eSIMs: The KYC Challenge & Self-Service Identity

Tim Barber · July 30, 2018

In many countries around the world there is a regulatory requirement to capture and authenticate name and address data for every mobile phone subscription; be it contract or pay-as-you-go [PAYG], with or without a new device included in the deal (e.g. SIM only). Typically, this ‘Know Your Customer’ [KYC] regulation needs a document check of a valid government issued form of Photo Identification; Passport, Driving Licence, or ID Card for example.

With traditional SIM cards this was relatively easy because every order, even SIM only, required either physical presence in a retail store (with documents in hand), or a physical delivery to a specified address, where the courier is able to check an ID at the point of delivery. In future, with the introduction of eSIMs, there may not be a requirement for a physical delivery when someone registers onto a network - and therefore no opportunity for physical interaction with the customer for ID verification or authentication.

The Future of eSIMs

Most mobile operators are working hard to move as much of the customer journey to self-service via fully automated on-line channels, so the idea of new customers using fully automated provisioning via eSIMs rather than coming to a store for an identity check is highly attractive. For those working to a regulatory regime that requires a robust KYC check this creates a bit of a problem. To overcome this challenge, mobile operators need to consider all aspects of the customer journey, from proposal right through to the document authentication process.

Example Existing Customer Process

Step 1 of any registration process should be an ‘existing customer’ check. If you are dealing with an existing customer, and an ID document is already on file, then simply initiate the User Authentication Process, using previously authenticated data from within your customer identity systems. For stronger KYC, this can include a multi-factor authentication process, for example entering an existing username/password combination followed by a one-time-password sent to a registered mobile device.

Diagram - Customer Known

A typical 'existing customer' process should look a little like this

Example New Customer Process

If on the other hand you are dealing with a new customer, then the process required will be slightly more complex. Legally required data such as name and address is gathered before initiating an ‘Attribute Assurance’ Process - verifying data are genuine through comparison with e.g. a credit bureau, or a bank account verification. Following Attribute Assurance, an ‘ID document’ process takes place, verifying the user against a digitally scanned form of government photo ID, checking both that the ID is genuine, and the person using it is authentic. With customer consent, a copy of this identification can be archived before activating the eSIM.

Diagram - Customer Unknown

What a new customer registration process might look like in an eSIM world.

Intelligent Authentication from ForgeRock is designed to enable innovative customer journeys that bring your Digital Transformation strategy to life. To find out more about ForgeRock's market leading Customer Identity and Access Management platform for Communications and Media click here.

To read the article in full, see Tim Barber's post on LinkedIn.