead to better and quicker customer outcomes for good actors, whilst employing much tighter controls around keeping out bad actors. This will be good news for both compliance officers and heads of retail banking and consumer finance businesses.”

Get in touch

If you work in financial services and are interested in optimising your business with Yoti’s identity verification services, please get in touch with Gareth Narinesingh here and you can also read further on identity verification for financial services.
Yoti joins the world’s most innovative companies in the REGTECH100 2020
We are very proud to announce that Yoti has been selected as a REGTECH100 company.

RegTech

The REGTECH100 is an annual list that recognises the world’s most innovative technology solution providers who are addressing the challenges of delivering regulatory requirements within financial services. The regulatory technology industry has seen huge growth in recent years as it strives to meet the needs of financial institutions as they navigate unrelenting regulatory challenges.

The key players

The REGTECH100 list was born to help senior management and compliance professionals navigate and evaluate which solutions are most likely to have a lasting impact on the industry. In their own words, this list is comprised of the companies every financial institution needs to know about as they consider and develop their mission critical RegTech and digital transformation strategies.

We are really proud that Yoti has been selected as one of the world’s top 100 companies that are shaping the future of compliance, risk management and cybersecurity in 2020.

Yoti driving innovation with digital identities

Yoti’s identity verification solutions are making strides in financial services. Our recent partnerships with Synectics Solutions and Kompli-Global create a digital KYC journey that fuses electronic identity verification with best-in-class data services for enhanced financial crime and anti-fraud prevention. The cryptocurrency platform Crix has also recently innovated their onboarding process with eKYC checks with our Yoti Doc Scan product.

Whether it’s buying crypto-currency, authorising a payment through multi-factor authentication or verifying your identity for a bank, our innovative technology provides financial institutions with the ability to:

- Verify the identity of customers from over 175 nationalities to a high level of assurance through government-approved photographic ID documents.
- Allow customers to prove who they are remotely and securely from anywhere in the world.
- Digitally transform the approach to customer onboarding and customer due diligence.
- Reduce onboarding friction in order to deliver products and services faster than before.
- Enhance regulatory compliance through best-in-class technology.

Mission critical

In the words of Mariyan Dimitrov, head of research at RegTech Analyst, “Employing RegTech solutions to modernise the compliance function is now mission-critical for financial institutions globally.”

If you work in regulatory financial services and are keen to learn more about Yoti’s identity verification services, please get in touch with our Commercial Director for Financial Services, Gareth Narinesingh.
Digital ID, smart ID and identity in South Africa
This is the first field diary entry from Tshepo, one of our Yoti Digital Identity Fellows. His year-long research project is looking at the digital identity landscape in South Africa, with a specific focus on the national smart ID identity programme from a human rights perspective.

***

South African SmartID Cards play a crucial role in identifying and eliminating digital identity fraud in South Africa. Future developments here will likely have repercussions for the entire African continent, given that South Africa is the most developed country in the region.

My Fellowship will examine South Africa’s national digital identity programme from a human rights perspective, and will propose safeguards and policy recommendations for those involved: public officials, lawmakers, representatives from judicial and human rights institutions, technologists, officers of development institutions, and members of the private sector.

National Digital ID programs

Countries all over the world are increasingly focusing on issues related to digital identity, and these are now at the center of many policy discussions. As a consequence, increasing numbers of governments have either proposed or are implementing programs relating to digital identity on a national level.

These programs are directly administered by the government or implemented through government support and aim to provide a single identity to all residents, which in some cases is limited to national citizens and excludes expatriates. Biometrics are often the focal point of these national ID programs, as establishing the identity of a person involves gathering, storing and processing biometric data.

Advocates vs critics

Advocates of these programs say that national-level initiatives such as these provide several benefits. They allow the national government to provide services seamlessly and efficiently to its citizens and residents. They also believe that national ID programs are crucial for state welfare, poverty alleviation drives, fraud elimination and higher inclusivity. These programs are also the foundation of national security efforts.

Critics, however, believe differently. They argue that these programs do not guarantee more benefits, better government services, or enhanced administration for the public. Instead they create serious issues because of the way they are planned and implemented. There are grave concerns, in particular, in areas relating to cybersecurity, data protection and privacy. There is also the risk of social exclusion, something my colleagues on the Yoti Fellowship Programme are researching.

Multiple forms of ID

To make it possible for these national ID drives to achieve their goals, several critical issues must be addressed. Governments must design a framework that takes technical, legal, and social factors into account. This framework should accommodate anonymity, informed consent and choice for its users.

Centralised national ID schemes also focus on providing just one form of ID for each person and do not allow for multiple ID forms that could be better in many respects. Multiple ID forms can increase competition and lead to the provision of better services for users. Multiple IDs also have the potential to empower the cardholders by giving them a choice of which identity method they use in differing circumstances.

My Fellowship will focus on schemes that allow only one ID card per person, and will investigate the effects and consequences of this approach for its users.

Digital Identity in South Africa

The population of the Republic of South Africa is around 51 million people. South Africa shares its borders with six other countries, and it has an extremely ethnically diverse population.

A green ID book is mandated for citizens as well as permanent residents over the age of 16. This bar-coded ID serves as proof of user identity for several important situations such as opening a bank account, applying for a driver’s license, a passport application, voting registration, and more. Unfortunately, the green ID book has proved to be highly vulnerable to theft and fraud, creating security problems which affect both the people and the government.

The Department of Home Affairs (DHA) launched the SmartID card system in part to address these concerns, and in part as an investment drive to update and modernize technology in the country. On 18th July 2013, the DHA commenced the replacement of green ID books with these new SmartID Cards. Since the new cards have a host of advanced security features they are resistant to tampering and forging. Despite these features, the cards are not foolproof, and several fraudulent marriages and other digital identity scams have been exposed by local media.

The government of South Africa claim that the new cards are durable and secure thanks to the choice of high-quality polycarbonate material. Other physical features including laser engraving, holograms and personal information are also designed to make fraud more difficult. It is expected that these cards will dramatically reduce the incidence of identity theft and fraud in South Africa.

Research questions

My research will seek answers to the following questions to help determine the performance of these cards in relation to ID fraud prevention:

- Have ID-related frauds declined in South Africa, following the introduction of the new SmartID cards?
- What new technological developments might be available to further boost the security of these cards?
- How can these cards be used to improve government services to the public?

Fellowship goals

The following are the goals for my fellowship:

- Assessing the effects of national identity programs on human rights.
- Suggesting policy recommendations and safeguards to key stakeholders like cardholders, government officials, lawmakers, judicial bodies and human rights organizations.
- Identifying and analyzing fraud cases.
- Examining trends concerning the old green books and new SmartID cards to evaluate the consequences of the ID program.

Next steps

The research carried out during my Fellowship is the first of its kind, and is aimed at determining whether the promise of SmartID cards has been met.

If you have a question for Tshepo or are interested in his research, you can reach him here. To follow his whole research project, you can find an archive of his monthly field diary entries here.
How we built privacy into the Yoti app
Just as the right to identity is a fundamental human right, we believe privacy is too. Yoti was built to give everybody a simple and secure way of proving and protecting their identity, online and in person.

With the free Yoti app, you can create a digital ID that allows you to prove who you are in the most privacy-friendly way. It is built with data minimisation at the core and allows you to share less data to prove your identity or age. You’re in control to show only the details you need, to the businesses and people you trust.

First things first

We don’t have your ID document details unless you have chosen to add them to your account. This is totally your choice. If you don’t add your ID document, you can use other features on the app such as our password manager or get an estimated age, but you do not have a digital ID.

We make sure it’s really you

When registering your account, we ask you to take a quick video to prove you’re a real human being. If you want to create a digital ID, you can upload a government-issued ID document. This is either checked automatically or sent to our team of identity verification specialists. They check your document is real and that the photo matches up with the image from your video and the information taken from your document.

This is called a liveness test and is where we ask you to move your face according to instructions on the screen. If this test fails, you may be asked to say a few words so we can confirm you’re a real person.

We double check that you’re the one calling the shots

From your liveness test, we create a digital map of your face and encrypt it. When we need extra confirmation that it’s you, we ask you to take a selfie, which we compare to this original image.

We let you share less data

Unlike a physical ID document, we store your personal information as individual pieces of data. We call these attributes – individual pieces of information that identify you as you, such as your name, date of birth etc. By storing these attributes separately, you can share just the information required for a transaction, rather than revealing your whole identity. If you need to prove your age, you can share the fact that you’re over 18 and nothing else.

Only you hold the key

When you unlock your app, you activate your master encryption key. This master key is stored on your phone and is the only way of pulling together your attributes and turning them into readable text. Yoti also encrypts your master key for extra security.

We use advanced biometric technology to keep you safe

We use biometric (and non-biometric) technologies to carry out anti-spoofing, fraud prevention and security checks. This is the most effective way of verifying that you are a real person and that you’re setting up a genuine digital identity. It allows us to keep our users safe and make sure that only genuine identities are on our platform.

We’re clear and transparent

We tell you what we’re doing and why in the app, in our privacy policy and in FAQs. Our customer support team are also incredibly friendly and super speedy at replying so you can get in touch at any point if you need any help.

You can always opt out

Our research and development (R&D) team use some user data to develop, test and improve our age estimation technology and our anti-spoofing, fraud prevention and security checks. We do this to keep our community safe but if you are not comfortable with this, you have the option to opt out in the app.

Go ID-free

We’ve also built age estimation technology so you don’t even need an ID document to have an estimated age on your account. This technology can be used to allow anonymous proof of age in situations such as buying age-restricted goods at self-checkouts or proving you are over a certain age to access age-restricted content online.

For all the technical bits, take a read of our whitepaper.
A look at our biometric technology
As our everyday lives become more digital, traditional IDs lag behind. They reveal more information than necessary, don’t make it easy to prove your identity remotely, and are easily lost and expensive to replace.

That’s why we built the Yoti app – to give everyone access to a digital ID built for a digital world. It makes the everyday easier and enables you to share less data and securely store your personal details in a privacy-centric way.

We use biometric technology because it’s currently the most secure way of proving that you are who you say you are and that your ID document belongs to you. Today, our Data Protection Officer Emma Butler explains everything you need to know about how we use biometric technology at Yoti.

Why biometrics?

To be a trusted identity platform, we have to make sure that individuals can’t create fake identities. We have to take steps to check it’s really you and to make sure you can’t upload someone else’s document. This is where the biometrics comes in: fraud prevention, security, safety.

If we explained in minute detail exactly how everything works, people would be able to game the system, get round our checks and create fake identities. So we are as transparent as possible without compromising anyone’s security.

So what are the biometrics then?

This is where it gets complicated. Biometrics is defined in different laws in different countries, but not always in the same way. Also, regardless of what the law says, people have their own ideas about what it is.

Most experts agree that biometrics is the measurement and analysis of your unique physical characteristics and behaviour. Some identify you, some authenticate you, some just distinguish person A from person B, and some estimate things about you, like your age, gender or mood.

People typically think about biometrics as being your face, your fingerprint, your voice, the way you walk, the way you use your phone and so on. Legally, the common factor in most laws is that you are identified (it is determined who you are) or authenticated (you are who you say you are) through your unique physical characteristics or behaviour.

Biometrics at Yoti

Not all Yoti uses of your ‘biometric’ data identify or authenticate you. However, to make things easier to understand for our users, we have called all the physical characteristics and behaviour data ‘biometrics’.

After all, we’re an app. A mobile phone screen is all the space we have. We can’t get into the legal and technical weeds on a small screen, and user testing has shown that users don’t read screens containing lots of information. So we simplify where we can, we provide the right information at the right time, and we always direct you to longer, more detailed information in our privacy notice for those who want it. We also have FAQs and a friendly, responsive user support team.

Are you real?

When you set up your account, we check you’re a real person. We also check you are not impersonating anyone else, such as wearing a mask or holding up a photo. We call this ‘liveness’. These security checks are known as ‘anti-spoofing’ and we work hard to stay one step ahead of the fraudsters who look for devious ways to pretend to be someone else. The anti-spoofing technologies analyse your face and your movements, but they don’t identify or authenticate you.

We have two possible liveness tests. One is automated and one relies on a human being in our security centre to carry out the check. If the automated one isn’t sure enough that you are human, we ask you to do the other test.

Biometric template

During liveness we take a scan of your face and create a ‘biometric template’. This is just a string of ones and zeros. This is held securely and not shared with anyone. We check against this template when we need to check it’s really you and that it’s your ID document.

Is that your ID?

We carry out checks to make sure your document is real, is valid and belongs to you. Most of these checks are on the document. We use facial verification technology to match the face in the ID document photo to the biometric template from the liveness check. This technology authenticates you by determining if the two images are the same person. This is often called one-to-one (1:1) authentication. If the technology isn’t sure enough, a human being in our security centre checks the two images and decides.

We currently use Cognitec technology for this. Cognitec are a leading provider of this technology and approved by NIST.

Is that really you?

When you want to take certain actions in the app, we ask you to do a liveness test again or take a photo. We use the same facial verification technology and processes described above to compare your image to the biometric template to make sure it’s really you.

Some organisations who use Yoti with their customers may also want this extra level of security. For example, a bank may want more security if you want to move a lot of money to another account. When they set up with Yoti they can request this and it works in exactly the same way. When you just take a photo we call this ‘selfie authentication’.

Research and development (R&D)

None of these technologies exist by magic. They all have to be researched, developed, tested and improved. This is where the R&D team come in. They develop, test and improve new and existing security-related technologies. They also have to make sure the technologies are trained on a diverse and representative dataset so that they work for everyone.

Face detection: this is a simple technology that works as described – it detects faces – human faces to be precise. The technology is trained on what a human face consists of and what it looks like in general terms. This technology is an integral part of any face-based technology to make sure that the technology only activates when a human face is presented.

Face match or facial verification: this is what we use to check it’s really you and check it’s your ID document. Essentially the technology is presented with an image which it compares to the image and biometric template attached to your account. It determines if these are the same person. If the technology isn’t sure enough, a human being in our security centre compares the two images and makes the decision.

Anti-spoofing: these technologies check you are a real human, and check you are not trying to impersonate someone else, such as by holding a photo in front of your face or wearing a mask. Our liveness step when you create an account in the app is a key part of this. As explained above, these technologies analyse a face and its movements. They don’t identify you or authenticate you. We can’t provide too much detail about exactly how these technologies work or people would be able to devise ways to get round the checks.

Age estimation: this technology analyses a face and estimates its age. It doesn’t identify you or authenticate you. This allows you to have an estimated age on your Yoti account so you don’t need to add an ID document to prove your age. It also means we can offer this privacy-friendly technology to other organisations who need to check their customers’ age.

Usually organisations who need to check your age ask you for lots of personal information or credit card details. They also sometimes check that information against third parties, such as credit reference agencies. Our technology means organisations can offer anonymous age checks. This is particularly important to people where they need to prove their age to access age-restricted or age-specific content online. Or where they want to buy age-restricted goods without having to hand over an ID document. It also helps retail staff who have to check ID documents and may not have the training to spot fakes, or who may receive abuse for checking in the first place.

How do I opt out of R&D?

If you don’t want your data used in our R&D you can opt out in the app settings. It’s that simple. Opting out means no further data is sent to R&D and existing data that R&D had available to them is also deleted. If you decide to delete your account, this also deletes the R&D data. It’s important to know that if your data has already been used in a project to train software, it is impossible to undo that activity.

Developing biometrics the right way

To make sure we develop our biometric technology in the right way, we have internal governance measures such as an internal Ethics and Trust Committee and are advised by our Guardian Council of expert professionals in data privacy, human rights and last mile tech.

The accuracy and bias mitigation of our age estimation algorithm has been reviewed by Dr Alison Gardner from Keele University and IEE and our approach has been shared with regulators and civil society bodies in roundtable sessions. You can find its current accuracy levels in our regularly-updated Yoti Age Scan white paper.

Further reading

We think this poster on facial recognition by the Future of Privacy Forum is brilliant for an overview on biometric technology. You can also find some great materials on the Biometrics Institute and Gemalto.