Voice of the Industry

A better future for identity and KYC – what's new in digital onboarding in 2024

Friday 7 June 2024 08:00 CET | Editor: Raluca Ochiana | Voice of the industry

Mirela Ciobanu, Lead Editor with The Paypers, explains how verifiable credentials, reusable identity verification solutions, AI, and fraud insurance tech can address challenges in fraud prevention, data privacy, security, and regulatory compliance.

 

‘Man, it seems crazy that we’re doing all kinds of unbelievable things with science and technology and yet, the best way to prove who I am on the Internet is to take a photograph of my government-issued document and a selfie.’ Riley Hughes, the CEO and Co-founder of Trinsic 

‘Despite investing in various fraud prevention and compliance solutions tools, businesses are still shouldering the burden of lost liability for fraud on their own balance sheets.’ Sunil Madhu, Founder & CEO of Instnt 

‘Generative AI is the icing on the cake that most people haven’t built yet.’ Simon Taylor, Head of Strategy & Content at Sardine 

The surge in smartphone usage, widespread Internet accessibility, the rise of bigtech companies, the growth of ecommerce activities, and advancements in technology have fuelled the demand for seamless digital onboarding experiences in financial services. Customers and businesses alike now expect financial products and services that are accessible anytime, anywhere, and at minimal cost. However, the pursuit of rapid service delivery has also ushered in new challenges, particularly in combating fraud, ensuring data privacy and security, and maintaining regulatory compliance. 

For banks, fintechs, and PSPs, getting the digital onboarding experience (implicitly the KYC and KYB processes) right fosters trust, enhances user experience, and serves as a competitive differentiator. Seamless digital onboarding based on cutting-edge technology solutions can attract and retain customers, driving loyalty and profitability. 

Similarly, for SMEs and businesses eyeing global expansion, robust digital onboarding solutions are indispensable. By facilitating scalable and user-friendly onboarding experiences, businesses can effectively navigate cross-border complexities and offer a seamless user experience across multiple markets. 

However, achieving these desired outcomes is far from easy.

In essence, digital onboarding represents a delicate balancing act between contextual demands, operational challenges, and customer expectations. Success in this endeavour depends on how technology and human expertise manage to navigate the intricate web of regulatory requirements and technological advancements. 

This article will explore verifiable credentials and the application of reusable identity verification solutions. It will also examine the use of AI and data in identity verification (IDV), fraud prevention technologies, and the latest innovations in generative AI, considered a panacea for the KYC process. 

The context 

Keith Mabbitt, Chief Customer Officer at OneID, highlights several challenges that businesses encounter (especially in the UK) when relying on traditional forms of identification for their Know Your Customer (KYC) processes. 

Firstly, the susceptibility to fraudulent documents poses a significant risk, as physical IDs can be easily tampered with. Moreover, traditional methods are often non-inclusive, as approximately 13% of UK adults lack a passport and 25% do not possess a driver’s licence, limiting access to certain services. 

Additionally, the conventional KYC process is characterised by a slow and cumbersome experience, involving the manual finding, scanning, and uploading of ID documents, followed by verification, either by software or human agents. This complexity not only leads to a slower onboarding process but also contributes to higher costs. Consequently, the intricate and costly nature of traditional KYC procedures results in high abandonment rates, with approximately 68% of onboarding attempts being abandoned due to poor user experiences. 

Financial services and regulated entities are also concerned about the high level of fraud and fincrime, especially with the emergence of GenAI. GenAI can generate fake ID documents using techniques like image synthesis and data augmentation. Through image synthesis, GenAI algorithms learn from datasets of existing IDs to create realistic images resembling genuine documents. Data augmentation involves modifying elements like backgrounds, text, fonts, and holographic features to produce diverse ID samples. Additionally, GenAI learns from genuine ID templates to ensure new documents adhere to standardised formats and layouts. 

Verifying the authenticity of remote individuals has become crucial, particularly for high-risk use cases, such as in banking, employment, and legal proceedings. When done correctly, remote identity verification can confirm that an individual is the right person, a real person, and authenticate that person in real-time. 

However, this doesn’t happen for free, as fraud and compliance costs have escalated significantly. Identity verification company, Alloy report finds 25% of financial companies surveyed lost over USD 1 million to fraud in 2023. Also, the global cost of financial crime compliance topped USD 274 billion in 2022, up from USD 213.9 billion in 2020, says Lexis Nexis. The rising cost of compliance (especially for businesses that are expanding globally and that are scaling up operations) are also associated with complying with various and global KYC and KYB regulations that differ significantly across regions and countries.

To mitigate fraud (and minimise friction during the onboarding process), many financial institutions and regulated entities tap into data analytics solutions. But working with data and making sure it is accurate, properly collected (according to different global legislations), and stored can be very challenging. 

An important aspect related to the use of data is complying with user data privacy and security. Data privacy concerns have been raised by the EU’s Artificial Intelligence Act (AI Act). The AI Act establishes a thorough regulatory structure for artificial intelligence, organising AI systems into different risk categories and imposing specific requirements on those deemed high-risk. Remote biometric identification systems, particularly those integral to KYC processes, are expected to fall into the high-risk category outlined by the AI Act. This classification stems from their considerable impact on individuals’ privacy and data protection rights. 

The silver lining 

To make up for these challenges, there have also been notable trends and best practices in the KYC, KYB, and IDV space that equip businesses to continue their operations and offer the best digital onboarding and customer verification experience. Banks, fintech, and PSPs can navigate the complexities of digital onboarding and foster sustainable growth in the financial ecosystem by integrating advanced technologies (AI, ML, biometrics, blockchain, data analytics, graphs, NLP, etc.) and risk-based methodologies. Also, different global initiatives and standards (e.g. Open Banking, eIDAS 2.0, Open ID, ISO, W3C) are enabling the creation of different solutions that can be successfully used in IDV. 

Enter verifiable credentials 

What are verifiable credentials? 

To manage passwords and logins, the concept of Single sign-on (SSO) was developed in the late 1990s. 

Single sign-on (SSO) is an authentication scheme that allows a user to log in with a single ID to any of several related, yet independent, software systems. Wikipedia 

One decade later, the idea of Open Authentication emerged. However, a crucial aspect missing from Open Authentication is trust. Simply presenting an identity does not guarantee its authenticity or reliability. To address this issue, the World Wide Web Consortium (W3C)* introduced two open standards: Verifiable Credentials and Decentralised IDs (DIDs). These standards aim to enhance trust in digital identities by enabling verification processes that go beyond mere presentation. 

Decentralised identifiers (DIDs) are a type of globally unique identifier that enables an entity to be identified in a manner that is verifiable, persistent (as long as the DID controller desires) and does not require the use of a centralised registry. Wikipedia 

When referring to the formal W3C Verifiable Credential Data Model Standard, ‘Verifiable Credential’ is written with uppercase letters (‘VC’). However, we also use lowercase (‘vc’) when discussing ‘verifiable credentials’ in a general sense. Verifiable credentials encompass a wide range of attestations issued by trusted parties, enabling users to access various services and resources throughout their lifetime.

Verifiable credentials serve as documents containing stored information, with schema definitions customisable to the user’s needs. These credentials typically include basic attributes such as name, email, phone number, and address, and can extend to encompass more sensitive data like digital passport or driver’s licence information. 

Taking a broader view, even a credit card aligns with the concept of verifiable credentials. Issued by a trusted entity like a bank, it can be authenticated by merchants and used for transactions, adhering to similar principles of validation and authorisation. 

The proof is in the pudding - verifiable credentials use cases 

Healthcare 

The concept of a medical staff passport is straightforward: it’s an identity wallet used by healthcare providers to validate their credentials. Initially, the focus is on verifying the provider’s identity against official documents. Then, when obtaining medical credentials, these are cross-referenced to ensure accuracy, resulting in a higher level of trust in subsequent interactions. 

Banking 

In October 2023, Instnt introduced Multipass, a solution that uses open standards like Verifiable Credentials and Decentralised ID to offer decentralised, self-sovereign identity. Multipass integrates with banks and other businesses through a toolkit provided by Instnt. Once integrated, the app can receive, store, and send verifiable credentials with user consent. 

When a customer completes verification for a new account, Instnt generates an electronic pass delivered to the user’s mobile device via the business’s application. Users accept and store the pass on their device while Instnt ensures its authenticity. 

Customers can selectively share information with businesses, plus, the pass serves as an authentication credential, eliminating the need for traditional passwords. 

Ecommerce 

When a user browses a merchant’s website, such as Winelivery, to buy alcohol, the traditional process involves submitting documents like a driver’s licence to prove their age. However, with verifiable credentials, users can simply present a pass. This pass, devoid of personal details like date of birth, serves as confirmation of approval from a trusted entity, such as a bank. 

Mapping different risk levels with verifiable credentials in the KYC process 

Verifiable credentials play a crucial role in establishing different levels of risk within the KYC process. 

These credentials can be tailored to enable varying levels of assurance, which represent the certainty with which a claim to a particular identity can be trusted during authentication. 

For example, a verifiable credential may include information specifying the level of assurance or risk associated with the pass. In one scenario, the verification process may have confirmed only basic details such as name, email, and address, warranting a lower level of assurance, perhaps designated as level three. Conversely, for a different product or service, a more rigorous verification process may be conducted, including verification of additional details like phone number and driver’s licence, resulting in a higher assurance level, such as level five.

Additionally, these verifiable credentials contain an expiration date timestamp for the KYC envelope. This timestamp indicates when the individual was last verified and KYC-ed. After a certain period, the verification expires, necessitating re-KYC-ing. The issuer can define the duration of validity for the KYC verification. 

All pertinent information, including assurance levels and expiration dates, is stored within the pass itself. Therefore, the infrastructure required involves both the capability to issue the pass securely and the means to store pass data securely within a mobile application or similar platform. 

The delicate balance between innovation and interoperability 

A significant hurdle in achieving results with verifiable credential solutions is the delicate balance between innovation and interoperability, according to Riley Hughes, the CEO and Co-founder of Trinsic. Many of these solutions are built on the W3C Verifiable Credential Data Model or a similar framework. The challenge lies in the conflicting objectives of speed and standardisation. On the one hand, when launching a product, there’s a need to move quickly, iterate, and incorporate cutting-edge technologies to deliver the best possible product. On the other hand, achieving interoperability requires adherence to agreed-upon standards, which can slow down the development process. This creates tension between the desire to innovate rapidly and the need for compatibility with other applications. 

Some other challenges in adopting VC mentioned by Sunil Madhu, Founder & CEO of Instnt relate to several things like trust, taking responsibility in case of fraud, vendor lock-in, etc. Trust is a very complex thing, as it is based on cultural and regional factors. People may not feel comfortable using their bank credentials to gain access to a website. In some countries, where people trust banks, they will be more likely to use a bank credential. 

Fraud insurance technology

An ongoing concern in identity verification is the allocation of liability. When a trusted entity like a bank conducts the initial verification and a fraudulent transaction occurs later, who bears the responsibility for the losses? This disconnection between the verification process and subsequent fraud incidents raises critical questions. To tackle this challenge, Instnt offers a solution: fraud insurance technology. They provide insurance protection, guaranteeing up to a hundred million dollars in aggregate for fraud loss insurance. This means that if an entity accepts a pass issued through Instnt and fraud occurs, they are relieved of liability, as Instnt assumes responsibility for the losses. 

The use of AI and data in identity verification (IDV) 

To enhance security and customer experience, companies need to be prepared to adopt technology. During a podcast discussing the disruptions in KYC, Simon Taylor, Head of Strategy & Content at Sardine mentioned that one key lesson he gleaned from his experience at Sardine revolves around the importance of acquiring (more) data and ensuring its quality to consistently train and retrain superior AI models. 

Why data is important, especially in the context of using generative AI to perpetrate fraud? Because the most reliable signal currently is device and behaviour data as it is the most difficult to manipulate. While one could deepkafe a face and voice, or forge a passport, replicating typing cadence, habits, and unique quirks of users is exceptionally challenging. Obtaining more extensive and higher-quality data is essential because while many analyse typing cadence, other crucial factors may be overlooked. Improving data quality and quantity is key to enhancing AI and data science models.

To acquire the necessary data, organisations may explore options like purchasing or sourcing data externally, or even generating synthetic datasets for training purposes. Yet, the challenge lies not in building these datasets, but in maintaining their quality and relevance over time. Simon underscored the importance of every organisation having its own dedicated data science and engineering teams, stressing the need to leverage both internal and external data sources effectively. 

In the realm of AIvendors, Simon observed a tendency for many to operate as black boxes, limiting transparency and hindering organisations’ ability to fully understand and use the underlying data. He emphasised the importance of explainability and fine-grained access to data, advocating for a more transparent approach akin to what organisations would develop in-house. 

Conclusion 

In conclusion, the imperative for new, contemporary identity verification solutions rooted in open standards and an extensive use of data analytics (with enriched, explainable, and transparent data sets) cannot be overstated. The potential benefits of such advancements are manifold. For banks, fintechs, and PSPs, optimising the digital onboarding journey not only cultivates trust but also elevates the overall user experience, serving as a potent competitive advantage. By streamlining onboarding processes with state-of-the-art technology, these institutions can attract and retain clientele, thereby bolstering loyalty and profitability. Similarly, for SMEs and enterprises eyeing global expansion, robust digital onboarding solutions are indispensable. By providing scalable and intuitive onboarding experiences, businesses can adeptly navigate the intricacies of cross-border operations, ensuring a seamless user journey across diverse markets.

* The World Wide Web Consortium (W3C) is an international community that works together for the long-term growth of the Web. 

This editorial was initially published in the Emerging Technologies and Trends in Identity Verification, KYC, and KYB Report 2024. The report dives into the latest practices and technologies that enable financial institutions and regulated entities to reduce fraud, build trust, navigate evolving regulatory and compliance requirements, and cut operational costs. You can download your free copy here

About Mirela Ciobanu

Mirela Ciobanu is Lead Editor at The Paypers, specialising in the Banking and Fintech domain. With a keen eye for industry trends, she is constantly on the lookout for the latest developments in digital assets, regtech, payment innovation, and fraud prevention. Mirela is particularly passionate about crypto, blockchain, DeFi, and fincrime investigations, and is a strong advocate for online data privacy and protection. As a skilled writer, Mirela strives to deliver accurate and informative insights to her readers, always in pursuit of the most compelling version of the truth. Connect with Mirela on LinkedIn or reach out via email at mirelac@thepaypers.com.


Free Headlines in your E-mail

Every day we send out a free e-mail with the most important headlines of the last 24 hours.

Subscribe now

Keywords: KYC, KYB, identity verification, generative AI, banks, fintech, PSP, SMEs, digital onboarding, fincrime, identity fraud, compliance, artificial intelligence, customer experience, Open Banking, EIDAS, money laundering, biometrics, verifiable credentials, decentralized identity, ecommerce
Categories: Fraud & Financial Crime
Companies:
Countries: World
This article is part of category

Fraud & Financial Crime