Why strong Digital Identity Verification is Key to meeting AML requirements
As banks and payments companies endeavor to meet anti-money laundering (AML) regulations to avoid hefty fines for non-compliance, easily identifying customers in the digital channel becomes paramount to their success. Some “old school” methods that worked in the past aren’t working anymore. Sarah Clark, GM of identity at Mitek, joined Karen Webster to discuss what process and technology can do to help meet AML requirements to truly authenticate who people are.
Though money laundering is a dangerous and enormous aspect of fraud, it’s often overshadowed by high-profile data breaches and other cybercrime activities.
However, both regulators and authorities around the globe are cracking down on businesses who are failing to adequately prevent money laundering activities. Despite the fact that many institutions are investing heavily in their anti-money laundering activities, bad guys are still slipping through.
Clark explained that many businesses continue to fall short in this area because the status quo of AML solutions are no longer cutting it.
Why Good Processes Alone Can’t Make AML Stick
In the U.S. specifically, identity verification has long relied on credit-based data — the existence of credit history along with knowledge-based authentication (KBA) questions — in digital channels or by showing a physical, government-issued ID in person.
But Clark noted that there’s now a heightened level of scrutiny on the status quo method of relying solely on credit-related data that an individual inputs and their ability to answer knowledge-based questions.
Essentially, the identity verification process can be a major friction point.
Not only can verification questions be challenging for a real person to answer, they are unfortunately very easy for fraudsters — who can simply purchase or just research this type of personally identifiable information (PII) data online — to get the answer right.
As Clark noted, data is available everywhere, making it increasingly difficult for institutions to establish an account relationship with individuals to make sure that they aren’t diverting money to support malicious activities.
The identity verification required to achieve compliance with AML regulations is a tedious process, and the entire method itself is extremely vulnerable, due to the proliferation of compromised data available to cybercriminals online.
Which is why, Clark said, it’s time for a change.
Getting Implementation Right
Even when it comes to in-person interactions, Clark explained that sometimes there are egregious gaps with respect to the identity verification processes an institution has in place and what actually happens when an employee is attempting to authenticate an individual’s identity face-to-face.
Clark shared an example of an organization where the identity verification tools and process being asked of the employees were very cumbersome, so the employees just weren’t doing it for the money transfers taking place — the process was in place, but it wasn’t implemented well across the organization.
Which proves the point that the processes in place are really only as good as the employees on the front lines who are able to implement them.
Organizations must consider if there are easier methods by which to comply that provide better user experiences, not only for the end user in self-service scenarios but also for retailer branch scenarios as well.
“It’s an interesting place where our product is playing — the concept that someone in a retail location accepting money transfers or in a branch location can leverage an iPad to collect a physical ID and go through authentication without a paper process makes things much easier and, in turn, will increase compliance,” Clark said.
Using technology, specifically mobile tools, to verify identity is what Mitek utilizes to help businesses fill the gaps with customer self-service onboarding through a digital channel.
For an end user signing up for something from their mobile device or desktop, being able to seamlessly scan and authenticate their physical ID as part of the onboarding process can deliver an improved user experience, as well as confirmation that the organization is compliant in their due diligence to check for an authentic government-issued ID.
The Physical Side of ID Theft
Cybercriminals are predictable in the sense that they also move toward the weakest or most vulnerable links in a system.
According to Clark, the weakest links in identity verification for meeting AML requirements today are systems that rely exclusively on credit-based data and answers to KBA questions. Fraudsters can easily steal authentic data or create synthetic identities in order to work around the existing identity authentication methods.
As fraud moves away from point of sale, Clark said the landing spot of choice is application fraud — applying for an account using a fraudulent identity that’s either stolen or synthetic.
Though much of this takes place online, fraudsters have also become quite sophisticated at creating forged or fake physical methods of identification that, when done right, contain such small deviations from the authentic versions that even the human eye may not be able to tell.
Let’s just say, things have come a long way since creating fake IDs just to get into a nightclub.
Clark said that because of this physical aspect of ID fraud, one of the biggest risk factors has become the human factor.
But technology is helping to take the risk associated with the human element out of these financial interactions.
“I think what’s really exciting about that and how that converges with the technology under our solutions is that the technology can be better than humans,” Clark said.
“With all of the advances in deep learning, it’s not only better for processes to have technology do certain things, but the results should generally be more reliable as deep learning continues to mature,” she noted.
By using machine learning and deep learning, technology can help to avoid mistakes that humans would likely make, such as being able to tell a forged physical ID from an authentic one. A machine that’s well-trained can look at the question of whether an ID is authentic much more reliably than a human can, Clark added.
This is why having algorithms in place that can look for those subtle differences between fake and authentic physical IDs, as well as read the enhanced security features, can make identity verification more secure.
“Just adding ID scanning for an authentic ID will have a very positive impact on preventing a lot of this account opening fraud that’s actually been accelerating quite rapidly,” Clark said.
The Proof is in the Initial Identification
As identity verification continues to advance, it’s expected that mobile will play a greater role in the space.
Though the pilot programs are out there for digital driver’s licenses and even encrypted versions of government-issued IDs on mobile devices, it’s a vision that Clark said is not only complex but still many years down the road.
“As providers of the core technology that can authenticate ID documents, the next obvious step would be for us to not just offer that as an experience that can be plugged in by individual banks and payment companies, but to offer that as an end-to-end service ourselves,” she pointed out.
She also noted that the market is maturing with respect to moving away from KBA questions for authentication and moving toward scanning IDs and layering in other methods for identity verification in addition to the IDs, such as biometrics.
The European Union’s Fourth Anti-Money Laundering Directive now accepts that electronic means of ID verification are as valid and trustworthy as in-person methods, while also noting that electronic ID documents have advantages in terms of account opening, payment processing and the monitoring of high-value transactions.
The Financial Conduct Authority requires banks to maintain high standards for identity verification of new customers, and if they adopt digital identity services to undertake verification, these also must meet stringent governance standards.
But no matter how much authentication evolves, one core concept remains: Before a digital identity can be truly verified, an individual must be identity-proofed.
Even with the popularity of biometric authentication and the momentum in the space, there still has to be an identity-proofing step. For now, physical identity documents and proving an individual’s authenticity are still the best way to do that, Clark explained.
Biometric authentication — much like any other form of identity authentication — is only as good as the initial identity proofing and validated identity attached to that biometric, which is associated with a physical identity that proves someone is who they say they are.
Clark said that both now and going forward, improving authentication and AML activities will require looking at the vulnerabilities and creating recommendations to make the ecosystem more secure with respect to knowing who is getting access to financial instruments and what their intent is.