More than ever before, banks are striving to increase new account enrollments through faster, easier and lower-cost digital channels. Yet the current regulatory and cybersecurity landscape creates a layer of complexity. Consumers want the convenience of signing up through digital channels, but financial institutions must comply with stringent anti-money laundering (AML) and Know Your Customer (KYC) regulations that typically send new customers out of their preferred (digital) channel for identity verification.
Today’s AML and KYC regulations are placing more pressure on financial institutions to verify their customers’ identities. Yet, at the same time, large-scale data breaches like the recent Equifax breach (and many others before it) have made identity verification methods that rely heavily on personally identifiable information (PII) and knowledge-based authentication (KBA) less secure and more vulnerable than ever. Consequently, the risk of fraud is skyrocketing. The number of reported suspicious transactions and suspicious new account openings rose from 669,000 in 2013 to almost 1 million in 2016, according to the U.S. Treasury's Financial Crimes Enforcement Network. According to Javelin, new account fraud increased 40 percent in 2016, with more than 1.8 million consumers having a new bank or credit card account opened under their name without their knowledge. And both of these statistics come from before the recent Equifax breach that exposed the PII of more than 143 million consumers! The fraud numbers are sure to only increase.
Regulatory and Cybersecurity Pressures Are Making Identity Verification a Challenge
Ever since the terrorist attacks of September 11, 2001, the U.S. government has made each iteration of AML legislation more complex in an effort to prevent terrorists from using laundered funds to launch future attacks. With each iteration of the legislation, the standards are higher and the penalties for failure to comply are harsher. To avoid steep fines, banks are expected to know who is opening an account and the level of risk that each person presents. However, even today, many of the details remain vague, making it difficult for banks to effectively comply.
At the same time, fines for non-compliant banks have been increasing significantly. According to the U.S. Government Accountability Office, the U.S. government fined banks $5.2 billion in total between 2009 and 2015, but between 2016 and January 2017, more than $15 billion in fines were announced! Indeed, the banking sector has seen several multi-million and even multi-billion dollar fines levied against non-compliant financial institutions in recent years. HSBC paid nearly $2 billion in 2012 for its role in helping Latin American drug cartels launder money through the U.S. financial system. JP Morgan paid approximately $1.7 billion in 2015 to resolve allegations it had violated AML laws in connection with its role in Bernie Madoff’s investment scheme. And in 2016 the U.S. Department of Justice filed civil forfeiture complaints seeking to recover more than $1 billion in funds that were purportedly misappropriated from a Malaysian sovereign wealth fund and subsequently laundered.
How can financial institutions avoid fines in this constantly shifting landscape of regulations? The Financial Action Task Force, an intergovernmental body, recommends that KYC measures should include the following:
- Verifying the account owner’s identity
- Understanding and obtaining information on the purpose and intended nature of the business relationship
- Ensuring through ongoing analysis that transactions are “consistent with the institution’s knowledge of the customer, their business and risk profile, including where necessary, the source of funds”
Other pieces of the KYC process involve background checks for criminal records, political exposure and country of citizenship. The extent of these measures should depend on the amount of risk each customer or business transaction presents.
In an effort to meet compliance with these requirements, banks are increasingly investing in new KYC and AML technologies and tools. In fact, banks are projected to spend $8 billion on AML in 2017, and an ABA survey found that 46 percent of small banks said they had to reduce their products and services because of compliance costs. However, there’s no standard for implementing KYC, nor are there mandated technologies to ensure KYC is carried out. With the harsh fines possible, banks have a strong incentive to comply, but what they should do is unclear, and there are a variety of options to choose from. Banks are clearly trying, but what they have been doing thus far hasn’t been working.
Traditional Approaches to Identity Verification are No Longer Sufficient
The most traditional form of verifying customer identities is having a new customer go to a branch location to have their personal identification documents verified by a branch employee. However, in an age when banks are closing hundreds of branch locations and consumers expect to be able to conduct their transactions – from beginning to end – through digital channels, expecting them to journey to the branch is not realistic. In fact, consumer visits to retail bank branches are set to drop 36 percent between 2017 and 2022, with mobile transactions rising 121 percent during the same period. Furthermore, branch employees are not experts in identity document verification and are simply not trained to spot sophisticated forgeries.
In addition to physically checking a new customer’s ID documents in the branch, banks commonly employ other KYC technologies and techniques, including:
Knowledge-based authentication (KBA)
New customers must provide personally identifiable information (PII) when they enroll and must provide a combination of passwords, PINs or answers to personal questions as they log into their accounts. However, in many cases, it’s not difficult for fraudsters to find KBA answers and consumer PII (such as birth dates) listed publicly or shared on social media. Furthermore, in the wake of recent, large-scale data breaches like the one that occurred at Equifax, consumers’ PII is easier to obtain than ever before.
Sanctions check tools
These compare potential customer lists to government lists of people with criminal track records as well as politically exposed persons (individuals entrusted with a prominent public function who, therefore, might be at higher risk for potential involvement with bribery or corruption).
These tools analyze a customer’s credit data and calculate the amount of risk they represent.
“Big Data” analytics solutions, whether provided by an external vendor or internally engineered, can analyze customer transaction data and flag unusual behavior patterns such as atypical location. However, these tools are not perfect and can often make customers’ lives more difficult. For example, if a customer is traveling and didn’t notify their bank in advance, their transaction might be declined because it is deemed “fraudulent” even though it wasn’t.
These are solutions that involve collaboration between several institutions that share information about their customers. Therefore, they work as a tool to enlarge databases and gather information about banking customers.
Of the tools and techniques described above, the most commonly relied-upon method for identity verification both during new account enrollment and for ongoing user authentication is knowledge-based authentication. However, as large-scale data breaches become increasingly commonplace, approaches relying on KBA and PII are far less reliable than in the past. In the first half of 2017 alone, there were 918 reported data breaches impacting more than 1.9 billion records, with PII comprising the majority of the breached data. And, of course, everyone is aware of the recent Equifax data breach, which exposed sensitive PII including social security numbers, driver’s license numbers, birth dates and more, of more than 143 million people. With so much consumer PII readily available for fraudsters to use, it has become clear that relying on PII and KBA is no longer a viable method for identity verification or user authentication.
Given this new state of affairs, banks should expect to see an increase in identity theft cases among their customers and be prepared to face a higher risk of synthetic identity fraud. That’s because the social security numbers and other PII exposed in the Equifax breach are the exact type of data that traditionally forms the foundation of synthetic identity fraud. This creates a two-sided problem, where consumers are subject to identity theft and businesses don’t know if they’re dealing with legitimate customers. As a result, trust in the security of digital channels – and digital banking – is being eroded. This is a systemic problem that will be repeated over and over due to the widespread reliance on passwords and PII for identity verification, and the never-ending tide of data breaches.
The system needs a reset, but what’s next? Banks looking to comply with AML and KYC regulations must quickly move toward other methods of identity verification.
New Mobile Technologies Provide a Solution for Identity Verification in Digital Channels
Fortunately, new mobile technologies make it possible to have strong identity verification in digital channels while assessing customer risk and delivering a superior user experience. With the growing prevalence of smartphones (77 percent of U.S. adults now own one), banks can comply with AML and KYC regulations, as well as mitigate risk by leveraging consumers’ personal mobile devices for ID document verification. Leveraging the same technology that is already in place for enabling mobile remote check deposit, banks can also have customers use their smartphone camera to scan their government-issued IDs for verification.
The combination of smartphones and government-issued identity documents creates a powerful and credible weapon for banks to fight against money laundering by joining the trust people place in physical IDs with the convenience of the digital channel. Not only do government-issued IDs employ many sophisticated anti-fraud techniques designed to prevent forgeries, but an estimated 79 percent of the world’s population has official government documentation. Consumers are accustomed to visiting a bank branch to show their identity documents for verification in order to open a new account, though many dislike the inconvenience. With new mobile technologies, rather than requiring a new customer to make a special visit to a branch location, banks can simply ask them to scan and submit their ID for verification using their smartphone camera.
Using digital identity verification technology with advanced machine-learning algorithms, the bank can instantly determine whether the ID is an authentic, government-issued document or a forgery. They can even go a step further by having the consumer also use their smartphone camera to take a selfie. Using automated facial comparison technology, the bank is able to verify that the individual is actually a real person and that the person in the selfie matches the person pictured on the ID. The algorithms can even take into account potentially challenging ID photo quality and that the ID holder’s appearance may have changed since the ID photo was taken. This combination creates strong identity assurance through two factors of authentication: something the customer has (the ID) and something they are (biometric facial recognition). Best of all, all this is done quickly and as easily as the snap of a camera, without the customer needing to leave their home.
This approach to identity verification also works particularly well for the unbanked and underbanked, as well as young people or new immigrants, who often have thin credit files and therefore little PII history against which to verify their identity. Because 79 percent of the world’s population has government-issued identity documents, even if an individual has a thin credit file, they are still likely to have an ID – making digital identity verification a more viable option for authenticating these individuals in the digital channel. By comparing their ID documentation with facial recognition technology, banks can have strong identity assurance even for those individuals without much PII history for verification.
Digital identity verification technologies are also becoming increasingly popular around the globe as an accepted solution for AML and KYC compliance. With the passing of the 4.1AMLD in the European Union, governing bodies have adopted a warmer approach toward digital identity verification, understanding that it is the most cost-effective way of responding to the demands of an increasingly mobile-first consumer population that wants an easy to use and secure identity proofing experience. The new AML regulations support the use of such technologies, stating: “Accurate identification and verification of data of natural and legal persons is essential for fighting money laundering or terrorist financing. Latest technical developments in the digitalization of transactions and payments enable a secure remote or electronic identification.” This essentially paves the way for financial institutions to embrace digital identity verification over traditional processes driven by PII.
A New Way Forward
Given the increasingly rigid AML and KYC regulations and the fact that PII and KBA are no longer viable solutions in the wake of large-scale data breaches, banks need to immediately begin exploring new solutions for identity proofing. Using mobile technologies for digital ID document verification, biometric authentication, geolocation and carrier network data, banks can establish strong identity assurance while still providing consumers the seamless digital experience they have come to expect. With verified digital identities, banks have the assurance that their new customers are who they say they are. Moreover, they can mitigate the risk of fraud and enroll more new customers through the lower-cost, self-service digital channel, which helps drive top line growth.
It's time to rethink identity. By delivering a fast and easy, mobile-based, digital identity verification process, banks can meet the expectations of today’s consumers, restore trust in digital channels, and be well on their way to transforming themselves digitally for the future of banking.
About Sarah Clark
SVP, Global Product Management. Sarah combines a proven track record in driving highly complex B2C and B2B products to market success with a passion for business growth and product strategy. Sarah strives to strengthen Mitek’s position as the global leader in mobile identity verification.
Before joining Mitek, Sarah successfully managed the product strategy and business development for startups in the payments, e-commerce and technology markets, serving as Head of Product at Incomm’s Qpay and Director of Product at iWire. Sarah holds a BS in Mathematics from Duke University and further developed her managerial skills at Harvard Business School.