Selecting a remote identity verification provider
Determining the true identity of a customer can be important for suppliers in industries which are regulated or where there is a need to establish trust between parties. In regulated industries this has been driven by anti-money laundering regulation where the service provider needs to know the identity of their client, the source of their funds and whether they are politically exposed or on any sanctions lists. With the growth and proliferation of Fintech companies we are seeing traditional service providers being disintermediated by industry challengers; the number of business entities operating in this regulated environment is growing rapidly. Increasingly, these businesses need the services of a remote identity verification provider to verify their customers.
Before we look at the various approaches and considerations you need to take, it is important to clarify terminology and the differences between verification and authentication. It is generally accepted that verification is the process of verifying the identity of someone at the start of a relationship. Authentication refers to the process of re-checking credentials of an already established customer. Some methods are only available after registration – for example voice recognition can only be used as part of the authentication process, because there would be no pre-existing voice sample to compare during initial registration. Here we are focusing on what happens at the start of a relationship – i.e. during registration and onboarding and how to perform the essential KYC (know your customer) checks.
Innovation in remote identity verification
Traditionally banks, lawyers and accountants would need to see new customers in person and have them bring passport and utility bills to prove their identity. They would copy or image these documents and keep them on record for regulatory purposes. With more businesses operating online, often not in the same country as their customers, providing physical documents becomes a significant barrier to doing business. New technology in the form of online databases and smartphones has led to the birth of a number of new remote identity verification solutions. Some are database driven and some biometric – each having different merits. When looking for a remote identity verification solution, first it is important to prioritise your needs.
Selecting which type of identity verification solution meets your business requirements
When selecting the type of verification service to meet your needs, there are a number of factors to take into account. These include the geographic coverage, assurance against fraud and speed of verification. To onboard as many customers as possible and minimise drop-offs, a registration process needs to be simple and seamless. There is always a compromise between any potential friction the KYC process introduces and the vital protection the organisation requires against fraudulent and criminal attacks. The risks of getting it wrong can be significant – not only is there the cost of fraud itself, but there is potential for fines and all the adverse publicity that ensues. The balance between simplicity and security depends on the type of industry and the consequence of any risks.
No system is failsafe, even those run by big credit bureaus. This week it was announced that Equifax has been fined £500,000 by the UK Information Commissioner's Office (ICO) for having lost personally identifiable information (PII – i.e. name, address, date of birth, credit history) for 160m customers worldwide. This along with other major data breaches has meant much more customer PII is available to fraudsters. The rapid expansion of social media and the sharing of data means that a lot of PII is now available online for those inclined to look. All this poses challenges for organisations providing means of verifying customers. Many organisations have increasingly global propositions and their customer bases comprise people from around the world. More people are living and working abroad and may not have established a deep enough credit history or electronic footprint to be verified by online database services. All of which adds to the challenge of proving identity.
To help you understand the benefits and disadvantages of the various approaches to verifying identity, we have compiled the following table.
Types of remote identity verification
|Database verification||Takes data entered by the customer and checks it against data held by database providers such as voter records and credit bureaus.||API-based. Can be conducted in background.||Limited geographic coverage. Verifying data not the person. Data could be fraudulently obtained. Inaccurate results unless precise input.|
|Remote identity verification||Verifies government issued identity documents and optionally a person’s biometric features. Optionally can verify proof-of-address documents.||Can have good global coverage. Verifies person behind device if used with Selfie for likeness and liveness. Less fraud – use of own face deters criminals.||Less seamless than database checks. More dependent on customer to provide clear verification content. May need more development and testing on the front end user interface.|
Remote identity verification is growing in popularity because the same process can be used to verify customers wherever they are from in the world. It follows a similar process that many people are familiar with if they have ever dealt with a lawyer or an accountant. Importantly, fraudsters cannot hide because they have to use their actual face during the registration process. This is something that they are very reluctant to do and is a major factor in deterring fraud.
If you have decided that for reasons of fraud prevention or geographic coverage you want to implement a remote online identity verification service, how do you go about selecting a supplier? The following table gives a number of key considerations.
|Document coverage||Check that the types of ID supported meet all your needs and that the vendor covers the customer geographies that you are targeting.|
|Document checks||It is important to understand what specific checks the vendor is carrying out and how they relate to your risk policy.|
|Biometric checks||Determine whether both facial likeness and liveness are supported and that your customers can easily follow the process. Check the accuracy rates.|
|User data comparison||You may want to check whether the service can compare what the user has entered in the application with the data extracted from the identity document. This will help you to automate the account creation process within your systems.|
|Accuracy||A key part of the consideration should be about the accuracy of the service. We recommend you do user tests. Also check that the service can process poor quality images – e.g. those with glare and shadow.|
|Data output||Apart from the above, it is important to understand the data that the service provider is returning to you. If you are getting a rich set of user data and error codes, you could automate your verification process to make it more efficient and provide a much better customer experience.|
|Ease of use||Immerse yourself in the customer experience and check that it meets your expectations.|
|Storing of personal data||Check what happens to your customers’ PII and to what extent it complies with GDPR. If the service provider is retaining your customer information, check the reasons why and establish who has ultimate ownership.|
|Service flexibility||Verify how easy it is to get started. Understand whether the offering is via API or standalone service or both. Check whether it can be white-labelled and whether you can change the workflow to meet your own precise requirements. What specific help can they offer to enable you to get up and running as quickly as possible?|
|Response times||Understand the response times versus quality of output and determine what matters to you more.|
|Device compatibility||Determine the range of devices that the service works on.|
|Costs||Establish all the costs that will be incurred including set-up and any customisation fees. Check the verification costs and how they vary with volume. If pre-pay, find out how long the verifications are valid and whether there are any minimum monthly commitments. If you are making comparisons, make sure that they are like for like.|
In this document we have outlined the key factors in successfully selecting a remote identity verification provider. At the outset, it is important to understand what you are looking for. Do you want to verify documents or individuals? Will you use your own interface or that of the provider? Will it be web based or work via your own apps? Are your volumes growing, stable or unpredictable? Will it complement an existing process? Does the service need to be flexible and can it be configured to meet your specific requirements?
Regulations and requirements are always changing. It is important to pick a provider with the flexibility to adapt to a changing market-place. Make sure that they will meet your KYC needs both now and as your business evolves, whilst not compromising the overall customer experience.
A good provider should offer a multi-factor approach and carry out a number of checks designed to make it hard for a fraudster to defeat all of them. Some vendors will make exaggerated claims about the extent to which a specific feature, for example, can analyse part of a document. It is important to establish the real value of what is being offered and how effective it is irrespective of the quality of the image you receive. Ultimately, your chosen partner should provide a seamless customer experience whilst being able to thwart the majority of fraudsters via a layered approach that will prevent the vast majority of attacks. That way you will avoid introducing friction during customer onboarding as well as potential barriers to growth.