Event Recording

Risky business - Verifying identities in a digital world


Knowing who you are doing business with online has been and still is a major challenge. But why do you really need to know, and what are the pitfalls? The presentation will look at some of the important challenges of identifying, validating and authenticating people online.

So I will talk about KYC, onboarding, verifying identities, and this is a little bit of a follow-up on the discussion we had. So we'll start. Who are you? I mean, I mentioned, I look at this like an avatar, and how do you know who you are online? And this one is now getting very old, but still really relevant. I mean, on the internet, nobody knows you're a dog. It's still the same challenge as we've had for so many years. And do people understand what a challenge is? I mean, I had overheard this, somebody asked, "Why do I have to prove who I am? I'm not gonna steal anybody's money. I'm gonna transfer money outta my account." It's sort of implicit that people think they are being recognized. And even on this one, my wife was on a support call with Apple and she was asked, "Well, can't you just log in with your husband's account?" So not recognizing the importance of the identity of this. And I think this was amusing as well, where I was joining a Slack channel. And I said, hi, thanks for letting me in our workforce. Simat in Norway. And then somebody said, "Prove it." Right. It's just a statement. And it's all about, you know, how do you know who people are online is the core challenge here.
The next question is, why do I need to know who you are? A lot of cases where you don't, obviously, but there are cases where you do, and why do you need to know that? Well, it could be for regulatory reasons. If you are a bank, or insurance, real estate, et cetera, are coming also into the anti-money laundering, gambling. They are regulated. They have to know who people are to prevent money laundering. So that's an important part. So if you are under one of those regulations, well, it's a no-brainer. You have to know who your customers are, and I'm using customers. Often we talk about people, but you get our business customers as well, which makes the process even more complex. So another reason would be fraud prevention. I mean, impersonation scams have doubled during COVID. So you need to know who people are to prevent these frauds, and also a risk or accountability. I mean, if you're a car rental company and somebody wrecks the car, well, you want to hold somebody accountable for that. Or if you're letting out your house on Airbnb, and even people meeting on Tinder, where you want to be sort of not 100% recognizable, but still you want to have the other person held accountable if you are, you know, defrauded or something. So there are several reasons why you would need to verify somebody's identity.
So what is identity assurance? What we are talking about, how do you know who somebody is online? And if you look at a very high-level KYC process, and this is generic, and sometimes we are confusing AML and KYC. Well, because AML, the anti-money laundering directive, requires a KYC, but as you saw, there may be other reasons to do a KYC, a know your customer or know your business process. So typically that's four steps. The first one is the identity proofing. And I'll touch on that a little bit more. That's determining who is this individual or this business. Then you want to do some core due diligence. You want to do some background check, get some more information. Is this person a politically exposed person? If it's a business, who are the ultimate beneficiary owners, et cetera. So you're doing some background check.
The third step is doing a risk assignment, determining, okay, who is this? Are we willing to take on this customer? Is there some risk involved in this customer that we need to be aware of? Maybe we need to go back and do some more checking, et cetera, to make the decision. And then finally they have the ongoing monitoring, which for a bank typically would be transaction monitoring. So if I suddenly started transferring money to some third countries that are defined, that would be a trigger, or if I suddenly started to send a lot of money. So monitoring my behavior in a way would be one trigger. And then you would typically go back and do step one and two again. You would need to re-verify the identity. Maybe somebody had stolen it, or maybe I had, you know, suddenly become a politically exposed person, came under pressure or something. So that's why you need to go back and revisit identity proofing and the core due diligence from time to time. So this is the sort of basic process. And of course you do audit trail on this and reporting, et cetera, around this.
Identity proofing consists of two different things. One is finding evidence that the real-world identity really exists. Is this a real person? That's simpler in some countries; like the Nordics, we have a national identification number. It's a unique identifier that everybody has. So that will determine, by looking up in the central registry, if that is a real person. And second is confidence that this user is exactly present right now. So it's these two steps.
In Europe, we're using eID a lot. And especially in the Nordics, where we use them almost daily, they can be part of this. But again, the challenge, as I touched on in the panel, is that, well, how do you know it's really generic using the bank or generic and not somebody in my vicinity? So this can be part of it, because at least they prove that there's a real identity here, but typically you would do something like this. And I think Mike mentioned this, you would show your face with some liveness detection and you would show some identity document, scanning NFC, or doing some optical reading, also with liveness test. So in this case, you determine, well, this is a real identity document. It's not a copy, not a photo ring. And a photo, compare that with a photo with liveness test, could be then either, you know, having to smile or say something or whatever to know it's a real human. And this gives a very strong proof that that individual is actually present at that time. And it's a real person.
Then you have the due diligence, looking up the information, which is another challenge. I mean, you have a lot of different repositories containing information about people, about businesses. One challenge is that most of these are made for human consumption. Still they're made in the days where you asked for a printout, you got a print of this and you can look at it. And a lot of information, for example, signing rights, is still written in free text. So it's difficult to understand who really has signing rights. I mean, I've seen some of those and, you know, it's hard to understand who really has signing rights. Then you have the, you know, challenges that we have been working with attributes for a long time. I mean the last name, the first name, what are the attributes called? What's the syntax, for example, dates, we know the European, American, but there's still, you know, even in Europe, different ways of writing dates. How is the quality, and which attributes are available? And on top of that, all of these systems use different kinds of protocols. So we do have a challenge in looking up this information, but it's getting better. And that's something we are working on, simplifying this model to make it easier to look up in all these different repositories.
So onboarding or KYC is all about balancing. I mean, it's a cost. Mike mentioned $450 to determine an identity. It's the compliance, what you need to follow. And it's abandonment rates, because we have seen that. One of the challenges is that a lot of people abandon when this becomes too complex.
We did a report that we've done for several years. So the 2020 report shows that we had 63% abandonment rates for onboarding for financial services. So six outta 10 people you managed to attract to your website, they decided that they're not gonna be a customer anyway. So this is a huge number. And why did they abandon? Well, a number of reasons. And I mean, if you have to provide physical info, or if it takes very long, you provide too much personal information. All these things together make people leave. So if your process is too complex, people are not gonna sign up. And if we convert this 63% to money, this is a lot of money that this results in, in loss of these lost new customers. Then we run into other challenges with onboarding as well. Our definitions, for example. I mentioned UBOs; when you onboard a business, you need to know who are the people behind the organization, who are the ultimate beneficiary owners. The challenge is that this is defined in different ways in different countries. So in the same example on the left, this person has ownership in a company which has ownership in another company. According to Norwegian law, person A is a UBO of company Y, but not in Germany. And similar with PEP. If a person is a PEP, somebody living in the household is a PEP in Norwegian law and not in German law. So this is another challenge with this digital onboarding that needs to be resolved.
And then who's doing the transaction? And again, this is touching on the discussion. From a legal point of view, the owner of the avatar, the owner of the bank, is doing the transaction. Although, as I mentioned, in Norway the law has changed, putting more liability on the banks on this, because it could be somebody else. And that's what was recognized by changing that law, somebody else using your avatar. And as mentioned, this is one of the big challenges. How can we make that binding stronger? And biometrics? Well, interesting. I just love this tweet. Some of you have seen it before: wake up to find my phone and you can't find it. And then you find your three-year-old in the living room watching Disney Plus, and you ask him, you know, "How did you unlock your phone?" "Well, I just used your finger, dad.
I used your right thumb." So even a three-year-old can hack biometrics. It doesn't really give definite proof by itself. So that's another challenge. So there are challenges involved in this digital onboarding. Not saying we shouldn't, you know, go ahead. We need to do this, but we need to be aware of the challenges and seek out experts on how to do it. And I think I'm just gonna leave you with this, again, high-level process, starting with the identity proofing, where you determine, does this individual really exist and is that individual present? So you need to do that process, taking a photo of the identity paper, et cetera. Then the core due diligence, where you do lookups, determine, is it a PEP? What about UBO, et cetera, looking into all these registers. Third step is the risk assessment.
Now, based on the information you have, is this sufficient to onboard this individual or business, or is the risk too high? And then of course you need to do the ongoing monitoring of transactions or whatever you're doing. As I mentioned, more and more organizations are coming into, or under, the AML directive. I mentioned real estate, gambling, insurance; art was mentioned as well as one of those. So monitoring the transactions, reporting, and then with any suspicious activity, well, you may need to go back and revisit identity proofing and revisit the core due diligence. So that was my take on an introduction to the KYC process. So I hope that was valuable. So I'm not sure if we do have any questions then.
