blue-horizon-lab / connecty-ico

GNU General Public License v3.0

Sign-in process result #63

Open Nathael opened 6 years ago

Nathael commented 6 years ago

When the sign-in process is successful, the user gets the main dashboard view. If the account is disabled because the KYC process failed / was refused, the user gets an error message indicating that the account got disabled due to the KYC process information provided (TODO: message to be defined).

slamazelo commented 6 years ago

Don't think this is the good thing to do: when the KYC process fails, the user receives a mail and a message in his account interface. So he is informed about it. Even if we can block access to the dashboard after that, the big question is: what to do with his personal data? We have two possibilities: destroy the KYC account (but this is a little bit violent), or let the user have the choice to destroy the account. And I don't understand why everybody with a KYC in progress can see the dashboard, but not the refused KYC. Can you give details about the KYC failing criteria?

By the way, there is another question: what to do with the tech account (login, password, email)? For security reasons, if we want to ban some undesirable user, we must destroy the KYC account and preserve the tech account? Don't you think so?

Nathael commented 6 years ago

The ICO website is here mainly for the purpose of collecting funds. When the KYC process fails after the user has been given (or not) a chance to provide valid / additional information, it means that the user is considered a fraud, spam, or abuse of some kind. All data must be kept (KYC process and account / login info) for possible future reference. But the user must be denied login. Someone trying to cheat in the ICO process may endanger the ICO process (money laundering and the like).

slamazelo commented 6 years ago

You just have to make the distinction between the electronic account (for which we have a process of ban and disabling), and the KYC account (accepted/refused). If you want to ban someone, there is no reason, and no legal possibility, to keep the data of the KYC process in the DB. But you can ban accounts created (Accounts management).

Nathael commented 6 years ago

The reason for keeping the data is for KYC process purposes. Should someone try to register multiple times with the same ID card but different account information, then the new account should also be disabled, and maybe reported to the authorities. As for the legal part, this should be taken into account, but should be handled by the lawyer. Maybe we must add a message with KYC process information at the beginning of the process, and a checkbox which the user must check before validating to access the KYC process, meaning acceptance of the terms and conditions, including use of the provided information for the whole KYC process, even if the KYC process ends with a refusal.

An ICO is not a simple act of buying goods on the Internet; it is much more like buying shares and financing a company, and is thus subject to French law, which implies that stakeholders must be identified and so on (which is the purpose of the KYC process). Detecting fraud implies that we keep track of fraudulent attempts (my point of view, to be validated by the lawyer).
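The thread above separates two things: the "tech account" (login and credential), which can be disabled, and the KYC record, which is kept after a refusal so that a second registration with the same ID card can be matched and disabled too, while accounts with KYC still pending keep reaching the dashboard. The following is an added illustration of that design as a small in-memory model; it is not code from the connecty-ico repository. All names (`Registry`, `KycStatus`, the `ERROR_*` outcome strings, the constructed logins and document numbers) are placeholders chosen for the example, and password hashes are treated as opaque strings that are compared in constant time.

```python
import hmac
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, List, Optional


class KycStatus(Enum):
    PENDING = "pending"     # documents submitted, review in progress: dashboard still visible
    ACCEPTED = "accepted"
    REFUSED = "refused"     # treated as fraud/abuse: record kept, login denied


@dataclass
class Account:
    """The 'tech account' (login + credential). Can be disabled without touching KYC data."""
    login: str
    password_hash: str          # hypothetical field; a real system stores a salted password hash
    disabled: bool = False
    disabled_reason: Optional[str] = None


@dataclass
class KycRecord:
    """The KYC record, kept even after refusal so repeat attempts can be matched."""
    login: str
    id_document_number: str
    status: KycStatus
    note: str = ""


@dataclass
class Registry:
    accounts: Dict[str, Account] = field(default_factory=dict)
    kyc: Dict[str, KycRecord] = field(default_factory=dict)   # keyed by login
    audit: List[str] = field(default_factory=list)            # what a reviewer would inspect

    def register(self, login: str, password_hash: str) -> Account:
        if login in self.accounts:
            raise ValueError("login already exists")
        acct = Account(login, password_hash)
        self.accounts[login] = acct
        return acct

    def _disable(self, login: str, reason: str) -> None:
        acct = self.accounts[login]
        acct.disabled = True
        acct.disabled_reason = reason
        self.audit.append(f"disable login={login} reason={reason}")

    def submit_kyc(self, login: str, id_document_number: str) -> KycStatus:
        """Start KYC; a document already tied to a refused KYC disables the new account too."""
        clash = [r for r in self.kyc.values()
                 if r.id_document_number == id_document_number and r.login != login]
        if any(r.status == KycStatus.REFUSED for r in clash):
            self.kyc[login] = KycRecord(login, id_document_number, KycStatus.REFUSED,
                                        note="same ID document as a refused KYC")
            self._disable(login, "KYC_DUPLICATE_REFUSED_ID")
            self.audit.append(f"flag-for-review login={login} document={id_document_number}")
            return KycStatus.REFUSED
        self.kyc[login] = KycRecord(login, id_document_number, KycStatus.PENDING)
        return KycStatus.PENDING

    def refuse_kyc(self, login: str, reason: str) -> None:
        record = self.kyc[login]
        record.status = KycStatus.REFUSED
        record.note = reason
        self._disable(login, "KYC_REFUSED")      # data stays; only login is denied

    def accept_kyc(self, login: str) -> None:
        self.kyc[login].status = KycStatus.ACCEPTED

    def sign_in(self, login: str, password_hash: str) -> str:
        acct = self.accounts.get(login)
        # Compare against a dummy value when the login is unknown, so timing does
        # not reveal which logins exist; compare_digest is constant-time.
        expected = acct.password_hash if acct else "no-such-account"
        if not hmac.compare_digest(expected.encode(), password_hash.encode()) or acct is None:
            return "ERROR_BAD_CREDENTIALS"
        if acct.disabled:
            return ("ERROR_KYC_DISABLED" if (acct.disabled_reason or "").startswith("KYC")
                    else "ERROR_ACCOUNT_DISABLED")
        return "DASHBOARD"           # pending and accepted KYC both reach the dashboard


def demo() -> Dict[str, object]:
    """Constructed scenario: a refused KYC, a repeat with the same ID card, a pending one."""
    reg = Registry()
    reg.register("alice", "h-alice")
    reg.submit_kyc("alice", "ID-123")
    reg.refuse_kyc("alice", "document does not match declared identity")
    reg.register("bob", "h-bob")
    bob_status = reg.submit_kyc("bob", "ID-123")   # same ID card, different account
    reg.register("carol", "h-carol")
    reg.submit_kyc("carol", "ID-999")
    return {
        "alice": reg.sign_in("alice", "h-alice"),
        "bob": reg.sign_in("bob", "h-bob"),
        "bob_status": bob_status,
        "carol": reg.sign_in("carol", "h-carol"),
        "unknown": reg.sign_in("mallory", "x"),
        "records_kept": len(reg.kyc),
        "audit": reg.audit,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The point of the split is that disabling is a property of the tech account and refusal is a property of the KYC record: disabling never deletes the record, and the duplicate-document check reads only records, so a ban and a retained KYC trail coexist. Whether the record may be retained at all is the legal question raised in the thread and is not decided by the code.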