ESRA experts discuss the ongoing digital identity revolution, and what it means to all of us.
At a recent ESRA event, we convened a panel discussion to navigate the digital identity revolution and the challenges it poses. Important topics, including “Who are the parties involved?” and “How do you enforce the transaction?”, were discussed by a leading group of experts.
John Gunn, VASCO’s Chief Marketing Officer, moderated the discussion. The participants were:
How do companies address this issue on a global scale?
“Identity verification during onboarding is a huge challenge today,” Clark said. “There’s a perfect storm with this challenge. The first is everything being digital and heightened user experience expectations. You have to be able to onboard people in real time.
“The second is that we have measured rises in fraud with new accounts. It’s a well-recognized rise in fraud. There were 80 million attacks on financial institutions by fraudulent accounts in 2015, and it’s estimated that 3% of all new accounts are fraudulent. That has doubled over the past two years.
“The third challenge is increased regulations, especially for industries like financial services. The good news is that adjacent to the challenges is the rise of new technology that can combat those issues. The first thing I would point to is that because of the rapid rise in data breaches, fraud has risen because data is lost all the time – 5.2 million records are lost or stolen, on average, every day.
“So it’s imperative to embrace new technology that goes beyond asking for your name, Social Security number, and birth date. So utilizing new methods that go beyond that, such as embracing who you are or what you have. One of the areas I have a lot of experience with involves scanning documents through a mobile device. That type of technology leverages advances in machine learning, AI, and computer vision. It’s very mature. You can have an end user scan a document with the camera on their mobile device and authenticate their identity in real time.
“You can layer that with other ‘What you have’ factors, such as device ownership. So you know they own a specific device and they have their ID on hand. These types of solutions can be inclusive. In the US, we have lots of credit data that the rest of the world doesn’t, so that can be a challenge in the rest of the world.”
What about beyond the US?
Kvitnitsky explained: “The general data providers, such as the credit bureaus, only cover about 30% of the world’s population. How do you address the rest of them? You have to look elsewhere, such as governments. Many people are surprised when they find out that China often performs better than all parts of Europe because the Chinese database covers 95% of their population. Same with India.
“In other places, mobile carrier data provides a solution, such as places in Africa, where a lot of data exists on paper in filing cabinets. But they usually have mobile phones, or the government knows exactly who they are and where they live. That actually makes the emerging markets perform very well.
“We’ve seen a lot of our traditional financial institutions use those databases in those markets. India, for example, got rid of all hard currency about a year ago, so all payments are digital there now. In China, every phone provider, every app provider, starts with the government.”
Credit bureau data has been devalued because of recent breaches. What else can companies do to establish trust and identity?
“I would say that trust starts with three core tenets,” Fraser replied. “It starts with allowing them to use their own device, which seems safe and secure because it has a password, fingerprint technology, and face recognition. In comparison, an ATM could be compromised.
“The other one is having a familiar process. As I work with companies, I dislike it when the user experience team wants to build a set of requirements around an e-sign process without consideration for the major players. That could be a two-month process. That pales in comparison to the billions or trillions of transactions that have gone through the major e-sign players out there. There’s no need to reinvent the wheel. A financial transaction should feel the same as one with your cable provider.
“The last one is to make it feel secure for the end user. If you’re authenticating someone with a shared email that multiple people have access to, that’s not good enough. If they can find a loophole in the process, they won’t trust you.”
Fraud is still increasing. Banks and others are spending more and more to combat it. Next year, losses will be $2.2 billion. What do organizations stop spending on and start spending on to offset those losses?
Clark commented, “Digital account opening fraud is rising. It’s a result of EMV pushing fraud from point-of-sale to other techniques, such as better synthetic IDs. It’s imperative to have a stronger front door, so if you create an identity verification process today, it would be different from five years ago.
“What you wouldn’t spend more money on is knowledge-based identity authentication questions. They’ve diminished in effectiveness quite severely. No financial institution believes it works, but it hasn’t changed as quickly as it should. It shouldn’t be a cornerstone of a process.
“You also wouldn’t invest in manual processes because they’re not fast enough nor reliable enough. You want a layered approach that combines what works with what you have and who you are factors, such as collecting data off an ID document and corroborating it with various sources. Even things like carrier data or taking a selfie and comparing it to the ID photo.”
Businesses have a trade-off between stopping fraud losses and serving customers. How do they strike a balance?
Fraser responded: “I look at it from an end user’s perspective first and from the back end second. If someone is opening a bank account with $100 in it, you probably don’t need a blood sample. I always like to encourage my partners to tell me what they did in the paper process. They will literally be okay with a printed document mailed to a printed address, get back a scribbled piece of ink, and they’ll give you a $100,000 line of credit on it.
“And then with a digital transaction, you know what device they have, you have the location services on the device to know where they are, they knew the PIN number to authenticate themselves, and then the client says that’s not good enough.
“Then also look at the risk of the transaction. If somebody is depositing a check into an account that’s $2,000, that’s very different from someone wiring $12,000 to some place in West Africa. So look at the transaction and balance providing a sufficient user experience so you don’t have the drop-off rates because the 1% or 2% fraud rate might be worth it so you don’t have 10%, 20%, or 30% drop-off in the new account opening process.”
So what tools are used to do that?
Fraser responded, “A lot of the tools that Clark mentioned. You can use knowledge-based authentication. You can leverage the device itself, there’s retinal scanning on some phones, there are different ways to authenticate and collect evidence that you can use later to verify people. So if someone says it wasn’t them, you can look at the photo they provided.
“There’s a car insurance company that uses photos to keep people from suing them over liability coverage. So it’s about using the right tools, assessing the risk of the transaction, and erring on the side of the customer experience.”
What are the best practices for identity verification?
Kvitnitsky said: “I agree that it’s a risk-based approach. You can either not onboard anyone via mobile devices and be completely risk-averse, such as half of the top ten banks in the US, or do nothing and let everyone in. A lot of start-ups say they don’t worry about risk or compliance because they’re too small, for example. And then there’s everyone in the middle.
“To open a cryptocurrency account, you have to hold up your passport next to your face to verify who you are. That’s not a great onboarding experience because it can be difficult to get a clean photo. But there are a lot of flags you can track. For example, last year there was a woman who was the queen of tax fraud, and she had about 1,000 tax returns sent to the same address, so the velocity of that data helped catch her.
“You can start on one end of the spectrum with a simple check, such as document verification, and then you can add in things like a text message to verify that they’re there and put a timer on it. Or you could do a selfie check, like Mitek does. Knowledge-based authentication isn’t very effective, and I would argue that the bad guys are better at it. I can’t remember all the addresses I’ve lived at in the last ten years, versus a bad guy who has my data, thanks to Equifax.
“If it’s a financial transaction, you have to verify the person, regardless of the amount. This is public information: In 2012, PayPal missed about $30,000 in transactions and were fined $7 million because they didn’t verify those people. That can take many companies underwater very quickly.”
How will mobile platforms evolve the ability to verify people?
Clark said: “Mobile in the world of identity is becoming synonymous with your identity, in many ways. It’s become sophisticated in terms of fingerprinting the device, its reputation, and so forth. And it will become more sophisticated in the future. If done right, mobile should be your main channel for initial and ongoing verification processes.
“Selfie capture is one example. If you’re capturing a selfie, as part of that experience, because of the richness of the stream, there’s a way to tell that that’s a live user. It makes mobile an amazing channel for all kinds of transactions. If you don’t have a way to use mobile, that’s something you should seriously look at because it’s a good way to onboard the most end users and verify them.”
How does mobile verification apply to the world of financial institutions?
Fraser said: “I agree with Clark that mobile is more secure. Right now you can’t use Snapchat or Instagram on your computer. Outside of financial services and healthcare, the rest of the world has adopted this. It’s time to stop being 10-20 years behind the rest of the world and adopt these new technologies. The fact that 50% of the top ten financial institutions don’t allow new account openings on mobile is shameful. The other FIs, along with credit unions and smaller FIs, will catch up to them.”
In an environment where the biggest demand is from young users who don’t have long credit histories and may have just gotten their mobile devices, how do you address that?
Kvitnitsky responded: “I’ll use Canada as an example. In that country, a law was just passed that said if a credit file isn’t at least three years old, you can’t use it. If you’re not in your mid-20s, you’re off the map for getting a new account.
“So it becomes about using alternative data, such as carrier data. In the US, they allow their data to be used for a lot of things. Governments, especially in southeast Asia, are a good place to start.
“With a mobile device, you can track where the person is coming from. If they say they’re in San Francisco but the IP address is in Russia, that’s a red flag. Risk isn’t created equal among all countries. Our clients worry about Asia Pacific and eastern Europe because that’s where a lot of fraud comes from. On mobile, you can send them a text message or ask for a fingerprint or a selfie.”
What are your thoughts on the regulatory environment and how it will impact identity verification in the next one to two years?
Clark said: “The European regulations tend to be ahead of the US, but these things normalize over time. The European regs are a sign of what’s to come in the US. The main ones are the anti-money laundering regulations which require knowing your customer. In Europe, they have the AML-4 directive, with the AML-5 directive soon to follow, and without going into the weeds on this, the story is that more and more transactions are requiring customer due diligence.
“There are good reasons for that. Even though it’s about anti-money laundering, it’s based mainly on counter-terrorism efforts. For example, the Paris bombings were funded by prepaid cards, so guess what’s in the new European regulations? You must do identity verification for people buying prepaid cards. More and more transactions are coming into the fold, including cryptocurrency and others.
“We expect those due diligence trends to happen in the US too. It’s in the best interest of your organization to have a strong front door and use the right technology for that.”
Fraser added: “I agree with the front door piece, but I don’t think Europe is ahead of the US. I would argue that the amount of regulation needed makes me think about the future and look toward the technology that could solve this, rather than constantly chase. I’m looking for a future where we’re not constantly implementing regulation but getting ahead of it with technology that will stop it.”
Kvitnitsky concluded: “Governments don’t agree on a lot of things, but they do agree that money laundering is bad. About 2% of the global GDP is laundered, which is $1-2 trillion a year that results in missing tax revenue. I think a lot of regulations are good, and the US is way behind. There’s nowhere else in the world where you can Google someone’s name and find out where they live, find their date of birth, their family history, and so forth.
“Our company took the approach of meeting the strictest regulations in the world. It’s our opinion that Australia and other parts of Asia Pacific are the strictest. So when a lot of laws in Europe came through, that was great for us. People have a right to their data and how it’s used in Europe.
“There was a single woman in Europe who asked Tinder for all the data they had on her. They gave her a 200-page report, including food preferences, the men she liked, and so forth. A lot of people say they care about data, but it’s probably scary when they get it. I’d like to see the US catch up on that.”
An audience member asked: “One of my pet peeves about identity and authentication. When it comes to banking, it’s annoying that the level of security needed to get into my online accounts is really not good enough. I’ve asked banks to implement two-factor authentication. With everything going on in fraud, what’s holding back North American banks and financial institutions from using this kind of technology?”
Clark responded: “Complexity is quite severe, between legacy platforms and the disconnectedness of their user information and their internal processes. In general, a lot of banks and financial institutions have a layered approach to authentication that’s not visible to a lot of people. You might think they just want a password, but there are multiple passive layers that underlie it, such as behavioral biometrics, the device fingerprint, and so forth.
“Just about every financial institution is doing a lot with biometrics in some form of a pilot, as well as two-factor authentication. It’s common to have a single gate to get in and look at your money, but if you want to transfer anything, it’s common to have a two-factor solution. But that needs to happen much more quickly. By 2020, biometrics will be the pervasive means for authenticating account access because it’s more secure.”
There were no other questions, so Gunn asked about a final topic.
Some US states are testing mobile driver’s licenses. How will that change how identity is verified?
Clark replied: “They’ll be used as part of the process. Some European countries are ahead of that, such as the Netherlands, where you need an e-ID to get some government services. It’s just another way for a bank or someone else to get your identity by tapping into those repositories, but it will take a long time because of privacy considerations, fragmented data, and so forth. Physical IDs will be relevant for many years to come, but e-IDs will be a great resource eventually.”
How will e-ID use be implemented?
“I expect it will be an opt-in process,” Fraser said. “As long as they put it in the end user’s hands, I’m excited about that kind of technology because it puts the customer at the center of it and gives them some comfort.”
Kvitnitsky added: “I think what will slow it down is that DMVs have their own IDs. It’s like dealing with different countries. We deal with about 30 state DMVs, and the other 20 aren’t even digital yet. We are far away from a digital driver’s license in the US because only a few states are close to ready for it.”