This is part 2 of a series of blogs created from those identity verification touches; practitioners, consumers and fraudsters.
OCR Labs wanted to get an unbiased opinion on the Identity Verification industry from all those it touches. In order to facilitate this we reached out to John Marsden, previously of Equifax, iovation, TransUnion and now We Fight Fraud, to interview his industry contacts with no commercial interest to get an honest opinion of how practitioners, consumers and fraudsters see Identity Verification technology and the industry as a whole. If you missed part 1 of the series focused on practitioners then you can read that here.
Over to you John for part 2...
So, how do consumers feel about the processes we as a business community have pulled together to establish trust and often, to meet regulatory compliance?
It’s clear that age, experience, background and indeed, profession influences the way we feel about most things, not least risk decisions.
That in itself, indicates something deeper going on in the consumers digital choices than just selecting the product or service. Every time we use a brand, a web site, or a network, we are evaluating risk and looking for trust. This aspect of our online lives is encouraged, we ‘Take Five’. Take five is a UK initiative funded by Industry and Government to promote consumer awareness and therefore protect from fraud at the frontline. Their guidance is ‘stop, challenge and protect’, figuratively, ‘taking five’ to think about what you are doing before committing to an action.
We recognise that providing images of documents which we traditional use to prove our identities, which contain our precious Identity data and then take a video providing our face is one of those times you should ‘take five’, as the guidance suggests. It is clear that all the respondents interviewed recognised a risk in the moment of Identity Verification.
There is value in understanding how your customers will be influenced by the process. Often, in commercial terms an applicant is already a valuable asset. Marketing spend and promotions have attracted the potential customer, to see a percentage ‘bail out’ of the process at the critical stage is both a common experience and a loss to the organisation. The hope is the consumer might return and complete the process, but you can guarantee a large % of lost business and the loss of the lifetime revenue associated with this customer.
The below is the results of five interviews conducted with individuals not associated with the provision of such ID Verification processes, but commercially active and they have taken part in a digital ID process, involving Driving Licence and/or Passport. They are all UK born and resident, if you like, the modern-day version of the Tinker, Tailor and Candlestick maker. We interviewed a 60-year-old Structural Engineer, a 38-year-old Academic, a Highways Planning Officer at 49 years of age, a Property Solicitor of 40 and finally a 24-year-old Account Manager for a Software Business.
Almost a random sample, but selected by myself and therefore already biased, still in this we see common themes and some clear learning.
Friction vs Ease
Is ease right all the time? Certainly, consumers have repeatedly shown a ‘lack of clicks’ is preferred in retail checkouts.
Even in retail, the consumer is getting used to being challenged when the transaction risk is elevated and it’s distinctly easier than ever for a digital consumer to follow a step-up challenge process. The consumer is expecting the right amount of friction.
In some ways, some of my own interactions seem too easy. I acknowledge that my bank has a superb handle on me, knowing my device, my home IP based attributes, my swipe and type, they are looking for malware and anomaly everywhere, so I get why I can transfer large sums of cash unchallenged or large purchases - I still would like a challenge, just to let me know I have that control. In my mind, any transaction over say £1,000 would work for me - I really don’t mind - the risk to me justifies the friction.
Certainly, asking a consumer to find a government issued Identity document, photo that and then take a selfie with often strange behaviours displayed to prove liveness is a process heavy on friction and only due when the reward is right. It is not appropriate to go through a document based Identity process to perform a relatively low value purchase for example, but where an Account, Loan or Business Relationship is established, it may be right.
Consumers do understand the need to Identify, moreover the Identity Verification process overtly demonstrates that an organisation has established a level of trust with the user base which offers the consumer some comfort that a level of trust can be conveyed on to other users, this aspect of trust is examined below.
Not one consumer felt that it was too much hassle to find their documents for the facilities being applied for. All of the respondents recognise that the processes and facilities they were using were ‘relevant’ for such activities, citing that they ‘needed’ the facility. In essence, they are unlikely to offer their passport for shopping purchases and relative low risk activities. To put this in some context, the interviewees had applied for Universal Credit, obtained Digital COVID passports, applied for bank accounts, opened corporate accounts, and opened Bitcoin exchange accounts.
Trust - A Two way street...
In all interviews, the aspect of trust was manifested, the decision to share Identity data playing a large element in this aspect of trust. All interviewees needed to be reassured that they were sharing their Identity with an organisation which they trusted to deal with their data in the right way, whilst the consumer is not performing an audit, they rely more on reputation and expect regulatory governance as part of that reputation. The brand matters. Reputation conveys trust and as such those brands are trusted to deal with the consumers data and information in a reputable manner.
The younger respondent was without a doubt, more engaged in a digital life. They had sought business relationships online with less known brands and particularly in Cryptocurrency, however, the thought process around should I trust my Identity to these organisations still played in their mind during the process, the choice here was advised by the organisations online reputations.
One of the consumers interviewed explained a process where a web browser journey redirected them to download a provider’s app, this app was branded as the IDV provider not the business the interviewee was trading with. This app was difficult to use, and he abandoned and forced the company to take an exceptional route and validate his identity manually. He did not trust the app; he did understand the risks of the data being exchanged and was not prepared to persevere with a shadow over this third party provider.
This introduction of a third party was also described in the HM Government Verify journey, where several providers were presented, the individual downloaded an app from this provider to complete part of the process - which was document and face capture. This caused a number of concerns, not only the burden of choice of a provider at a moment of undetermined risk, the download of an app without any instruction as to how long that was to be kept was significant, as far as the respondent was concerned her identity was held on that app, increasing perceived risk.
When asked if they were concerned with a ‘break’ in their journey (web browser moving to app), that was not the issue, it was the introduction of another party (brand) into this relationship where sensitive data was being given away which caused concern.
There is more than one lesson here, the biggest for me being, that the marketeers are right about brand, why would you bring in an untrusted third party at a critical stage of the relationship with that consumer and secondly, it needs to work (see blog 1). It needs to be easy to use, of course, to deal with the complexity of the wild with multiple device types and documents, to engage the consumer correctly.
Any organisation and indeed, those within the Identity industry understand that there is a lot more going on behind the scenes with regard to fraud prevention technologies used than the consumer knows or should know. After all, no one wants to disclose their security posture to the masses, that’s like putting up a big sign outside your house, telling the public your front door key is under the mat! To the consumer, a little friction demonstrates a commitment to some standards, which can be trusted.
The clearest example of this discussed, was actually in relation to opening bank accounts. Because each bank account is set up with full due diligence to regulatory standards, the account status itself conveys some level of trust, especially where the consumer can confirm the name on the account. This makes sense in cultural history, the bank being a trustworthy institution. It’s not that long ago when Bank References were a common occurrence. Regardless of how this trust basis is forged in our culture, the fact that the consumer was subjected to a friction-full procedure underpinned this understanding of ‘trust’.
This concept of ‘trusted networks’ is worth some thought, Brands such as Airbnb, who offer ID Verified status (Other providers exist and do similar!). So, would the respondent be more prepared to trust an ID Verified profile over and above those who are yet to verify their Identity - A host can decide to take bookings from unverified IDs on Airbnb, which is at their risk, although I suspect most Hosts feel similar to the interviewee - IDV processes do establish a level of trust.
In reviewing these experiences, the actual usability of the solution contributes to both friction and the feeling of ‘trust’, although that lies deeper in the engagement with the consumer.
Three of those interviewed dismissed the retries in the capture process (both document and face) as almost acceptable - ‘I had to do the photos a couple of times but it was OK’. Of course, the app provided from a 3rd Party Brand was as cited as not working at all.
A comment was made during interview, regarding the ‘Mug Shot’, not just an interesting turn of phrase, but when probed, the ‘selfie’ process being used called for a typical ‘Mug Shot’ - turn your head to the left and then to the right approach, this was via the previous HM Government Verify programme, even I can see a reason for consumer concern there, albeit a passing thought for the consumer, it’s not an association most brands would wish to make.
In a number of cases discussed, the results from the authentication event were not provided instantly, only the youngest respondent (24 years) raised any concerns about a delay in the account opening or the delay in processing. In one case, a respondent was told it might take up to 8 hours, to be approved in 5 minutes, exceeding expectations. This respondent also cited that he ‘would not have trusted a faster process’.
The observations above are not based on a scientific sample or around a particular segmentation, it provides some insights of what might be important to consider. It shines a spotlight on a particular event, proving identity online in the absence of a digital identity programme.
What is clear is that the consumer does consider the risks of identity crime, they will evaluate a business in respect of this risk. The providers who stay consistent in brand, look and feel convey a deeper level of trust to the consumer. We are increasingly, educating the consumer to take a moment to consider the risks they face from fraud, so we can expect a consumer to evaluate this risk.
The consumer accepts the process where relevant and appreciates the raised security it demonstrates.
The next natural progression for this technology, leads to facial biometric authentication. Once we trust a face with an Identity, using the face to authenticate seems natural….doesn’t it?
Thank you, John. Looking forward to part 3!
P.S - If you are experiencing any of the issues raised by the interviewees in this blog please feel free to reach out to us at firstname.lastname@example.org or request a demo. We’re more than happy to chat about the state of the industry and if it's a good fit, show you how our technology could overcome the challenges you are facing.