Wise (formerly TransferWise) are asking me to send them a photo of my ID
39 points by gwnywg on Dec 3, 2023 | 74 comments
Hi HN,

I wonder if anyone here knows how is Wise handling photos of ID when they request one.

I've been a Wise customer since 2012, used it without any problem multiple times and was happy with the service I was receiving.

A few days ago I received an email asking me to send a photo of my ID and also a photo of my face.

I understand they are doing this to fulfill some regulations, but on the other side I can't stop thinking what damage it will cause if they fall victim to a hacker attack and the photo of my ID is stolen from them. In the country where I live you can take a loan based on information from an ID.

Please share if you have gone through that process or if you know what they do with those photos once they confirm the photo of the face matches the photo on the ID. I asked them through e-mail and will post here if I hear back.

--edit--

I should have mentioned that the photos are uploaded through the Wise web app, not through e-mail; sorry if my explanation was confusing.



Speaking as a long-standing Wise customer who was asked to revalidate ID within the last 12–18 months...

If Wise are asking you to email your ID, then that request is NOT kosher. Period.

A real email from Wise would invite you to login to the Wise website and upload it.

You do not even have to follow a specific link, because they flag your account so that whenever you log in you are instantly prompted to upload ID. In fact the same flag will put a temporary block on your account until such time as you have submitted ID and they have validated it.

So, it follows that if you can independently visit the Wise website, and you can log in, and you are NOT prompted for ID, then you have hard confirmation right there that the email you received is not kosher.

IN ADDITION: I would invite you to go to your Wise profile settings and add a custom "email ID" (or whatever they call it). That way you know for sure if a Wise email is kosher, because only you and they know the ID that will show at the top of any genuine email they send you.


This is called "Perpetual KYC" (Know Your Customer); it didn't exist back when you signed up. Depending on your risk score, your data needs to be validated every 5 years, every 3 years or even annually.

So, this is the new normal.

(I also just had to do it yesterday.)

I still love Wise and I am happy to go through this KYC stuff. Because in exchange they pretty much accept paying everywhere, where other payment providers would block your payment. I often have the situation that credit cards from my local (German) bank reject purchases made abroad, and every time I am so happy that Wise always works.


"So, this is the new normal." You're right - I've had to do a few KYC checks recently with banks, lawyers, and accountants, and in the past I've had to do it for a personal finance application for an "interest-free deal" from a furniture store. Here in NZ there's legislation that mandates the KYC checks as part of anti-money laundering laws.

Unfortunately, I've already had sensitive information breached because of this - twice! One was from a large financial institution in Australia called Latitude - I didn't even know that I had ever interacted with them, but they are the parent company of a bunch of these interest-free credit card deals.

So yes, this is the new normal but it's not good.


More to the point, regular banks are subject to this as well (although Wise keeps insisting it's not a bank, fooling exactly nobody) and require people to show up in person for identity verification every so often. At least mine was pompous enough to demand that.


I'm fine to do this in person, but you are right, a regular bank is at risk of having my data stolen. The only difference is I can't function without a bank, but I am able to function without Wise... that's probably what makes me think about whether it's OK to take the risk here.

Reading other commenters I think it should not be a big deal; maybe the itch I feel is part of my weirdness.


It depends on your circumstances and local laws too. In the US there are laws limiting your liability for fraudulent use of your funds, credit cards, etc. I don't keep money in Wise for more than a few hours, and once it's in my real bank account, it's relatively safe. Not that I have much money to begin with lol.

And in my case, I need Wise to get paid. So the choice is between "slight risk of identity theft" and "not being able to pay rent".


> although Wise keeps insisting it's not a bank, fooling exactly nobody

I think it has to do this, at least in the UK (where they're domiciled). The UK has very strict regulations on financial products, and especially around using the word 'bank', so they probably need to be absolutely profuse in letting customers know they're not a bank.


Yep, other banks and neobanks did that to me as well - local bank, Revolut, etc. all had requirements for ID.


> although Wise keeps insisting it's not a bank, fooling exactly nobody

Well, it's not a bank because you don't get deposit protection with Wise (if you are in a country that has such things).


> I am so happy that Wise always works.

Always works is a bit strong. I have a few horror stories.

Certainly Wise are not as good as they used to be back in the day.

I still use them, mostly because they are probably the safest fintech outfit compared to the others that operate out of, e.g. Hong Kong. But I'll still never forgive them for some of the dumb shit they've done on some of my transactions in recent years (sadly I can't discuss in public because, well, you know, security).

What I can say publicly are more generic things like how transactions can be so lethargic these days, i.e. operationally they are clearly batching and netting far more aggressively, which is clearly entirely for their operational convenience... who cares if your transaction doesn't go through for 4–8 hours, right?


Re: batching.

If I send from a non-Wise account in currency A to currency B directly to a non-Wise B-denominated account, it can take hours/days.

If I add and convert the balance first to currency B within Wise and then send, it's there in seconds.


Over Black Friday I tried to buy two pairs of shoes from Vessi. This would've been my third order from them with the same delivery details in 24 months. They told me my order was flagged for a random security check and asked me to send them a copy of my driving license / passport by email. I told them that these were incredibly sensitive documents with which a bad actor could literally take over my life, reminded them that I was a repeat customer, and asked them if they could send me any independent verification of their cybersecurity chops. They responded with a templated response telling me that the order would be cancelled if I didn't send them my license/passport. I told them to go ahead and cancel it. They've lost me as a customer. I'm not sending those documents to a shoe store with no ability to even confirm there is any security behind the scenes.


Yes, I’ve received a similar email from them in the past. It’s not the first time a financial services company asked me for these documents in the recent years. I assume they need it for their KYC/AML checks.

In my case, I believe it was triggered by a specific transfer I received. But I didn’t want to ask for details why that happened, since that’s usually considered a red flag by a financial services provider.


I had to do the same thing when I signed up a while ago. I thought they'd just scan it and trash it, but apparently not... their privacy policy says they do collect the photograph, national ID info, etc. And then they'll do their best to protect it: https://wise.com/gb/legal/global-privacy-policy-en

> Additional information you give us for security, identification and verification purposes may include your [...], photograph, [...], proof of residency, passport and/or National ID. If you fail to provide any of this information, it might affect our ability to provide our Services to you.

> As part of our identity verification process we collect, use and store biometric data, namely: We extract face scan information from photos and videos [...]. We will retain biometric data for the period necessary to complete the identity verification process, and in any case no longer than 1 year after collection, unless required by law or legal process to keep it longer.

Their US Facial Scan privacy policy has a bit more detail, and apparently they outsource that to a company called Onfido (https://onfido.com/): https://wise.com/us/legal/facial-scan-notice

I'm not sure if that same method is used internationally.

But yeah, it's an overall risk for sure. You'd hope they'd be a bit more cautious being a financial institution and such, but you never know. If it gets leaked, it'd probably be very hard to deal with a situation like this internationally.


Thanks, I'll dive into the sources you shared. At the moment I'm glad I'm not dependent on my Wise account...


I had an account with privacy.com for about four years, then in July of this year they disabled my account and requested I upload photo ID and a selfie. I told them that if a four-year-old account with no issues has suddenly "failed to validate security checks", that's their problem and not mine. So, my account is still suspended and I've never used it again.

I was on their free plan anyway, so I can't say they "lost a customer". But I think asking users to upload a selfie is humiliating and I don't want to take part in it.


I think in most countries, an ID is to identify yourself with. Not to copy it by giving someone a photo of it. If you give someone a photo, they could identify as you with that photo, breaking the whole concept of an "ID".

What happens if you don't give them a photo of your ID? Do they already have funds from you? Are they in the same country as you? I would be surprised if they could legally blackmail you into giving them a photo of your ID.


>I would be surprised if they could legally blackmail you into giving them a photo of your ID.

AML/KYC laws mandate that they "blackmail" you into giving your ID, otherwise they risk being prosecuted for failing to comply.


Define "giving your ID".

I can imagine that there is a law which mandates that you make sure to know with whom you are dealing. And looking at their ID would be an appropriate way to do that.

Identifying someone by receiving a photo of an ID would be absurd. As that very act makes the photo of the ID not able to identify someone anymore. As everyone who receives a photo can now also "identify" as that person.


>And looking at their ID would be an appropriate way to do that.

How does that work for companies like Wise, which don't have a nationwide branch network?

>Identifying someone by receiving a photo of an ID would be absurd. As that very act makes the photo of the ID not able to identify someone anymore. As everyone who receives a photo can now also "identify" as that person.

That's why KYC verifications have been increasingly moving to picture of ID + video.


> How does that work for companies like Wise

Just because the existing laws do not fit a company's business model does not mean that other laws exist.

So I still think there is no law that mandates forcing users to send copies of their ID over the wire.


>So I still think there is no law that mandates forcing users to send copies of their ID over the wire.

In this particular circumstance though, that's a distinction without a difference. If you're a customer of Wise (or any other financial institution that doesn't have a retail presence), KYC laws basically mandate that you upload your documents, because there's no alternative.


Well, all this nonsense is just what happens when the provider of analog IDs (usually a federal, state, or local government) does not step up and provide a digital equivalent.

Online photo ID verification just does not make any sense at all: Identity documents usually have physically hard to forge features that just make no sense in a remote context, and that’s not even factoring in generative AI.

Looking at an ID document without a person standing next to it (whether online or in person) is one level of ridiculous beyond that.

But all of this is brought to you by the industry that thinks an SSN is a bearer authentication token, so I’m not too surprised.


True, but there have been reported cases where even a fake ID obtained through such KYC helped catch criminals (I struggle to find the link; it was part of some story). It's still evidence.


Sure, but evidence after the fact is usually little consolation.

As an individual, my first concern isn't whether the bank/company/whoever got fooled by scammers is eventually made whole and/or the fraudsters are prosecuted: I just don't want my identity to be that easily forgeable in the first place!

And that would solve the larger societal problem too: Make identity theft much more difficult and there won't be as much need for zero-liability provisions, a dispute mechanism for fraudulent credit record entries, law enforcement chasing perpetrators (which is often futile if they're abroad and using unwitting accomplices/money mules) etc.


I wrote that the fake ID helped catch criminals; how is that evidence after the fact? Maybe I misunderstood your phrasing.

> I just don't want my identity to be that easily forgeable in the first place!

That usually means biometrics and more power into the hands of the government (or whoever hacks it)


How does it mean more biometrics? Many governments already issue plastic ID cards; it's possible to embed a smart card chip in these and use the ID as a secure remote authentication method with almost any smartphone.

Such an infrastructure needs to be neither centralized nor government-run: If you prefer state/local governments to be in charge of ID, or even private notary-like entities, you totally can.


> smart card chip

> Make identity theft much more difficult

A stronger guarantee makes it a more attractive target. If some magic token is absolute proof that it is you, then lose that token and go prove to someone that you is you. Just lose your card, and if I find it then I am you and you're done.


Due to AML regulations, banks and e-money institutions are required by law to perform KYC procedures on their customers. That invariably means storing and verifying your govt issued ID.

If you don't want to provide your ID, then that essentially limits your options to:

1) cash

2) crypto (assuming you never interface with exchanges/banks)

3) use e-money services up to the cumulative amount that triggers the KYC process. I forget what that is, but probably a few hundred dollars.


> use e-money services up to the amount that triggers the KYC process. I forget what that is, but probably a few hundred dollars.

Just FYI this is not viable because the limit is cumulative. So you can't just fly under the radar with a bunch of small transactions. Once you hit the KYC limit, ID becomes mandatory.


It's also a crime to organize transactions in this way https://en.wikipedia.org/wiki/Structuring


Did you read the article that you linked?

There is nothing illegal about using an e-money service for a few small transactions. When you eventually reach the cumulative amount that triggers the KYC process, you are under no obligation to complete it and refusing to do so is not "structuring".

Of course, they will suspend your account until you're in compliance with their KYC process.


I didn't mean to imply that it's per transaction.


> That invariably means storing and verifying your govt issued ID.

I get the verifying part, but why is storing after the verification needed?


Record retention schedule for compliance. Auditors and regulators will come ask for it (or rather, a sampling demonstrating you are retaining the records).

(this is a component of my work at a fintech)


Any reason to not store a hash or something? Both you and the govt should have matching info on a person.


Because that is not the retention requirement unfortunately. I’d love for the US gov to allow identity proofing with Login.gov so we get a Boolean or tokenized response and that’d be sufficient (with the record of that response being our obligation to retain), we’re just not there yet.


That'd be great for everyone. A citizen would be able to view and revoke tokens.


I use Wise ~1 time / yr. Last time I started a transfer they required ID first. I uploaded two photos and my account was immediately locked since my bday on the ID did not match my Wise acct (typo). Quick email to support and it was unlocked 2 hrs later. Was able to complete my transaction after that without issue. Fine experience overall, if inconvenient.


Treat this as an additional cost.

It's no different than the overhead of a delivery charge, fuel to drive to an event, a sales tax or any other cost you need to factor into a decision or purchase.

Problem is that the high probability [0] of data loss doesn't seem a tangible harm you can easily attach a dollar value to. You should think about this and try, even if you are wrong, to get a sense of what that really means to you as a loss prospect [1].

If the company is "doing it because of some regulation", that's their problem, not yours. You will find alternatives. Meanwhile their claim to need your ID photo is simply their cost of doing business in that market, and if that loses them customers, then things are working as expected.

[0,1] Probably higher than you think


Your location is the biggest determinant of this. I'm in the UK and was asked to re-validate my ID recently.

I had to provide my ID when I signed up about 4 years ago.

This is part of the theatre of stopping small scale money laundering. Any laundering not using HSBC[1] is considered bad form.

[1]https://www.fca.org.uk/news/press-releases/fca-fines-hsbc-ba...


Yep. Wise are one of the more aggressive banking providers with their KYC. Twice yearly is becoming normal for Wise. (7 year customer here too)

But it's normal for banks to do this. One of my banks (our group has over 10 accounts on 4 continents) even sent a KYC renewal the day after my French residency permit expired. Had to upload and do the selfie thing with the new permit to get access to the account again.

I echo the other comments that you should use the official banking apps for doing your KYC/KYB process.


I feel like the way this sort of thing should work is you'd have a class of entities that you would trust to be identity providers, like banks, credit unions, ID.me, maybe cell providers and maybe Google/Apple/Microsoft if you so choose. Then another class of entities like Wise or regular merchants could verify your identity via some sort of OAuth connection with a cryptographic handshake underneath.


Isn't that basically Plaid?


But do they need to keep your ID in their dbs? I would imagine a simple check would suffice and then they could discard the uploaded ID. They could check every year. I really don’t trust internet companies in general, and having to upload my passport in many websites worries me. Last time it was Hetzner. I also use Wise. What’s next? Amazon?


For compliance you need the ability to prove you did actually validate the ID and not just ticked a checkbox.


Of course online services need your photo ID! How else are they going to make sure the person standing in front of them is really you? /s

This pattern is up there with “SSN as an authentication bearer token” and needs to stop yesterday (but I’m not holding my breath for that).


In the country where I live we have a system which allows me to prove my identity online without having to show my ID (actually I must admit I'm quite impressed by this system). But sadly, Wise is not taking advantage of that..


What system is this? I would love to know more about it.


Quite a few European countries have had something like this for a while now.

There is an initiative (mandatory, for all member states!) to make these interoperable, which will hopefully make them more useful for applications like this.


In Italy we have SPID https://www.spid.gov.it/en/ I believe it is similar to login.gov in US.


Is that used by any private companies at all, i.e. can you open bank accounts or other sensitive private accounts with it?

login.gov is unfortunately only accepted by government services, and as far as I can tell only federal ones too – at least NY state has their own thing... (NY.GOV ID)


In Sweden, you can't open a bank account without showing your face and ID. I just had to do this for my Wise account, too, and it seems par for the course for the quite intrusive money laundering rules in the EU these days.


Every money transmitter/service/bank/financial institution/western-facing crypto exchange/auction house/betting place at some point in time (at a certain transactional threshold; ask a black box for the threshold) will ask for ID/some sort of KYC.

Now you can of course decline, but it will severely limit your options.


It's a money transfer service. They have strict regulatory requirements.

I've used them for a long time and I feel they are honest.


Wow, that's all?

Wise made me send them $20 to prove myself before they would allow me to accept money from a friend whom I loaned $500 during covid (also through Wise).

Of course, I could withdraw it afterwards, for another small fee.

If only there was an easy decentralized way to send money around the world without all this KYC bullshit... I know that there are criminals in the world abusing the system and we all have to pay for it, but still... there should be a way to mark yourself as "global entry" and stop presuming that you're a fraudster...


Some time ago I had to deposit £20 in order to open an account in another country, which I could accept :) but them storing a photo of my ID... makes me feel bad. I would send it if it was used as a means to confirm my data and then erased. If they store it, I'm trying to evaluate the risk I'm taking...


Most companies farm the ID check out to a third party. At this point, I just assume my ugly picture is going to be leaked or sold. If you don't want this, then you should look at other ways of sending money around the world.


As some comments have stated, this is a compliance requirement related to "perpetual KYC", or Know-Your-Customer.

I'm just commenting due to how extremely idiotic these regulations are. It won't be too long in the future when we get a major breach where millions of drivers license images and selfies are leaked, because these regulations force all of these individual financial institutions, many with dubious levels of security competence, to secure this data.

As a perfect example, when Stripe first came out with their Identity product (which takes ID and selfie images, and had a great UI and API), a lot of people were really surprised that, unlike Stripe's credit card processing APIs which never give the developer access to the customer's full credit card number (and is a major benefit to using something like Stripe - developers can delegate most of their PCI responsibilities), this was not the case with Stripe Identity: developers have full access to ID and selfie images.

In Stripe's defense, they explained they had to build it this way: KYC regs require these financial institutions to keep this raw data for compliance. These regulations really need to be updated so that institutions can instead delegate to a certified provider something like "This provider verified the customer's ID and selfie with this information..." The regs should also be updated so that nobody is forced to store these images indefinitely - it's just a recipe for disaster.
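The delegation model described in this comment, and in the earlier comment proposing trusted identity providers with a cryptographic handshake underneath, can be made concrete. The block below is an added example and is not code from Wise, Stripe, Onfido or any provider named in this thread: a hypothetical verification provider issues a MAC-signed attestation of the checks it performed, and the relying party stores and re-checks only that attestation, never the document images, with an expiry that drives the perpetual-KYC re-verification cycle. PROVIDER_KEY, the field names, the timestamps and the image bytes are all constructed for the demo; the shared HMAC key is an assumption made to keep the example in the standard library, and a real deployment would use a public-key signature so that the relying party cannot forge attestations itself.

```python
import hashlib
import hmac
import json

# Constructed demo secret shared by the hypothetical provider and the relying
# party (assumption: in practice the provider would sign with a private key).
PROVIDER_KEY = b"constructed-demo-provider-key"
SECONDS_PER_DAY = 86400


def canonical(record: dict) -> bytes:
    """Deterministic JSON encoding so the MAC covers exactly one byte string."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def issue_attestation(customer_ref, document_type, document_image,
                      checks_passed, verified_at, validity_days):
    """Provider side: after running its checks (out of scope here), return a
    signed statement of the outcome. Only a digest of the image is kept, so the
    image itself never has to be handed to the relying party."""
    record = {
        "customer_ref": customer_ref,
        "document_type": document_type,
        "document_digest": hashlib.sha256(document_image).hexdigest(),
        "checks": sorted(checks_passed),
        "verified_at": verified_at,
        "expires_at": verified_at + validity_days * SECONDS_PER_DAY,
    }
    tag = hmac.new(PROVIDER_KEY, canonical(record), hashlib.sha256).hexdigest()
    return {"record": record, "tag": tag}


def verify_attestation(attestation, now):
    """Relying-party side: returns 'valid', 'tampered' or 'expired'."""
    expected = hmac.new(PROVIDER_KEY, canonical(attestation["record"]),
                        hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, attestation["tag"]):
        return "tampered"
    if now >= attestation["record"]["expires_at"]:
        return "expired"
    return "valid"


class RelyingPartyStore:
    """What the institution retains for auditors: attestations only, no images."""

    def __init__(self):
        self._by_customer = {}

    def record_verification(self, attestation, now):
        # Never persist something that does not verify; a bad tag here means
        # the provider channel or the record itself cannot be trusted.
        if verify_attestation(attestation, now) != "valid":
            raise ValueError("refusing to store an attestation that does not verify")
        self._by_customer[attestation["record"]["customer_ref"]] = attestation

    def kyc_status(self, customer_ref, now):
        """'verified', 'reverify' (attestation expired, start a new cycle) or
        'unknown' (never verified)."""
        att = self._by_customer.get(customer_ref)
        if att is None:
            return "unknown"
        return "verified" if verify_attestation(att, now) == "valid" else "reverify"

    def stored_fields(self, customer_ref):
        """Audit helper: the exact field names retained for a customer."""
        return sorted(self._by_customer[customer_ref]["record"])


if __name__ == "__main__":
    T0 = 1_700_000_000  # constructed epoch timestamp for the demo
    image = b"constructed placeholder bytes standing in for a passport scan"
    att = issue_attestation("cust-001", "passport", image,
                            ["document_authentic", "face_match"], T0, 365)
    store = RelyingPartyStore()
    store.record_verification(att, T0 + 60)
    print(store.kyc_status("cust-001", T0 + 30 * SECONDS_PER_DAY))   # verified
    print(store.kyc_status("cust-001", T0 + 400 * SECONDS_PER_DAY))  # reverify
    print(store.stored_fields("cust-001"))  # no image field is retained
    forged = {"record": dict(att["record"], checks=["address_confirmed"]),
              "tag": att["tag"]}
    print(verify_attestation(forged, T0 + 60))  # tampered
```

The point of the design is in what the relying party keeps: a short signed record that says which checks a named provider performed and when, plus a digest that lets the customer re-present the same document later if an auditor asks. The images stay with the provider under its own retention limit, so a breach of the institution yields signed booleans rather than a pile of passports. Whether a regulator accepts this in place of raw documents is the open question the comment above raises; the code only shows that the technical side is straightforward.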


Someone should do "Uber for Notaries Public"


They should have this verification flow in-app. Emails seem a bit phishy.


Most hotels I go to demand to make a copy of my passport. I am sure they have zero security. Why not give it to Wise? What is the concern?


Where I live, anyone who has access to my ID can take a loan in my name... Hard to believe, but there are some people who are paying loans they have not taken..


I do wonder if that could happen where I live. Regardless, it is hard to stay in hotels without them copying passports, a local law. Happened to me last month in both Switzerland and Italy. And in one I saw them leaving piles of passport copies on a table for anybody to pilfer.


Was the email really from Wise?


Yes, I also checked in the inbox (in their web app), the request is legit


Scam or incompetence. Photos can be doctored up the wazoo of course, even invented outright.

Not to mention, no one cares a bit about securing other’s data.


Asking for a photo via email seems a bit too low-tech for me…


I signed up a while ago, but IIRC it was an in-app or web-based signup process. You'd line up your license in the frame, etc.

This other comment has a bit more detail: https://news.ycombinator.com/item?id=38509331

They use a subprocessor called Onfido, at least in the US: https://onfido.com/


Onfido is a well-known name in KYC. I don’t understand why they are not making the request via Onfido’s app or website.


I don't remember the process exactly, but is it possible they're just whitelabeling Onfido?


As an aside, why do we tolerate government deputizing companies not subject to the constitution for the sake of ”””””””””anti money laundering”””””””””?


Ask HN:


My bad, I forgot (and can't edit anymore...)



