Ever since we started working on Digital Identities in 2012, our focus has been knowing and mitigating the risk of transactions. There is the risk in:
- Financial transactions (payment, deposits, transfers) where there is movement of money
- Onboarding transactions (new customer) where you need to understand whether you should do business with an individual or an organization
- Activity transactions (logins, password changes) where mundane actions may indicate larger concerns
Intuitively, whether you are a compliance officer, regulator, or fraud manager, it makes sense to know as much as you can about your customer. A digital identity helps you know more about your customer in a frictionless manner. In practice, this is considerably different from some current solutions in the marketplace.
The use cases below should help put the conversation in the right context.
Know Your Customer (KYC)
As we discussed in a previous blog post, the implementation of KYC has been minimized to identity data validation. However, the intent of KYC is to understand the user such that you can measure the risk of doing business with an individual or business. This is the clearest example of the value of a comprehensive strategy on digital identities.
When you solely onboard a client online there is higher risk and enhanced due-diligence is typically required because:
- You can’t only rely on the data presented
- You can’t guarantee the person typing is the person whose data is presented
- You don’t know if the customer is authorized to use the data presented
Furthermore, it is even harder to understand what the true intentions of a customer are. Globalization not only brought us clients from all over the world, it brought us the possibility that anyone can use the financial system globally to launder money, finance terrorism, and participate in other nefarious activities. While it is true that none of these are new concepts for criminals, the Internet and new business models have made them more accessible, more available, and much easier to carry out.
Digital Identities and Individual Footprints
KYC cannot be only about identity data validation, especially when 60% of identity data can be purchased reliably on the Dark Web. Digital identities have to go much further than simple identity attributes; they have to encompass the digital footprint of the individuals, and that is a big task. We are talking about compiling digital personas for individuals through social networks, behavior analytics, affiliation and affinities, document validations, and biometrics, where each component has a risk model and, combined, they convey an up-to-date picture of the individual and the risk they present. In addition, it has to be up to date: you need to be able to modify and evolve the description of the identity in real time, as fast as digital transactions happen.
The Internet has changed how people act and the speed at which they act; however, it has also brought us the possibility of better and faster information. There are many services available that give reasonable insights into the risk of a potential client without violating their privacy.
Transaction Monitoring for AML
Almost every country has regulations that require businesses to report suspicious financial activities of customers or businesses, either when they exceed certain thresholds or deviate from normal patterns of operations. Transaction analysis has been at the forefront of uncovering suspicious activities for quite some time now, and financial crime analysts are trained in the art of “following the money”.
Digital identities are again relevant because they aggregate behaviors of individuals and businesses in ways that transaction analysis can’t. The information available to financial institutions from online transactions is limited because in most cases it lacks the digital details like devices, IP geolocation, social network handles, affinities, etc. Furthermore, it lacks the context of the individual performing the transaction.
One of the greatest things technology has given us in recent years is the ability to sift through large amounts of data with machine learning and AI techniques. Transactions should no longer be analyzed without the context of the individual behind them, and that individual is only complete when looking not only at the physical attributes but also at their digital footprint.
Understanding the user reduces false positives. Financial crime analysts and compliance officers spend an incredible amount of time reviewing false suspicious reports and alerts. The first step in the analysis is understanding who the user is, and how much is known about them. A clear view of the user makes compliance operations more effective. Reducing the operational clutter allows them to focus on the real cases.
Furthermore, risk-based approaches can also impact how you monitor transactions, so understanding the identity well, and therefore the risk it may pose to your business, helps you apply proper risk-level policies to your clients, likely reducing the number of alerts to handle.
Sanctions and PEP Screening
Speaking of time-consuming compliance activities, sanctions screening is tedious because of the large number of false positives. The reason is simple: you don’t want to miss the real bad guy, and because of that, systems are built to cast a wide net, and they end up with large numbers of false positives. If you miss a real entity, the fines can be substantial, but more importantly, you may miss someone funding terrorism and that can have terrible consequences.
The key is once again to quickly understand as much as you can about the actual individual or business you are evaluating vs the one that is on the sanctions list. You need to be reasonably sure fast. The digital footprint of users, their affiliation and affinities, and negative news can help paint the picture and decide whether this is someone you need to be worried about or not.
PEPs are usually thrown into the Sanctions mix. Though the operational requirements if a true PEP is identified are quite different, the overall process of evaluation is very similar.
This is where IdentityMind started, protecting ecommerce merchants from rejecting too many transactions, and reducing chargebacks by understanding digital identities. We have also written in detail about the ROI case for digital identities in a previous blog post.
In ecommerce, repeat users are usually a very normal part of the customer base. Understanding who the user is, regardless of what device is used, what payment instrument (e.g. credit card, PayPal, digital wallet, bank account) is being used, what shipping address products are shipping to, or whether the purchase is digital goods or shipped goods, is fundamental. In the majority of cases, you want to streamline their transactions. In certain instances, you can spend zero time reviewing transactions from these users. Understanding who they are helps you greatly reduce false positives and provide a better user experience to your most important clients.
Now, it is also important to quickly identify account takeover — see below — and make sure you are not confusing a fraudster with a good user.
Getting through the good users faster also reduces the scope of the transactions you need to review. That makes your fraud team more efficient and able to work on all those projects that are usually on hold because the team is spending its time on manual reviews.
Account Origination Fraud
While some of the KYC concepts apply to preventing account origination fraud, the digital aspects of online account creation allow for evaluating specific risk indicators. By tracking many parameters about individuals you can identify serial fraudsters. Interestingly, in the same way you can recognize good users, you are also digitally identifying fraudsters.
The “beginner” fraudsters are easy to recognize through simple parameters like devices. More serious fraudsters go past this, and the common attributes are harder to keep track of; therefore, the more attributes you track as part of the digital identity of the user, the more likely you are to catch the real fraudsters.
The more sophisticated fraudsters are sometimes very difficult to catch by looking only at your data. Either you or your provider should be able to provide consortium data, like IdentityMind does.
Without an understanding of the digital aspects of an identity, a reasonable methodology for authentication, and a behavioral profile, it is incredibly hard to reliably prevent account fraud. Understanding the identity of your users involves knowing their identity and how they generally behave.
Many companies rely on a single aspect like authorized devices, but this causes unnecessary friction to good clients who have to re-authenticate when they operate from different devices.
Knowing much more about your client can better protect against account takeovers as well as improve customer experience.
The discussion on Digital Identities has changed in the past few years, and it has especially changed in the last 12 months. Financial institutions are starting to deploy initiatives specific to digital identities, and the value in many aspects is becoming apparent, not only in customer experience, but in risk and compliance. There’s still a long way to go, but we are getting there.