While using an ID document and a corroborating selfie for modern identity verification is becoming a widely accepted way to verify new customers, the bigger question remains: how do we verify all of our existing customers?
It’s an important question and there are surprisingly few best practices published.
What is Account Remediation?
Account remediation is the process by which a company reviews and updates all existing customer documents to ensure it has the most up-to-date, complete, and identity-verified information. Sometimes, remediation is a regulatory requirement (e.g., when financial institutions need to identify incomplete or outdated information to satisfy compliance mandates), while other times, it’s needed to ensure an organization’s customer base is protected from cybercrime, such as account takeover.
Why is Remediation Required?
Here are some common instances where remediation plays a crucial role.
Know Your Customer (KYC) Remediation:
Regulators not only expect financial institutions to perform adequate KYC on new clients, but they also expect that the KYC files of existing clients meet quality standards and are reviewed periodically. KYC remediation, sometimes known as “re-KYC,” is the process of updating and verifying customer information to ensure compliance with KYC regulations. Periodic reviews and re-KYC are done annually for high-risk customers, every two years for medium-risk customers and every three to five years for lower-risk customers. Typically, regulatory agencies are less concerned with low-risk customers, but some banks will trigger reverification based on high-risk behavior. This process is crucial for complying with current regulations and effectively combating illegal financial activities, such as money laundering or terrorist financing.
Out-of-Date Data:
Account remediation is often performed to update out-of-date data such as an expired ID or change of address. For example, you may allow new customers to use an expired driver’s license, a temporary ID, or some other government-issued document, such as a visa or resident card, which is subject to frequent renewals. Account remediation is a means to reverify these users to capture their current ID documents and address. This process can also help you resolve data discrepancies, such as when a customer opens a second account with information that differs from the information used to open their original account. Lastly, remediation helps ensure that you can actually contact the customer. When older ID documents are on file, it may be more difficult to reach customers since their contact details are outdated.
AML Screening History:
Financial institutions and other regulated industries are required to vet new and existing customers for money laundering. These institutions keep detailed transaction histories showing how they’ve screened politically exposed persons (people who are more likely to be involved in bribery or corruption) and people from sanctioned countries. Regulated companies often want to consolidate these historical look-ups in one platform instead of having them sitting in two separate repositories. Remediation can help correct deficiencies and improve systems and procedures to ensure full compliance with AML regulations.
Establishing a Biometric Baseline:
In order to leverage biometric-based authentication, organizations need to capture a baseline biometric template (e.g., a selfie) for all existing customers. More and more organizations are abandoning knowledge-based authentication and even SMS-based authentication because of security concerns such as account takeovers and man-in-the-middle attacks, especially for high-risk transactions. Organizations may need to recapture their users’ biometric templates on occasion, especially in cases when biometric retention is only allowed for a few years. When the retention period expires, a new biometric template needs to be established in order to enable biometric-based forms of authentication.
Change in Underlying Identity Verification Technology:
When companies move from one identity verification vendor to another, they often want to leverage a single platform for their verification needs. All new transactions will be run through the new vendor’s platform, but they will also want to migrate old verification transactions to the new platform so they’re managing a single platform. When this happens, they need to reverify existing customers, especially when key identity ingredients are missing from the user’s profile. For example, some organizations may have long relied on data-centric sources (e.g., credit bureau information) for identity verification and have no ID documents or selfies on file. Often, organizations need to recollect their customers’ existing credentials so that they can be reverified by the latest and greatest verification technology of the new provider. When newer, AI-based models are used, organizations are usually able to catch more identity fraud that was missed during the initial verification process.
Developing a Communication Game Plan
Remediation is hard work and often a time-consuming process. That’s why you need to develop a communication plan with plenty of lead time for communication with your customers. Oftentimes, banks will inform their customers six or more months in advance to support their re-KYC efforts. This lead time is also required for reverifying customers whose ID documents are set to expire. When ample time is given to the customer, the entire process is considerably more manageable.
The communication plan also needs to provide the rationale for remediation in easy-to-understand language (devoid of jargon). Whether the rationale is for compliance, fraud mitigation, or a combination of the two, let your customers know why you’re making them go through the process.
Three Approaches to Remediation Outreach
If and when you need to collect more data, you’ll need to notify the affected users. Whether done through emails, in-app notifications or during high-risk transactions, these communications should clearly spell out what the user must do to retain their account, as well as consequences (e.g., account suspension or deletion) for failing to supply the new/updated information within the given timeframe.
1. Email Current Users
One fairly popular approach is to simply email your current users and include a link for them to verify themselves. The link would launch an online experience, similar to onboarding, where your customer uploads an image of their ID document and a corroborating selfie (which includes a liveness check). Once the user is verified, you will have a complete record of the user. The big problem with this approach is that only a small percentage of your users will opt to verify themselves unless there’s a compelling reason to do so.
2. Website or Application Notifications
Another way to verify existing customers is to require identity verification when users log into your website or access your application. This method allows you to systematically verify your active users and capture their ID document and biometric data (via the selfie and liveness check). But, here again, you will only be capturing a portion of your current customers — those who are active and visiting your website or logging into your app.
3. High-risk Transactions
There’s a third type of remediation that organizations often have to initiate for dormant accounts and remediation laggards. With dormant accounts that never went through the identity verification process, you may need to trigger the verification process when they become active and start performing high-risk transactions such as a password reset or initiating a withdrawal. The other scenario that requires this type of on-the-fly remediation is laggard accounts. Laggard accounts are those accounts that were never remediated despite your best efforts. You may need to force them to undergo an online verification when they attempt to perform these types of higher-risk transactions. This approach ensures that your users (and their accounts) are being protected when they are most at risk. It’s imperative for organizations to ensure that the person being verified during these transactions is, in fact, the actual account holder.
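The on-the-fly trigger described above, combined with the review cadence, ID expiry and biometric retention points from earlier sections, can be expressed as a single gate. This is an added example, not code from the original article or from Jumio; the record fields, action names, the three-year low-risk interval and the three-year biometric retention period are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Review cadence from the article; 3 years for low risk and the 3-year
# biometric retention period are assumptions (the article gives ranges).
REVIEW_DAYS = {"high": 365, "medium": 2 * 365, "low": 3 * 365}
BIOMETRIC_RETENTION = timedelta(days=3 * 365)
# Actions the article names as high risk; names here are hypothetical.
HIGH_RISK_ACTIONS = {"password_reset", "withdrawal"}

@dataclass
class Account:  # hypothetical record layout
    risk_tier: str
    last_verified: Optional[date]       # None: never identity-verified
    id_expiry: Optional[date]           # None: no ID document on file
    biometric_captured: Optional[date]  # None: no selfie baseline

def remediation_reasons(acct: Account, today: date) -> list:
    """List every reason this account still needs remediation."""
    reasons = []
    # Unknown tiers fall back to the strictest (annual) cadence.
    interval = timedelta(days=REVIEW_DAYS.get(acct.risk_tier, 365))
    if acct.last_verified is None:
        reasons.append("never_verified")
    elif today - acct.last_verified > interval:
        reasons.append("periodic_review_overdue")
    if acct.id_expiry is None:
        reasons.append("no_id_on_file")
    elif acct.id_expiry < today:
        reasons.append("id_expired")
    if acct.biometric_captured is None:
        reasons.append("no_biometric_baseline")
    elif today - acct.biometric_captured > BIOMETRIC_RETENTION:
        reasons.append("biometric_retention_lapsed")
    return reasons

def gate(acct: Account, action: str, today: date):
    """Decide what happens when an account attempts an action."""
    reasons = remediation_reasons(acct, today)
    if not reasons:
        return "allow", reasons
    if action in HIGH_RISK_ACTIONS:
        return "step_up_verification", reasons  # block until reverified
    return "allow_and_notify", reasons          # in-app reminder only

# Constructed sample accounts.
TODAY = date(2024, 6, 1)
DORMANT = Account("low", None, None, None)
LAGGARD = Account("medium", date(2021, 5, 1), date(2023, 12, 31), date(2021, 5, 1))
CURRENT = Account("high", date(2024, 1, 10), date(2027, 1, 1), date(2024, 1, 10))
```

Returning the reasons alongside the decision lets the verification flow collect only what is missing and gives an audit trail for why a transaction was interrupted.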
Thinking Through the Remediation Experience
Regardless of the rationale for the remediation, you need to create a fully customizable process based on the information you need, your risk appetite, and the requirements of the regulators. Once the impacted accounts have been identified, they must be brought into compliance, whether that means bringing existing data fields up to date, collecting new data from customers, or collecting new required supporting documents (e.g., IDs, tax forms).
The importance of account remediation extends beyond mere regulatory compliance. It serves as a vital component in the fight against money laundering and fraud. By ensuring that customer information is accurate and current, organizations of all stripes can effectively monitor transactions, detect suspicious activities, and help protect their accounts from account takeover, thereby contributing to a safer and more secure financial ecosystem.
Jumio now offers a new batch upload process which supports most of the remediation use cases discussed in this post. This new functionality provides organizations with self-service capability to batch upload transactions for faster, easier, automated processing and decision-making. If you are interested in Jumio batch upload functionality, please contact us.