Before we go into the main topic on the challenges we need to put into perspective some basics about Identity Proofing and our take on it.
What does Identity Proofing Mean?
Identity Proofing refers to the ability to verify the identity of an individual or a business with a reasonable level of accuracy. Identity Proofing is performed both online and offline. The techniques for achieving reliably proofing can be somewhat different with different levels of accuracy in each scenario. The real motivation behind it is to both comply with regulatory requirements, and protect your business from fraudulent actors. The proliferation of identity data breaches has rendered many identity verification services less reliable when used in isolation, so the concept of identity proofing usually implies a set of mechanisms that work together to raise the protection level against fraud.
What are the best mechanisms to perform online identity proofing or the best methods to validate an online identity?
There are several mechanisms and methodologies that must work together for increasing the accuracy of the identity proofing and identity verification process. These mechanisms include:
- Government issued document validation
- Face matching (e.g. selfie)
- Identity verification
- Geolocation and IP address risk analysis
- Phone data verification
- Email reputation analysis
- Social media analysis
The trick is in building a user experience that balances the use of these techniques. This is one of the major reasons for using a robust orchestration layer. Now, let’s talk about the challenges we are seeing the market and our clients face that drive going into an orchestration layer to validate online identities and achieve identity proofing.
The Challenges for Identity Proofing
Without a doubt the most important challenge is dealing with multiple point solutions. This represents a challenge in many dimensions:
- Vendor relationships
- Data Normalization
- Effectiveness degradation
Let’s break it down.
The cost associated with maintaining a vendor relationship is steep. There is:
- Integration/setup — each one has its own set of APIs and user interfaces.
- Procurement — each one has its own contract with different termination clauses, SLAs, etc.
- Minimum volumes — in most cases each vendor has a minimum requirement of volume to get you to the price you want.
Now multiply that by at least 3-5 times for the average compliance operations. To put this into perspective, in the recent AITE Group Report: “Fraud, Authentication, and Orchestration Hubs: A Path to Greater Agility”, the group interviewed executives at Financial Institutions. They responded that vendor management can add at least six months to the implementation process.
Then, there is the issue of making sense of the data. The values coming from a vendor’s API need to be put together into a system that can make sense of it. In order to accomplish it you need to normalize the data. And use a “similar” normalization across all vendors.
The value that vendors of a point solution provide may degrade over time, and new vendors may arise with better capabilities. As you probably know getting out from a contract is sometimes expensive, and many times practically impossible. Trying to justify to your boss or executives that all the investment on a particular solution is going to be lost is at the very least a difficult conversation. Now, effectiveness degradation doesn’t necessarily imply that the vendor performs poorly, but it may be that is no longer applicable to your business needs. Our platform offers a single API to access our orchestration layer with 30+ vendors of data and technology. Every integrated vendor goes through a careful process of integration into our unified identity data model that allows us to leverage abstraction layers where we can swap providers when these perform poorly for given use cases. This is, in most cases, transparent to our clients, they can test performance of every vendor’s solution with a simple configuration change. Imagine that you want to test five different vendors to see which one provides the best verification data, how long do you think this process will take you if you go to each vendor separately? Well, you can perform this exercise at no additional cost other than the cost of the queries to these vendors. That is simply powerful!
Build vs Buy – Limited Technical Resources
We have had this conversation with so many of our clients. Many believe they can build and maintain a platform of their own. Unavoidably their biggest challenge is to secure the technical resources required to execute on it. Success depends on the organization’s commitment to dedicate technical resources for long periods of time. In our experience, compliance officers get very frustrated in this process, and almost never get what they want in the long run. While they may get an initial project that is barely sufficient for their operations, rarely they get what they need to be efficient. Most organizations struggle to maintain the IT infrastructure required for their business requirements. Adding requirements to build and maintain the needed platform to manage risk and compliance on top of it is a tall order for most organizations. Technical resources are better focused on the business needs, not on being a mini development organization charged with beating technology vendors at building fast, complete and innovative software. Our job is to provide you with a solution so you can spend your technical resources on your business. Of course, there is a need for technical resources to integrate our Platform, but those are far less than those required to build and maintain your own. Furthermore, when you work with a vendor like us, you are also leveraging the inputs and insights from many other organizations that have requirements just like yours, and in many cases that are pushing us to deliver far beyond your own requirements.
Leveraging Internal Data
This is perhaps one of the most difficult aspects to accomplish for any institution. Chances are that you have systems in place where there is data that would be great for informing your compliance and risk analysis. Sometimes these are legacy systems that are not easy to interact with. Many times these systems are inherited from acquisitions or organic growth and you may not know enough about how they are put together or how to get the data out. Some clients have migrated into digital onboarding and they have built it on top of open systems where data access is (now) available. As we face these challenges along with our clients, we have developed two frameworks that are instrumental in achieving the business context their risk and compliance operations require. Modern platforms with open APIs allow for intake of data that can inform and enhance risk and compliance modeling. In particular, one of these frameworks is intrinsically connected with our supervised machine learning algorithms, which makes these techniques far more accurate. Read Graph Intelligence: A Machine Learning Approach to Measure Risk
Putting It All Together
The biggest challenge, technically speaking, is putting all the information together into a single framework where you can make sense of all the pieces. This is not an easy task for many reasons, but fundamentally because you have to think about how to build an scalable system that can handle large amounts of data and can come to decisions in real time. But also that it can evolve as things change. Furthermore it is the only way to properly take advantage of big data technologies like machine learning, statistical modeling, and the latest AI techniques you’ve been reading so much about. Orchestration and corroboration hubs like IdentityMind fulfill this function and enable an ensemble of risk modeling techniques, going from topology modeling, link analysis, statistical-based analysis, heuristics, and machine learning, and leaving room for whichever new technique is necessary. Structured APIs play a significant role in data normalization to achieve real time evaluation and analysis. While there is certainly power in unstructured data analysis it has its limitations in real-time evaluation.
Keeping Up With Risk and the Business
Another challenge we have seen our clients face is how to keep up with ever evolving risk and the evolving requirements of the business. New risks cause new solutions, and new solutions may imply upending the whole process again. Compliance and risk professionals have a hard time justifying the changes, and even if they are able to, it is hard to justify dedicating resources “again”. Furthermore, shifts in business models may imply hard adjustments into the compliance practice, entering into markets that are far more risky, where your current solutions and systems may be inadequate. Once again, orchestration layers are built to support these changes and processes. In our platform we have 30+ providers of data and technology, and with at least 10 more in the pipeline. The technical addition of a partner into our platform is somewhere between 4 to 8 weeks, and that is vetted and integrated into the same data model, the same abstractions, and the risk modeling tools that are part of the platform. This is quite different for firms. The process of onboarding a point solution, a new data source, a new technology can take months to our clients, between the integration and making it work with the rest of their systems. Read: Identity Proofing with IdentityMind
Addressing Identity Proofing Challenges and Compliance As a Competitive Advantage
Building a business is hard. Building a serious business is really hard. Your business, with some exceptions, is not about risk and compliance software. That is our business. There is no reason for you to spend your precious technical resources in building complex platforms that unavoidably will not achieve the scope and efficiencies your risk and compliance teams require to help you grow your business. Compliance is a serious matter with great consequences if not done properly. The human cost to cover for the technology gaps can be significant, and many times a non-starter for certain organizations that are rapidly growing. Efficient compliance and risk operations can become a competitive advantage. They can allow you to take on business challenges that others may not, enter in risky markets, expand internationally, offer services to risky demographics. All of these are possible with the proper technology support. Technology that is available to you.