Frederic Ho, Jumio VP of Asia-Pacific, recently spoke with Manuel Stagars of the FinTech News Network about identity verification — the business and technology behind it, the role artificial intelligence plays, the current state of identity verification in Asia, and more. Click play to listen to the full podcast.
Summary highlights from the conversation:
The concern about identity theft and identity related fraud is very high these days. The use of technology and AI to do with this space really is to have a platform that makes it very difficult for a fraudster to create a fraudulent identity when he’s opening an account with an organization. Now, we talk about different things including of course facial biometrics capture with the selfie and comparing that to the photo in the ID, that is one way to establish the ownership of the document. The process behind the capture of the selfie is equally important to ensure the person is present, and these are additional layers of technology for liveness detection. I think that enterprises who are experimenting with building these systems by themselves, they then struggle to track between pushing everything very quickly, which will have a problem with their false reject rates, or they pull things too tight, and then you’ve got a terrible false acceptance rate. Finding the difference between the two has been a nightmare.
Manuel Stagars: Hi Frederic, and many thanks for taking time for this conversation.
Frederic Ho: Hi Manuel, many thanks for inviting me.
Manuel: We just heard it in the intro; you’re the vice president Asia-Pacific of Jumio in Singapore, so let’s jump right in with a brief description of what Jumio does.
Frederic: Jumio is a U.S. company, we are in the business of online identity verification for ten years now. We are really addressing a market need, where companies are leveraging business opportunities in the digital economy, and where you are signing up customers, opening accounts, for users that you have not seen face to face. The need to then establish the true identity of these users becomes very important. So, principally, at Jumio, we provide that service to verify the identity of individuals that you onboard into your business services, and we perform the verification work to ensure that the user is who they say they are.
Manuel: Who in general needs identity verification? What are the main markets?
Frederic: Business on the web has been around for many years, and to a much later extent when the regulated industries that provide financial services who really need to establish trust within the system on the person who you actually onboard, that’s when the industry started to move toward a need to establish whether the individual subscribing to the service is who they say they are. I see this really growing with financial services, the fintech industry, where they provide new services that are different from traditional banks, as well as other industries in telecommunications, hospitality, who leverage on digital channels to now expand businesses. There are areas that drive the need for online identity verification today.
Manuel: Is it mainly online businesses or is it also devices, for example phones recognizing who uses them?
Frederic: It is primarily online as a channel. The device itself has a certain need to of course establish security layers as well. Essentially, what we need to verify is the person behind the device. Are they who they say they are and how do we prove it?
Manuel: OK. Can you still do online identity verification without AI in a reliable way today?
Frederic: The challenge to that would be user experience. The banks and regulated industries are very familiar with KYC (know your customer) processes. When business was mainly in branch, we are talking about a much smaller volume. Customers come into a branch, you process the application, and you have a result in a couple of days. In digital channels, expectations are different. Users expect five minutes completion time for processes. Accounts are open and they get to do what they want to do, such as transmit some money or trade stocks. In general, AI is required to automate processes that would otherwise depend on human manual effort to provide those areas of work. From a scalability perspective, the digital economy needs different approaches to user experience and accuracy to deliver the quality of work.
Manuel: You mentioned efficiency, accuracy. Let’s touch on safety for a second, because there are also people committing fraud not just a bank not knowing who the customer is but somebody willingly identifying themselves as somebody else. How does it work if somebody wanted to game an online system with a stolen identity to impersonate somebody else, how would they be able or not able with a verification system based on AI?
Frederic: The concern about identity theft and related fraud is very high these days. With all the news we hear about data leaks, tons of user data is available on the dark web. There is always big concern that these data would be used to register and open fraudulent accounts where uses stolen data to create false accounts for bad purposes for money laundering, movement of illegally obtained funds, and so on. The use of technology and AI to deal with this space really is to have a platform that makes it very difficult for a fraudster to create a fraudulent identity when he opens an account with an organization. We talk about different things, including facial biometrics capture with the selfie and comparing that to the photo within the ID, but that is one way to establish the ownership of the document, whether it’s a passport, a driver license or ID card. In the process behind the capture of the selfie it is equally important to ensure the person is present. There are additional layers of technology for liveness detection where the user performs certain actions during the selfie capture that establishes that he was the person who submitted this selfie. We’re trying to reduce the opportunity for the fraudster would be to perhaps point his mobile phone at a still image or a YouTube video of someone else’s face and use this to pretend he is someone else, where he has a stolen ID card and create a fake identity. There are many practices where we have teams and expertise within Jumio to quickly identify these behaviors and safeguard a lot of the potential frauds that may appear from our clients who use Jumio and trust us to provide that first layer of defense as they sign up customers online.
Manuel: Does it go beyond the sign up process, let’s say somebody opened an account, but then somebody else would use the account later? Does the Jumio system sill prevent that kind of abuse?
Frederic: The scenario is exactly as you described. Upon enrolment, we captured a profile of the user’s face that we keep as part of his data. Now, subsequently, the user may enter the system and perform a higher risk transaction, perhaps he would want to change his address. Maybe it was related to a large amount of money. Now, our clients would then have the opportunity to challenge the user again by asking him to take a picture of his face again, and we would do a comparison of the latest selfie captured with the profile we have stored to establish it is still the same person. Using this approach, we could prevent a lot of account takeover scenarios where accounts are already hacked with data that is perhaps from the dark web, but they would not be able to transact or perform some of these risky activities since we have a layer of authentication that would challenge them and force them to use biometrics that we had captured to then authenticate the session itself before they can proceed. So you’re right, this is an important area where financial institutions and other industries need the ability to handle account takeover situations. Today, technology like SMS passcode, OTP, is used in this area. There are serious gaps in these approaches. Examples are man in the middle attacks. They may have limited usability to prevent the new types of fraud and fraudulent behaviors that we face. We believe as an industry, biometrics, your selfie, your 3D profile is one of the most secure approaches to prevent identity fraud in the area of repeat transactions where authentications are necessary.
Manuel: You say biometrics; with this you mean the picture of the face?
Frederic: We rely mainly on the face biometrics. Of course in the industry there could be a combination of voice and other aspects including fingerprints that complement each other.
Manuel: Being based in Singapore, do you see a difference between Asia and the rest of the world when it comes to online identity verification?
Frederic: I have notice the difference regions have different perspectives. In Asia, there is a higher level of concern toward fraud, and I refer to online identity fraud. We have encountered a larger percentage of such occurrences compared with the clients we have in the Americas and Europe. In these other markets, the Americas and Europe, the emphasis is really on user experience. This is what the market wants. I think Jumio delivers on both accounts: We have the best user experience and won the 2018 Digital Experience in the UK for onboarding with Monzo Bank, a neo bank out of the UK that is going global now. Together with Monzo we won the best user journey for onboarding. In Asia, we are called into projects where identity document fraud is a problem. This relates to many companies that do online lending, where you have to make it easy for end users to open an account and make a loan and make an assessment. The problem is that if these accounts are fraudulent, you never see your money again. We are seen as the number one company to provide that level of defense to help companies avoid financial losses.
Manuel: Let’s speak for a bit about metrics to assess the efficiency of online verification systems. There are two metrics in place, FAR and FRR. Can you briefly explain what they mean?
Frederic: FAR means false acceptance rate, and FRR false reject rate. These metrics are mostly related to the biometrics industry, where we are talking about face recognition technologies, having correctly matched a face against a profile or have wrongly conducted a match. The business around online identity verification extends beyond that. It is not only about facial comparison, but also about the ability to check if an identity document is manipulated, so the authenticity of the document is also important. FRR and FAR became a common term that companies would then measure if they are providing a good enough service for their customer onboarding, but yet having the ability to prevent fraudulent applications from coming through. Now, what we have noticed is that given the growth of the digital economy, every enterprise would have a strategy to leverage on this new growth area to expand businesses. When you think about online identity verification, the first impulse would be to think about what we commonly are familiar with the security companies to provide such services. We think about the big companies in identity management, access management, cyber security. A big caveat is that these companies aren’t really front-facing solutions dealing with identity verification. So a lot of the first attempt at looking for solutions tends to be searching through biometrics and facial comparison technologies in the market, where I would then have the user take a picture of themselves and then compare that with the photo within the ID and using that to establish that this is the identity of the user I onboard. But there is no work then behind it to prove that the document itself was not manipulated. If I had stuck a photograph over it, facial matching software would return that this is a match, and that the fraudster is the person in the document. So FRR and FAR are as good as the facial comparisons to establish identity but a lot of other processes are necessary to do the due diligence check that the document presented was indeed authentic. We see that regulators are very concerned about this aspect. As they amend policies to permit non face-to-face business relations in their countries, they do ask vendors and companies applying for operating licenses to prove they have done due diligence in this area and there’s where a lot of the problems arise. Companies start to look for different ways to achieve greater security and due diligence on this onboarding. Ultimately, it is a lot of work to be done. There is the need to check the ID, there is data extraction to be done, there is comparison of the selfie with the photo ID, there is a need to establish the person is present, which is the liveness detection and you need all of these processes in a very small window of time. We’re talking about minutes, because the user is there waiting for his account to be opened. Enterprises experimenting with providing these systems themselves struggle between pushing everything very quickly, which will have a problem with their false reject rates, or they’re pulling things too tight, and then you have a terrible false acceptance rate. Drawing the balance between the two has been a nightmare and is no easy work. This is where Jumio presents itself as having the skills and expertise to deliver against what online identity verification really needs to be instead of looking at FAR and FRR statistics. It is difficult to build a balance without deep investments in technology and skillsets.
Manuel: The utility of a system goes far beyond good metrics in FRR and FAR.
Frederic: That’s correct. I believe we’re all suffering from the same problems about image quality, dependency on an algorithm to do facial comparison. We all suffer from challenges with regards to age gaps, where the photograph is a couple of years older than the selfie captured. So all this presents real world operational issues when we depend on this to establish the person is the one who they say is in the document itself. That’s where that level of expertise behind it to complement the technology is so critical at Jumio.
Manuel: How easy or how difficult is it to convince a client that they need a new verification solution if they already have one that may work and may hit good metrics but still is not up to the latest specs like you just described?
Frederic: In many cases their own business conditions and business needs drive the clients to look for ways to improve their own processes. I’ve spoken to many clients who have internal teams that provide verification work when they onboard a new user. As the market competition increases, where a competitor would now provide the sign up in a much shorter time than them, then they would now have to provide similar level of service and keep hiring more staff and increasing staffing costs. At a certain point business growth makes it no longer financially feasible to keep increasing staff just to handle verification work. That’s when they tend to approach companies like ourselves to help them grow their businesses. So you can imagine that a fintech company of ten men providing lending, and as business grows, they hire hundreds of staff to do account opening and verification. They will quickly realize that this is not even their core businesses, so why are they doing that? So business itself drives requirement to look at better service level and scalability toward their core business offering. Of course the other area is just about the nature of encountering higher levels of fraud. In the end they have no ability to deal with the volumes of fraud they encounter without affecting user experience. That’s when they look at vendors and technology to assist them in this area. The way we see businesses these days, they are no longer restricted to single markets. we’re talking about borderless markets, selling across regions, capturing the global customer base. Where identity verification work is concerned, it has got to be dealing with the ability to service anyone with a valid identity document regardless if he is from the Americas or anywhere in Asia.
Manuel: Fascinating. You mentioned the user a few times, and you mentioned that they may be impatient if it takes too long and the user experience may not be satisfying in some cases. What are the general misconceptions of users and customers with identity verification?
Frederic: User experience is definitely a key area that our clients want to fine tune in their system to achieve good results. I think the whole online expectation is that I would conclude my sign up process within minutes these days. But in that process itself, I need to provide you with the information and that is typically a picture of the ID that I took with my phone and a picture of me, a selfie. The conditions under which I take these pictures could be where lighting may not be sufficient or there is some glare or the picture quality is just not perfect. When these pictures are returned to our clients, if they are not good enough for a machine to automatically extract the data by an optical character recognition engine, maybe it is still visible to the human eye. What do you do then? Do you kick the picture back to the client and say “Please repeat”? Or do you find other ways of processing this without further inconveniencing the client? We see a lot of technologies today that require a certain quality before it progresses to the next stage. This means the user has to repeat these steps until the expected picture quality is achieved and that kills a lot of conversion. After the second attempt, a user may not even want to complete the enrolment. My clients are very concerned in terms of the user journey. Sometimes the conditions cannot be controlled, picture quality is not perfect, but the vendor who is processing this must take into account all these different environmental factors and still deliver against what we can in terms of verifying the document, the selfie, and processing the entire verification.
Manuel: I had this experience a few times, because I have an old smart phone with a camera with a low resolution that is often insufficient in terms of picture quality. Sometimes I cannot install a specific app, which creates a lot of work on my end but also for whomever I’m signing up with because they sometimes have another channel to verify the identity, which is very labor intense.
Frederic: Yes, it is. Especially for the Asian market, there are so many different handsets in use with various qualities. Our clients really want to go for the largest coverage possible. We are not trying to skip certain market segments because we cannot handle a certain camera resolution. We must still verify these images and will perform this work and let our clients have the largest coverage possible.
Manuel: Is there always a combination of a fully automated system and a human component or could you automate a system for identity verification without any human interaction and still service everybody?
Frederic: The strength is in automation, where machine learning and AI deliver the speed and the quality of work to complete. We do have a human verification team in situations where we need to return a good result and response to the customer. For example, even for simple things like data extraction, we guarantee a hundred percent accuracy of data extracted against the ID document itself. Our clients would have to employ staff to do a second level of text if we were not able to guarantee these results as one hundred percent accurate. We provide this service so they don’t have to. This is why our clients values us for the service we return.
Manuel: In recent weeks or months, are there any developments that have surprised you?
Frederic: I wouldn’t say surprised specifically, but I see a lot of continuity in terms of the market driving in greater extent to embark on the digital channels for their business. As a trend in the Asia region, the movement toward virtual banking starting with Hong Kong and many other countries now having virtual bank licenses issued by the regulators, and the greater change in policies requiring companies to launch non face-to-face business relations. These new policies and regulations do put increasing new challenges on companies to comply with. So in this space I’d say the Asian market is very active and the scenarios keep changing all the time. This is an area to really watch currently and in the coming years.
Manuel: How long, in your view, will it take until governments also conduct their business without face-to-face interaction, just with online identity verification?
Frederic: I think it is already here. The European markets have already launched neo banks, digital banking services two or three years back. Asia has been very active in this space, the rise of the fintech markets gave them an avenue to experiment with better services, lower cost, which addresses a larger part of the population. We talk a lot about the unbanked market, and Asia has a big proportion of this. Having a mobile phone is all you need to now subscribe to a service that previously you had no access to. These are the areas that are really driving the changes.
Manuel: But for example if somebody wanted to open a company in a country or wanted to get a new passport, do you think it would be possible at some point to do this with an online system, fully without face-to-face as well?
Frederic: I believe with the approach maturing and of course technology advancing to secure the identity of online applications; these definitely will be learnt experiences from the fintech markets, from the virtual banks, from the telecommunications industry to launch services. I believe it would be the de facto mode of business. We want to reduce the number of branches and investment in physical offices and really move customer business over to digital channels for account opening. This is where we get scale and can better plan in terms of enrolments and to really grow the business.
Manuel: Clearly, there are many benefits to online identity verification, but do you also see any developments in this space that you find troublesome?
Frederic: I think that in three to five years from now, identification as a service will be what companies would expect. A lot of the effort today occurs when we first provide online onboarding, we think about options where customers would invest to set up an on-premise system and bring in teams to manage the verification work. In three to five years, I believe everyone would expect that this is an API service, where I would just make a call to a provider and I would be able to deliver this within minutes or even faster. The future of identity verification services is really moving toward the cloud as an outsourced service.
Manuel: Do you see any potential concerns that somebody could have with a world where everything in identity verification runs in the cloud as a service done by somebody else through an API?
Frederic: Regulators today have got to protect user privacy. Of course we are very familiar with GDPR and PSD2 standards established by the European governments, they are the standard today that many other regulators are studying to see how they may adapt their own in-country policies. We fully comply with GDPR standards today. In every country we operate, there will be guidelines to protect citizen privacy. We are designed in a way that would be able to deliver against specific requirements in terms of data handling, processing, data management, and we believe that we can work with the regulators to deliver a cloud-based verification service without compromising the privacy of citizens.
Manuel: Frederic, what’s on the horizon for you and Jumio in the coming years?
Frederic: There are so many more industries that are really exploring digital channels for their business growth. My number one wish would be to have our teams reach out and cover these different industries who now explore and discover new ways to grow their business, yet in a way that would not expose them to identity fraud. We see of course hospitality, hotels where you can check in without ever going to a front desk. You arrive at the hotel and take a picture of your passport and your selfie and you prove your identity and thereby collect a key and access your room. A lot of hotels these days really are turning toward these options for a fuss-free check-in process to the hotels. We see usage for a lot of the property rentals and hospitality services where you want to negate fraud. In the past there were instances where I have a unit I would like to rent, but I would put a fake address, and when tourists come down to the actual location, this residence does not exist.
Manuel: You mean AirBnB fraud?
Frederic: Yes, it could be in a scenario like this. We could provide a service to verify the identity, where the renter and the person who owns the property are who they say who they are, which reduces fraud at this level. Ultimately the most basic level on a big and common topic today is fake news. There are also discussions where if you verify and remove the mask of the person providing comments online, then there would be of course a lower possibility for someone to spread lies on the web. If verification could provide that level of checks against the person who is providing their feedback online, this would explore new ways in terms of managing the amount of fake news on the Internet as well.
Manuel: You just mentioned some applications with fake news and the sharing economy, where do you see, on a scale of importance, where do you see identity verification in the wider context of this digital transformation that is happening in the world, for instance in relation to the Internet of Things or autonomous vehicles?
Frederic: It definitely has a large usage. It starts with enrolment into services, and it goes back into authentication always proving you’re still the same person. I can imagine there are vehicles in the future where I open the door to a car just with my biometrics and even start the engine. There are also many cases where there are online e-commerce, where there could be items that need age verification. Perhaps I’m purchasing alcohol online and have that delivered to my doorstep. The need to verify my age would again be something that has practical application.
Manuel: It really start with identity. Many people tell me this in this space; they say you can’t do anything in a digital economy without identity. Personally, do you have a personal dream for the identity verification space that you’d like to see happen?
Frederic: My dreams really is to talk to the fintech clients, which I already do every day. There are so many business ideas where young people come together with technical skills where they believe they can turn the market upside down with a new offering. This is where the excitement of what I do is. We take care of their work in customer enrolment. With that strategy they really can focus on their business ideas and technical skills to deliver against their vision.