January 7, 2022
The process of vetting customers to weed out criminals is a vital component of any financial services risk and compliance program. Here, we'll take a deep dive into what Identity Verification is, how it works, and what organizations need to do to perform it effectively.
According to the United Nations, $2 trillion is laundered globally every year. Of that, less than 10% is detected, and less than 1% of laundered funds are ever recovered.
To deal with money laundering and fraud, regulations require companies to dig deep into their customers’ history and conduct identity verification to make sure they are who they say they are.
Understanding the rules and regulations can prevent criminals from using businesses to launder money or conduct fraud. This can also save companies money in non-compliance penalties.
There’s a lot of information available out there on customer identity verification. But, unfortunately, this can be overwhelming and time-consuming to review.
To make risk management and compliance simpler for you, we have created this “ultimate guide” to everything you need to know about identity verification.
Let's dive in.
Money laundering occurs when criminals convert “dirty money” – or money from criminal activities – into clean money by integrating it into the economy. Criminals can do this by using real businesses and fake invoices. They can also use cash to purchase real estate or other high-value products.
Money laundering and criminal activities can also increase identity fraud and data breaches.
One of the critical strategies to combat fraud and money laundering is to verify all customers who are using a financial platform. Identity verification helps to ensure that a person is who they claim to be. This is especially important for financial institutions where individuals open bank accounts, apply for loans, or use other financial services.
Identity verification is a requirement for all financial institutions and investment-broker dealers under the “Know Your Customer” (KYC) regulations for anti-money laundering.
Identity verification is not just limited to financial institutions. In this global economy, all businesses need to conduct their due diligence on customers to protect themselves from fraud and data breaches.
Some companies require a short video to verify identity.
For instance, Airbnb requires travelers and hosts to identify themselves. According to their website, “Hosts may ask their guests to provide a government ID to book their place or experience. And sometimes we’ll ask for an ID to help us check that someone is who they say they are.”
This protects the company, but it also encourages trust between the customer and the business. This is why many companies turn to Identity verification software like Unit21.
These tools make it easier for businesses to verify good customers and identify “bad” customers.
With thousands of customers, it’s challenging to conduct manual identity verification. Digital identity verification, a process typically used by B2C businesses, brings customer identification into this remote world.
Businesses can use digital identity verification to identify their customers and identify fraud quickly.
Many tools allow for digital identity verification, including biometric or face recognition and digital identification documents. With global customers, in-person customer identity verification is almost impossible. Digital identity verification allows you to protect your business and comply with regulations.
KYC or “Know Your Customer” is a set of standards used by the investment and financial services industry to verify customers as part of a broader anti-money laundering policy. These minimum standards were established by the Financial Crimes Enforcement Network (FinCEN) in 2002.
FinCEN was created to implement and enforce guidelines to protect the financial system from illicit use, money laundering, and terrorist financing. The regulations implemented by FinCEN require any company with exposure to customer risk to develop a KYC strategy.
KYB or “Know Your Business” is an extension of KYC. The idea with KYB involves the verification of a business. You want to make sure you verify the business registration details, location, and ultimate beneficial owners.
It’s easier to launder money through corporations because the corporation can mask the identities of the criminals involved. For example, money launderers can use nominee directors to hide the valid owner of the company. Knowing the beneficial owners of the corporation can help combat money laundering.
KYB can help identify fake businesses or shell companies. Money launderers can use these companies to integrate dirty money into the economy. To address this issue, KYB protects organizations from unknowingly being used for terrorist activities or money laundering and helps them mitigate fraud in their accounts.
Identity verification is vital for various reasons. For example, it’s a key strategy in fighting financial crime and limiting fraud. It also has a broader economic impact as it increases trust in companies and brings stability to a country because financial crime doesn’t stop at the borders.
Many companies transfer funds across borders to create further distance and anonymity. Hence, the process of identity verification is paramount in exposing these bad actors and the corporations they may be hiding behind.
The most crucial benefit of identity verification is that it can help fight against financial crime.
Conducting ongoing identity verification and submitting suspicious activity reports to the government can help provide the data needed to continuously fight financial crimes like money laundering, tax evasion, and terrorist financing.
Identity verification can limit synthetic identity fraud and unemployment fraud, which are growing concerns in today’s economic climate. Credit card fraud can cost businesses millions of dollars. This is even more prevalent with the rapid adoption of online shopping during the pandemic.
Where a customer disputes an amount, banks charge a “chargeback fee.” This fee can range from $20 to $100 but can cost companies 2 to 3 times the transaction amount.
The use of identity verification makes it much more challenging for a fraudster to commit these types of fraud.
Identity verification can create and encourage trust between the customer and businesses.
A trustworthy economy encourages stability and investment into the country because businesses are comfortable with the anti-money laundering policies at their financial institutions.
Lenders that perform identity verification can also lend more money without increased risk. If they can identify previous financial history and assets owned through the identity verification process, they can provide more loans encouraging economic growth.
Another benefit of identity verification is that businesses can avoid fines for non-compliance.
In 2019, global penalties for non-compliance with identity verification were $10 billion. Twelve of the top 50 banks were fined for non-compliance with KYC. Not only does the company have to pay monetary fines, but it must deal with the reputational damage that can arise from media coverage of non-compliance.
Investors and customers want to believe in the company they are investing in or buying from. Therefore, non-compliance with KYC rules can result in distrust and negative brand associations, which are bad for business.
As more businesses engage with customers online rather than in person, the need for KYC programs has increased. Any company that deals with money movement should consider implementing a KYC program to protect client information and the business from identity fraud.
Businesses that use credit cards should also implement a KYC program to protect their company from the cost of chargebacks, including the retail and manufacturing sectors.
Businesses in the financial service sector understand the benefits of a KYC program, but those are not the only ones who need to implement a KYC program. The healthcare sector deals with confidential data as well. Therefore, additional identity verification requirements can protect businesses in the healthcare industry and their customers.
The reality is that any business that operates online should implement a KYC program to protect their customers, build trust and protect their business from identity fraud.
There are three requirements for KYC under the US Patriot Act. First, each element of KYC helps to know more about the customer, which can help combat money laundering. According to Transparency International, more transparency and data can help fight financial crime.
The Customer Identification Program (or CIP) requires that financial institutions, such as banks take the necessary steps to verify that all customers who enter into a formal agreement with them are who they say they are. The requirement went into effect on June 9, 2003, a mandatory component of the Bank Secrecy Act (BSA). It is often referred to as the “Know Your Customer” program.
Each company conducts its CIP; you can get different requirements from different companies.
Generally, you want to ask an individual for a driver’s license or passport. In addition, you may want to get articles of incorporation, partnership agreements, or trust deeds for other entities. Financial statements may also help support the verification process.
With Customer Due Diligence, you must assess the customer's level of risk. With CDD, you can effectively manage your risk and protect yourself against criminals and terrorists.
You can conduct essential due diligence for all customers to verify their identity and assess their risks. Remember that crucial due diligence includes knowing the beneficial owners of the company. In addition, you want to make sure you understand the business to see any anomalies in the future.
For low-risk customers based on past behaviors and patterns, you can conduct simplified due diligence, the lowest level of due diligence that can be performed on a customer profile. This is less intensive and will take less time.
You should consider implementing additional procedures for enhanced due diligence for high-risk customers. Enhanced due diligence (sometimes shortened to “EDD”) is a “Know Your Customer” process that does a deeper analysis of the customer’s activities and risks to identify risks that can’t typically be detected by basic customer due diligence.
You want to use this process to detect suspicious behavior. Then, you can assign a risk rating to the customer that can determine what level of due diligence they require.
The KYC process is not just a point-in-time test. You need to monitor the customer continuously and conduct ongoing due diligence for the program to be effective. Continuous monitoring means ongoing reviews of customer transactions to ensure no suspicious activity. This act allows you to stay ahead of criminals and satisfy regulatory requirements.
Digital verification can include a wide range of methods that each work differently. As technology changes, so do the methods available for identity verification. These methods compare the data from the individual or company against a verified data set to determine if someone is who they claim to be.
The following are the main methods of digital identity verification being used by companies today.
An ID Document Verification is a simple system that checks the ID documents to ensure they are legitimate. This can include a driver’s license, passport, or other government identification.
Essentially, the verification documents are captured, extracted, and analyzed. This can help determine whether the document is real or fake. If the verification data is already available, authentication can take seconds.
With smartphones, this is even simpler. All the customer needs to do is take a picture of their identification document. Then, the software will scan and analyze the image to determine whether the ID document is authentic.
Depending on the document, the software will look for visible security features like watermarks, holograms, and their positioning. Fonts, spacing, and templates can be analyzed and used to authenticate the document digitally.
This system allows for real-time authentication, resulting in faster transactions without waiting around for identity verification. It can also lead to increased customer satisfaction.
Some commonly accepted KYC documents for identity verification include a passport, driver’s license, and SSN card.
US passports have special security features like a laser engraved black-and-white photo, a new perforated alphanumeric passport book number throughout, and a multi-layered plastic data page. These features make counterfeiting or altering more difficult.
For proof of address, use utility bills less than three months old or bank account statements less than three months old.
For corporations, KYC documents include certified articles of incorporation or financial statements. For other entities, partnership agreements or trust deeds can be used for verification purposes.
Another method of identity verification typically deployed by organizations in the business-to-consumer space is biometric verification. This type of verification uses a photograph of a person holding an ID document to confirm that the person matches the photograph in the ID.
Everyone has unique features, including fingerprints, facial patterns, and voices. Biometric verification uses these features to identify individuals. In addition, they provide stricter standards for verification that are harder to fool, unlike usernames, passwords, and emails.
As biometrics are unique to each person, they can be harder to replicate or forge. Nevertheless, 87% of companies would consider using biometric authentication in the future. For example, American Airlines tests a biometric boarding for customers that uses facial recognition to scan and verify a customer’s identity.
Companies like Binance that are dealing with the transfer of large amounts of cryptocurrency use a video, instead of a selfie, of the individual holding their identity documentation. They also use voice verification to confirm no identity fraud when transferring funds out of the account.
In a “selfie check,” the software compares the face in the ID document with the selfie and returns a similarity score. Next, the selfie is analyzed for tampering or abnormalities that confirm that it's not fraudulent.
It’s important to note that biometric verification requires ideal lighting and perfect settings to run accurately. Poor document photo quality, aging of the person, and poor lighting conditions can make a massive difference in the accuracy of biometric verification.
Beards, glasses, and makeup are a regular part of your customers’ lives. They can, however, impact biometric verification. For example, the more extreme makeup and styles can confuse biometric verification software.
Applying makeup randomly is not enough. Key facial points need to be hidden or changed to fool the system.
While biometric verification compares a selfie to a government identification, liveness detection takes it a step further. It uses videos and movements to determine whether the selfie is genuine or the person is real. They can even check if a fingerprint is real by checking blood flow detection and active sweat pore detection.
This method can protect against spoofing attacks where a criminal can use face masks or other means to impersonate someone else. In addition, criminals can use someone else’s static photo for comparison against the trusted source. Therefore, short videos can help verify the customer’s identity more securely.
The company or app will require the customer to take a short video on their phone. Then, the customer will have to record particular movements or say something random. For example, the customer will be asked to turn his head left or right, blink their eyes, or speak a randomly generated number.
New technology must be shifting to accommodate identity fraud. For example, criminals use fake selfies, pre-recorded videos, and 2D or 3D masks to fake authentication and fool the software.
The liveness detection software can use voice, movement, and texture analysis to determine if the person is real or a pre-recorded video. Certain software can even use pupil tracking and iris recognition to combat fraud.
Liveness detection is becoming more common because of increased public acceptance, more accuracy in its use, and widespread use of smartphones with cameras that can facilitate the use of this software.
KBA is a verification method that uses knowledge-based questions to verify the identity of the customer. The questions rely on information already in the customer’s file. You can have a static KBA based on a pre-agreed list of questions or a dynamic KBA that is generated from the information in the customer’s file.
A static KBA can be less secure because the secret questions can be answered by knowing enough about an individual’s personal life. Static KBA includes familiar questions like mother’s maiden name, first car, or pet’s name.
In 2008, during the 2008 presidential election campaign, someone was able to hack into Sarah Palin’s Yahoo email account by looking up her biographical details such as her high school and birthdate. With more information online, a static KBA can be easily hacked.
The problem with static KBA is that it’s easy to discover personal information online. Criminals can also purchase KBA answers on the black market. This method can be seen as intrusive for many customers.
Dynamic KBA is a higher level of authentication that uses different questions for different customers. None of the questions are public, so they can’t be hacked into the same way as a static KBA. The questions are based on credit reports and transaction history.
For example, banks use dynamic KBA to conduct identity verification. Some questions they made use of in a dynamic KBA include:
Dynamic KBA usually requires some type of relationship between the customer and the business to be successful. It’s known as “out of wallet” questions because the customer needs to answer based on the transactions and accounts in their online “wallet.”
Generally, the customer will be limited in the amount of time and number of attempts they must answer before being blocked.
Another method of identity verification is to use databases of information pulled from social media and other sources. The database method can also rely on information from credit bureaus that have customer information on file, including name, date of birth, and Social Security numbers.
This method uses the same principles as KBA but relies on a more extensive database of information to verify identity. It allows for verification when there isn’t a robust business-customer relationship over a long period. Rather than a risk score, this method can provide a definitive match faster.
As with similar methods, the problem with this method is that it’s difficult to know whether the individual providing the answers is the right person because of the increase of identity fraud and false online identities.
Most are probably familiar with the one-time passcode (OTP) verification as it’s a standard method of proof used for access to online banking. This method was first used by credit cards, debit cards, online bill payment, and email account access. Even companies like PayPal, Questrade, and Venmo started to use OTP verification.
OTP verification transmits a single-use passcode via text or email to the customer during the verification process. The customer inputs the code into the app to verify that they are the right person. The passcode is only valid for a certain period, after which it expires.
Some companies use a hard token to provide the code or external authenticator apps like the Microsoft Authenticator.
The OTP verification method is more reliable than simple password access. But more recently, the OTP verification method is not seen as secure because it is easy for criminals to intercept text messages.
Most companies will not use a foreign phone number for OTP verification. Many people are remote working in different countries or traveling for work in a global market. Using a phone number makes it difficult for customers to access their account if they change their SIM cards when traveling.
Companies like Mastercard and Visa have moved to a one-time link, which is more secure.
A trusted identity network uses the customer’s existing credentials with other providers to verify identity. This allows for smoother access when opening new accounts. For example, you will see this method when you have a Google or Facebook account. It will enable you to open new accounts with various other providers using your Google or Facebook account.
The idea here is that Google or Facebook has already verified your account. They use two-factor verification to protect the customer. Leveraging that trusted identity network, other companies can allow customers to open accounts using their email and password from Google or Facebook.
Customers will not have to remember multiple usernames and passwords. Using simple passwords increases security risks, and this method avoids that risk. It’s easier to access many different systems using your email address.
The problem is that it places a lot of burden on the security of these trusted identity networks like Google and Facebook. So if there’s a breach in one of those accounts, it will have a ripple effect on all other businesses that rely on those trusted networks.
Every company has a different process for verifying customer identity, but there are some key steps you need to be aware of that can support your KYC obligations.
Before you take action, conduct a thorough review of your needs. You need to understand who your customers are, what risk levels you are comfortable with, and what level of security you would like.
To put the best system in place, you need to have a solid understanding of your customer demographic. For example, do you have a lot of senior citizens as customers who will have trouble with new software? Do you have a lot of foreign customers?
These questions need to be addressed to determine your security and verification needs. You will also need to understand the various types of fraud you could run across in your business. If you deal with credit card payment for a product or service, you will need to consider credit card fraud and identity theft, for instance.
Once you define your identity verification system, you need to find the method that works for you. Then, with the right technology at your fingertips, you can implement a verification method that will fit your organization’s needs.
Whether you’re looking for biometrics verification for added security or a two-factor verification system, working through the pros and cons, you will be able to choose the best option for your ID verification needs.
You also want to make sure your customers are aware of the change. Consider implementing video tutorials and detailed guides to help them transition to the new verification process.
If the customer has any issues, make sure that you have top-quality customer service available for their immediate access.
It’s not enough for a company to identify the customer’s identity. The verifying party must dig deep into the person’s past and look for signs of terrorist financing and other suspicious activity throughout their life. This is not a one-time task but an ongoing process.
Understanding what the customer does on a deeper level can help organizations determine unusual or suspicious activities. This can be accomplished by setting up workflows to screen customers for different purposes.
Watchlist screening, fraud screening, and business verification screening are just a few of the identity verification checks that companies must consider incorporating into their overarching program.
There's a lot of data that may not be easily accessible to verify the identity of a person or entity. A crucial initial step is to choose the best identity verification software to fit your needs. However, there’s a lot of information available that you need to be aware of.
At this time, a critical initial step is to find the correct identity verification solution that fits your needs. You’ll need access to an identity verifier to get started performing identity verification.
A public or private database of records can provide you with several identifiable data points about people that can be cross-referenced with the information you have on hand about your customers.
Unit21 offers this information through partnerships with several leading identity verification providers. As a result, our customers can quickly and efficiently identify their customers and manage the process from within an interactive dashboard to provide transparency across the organization.
Unit21 bolsters the partner solutions by providing additional analytics and reporting, allowing organizations to automate portions of their identity verification process. Here are some notable features of a highly effective identity verification solution (all of which are part of the Unit21 Identity Verification product):
After you have a solution in place to alert your team of potentially risky customers, you’ll want to make sure that you have a system for assessing the risk of your customers. By labeling them as high or low risk, you can determine how much due diligence you need to do regularly.
Once a customer has been identified, a company is responsible for maintaining a verification record.
Make sure that you have updated and accessible records on an ongoing basis. If you run into any compliance issues, you’ll want evidence to support your verification process to avoid any penalties or fines.
Once you have a customer identity verification process in place, you can leverage that information to support your customers and build long-term relationships.
Showing your customers that you care about their privacy and security will build trust and improve your brand reputation. Implementing an identity verification program is the first step towards building trust among your customers.
When conducting your due diligence, you want to keep these red flags in mind. Incorporating these factors into your process can help you find suspicious activity sooner.
The Office of Foreign Asset Control (OFAC) publishes lists of individuals and companies owned or controlled by targeted countries and those involved with terrorism and narcotics traffickers.
Other countries also have databases that list whether the person or business is on a government sanction list. For example, the UK has the Financial Conduct Authority register that lists regulated businesses.
Using these databases to ensure that your customer is not on any government sanction list can help protect your business from money launderers and criminals.
A Politically Exposed Person (PEP) is someone with a prominent public function. These individuals can have a higher risk of bribery and corruption because of their position. Therefore, you want to make sure that PEPs are flagged so you can conduct enhanced due diligence on an ongoing basis.
A general review of media and newspaper articles on individual and business customers can help highlight concerns. Incorporating an adverse media search can help you flag high-risk customers sooner.
In 1970, the United States Congress passed the Currency and Foreign Transactions Reporting Act, commonly known as the Bank Secrecy Act (BSA). The BSA includes record-keeping requirements for individuals and financial institutions. FinCEN was created in 1990 to detect and enforce financial crimes such as money laundering and terrorist financing.
The USA PATRIOT Act was passed 12 years later with significant enhancements to the BSA. It gave greater authority to FinCEN to collect data, including beneficial ownership information from companies and financial institutions. It now collects data from over 27,000 financial institutions.
The USA PATRIOT Act allows FinCEN to create regulations setting out processes that financial institutions must follow for opening new accounts. This includes strategies for identity verification, including verifying the identity of any person who wants to open a new account to the extent “reasonable and practicable.”
In 2016, they also set out additional rules for due diligence, including the obligation to verify beneficial owners.
You should keep in mind certain things when implementing procedures for identity verification. These are best practices that can help you make the process more efficient.
Identity verification is essential for new business relationships. You want to make sure to carry out the KYC and due diligence obligations before establishing any business relationship.
Companies should verify the customer identities and create risk profiles.
This can help maintain consistency and provide the necessary framework for future customers and ongoing due diligence. In addition, when you have a consistent framework, any anomalies will stand out, allowing you to flag suspicious activities faster.
Dealing with false positives can be a cumbersome process. Choosing an identity verification service that helps you reduce false positives will support your business in the long run.
The initial work to establish a risk profile by implementing a thorough due diligence process at the start of the process can set the foundation for a solid and successful business relationship.
Companies should ensure that this is taken care of at the initial stages of any business relationship. At this stage, if the customer does not provide sufficient documentation, the company must conduct additional due diligence.
As part of your risk management policy, consider where you’re storing this information. While it must be a digitally secure location, you should easily access the customer’s risk profile in case of future regulatory audits.
Monitoring is a necessary part of risk management for current and ongoing relationships; This means reviewing transactions on an ongoing basis to ensure that it matches the risk profile. If certain transactions don’t fit the risk profile, they need to check those transactions in more detail.
Companies also need to stay responsive to suspicious factors that may require them to change the risk profile for the customer. Finally, ensure all documents and data are recorded and kept for easy access.
Not all transactions are the same. However, companies can better tackle money laundering by adopting some general principles of enhanced due diligence. In this way, they will not get overwhelmed by the KYC and reporting obligations.
Companies should take extra due diligence when going through transactions with large amounts of money. FinCEN reviews these transactions regularly. Companies don’t want to be offside any rules because they didn’t take extra care when dealing with these large transactions.
With cryptocurrency, this is an even more critical step because of the anonymity offered by cryptocurrency. The federal government is spending more time auditing and reviewing cryptocurrency transactions. Companies should take extra care because any suspicious activity can lead to significant reputational damage for the company.
Any transactions from high-risk countries or politically exposed persons have a higher money laundering risk. For these customers, companies must get additional forms of identification.
Companies should also identify the source of their finances or wealth. They must ask more questions to understand the purpose of the transaction.
Senior citizens are at higher risk for fraud. Therefore, companies should take extra care to review any large transactions from senior citizens or customers who have undergone health conditions like a stroke. This can help you increase customer satisfaction and create a reputation for security.
Businesses across varying industries must have identity verification and KYC programs in place due to regulations to safeguard businesses and their customers. The process of vetting customers to weed out criminals and other bad actors is a critical component of any financial services risk and compliance program.
And while each organization will have a slightly different system for identity verification, the goal is ultimately to reduce fraud and avoid hefty fines. When thinking about identity verification for your organization, remember these vital final notes:
Unit21’s Identity Verification solution is a game-changer for risk and compliance teams responsible for building and maintaining successful KYC/KYB and AML programs.
Our platform allows teams to manage identity and document verification, watchlist and sanctions screening, adverse media monitoring, and more – all in an interactive dashboard that provides transparency across the organization.
Our no-code solution features custom workflows to cater to your specific use cases, synthetic identity checks to ensure that entities submitting spoofed or falsified personal identifiable information can be easily identified, and link analysis - a visual representation of your data that will enable you to take a step back and view the whole picture, drawing links between entities and events that would otherwise be impossible to unveil, allowing our customers like Chime, Intuit, and Coinbase to defend against fraud with better data and better processes.
Ready to learn more? Contact us to request a demo of our identity verification solutions today.