from Hacker News

Wise (formerly Transfer Wise) are asking me to send them photo of my ID

by gwnywg on 12/3/23, 5:44 PM with 74 comments

Hi HN,

I wonder if anyone here knows how is Wise handling photos of ID when they request one.

I'm Wise customer since 2012, used it without any problem multiple times and was happy with the service I was receiving.

A few days ago I received an email asking me to send a photo of my ID and also photo of my face.

I understand they are doing this to fulfill some regulations but on the other side I can't stop thinking what damage will it cause if they fall a victim of hackers attack and photo of my ID is stolen from them. In the country where I live you can take a loan based on information from ID.

Please share if you have gone through that process or if you know what they do with those photos once they confirm the photo of face matches with the photo on ID. I asked them through e-mail and will post here if I hear back.

--edit--

I should have mentioned photos are uploaded through Wise web app, not through the e-mail, sorry if my explanation was confusing.

by traceroute66 on 12/3/23, 6:28 PM
Speaking as a long-standing Wise customer who was asked to revalidate ID within the last 12–18 months ....
If Wise are asking you to email your ID, then that request is NOT kosher. Period.
A real email from Wise would invite you to login to the Wise website and upload it.
You do not even have to follow a specific link, because they flag your account so that whenever you login you are instantly prompted to upload ID. Infact the same flag will put a temporary block on your account until such time as you have submitted ID and they have validated it.
So, it follows that if you can independently visit the Wise website, and you can login, and you are NOT prompted for ID, then you have hard confirmation right there that the email you received is not kosher.
IN ADDITION: I would invite you to go to your Wise profile settings and add a custom "email ID" (or whatever they call it) that way you know for sure if a Wise email is kosher because only you and they know the ID that will show at the top of any genuine email they send you.
by Fischgericht on 12/3/23, 6:25 PM
This is called "Perpetual KYC" (Know-your-customer), it didn't exist back when you signed up. Depending on your risk score, your data needs to be validated every 5 years, every 3 years or even annually.
So, this is the new normal.
(I also just had to do it yesterday.)
I still love Wise and I am happy to go through this KYC stuff. Because in exchange they pretty much accept paying everywhere, where other payment providers would block your payment. I often have the situation that credit cards from my local (German) bank reject purchases made abroad, and every time I am so happy that Wise always works.
by paulette449 on 12/3/23, 7:00 PM
Over Black Friday I tried to buy two pairs of shoes from Vessi. This would've been my third order from them with the same delivery details in 24 months. They told me my order was flagged for random security check and asked me to send them a copy of my driving license / passport by email. I told them that these were an incredibly sensitive documents with which a bad actor could literally take over my life, reminded them that I was a repeat customer, and asked them if they could send me any independent verification of their cybersecurity chops. They responded with a templated response telling me that the order would be cancelled if I didn't send them my license/passport. I told them to go ahead and cancel it. They've lost me as a customer. I'm not sending those documents to a shoe store with no ability to even confirm there is any security behind the scenes.
by mmxmb on 12/3/23, 6:24 PM
Yes, I’ve received a similar email from them in the past. It’s not the first time a financial services company asked me for these documents in the recent years. I assume they need it for their KYC/AML checks.
In my case, I believe it was triggered by a specific transfer I received. But I didn’t want to ask for details why that happened, since that’s usually considered a red flag by a financial services provider.
by solardev on 12/3/23, 6:15 PM
I had to do the same thing when I signed up a while ago. I thought they'd just scan it and trash it, but apparently not... their privacy policy says they do collect the photograph, national ID info, etc. And then they'll do their best to protect it: https://wise.com/gb/legal/global-privacy-policy-en
> Additional information you give us for security, identification and verification purposes may include your [...], photograph, [...], proof of residency, passport and/or National ID. If you fail to provide any of this information, it might affect our ability to provide our Services to you.
> As part of our identity verification process we collect, use and store biometric data, namely: We extract face scan information from photos and videos [...]. We will retain biometric data for the period necessary to complete the identity verification process, and in any case no longer than 1 year after collection, unless required by law or legal process to keep it longer.
Their US Facial Scan privacy policy has a bit more detail, and apparently they outsource that to a company called Onfido (https://onfido.com/): https://wise.com/us/legal/facial-scan-notice
I'm not sure if that same method is used internationally.
But yeah, it's an overall risk for sure. You'd hope they'd be a bit more cautious being a financial institution and such, but you never know. If it gets leaked, it'd probably be very hard to deal with a situation like this internationally.
by voussoir on 12/3/23, 11:04 PM
I had an account with privacy.com for about four years, then in July of this year they disabled my account and requested I upload photo ID and a selfie. I told them that if a four-year-old account with no issues has suddenly "failed to validate security checks", that's their problem and not mine. So, my account is still suspended and I've never used it again.
I was on their free plan anyway, so I can't say they "lost a customer". But I think asking users to upload a selfie is humiliating and I don't want to take part in it.
by TekMol on 12/3/23, 6:16 PM
I think in most countries, and ID is to identify yourself with it. Not to copy it by giving someone a photo of it. If you give someone a photo, they could identify as you with that photo, breaking the whole concept of an "ID".
What happens if you don't give them a photo of your ID? Do you already have funds from you? Are they in the same country as you? I would be surprised if they could legally blackmail you into giving them a photo of your ID.
by i_have_an_idea on 12/3/23, 6:31 PM
Due to AML regulations, banks and e-money institutions are required by law to perform KYC procedures on their customers. That invariably means storing and verifying your govt issued ID.
If you don't want to provide your ID, then that essentially limits your options to:
1) cash
2) crypto (assuming you never interface with exchanges/banks)
3) use e-money services up to the cumulative amount that triggers the KYC process. I forget what that is, but probably a few hundred dollars.
by n8ta on 12/3/23, 6:39 PM
I use wise ~1 time / yr. Last time I started a transfer they required ID first. I uploaded two photos and my account was immediately locked since my bday on ID did not match my wise acct (typo). Quick email to support and it was unlocked 2 hrs later. Was able to complete my transaction after that without issue. Fine experience overall if inconvenient.
by nonrandomstring on 12/3/23, 6:38 PM
Treat this as an additional cost.
It's no different than the overhead of a delivery charge, fuel to drive to a event, a sales tax or any other cost you need to factor into a decision or purchase.
Problem is that high probability [0] of data loss doesn't seem a tangible harm you easily attach a dollar value to. You should think about this and try, even if you are wrong, to get a sense of what that really means to you as a loss prospect [1].
If the company is "doing it because of some regulation" that's their problem not yours. You will find alternatives. Meanwhile their claims to need your ID photo is simply their cost of doing business in that market, and if that loses them customers, then things are working as expected.
[0,1] Probably higher than you think
by KaiserPro on 12/3/23, 6:32 PM
Your location is the biggest determinant of this. I'm in the UK and was asked to re-validate my ID recently.
I had to provide my ID when I signed up about 4 years ago.
This is part of the theatre of stopping small scale money laundering. Any laundering not using HSBC[1] is considered bad form.
[1]https://www.fca.org.uk/news/press-releases/fca-fines-hsbc-ba...
by imarkphillips on 12/3/23, 8:12 PM
Yep. Wise are one of the more agressive banking providers with their KYC. Twice yearly is becoming normal for Wise. (7 year customer here too)
But its normal for banks to do this. One of my banks (our group has over 10 accounts on 4 continents) even sent a KYC renewal the day after my French residency permit expired. Had to upload and tdo the selfie thing with the new permit to get access to the account again.
I echo the other comments that you should use the official banking apps for doing your KYC/KYB process.
by EricRiese on 12/3/23, 8:13 PM
I feel like the way this sort of thing should work is you'd have a class of entities that you would trust to be identity providers, like banks, credit unions, ID.me, maybe cell providers and maybe Google/Apple/Microsoft if you so choose. Then another class of entities like Wise or regular merchants could verify your identity via some sort of OAuth connection with a cryptographic handshake underneath.
by tkiolp4 on 12/3/23, 6:41 PM
But do they need to keep your ID in their dbs? I would imagine a simple check would suffice and then they could discard the uploaded ID. They could check every year. I really don’t trust internet companies in general, and having to upload my passport in many websites worries me. Last time it was Hetzner. I also use Wise. What’s next? Amazon?
by lxgr on 12/3/23, 6:15 PM
Of course online services need your photo ID! How else are they going to make sure the person standing in front of them is really you? /s
This pattern is up there with “SSN as an authentication bearer token” and needs to stop yesterday (but I’m not holding my breath for that).
by lutorm on 12/3/23, 6:58 PM
In Sweden, you can't open a bank account without showing your face and ID. I just had to do this for my Wise account, too, and it seems par for the course for the quite intrusive money laundering rules in the EU these days.
by sireat on 12/3/23, 6:52 PM
Every money transmitter/service/bank/financial institution/western facing crypto exchange/auction house/betting place at some point in time(at certain transcational threshold (ask a black box for the threshold)) will ask for ID/some sort of KYC.
Now you can of course decline, but it will severely limit your options.
by daft_pink on 12/3/23, 6:25 PM
It's a money transfer service. They have strict regulatory requirements.
I've used them for a long time and I feel they are honest.
by latchkey on 12/3/23, 6:44 PM
Wow, that's all?
Wise made me send them $20 to prove myself before they would allow me to accept money from a friend whom I loaned $500 during covid (also through Wise).
Of course, I could withdraw it afterwards, for another small fee.
If only there was an easy decentralized way to send money around the world without all this KYC bullshit... I know that there are criminals in the world abusing the system and we all have to pay for it, but still... there should be a way to mark yourself as "global entry" and stop presuming that you're a fraudster...
by hn_throwaway_99 on 12/3/23, 6:44 PM
As some comments have stated, this is a compliance requirement related to "perpetual KYC", or Know-Your-Customer.
I'm just commenting due to how extremely idiotic these regulations are. It won't be too long in the future when we get a major breach where millions of drivers license images and selfies are leaked, because these regulations force all of these individual financial institutions, many with dubious levels of security competence, to secure this data.
As a perfect example, when Stripe first came out with their Identity product (which takes ID and selfie images, and had a great UI and API), a lot of people were really surprised that, unlike Stripe's credit card processing APIs which never give the developer access to the customer's full credit card number (and is a major benefit to using something like Stripe - developers can delegate most of their PCI responsibilities), this was not the case with Stripe Identity: developers have full access to ID and selfie images.
In Stripe's defense, they explained they had to build it this way: KYC regs require these financial institutions to keep this raw data for compliance. These regulations really need to be updated so that institutions can instead delegate to a certified provider something like "This provider verified the customer's ID and selfie with this information..." The regs should also be updated so that nobody is forced to store these images indefinitely - it's just a recipe for disaster.
by audnaun252 on 12/3/23, 6:10 PM
they should have this verification flow in-app. emails seems a bit phishy
by YWall39 on 12/3/23, 7:27 PM
Most hotels I go to demand to make a copy of my passport. I am sure they have zero security. Why not give it to Wise? What is the concern?
by tardibear on 12/3/23, 5:55 PM
Was the email really from Wise?
by dotcoma on 12/3/23, 6:08 PM
Asking for a photo via email seems a bit too low-tech for me…
by rangestransform on 12/3/23, 6:54 PM
As an aside, why do we tolerate government deptutizing companies not subject to the constitution for the sake of ”””””””””anti money laundering”””””””””?
by ChrisArchitect on 12/3/23, 7:56 PM
Ask HN: