Understanding where your user is physically located is critical for compliance, trust and safety, and anti-fraud applications. On this week’s State of Identity podcast, host Cameron D’Ambrosi welcomes Isabella Edmonds, Head of Government Relations at GeoComply. They discuss the shifting regulatory and industry landscape, and the role geographic signals should play within a digital identity tech stack.
Cameron D'Ambrosi, Senior Principal at Liminal
Isabella Edmonds, Head of Government Relations, GeoComply
Cameron D’Ambrosi [00:00:54] Welcome everyone to State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Isabella Edmonds, who leads government relations with GeoComply. Isabella, so excited to have you on for today’s conversation.
Isabella Edmonds [00:01:08] It’s a pleasure to be here. Thank you for having me, Cameron.
Cameron D’Ambrosi [00:01:10] So, you know, GeoComply in many ways is one of those companies that I think many folks have actually interacted with but oftentimes don’t necessarily realize it. And, you know, you guys are the little engine that could, in many ways powering so many things behind the scenes in a frictionless way. To kick things off, for our listeners who are not familiar with GeoComply and, you know, where you fit into this digital identity landscape, what’s a quick 15,000 foot overview of the platform?
Isabella Edmonds [00:01:46] Yeah, definitely. So GeoComply is a leader in geolocation security and compliance. So we have solutions that provide geolocation and anti-fraud and compliance solutions for a range of different markets. And we really started more than ten years ago in the highly regulated US online gaming and sports betting industry. So actually it is legal to place bets across state lines. And so there is this need to contain activity to jurisdictions where it was allowed, and that’s really how we started. So what you have now, more than a decade later, is a really robust and sophisticated solution that can tell you where somebody is located down to a few meters, but also cut through the noise and tell you, okay, is this data that we’re collecting accurate or not, which is a really important part. Can I trust this data? Is it being manipulated in any way? So really what we’re seeing now are big needs in other industries beyond just the sports betting and the online gaming, really within sanctions compliance, fraud in financial services, which also include digital assets and crypto, which are a hot topic these days. As you probably know, Cameron.
Cameron D’Ambrosi [00:03:00] Yeah. You know, I think you hit the nail right on the head. You know, in some ways, this conversation, I think, mirrors one that we’ve had, you know, kind of following Liminal and, before Liminal, One World Identity’s journey in digital identity. Regulatory mandates are often kind of the tip of the spear when it comes to the deployment of new technologies. And you often see high concentration in certain verticals that have the most stringent requirements and then ultimately end up with, you know, other market segments being fast followers and then oftentimes other industry verticals kind of of their own accord recognizing, you know, I actually have a use for this. And even outside of regulators forcing me to adopt this, I can really get strong value out of it. And I think a lot of those dynamics are playing out currently in some of those areas that you just stated. Obviously, the New York Department of Financial Services dropping the hammer, proverbially speaking, on Coinbase with regard to their lack of geographic controls. You know, they were just relying on IP address to determine user location and got called out in this consent order specifically for the fact that they were allowing users to use VPNs or other IP obfuscation to hide their location, which would have kind of aided and abetted Coinbase in recognizing that folks were maybe trying to access accounts, move money to and from sanctioned jurisdictions in conjunction with that. You know, early in this year, we saw Louisiana dropping kind of a first in the nation law that mandates that pornographic websites do mandatory age verification for any user visiting from the state of Louisiana. We’ve seen that platforms are beginning to use IP address for that type of compliance, but I don’t think it’s a stretch to say that, you know, the regulators in Louisiana are going to be taking a look at, is that enough? Like this is so easy to bypass because of VPN.
You know, are these sites doing the bare minimum, which is maybe starting to collect some other signals to indicate, you know, where are these users actually physically located? Is it within the jurisdiction of Louisiana? And what does that mean for the age restrictions?
Isabella Edmonds [00:05:46] Yeah. No, definitely. You hit on some really important points there. And really, one of the things I’d love to give, like a brief history of the IP address. IP addresses have been around since the 1980s, and in 2008, Apple actually released its first iPhone with the GPS. So today we’re relying on IP addresses, which, as you mention, highly inaccurate, very easy to spoof. So you’re not actually getting any really great insights from that piece of information. Right, other than like, yes, they’re using a VPN, but you know, what’s next? Where is that person actually located? So now we give consent to the app that we order groceries from. They know where we’re located because they asked for our geolocation. But when it comes to compliance programs, right now, a lot of financial services and really a lot of companies are relying on IP address for their sanctions compliance, for their fraud and for their digital identity solutions, for their KYC and customer due diligence processes. You know, how are we basing these compliance programs on a data point that essentially doesn’t tell you that much about a user? And right now, the compliance problems, the fraud problems, they’re no longer local problems. They are really global because anyone from anywhere can access a platform using these tools that essentially circumvent any jurisdictional, you know, barriers that might be in place. And the sanctions aspect is just so important. And as you mentioned, this has been a really hot topic this past year. And when we’re looking at sanctions requirements, you know, in the U.S., you cannot accept transactions coming from Syria, North Korea, Cuba, Iran.
And where we see the importance of using advanced geolocation, as opposed to a simple IP address, are really in cases such as Crimea and the LNR and DNR regions within Ukraine. You have to create very accurate virtual borders, essentially like latitude, longitude by latitude, longitude, pinpoint accuracy, to be able to tell that you are not in any risk of any sanctions evasion. And if you’re not collecting that data and not verifying that that data is being manipulated, you essentially have a huge compliance gap. And that’s what we’re seeing, you know, today with Coinbase and what we’ve seen with Bittrex, Kraken and others that are not really leveraging the data that is available. It’s not, you know, it’s not a new technology. We’ve been leveraging this for over a decade. So there are tools that are available, but they’re just not being used right now.
Cameron D’Ambrosi [00:08:38] Yeah, I think that’s a great point. And you know, in our kind of pre-record conversation, you know, one of the things that I wanted to surface that we were chatting about that I think is so, so important is, you know, what is the point of these limitations that platforms are putting in place? What is the point of collecting something like someone’s name or address in text form or asking for their location or asking for their IP address? You know, you’re not really looking for that information, so to speak. What you’re looking to do is prove an assertion, like is this Cameron behind this device at this exact moment in time? And the richer the tapestry of signals that you can build, the greater the level of assurance you can reach as to, you know, the truth of that attestation. Obviously, it’s not that hard for someone on the Internet to look up my name, my address, even my Social Security number from whether the dark web or just paying like a background check service to do it. Nor is it that hard to get a VPN to make it look like my computer is coming from anywhere in the world. But if you start layering these signals together, the complexity of being right with all of them gets infinitely more difficult. You know, it’s one thing to have my name. It’s another thing to have my SSN. It’s another thing to have my IP address be one that, you know, looks like an IP that should be me and historically has been associated with me. But then if you can layer in okay, and where is his device located right now, all of that together gets that much more ironclad. And I think, you know, pursuant to the earlier point I was making, we’re seeing that regulatory, you know, box checking, so to speak, is just not going to cut it anymore.
The regulators are wise to the difference between, you know, kind of cynically following the letter of the law in an attempt to say we’re in compliance versus compliance with the true spirit of the law and putting in a real, honest, good faith effort as to the kinds of malicious actors off of your platform that you’re regulated to do so. So, you know, I think geography, geolocation data is going to be a critical, critical piece of that equation moving forward. And I think we at Liminal certainly remain bullish on increasing adoption of geographic signals across use cases for applications like trust and safety. And not just when a regulator says, you know, you have to do this in order to protect your platform.
Isabella Edmonds [00:11:21] Yeah, definitely. You hit the nail on the head. Really, where your users are located is just so intrinsic to who you are online. And you said it right. Your... all of your data, your Social Security number, all online, floating about for someone to try to be you. But where you are right now in this given moment in time is really uniquely yours. Right. So, you know, before you would go to a bank in person, present your documents, and now you have all this, you know, online remote KYC and transaction monitoring that has to be done online. But to what we’re seeing regulatory is, you know, as you mentioned, regulators starting to realize that we have to incorporate other data points online. We can no longer be verifying people online like we did in person. So we really have to be adopting. So your billing address is no longer going to be enough to tell you where someone is because it’s absolutely ludicrous. Right. And that’s, you know, with New York DFS and in what we’ve seen today, you need to be using accurate geolocation and be detecting all of these anonymizers, like VPNs and Tor exit nodes, to verify that your user is where they say they are. And if they’re leveraging some of these tools, those tools also tell you a story. They tell you, okay, they’re using a VPN. Why are they using a VPN? They’re using a Tor exit node. Have they been trying to access the dark web? Right. All of these risk flags and signals and behaviors and patterns all tell you a part of, you know, a part of the story of who this person is.
Cameron D’Ambrosi [00:13:13] So, you know, what’s next for the space? You know, I’m fond of asking my guests to kind of lay down some markers, some potential predictions, if you will. You know, where do you see the GeoComply platform headed? And what are you seeing out of whether it’s regulators or out of, you know, end clients when it comes to what they look for in a solution and where those expectations are headed more broadly?
Isabella Edmonds [00:13:44] Yeah, definitely. So I think I’d love to start with, you know, some signs that we’ve seen this past few years with, and it’d be great to start with OFAC specifically. They, for the past couple of years, they’ve had a bunch of enforcement actions on several companies and, as I mentioned, includes Bittrex and Kraken that were recent ones. But all of those enforcement actions have centered around the fact that you need to block out sanctioned jurisdictions or you’re going to be penalized. And those really tell you, you know, what OFAC is looking at right now and what you should be having within your compliance programs. You know, it’s no longer going to cut it that you’re relying on an IP address check. You’re going to need something more. So all of those signals that, you know, enforcement actions are telling us, okay, these are things that they are looking for and they’re essential, you know, for you to be utilizing the necessary technology like geolocation to block this out. So I think we’ll continue to see enforcement actions from OFAC, but also like we saw today with NYDFS, you know, also state regulators. Right now NYDFS has a BitLicense, so this BitLicense is super hard to get. They have really high standards for the companies that they give licenses to. You have to have, you know, state of the art compliance programs, sanctions programs and AML. And as we can see, you know, with Coinbase, if you don’t have those, you’re going to be penalized. And if you want to keep your license and still operate within New York State. So we’re definitely going to be seeing, I think, more of that. This is something like NYDFS action. We’ve just started seeing a lot more action in that sense, but it’s also great to touch on, you know, post FTX and this is has also been a very big topic recently.
What happened with FTX is really going to change how we see regulation and we’ve already seen regulators be very vocal about, you know, crypto regulation is coming and we’re not going to be so nice anymore. Right. There needs to be a lot of programs and robust compliance programs in place to not only protect consumers, but also protect, you know, the financial systems. With FTX, they had FTX.com and FTX US. So in theory these two companies were separate and whatever happened in FTX.com was not really supposed to affect FTX users. What we see in reality is that they actually didn’t have, you know, that many, it was very blended, right? Everything was together. So when we saw the collapse, there is probably a very high number of U.S. There’s a high number of U.S. consumers that have been affected at this. So this tells us if you don’t have any adequate geolocation controls in place, you’re putting customers at risk for U.S. customers because there was no restrictions on whether they could access FTX.com were able to access this use. Products such as yield products that essentially are not, you know, they’re not approved, they’re not legal. They weren’t registered US securities in the U.S. So this is a really, you know, it really will pave the way for crypto exchanges moving forward and really going to impact regulation.
Cameron D’Ambrosi [00:17:25] Yeah, I again, I’m in violent agreement, as they say. You know, I think we have seen a rapid maturity of the space due to, you know, whether you want to talk about the collapse of FTX or, you know, the continued regulatory action and focused attention on the shortcomings of these kind of, you know, I want to say nascent because they’ve been around for a while and certainly I think Coinbase was one of the more mature players. But, you know, these guys have been saying for a long time, like we’re serious. These are serious platforms, we’re serious players. And now they’re kind of being judged on the same standard as actual banks. There’s no more grading on a curve. And there’s going to be, I think, a lot more pain and a lot bigger fines for the platforms that don’t start taking these obligations very, very seriously.
Isabella Edmonds [00:18:21] Now, definitely. And I think there has been a lot of, you know, sometimes resistance because of the ethos around crypto. You know, it’s like, oh, you know, it’s supposed to be anonymous and open up the financial system. But, you know, the reality is that fraud scams, stolen identities, account takeover, money laundering, financing of terrorism, these are all things that exist, right? They are realities within the traditional financial space, but they’re also realities within the digital asset and crypto space. And these are likely to continue to exist. Right. So the truth is that the industry, like the crypto industry, will not be able to thrive and grow and have the impact and the potential impact that it has without regulations and compliance standards that do protect their consumers, but that also protect other companies and financial systems. So definitely going to see a lot of regulatory changes. And as you know, you know, Sam Bankman-Fried was very active in D.C. He testified several times. So there was a lot of trust there with regulators. And especially he did sponsor a bill that was, we had hoped maybe it would pass. We were going to see that there would finally be some regulation. But after what’s happened, as you said, a lot of this trust has really been broken. So I really think that regulators are going to come down with a lot of more stringent. And we’re going to see different regulatory agencies also imposing different things such as the SEC and the CFTC. We’re going to see a lot of movement there, not to mention OFAC and FinCEN as well.
Cameron D’Ambrosi [00:20:08] So to bring us to a close, I love to give my guests what I call the opportunity for shameless plug time for our listener base that is hopefully deeply enwrapped in this conversation and thinking to themselves, how can I learn more about GeoComply and how should I get in touch? What is the best place for them to go and how should they reach out to either get in touch with you or learn more about the platform and your technology?
Isabella Edmonds [00:20:35] Yeah, definitely. One way, easy way to find us is just through our website, geocomply.com, and you can also reach out to us within email, solutions@geocomply.com. So those are two good ways to learn more about us within our website and then email us more directly.
Cameron D’Ambrosi [00:20:56] Fantastic. Well, thank you so much for your time. I greatly, greatly appreciate it. You know, I think this is a topic that is going to be top of mind for many folks. And sadly, maybe that the people who are not aware of this issue at all and are not tuning into this podcast are the ones who most need to listen to it. So we’ll do our best to beat the drum and continue sending folks your way, because, you know, this is an area we think of intense interest and intense growth opportunities.
Isabella Edmonds [00:21:26] Thank you so much for having me.
Cameron D’Ambrosi [00:21:27] Cameron It was my pleasure.
Isabella Edmonds [00:21:28] This was an absolute pleasure. Likewise.