The worlds of identity verification, compliance and fraud detection are increasingly intertwined. This is why so many online organizations need to rely on myriad solutions that must be stitched together to help ensure the user experience isn’t too disjointed, time-consuming or onerous.
Jumio
We asked dozens of Jumio customers to walk us through their onboarding experience, and there seem to be some trends in terms of how they are designing the user journey.
Low-Friction Checks
Modern organizations can exploit simple tactics that require no action on the part of the user beyond completing an online application. These include:
- Address Verification: One of the simplest checks is to determine whether the physical address exists in the real world and that the applicant resides at that address. Firms can ping third-party databases and credit bureaus in real time without the user’s knowledge. But, thanks to large-scale data breaches, data-centric approaches like these can be spoofed by leveraging stolen data from the dark web.
- Phone-Based Checks: A number of fraud signals can be derived from a new user’s phone number. Some vendors will send an SMS message to the phone to ensure the number provided belongs to the applicant. But more information can be gleaned from the phone number including the age of the SIM, the IP address and porting information. Some vendors can link the phone number to data from the carriers and telecom infrastructure providers to reveal the identity data of the registered owner of the phone number.
- Email Checks: Many organizations will automatically email the prospective customer to ensure legitimacy of the provided email address. But third-party databases can also be pinged to check the account’s age and other characteristics.
- Behavioral Analytics: There are a variety of solutions designed to determine if the person is a human being or a bot by looking at clickstream analysis, application completion time and typing cadence.
- IP Address Mismatches: Another simple check is to determine whether the IP address of the user’s phone or computer matches the physical region of the self-reported information entered on the application.
Many of our customers correlate these digital attributes with real-world identities to help increase the levels of identity assurance.
Identity Verification
While these fraud signals are helpful and can weed out many unsophisticated fraudsters, online identity verification is often required to verify remote users with higher levels of assurance. In this context, identity verification refers to the combination of capturing a government-issued ID and a corroborating selfie that includes a liveness check to make sure the user is physically present during the account creation process. This approach serves as a powerful disincentive to would-be fraudsters.
Because this document-centric approach involves testing for genuine presence, it meets Gartner’s definition for identity proofing when deployed correctly.
Not surprisingly, Gartner anticipates significant growth in this category: By 2023, 75% of organizations will be using a single vendor with strong identity orchestration capabilities and connections to many other third parties for identity proofing and affirmation, which is an increase from fewer than 15% today.
AML Screening
A large number of global GDP (2% to 5%) is affected by money-laundering activities. As a result, regulatory authorities are getting more vigilant in establishing compliance mandates to deter the risks of money laundering and terrorist financing across many sectors, including non-banking industries. Not only identity is verified but the previous record is checked to make sure that the entity was not involved in any historical criminal activity.
AML screening solutions verify each new customer against a number of politically exposed persons (PEPs), sanction lists and criminal databases that are issued by global law enforcement agencies, and also monitor customers on a regular basis to ensure they don’t become financial crime risks after onboarding.
Transaction Monitoring
Transaction monitoring software allows banks and other financial institutions to monitor customer transactions on a daily basis or in real time for risk. By combining this information with analysis of customers’ historical information and account profile, the software can provide financial institutions with a whole-picture analysis of a customer’s profile, risk levels and predicted future activity, and it can also generate reports and create alerts for suspicious activity. The transactions monitored can include cash deposits and withdrawals, wire transfers, peer-to-peer transfers, ACH activity and more. The overwhelming majority of the transaction alerts are often false positives, so it takes special AI/ML software to scale the solution without hiring an army on analysts.
Ongoing Authentication
While it’s critical to prevent bad actors from creating new accounts, it’s just as important to ensure that users logging into those accounts are the legitimate account owners. Data breaches, the dark web and credential stuffing attacks have emboldened fraudsters to perpetrate account takeover attacks on a massive scale.
Account takeover is made possible because people use the same password across multiple websites. So any website that relies on a simple username and password could easily fall prey to account takeover. That’s why a growing number of organizations are exploring biometric-based approaches to user authentication. If the organization has already captured a biometric (e.g., a face-based biometric template) during the onboarding process, it only makes sense to repurpose that same biometric for ongoing authentication. This means that when a high-risk transaction is initiated (e.g., a wire transfer or a password reset), the user only needs to retake a selfie and go through a liveness check to quickly unlock their digital identity.
When you look at all these identity proofing and monitoring technologies and use cases, it’s not surprising that some enterprises will deploy 10-20 different solutions to protect their ecosystems. Because the lines between identity proofing, KYC/AML compliance, user authentication and online fraud detection are blurring, Jumio continues to build on its KYX Platform and is developing an orchestration layer to manage the workflow and the entire user journey. Download this guide to learn more.
