Sometimes, businesses need to acquire undeniable evidence that their customers are who they claim they are. This could be an airline checking in a passenger, a bank verifying the recipient of a high-dollar transaction, or any other service where identity fraud carries high risks. Verifying such evidence is called identity proofing, and this practice is often required in AML and anti-fraud measures.
This article clarifies identity proofing and its compliance and security implications for businesses.
Identity proofing is the process of verifying a customer’s identity. The goal is to confirm that A) the customer exists and B) the customer is who they claim to be. Identity proofing or, legally speaking, “identity verification” is part of the due diligence processes required by AML regulations worldwide.
An identity is a combination of characteristics that belong to a person. According to the AML guidance for the financial sector, these characteristics include:
A single characteristic is not usually enough to distinguish one person from another, but a combination might be. Other characteristics about an individual accumulate over time, such as:
Companies can verify customers’ online and in-person characteristics by obtaining documentary and/or electronic evidence.
Companies should apply a risk-based approach to verifying customers, by considering the money laundering and fraud risks inherent to the customer’s profile and applying proportionate measures. This takes the following factors into account:
Effective identity proofing helps companies prevent identity theft and ensure AML compliance, which is essential for regulated businesses. In 2019, global penalties for non-compliance with AML regulations amounted to $10 billion.
Typically, identity theft occurs due to data breaches, which take up to 9 months for organizations to detect. Long detection times significantly impact the security of personal data and cause financial and reputational damage to companies. In 2020, losses incurred by identity theft cases totaled $712.4 billion.
Businesses need identity proofing to protect themselves as well. Business (or corporate) identity theft can also occur, whereby criminals steal a company’s identity and use it to buy goods and services by establishing credit lines with banks or retailers. Stolen identities can be used to open card accounts, initiate wire transfers, or commit tax fraud.
Identity proofing can also help businesses prevent multi-accounting fraud, which is often prohibited across multiple online industries (e-commerce, gambling, gaming, dating, travel, and food delivery). Businesses face high costs when users repeatedly register multiple accounts to take advantage of free trials, discount codes and other bonuses or continue using the service after getting banned.
Weak identity proofing methods are often solely based on email address or phone authentication—two checks that reveal nothing about the user’s true identity. Considering the severe legal and financial consequences of identity fraud, it may be reasonable to go beyond email/phone number verification and employ identity proofing services to identify and verify users accurately.
Regulated financial institutions must conduct user verification in accordance with local AML law. However, non-regulated industries with an online presence, such as marketplaces, booking, and dating services, typically demand effective identity verification processes as well, even if regulators don’t require them. The reason is to protect themselves from fraud, which may cause significant financial losses and damage their reputation.
Different businesses have different identity proofing needs, depending on the risks and requirements. For example, one may only need a phone number and email to sign up for a hotel booking service. But to check in for a flight, a passport is required.
Identity proofing methods vary depending on whether verification is performed in person or remotely. In the latter case, verification is conducted through digital means such as biometric verification, face recognition, and ID document verification.
According to UK government guidelines, there are three types of authentication methods:
This type of verification includes facial recognition (liveness check), voice recognition, iris & retina scanning, and fingerprinting. These methods offer customers a high level of convenience, as no passwords need to be remembered and no questions need to be answered.
Liveness is a biometric facial authentication technology that helps businesses ensure that users are truly present during identity checks. The technology determines if a user’s face is genuine (rather than a mask, video, photo, or other forms of impersonation) by:
The liveness check, or face authentication, is the most convenient and secure verification method. All users have to do is look straight into the camera, which is easier than entering passwords manually. This makes verification user-friendly and increases customer conversion, since users don’t need to make extra movements.
One of the most common examples of face authentication technology is Apple’s Face ID. The system conducts a secure authentication check, enabling the user’s device to be unlocked or payments to be authorized quickly, with no passwords required.
Some companies require a video to verify identity. Countries like Germany, Estonia and others actually require this by law.
Video identification allows users to confirm their identities in a live video interview with an identification operator. In most cases, the video identification procedure includes two stages: data collection and data validation. During data collection, the operator asks questions, requests documents, and may ask users to change their body position or perform other actions depending on the requirements and jurisdiction.
This method is highly fraud-proof; the only drawbacks are its complexity and relatively high costs.
Two-factor or multi-factor authentication enhances the security of existing accounts by adding a step to the sign-in process. Such authentication may include a code being sent to the user’s email or mobile phone. This way, companies can easily verify that existing accounts haven’t been compromised. Moreover, two-factor authentication is useful for creating accounts and resetting passwords.
However, this authentication method typically requires users to have their mobile phones with them during the process. Mobile phones can get lost, and fraudsters can easily steal verification codes. Therefore, face authentication is more effective as an additional layer of protection for regular account access.
Knowledge-based verification (KBV) is an identity verification method involving security questions. These questions are generally designed to be simple and highly personal for the user, but nearly impossible for anyone else to answer. They might include past addresses, vehicle ownership, schools attended, and credit card accounts.
KBV was a popular identity proofing method between 2005 and 2015, but numerous data breaches revealed its susceptibility to fraud.
In the age of technology, in-person verification is slowly becoming a thing of the past. Digital identity verification allows businesses to onboard customers safely, increase conversions, and comply with regulations at the same time. To get this done, there are various digital identity verification tools to choose from, including facial biometrics and document verification.