Every industry fine and regulatory penalty widens the gap between customer-friendly new account set-up processes and financial centers’ anti-money laundering (AML) and Know Your Customer (KYC) compliance methods. Regulators are wearing magnifying lenses, thanks to the rise of cryptocurrency initial coin offerings (ICOs), past banking behaviors, large scale data breaches, and smarter criminals. Consumers are demanding essentially impenetrable security for all the same reasons. Stir customers’ expectations for convenience and simplicity into the mix and banks’ ever-growing compliance challenges appear potentially unsolvable. Banks need a new approach to identity proofing.
Large Scale Data Breaches
In the wake of large scale data breaches, such as Equifax, Yahoo, EBay, Uber, Target, Sony’s PlayStation network, and even the U.S. government’s Office of Personnel Management, Knowledge-based Authentication (KBA) and Personally Identifiable Information (PII) seem increasingly insufficient—if not useless–ways of verify customer identity.
Equifax’s recent federal filing confirmed the 2017 breach was worse than originally reported, affecting an additional 3.6 million people and exposing images of passports and driver’s licenses.
But wait, there’s more: according to Fortune, “As many as 10,801 organizations—including 57% of the Fortune Global 100 …and as many as 3,049 organizations have downloaded the exact same vulnerabilities that hackers exploited to break into Equifax.”
Who’s at risk? Any consumer with PII on file at one of these thousands of firms including tech companies, automakers, financial services institutions, and insurance firms. Free-flowing PII exposes consumers to identity and financial fraud while significantly reducing the reliability of PII for personal identity verification. And without effective identity verification procedures, banks increase their exposure to AML and KYC penalties.
Satisfying Consumers, Risk Managers, and Compliance Officers
Combining sophisticated mobile technologies with the popularity of smartphones and widespread accessibility to reliable government-issued identification satisfies consumers’ trust demands and banks’ risk management protocol.
The complex, anti-fraud elements designed into official government-issued ID gives banks and consumers a useful, accessible weapon against money laundering and fraud. Since an estimated 79 percent of the world’s population has official government documentation, authenticating these materials in the digital channel may improve new customer on-boarding and satisfy AML and KYC laws.
Since banking customers already deposit checks remotely via their smartphones, scanning government-issued documents for identity verification is a simple, and unintimidating, next step. Using smartphones for ID verification saves customers time since they’re no longer driving to the bank or waiting in line to prove their identity. It’s a win for the customers but does digital identity verification help risk managers charged with keeping compliance regulators at bay?
The advanced machine-learning algorithms in today’s digital identity verification technology instantly authenticate the scanned image. Automated facial comparison technology examines a customer’s selfie to validate the photo is a real person and that the real person in the selfie matches the photo of the person on the government-issued ID—even if the individual’s appearance has changed since the ID photo was taken! Known as biometric facial recognition, this two-factor authentication gives risk managers strong identity assurance in the event a regulator starts requesting files. And the customer completes the entire verification process from anywhere they choose, as long as they have a smartphone or tablet with a camera and cellular service.
Digital identity verification:
- Expands account options for new customers with thin PII histories such as young adults or immigrants
- Leverages existing cellular technologies and consumer preferences for doing business via mobile devices
- Delivers a cost-effective AML and KYC compliance tool consistent with the European Union’s new 1 AMLD
Indeed, it’s not just the European AML regulations that recognize, “Accurate identification and verification of data of natural and legal persons is essential for fighting money laundering or terrorist financing. Latest technical developments in the digitalization of transactions and payments enable a secure remote or electronic identification.” Consumers, risk managers, and compliance officers world-wide know using mobile technologies for digital ID document verification and biometric authentication can establish strong identity assurance. Which, in turn, mitigates the risk of fraud, protects consumers’ personal information, and maximizes customer on-boarding in the digital channel, all of which impact growth and profitability.
Compliance, Non-compliance, and Profitability
According to the U.S. Government Accountability Office, non-compliant fines between 2016-2017 equaled $15.2 billion, a $10.2 billion increase over the combined six-year period from 2009-2015.
HSBC’s $2 billion fine for its role in helping Latin American drug cartels launder money through the U.S. financial system, JP Morgan’s approximate $1.7 billion payment to resolve allegations of violating AML laws in connection with its role in Bernie Madoff’s investment scheme, and the U.S. Department of Justice filing civil forfeiture complaints to recover more than $1 billion in funds purportedly misappropriated from a Malaysian sovereign wealth fund then laundered are only three real-world cases behind these exponentially increasing fines.
Billion-dollar fines clearly impact the bottom line, but is the cost of compliance an equal threat to profitability?
An American Bankers Association (ABA) survey reported 46 percent of small banks had to “reduce their product offerings, including loan and deposit accounts.” Respondents also confirmed a falling off in customer service due to higher compliance costs, especially among community banks struggling to meet regulations with fewer staff and smaller budgets. And while some financial institutions cut products and services to meet compliance costs, others are spending more to avoid regulator visits.
Global Radar projected banks would spend $8 billion on AML compliance technologies and tools in 2017 yet according to Trupointpartners, “the industry spends $270 billion a year on compliance-related costs.” Additionally, banks usually spend 4% of total revenue on compliance, although nine out of ten surveyed expect that ratio to increase to 10% by 2022, due to regulatory changes.
Is more spending the answer? According to Thomas Reuters Cost of Compliance Report 2017, “instead of throwing ever more money at multiple compliance issues, responses from nearly 900 compliance professionals worldwide suggest that more of them are looking for improved efficiencies through the deployment of technology and automation. And considering the lack of standards for implementing KYC, and the absence of any mandated technologies to ensure it, banks may continue guessing what to use next—Money? Technology? Internal procedures? —to best hit the moving target of AML and KYC compliance.
Each iteration of AML legislation is more complex in an effort to prevent another 9/11 by blocking terrorists from funding attacks with laundered money. Banks need to know the level of risk associated with each person opening a new account. AML and KYC standards are higher and failure to comply penalties are severe but, the policies themselves are vague and risk managers are still frustrated.
The Financial Action Task Force (FATF), an intergovernmental body, offers a little clarity by suggesting KYC protocols include:
- Verifying the account owner’s identity
- Understanding and obtaining information on the purpose and intended nature of the business relationship
- Ensuring through ongoing analysis that transactions are “consistent with the institution’s knowledge of the customer, their business and risk profile, including where necessary, the source of funds”
Other pieces of the KYC process involve background checks for criminal records, political exposure, and country of citizenship. The extent of these measures should depend on the amount of risk each customer or business transaction presents.
Why Digital Identify Verification is the Best Way Forward
Digital identity verification is “new” compared to traditional means of authenticating users. In addition to PII and KBA, financial institutions still rely on at least one, of not a combination of, these traditional identity verification techniques:
Sanctions check tools compare potential customer lists to government lists of people with criminal track records as well as politically exposed persons entrusted with a prominent public function who, therefore, might be susceptible to bribery or corruption.
Credit data tools analyze a customer’s credit data to calculate the degree of risk they present.
Analytics solutions examine customer transaction data, flagging unusual behavior patterns. A common example is your bank marking a credit card charge fraudulent because it’s the first time they’ve processed a charge from a certain geographical location. You know you’re on vacation, the bank processing software does not.
Data bureaus gather and share information about banking customers, enlarging the databases from which the banks can assess risk.
Regardless of the available identity verification tools, banks face ongoing challenges complying with AML and KYC requirements:
- Complicated verification processes generate higher abandonment rates
- Regulations are dynamic, progressively more rigorous, and poorly defined
- Fines are growing exponentially
- Consumers expect seamless, secure digital experience with instant results
- Large scale data breaches rendered PII and KBA insecure and vulnerable, skyrocketing the risk of fraud
- Regulators are looking wider and deeper for violations
- Fewer and fewer bank branch locations limit opportunities to verify identification face-to-face
Is there one good answer to address every challenge? No. Is there one smart place to start? Yes. Digital identity verification and here’s five reasons why.
- Data breaches are a fact of digital life
In the first half of 2017 alone, there were 918 reported data breaches impacting more than 1.9 billion records. What type of data was stolen or exposed? PII– social security numbers, driver’s license numbers, birth dates –everything criminals need to harm the data the owner and scam the financial institution. PII, and/or KBA for that matter, are no longer reliable identity verification or user authentication tools.
- Fraud is a fact of data breaches
The number of reported suspicious transactions and suspicious new account openings rose from 669,000 in 2013 to almost 1 million in 2016, according to U.S. Treasury’s Financial Crimes Enforcement Network. According to Javelin, new account fraud increased 40 percent in 2016, with more than 1.8 million consumers having a new bank or credit card account opened under their name without their knowledge.
- Identity theft is a two-headed fraud monster
With so much readily available PII and KBA responses, consumers are at greater risk for identity theft and banks have no idea if they’re dealing with real or mythical customers. And even if customers appear at the counter, branch employees are not experts in identity document verification and are simply not trained to spot sophisticated forgeries.
- Consumers are afraid of the other monsters in the digital space
Despite demand for mobile banking, customers still worry their digitally transmitted information will end up somewhere other than the bank. Secure, convenient digital identify verification will go a long way toward repairing customer trust, good will, and loyalty.
- People do not go to the bank anymore
Consumer visits to retail bank branches are set to drop 36 percent between 2017 and 2022, with mobile transactions rising 121 percent during the same period.
Now What? Move Forward with Digital Identity Verification!
The stakes for AML non-compliance have never been higher, making consumer identify verification the mainstay of financial services risk management. Banks—all financial institutions—need to ensure precise and efficient user authentication at the beginning of the sales funnel and customer on-boarding process.
Yes, it’s time to rethink identity. By delivering a fast and easy, digital identity verification process, banks can meet the expectations of today’s consumers, restore trust in digital channels, and be well on their way to transforming themselves digitally for the future of banking.
Steve directs products & user experience strategy for Mitek’s global identity business. With over a decade of experience in FinTech, Steve previously worked on software-as-a-service and mobile solutions for Digital Insight, Intuit, and Hewlett Packard. Steve resides in San Diego and holds an MBA from the Rady School of Management at UCSD.