In a global health crisis like Covid-19, online trade has become an essential service. But getting started is not as easy as it seems, especially if you are considering expanding across borders. With over 40 countries in Europe, all doing things their own way, you really have to do your homework if you want to figure out how each country operates. Practically, technically and legally.
So, let’s imagine you’re trying to do this on your own. How would you do it, step-by-step?
In order to sell anything, especially to people you will never meet in person, you need to follow requirements to assure and prove customers’ identities digitally. You need to:
These are difficult tasks to perform and are governed by separate, national laws, and very often, these are in different languages. So developing your own solution to cover all of these tasks is not easily done.
The same headaches existed - and have been solved - for payments. When paying for a product or service, directly integrating with your bank or Visa is today completely unnecessary. You don’t need to set up an API for each bank. In order to save time, you use a service which has already done the work integrating with your payment sources such as PayPal, Stripe, or Klarna. Even global companies use third-party payment services to provide their customers with the easiest process possible. Not only is it easier for them, but it also provides their customers with peace of mind.
Depending on the business you hope to move across borders, there are different levels of assurance required to prove identity. If you are handling very low-risk purchases, a customer could simply login with a low-level Google account. But if you need to look a customer up in public records or business registries, or find their credit score, you need to know their identity in real life, not just their internet identity which may not even be real. You need a high-level of assurance which deals with highly trustworthy identification methods such as an eID (electronic identification).
There are also legal requirements, and internal requirements, which can dictate which level of assurance you need. And these change from country-to-country.
For example, there are legal requirements for financial institutions to meet with anti-money laundering (AML) regulations. Companies are also obliged to do background checks on their customers. These are called Customer Due Diligence (CDD) or KYC (Know Your Customer). These check everything from the customer’s address to if they are a politically exposed person. In some situations, you need a high-level of assurance of your customer’s identity.
The trust service you provide would have to identify this person with 100% certainty. But in order to find out if the identification methods you use comply with the level of assurance needed in each country, you have to do a significant amount of research.
Most countries have their own eID provided by their own service providers. Some countries such as Germany, Norway and the Netherlands actually have more than one! If trying to do business in these countries, you must implement these eIDs in your solution. With nearly 30 countries in the EU, you may have to implement nearly 30 completely different eIDs.
Even if this has been completed, each country has many different local laws and regulations you also need to comply with. This can be incredibly complex.
You need a common API to connect to numerous eIDs, registry lookups, social logins, and other technologies. This takes lots of time and money to integrate yourself.
As a developer, you not only need to know which type of eIDs to implement, but also how to integrate them into your solution. In order to do this, you need to use encryption schemes and algorithms such as hash and signing algorithms. As these are not commonly used by developers, you will have to quickly learn how to implement them correctly without any fault at all.
And even if you are able to develop these correctly, there is the issue of how each country returns data using API-calls. Each country can have different formats for customers to return data, such as names and dates of birth. Some countries may return data with the first name, then the last name. Others with the last name, then the first name. It’s all very confusing! Countries return dates of birth in different formats too. For example, many countries in Europe format their dates as ‘Day, Month, Year’. But there are countries such as Germany or France which can format their dates as ‘Year, Month, Day’.
This means you regularly have to parse the data from each country. You will have to spend time and money to sort out reams of data in order to normalise across borders. As a burgeoning business, you just don’t have time for that.
Using a trust service provider such as Signicat normalizes this data across every market you want to enter, now, or in the future. It will provide it in exactly the same format, depending on the type of data they represent. For example, no matter how the data is formatted by the country, Signicat will format the date by ‘Year, Month, Day’, so you don’t have to sort through the data. By providing even just two input parameters in Signicat’s solution, such as the organization number and the country, this allows you to access only the data you need.
Using Signicat’s solution means you implement eIDs, digital identities and login processes in just one way. Not one for every single country, in a way that complies with local laws and norms. And you get to choose your preferred language too.
So when it comes to gathering data on customers, it is unnecessary to create your own solution. Just as with payments, all the hard work has already been done for you. Signicat gives one point of integration to validate data, so you have more time to focus on expanding your business.
Rune is Vice President of Technology at Signciat
December 16 2020