Progressive Know Your Customer (KYC)
Weak identity verification (IDV) is the main cause of inefficient Financial Crimes Programs, as 90% of all fraud comes from fully verified identities. The solution is Progressive KYC programs that strike a balance between increasing onboarding conversion and minimizing financial crime risks and false positives. KYC goes beyond IDV’s basic identity confirmation, helping businesses understand and continuously monitor a customer’s behavior and risk.
Poor identity verification causes financial institutions to generate Suspicious Activity Reports (SARs) that are false positives or wrongly target the victim instead of the perpetrator. This not only burdens the operational team with excessive report filing, but also introduces unnecessary friction for legitimate users.
Friction is the idea of a speed bump in the user experience to both establish trust and drive criminals away. To optimize conversion at onboarding, you want to introduce as little friction as possible to provide a better experience to your good users, and add more friction progressively when a higher risk pattern or anomaly is detected.
Four phases of progressive KYC:
- Pre-screening: This is a low friction way to filter out malicious actors before they enter their data using passive checks for suspicious device attributes and behavioral patterns.
- Identity checks: Using machine learning to analyze identity information, you can use risk scores to detect the likelihood that a stolen or synthetic identity is being used.
- Step up verification: If a risk is flagged, you can use tools like DocKYC to verify documents, selfie liveness to verify a real person is present, deep fake detection to combat the use of GenAI to spoof an identity, or manual human review for added security.
- Perpetual KYC: This happens after onboarding and is key to stopping any malicious users that got in through the front door by monitoring for risk events like changes in geographical location, payment credentials, linked bank accounts, or transaction patterns.
FinCEN data on SARs makes ugly reading
FinCEN recently published identity-related trend analysis that reviewed filing submissions from January to December 2021. According to the analysis, approximately 1.6 million, or 42% of 3.8 million total BSA reports were identity-related.
Here are some key findings:
Most attackers have impersonated others to defraud victims.
- 69% of identity-related BSA reports indicate that attackers impersonated others as part of efforts to defraud victims.
- 18% of identity-related BSA reports describe attackers using compromised credentials to gain unauthorized access to legitimate customers’ accounts.
- 13% of identity-related BSA reports describe attackers exploiting insufficient verification processes to advance their schemes.
Depository institutions have filed the greatest number of identity-related BSA reports.
- 54% of identity-related BSA reports were filed by depository institutions
- Money services businesses are the next largest category of filer, filing 21% of identity-related BSA reports
Fraud was the most reported typology.
- Of 14 commonly reported typologies, the most reported were general fraud
The impact of identity-related exploitations by BSA report volumes and cited U.S. dollar values are significant and vary by type.
- Attackers most frequently use impersonation tactics, followed by compromise during authentication, and finally, circumventing verification to evade detection.
Weak identity verification and KYC controls have created a system where:
- Financial crimes professionals are reporting illicit activity on a victim, not on the actual perpetrator
- A tremendous amount of time and resources are being allocated to reports that shouldn’t have been generated in the first place
The solution to the problem
Reciting static identity data is no longer sufficient as a standalone mechanism; the proliferation of data breaches, synthetic identities, and the introduction of AI requires a layered approach.
Phase one (least amount of friction):
- Collect device signals (e.g. location, device type, emulators, SSID information)
- Collect behavior signals (e.g. typing speed, phone orientation, long/short term memory)
Phase two (moderate friction):
- Elements a user can prove possession of through OTP or link verification:
- Phone: has it been ported recently? What is the tenure of line? Has the user allowed access to the contact list? If so, does it appear to be legitimate?
- Email: Does the name associated with the email string map to the user’s identity? Is the user using a disposable email?
- Identity checks - Name, Address, DOB, and SSN (e.g. verifying the accuracy of the provided data, comparing the location of where the user is vs what their identity records show, SSN issuance date related to their DOB, SSN issuance state to address history mismatch, PII linked to other fraudulent applications)
- ID theft machine learning scores (e.g. velocities against a specific identity package, attribute linking)
- Consortium data that shares information on the known good/bad
- Synthetic ID machine learning scores (e.g. SSN issuance compared to DOB, phone characteristics including VoIP detection)
- It is important to note that until June 2011, the first five digits of the SSN were based on the region of birth and a group number assigned to simplify sorting. The last four digits were unique to the individual and were assigned based on several parameters. Following 2011, the Social Security Administration moved to random generation of the SSN as the prior approach made it easy to guess an individual’s SSN if some basic data points were known.
Phase three (high friction and ideally should be risk-based):
- eCBSV - The Social Security Administration created eCBSV, a fee-based Social Security number (SSN) verification service. eCBSV allows permitted entities to verify if an individual's SSN, name, and date of birth combination matches Social Security records.
- Doc IDV + Selfie + Liveness detection - the objective here is to verify the authenticity of a government-issued document and to confirm that the person behind the device matches the photo on the identification document. While there are many solutions that solve this problem, Sardine leverages our advanced DI/BB signals to detect deep fakes.
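The escalation across phases one to three can be sketched as a small decision function. This is an added example, not Sardine's code: the signal names, weights and thresholds are constructed assumptions chosen only to show friction rising with risk.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed weights and thresholds (assumptions for illustration only).
PASSIVE = {"emulator": 50, "geo_mismatch": 20, "scripted_typing": 30}
IDENTITY = {"phone_recently_ported": 20, "voip_phone": 15, "disposable_email": 25,
            "email_name_mismatch": 10, "pii_linked_to_fraud": 40}
STEP_UP_AT, REVIEW_AT = 30, 80

@dataclass
class Applicant:
    signals: set = field(default_factory=set)  # flags raised by earlier checks
    birth_year: int = 0
    ssn_issue_year: Optional[int] = None       # None when issuance cannot be estimated

def score(signals, weights):
    """Sum the weights of raised signals; return (points, sorted reasons)."""
    hits = sorted(s for s in signals if s in weights)
    return sum(weights[s] for s in hits), hits

def decide(a: Applicant):
    """Return (phase_reached, action, reasons), adding friction only as risk rises."""
    # Phase one: passive device/behavior checks, before any data is entered.
    total, reasons = score(a.signals, PASSIVE)
    if total >= REVIEW_AT:
        return 1, "deny_pre_screen", reasons
    # Phase two: possession and identity checks.
    pts, hits = score(a.signals, IDENTITY)
    total += pts
    reasons += hits
    # An SSN issued before the claimed birth year cannot belong to this person.
    if a.ssn_issue_year is not None and a.ssn_issue_year < a.birth_year:
        total += 60
        reasons.append("ssn_issued_before_dob")
    if total < STEP_UP_AT:
        return 2, "approve", reasons
    # Phase three: risk-based step-up; the highest scores go to manual review.
    action = "manual_review" if total >= REVIEW_AT else "doc_selfie_liveness"
    return 3, action, reasons
```

Returning the reasons alongside the action keeps each step-up explainable to the analyst who later reviews the case.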
Phase four (post account creation):
Identity verification should not end at the top of the funnel.
- Payment credentials:
- Comparing the identity associated with a Bank Account linking event to the user’s verified identity information
- AVS information on a debit/credit card - does the address match the user’s physical location? Is it a prepaid or high-risk BIN?
- Transaction patterns:
- Is the user’s transaction activity anomalous compared to the broader user population, their demographic, or previous patterns?
- Is the user transacting from a High Intensity Money Laundering and Related Financial Crime Area (HIFCA)?
- Ongoing device checks not just at onboarding, but throughout the user journey; bad actors can make errors and change devices/locations which provides an opportunity to flag anomalies
Summary
Having strong KYC processes is the most important thing a company can do to improve its compliance program. By blocking more bad actors at the gate, you’ll see less payment fraud and fewer transaction monitoring alerts, which will result in fewer SAR filings and less case management work for your compliance team.
Additionally, data about the user and their journey on your platform will help you identify hand-offs of accounts, which is crucial in stopping money mules and fraudsters taking over dormant accounts to launder funds on your platform.
If you have any questions about building a progressive KYC program or need help with better tooling, contact one of our compliance experts. We’ve built and run programs at large fintechs and have helped several financial institutions strengthen their risk controls. We would be happy to answer any questions you have.