Subscribe to our blog
Get ahead with our award-winning insights on the latest developments in the fraud and compliance landscape. Enter your email below to receive our blog posts directly to your inbox.

Post Written by

Online lenders have built their business using new underwriting and credit scoring algorithms that use alternative data sources to complement or even replace traditional data sources.
However, these demographics don’t typically have the same rich records as other customer groups.
That makes it harder to understand who they are and harder still to determine their potential risk.

What can online lenders do to assess: 1) whether they are who they say they are, 2) their credit worthiness, and 3) if they are fraudsters? Validating their identities is fundamental for regulatory purposes, for protecting against identity theft and account fraud-related scenarios.

In this post, we will focus on progressive identity verification as a strategy for addressing identity validation.

Progressive Identity Verification

One of the most critical moments for online lenders and many online businesses, is new customer onboarding. For online lenders this first contact with potential new customers is when they’re applying for a loan. Identity verification can help.

The idea behind progressive identity verification is simple: you assess the fraud risk of potential borrowers through security tests, identity checks and authentication methods that vary depending on the applicant’s circumstances and the business risk model. For instance, if the user is making a request after hours from an IP address outside of the user’s typical location, then additional security checks and authentication measures apply.

Of course, it is also important to have a system that can increase the number of users who are automatically onboarded, so that you can dedicate more time and resources on a reduced number of users who don’t meet the minimum requirements of your risk management policy.

However, even though that first contact is critical, you should complement the initial customer identity verification process with additional security tests and eventually, behavioral analysis. These extra security steps will help you detect early signs of account takeover and block serial fraudsters.

Three Steps to Define your Progressive Identity Verification Strategy

1) Analyze Business Goals and Regulatory Requirements

You need to take into consideration several points related to your business goals and compliance requirements when designing and implementing your progressive identity verification strategy:

  • Your company’s revenue and growth goals. Every additional identity verification test that you add to your onboarding process impacts your customer acquisition. If done right, it may increase your customer acquisition rate. Doing it wrong has the opposite effect.
  • Your business reputational risk. It’s very difficult to estimate and it’s even more complicated to recover from the negative effect caused to your business reputation when your company name gets associated with the wrong people.
  • Regulatory compliance requirements. There are pieces of information and identity verification checks that are required to meet the regulatory requirements of the countries and regions where you’re operating.
  • Your business bottom line. An automated, efficient and secure online customer onboarding process will help you bring down operational costs, reduce your business exposure to enforcement actions due to lack of compliance, and prevent fraud losses.
  • Your fraud risk tolerance. It’s not possible to eliminate all the fraud risk associated with your business model. You need to balance business goals with your risk management strategy, and define the risk thresholds that you’re willing to accept.

2) Define Your Risk Levels

Before selecting the identity verification tests and security checks that you want to incorporate into your customer onboarding process (we’ll review this subject over the next section), you need to define the risk levels that you’ll be using on your progressive verification strategy.

When defining the risk levels, you should take into consideration the following points:

  • Start as simply as possible. The basic risk levels: e.g. low, medium and high.
  • All your customers should pass through the security tests included on the low risk level, and all potential borrowers who pass the security tests can be approved automatically or with minimal manual intervention.
  • Users who fail the low risk tests should undergo additional verification (medium and high risk level).
  • The security checks performed on the low risk level, should help you meet all the compliance regulatory requirements needed in the countries/states where you operate, while ruling out fraudulent activity.
  • Users who pass the tests from the low risk level should:
    • Match for all the pieces of information (parameters) provided during the online onboarding application (names, phone, email, addresses, ID data).
    • Not trigger any signs of suspicious activity during the fraud risk analysis of the device, geolocation and online behavior.
    • Not have a bad reputation for any of the parameters captured when compared against your own internal database, watch or black lists, and external databases.
    • Respond correctly to additional identity verification methods that you decide to incorporate to the low risk level, like knowledge based authentication or “Out of Wallet” questions.
  • Identity verification methods like “out of wallet” questions may be better applied for medium and high risk levels, as these introduce friction into the customer sign-up process.
  • In addition to incorporating identity verification checks and security tests to measure the fraud risk of new customers when creating their accounts, is also important to analyze closely the behavior of new customers, or returning customers when using your system.
    • Compare new user’s behavior against your historic data for all your previous applications. Define a profile for your good customers, and another for the bad ones, and compare new applications against those and profiles.
    • Apply the same strategy regarding behavior analysis for current customers engaging and using your system, against defined profiles. Look for signs of account takeover and serial fraudsters.

3) Select Identity Checks and Security Tests

We recently published a document including best practices for online lenders looking to reduce fraud risk from their online onboarding process.

This document includes multiple identity checks and security tests that you can incorporate into your online onboarding process, and map to the risk levels that you define for your progressive identity verification strategy.

There are more than thirty tests grouped into the following categories and sub-categories:

  • Under the identity verification category you’ll find identity checks used to verify the information provided by the potential borrower against trusted sources of identity data. The best practices that you should follow and some of the tests that you should perform are (you’ll find many more tests on the document):
    • Match application information to trusted sources of information
      • Is the home address risky?
    • Check phone records
      • Examine the actual type of phone the applicant uses to make sure it’s not considered unsafe
    • Verify email addresses
      • Has the email address enough activity on the Internet?
    • Verify billing information
      • Does the billing name and billing address match private databases or public records?
  • Under the Signs of Identity Theft or Serial Fraudster category, you’ll find security checks that review in more detail the previous history of any of the parameters captured during the onboarding process, including the user device, bank account or payment instrument, against your own database or other industry databases, including our own database of trusted digital identities (eDNA). Some of the best practices and the security tests associated with this category are:
    • Examine device history
      • Identify the number of devices associated with the application’s user account
    • Confirm funding payment instrument or bank account
      • How many user accounts are tied to it?
    • Check your black list
      • Are any application parameters on your watch or black list?
  • Under the Analyze Geolocation category, you’ll find security tests that will help you analyze the fraud risk associated to the location and device where the user is connecting from, and correlate this information with other pieces of information captured during the onboarding process, like phone number, payment instrument data, and billing/shipping address. Some of the best practices and the security tests associated with this category are:
    • Review the IP address
      • Get the city, country and ISP associated with the applicant’s IP address
    • Do the math between IP address location and user’s addresses
      • Calculate the distance in miles between the IP and billing and shipping addresses
    • Confirm the proxy
      • Is the user coming from a known non-corporate proxy, or is it using an anonymous proxy?

Download the document to learn the other security tests and identity checks that you should be using.

We provide all these tests and many more through our platform, and we can help you customize and implement your progressive identity verification strategy adapted to your business needs.

If you need help with your current KYC process, please make sure to read our KYC Compliance Fundamentals guide.


Once you analyze your business goals and regulatory requirements (#1), define the risk levels (#2) and select the identity checks (#3) that you’ll be using, you need to map the security tests selected to each risk level of your progressive identity verification strategy.

We hope you find useful the information provided with this post. Feel free to send us your feedback to: [email protected]