The worlds of identity verification, compliance and fraud detection are increasingly intertwined. This is why so many online organizations need to rely on myriad solutions that must be stitched together to help ensure the user experience isn’t too disjointed, time-consuming or onerous.
We surveyed dozens of our customers and asked them to walk us through the entire onboarding experience of new users, and there seem to be some trends in terms of how these organizations are designing the user journey.
Modern organizations can exploit simple tactics that require no action on the part of the user beyond completing an online application. These include:
One of the simplest checks is to determine whether the physical address exists in the real world and whether the applicant resides at that address. Firms can ping third-party databases and credit bureaus in real time without the user’s knowledge. But, thanks to a spate of large-scale data breaches, data-centric approaches like these can be spoofed by leveraging stolen data from the dark web.
NOTE: In its 2020 Market Guide for Identity Proofing and Affirmation, Gartner refers to these data-centric methods as identity affirmation. “Data-centric approaches alone do not meet the Gartner definition of identity proofing, because there is no test that the individual claiming the identity is, in fact, the authentic possessor of that identity. The identity assurance achieved with this capability used in isolation is relatively low, relying only on ‘something you-but-not-only-you know.’”
When a new user provides a phone number on the online application, there are a number of fraud signals that can be derived from the number. Some vendors will send an SMS message to the phone to ensure the phone number provided belongs to the applicant. But there’s more information that can be gleaned from the phone number including the age of the SIM, the IP address and porting information. Some vendors can link the phone number to data from the carriers and telecom infrastructure providers to reveal the identity data of the registered owner of the phone number.
Many organizations will automatically email the prospective customer based on the self-reported email address to ensure the email address is legitimate. But third-party databases can also be pinged to check on other characteristics of the email such as the age of the email account.
There are a variety of solutions designed to determine if the person is a human being or a bot. If the online application has 13 fields and it’s completed in less than one second, chances are pretty good that it’s a bot completing the form. Other behavioral characteristics look at the clickstream analysis or typing cadence to help sniff out bots.
IP Address Mismatches:
Another simple check is to determine whether the IP address of the user’s device (phone or computer) matches the physical region of the self-reported information entered on the application.
Many of our customers correlate these digital attributes with real-world identities to help increase the levels of identity assurance.
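The passive signals described above (form-fill speed, IP region, email age, SIM age and porting) can be combined into one score that decides when an applicant is escalated to a stronger check. The following Python is an added example, not Jumio's or any vendor's code; the field names, weights and thresholds are assumptions, and the sample applications are constructed.

```python
from typing import NamedTuple

# All thresholds and weights are illustrative assumptions, not vendor values.
MIN_SECONDS_PER_FIELD = 0.5   # faster than this per field suggests automation
YOUNG_EMAIL_DAYS = 30
YOUNG_SIM_DAYS = 7
STEP_UP_SCORE = 40            # at or above: require ID + selfie verification
REVIEW_SCORE = 80             # at or above: route to manual review

class Application(NamedTuple):
    fields_completed: int
    fill_seconds: float       # time from form render to submit
    declared_country: str     # from the self-reported address
    ip_country: str           # from a geo-IP lookup performed elsewhere
    email_age_days: int       # from a third-party email data source
    sim_age_days: int         # from a carrier/telecom data source
    recently_ported: bool

def score(app: Application) -> tuple[int, list[str]]:
    """Return (risk score capped at 100, reasons) from passive signals only."""
    hits = []
    per_field = app.fill_seconds / max(app.fields_completed, 1)
    if per_field < MIN_SECONDS_PER_FIELD:
        hits.append((50, "form_filled_too_fast"))
    if app.declared_country.upper() != app.ip_country.upper():
        hits.append((25, "ip_region_mismatch"))
    if app.email_age_days < YOUNG_EMAIL_DAYS:
        hits.append((15, "young_email_account"))
    if app.sim_age_days < YOUNG_SIM_DAYS:
        hits.append((20, "young_sim"))
    if app.recently_ported:
        hits.append((20, "recent_number_port"))
    return min(sum(p for p, _ in hits), 100), [r for _, r in hits]

def decide(app: Application) -> str:
    """Map the score to the next step in the onboarding journey."""
    total, _ = score(app)
    if total >= REVIEW_SCORE:
        return "manual_review"
    return "step_up_id_verification" if total >= STEP_UP_SCORE else "continue"

# Constructed sample applications (not real data).
SAMPLES = {
    "ordinary": Application(13, 95.0, "US", "US", 2400, 900, False),
    "bot": Application(13, 0.8, "US", "RO", 2, 400, False),
    "sim_swap": Application(13, 70.0, "GB", "GB", 1500, 1, True),
}
```

Returning the reasons alongside the score lets an analyst see which signal drove a decision, which matters when tuning thresholds against false positives.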
While these fraud signals are helpful and can weed out many unsophisticated fraudsters, online identity verification is often required to verify remote users with higher levels of assurance. In this context, identity verification refers to the combination of capturing a government-issued ID (e.g., passport, ID card, driver’s license) and a corroborating selfie that includes a liveness check to make sure the user is physically present during the account creation process. This approach serves as a powerful disincentive to would-be fraudsters.
Because this document-centric approach involves testing for genuine presence, it meets Gartner’s definition for identity proofing when deployed correctly.
Not surprisingly, Gartner anticipates significant growth in this category: By 2023, 75% of organizations will be using a single vendor with strong identity orchestration capabilities and connections to many other third parties for identity proofing and affirmation, which is an increase from fewer than 15% today.
A large share of global GDP (2% to 5%) is affected by money-laundering activities. Regulatory authorities are becoming more vigilant in establishing compliance mandates to deter the risks of money laundering and terrorist financing across many sectors, including non-banking industries. Not only is identity verified, but the previous record is also checked to make sure that the entity was not involved in any historical criminal activity.
AML screening solutions verify each onboarding customer against a number of lists of politically exposed persons (PEPs), sanction lists and criminal databases that are issued by global law enforcement agencies. AML screening does not end when a new account is created. Customers need to be monitored on a regular basis to ensure that those who were originally onboarded don’t become financial crime risks afterward, so users need to be continuously re-screened to mitigate money-laundering risk.
Anti-money laundering transaction monitoring software allows banks and other financial institutions to monitor customer transactions on a daily basis or in real time for risk. By combining this information with analysis of customers’ historical information and account profile, the software can provide financial institutions with a whole-picture analysis of a customer’s profile, risk levels and predicted future activity, and it can also generate reports and create alerts for suspicious activity. The transactions monitored can include cash deposits and withdrawals, wire transfers, peer-to-peer transfers, ACH activity and more. The overwhelming majority of the transaction alerts are often “false positives”, so it takes special AI/ML software to scale the solution without hiring an army of analysts.
While it’s critical to prevent bad actors from creating new accounts, it’s just as important to ensure that users logging into those accounts are the legitimate account owners. Data breaches, the dark web and credential stuffing attacks have emboldened fraudsters to perpetrate account takeover attacks on a massive scale. According to research by Security.org, 22% of U.S. adults have been victims of account takeovers, which amounts to over 24 million households, and the approximate average value of financial losses from account takeovers of financial accounts is nearly $12,000.
Account takeover is made possible because people use the same password across multiple websites. So any website that relies on a simple username and password could easily fall prey to account takeover. That’s why a growing number of organizations are exploring biometric-based approaches to user authentication. If the organization has already captured a biometric (e.g., a face-based biometric template) during the onboarding process, it only makes sense to repurpose that same biometric for ongoing authentication. This means that when a high-risk transaction is initiated (e.g., a wire transfer or a password reset), the user only needs to retake a selfie and go through a liveness check to quickly unlock their digital identities.
When you sit back and look at all these identity proofing and monitoring technologies and use cases, it’s not surprising that some enterprises will deploy 10-20 different solutions to protect their ecosystems. Because the lines between identity proofing, KYC/AML compliance, user authentication and online fraud detection are blurring, Jumio continues to build on its KYX Platform to help businesses improve conversion rates, meet compliance mandates and deter fraud. Customers, users, patients, employees … whoever the “X” is in your business, Jumio’s single end-to-end platform delivers the assurance you need to know, then trust.
Because of the range of potential KYX technologies, Jumio is developing an orchestration layer to manage the workflow and the entire user journey. Each market segment has its own risk scoring requirements based on specific use cases. These orchestration capabilities put the business customer in control of the type of checks that are most appropriate and the sequence of those checks in order to optimize fraud detection, reduce manual review costs, and improve their ROI. This critical functionality helps organizations of all stripes ingest a variety of risk signals and manage the workflow, lessening the complexity while also streamlining the entire customer experience.