One of the things we’d like to achieve with it being open source is actually a community that will contribute and collaborates on new practices that are best for both the companies and their customers and less for criminals.
It feels to me that the community to collaborate on something that is wanted by no one, costs money for no reason and is imposed on the world's businesses by a government of a single particular country ... is quite small.
Again, good points! this is exactly what we want to take off of the dev/CTO shoulders when going into the CRO’s office, we might need to do a better job communicating what the project is about.
- You can choose where to store the data, you can either keep it in the vendor's hand if it's more comfortable for the CRO or use your own AWS and GCS for specific geographies (e.g. GDPR). for those who have access to the data we have RBAC built-in into the back office, we’ve seen that most companies are actually building their own back office since identity verification providers usually won't give something operational for manual approvals - so getting one that is built with best practices in mind and maintained by a community is a big benefit in a security aspect.
- Each company that deals with such processes have its own regulatory framework they are under and they are obliged to assign personnel to build and maintain a policy and make sure the company acts according to it it.
- You can orchestrate that entirely, using whatever data source you need, by using an existing integration or adding a new one.
- This is a big plus for having a community that is spread across multiple geographies and can help build local solutions that will make the system global (stuff like which data you need to collect, how much time data should be stored, in what area it should be stored, and which vendors works best with specific data).
It makes sense, I didn’t really mean my comment as a dismissal of your product btw; I understand that you’re trying to build a set of tools that cover the whole range of what a company might need to do KYC — you’re not really competing with onfido in that sense, as the next onfido could use your product as a building block (or acquire you).
Solid points. from what we’ve seen it defers between different companies.
Each company has its own preferences, some find it less optimal to send IDs to a 3rd party, and some don’t want to host it themself, and this is why we built it to be entirely modular.
It means you can either use a vendor in the backend (for fraud, file storage, AML, or anything else) or do stuff on your own, we want to make sure the underlying infrastructure won't break when you mix and match those. we do it by standardizing the data and how all modules talk with each other.
From what we’ve seen it really depends on what service the company is giving, who are the customers, and sometimes the size of the company.
We used Onfido for quite a while, we think you guys are great. I think the solutions you're comparing here are different in more ways than where it is hosted.
For example, This project is about not being tied to a specific vendor, all modules are completely vendor agnostic.
let’s say that you start with one vendor and after a while, you either are not satisfied with the results and want to switch a vendor without changing your internal operations workflow or maybe you have a new geography to cover and you need another vendor for it that will fit the rest of the tools you are using, with this project you can use the same tools to send your document to whichever vendor you want.
We built it for customization from the ground up, and since it's open source - it's at the code level. we expect to see UI packs, flow and vendor compositing, liveliness challenges, etc all developed in the community and for the community to use.
Its true, a document and a selfie are not enough in some cases. there are a couple of technics to make a better guess if the selfie was live but they are not good as liveliness checks.
We already started to work on a liveliness step with a customizable challenge, meaning the developers can configure what action the user should perform in this step (like turning the head in a specific direction, perform hand gestures, and more).
The mobile SDK's will have more sophisticated tools to detect fraud, we will write about it soon.
Thanks!
We are trying to take those stuff away from developers and have it built in the infrastructure - such as built-in RBAC, access logs in the backoffice, and integrations to s3 and GCS that are controllable at per-user level.
I think the sort of thing that would really help would be the ability to write data retention policies into the flow and have them enforced by the system.
For example, when adding a step that says the user needs to upload Photo ID, requiring the developer to set a retention policy on that, like 30 days, or minimum of 90 days and the time it's used, or retaining until the account is closed. Then automatically deleting after that point.
Being able to also generate a report of all of these policies, simplified down together, would be really handy. If you're updating a privacy policy you probably want to tell your lawyers how you handle data, and having the tool provide a summary of all the policies would be useful.
This only addresses the deletion and retention part. There's more around export and update, as users have the right to correct any data you hold about them if they believe it is incorrect or out of date. That could actually re-trigger the flows too!
Thanks, yeah you’re right, we’ll add it to our GitHub readme page.
And for the rest, I’ll just add here that KYC/B stands for “Know your customer/business” and it is common in the onboarding process of financial services, healthcare, gambling, education, etc. in which a company is gathering information/documents and verifying who they give service to.
