Identity assurance

You do it all the time, often just by pressing a button via social media, saying Become a customer using your Facebook ID. And then you are signed up as a customer in a web store. On the other hand, signing up to a financial institution like a bank often proves really difficult and you have to provide a lot of information.

This causes a lot of users to abandon the sign-up process for financial services, as can be shown in our survey The battle to on-board (download your copy here) which was done earlier in 2016. According to the survey, over 40% of the users had one time or another abandoned an attempt to become a financial customer. This means losing a lot of potential business.

Part of the issue is that financial institutions are under strict regulatory requirements like KYC (Know Your Customer), which are in place to prevent money laundering and terrorist financing. However, this should not prevent banks from doing a step-wise on-boarding of new customers. Focus on the customer journey and make it simple to get signed up, and to get the relationship going.

This could even be as simple as using a sign-up button on social media. Obviously, Facebook will not be sufficient as a KYC process, so there would have to be some limitations on the financial services available to the customer. There could for example be a ceiling on the available funds in the account, or a limit to how much money could be transferred per month. Combining social media identities would also help increase the assurance level.

This would be a low risk for the banks, and these accounts would be closely monitored. As soon as the user attempts to perform additional functions, the user will be taken through an identity assurance step-up process.

In markets where public eIDs exist, for example BankID in Norway and NemID Denmark, this could be used as part of the assurance process, getting the user fast on board, with relatively little effort. However, many countries lack such infrastructure, and need to look for other ways to on-board customers.

The eIDAS regulation (EU 2014/910) talks about the degree of confidence in electronic identification means in establishing the identity of a person, and uses three assurance levels: low, substantial and high. eIDAS does not give details on how the levels are achieved, so this is still work in progress. Also, eIDAS does not define the purpose of the levels, so it is up to the bank to determine which are the limits and functionality for each of these levels.

Even though this article focuses on the strong security requirements for financial institutions, the applicability is not limited to such institutions. Any type of organization which needs a user identity assurance has to consider the balance between user convenience, cost, risk and compliance.

Also, remember that KYC is not absolute. It establishes a high degree of confidence (which would correspond to eIDAS level high), but it is still possible for a user to present fake identity papers. It is easier to get hold of a fake ID paper than to create a fake Facebook account, which is 10 years old, and has friends and activity. However, it should be noted that there is a risk of account highjacking and social engineering to get access to these accounts.

Signicat offers several methods for identity assurance (see side-bar), which can be combined to achieve reasonable assurance. If, at the end of the process, the assurance can still not be established to a reasonable degree, it will be taken to a manual process. The first part of this process is that a bank employee inspects the received data. If required, the employee may schedule a video conference with the user.

What is important is that the bank does not establish a “wall”, which the user must climb to get in. Make the initial on-boarding simple, and then step-up the assurance level as required.

For similar stories, please check out our Web Fraud Prevention and Online Authentication Market Guide 2016/2017 here to get access to an insightful outline of the global digital identity and web fraud ecosystem.

About John Erik Setsaas

John Erik Setsaas has worked with identities for over 20 years. He has in-depth knowledge in the areas of security and identity management. His is Identity Architect at Signicat AS, working with identity assurance, authentication, digital signatures and seals.

About Signicat

Signicat is one of the leading providers of electronic identity and electronic signature solutions in Europe. The company, founded in 2007, delivers online trust based services to the public and private sector globally. The solutions are used by banks and financial institutions, insurance companies, government agencies and large corporations as well as small and medium sized businesses.