Establishing identity in a digital world.

A few weeks ago, I met an old acquaintance, one of the founders in a startup that's into smart due diligence for collateral verification and analytics for fraud prevention.

With the digitalisation of almost everything and everyone, creating digital connections is far more easily doable than in a disconnected and physical old. As they deal with determining the identity of a person to ascertain ownership of the asset, they do come across scenarios of no digital identity and no digital records. That's when establishing the connection is challenging, and only a tech solution cannot help; human intervention is required.?

How can it be further reduced and brought to a minimum - is their goal.?

An interesting (for me) challenge during our conversation was the case of multiple same records and how to?determine the legitimate one with the information available.

Scenario - Two people (or could be more) having the same first name, middle name, and last name turned out to be not such a rare issue as thought. With no supporting identity proof (except that the local folks could give their statement as witnesses), how can a digital KYC process establish the link between the owner and the asset?

(If there is no data, could it qualify as a data science problem?)

While such cases could be more prevalent for individuals, identity verification for a business could be spared of this challenge, or it would be, in?a real?sense rare case. With this closing thought,?we moved to some other topic.

Quite an intriguing discussion, but was left open.

A few days ago, came across a GST fraud case; a typical case of fake invoicing to pass on ITC credit. The?news article mentioned the name of the entity and its location. The left-open discussion surfaced. Despite knowing the outcome, decided to test this assumption by probing further into the fraud case and using the publicly available data for the business (GST and MCA).?

Some findings -?

1. The news article had the name of the fraudster company mentioned. On searching the company by name, found?several results; with the same, different GST Registration numbers were different, but all referring to the same PAN. Location of one GSTIN matched with that mentioned in the news article. As the PAN was same for all results found, I concluded it's the company I should be looking at.

However, instead of inference, it could have a straightforward conclusion if the GSTIN was also published in the news article. As per GST rules, businesses are supposed to display their GSTIN prominently in their offices/premises. So kind of public information already. Publishing GSTIN is useful for others to check and see if they are dealing with such fraud parties unknowingly.

2. The GST filing history of this GSTIN was a perfect example of a fishy business?- irregular. All the late filings clustered around one day and, in some cases, no filing.

On the GST portal, one can also get if the GSTIN has been paying full taxes?(as per GSTR 3B ) as declared (in GSTR1). Anyone can see this information for any GSTIN post-login. Should this information be treated as publicly available or private is an area of debate. Given the usefulness of this data, I strongly advocate that it should be publicly available and made available via APIs. This will help to check this data programmatically without the need to log in?GST web portal and curb the malpractices and illegitimate ways of getting data by web scraping.

So for the fraud GSTIN, I did not check if the payment of taxes to the Government was in line with the tax liability declared; it's highly probable that there would be discrepancies. Ultimately fake invoices are done to pass off credit to the purchaser, and the invoice-generating supplier doesn't intend to pay taxes.

3. GST registrations are state-wise.?So a company can have many GSTINs. Fraudsters who want to pass on fake invoicing tend to have many GSTINs for this purpose. As expected, there were 10-12 GSTINs for this company. Mostly all were cancelled within a few months of their registration. The filing pattern of all GSTINs belonging to this company has been irregular and less. Again an indication that something isn't right.

4. Another good source of public data for companies is MCA portal. Status of companies, whether active or struck off, details of charges, directors and other directorship held by them are quite useful while evaluating a company's health. The Balance Sheet and P&L statement can also be obtained by paying some fees. These data sets are not yet available via APIs. And hope we get there soon.

For this company, I stuck to the freely available information. The address on the GST system and MCA does match.?So, its the same company (proved again).

5. The company has two directors, and they do not hold directorship in another company. So no more legally registered entities to look at on the MCA portal. However, fake invoicing could still be done from other fictitious?entities, especially as proprietorships. But then some trace on the GST system should be available.?

GSTIN public information does provide Legal and Trade?names. So a check on the legal name could reveal?if these directors have any other GST registrations taken in their individual capacity. I wasn't expecting any (because there were no other companies) but found one. The status was Inactive.?

Connecting the dots can be further expanded to see other registrations, such as Udhyam for MSMEs, Stock Exchange filings for listed companies and more. So the assumption gets validated that establishing a company entity is possible with publicly available data.

And that's what many fintech and KYC solution providers have been trying to do. If data collection, storage and retrieval are designed to make it programmatically consumable, things become easy, efficient and speedy.

Data users and aggregators should follow fair and legitimate practices of getting and making data available. The use of portal credentials to scrap data or bypass certain steps will surely attract trouble and even ban running operations. Be mindful that regulators and regulations are also evolving to suit the needs of the digital world.

After the identity of the entity, the next would be the document. With e-invoicing and private IRPs coming into the picture, a document will also get a unique identity - IRN and QR code. Fake invoicing will become difficult.