The ability to add new customers online while protecting your business from fraud and meeting regulatory requirements is both a necessity and a competitive advantage to any company providing financial services. Traditional financial institutions, remitters, and FinTech companies on-board clients online; especially considering that globalization allows all companies to expand their client base, foregoing the geographical and brick and mortar boundaries that once upon a time constrained your business from growing. Document verification is fundamental to address the identity verification requirements to serve millennials, foreign nationals, foreigners, etc.
Before we get to the fun part – integrating a document verification service into your on-boarding processes – let’s start at the beginning: what is Document Verification, and what is the typical purpose it serves?
Document verification is, for the most part, an automated process to validate an identification document (e.g. passport, drivers license) provided by a consumer for the purpose of asserting the validity of their identity information. This type of service is also called id verification.
For example, imagine that you want to apply for a new credit card online. The on-boarding process will ask you to provide identity data. This data is used to establish your identity. The validation process usually involves reaching out to third party databases and risk systems to attempt to validate that this data belongs to you. There are instances in which the database to validate your provided data isn’t available. For example, international users, in these cases, one could ask the customer to provide an identification document and then “trust” that the data in the document is real. The document validation looks at the document for making sure it isn’t fake, and to extract the data in the document to compare against other information provided and third party data providers.
Documents may have versions, some of them several. Document verification providers compare the image of the document to a stored “template” of the document. If the template doesn’t exist, then the document won’t be validated. The purpose of the verification is to know whether the document is authentic, and has not been tampered with. All documents have a minimum of security features, the validation process looks at these features. The depth and richness of such validation depends on the provider and the document. Some documents’ security features require the front and the back of the document, or multiple images of the same document.
The document verification process, although straightforward, can also be influenced by a few general considerations:
- Image Quality. Recognizing a document and extracting data from it depends on the quality of the document image. Quality is (loosely) defined in terms of resolution, clarity, angle, and completeness. Obviously the better the quality the higher the chances of successful recognition and data extraction. The quality of the image is also related to the camera you use: smart phones have better cameras than your laptop or a web desktop camera. So if you can capture an image with a smartphone, you will likely get a higher image quality than the typical desktop camera.
- Data Extraction. It is the process of extracting data from the document itself. There are ID verification providers that focus on data extraction, and not so much on the verification.
- Automated vs. Manual Review. Most providers have automated capabilities for the evaluation of documents. Some also have a manual review process for those cases of uncertainty, which means that providers have a team of analysts that manually go through the documents themselves. Manual reviews tend to be slower, more expensive, and have higher security risks as reviewers may not flag counterfeits and are more likely to make mistakes. However, manual review is a needed process, given that, in many cases, the automated process may fail, sometimes due to technology, and some times due to image quality.
- Regulations and Regulators. Some countries’ regulations do establish identity document verification as a requirement for the KYC process. However, most countries favor a risk based approach, and examiners would consider id verification as a valid process for KYC.
Now that we’ve covered the basic definitions, we can move on to explain how our platform integrates Document Verification as part of the online on-boarding process.
Over the years, we have been offering and reselling [within our platform] online id verification from different data providers. We understand quite well the challenges of implementation, reliability and interpretation of the results that all our clients are facing, and how operationally daunting this can be for anyone looking to realize its benefits during the customer online on-boarding process.
IdentityMind Document Verification
Our platform offers the document verification service as an integral part of the online on-boarding process. It is delivered within the context of account protection and Know Your Customer (KYC) specifications.
IdentityMind’s platform aggregates a variety of providers, each with different strengths and weaknesses.
We have built an abstraction layer on top of our id verification providers to normalize their output in a way that is more effective for the functions needed during the on-boarding process.
The abstraction layer also implements an algorithm to direct the request to the best provider based on the configuration and the nature of the document being evaluated. For example, some providers support some geographies better than others, and only few support face match and liveliness test. In addition, the abstraction layer also can cascade to a different provider if the first one fails to provide a response.
The abstraction layer focuses on three [very important] things:
- Reaching the necessary operational efficiencies from automated document validation.
- Normalizing the responses of multiple providers while providing a framework that takes advantage of their functionality.
- Enabling customer growth as the demand for new documents and new demographics affect your account on boarding requirement, risk prevention and compliance programs.
Key Use Cases
Now that we’ve discussed the concept and purpose of an integrated document verification process for customer on-boarding, and how essential it is to successfully grow your business online by reaching new geographies and serving other demographic segments, let’s take a look at how it actually works.
The best way to explain how our platform operates is in the context of use cases. The following are the most common ones across our client base.
Positive Identification is certainly the most important use case. We want to make sure that the document is authentic, valid, and the data contained in it matches the data provided by the customer.
Some of the data may not be as important for a full match (e.g. address), while others like name, last name, DOB, are very important. While not an identification item, you may want to consider whether the document is expired or not. An expired document is a risk condition that should be further evaluated.
Some of the id verification’s security tests that you can run through our platform for positive identification are:
Positive Identification — Extra Credits
We are always trying to push the envelope when it comes to showing that users are who they say they are, and that we are dealing with real users.
Some identity document verification providers offer a couple of extra functionalities that help to prevent synthetic identities and identity theft. The first is doing a face match that compares the picture in the document with one provided by the client, this could be provided as a file image, or as a “selfie”. The second, is a liveliness test that reasonably assess that the person providing the images is a real person.
Given that these activities can be perceived as further friction in the identification process, they could only be used when there are other risk conditions. For example when the name doesn’t quite match, or the image is fuzzy, or the IP address geo-location is in one country, but the document is from a different one.
The additional id verification’s security tests that you can configure using IdentityMind for positive identification purposes are:
Kind of the opposite as above. While it is difficult to describe exactly what can be considered as a failed identification, a series of failed validations should be considered risky.
A failed security test (DV:3) has to be used in conjunction with DV:21 Document is Decisive (see below).
DV:3 may fail due to several reasons. A common case is because the image is fuzzy. While the document can be recognized, perhaps the data in it can’t be read. In these cases, we need to look at the results of security test DV:21.
These tests will tell us if the reason for DV:3 failing can be handled by asking the client to submit a better image (indecisive) or the document itself is believed to be faked or having been tampered with (decisive). The latter case is obviously a strong case of concern and in all likelihood should be considered fraudulent.
The following security test will help you spot high risk users, when combined with the results obtained from other id verification tests:
Many clients have certain restrictions as to where they can do business. The first check you should do is that the document type and the location is consistent with your business. In order to do this the platform can perform the following checks:
1. The country extracted from the document doesn’t match the provided country in the API (if present). The API allows you to specify which country to expect from the document.
2. The document type does not provide the information needed to establish an approved locality. For example, if say your business is required to exclude certain states in the US where gambling isn’t allowed. If the user submits a US passport, which is a supported document, it isn’t possible to establish the state, and therefore another type of document is required. The API accepts what type of document is expected.
Unfortunately, no matter how good your process is, the whole validation is dependent on the image provided. Depending on your on-boarding process you may want to iterate a few times before turning to customer support.
We want to say it’s mostly because customers don’t follow guidelines when taking the picture, and take crappy pictures – that certainly happens – but they also like to upload random images they find on the Internet, as a [rebellious] way of saying “You are asking too much of me!”. This will, of course, make the process harder, and unfortunately there’s not much anyone can do about it. In all certainty, these are the kind of users you don’t want to deal with anyways.
Now, back to the point. In most cases, the clients will upload a low quality image, and you want to handle this process in the best available automated way. For these cases look at the following document verification security tests:
An unprocessed document describes an image that can’t be recognized as a document, and as such no assumptions can be made on it.
There are nuances to each one of these use cases, and depending on your application you may vary slightly how rigorously you apply them, given your risk tolerance and your regulatory needs.
How We Can Help
We have talked at length about the challenges on online on-boarding and account fraud. You can find links to relevant posts below. Additionally, we have also discussed about the need for efficiencies when preparing your platform for expanding your services based on RegTech like our platform.
If you are in the process of adopting or evaluating an online document verification service and have questions about the information in this blog post, or have other use cases that you want to explore, please feel free to reach out to us at [email protected].
If you are a current IdentityMind client and want more information you can always reach us through our Client Success Team.