OCR Labs wanted to get an unbiased opinion on the Identity Verification industry from all those it touches. To facilitate this, we reached out to John Marsden, previously of Equifax, iovation, TransUnion and now We Fight Fraud, to interview his industry contacts with no commercial interest to get an honest opinion of how practitioners, consumers and fraudsters see Identity Verification technology and the industry as a whole. In part 1 of this 3-part series, John explores how practitioners see the space and what they truly value.
Over to you, John...
I have had the pleasure of a lifetime selling and supporting systems designed to deliver trust in an online interaction and, often, to hit regulatory standards. Concentrating on the subject at hand, I bring some preconceptions, but moreover, my clients over the years have always regarded me with some ‘sales resistance’. Independence can be liberating: what do buyers of Identity Verification (IDV) tools think is critical in their purchase and use of document-based IDV? For once, with no vested interest, I find out what’s important to them and their businesses.
Put very succinctly by the Fraud Operations Manager at one of the larger UK challenger banks: ‘I need 24x7 uptime and reliable accuracy’. This need for around-the-clock uptime is common across industries; always on is essential to Gambling, Retail, Finance and Banking alike. Their businesses are 24x7, and one of the banks even cites that it’s normal for hundreds of applications to be received in the early morning hours. Digital is always on, so the supplier must be.
The accuracy element is interesting. There is wide acceptance among the professionals interviewed that 100% accuracy is not expected; as a Head of Data Science at a separate UK challenger bank put it, ‘even the best solutions will never be 100%’. But accuracy in the ability to extract and provide observations for consistent, ongoing blending into wider pools of data is vital to build out the full story of an account application or a transaction.
Reliability also relates both to the Identity Verification technology and to the relationship between buyer and supplier. One of our contributors, a large online gambling operator, bought and pre-paid for deployment in a new territory. Whilst the operator could work with the relevant national ID, the required extract of data was not available and the supplier was not responsive to their needs. Obviously not a great situation, and an example of both the technology and the relationship not living up to initial hopes.
One strategy taken by one of the challenger banks to counter this reliance on a single relationship was to dual-source Identity Verification technology. This is not just for backup: they leverage the capability differences, and the competitive aspects ensure deeper relationships, which lead to a reliable supplier. The ability to switch traffic to one supplier’s system, and with it share of revenue, ensures that the suppliers are in competition with regard to coverage and reliability, and of course price. This option is often not open to others, as they struggle to position the integrations within the other technical priorities of their businesses; even changing suppliers can be complex for some respondents.
Consistency in the system messages returned, in both the extracted text data and the format of the system’s observations, could be expected; after all, IDV technology provides an Application Programming Interface (API). Unfortunately, with so many documents and, indeed, mixed technologies (and sometimes providers) behind the scenes, the data extracted and returned is not always standardised, which means exceptions are experienced as erroneous responses.
Capture and examination of the document image is seen as a matter of reliability: ‘Conversion rates are measured as first time pass, number of retries and the follow up actions on failed transactions’. This acknowledges the key functionality of taking an analogue document and capturing an image of suitable quality to spot counterfeit and manipulated documents. This single point of capability is vital both from a customer experience point of view and as a critical element of reliability. Without good images, the extracted text (OCR or Optical Character Recognition), algorithmic checks and fraud screening become fundamentally flawed.
The aspect of reliability also called for the need to cover document types; as suggested above, one of the gambling respondents had a particular need in a particular jurisdiction. Often documents are supported by a vendor using international standards such as ICAO (International Civil Aviation Organisation) for Passports, but that leaves critical identity data uncovered in many jurisdictions where specific data is present, sometimes in various languages and the corresponding characters. The statement from one participant, ‘it needs to work’, directly indicated a supplier who had not understood the requirements for KYC in the region but advertised coverage. I see this as a failure of a vendor, but worthy of some note, especially if you are tasked with choosing a supplier! The challenger banks and Gaming industries tend to be exposed widely to various documents from all regions, and as such the coverage needs to be as comprehensive as possible. At pace and volume, problematic document types soon cause operational issues, if not expose vulnerabilities.
We all understand the fundamental purpose of the system: it builds trust that the document and the person presenting the document are both real and credible. The customer's experience is critical to business success. Whether the situation is an application for a new account or an account event (e.g. changing address), introducing an Identity and Verification process creates ‘friction’. We are asking the individual to find a document and follow a process; this directly affects the perception of the brand, it is front and centre and establishes trust.
Firstly, let’s deal with the customer experience. As pointed out by all 3 challenger banks interviewed, the ability to ensure first-pass capture of quality images is a primary measure; moreover, how the consumer is instructed to retry, and how much this happens, is vital to overall success. The ability of the IDV vendor to provide a software solution, both in-app and in browser, to best perform this function is at the core of the requirements.
Through Fraud Operations’ eyes, all the captured detail needs to be integrated into a process which allows operators to view all aspects of the transaction in a single system. ‘Often the depth of data needed to investigate a case is within the supplier's system alone’. Whilst the main aspects are captured in the overall application processing system, the importance and value of the detail is not missed in working through manual referrals. The proposition of additional capabilities, or modules, within the IDV system is attractive as a way to unite diverse data sources natively in a system. This does raise other questions about the orchestration of the application process. Many software vendors offer ‘orchestration’, often with ambitious slides and promises, and this often oversimplifies the workshop floor’s requirements for depth.
With regard to fraud controls, the general requirement was that the data, including all metadata, across the lifecycle of the client and whenever the system is involved (application or account activity), is made available to the client’s systems. In most cases, this data feeds directly into a risk assessment of the overall transaction. Especially within the banks, the decision to ‘trust’ is advised by many processes, data and observations, IDV being a core component.
The opportunity to catch fraud through the technology was not missed, to quote: ‘They must have a good capture rate of fraud, they must be good at spotting counterfeit and manipulated documents, they need the ability to raise trends. If we are subject to a particular attack we need to know and they need to be able to identify common faces’. This statement clearly sets out the expectations: counterfeit (or replica) documents and manipulation require great image capture to spot the smallest of details.
With counterfeit, it is a common belief that the more an algorithm is trained on that document, the better a machine will be at spotting an anomaly. This is often correct; what it does indicate is a need to understand how the IDV supplier approaches counterfeit and, indeed, known lost and stolen documents.
Detection of manipulation, too, can be improved by a large base of good data, and the software should be seeing manipulated, duplicated electronic images, as well as identifying signs of physical tampering. The concept of recognising common faces is of much interest; faces offer us an ability to see behind the data. One-to-many face matching is feasible, though the processing involved is heavily dependent upon how many faces exist in the particular data set being matched. It makes absolute sense for a business to want this ability to see common faces both within their client base and to identify matches to known fraud.
Surprisingly, despite the IDV vendors’ best efforts, there is cynicism and some concern regarding the biometric comparison with a live face, not least because of confusion over the techniques used to perform this check. Of particular note, one of the respondents was aware of the need to assure themselves that the biometrics and liveness worked across all ethnicities, the issues of machine-learnt bias being well discussed of late. One respondent stated, ‘The accuracy is just not there right now’. Of course, the success of this functionality is reliant on good capture of the facial image on the document, or from the eChip, but moreover, on the capture of the live face.
The respondents did not dwell on the eChip capture, nor on the techniques to prove liveness (Turn left, Smile, Stick tongue out etc), which, considering the time spent to develop and communicate these features by IDV vendors, seems disproportionate.
There was also a clear call for advised intelligence. The Data Scientist’s need for clarity in ML models, retraining changes, trend identification and calibration is echoed within Fraud Strategy, as they need to understand the real life threat and changes to fraud operations, who only too often see a change in trend through their own operations. The client needs to be advised and involved. The ideal for one was options to upgrade or hold models, and the ability to test before adoption. It’s important to understand why this matters so much: the knock-on effects of changed parameters can have profound changes for the key metrics used across every business, and often ‘the work to trace why an anomaly is appearing can be avoided by simply knowing what, when and how the supplier introduces changes’.
The ability to confirm an identity in an online environment has obvious benefits to the majority of businesses operating digitally; however, the concept of customer friction vs ease is ever present. Within Finance it’s absolutely accepted that customer due diligence involves the Identity process, and this is also accepted by the consumer population. It is mandatory and enforced heavily for the money laundering regulated sectors, but does the technology have a place within our other digital interactions, and where will the adopters be outside of the regulated sectors?
To push this, we approached the retail and insurance industries. Whilst the tech is used in travel today, that industry is not quite as stable right now as it could be.
The Head of Fraud from a large UK retailer quite clearly sees what the technology might do to protect from fraud, but in the harsh reality of their business any additional friction at checkout is unacceptable; to quote, “Don’t touch our checkout!”. He went on to explore how the technology might help in High Value Transactions, as elevated trust may be required on both sides (buyer and seller). Indeed, ‘High Value Dealers’ are regulated under money laundering provisions and as such require customer due diligence to the same requirements as financial businesses, albeit the occurrence of €10,000 transactions (single or linked) is rare for the majority of both retailers and consumers, as is enforcement.
It should be noted here that in other countries, outside of the UK, the concept of using an Identity Card for retail transactions has long been established, even in stores.
In insurance, the use of ID at the Quotation stage is just not a reality; despite efforts to ensure accurate details are asserted on comparison sites, it’s highly unlikely that frictionful Identity processes are sought at that stage. Identity fraud and account takeover are on the rise with motor portfolios, as incepting new policies for whatever deceitful reason has become more difficult, not least from the introduction of multi-factor authentication on cards for large and new transactions. This is bypassed with compromised and synthetic identities, but also through the use of existing subscribed payments, leading to account takeover as a vector.
The Senior Fraud Manager from a large UK insurance aggregator felt that this is likely to see adoption of Identity Verification at point of sale of policies, at mid-term adjustments to those policies and potentially at the point of claim.
The proposition for insurance in a traditional use sense may be close to adoption, certainly where customer experience can be improved by having the ‘form filling’ initiated and advised by the document up front. This is worthy of some thought: after all, a motor policy requires a driving license, so why are we asking for a ‘form fill’ when we can ‘hold and read’, increasing the speed and building in trust for good proposers?
Summary
All respondents were concerned that their systems worked together, and some were extremely conscious of the amount of time spent on referrals/reviews. Integration, referral time and record keeping facilities were all key aspects.
The clients wanted a relationship, a supplier that is accessible, listens and reacts.
The adoption of the technology is mature within the finance sectors, driven by AML Regulation. The future for the technology looks promising as many other sectors grapple with the changing face of identity crime.
The panacea for the respondents is a reliable way to prove identity with minimum friction for the consumer; digital identity was mentioned a number of times. Currently, document-based systems offer near 100% coverage, answering the needs of today.
In the next edition, we will explore in more detail how consumers feel about the use of IDV technology, and we’ll explore the ideas of ‘trust’ and ‘friction’ against the purchase decisions professionals make.
Thank you, John. Looking forward to the next article!
P.S - If you are experiencing any of the issues raised by the interviewees in this blog please feel free to reach out to us at firstname.lastname@example.org or request a demo. We’re more than happy to chat about the state of the industry and if it's a good fit, show you how our technology could overcome the challenges you are facing.