Although consumers and businesses are moving their financial activities online, digital onboarding is hampered by regulations, legacy systems and a disjointed approach for applying customer due diligence (CDD) and know your customer (KYC) controls in online or in-app environments. This article looks at how compliance teams can adapt to a digital environment and perform e-KYC—completely digital customer verification.
Rules, for example those originating from the Financial Action Task Force guidance on digital identity, say customers need to prove their identity online by using official documents and authoritative data records. In addition, CDD and KYC require that financial services providers understand the affairs of the applicant sufficiently to set expectations on how they will use a service, especially a financial one. At each stage of the onboarding process, the applicant wants to know that they are valued by the business and that their time and personal information are safe. On the other hand, existing customers are likely to be frustrated or irritated by requests for information they have previously provided.
However, in most cases, removing control programs to avoid friction can be detrimental; if a fraudster can take over an account and apply for a product without appropriate checks, the real customer may be harmed. On occasion, having some customer friction in the process can be beneficial. Customers can have peace of mind knowing that security measures are being implemented to protect their information.
Compliance Can Mitigate Costs
Involving the compliance team early in the project is not commonplace, but this approach means that confidence in the applicant can be maximized as soon as possible. In turn, this can reduce the number of failed or abandoned applications. Compliance can mitigate losses without any sales friction by being integrated into the process, where needed, and based on the information available at the time.
Organizations should change their mindset from compliance as a cost of doing business to compliance as a means of optimizing their proposition to the customer and avoiding fines, reputational damage and financial losses.
The Applicant’s Identity and Data Should Drive the Process
The applicant, their identity and their data are key to understanding the process. Therefore, businesses that architect their procedures around them will see better conversion rates and lower risk.
Applicants appear from many different routes: They may be new customers for an organization that have been actively marketed to or new customers who have found the organization unsolicited, they could be customers from another part of an organization or existing customers that are being upsold or cross-sold products. Depending on the source, the business may have no information, some information, an identifier in an existing customer database or a full set of data. Therefore, the onboarding process must be flexible enough to cope with these variations.
An applicant-focused onboarding process should be designed to request only the necessary information at the right time. In fact, the functions of “identity proofing” and “credit and affordability” within financial institutions (FIs) could overlap much more to reduce customer friction and improve efficiencies.
Unsurprisingly, customers would expect to reuse their existing authentication mechanism such as a password or SMS one-time passcode, but if that is not possible, it should be explained to them.
A consistent journey through the application procedure builds customer confidence and results in the capture of higher quality data. At the same time, as the applicant moves through the process, the business builds up confidence in their identity and information. In some cases, analysis of the flow may develop a better order to prompt the user for data or identify another source where data can simply be looked up.
The Key Steps to E-KYC
The onboarding process for a regulated entity that must perform CDD, KYC or fraud prevention for a new customer starts with basic data: contact information, including email address.
The next step is to gather any identity evidence necessary, such as a passport number or official name, and check the identity against public lists of politically exposed persons and sanctioned companies or individuals.
Matching the ID to the Applicant
Having proved the claimed identity exists, the next stage is to prove that it belongs to the applicant. For example, matching the face to the photo in a passport establishes the official identity of the application.
Criminals attempting to open accounts using a stolen identity try to undermine the integrity of digital onboarding with recordings or a photograph of the legitimate identity holder. The key to detecting these is to identify when a recording or photograph is in use, which is known as a “liveness” check. With the increasing sophistication of tools to create fake images and videos, liveness is fast becoming a critical factor to detect fraudulent account opening. Liveness detection in digital channels generally falls into the following three categories:
- Passive: An assessment of the applicants “selfie” image often using machine learning that looks for signs that the applicant is present rather than being represented by a photograph or video.
- Active: An assessment where the system requests the applicant to carry out certain activities, such as looking up and down or blinking, in order to prove that they are in fact present.
- Live video link to an operator: A system that requires an operator at the bank or FI to interact via a video link with the applicant―it is not an automated process, unlike the two methods above. This is a less scalable, more expensive option that adds friction to the customer’s experience but is a regulatory requirement in some countries.
Fraudsters operating at scale cannot have a completely unique dataset for each fraudulent application, as some data elements are reused across applications or reused with only minor variations. For example, the same mobile phone number might be used across multiple applications or names might be reused with slightly different spellings. Using data matching and analytics to spot similarities between applications will frequently uncover links to other known frauds, or at least prompt some relevant questions to the applicant.
Compromised Account Checks
Any system relying on people can never be totally secure. Customers store their login details unencrypted, reuse passwords, and lose mobile phones and security tokens. Therefore, it is vital that techniques are used to spot telltale signs of a compromised account, including geolocation, device identification and behavioral data.
Source of Wealth and Source of Funds
Part of preventing money laundering is understanding the applicant’s source of wealth. Answering such questions during the onboarding process, so this information is already available as needed (e.g., point of sale for credit or investment), can avoid abandonment at an early stage and help explain why these questions are being asked.
Re-Authentication in Future Transactions
The last step before opening the account is determining how a customer will be re-authenticated in future interactions. Existing customers may already have methods in place, but it is good practice to allow them to update authentication factors to increase security or to update a biometric that might change over time, such as a facial scan or voice recognition, although machine learning or artificial intelligence techniques can compensate to some degree. In some cases, it is only at the point of enrollment that customers confess having lost security tokens or changed mobile telephone numbers. Therefore, it is a good opportunity to verify or update the means customers will use to prove who they are.
The Applicant Should Be the Central Focus of Each Business Discipline
What is obvious throughout the onboarding process is how vital it is to get good, accurate data from applicants from which to make decisions. Data, which the business already holds, could be verified if it is changed, but applicants may ask why they are being prompted again for more static data. It is only as the applicant makes their way through the onboarding process that the questions and data required becomes apparent. It is important to build a flexible process that can adapt to each applicant’s circumstances.
Through this approach, the applicant becomes the focus for the internal disciplines of the business:
- Customer experience serves to ensure good customer outcomes in a streamlined manner.
- Compliance is implemented to ensure legal obligations and regulations are met efficiently.
- Information technology (IT) security focuses on sessions, applications, and endpoint security and resilience.
- Software engineering must ensure systems are robust, secure and maintainable.
- Fraud management focuses on balancing losses and liability against preventative measures.
- Business owners are focused on increasing cost-effective generation and protection of revenue.
Only by bringing these skills together, with an emphasis on improving the customer’s journey, can a business build smart onboarding processes and benefit from happy customers, reduced risk, compliant procedures and increased revenue.
Erik Stretz, principal consultant, FICO, Bensheim, Germany, firstname.lastname@example.org