ekyc

1.introduction.tex (7984B)

---

 \chapter{Introduction}
 
 In order to comply with legal requirements, certain industries must verify the identity
 of their users. For instance, the banking industry is subject to anti-money
 laundering/terrorist financing laws. Similarly, casinos must ensure that their
 customers are of an appropriate age, as do shops selling alcohol.
 
 All these practices and mechanisms put in place by these industries are collectively known as \textbf{\gls{KYC}},
 an acronym for \textit{Know Your Customer} This work will focus more specifically on the IT version of \gls{KYC},
 known as \textbf{\gls{eKYC}} for \textit{electronic KYC}.
 
 To successfully complete an eKYC, three key challenges must be addressed: the first is user authentication,
 the second is the authentication of identity information, and the third is non-usurpation of identity,
 which ensures that the identity in question belongs to the user.
 
 In order to facilitate the provision of the \gls{eKYC} procedure by third parties and to avoid the repetition
 of the same process in each project, this work introduces the creation of an eKYC-as-a-Service platform.
 
 \section{Problematics}
 
 In recent years, the development of remote tools has made it necessary to use \gls{eKYC}
 on a larger scale than was previously necessary for face-to-face identity verification.
 
 The emergence of Twint \cite{TWINT}, a financial intermediary subject to Swiss anti-money
 laundering laws \cite{LEFin}, is a case in point. Twint offers its users the possibility of
 opening an account without tying it to a bank, which means that anyone in Switzerland
 can open an account anywhere.
 
 The same can be said of telephone operators, which are subject to regulation \cite{LTC}, and
 which also allow users to open an account themselves without going anywhere, thanks
 to eKYC.
 
 The market is developing, but there is no open-source service using a standard
 protocol, such as \gls{OAuth2} (see section \ref{OAuth2-API}), to simplify its use with the ecosystem of
 tools needed for interoperability.
 
 \section{Roles}
 
 The project encompasses a number of user/machine roles, which are defined below.
 
 \begin{table}[H]
     \centering
     \setupBfhTabular
     \begin{tabular}{llp{.7\textwidth}}
     \rowcolor{BFH-tablehead}
     \textbf{Role}&\textbf{Type}&\textbf{Description}\\\hline
     \gls{KYCID}     & Machine & Authorization and Resource Server developed in this work performing \gls{eKYC} procedure\\\hline
     Client    & Machine & Third party application delegating its Customer's \gls{eKYC} procedure to \gls{KYCID}\\\hline
     Customers & Human  & Any user who needs to be authenticated during an \gls{eKYC} procedure\\\hline
     Operator  & Human  & Person responsible for installing/maintaining the \gls{KYCID} application (see section)\\\hline
     Admin     & Human  & Person responsible for validating customer profiles
     \end{tabular}
     \caption{Project Roles}
 \end{table}
 
 \section{OAuth2} \label{OAuth2-API}
 
 OAuth2 is a network communication protocol based on HTTP (Web) that allows resources
 (scopes) to be authorised for access to a third-party client application.
 
 OAuth2 is also a framework (see section \ref{OAuth2-Framework}) which defines a security model.
 
 OAuth2 is the second iteration of OAuth, which has therefore been able to mature technically
 and become more robust thanks to this test of time because, since its creation,
 it has been particularly attacked.
 
 \section{SMS Challenge for eKYC} \label{EKYC-SMSChallenge}
 
 To perform an identity verification (\gls{eKYC}), this work has proposed 2 methods:
 
 Firstly, the indirect method, which consists in delegating the verification to a telecom operator and in verifying only 2 things:
 that the user is in control of the number and that the number is Swiss.
 Thanks to this, we can indirectly verify the identity of the user.
 
 \begin{figure}[H]
     \centering
     \includegraphics[width=0.6\textwidth]{phone-ekyc}
     \caption{\gls{eKYC} by SMS challenge}
     \label{fig:PhoneNumber-EKYC}
 \end{figure}
 
 The process is in 3 steps: The customer enters his telephone number; Then,
 a secret code will be sent by SMS to this number; Finally, the customer can enter
 the code received to complete the challenge.
 
 \begin{figure}[H]
     \centering
     \includegraphics[width=0.75\textwidth]{phone-ekyc-process}
     \caption{Process of SMS Challenge for eKYC}
     \label{fig:PhoneNumber-EKYC-Process}
 \end{figure}
 
 \section{Document and Face challenge for eKYC} \label{EKYC-DocumentAndFaceChallenge}
 
 The second method is more direct. It consists of verifying the identity card or passport directly.
 To do this, we will use the user's webcam/camera to scan the ID card or passport.
 
 On the back of the card or passport, there is a zone called \gls{MRZ} for machine-readable zone.
 This is a standard used in particular in aviation to scan via \gls{OCR} (optical character recognition) and
 thus extract all the information electronically.
 
 \begin{figure}[H]
     \centering
     \includegraphics[width=0.75\textwidth]{mrz}
     \caption{Specimen Machine Readable Zone (MRZ)}
     \label{fig:MRZ}
 \end{figure}
 
 However, there is a potential issue: the images of cards or the cards themselves could be stolen.
 Therefore, it is necessary to implement measures to mitigate this risk of theft.
 To address this, we utilise a face challenge, which requires users to submit selfies in three
 different positions (head to the left, to the front, and to the right).
 
 \begin{figure}[H]
     \centering
     \includegraphics[width=0.75\textwidth]{face-challenge}
     \caption{Face challenge exemple}
     \label{fig:MRZ}
 \end{figure}
 
 Consequently, an administrator can verify the photos to ascertain the legitimacy of the document and
 ascertain that all photos (document and face challenge) were taken with the same camera at the same time,
 among other criteria. If all criteria are met, the profile will be approved.
 
 This method provides direct information on the identity of the customer, in contrast
 to the indirect method. However, it is a deferred method that necessitates human intervention.
 
 \section{Product vision}
 
 This work concerns the creation of a product designed to address the problem.
 The product is a web service, named \gls{KYCID}, which stands for Know Your Customer's ID.
 It allows third-party applications (clients) to carry out their eKYC procedures by delegating
 the work to the service.
 
 From the customer's perspective, using the service will be like a simple \gls{OAuth2} authorisation code flow 
 connection. Once the \gls{access token} has been granted, it will be possible to
 request an \gls{endpoint} with identity-related information.
 
 From the customer's perspective, the process will be straightforward: they will simply click on button in client app
 to be redirected to web page on the platform's website, where they will carry out the eKYC procedure.
 Once completed, they will be redirected back to the customer and will have all the necessary information.
 
 The eKYC procedure will be a linear process with optional steps listed below:
 
 \begin{enumerate}
 \item Obtain the user's consent for the client to access the requested \gls{scopes}.
 \item Enter the email address.
 \item Register if an account does not exist.
 \item Verify the email address (a code will be sent by email) if the account is not verified.
 \item Perform eKYC SMS Challenge procedure (see section \ref{EKYC-SMSChallenge}) if it has been requested in the \gls{scopes} by the client.
 \item Should the client request it, the eKYC document and face challenge procedure (see section \ref{EKYC-DocumentAndFaceChallenge}) must be performed.
 \end{enumerate}
 
 The registration of customers will be carried out by an operator with a technical profile (typically Mr Emanuel BENOIST) and does not necessarily require a graphical interface to perform this task.
 
 In order to export a CSV file for the purpose of invoicing the service, the service provider must keep track of authorisation
 requests made by each client.