Sourcing Better Alternative Data for Customer Due Diligence (CDD)

March 25, 2021 by Jimmy Fong
For some companies, Identity validation and verification is useful. For others, it’s a mandatory part of their KYC process. But there’s more than one way to get the most from your checks.
In this post, we’ll cover the basics, and we will demonstrate why some methods are more effective than others.
Let’s start with a few definitions:
Identification can come from the customers themselves or from your own system. It’s the information customers provide your business (by filling form fields), or the one you collect (IP address, credit card number, etc…).
Identity verification and validation both refer to the process during which your company confirms a user’s identity. It ensures the identification process is valid, that there is a real person behind an action, and that they are who they say they are.
It is particularly important in the context of fraud prevention, where flagging false identities is often the best way to reduce damage to your organisation.
Identity authentication happens after identity verification. While ID validation typically only needs to be checked once, customer authentication may be necessary multiple times. For instance, if a user logs in from a previously unknown device or location.
To summarise, this is what every business should put in place to confirm identities:
Fraudsters and criminals do their best not to tie their activities to real-world identities.
This is precisely why they create fake profiles before abusing your business, whether they want to default on an online loan, create multiple accounts to abuse your promo system or trigger affiliate rewards.
But more importantly, ID verification is increasingly a regulatory and compliance issue.
While this has long been the case in the world of banking and financial institutions, we’re seeing a more pressing need to perform identity-based authentication in a variety of verticals. This includes online stores, OTAs and payment gateways, to name but a few.
An example includes SCA (strong customer authentication) from the PSD2 directive, or the Patriot Act in the US, which states the minimum requirements for identity verification.
“(2) MINIMUM REQUIREMENTS —The regulations shall, at a minimum, require financial institutions to implement, and customers (after being given adequate notice) to comply with, reasonable procedures for—
US Patriot Act Section 326
(A) verifying the identity of any person seeking to open an account to the extent reasonable and practicable;
(B) maintaining records of the information used to verify a person’s identity, including name, address, and other identifying information.”
Confirming an identity is the cornerstone of risk management. The more a customer appears legitimate, the less likely they are to commit fraud or cybercrime on your site.
An efficient identity verification process at the login stage results in the same benefits but also improves the chances of catching ATO attacks when fraudsters log into legitimate users’ accounts.
Then there are the large fines issued for lack of KYC compliance or AML (anti-money laundering) checks.
There are many ways to authenticate a user. You can do so via document verification, biometrics, or multi-factor authentication. These methods serve as identifying a user and approving or declining the authentication depending on the quality of the results.
This is where things get interesting. There are broadly four ways you can deploy eKYC or Customer Due Diligence (CDD) at your company, but not all of them are created equal.
The key point to understand is that it’s generally more affordable and easier to scale when you outsource these services to a third party company. The maintenance is taken care of off-site, which may make life easier for your developers, but may cause data privacy concerns.
Now let’s see what works, what doesn’t and why.
Customers are prompted to submit high-quality images or videos of their real ID documents. These may include driver’s licenses, passports, identity cards, residency permits, or voter ID cards.
Most of the time, a selfie ID must also be submitted alongside other identity verification documents.
Images are then authenticated through a global network of document verification services.
Biometrics are body measurements that should point to a user’s unique features. These include fingerprints, face ID and voice recognition.
From a legal perspective, many countries have yet to adopt biometrics identification as valid, but it’s increasingly becoming commonplace. India, New Zealand, Australia and Pakistan, for instance, now accept biometrics for both identity-based security and identity verification.
2FA, or 2 Factor Authentication and OTP (One Time Password) are both forms of multi-factor user authentication which confirm user identities by linking them with more than one device.
The concept of digital footprint for identity proofing differs drastically from the aforementioned methods. Your customers have digital lives, and they need to submit information on your site to onboard, log in or process a transaction.
Why not extract as much information as possible behind the scenes to confirm their identity? While this was a common practice as part of the OSINT (Open Source Intelligence) method, it’s a resource-heavy and time-consuming task.
The answer is automating the process via:
Last but not least, you can gather social media data linked to the email address and phone number. This is a powerful identity verification tool that lets you gather: social media profiles, including bio, avatar and date last seen on the platform.
When it comes to identity verification, the more data you have, the better. But it’s always a balancing act between gathering information and adding too much friction.
A slow onboarding process, too many obstacles during a transaction, or a stringent authentication system can increase customer churn, and send your users towards competitors.
At SEON, we believe that digital footprint analysis and reverse social media lookup offer the best of both worlds for your identity-checking process, allowing you to make informed decisions, meet legal requirements, and support a smooth customer journey at the same time.
Products
Jimmy is the CCO of SEON and brings his in-depth experience of fraud-fighting to assist fraud teams everywhere.