eSIMs: The KYC Challenge & Self-Service Identity

In many countries around the world there is a regulatory requirement to capture and authenticate name and address data for every mobile phone subscription, be it contract or pay-as-you-go [PAYG], with or without a new device included in the deal (e.g. SIM only). Typically, this ‘Know Your Customer’ [KYC] regulation requires a document check of a valid government-issued form of photo identification: a passport, driving licence, or ID card, for example.

With traditional SIM cards this was relatively easy because every order, even SIM only, required either physical presence in a retail store (with documents in hand), or a physical delivery to a specified address, where the courier is able to check an ID at the point of delivery. In future, with the introduction of eSIMs, there may not be a requirement for a physical delivery when someone registers onto a network, and therefore no opportunity for physical interaction with the customer for ID verification or authentication.

The Future of eSIMs

Most mobile operators are working hard to move as much of the customer journey to self-service via fully automated on-line channels, so the idea of new customers using fully automated provisioning via eSIMs rather than coming to a store for an identity check is highly attractive. For those working to a regulatory regime that requires a robust KYC check this creates a bit of a problem. To overcome this challenge, mobile operators need to consider all aspects of the customer journey, from proposal right through to the document authentication process.

Example Existing Customer Process  

Step 1 of any registration process should be an ‘existing customer’ check. If you are dealing with an existing customer, and an ID document is already on file, then simply initiate the User Authentication Process, using previously authenticated data from within your customer identity systems. For stronger KYC, this can include a multi-factor authentication process, for example entering an existing username/password combination followed by a one-time-password sent to a registered mobile device.


Diagram - Customer Known

A typical 'existing customer' process should look a little like this


Example New Customer Process  

If, on the other hand, you are dealing with a new customer, then the process required will be slightly more complex. Legally required data such as name and address is gathered before initiating an ‘Attribute Assurance’ process, which verifies that the data are genuine through comparison with, e.g., a credit bureau or a bank account verification. Following Attribute Assurance, an ‘ID document’ process takes place, verifying the user against a digitally scanned form of government photo ID, checking both that the ID is genuine and that the person using it is authentic. With customer consent, a copy of this identification can be archived before activating the eSIM.


Diagram - Customer Unknown

What a new customer registration process might look like in an eSIM world.
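
The two journeys described above can be sketched as a single fail-closed gate in front of eSIM activation. This is an added example, not ForgeRock's code or part of the original article; the step names, the `Applicant` and `Outcome` types, and the verifier callables are hypothetical stand-ins for real identity services, and it assumes that an existing customer with no ID document on file is re-verified as a new customer.

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional

@dataclass
class Applicant:
    name: str
    address: str
    customer_id: Optional[str] = None  # set when the existing-customer check matched
    id_document_on_file: bool = False
    consents_to_archive: bool = False

@dataclass
class Outcome:
    activated: bool = False
    archived_id_copy: bool = False
    trail: List[str] = field(default_factory=list)  # audit trail of step results

EXISTING = ["password", "one_time_password"]
NEW = ["attribute_assurance", "id_document_genuine", "holder_matches_document"]

def is_known(a: Applicant) -> bool:
    # Assumption: a matched customer with no ID document on file is re-verified as new.
    return a.customer_id is not None and a.id_document_on_file

def register_esim(a: Applicant, checks: Dict[str, Callable[[Applicant], bool]]) -> Outcome:
    out = Outcome()
    for step in (EXISTING if is_known(a) else NEW):
        check = checks.get(step)
        passed = check is not None and check(a) is True  # unconfigured check fails closed
        out.trail.append(f"{step}:{'pass' if passed else 'fail'}")
        if not passed:
            return out  # stop at first failure; the eSIM is never activated
    # Archive the ID copy only for the document path, and only with consent.
    out.archived_id_copy = (not is_known(a)) and a.consents_to_archive
    out.activated = True
    return out

# Constructed sample data: every verifier below is a stand-in for a real service call.
ALL_PASS = {s: (lambda a: True) for s in EXISTING + NEW}

if __name__ == "__main__":
    known = Applicant("A. Example", "1 Sample St", customer_id="c-001", id_document_on_file=True)
    fresh = Applicant("B. Example", "2 Sample St", consents_to_archive=True)
    forged = dict(ALL_PASS, id_document_genuine=lambda a: False)
    for who, cfg in ((known, ALL_PASS), (fresh, ALL_PASS), (fresh, forged)):
        print(register_esim(who, cfg))
```

The audit trail records which step stopped a registration, which is what a reviewer needs when a KYC decision is later questioned.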



Intelligent Authentication from ForgeRock is designed to enable innovative customer journeys that bring your Digital Transformation strategy to life.

To read the article in full, see Tim Barber's post on LinkedIn.


Who Is Tim Barber?

Who’s Tim? In his past, he worked with some big names like Pitney Bowes Software, Experian, and SurfKitchen. These days he serves as the VP of the Communications and Media Industry here at ForgeRock where his mission is to understand what major problems and cool opportunities telecoms and media companies are working on, figure out how ForgeRock can help them, and then lead them down the path to success. Sound easy? Well that’s just Tim’s childhood magician skills being put to work.
