Sometimes, businesses need to acquire undeniable evidence that their customers are who they claim they are. This could be an airline checking in a passenger, a bank verifying the recipient of a high-dollar transaction, or any other service where identity fraud carries high risks. Verifying such evidence is called identity proofing, and this practice is often required in AML and anti-fraud measures.
This article clarifies identity proofing and its compliance and security implications for businesses.
What is identity proofing?
Identity proofing is the process of verifying a customer’s identity. The goal is to confirm that A) the customer exists and B) the customer is who they claim to be. Identity proofing or, legally speaking, “identity verification” is part of the due diligence processes required by AML regulations worldwide.
An identity is a combination of characteristics that belong to a person. According to the AML guidance for the financial sector, these characteristics include:
- full name;
- residential address;
- date of birth.
A single characteristic is not usually enough to distinguish one person from another, but a combination might be. Other characteristics about an individual accumulate over time, such as:
- physical appearance;
- employment;
- address types (home, business, etc.).
Companies can verify customers’ online and in-person characteristics by obtaining documentary and/or electronic evidence.
- Documentary evidence. This might be an official identification document, such as a passport, driving license, or residence permit. To be considered evidence, such documents should contain the customer’s full name, photograph, date of birth, or residential address. Obtaining documentary evidence is often the easiest way to verify someone’s identity, but it may require several additional steps.
Companies should be aware that some documents are more easily forged or counterfeited than others. Therefore, obtaining digital evidence is considered more secure than document verification alone. - Electronic evidence can be obtained through the following methods:
- confirmation from another institution that has already verified the user, such as a bank, digital ID service, or qualified electronic signature provider.
- checking reliable electronic sources such as a credit file or aggregator of open information. Such references usually contain both positive and negative data and identify high-risk conditions—for example, known identity fraudsters or presence on global watchlists. Checking such sources may be necessary to prevent impersonation fraud in line with the company’s risk-based approach. However, the business should carefully analyze the trustworthiness and coverage of these sources before using them.
Companies should apply a risk-based approach to verifying customers, by considering the money laundering and fraud risks inherent to the customer’s profile and applying proportionate measures. This takes the following factors into account:
- the nature of the product or service required by the customer (and any other products or services to which they can migrate without further identity verification);
- the nature and length of any existing or previous relationship between the customer and the company;
- the nature and extent of any assurances from other regulated businesses that may be relied on;
- whether the customer is physically present.
Why identity proofing matters
Effective identity proofing helps companies prevent identity theft and ensure AML compliance, which is essential for regulated businesses. In 2019, global penalties for non-compliance with AML regulations amounted to $10 billion.
Typically, identity theft occurs due to data breaches, which take up to 9 months for organizations to detect. Long detection times significantly impact the security of personal data and cause financial and reputational damage to companies. In 2020, losses incurred by identity theft cases totaled $712.4 billion.
Businesses need identity proofing to protect themselves as well. Business (or corporate) identity theft can also occur, whereby criminals steal a company’s identity and use it to buy goods and services by establishing credit lines with banks or retailers. Stolen identities can be used to open card accounts, initiate wire transfers, or commit tax fraud.
Identity proofing can also help businesses prevent multi-accounting fraud, which is often prohibited across multiple online industries (e-commerce, gambling, gaming, dating, travel, and food delivery). Businesses face high costs when users repeatedly register multiple accounts to take advantage of free trials, discount codes and other bonuses or continue using the service after getting banned.
Weak identity proofing methods are often solely based on email address or phone authentication—two checks that reveal nothing about the user’s true identity. Considering the severe legal and financial consequences of identity fraud, it may be reasonable to go beyond email/phone number verification and employ identity proofing services to identify and verify users accurately.
Who needs identity proofing?
Regulated financial institutions must conduct user verification in accordance with local AML law. However, non-regulated industries with an online presence, such as marketplaces, booking, and dating services, typically demand effective identity verification processes, even if regulators don’t require it. The reason is to protect themselves from fraud, which may cause significant financial losses and damage their reputation.
Talk to our experts to learn how digital identity verification tools can take your business to the next level.
Identity proofing methods
Different businesses have different identity proofing requirements, depending on the risks and requirements. For example, one may only need a phone number and email to sign up for a hotel booking service. But, to check in to a flight, a passport is required.
Identity proofing methods vary depending on whether verification is performed in person or remotely. In the latter case, verification is conducted through digital means such as biometric verification, face recognition, and ID document verification.
According to UK government guidelines, there are three types of authentication methods:
- Biometric authentication—something the user is;
- Two-factor authentication—something the user has;
- Knowledge-based verification (KBV)—something the user knows.
Biometric authentication
This type of verification includes facial recognition (liveness check), voice recognition, iris & retina scanning, and fingerprinting. These methods offer customers a high level of convenience, as no passwords need to be remembered and no questions need to be answered.
Liveness is a biometric facial authentication technology that helps businesses ensure that users are truly present during identity checks. The technology determines if a user’s face is genuine (rather than a mask, video, photo, or other forms of impersonation) by:
- shielding for the depth and texture of images;
- detecting natural emotions and muscle movements.
The liveness check, or face authentication, is the most convenient and secure verification method. All users have to do is to look straight into the camera, which is easier than a manual entry of passwords. It makes verification user-friendly, increasing customer conversion since users don’t need to make extra movements.
One of the most common examples of face authentication technology is Apple’s FaceID. The system conducts a secure authentication check, enabling the user’s device to be unlocked or payments to be authorized quickly, no passwords required.
Some companies require a video to verify identity. Countries like Germany, Estonia and others actually require this by law.
Video identification allows users to confirm their identities in a live video interview with an identification operator. In most cases, the video identification procedure includes two stages: data collection and data validation. During data collection, the operator asks questions, requests documents, and may ask users to change their body position or perform other actions depending on the requirements and jurisdiction.
This method is highly fraud-proof; the only drawbacks are its complexity and relatively high costs.
Two-factor authentication
Two-factor or multi-factor authentication enhances the security of existing accounts by adding an additional step to the sign in process. Such authentication may include code being sent to the user’s email or mobile phone. This way, companies can easily verify that existing accounts haven’t been compromised. Moreover, two-factor authentication is useful for creating accounts and resetting passwords.
However, this authentication method typically requires users to have their mobile phones with them during the process. Mobile phones can get lost, and fraudsters can easily steal verification codes. Therefore, face authentication is more effective as an additional level of regular account access.
Knowledge-based verification (KBV)
KBV is an identity verification method involving security questions. These questions are generally designed to be simple and highly personal for the user, but nearly impossible to answer for anyone else. They might include past addresses, vehicle ownership, schools attended, and credit card accounts, etc.
KBV was a popular identity proofing method between 2005 and 2015, but numerous data breaches revealed its susceptibility to fraud.
Choosing the proper identity proofing tools
In the age of technology, in-person verification is slowly becoming a thing of the past. Digital identity verification allows businesses to onboard customers safely, increase conversions, and comply with regulations at the same time. To get this done, there are various digital identity verification tools to choose from, including facial biometrics and document verification.
