For online companies, there is nothing more important than the user onboarding process.
You spend enormous amounts of money on attracting users to your site, with many businesses dedicating entire departments to optimizing that site so that traffic converts into users.
But importantly, once the user clicks on registration or signup, or installs your app, comes the onboarding process.
Obviously, companies want onboarding to be as fast and frictionless as possible, while still staying compliant with the regulations in their industry and market.
For most, fraud and risk is just an afterthought at this stage. After all, fraud happens on the payment side, they might think, so why bother your users with security checks?
Nothing could be further from the truth. The onboarding phase is crucial not only in your customer journey but also for fraud and risk reasons.
A good onboarding experience can make or break a product.
Similarly, a cleverly designed onboarding process that gets the right amount of information from the user at just the right time can give you an edge over cybercriminals without adding extra friction or costs.
On paper, a fully online business model has huge advantages. You can target a global market, operate 24/7, and have more control over the data. But there’s an area where traditional brick-and-mortar setups win: verifying people’s identities. This is exactly the challenge of the modern digital customer onboarding process.
Let’s see why it works, when it’s risky, and how to make it as smooth as possible without attracting fraudsters.
What Is Digital Customer Onboarding?
Digital customer onboarding is the process through which businesses incorporate or acquire new users online. It can take place on websites or in-app but, crucially, not in-branch or on-premise, since it is digital.
Since staff members don’t get to interact with these users in person, it is vital to establish security procedures to ensure the users are truly who they say they are.
With the increase in smartphones with quality cameras, we have grown accustomed to taking selfies or providing pictures of our ID documents during onboarding. While in financial services this is expected and mandatory, in other areas it can be considered overkill. Your users are hungry to use your service but won’t necessarily trust you with their sensitive details.
What we are talking about is biometric identification, a form of hard KYC. Hard because historically it’s hard to beat, and hard because it’s an extreme amount of friction for your users.
How Does Digital Onboarding Work?
Digital onboarding is a form of acquiring customers that fully takes place online. The user simply signs up through your service using their device, providing the necessary details step by step. Not only is the onboarding flow designed with usability in mind, but it also serves to meet know your customer (KYC) and customer due diligence (CDD) compliance standards.
In its simplest form, digital onboarding allows you to turn visitors into service users or customers in exchange for providing their personal details on signup, allowing you to verify their identity.
Who Uses Digital Onboarding?
Digital onboarding can be used by any business that wishes to serve customers online, but it’s absolutely crucial for e-tailers, online merchants, and online-only financial institutions, who have no other means of signing up users. It’s also used in employee onboarding to manage remote workers, to save time on paperwork and/or to handle employee data digitally.
The Challenges of Digital Onboarding
It is accurate to say that businesses that want to stay on the right side of the law aren’t rewarded for their efforts. More often than not, customers who find too many obstacles during the signup process will abandon it.
This is known as customer churn and it’s increasingly a battleground for the new wave of modern online businesses.
As the always-on economy shows no signs of slowing down, customers expect to be able to sign up for new services as easily as possible. Adding too many verification steps becomes an obstacle that sends them towards more lenient competitors. Yet, legislation and best security practices call for caution.
KYC Software Is Typically Expensive
To make matters worse, companies that rely on traditional KYC services find that their money is quickly going down the drain, as each customer identity verification can cost between $10 and $100.
Even alternative digital onboarding solutions that focus on identification, such as Stripe Identity, only reduce the cost to $1.5 per KYC check, which is still pricey if you have a high volume of applications. Especially if most of them are fraudulent. You are essentially wasting checks on invalid users that bring nothing to your business.
Identities Are Easy to Falsify
Fraudsters do their best not to tie their real-life identities to online accounts. This is why they steal other people’s identities or create synthetic identities by combining real and fake data.
Traditionally, the only companies that needed to verify people’s identities were financial institutions because failing to identify that someone incurred risk meant they could end up lending money to criminals using fake or stolen data and ready to disappear without repaying.
But as more companies offering payouts have moved online, fraudsters have established novel methods for beating ID checks. They will use throwaway or freshly minted emails and phone numbers when signing up to different services, which allows them to use these as springboards for other schemes.
Biometrics Are Easy to Beat
To meet digital onboarding checks, fraudsters will:
- use stolen user information, acquired via phishing or bought on darknet marketplaces in the form of “fullz” – packages that include someone’s name, address, and credit card number
- forge ID documents (using Photoshop or other editing software)
- combine real and fake data to create synthetic IDs
A rise in rent-an-ID service is also occurring. This is when someone willingly sells their identity documents to criminals who need them to commit their crimes. By allowing fraudsters to use their identity online, the person becomes complicit and receives a small commission.
Everyone’s ID details are valuable. Fraudsters often make use of identity details from deceased people and even children because the latter have positive credit scores by default.
What’s more, the growing popularity of AI-based technology – such as deepfakes, which allow criminals to create a falsified video or audio recording of people without permission – raises new questions about the relevance of ID-based authentication.
While this may sound like science fiction, biometrics technology has worryingly been shown to be relatively easy to beat, even with more low-tech methods.
For instance, Kraken Security Labs has demonstrated that anybody’s fingerprints can be faked for under $5, by simply using a close-up photo of their fingers. Automated facial recognition can be beaten by printing a photo of the individual, per Naked Security.
The takeaway? Biometrics are good for identification but have their own risks from a security standpoint.
How to Set Up a Digital Onboarding Process for Fraud Detection
The digital onboarding process is quickly becoming an important battleground for online companies. Maximizing traction with high acceptance rates is key. If people cannot register fast and easily enough, they will go and do this with a competitor.
So what does a frictionless onboarding experience look like? It has to be all of the following.
- Easy: Nobody wants to have to fill long forms and answer in-depth questionnaires to access a new service these days, whether it’s an online store or to apply for a new debit card.
- Fast: No long delays to accept an application. That means having a clear understanding of the steps required and giving expectations of how long the whole thing should take.
- Seamless: Lengthy safety measures can put off new customers by creating churn. Asking customers to provide additional documents or a selfie, or even to have a video chat conversation in order to complete onboarding can be a barrier for those who want to quickly sign into a banking account.
Whatever your user onboarding flow is, you will be capturing a wealth of information about your user at each step.
Instead of forcing through all of your users at a mandatory hard KYC chokepoint and relying on an expensive third-party verification service, you can use the data they provide to build user profiles.
What’s more, you can apply risk scoring at every step of the process to assess whether or not to allow the user to continue. If they are determined to be risky, you can trigger a stricter security check or manual review. If they are determined to be too much of a threat, you can block them completely – or any combination of these.
This approach is called dynamic friction, and it’s the bread and butter for many of our clients.
Think of your typical user journey on registration. Ideally, they should gradually reveal more and more about themselves in a game of establishing mutual trust.
- When they arrive on your website or app, you will see their IP and device information.
- When they sign up or register, they will provide you with a point of contact – an email address or a phone number.
- You will send them an activation link, which they might use from a different device you will also find out about.
- You can ask them to provide a password.
- And finally, you ask them to provide their card number, name, and/or address.
This checklist will be more or less the same across verticals, with some details omitted in certain industries. But the point is that risk checking each of those details at the step you receive them should give you a clear view of who you’re dealing with, which allows you to satisfy customer due diligence requirements even before you’ve asked for a selfie and an ID!
The Solutions: eKYC, Digital Footprint Analysis and Dynamic Friction
So, how can businesses get a better idea of who they’re onboarding without sacrificing user experience, cost, and security? At SEON, we believe you need a three-pronged approach to digital onboarding.
Electronic know your customer (eKYC) tools have improved in sophistication and ease of use in recent years. You can now integrate them directly into your platform and submit and receive data via API calls. In most cases, you’ll need to send:
- a full name
- a scan of an official ID document
The online KYC tool will then perform a real-time check to see if the name and IDs match exciting records, or at least give you an idea of how risky the onboarding looks based on their own parameters.
In some cases, you’ll want to learn more about users without asking them for any verification. This is absolutely doable thanks to a process called digital footprint analysis, also referred to as “KYC based on alternative data”.
You start by collecting data points about the users as soon as they land on your website. This can be based on an IP address or the kind of device they used to connect to it, thanks to device fingerprinting. To perform this analysis, you will only need basic information such as:
- an IP address
- an email address
- a phone number
The phone number option is particularly interesting as 2FA is increasingly becoming the norm. This pushes fraudsters to use fake phone numbers or virtual numbers, which can be detected by your fraud prevention platform.
With the right data enrichment tools, you can extract enough information to immediately find red flags about bad users. For instance, you might find the below suspicious:
- users without social media presence
- users using VPNs, suspicious proxies or Tor
- those on unrecognized devices
- those whose IPs have appeared on spam blacklists
All this data can help create a risk score, which will give you an idea of how likely the person is to be real or not. You can use that score to automatically approve or decline the onboarding process with much more confidence.
- Device information: Not only are some devices riskier than others, but repeat offenders can be easily caught by device connections. Similarly, device information can reveal anomalies such as clashing time-zone or language settings compared to who the user claims to be.
- IP information: When it comes to fraud, proxies, VPNs, and Tor are the name of the game. By detecting them early on, you can block bad attempts easily – and filter out repeated or automated attempts.
- Email information: By performing a reverse email lookup on social platforms and checking against the Have I Been Pwned database of leaked emails, you can quickly evaluate whether the user is an existing person or not. Fraudsters will more often than not use throwaway emails registered for the purpose of identity theft, while good users will have a social media “portfolio”, depending on the target market.
- Phone information: While it’s not recommended to rely on SMS for two-factor authentication, a phone number can still be used in risk scoring. You can use CNAM/HLR lookups to determine whether or not it’s a virtual carrier or, better yet, find out the registered name for that number.
- Password: Password hashes can yield surprising user connections, whether it’s a phrase that is common in a given language or the favorite passphrase of a fraudster. You can also use password hashes to protect your users from account takeovers by checking them against known leaked passwords and forcing users to choose a more secure alternative.
- Address information: The address can be compared to the user’s IP address to determine if the distance between the two is feasible or not.
- Card information: It’s increasingly common to ask for user payment details upfront, rather than at checkout, as it makes for a better transaction experience. You can use this step to verify whether or not the card has funds on it with a trial charge, but you can also perform a BIN lookup to gain information about the cardholder.
By layering the above steps one after another, applying risk scores to each detail, by the time your user finishes registration, you will know exactly who you’re dealing with and whether or not you should let them on your platform.
This creates a powerful defensive moat around your services even before the users first hit a transaction page. The best part? Good users will not notice a thing as all these checks run in the background without any friction, while fraudsters will see their attempts fail repeatedly, frustrating them enough so they give up!
3. Dynamic Friction
But what happens when the risk score isn’t conclusive and you do need to ask for extra information? This is exactly the process we call dynamic friction and, to explain it, it helps to break down the idea of KYC into light and heavy processes.
The advantage of using the dynamic friction method is that you can use the light KYC stage to filter out a lot of unwanted users. Those who are clearly fraudsters using stolen IDs will not make it to the next stage.
If, however, they make it through but still pose a risk, you can then ask for heavy KYC verification, as we outlined above.
Which Tools Should You Use to Complete a User Profile?
Whether it’s for your own KYC procedure or to reduce applications that use fraudulent data, you’ll need to enrich data about users as much as possible.
At SEON, we have a series of tools designed for the job. These include our IP analysis module, for anything related to the connection type; our device fingerprinting solution, which looks at a configuration of software and hardware (device and browser, for instance); our email and phone analysis data enrichment modules, which can aggregate data from open source databases to gain a 360° view of customers.
The phone and email analysis tools are particularly useful thanks to our reverse lookup feature, which gathers info from 35+ online networks including someone’s user picture, bio, social network presence, and date last seen online.
Our clients use that data to estimate underwriting risk, to speed up manual reviews, and even for debt collection.
Conclusion: Better Digital Onboarding = Flexible Security Measures
Circling back to our point about friction, we can now see that balancing security and user experience is key in onboarding. Yes, you want to grow your user base as quickly and easily as possible but you don’t want the door to be open so wide that anyone can enter.
The answer, therefore, lies in flexible and adaptable security tools for your digital onboarding. Balancing light and heavy KYC processes will help reduce fraud without creating obstacles for those with a clean record.
While there is always an element of trial and error to balancing security and setting up an easy onboarding process, we believe fraud analysts have a large role to play in this important aspect of interacting with your customers.
This is why we have created a wide range of tools that provides organizations with full control over risk thresholds during the onboarding experience, including automated flagging at the identity verification stage and machine learning-assisted decision making for identity proofing.
This is where the key balancing act lies: Add too many verification steps and you can be certain never to pay an AML or KYC fine. But make it too stringent and users will look elsewhere. The key is to deploy a better KYC procedure that gives you full control over the amount of friction without sacrificing security.