Do You Know Your Customers? Identity Verification in Financial Services

Do you know who your customers are? This sounds like a trick question, but it isn’t. Although organizations are required to have Know Your Customer (KYC) and Anti-Money Laundering (AML) checks baked into their interactions with customers, the degree of certainty around a customer’s identity isn’t always as high as it should be. Identity theft is a pervasive problem, and it leads to many challenges for banks, lenders, insurance carriers, and other financial service providers. As the trusted Identity and Access Management (IAM) solution provider for 9 of the top 9 largest U.S. banks and 7 of the CMA9 in the UK, let our experts walk through the importance of identity verification.

Fraud and Loss Prevention

Reported instances of fraudsters using stolen identity information to open new bank accounts under a victim's name grew by 32% in 2022 in the U.S. according to the FTC to over 110,000 cases – in each of these situations, the bank’s KYC/AML process failed. Meanwhile, in the UK, instances of credit card ID theft, where a criminal either opens a new card using a stolen identity or takes over a genuine account in good standing, were up 101% YoY midway through 2022 according to UK Finance, with a reported gross loss of £21.4m in the first half of 2022.

Building Brand Trust and Credibility

These financial crimes are costly to consumers and the financial service industry alike. For financial services providers, a failure to verify their customers’ identity in situations such as these carries a reputational cost, too – so it’s important to get it right.

Regulatory Compliance

KYC processes help financial providers meet legal obligations to prevent criminal activity like money laundering and the funding of terrorist organizations. Important KYC regulations from around the globe include:

• United States: In the US, The Financial Crimes Enforcement Network (FinCen) established the Customer Due Diligence (CDD) Rule “to improve financial transparency and prevent criminals and terrorists from misusing companies to disguise their illicit activities and launder their ill-gotten gains.”
• UK: KYC and AML regulations are enforced by the Financial Conduct Authority (FCA). An important KYC rule set forth by the FCA is the Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017. This regulation outlines comprehensive requirements for customer due diligence.
• Australia: AUSTRAC (Australian Transaction Reports and Analysis Centre) is Australia's financial intelligence agency and regulator. It plays a crucial role in preventing, detecting, and responding to criminal abuse of the economic system. According to the AUSTRAC website, “if you are a reporting entity, you must have an Anti-Money Laundering and Counter-Terrorism Financing (AML/CTF) program specifying how you comply with AML/CTF legislation.”

As KYC practices are adopted around the globe, financial providers can improve security and regulatory compliance by implementing the appropriate identity verification tools.

Secure Customer Experience

Since KYC is predicated on thorough identity verification practices, it naturally lends itself to more secure customer experiences. Yet, due to the granular, dynamic nature of KYC practices like continuous monitoring, it also lays the groundwork for improved UX along the way. As Forbes explains, KYC “eventually helps CX agents create personalized customer experiences by gathering comprehensive data and thereby being able to troubleshoot individual issues.”

The financial costs of fraud are easier to quantify than the reputational costs, and unfortunately, they are quite significant. Financial service providers spend over $4 resolving each $1 of fraud, with the actual amount varying slightly depending on the type of organization. Banks spend the most, with mortgage firms close behind, but regardless of the specific organization, the cost is significant enough that stopping fraud before loss occurs is imperative.

At Ping Identity, we’ve written previously about an integrated approach to fraud prevention, as well as ATO fraud in financial services and how to prevent losses due to scams and social engineering. Identity proofing can be a powerful tool in a financial service provider’s toolkit, helping defend against new account fraud, application fraud, card ID theft, and account takeover.

By implementing high-quality digital identity verification tools, an organization can protect itself and its customers while delivering a smooth customer experience that ensures users feel both happy and protected.

As KYC standards continue to evolve, identity solution providers continually develop new tools to verify user identities in this dynamic landscape. These solutions authenticate consumers’ identity by matching something they provide, like a facial biometric or ID document, against a verified data source, such as government records or biometrics stored on a registered device.

Important identity verification methods in use today include:

• One-time passcode (OTP): A time-sensitive code sent to a registered device used as an additional layer of authentication.
• ID Documents: Verification of a person's identity by checking government-issued documents like passports or driver's licenses.
• Biometrics: Authentication through unique physical characteristics, such as fingerprints or facial recognition to verify identity.
• Knowledge-Based Authentication (KBA): Identity verification by asking the user personal or financial questions that only they should be able to answer.
• Geolocation: The use of GPS data from a user's device to verify their physical location as part of the identity verification process.

Leveraging identity verification throughout the customer journey allows financial services organizations to manage financial risk, identity risk, and compliance risk. While implementing a KYC process as part of customer onboarding is the obvious first step and ensures regulatory compliance, identity proofing brings value at various customer relationship stages.

Account Opening

When a new customer initiates their very first interaction with a financial institution, checking their identity is typically a part of the customer onboarding process. Checking a new customer’s stated identity against an official document such as a state-issued ID or passport should include not only matching the name and face on the document but also verifying the validity of that document. This greatly decreases the likelihood of a fraudster opening an account with a stolen or synthetic identity, and gives the financial institution confidence in the new customer’s intentions.

Borrowing Money

When a customer wants to borrow a significant sum of money, checking their identity should be a prerequisite for the release of funds. In some cases, the financial institution may be seeing the customer for the first time – for example, if the customer is applying for a mortgage through a lender that isn’t their main financial institution. In other cases, the customer may be well-known to the lender, but the request for funds could still be fraudulent if the account has been taken over. Whether verifying the customer’s identity for the first time, as in the case of account opening, or re-verifying an existing customer’s identity again before allowing them to access significant funds, identity proofing at this point in the customer journey can greatly reduce misappropriation of funds.

Wire Transfers

There are a variety of reasons that a customer may suddenly choose to make a large transfer, but checking their identity before sending the money through is frequently a good idea. Many financial institutions already step up authentication and require MFA before allowing large transfers, but re-verifying the user’s identity at this point can be a better way to shut down fraudsters. While this doesn’t protect against every type of fraud (see our breakdown of scams and social engineering for additional tips), identity proofing is a very effective way to stop fraudulent transfers that have been initiated as part of an account takeover.

In-Person Check Cashing

Many use cases center around purely digital interactions, but digital identity proofing can be very effective in stopping certain types of fraud that occur in bank branches every day. Whether the individual who comes to cash a check is an existing customer or not, utilizing an identity proofing tool to verify the legitimacy of that person’s ID document can mitigate the majority of in-person check fraud. In fact, Ping's estimate based on existing customer solution performance is that identity verification can reduce this sort of fraud by over 90% if implemented correctly.

Service and Support

Customers may require support for a broad range of reasons, and identity verification can help ensure that the employee offering the support doesn’t accidentally aid a fraudster in committing a financial crime. For things such as password resets, call center services, account closures, and disputes, it is imperative to know that the identity of the person requesting support matches the identity of the customer who owns the account. This protects customers against account takeover and stops fraudsters before they can do lasting harm.

Promoting Customers’ Financial Well-Being

This broad category of activities includes things such as opening college savings accounts, opening, renewing, or updating wealth plans and investments, and interacting with affiliate programs. In certain situations which the financial services organization considers sufficiently high risk, verifying the customer’s identity before proceeding can help protect both the customer and the financial institution.

Decentralized identity revolutionizes how financial service providers approach identity verification by giving customers control over their personal information. Digital wallets are the key to decentralized identity as they allow users to store verifiable credentials in digital wallets. When it comes time to authenticate, users only share necessary information with a verifier, who then verifies credentials without relying on a central authority.

Common use cases for decentralized identities in the financial services industry include:

• Customer Onboarding
• Improved Data Privacy
• KYC and AML Compliance
• Personalized Services

Financial institutions are drawn to decentralized identity since it takes the burden of data oversight away from business and puts it into the hands of consumers. As the identity landscape evolves, the relevance of decentralized identity will likely grow among institutions and consumers alike.

Banks come under particular scrutiny when it comes to implementing KYC practices. Yet, changing technologies and regulations make the situation more complex than just verifying identities. Banks must also provide the smooth user experiences that today’s digital-first customers expect - while also complying with strict regulations like the CDD Rule and MLR 2017. Examples include:

• Online Banking: Online banking presents unique KYC challenges due to the lack of face-to-face interaction - thus making it harder to verify identities. Similarly, banks struggle to offer uniform login and authentication processes across different devices
• Mobile Banking: Customers using mobile devices in unsecured environments make mobile banking more vulnerable to bad actors. Similarly, SMS phishing attacks are a constant concern for mobile banking platforms.
• Instant Bank Verification: Instant bank verification is tough for KYC as it requires real-time data processing and identity verification, leaving little room for error in detecting fraudulent activities. This need for speed has the potential to compromise compliance in certain situations.

Lenders such as mortgage brokers and auto finance companies also face unique challenges with KYC. They must balance rigorous KYC checks with a smooth application process to maintain positive customer experiences, while also combatting emerging fraud threats and remaining compliant. Examples include:

• Risk Assessment: Maintaining KYC standards while assessing risk is demanding for lenders due to the sheer amount of data they must cover to make sound evaluations. This notion only grows more complex when lenders operate across several regions and regulatory environments.
• Loan Approval: Loan approval requires lenders to thoroughly verify a borrower's identity and financial background quickly and efficiently. Balancing thorough due diligence with the need for fast decisions adds complexity, particularly in preventing fraud and ensuring regulatory compliance.
• Monitoring Existing Loans: Monitoring existing loans requires lenders to continuously verify borrowers' identities and financial status to detect fraud or changes in risk long after a loan is issued. Managing such large volumes of data can be a logistical challenge for even the most seasoned lenders.

Given the amount of risk it can mitigate, identity-proofing is a must for financial service providers. However, not all solutions are created equal. A good identity verification solution should allow you to quickly, reliably, and confidently ascertain two things: that the real-world identity exists, and that the person undergoing the proofing is the actual owner of that identity. The verification process should not be cumbersome for the customer – ideally, it should be carried out in real-time and be just as easy as presenting an ID document to a teller in person.

Biometrics such as voice or facial recognition are a key part of identity proofing, but it is important to ensure that the tool in question has been tested for racial bias and can accurately match individuals of all skin tones, as some of the solutions on the market do this poorly. When it comes to identity documents, the solution should be able to verify the validity of the user’s government-issued ID, whether it is physical, like a passport, or digital, like a mobile driver’s license. Finally, a good identity verification tool should be able to match the face of the user to the face on the document – without bias – and perform a liveness check to decrease the likelihood of fraud. This liveness check prevents spoofing by confirming that the individual is alive and physically present at the time of the verification.

When financial service providers implement these capabilities, they must think about the appropriate moments in the customer lifecycle to incorporate the identity verification process. When interacting with financial services providers, most customers will typically expect to verify their identity at least once, but even if the process is easy, it should not happen too frequently. ID proofing is a valuable component of the larger fraud prevention and risk management process, and it works best when it is integrated with other tools for fraud detection, authentication, and authorization. This integrated approach allows financial service providers to challenge users when it’s needed without overwhelming them with unnecessary security steps. Getting the balance right may take some trial and error, but the results are worth it. Our experts can help here.

Want to learn more about this topic and Ping’s approach to identity verification? Check out our identity solutions for the Financial Services industry.