In a bid to protect EU consumers from online fraudsters, pirates and counterfeiters, the EU’s Digital Services Act looks set to introduce a provision obliging online marketplaces to know who their third-party traders are – the so called ‘Know Your Business Customer’ provision, or KYBC.
But why is the Commission limiting KYBC to online marketplaces when an obligation for all online intermediaries to verify their business customers has proven to be one of the most effective tools to prevent illegal and abusive online activities and services and essential to create a safer and more transparent internet for all users?
Our experience in Denmark with DK Hostmaster demonstrates that verification of business customers is a simple and effective way to create a safer and more legal Internet for all users. It can be easily applied to all relevant intermediaries who provide business infrastructure services, including but not limited to providers of domain names, hosting services, advertising and payment services.
DK Hostmaster is a small organization, authorized to administer Denmark’s .dk domain names. DK Hostmaster observed back in 2017 that nearly 7% of active .dk websites were operating so-called ‘scam shops’ selling counterfeit products – and that these illegal sites were set to increase five-fold by 2018. Furthermore, the operators behind these sites were unidentifiable. This anonymity effectively shielded them from prosecution and added to the time consuming and costly process for DK Hostmaster to confiscate the domain names.
In response to these findings, DK Hostmaster introduced a mandatory identity verification procedure for business customers applying for .dk domain names based on the Danish verification system NemID. The verification takes place when a customer applies for a domain name and where there is a suspicion that the information related to a domain registrant is not correct. This can be done either on DK Hostmaster’s own initiative or as a result of a notification from a third party stakeholder or authority. The requirement is that there is a reasonable suspicion.
A number of publicly accessible databases exist at national level such as the NemID in Denmark, against which business user details can be verified. Similar databases exist at European level, including the European Business Register (EBR) and the Ultimate beneficial owners register (UBO register). They render KYBC obligations easy to implement, with minimal administrative burdens, as part of a business sign-up process. Once in place, the verified details actually relieve the intermediary of the burdensome process of trying to track down anonymous operators offering illegal products and services.
This procedure immediately reduced the number of .dk sites operating illegal activities from 700 in 2016 to 8 instances in 2019. The outcome in Denmark has been that false webshop/scam sites have almost disappeared from the .dk zone on the internet. To the extent illegality still occurs, it is quicker, easier and therefore cheaper for DK Hostmaster to address it and reclaim the domain name.
DK Hostmaster demonstrates that verification can be carried out simply as part of a business sign-up process, by checking publicly accessible databases that already exist at national level – just as would happen in the offline world where a business is seeking to rent physical retail space.
If the EU is serious about ensuring that ’what is illegal offline is also illegal online, KYBC requirements should really be applicable to all relevant intermediaries who provide business infrastructure services, including but not limited to providers of domain names and hosting services. Such a requirement will help to significantly curb the presence of illegal internet services and ensure that one of the main objectives of the DSA – consumer safety – is actually met.
This is not a major departure from the existing regime. Under the EU E-Commerce Directive, intermediaries are already obliged to know their business customers’ names and email addresses – but without a requirement to verify those details, the current system is open to abuse.
DK Hostmaster is currently going a step further and considering further increasing its possibility to withdraw domain names, where illegal or abusive behaviour (e.g. spam) nevertheless appears and is notified by ‘trusted notifiers’. Europe should show the same level of ambition in protecting European citizens and ensuring a safe and trustworthy online environment.
The DSA offers a real opportunity to build trust online and ensure the safety of consumers. A broad KYBC provision applicable to all relevant intermediaries could set a baseline of transparency online that could do more than anything else to achieve the EU’s goal of ensuring that what is illegal offline is also illegal online. We hope that the EU co-legislators will draw inspiration from the best practices of the DK Hostmaster example.