content
Share the article
Subscribe for updates
Sardine needs the contact information you provide to us to contact you about our products and services.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.

Progressive Know Your Customer (KYC)

Krisan Nichani
General Manager, Compliance
#
 min read
April 12, 2024

Weak identity verification (IDV) is the main cause of inefficient Financial Crimes Programs, as 90% of all fraud comes from fully verified identities. The solution is Progressive KYC programs that strike a balance between increasing onboarding conversion and minimizing financial crime risks and false positives. KYC goes beyond IDV’s basic identity confirmation, helping businesses understand and continuously monitor a customer’s behavior and risk.

Poor identity verification causes financial institutions to generate Suspicious Activity Reports (SARs) that are false positives or wrongly target the victim instead of the perpetrator. This not only burdens the operational team with excessive report filing, but also introduces unnecessary friction for legitimate users.

Friction is the idea of a speed bump in the user experience to both establish trust and drive criminals away. To optimize conversion at onboarding, you want to introduce as little friction as possible to provide a better experience to your good users, and add more friction progressively when a higher risk pattern or anomaly is detected. 

Four phases of progressive KYC:

  1. Pre-screening: This is a low friction way to filter out malicious actors before they enter their data using passive checks for suspicious device attributes and behavioral patterns.
  2. Identity checks: Using machine learning to analyze identity information, you can use risk scores to detect the likelihood that a stolen or synthetic identity is being used.
  3. Step up verification: If a risk is flagged, you can use tools like DocKYC to verify documents, selfie liveness to verify a real person is present, deep fake detection to combat the use of GenAI to spoof an identity, or manual human review for added security.
  4. Perpetual KYC: This happens after onboarding and is key to stopping any malicious users that got in through the front door by monitoring for risk events like changes in geographical location, payment credentials, linked bank accounts, or transaction patterns.

FinCEN data on SARs makes ugly reading

FinCEN recently published identity-related trend analysis that reviewed filing submissions from January to December 2021. According to the analysis, approximately 1.6 million, or 42% of 3.8 million total BSA reports were identity-related. 

Here are some key findings:

Most attackers have impersonated others to defraud victims.

  • 69% of identity related BSA reports indicate that attackers impersonated others as part of efforts to defraud victims. 
  • 18% of identity-related BSA reports describe attackers using compromised credentials to gain unauthorized access to legitimate customers’ accounts. 
  • 13% of identity-related BSA reports report attackers exploiting insufficient verification processes to advance their schemes

Depository institutions have filed the greatest number of identity-related BSA reports.

  • 54% of identity-related BSA reports were filed by depository institutions
  • Money services businesses are the next largest category of filer, filing 21% of identity-related BSA reports 

Fraud was the most reported typology.

  • Of 14 commonly reported typologies, the most reported were general fraud

The impact of identity-related exploitations by BSA report volumes and cited U.S. dollar values are significant and vary by type. 

  • Attackers most frequently use impersonation tactics, followed by compromise during authentication, and finally, circumventing verification to evade detection.

Weak identity verification and KYC controls have created a system where:

  • Financial crimes professionals are reporting illicit activity on a victim, not on the actual perpetrator
  • A tremendous amount of time and resources are being allocated to reports that shouldn’t have been generated in the first place

The solution to the problem

Reciting static identity data is no longer sufficient as a standalone mechanism; the proliferation of data breaches, synthetic identities, and the introduction of AI requires a layered approach.

Phase one (least amount of friction):

  • Collect device signals (e.g. location, device type, emulators, SSID information)
  • Collect behavior signals (e.g. typing speed, phone orientation, long/short term memory)

Phase two (moderate friction):

  • Elements a user can prove possession of through OTP or link verification:some text
    • Phone: has it been ported recently? What is the tenure of line? Has the user allowed access to the contact list? If so, does it appear to be legitimate? 
    • Email: Does the name associated with the email string map to the user’s identity? Is the user using a disposable email? 
  • Identity checks - Name, Address, DOB, and SSN (e.g. verifying the accuracy of the provided data, comparing the location of where the user is vs what their identity records show, SSN issuance date related to their DOB, SSN issuance state to address history mismatch, PII linked to other fraudulent applications)
  • ID theft machine learning scores (e.g. velocities against a specific identity package, attribute linking)
  • Consortium data that shares information on the known good/bad
  • Synthetic ID machine learning scores (e.g. SSN issuance compared to DOB, phone characteristics including VoIP detection) some text
    • It is important to note that until June 2011, the first five digits of the SSN were based on the region of birth and a group number assigned to simplify sorting. The last four digits were unique to the individual and were assigned based on several parameters. Following 2011, the Social Security Administration moved to random generation of the SSN as the prior approach made it easy to guess an individual’s SSN if some basic data points were known. or identity verification causes financial institutions to generate Suspicious Activity Reports (SARs) that are false positives or wrongly target the victim instead of the perpetrator. This not only burdens the operational team with excessive report filing, but also introduces unnecessary friction for legitimate users.

Phase three (high friction and ideally should be risk-based):

  • eCBSV -The Social Security Administration created eCBSV, a fee-based Social Security number (SSN) verification service. eCBSV allows permitted entities to verify if an individual's SSN, name, and date of birth combination matches Social Security records.
  • Doc IDV + Selfie + Liveness detection - the objective here is to verify the authenticity of a government-issued document and to confirm that the person behind the device matches the photo on the identification document. While there are many solutions that solve this problem, Sardine leverages our advanced DI/BB signals to detect deep fakes.

Phase four (post account creation):

Identity verification should not end at the top of the funnel. 

  • Payment credentials:
    • Comparing the identity associated with a Bank Account linking event to the user’s verified identity information  
    • AVS information on a debit/credit card - does the address match the user’s physical location? Is it a prepaid or high-risk BIN? 
  • Transaction patterns:
    • Is the user’s transaction activity anomalous compared to the broader user population, their demographic, or previous patterns?
    • Is the user transacting from a High Intensity Money Laundering and Related Financial Crime Area (HIFCA)? 
  • Ongoing device checks not just at onboarding, but throughout the user journey; bad actors can make errors and change devices/locations which provides an opportunity to flag anomalies 

Summary

Having strong KYC processes is the most important thing a company can do to improve their compliance program. By blocking more bad actors at the gate, you’ll see less payment fraud and transaction monitoring alerts, which will result in fewer SAR filings and case management work for your compliance team. 

Additionally, data about the user and their journey on your platform will help you identify hand-offs of accounts, which is crucial in stopping money mules and fraudsters taking over dormant accounts to launder funds on your platform.

If you have any questions about building a progressive KYC program or need help with better tooling, contact one of our compliance experts. We’ve built and run programs at large fintechs and have helped several financial institutions strengthen their risk controls. We would be happy to answer any questions you have.

content
Heading 2
Share the article
Tagged topics
Compliance
Product
About the author
Krisan Nichani
Krisan Nichani is the General Manager of Compliance Product at Sardine, bringing 14 years of expertise in risk, compliance, and fraud prevention. He previously served as Head of Risk and Compliance at Step, Civic Technologies, and Gyft.
General Manager, Compliance

Krisan Nichani is the General Manager of Compliance Product at Sardine, bringing 14 years of expertise in risk, compliance, and fraud prevention. He previously served as Head of Risk and Compliance at Step, Civic Technologies, and Gyft.

Keep reading

Simon Taylor
Simon Taylor
April 30, 2024

Boost Checkout Conversion by Screening for Fraud Pre-Authorization

Merchants spend incredible energy engaging users to visit their store and get to the checkout, only to lose out due to high fraud risk in an era where first-party fraud rates are rising, and conversion rates continue to fall. There is a better way. Get ahead of fraud before it ever reaches your checkout page. Pre-authorization fraud screening. And it's a game-changer for boosting conversion rates.
Fraud
Product
Kazuki Nishiura
Kazuki Nishiura
April 11, 2024

Data-Engineering Led Fraud & Compliance Platform

Pull domain specific machine learned features into your models for fraud prevention and BSA/AML compliance. Save time and effort building features, but retain the flexibility as if you'd built the features in-house.
Fraud
Product
Zahid Shaikh
Zahid Shaikh
April 9, 2024

Transaction Monitoring: How AI improves performance and efficiency

Transaction monitoring suffers from high false positive ratios and excessive manual reviews. Using AI, you can improve the performance of your financial crimes program by making monitoring, case management, and activity reporting more efficiently. From generating SAR narratives, to creating new rules and policies without projects, GenAI can help compliance ops teams to do more.
Compliance
Product