For decades, the only real way to verify someone’s identity online was to compare self-reported information, usually captured on an online form, to a third-party database or credit bureau. So, if Tom Jones at 125 Willow Street in Saratoga, California provided that information online along with his given Social Security number, then obviously that person must be Tom Jones.
Unfortunately, gone are the days when Tom Jones alone knew those bits of data. Thanks to large-scale data breaches and the dark web, cybercriminals also have access to that information. Naturally, criminals can still acquire this PII using highly targeted tactics such as social engineering and malware, or even by looking through a victim’s trash or recycling bins.
In fact, Gartner, the world’s leading information technology research and advisory company, no longer considers data-centric approaches a viable form of identity proofing because there is no test that the individual claiming the identity is, in fact, the authentic possessor of that identity. The identity assurance achieved with this capability used in isolation is relatively low, relying only on “something you-but-not-only-you know.”
That’s why we believe Gartner is predicting a pretty seismic shift over the next two years. According to the 2020 Market Guide for Identity Proofing and Affirmation:
“By 2022, 80% of organizations will be using document-centric identity proofing as part of their onboarding workflows, which is an increase from approximately 30% today,” says Gartner.
Data-Centric Solutions Continue to Play an Important, Albeit a Diminishing Role
Per our understanding, while Gartner may not consider data-centric approaches a viable form of identity proofing, they remain in vogue because of regulatory KYC requirements and online friction. A critical element of a successful Customer Identification Program (CIP) is risk assessment, both at the individual and institutional level.
While most regulatory bodies provide high-level guidance for CIP, it’s still up to the individual institution to determine the exact level of risk and policy for that risk level. But, most KYC regulations set forth minimum requirements to open an individual account, including:
- Date of birth
- Identification number (e.g., Social Security number)
Depending on geography and jurisdiction, there may still be compliance requirements in regulated industries to check static data sources in order to tick the CIP box.
Concerns About Friction
But, there’s another fundamental factor at play that keeps many enterprises addicted to non-document approaches: friction. Pinging a credit bureau or public database is quick, easy and inexpensive. It can also be done in the background as the consumer is completing their online application. Compared to ID-centric approaches, data-centric approaches involve virtually no friction. As soon as you ask a user to take a picture of their ID and a corroborating selfie, you are introducing some level of friction. Because of this concern, and the impact it may have on conversion rates, many organizations consider checking of static data to be “good enough.”
According to Gartner: “This good-enough estimation plays into the fact that checking of static data is typically much less expensive than document-centric identity proofing.”
The Cost Benefit Pendulum is Shifting
Organizations must weigh the benefits of higher levels of identity assurance against the costs and friction associated with document-centric approaches. Historically, the benefits of taking a data-centric approach outweighed the costs, but this is changing. The damage that a bad actor can inflict on a brand varies by industry and includes:
There are a number of different types of fraud that can be perpetrated by a criminal if they’re allowed to create an online account, including, but not limited to:
- Sleeper Fraud: An individual applies for a credit card, establishes a normal usage pattern and solid repayment history, then maxes out the card with no intention of paying the bill.
- Account Takeover: Criminals gain access to someone’s bank account via credential stuffing attacks to make unauthorized withdrawals and purchases.
- New Account Fraud: A hacker uses another person’s personal information and good credit rating to open an account and borrow money using fake credentials.
When criminals succeed in creating illegitimate new accounts in the names of others, it means they have control over complex networks of mule accounts, transferring money between them in order to distance themselves from their everyday criminal activities.
Trust & Safety
In the sharing economy, where strangers are transacting with strangers, the entire ecosystem is based on trust. Whether it’s ride sharing, home sharing or an online marketplace, consumers need to feel safe in order to use the service. But this also applies to the drivers, the homeowners and the online merchants, who need to know that they won’t be victimized by physical harm or financial fraud.
When an organization is victimized by a bad actor and the news hits the media, it can be an existential threat to the entire enterprise. At that point, it’s all about the PR response and helping to mitigate the damage. This is not only a major distraction to the organization, but it can threaten its very commercial existence.
Organizations that have been lax with their CIPs are now paying a bitter toll in terms of regulatory fines. In December 2019, German telecoms provider 1&1 was fined €9.55 million by the Federal Commissioner for Data Protection and Freedom of Information (BfDI) for having insufficient authorization procedures in place. All someone needed was the name and date of birth of a 1&1 customer to access extensive personal information regarding said customer. On top of this, massive fines are being handed down to banks that continue to struggle in their obligations to combat financial crime, with AML fine values in 2020 already surpassing 2019.
Increased Familiarity Breeds Adoption
Another reason the pendulum is shifting to document-centric approaches is that the amount of friction involved in capturing a government-issued ID and selfie is lessening. The process itself is increasingly a ubiquitous experience. Thanks to the widespread adoption of Apple’s Face ID and Android facial recognition, face-based authentication is increasingly familiar and comfortable. And it’s getting a whole lot faster. Just a few years ago, it might take several minutes for an identity verification provider to return a go or no-go decision for an online applicant; now the process is measured in seconds.
Gartner themselves are fielding more client inquiry calls about identity proofing, which is evidence of the gradual but ongoing move away from relying on data-centric methods alone. “Results from a recent Gartner poll of 105 respondents (via Research Circle, a Gartner-owned online community), showed that 61% used data-centric methods for identity-proofing needs, and 33% used document-centric methods. Of those using data-centric methods, 10% planned to move to document-centric methods in the following 12 months. It’s important to note that this poll was taken before the COVID-19 pandemic caused global lockdowns and increased the focus on digital channels.”
Together, the rising costs of onboarding criminals associated with data-centric methods and the increased usability and identity assurance of document-centric solutions are what’s driving this seismic change. But it’s the breakneck speed at which this transformation is happening that’s really most jaw-dropping.
To learn more about the interplay between document and identity centric approaches from two real-world chief compliance officers, check out this pre-recorded 30-minute webcast: Data vs. Document-Centric Approaches to Identity Proofing.