Two weeks ago we were granted a patent for our core technology, Electronic DNA™ (eDNA™ for short), the engine behind the creation of Trusted Digital Identities. We are thrilled!
eDNA™ describes an internet identity (an individual or a merchant) by looking at its attributes and how these attributes relate to each other. eDNA™ also captures behavior, good or bad, and aggregates it into a reputation score.
We use eDNA™ and Trusted Digital Identities to help the financial industry prevent fraud, comply with regulatory requirements, and detect suspicious activity related to anti-money laundering, in real time.
The results of applying our technology in this market speak for themselves:
- 60% fraud reduction in card-not-present (CNP) transactions
- 85% manual review reduction
- 90% reduction in fraudulent account opening
- 85% reduction in time for reviewing sanctions and politically exposed person (PEP) screening results
- 50% reduction of false positives for sanctions and PEP screening
When we started down the path of creating eDNA, we spent countless hours discussing what makes a digital identity a real identity. Our premise was that the more you know about the user behind a transaction, the easier it is to assess the risk of that transaction.
We decided to focus on those industries where understanding the risk of an online transaction was centered on knowing the identity. While the core technology can be used in a variety of industries, we focused on financial services because we felt that this focus would produce a stronger solution. Lastly, we felt that helping the online market make better decisions was the best fit, and this meant solving the problem from the perspective of online merchants and financial institutions.
Continuing down this path, we needed to define what a trusted identity was. We concluded that an identity is a combination of connected attributes, where the connections are validated and kept up to date. For example, an email address is connected to a name, a phone number, and a physical address. But in order for these attributes to define a real identity, versus a synthetic or fake one, they need to be validated. You could, for instance, send a text message to the phone with a code to be input into an email message, thus connecting the phone and email address, and verifying the phone number belongs to the user. Now you would know that those parameters are indeed connected. Additionally, you need to understand how current those parameters and relationships are. For example, associating a user with an old address or an expired document can open the door to identity theft and fraud.
A user can also have multiple email addresses (e.g. personal and work), multiple phone numbers (e.g. mobile, landline, work), etc. If every combination of validated, connected parameters is an identity, then a user can have multiple identities that may or may not be related, though in practice we know that most “good” users’ identities are indeed connected somehow.
There are a couple of additional dimensions we needed to consider:
- Online users have devices to connect to the internet (e.g. smart phone, tablet, computer) and devices have IP addresses. So an online identity is also connected to one or more devices.
- Given that we are focusing on financial transactions, identities also have some form of payment information. It could be a credit card, a bank account, a digital wallet, etc.
- Financial transactions frequently include a billing address, and with the purchase of physical goods, a shipping address.
So, an online identity, for the purpose of evaluating a financial transaction, has a very rich set of attributes that are connected, validated and current. By keeping a record of these identities and how they are connected, you can identify a user. This is the first part of our eDNA™ technology.
Now, some companies claim they can proxy an identity based on a single parameter, most prominently the device fingerprint. This is too narrow for an identity proxy. Beyond the technological limitations of a fingerprint when it comes to generic devices, spoofing, and ultimately collisions, it is simply too little information to convey the identity of a user. Most users have multiple devices, and it is relevant to associate those devices with the same user, both for detecting good and bad users.
Another approach commonly used to proxy an identity is to follow multiple attributes but not the context in which those attributes are used. Identity attributes used together say something very different from the same attributes used independently. Think about identity theft or compromised credit cards. Context is important. Let’s address identity theft with one very common example. In the case of tax return fraud, a fraudster files taxes on behalf of a real user and the refunds go to the fraudster’s bank account. In this example, the fraudster has all the information about the user, and it is very complicated to discern in real time that this is not the user, because all the information checks out! However, the information is used in the context of a bank deposit, so it is key to go beyond the user information and validate that the bank account is owned by the user or at least authorized to be used by the user. Context is everything.
Next, let’s imagine that your credit card is stolen. In all likelihood the information needed by the bank to validate it for a CNP transaction is easily available to the fraudster. But the device, the shipping address, the geo location, the merchant type, etc., are likely to differ from how the card and the billing address have been used previously.
These examples address the second part of our technology: how to assess the risk of a transaction.
Being able to recognize identity theft and the usage of key identity parameters outside their normal context means you can address two major use cases in online fraud. We know that there are many other cases. Friendly fraud, for example, is very difficult to deal with. In friendly fraud the identity information isn’t the problem. The issue is the intent of the user: to commit fraud not by stealing a credit card or an identity, but by exploiting the CNP system, where the consumer is largely favored.
For those instances you need a concept that can aggregate user behavior and use it to inform the risk decision. We called this reputation. The reputation is a score that describes the risk associated with a given identity. This is the second part of eDNA™ and of this patent: how to use aggregated behavior to measure the risk of a transaction. Let’s put this in practical terms.
Say that Jerry really likes tennis shoes. So Jerry goes to myreallyniceshoes.com, buys shoes, and then claims he never received them. Then Jerry calls the bank and refuses the charge for the shoes. The bank, in all likelihood, will side with Jerry and issue a credit to Jerry, while issuing a chargeback to the online store. But Jerry isn’t satisfied and goes to notsoniceshoes.com and buys another pair. Jerry isn’t stupid: he uses a different card from a different issuer, and the same thing happens. Now Jerry has a couple of pairs of shoes that he never paid for. This happens much more frequently than you would imagine.
If our system were helping assess risk in these transactions, Jerry’s reputation would be tainted by the chargebacks, and hopefully the second, third, and fourth stores Jerry wants to take advantage of would have been warned. The reputation score can represent this type of behavior and help the industry share information that otherwise would be hard to share.
While the examples I just used are focused on identifying fraud, the greater value actually lies in recognizing good users. Most transactions are good, and good users have by far greater ROI than bad ones. So the more transactions you can accept, the better your business will do. The reputation will help you quickly decide and streamline the risk operations for good users. The more you can recognize good users, the smaller the set of suspicious users you need to look at. This reduces the cost of operations and improves the user experience for the users you really care about.
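The two ideas above, identities as validated and current links between attributes and a reputation aggregated over the whole identity, can be sketched as follows. This is an added example, not eDNA™'s implementation (which the post does not describe): the `IdentityGraph` class, the one-year freshness window, the attribute labels, and the use of a plain chargeback count in place of a reputation score are all assumptions, and the data is constructed.

```python
from datetime import date, timedelta

MAX_AGE = timedelta(days=365)  # assumed freshness window for a link


class IdentityGraph:
    """Attributes are nodes; two attributes join one identity only through
    a link that is both validated and current."""

    def __init__(self):
        self.parent = {}       # union-find forest over attributes
        self.chargebacks = {}  # attribute -> chargebacks reported against it

    def _find(self, attr):
        self.parent.setdefault(attr, attr)
        while self.parent[attr] != attr:
            self.parent[attr] = self.parent[self.parent[attr]]  # path halving
            attr = self.parent[attr]
        return attr

    def link(self, a, b, validated, last_confirmed, today):
        """Connect a and b; unvalidated or stale links are rejected."""
        if not validated or today - last_confirmed > MAX_AGE:
            return False
        self.parent[self._find(a)] = self._find(b)
        return True

    def report_chargeback(self, attr):
        self.chargebacks[attr] = self.chargebacks.get(attr, 0) + 1

    def chargebacks_for_identity(self, attr):
        """Stand-in for reputation: chargebacks on any linked attribute."""
        root = self._find(attr)
        return sum(n for a, n in self.chargebacks.items()
                   if self._find(a) == root)


def jerry_demo():
    """Constructed data: two cards from different issuers, one shipping address."""
    today, recent = date(2024, 6, 1), date(2024, 3, 1)
    g = IdentityGraph()
    g.link("card:issuerA", "email:jerry@example.com", True, recent, today)
    g.link("email:jerry@example.com", "ship:12 Elm St", True, recent, today)
    g.link("card:issuerB", "ship:12 Elm St", True, recent, today)
    # A link last confirmed years ago is not trusted, so this card stays separate.
    stale = g.link("card:issuerC", "ship:12 Elm St", True, date(2020, 1, 1), today)
    g.report_chargeback("card:issuerA")  # reported by the first store
    return (stale,
            g.chargebacks_for_identity("card:issuerB"),  # what the second store sees
            g.chargebacks_for_identity("card:issuerC"))
```

The second store sees the first store's chargeback even though the card is new to it, because both cards resolve to the same identity through the validated shipping address.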
These same concepts translate quite well for prevention and detection of suspicious activity in money laundering, account origination, and many other key functions of the risk analysis and regulatory requirements that financial institutions care about.
We took a unique approach in addressing some of the key issues with online transactions, and we are extremely proud and grateful to have been granted this patent.