While more and more businesses are selling their products and services over the Internet, they are increasingly being required to definitively assess whether their online customers are who they say they are.
This is especially an issue in processes where money, property or delicate information is exchanged, such as banking and financial services. But, this is increasingly a concern for other industry segments including the sharing economy, travel and hospitality services, online gaming, and even email hosting companies.
Even dating sites are having to contend with fake profiles being created by bots. Consider the case of Ashley Madison where 90%-95% of the accounts were fake and the impact this has on its (cheating) clientele. Clearly, identity verification impacts online companies of all types and has far-reaching implications when it’s not done correctly.
Effective online identity verification is generally needed to address one of three pain points:
- Reduce fraud. Accurate identity verification can have a dramatic impact on fraud detection by ensuring that government-issued IDs are authentic and unaltered and by validating that the person associated with that ID is physically present.
- Reduce abandonment rates. For most companies, there’s an implicit trade-off between fraud detection and conversion rates. By increasing the number of fraud checks, you increase your assurance that the person is who they say they are, but increase the abandonment rates because of the extra friction.
- Reduce compliance risk. Given the increased number of compliance mandates, including KYC (know your customer), AML (anti-money laundering), GDPR, and PSD2, there are real financial penalties for not getting identity verification right.
Given the high stakes, your choice of an online identity/ID verification solution is no longer a trivial business decision. So, it pays to do your research and not fall into these common traps:
8 Killer Mistakes in Choosing an Online Identification Verification Provider
1. Ignoring the size of the vendor’s fraud database.
Online identity verification providers are sitting on a treasure trove of data. Think about it. Every time an ID is flagged as fraudulent (e.g. it’s been doctored or digitally manipulated), it is stored within the vendor’s database. Solutions that have captured millions and millions of fraudulent IDs across large global brands have a leg up against small vendors. For example, if John Solomon from Indiana is flagged as fraudulent for XYZ company, that information is stored. So, if John Solomon tries to set up another account on ABC company, he will have already been flagged by XYZ and will be rejected. This network effect can be powerful, but it relies on large scale to be truly useful. NOTE: Not all companies elect to store their data with the verification provider and this obviously limits their ability to leverage that data for future online verifications.
2. Failing to appreciate the power of machine learning.
The process that identity verification solutions use to determine which IDs get accepted and which ones get rejected is a bit of a black box. IDs are captured and verification decisions made. Most modern online verification solutions, in fact, use a variety of techniques including machine learning, computer vision, and human review. And like the fraud database, size matters when it comes to machine learning. The larger the dataset, the smarter the algorithms. These machine learning models are created and leveraged for a number of purposes including blur detection and image alignment. But, this requires a large volume of successful and failed online verifications to train the algorithms. Make sure to ask how many online verifications they’ve performed and how they’re leveraging that data to educate and fuel their ML algorithms.
3. Falling for the allure of 100% automation.
Many modern IDV (ID verification) solutions rely exclusively on automation and machine learning. While this sounds state-of-the-art, this approach has inherent limitations. The fact is that humans can see patterns that automation and machine learning can’t. For example, some automated solutions that rely 100% on machine learning cannot “see” holes (i.e., expired IDs that have been hole punched). Human review should catch and deny these IDs 100% of the time, but many automated solutions will mistakenly approve them. Machine learning can also inform the human review process by flagging specific IDs that have common characteristics with known fraud patterns. For example, if passports from Romania captured via a desktop webcam have historically been associated with higher incidences of fraud, all Romanian passports can be subsequently flagged for extra attention by live verification experts.
4. Assuming that the provider has true global coverage.
Many online ID verification providers get away with claiming they have global coverage by virtue of the fact that their technology can read a barcode or the MRZ (machine readable zone) of international passports. But, this doesn’t mean they can support all versions of government-issued IDs (such as ID cards) or older versions of those IDs. Truly global solutions will not only read the barcode, but have the ability to scan the front of an ID to ensure the data presented matches the data read from the barcode. These solutions will also have trained verification experts and computer vision protocols that are proficient in all regional ID document types and are well versed in their inherent fonts, font sizes, and security features.
5. Failing to test before buying.
It’s surprising how many companies adopt a new IDV solution without ever testing, really testing, the solution. In fact, many vendors will balk at performing any tests before the actual purchase. In these cases, you should vote with your feet and exit stage left. But, when you decide to do a test, make sure to take advantage of a large dataset, not just a few transactions. Ideally, this would include thousands of transactions that represent a fair cross-section of your online verifications. For example, this should include a high percentage of legitimate IDs/identities, a percentage of legitimate IDs captured under less-than-ideal circumstances (e.g., bad lighting), and a small percentage of fraudulent IDs, to simulate real world transaction volumes. A good solution will pass the valid IDs, even when the ID is tilted or shot in bad light, and flag the fraudulent IDs.
6. Ignoring the user experience.
In the banking industry, four out of ten consumers say they have — at some point — become frustrated enough with an online application to just give up (source: Signicat, The Battle to On-Board, March 2016). Because conversion rates matter, more and more companies are exploring ways to reduce abandonment rates by simultaneously improving the user experience and fraud detection. To their credit, most identity verification solutions deliver a definitive “yes” or “no” as to whether to accept or reject an online transaction. But, sometimes that decision is delivered too quickly when the verification process is 100% automated. For example, if the government-issued ID, presented by the customer, is captured in poor lighting or is slightly blurred or tilted, most automated solutions would reject the transaction out of hand. Jumio, however, returns additional information that can be used to enable the customer to course-correct. For example, if the photo taken is blurred or tilted, the customer is given the opportunity to auto-correct during the actual transaction which dramatically improves conversion rates.
7. Trusting the vendor’s claims around verification accuracy.
Unfortunately, when it comes to verifying the accuracy of IDs and identities, caveat emptor should be your guide. Precious few solution providers discuss how they measure up from an accuracy perspective. What you really should know is:
- How well can the solution catch fraud (catch fake or doctored IDs, pictures used instead of an actual selfie, etc.)?
- How well does the solution convert users (i.e., verify your good users)?
- If they provide the stats, then the next question is how they derived those stats. Without auditing the verification history, the only way to know if they’re getting it right is by having their customers catch and notify them of incorrect verifications. Look for solutions that audit 5-10% of transactions to ensure that their verification engine is correctly flagging fraudulent IDs and green-lighting your good customers in a timely manner.
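As an added example (not Jumio's code or data), the sketch below scores a pilot of the kind described in mistakes 5 and 7: it computes the fraud catch rate and the good-user pass rate per capture condition, with a 95% Wilson interval to show how much a small fraud sample can actually prove. The `PILOT` counts, field names and function names are constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed pilot results: (ground truth, capture condition, vendor decision, count)
PILOT = [
    ("legit", "good", "accept", 4180), ("legit", "good", "reject", 70),
    ("legit", "poor", "accept", 520),  ("legit", "poor", "reject", 130),
    ("fraud", "good", "reject", 88),   ("fraud", "good", "accept", 12),
]

def wilson(successes, n, z=1.96):
    """95% Wilson score interval for a proportion; stays sane for small n."""
    if n == 0:
        return (0.0, 1.0)
    p = successes / n
    denom = 1 + z * z / n
    centre = (p + z * z / (2 * n)) / denom
    half = z * math.sqrt(p * (1 - p) / n + z * z / (4 * n * n)) / denom
    return (max(0.0, centre - half), min(1.0, centre + half))

def score(records):
    """Return {(truth, condition): (correct, total, rate, (low, high))}.

    A decision is correct when a legitimate ID is accepted (conversion)
    or a fraudulent ID is rejected (fraud catch).
    """
    tally = defaultdict(lambda: [0, 0])
    for truth, condition, decision, count in records:
        correct = (truth == "legit") == (decision == "accept")
        tally[(truth, condition)][1] += count
        if correct:
            tally[(truth, condition)][0] += count
    return {k: (c, n, c / n, wilson(c, n)) for k, (c, n) in tally.items()}

if __name__ == "__main__":
    for (truth, condition), (c, n, rate, (lo, hi)) in sorted(score(PILOT).items()):
        label = "fraud catch rate" if truth == "fraud" else "good-user pass rate"
        print(f"{label:20s} [{condition:4s}] {c}/{n} = {rate:.1%}  (95% CI {lo:.1%}-{hi:.1%})")
```

With these constructed counts the 100 fraudulent IDs only pin the catch rate down to roughly 80-93%, which is why a pilot of a few transactions cannot confirm a vendor's accuracy claim.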
8. Thinking the mobile experience is the only real use case.
For companies looking to cast the widest possible net, including different demographics that may not be comfortable with newer technology, it just makes sense to ensure that your identity verification solution offers the broadest number of channels to your users. Many ID verification solutions only support smartphone image capture (via native iOS and Android applications) and exclude other channels such as desktop webcams. By excluding webcams, these vendors are excluding large market segments who are more comfortable on their desktop and laptop computers. Jumio is an omnichannel provider that offers API-based, mobile web and native mobile implementations.
While this list is by no means exhaustive, it’s a good start and will help you assess the accuracy, maturity and experience of the vendor. To learn more, we encourage you to read Jumio’s The Buyer’s Guide to Online Identity Verification.
In this informative guide, we will walk through the trade-offs companies often have to make between deterring fraud and increasing conversion rates. We will explore the steps businesses can take to mitigate risks and the identity proofing technologies that can be brought to bear to establish trust, detect fraud, and increase assurance that someone is who they say they are.