What Is Identity Proofing? Identity proofing, authentication and management are becoming increasingly complex and essential aspects of running a successful enterprise. Organizations need to get identity right if they want to comply with regulatory requirements and combat fraud. It's also becoming table stakes for making your customers feel safe and recognized. 63 percent of consumers expect businesses to recognize them online, and 48 percent say they're more trusting of businesses when they demonstrate signs of security. Identify proofing is the process organizations use to collect, validate and verify information about someone. There are two goals — to confirm that the identity is real (i.e., it's not a synthetic identity) and to confirm that the person presenting the identity is its true owner. The identity proofing process also relates to and may overlap with other aspects of identity management. Identity proofing vs identity authentication Identity proofing generally takes place during the acquisition or origination stages of the customer lifecycle — before someone creates an account or signs up for a service. Identity authentication is the ongoing process of re-checking someone's identity or verifying that they have the authorization to make a request, such as when they're logging into an account or trying to make a large transaction. How does identity proofing work? Identity proofing typically involves three steps: resolution, validation, and verification. Resolution: The goal of the first step is to accurately identify the single, unique individual that the identity represents. Resolution is relatively easy when detailed identity information is provided. In the real world, collecting detailed data conflicts with the need to provide a good customer experience. Resolution still has to occur, but organizations have to resolve identities with the minimum amount of information. Validation: The validation step involves verifying that the person's information and documentation are legitimate, accurate and up to date. It potentially involves requesting additional evidence based on the level of assurance you need. Verification: The final step confirms that the claimed identity actually belongs to the person submitting the information. It may involve comparing physical documents or biometric data and liveness tests, such as a comparison of the driver's license to a selfie that the person uploads. Different levels of identity proofing may require various combinations of these steps, with higher-risk scenarios calling for additional checks such as biometric or address verification. Service providers can implement a range of methods based on their specific needs, including document verification, database validation, or knowledge-based authentication. Building an effective identity proofing strategy By requiring identity proofing before account opening, organizations can help detect and deter identity fraud and other crimes. You can use different online identity verification methods to implement an effective digital identity proofing and management system. These may include: Document verification plus biometric data: The consumer uploads a copy of an identification document, such as a driver's license, and takes a selfie or records a live video of their face. Database validations: The proofing solution verifies the shared identifying information, such as a name, date of birth, address and Social Security number against trusted databases, including credit bureau and government agency data. Knowledge-based authentication (KBA): The consumer answers knowledge-based questions, such as account information, to confirm their identity. It can be a helpful additional step, but they offer a low level of assurance, partially because data breaches have exposed many people's personal information. In part, the processes you'll use may depend on business policies, associated risks and industry regulations, such as know your customer (KYC) and anti-money laundering (AML) requirements. But organizations also have to balance security and ease of use. Each additional check or requirement you add to the identity proofing flow can help detect and prevent fraud, but the added friction they bring to your onboarding process can also leave customers frustrated — and even lead to customers abandoning the process altogether. Finding the right amount of friction can require a layered, risk-based approach. And running different checks during identity proofing can help you gauge the risk involved. For example, comparing information about a device, such as its location and IP address, to the information on an application. Or sending a one-time password (OTP) to a mobile device and checking whether the phone number is registered to the applicant's name. With the proper systems in place, you can use high-risk signals to dynamically adjust the proofing flow and require additional identity documents and checks. At the same time, if you already have a high level of assurance about the person's identity, you can allow them to quickly move through a low-friction flow. Experian goes beyond identity proofing Experian builds on its decades of experience with identity management and access to multidimensional data sources to help organizations onboard, authenticate and manage customer identities. Our identity proofing solutions are compliant with National Institute of Standards and Technology (NIST) and enable agencies to confidently verify user identities prior to or during account opening, biometric enrollment or while signing up for services. Learn more This article includes content created by an AI language model and is intended to provide general information.
Kathleen Peters, Chief Innovation Officer, Decision Analytics for Experian, was recently featured on the Eliances Heroes podcast as part of the new weekly segment, the “Experian Identity Report.” In the introductory show, podcast host David Cogan, spoke with Kathleen about why identity is so important to our society. Listen to the podcast for the full discussion and see the transcript below. Learn more about Experian Identity David Cogan: How critical is it? Well, I’ll tell you. Payment fraud will exceed $206 billion in the next five years and let’s face it. Managing one’s personal identity is very complicated on its own and if the business enterprise managing customer identities in a strategic and secure way and scale across countless interaction is extremely complicated. And it’s only going to get more complex with the future from what I understand and all the technology that’s coming out if not by the day, by the hour. And that’s why we’re bringing this to you. Interviews with the world’s leading experts on the game changing impact of identity and the need to use reliable data to make confident decisions that securely accelerate customer engagement and that’s why we’re honored here today to have with us Kathleen Peters, Chief Innovation Officer, Experian Decision Analytics North America. Kathleen Peters: Thanks so much David, it’s great to be here with you. DC: $206 billion of payment fraud in the next five years? I mean who’s going to want to turn on their computer after this. That is a serious number. What do we do? KP: It’s really important that we get our arms around this both as consumers as well as businesses because we want to engage online. So much of what we’re doing is digital. It especially started in COVID when we were having our groceries delivered and everything else and even our grandparents are having to do their banking transactions online. The world is changing, and fraudsters take notice of that as well. Fraudsters are opportunistic and when they see a bunch of folks doing stuff online that they’ve never done before, they’re seeing that as an opportunity too. DC: You know the days of people horseback riding and overtaking trains are long gone and now it’s all digital. KP: It’s a lot easier these days. DC: Why is identity so important to our daily digital lives and in business? KP: It’s a great question, David. And as a consumer myself, you, and I when we transact online whether that’s to have food delivered, or I’m buying something for my kids or I’m even paying a bill, I want to be able to trust that my information will be safe, that my privacy will be protected and that my experience will be as smooth as possible. I think that’s what we all want. So as consumers and as businesses, how do we enable all the opportunities this new digital world is presenting to us in a way that we are safe and also businesses can transact with us securely and have confidence on who’s engaging with them online. DC: Let’s talk about identity. What really makes identity so challenging to manage at a business enterprise level especially with how complex the business portion is? KP: Absolutely. It really comes down to there are so many elements that comprise our identity. It’s multidimensional. So historically, when we think about identity, we probably think about the things that were on our DL or passport the kind of information that’s pretty static – name, address, SSN, date of birth – those kinds of things. Once we get online, that identity becomes a little more challenging. We’re not necessarily physically in front of the business that we’re engaging with so the business needs to determine if the person is who we say we are. There’s a famous Far Side comic from years ago where a dog is sitting in front of the computer and he says “On the internet, no one knows you’re a dog.” And that still rings true in that you need to be able to ensure that the customer that’s coming to your business online is a real person and not a bot, is a person with good intent and not a fraudster. You need to look no farther than some of the recent controversies around Twitter and Elon Musk’s on-again, off-again, on-again intent to buy the company. A few months ago he had pulled back because he wanted to know definitively how many users on Twitter are humans versus bots and sometimes determining that can be really hard. And that comes down to managing all these new definitions of identity. DC: That’s very important. The thing is businesses and consumers want to know really what to be able to do. So, what kinds of things is Experian able to offer to help with all of that? KP: We’re in a great position as Experian because we have such a depth and breadth of identity data. We have the analytics horsepower and really touchpoints that are really unique when it comes to thinking about identity. So we’ve been talking about these traditional identity elements and digital, online identity. When you think about it, Experian also really understands your financial identity. So when you bring those things together and a consumer is looking to maybe understand what their financial identity means, their credit score or even how to improve their credit score, Experian’s there. We’ve got a robust direct to consumer business, we’ve got offerings like Boost and Go that help people establish and build their credit. We’ve got marketplaces for cards, insurance, etc. And then when consumers want to open a new account at a financial institution, or a fintech, or a retailer, or even maybe buy some crypto or log into a business, Experian can bring that wealth of capability to help our clients, help businesses, separate those good consumers with good intent from the fraudsters and do that very quickly and efficiently so that consumers can have a great experience and build that trust with who they’re engaging with. DC: Kathleen, that’s really amazing. Alright, now with all of that going on, what is Experian doing now with innovating for the identity space? KP: This is a real passion of mine David and this is where I spend a lot of my time. We’re always looking ahead to see what is the new data, new capabilities that can help us improve that consumer experience and engagement, help clients find the right consumers online to engage and target, and really allow our clients to grow their businesses safely. So, we’re building some products in house, where we’re connecting new pieces that might be new to Experian like linking some of that traditional identity data with particular payment instruments. Is this Kathleen’s credit card? Is this my bank account? When I come and try to do transactions online. But we’re also partnering with new companies. There are a number of startups that are being formed that have been in business looking at new ways to stop fraud and new ways to help identify and authenticate users online. So, as we innovate, we’re building some things in house, we’re partnering, we’re investing in young companies, and sometimes we’re even acquiring. So, bringing together that breadth of data, analytics, really trying to think about what will be the next way that we’ll think about identifying ourselves online is some of the ways we’re innovating. DC: Well, we’re very fortunate to have you and your company here to be able to do that because it’s growing by leaps and bounds. I’m amazed by the number $206 billion which is probably going to go higher, so we’re very fortunate that Experian is around and really identifying this issue and trying to do something now. What do you think our audience will learn about these weekly, critical chats about identity with Experian experts? KP: These are going to be great conversations that we’re going to be able to share and talk about how rapidly things are changing and evolving and how this really relates to our daily lives and the things that are going on in this very dynamic economic climate, digital climate, the way things are changing the way we’re engaging. I think people are also going to learn a lot about Experian’s mission around financial inclusion and opportunity creation. We’re a very mission driven company and we’re the consumer’s bureau, so we want to do this journey in partnership with consumers so that you can take an active part in protecting yourself, understanding what’s going on, helping us fight fraud, but also just really be able to take advantage of all of these new opportunities in a safe way.
Since 2002, lenders have been aware of the importance of Know Your Customer (KYC) and the associated Customer Identification Program (CIP) requirements. As COVID-19 has changed procedures and priorities for businesses and consumers across the board, it’s more important than ever for institutions to ensure their CIP process includes ongoing monitoring of identity risk. What is CIP? Standard KYC programs include a Customer Identification Program to verify and validate identities along with due diligence to assess the risks associated with each identity. CIP defines the process by which a business collects data to establish a reasonable belief that the identity is valid, and that the individual is eligible to participate in our financial system. While this process works in conjunction with other fraud mitigation tactics, they serve different purposes. A good CIP program emphasizes the customer experience, regulatory compliance, cost control, and smart growth. Fraud mitigation focuses on ensuring that an eligible identity is being presented by its true owner, rather than as part of a scheme to acquire goods and services with intent to default on repayment obligations. Businesses who focus on solely on fraud mitigation rather than complying with KYC and CIP regulations run the risk of potential harm to business reputation, and of course, financial penalties. Fenergo found that as of the end of 2019, global penalties for AML and KYC non-compliance totaled $36 billion. CIP vs. Fraud Mitigation Many financial institutions equate a CIP program with efforts to mitigate fraud. It’s understandable, as both processes include emphasis on the accuracy of an identity as it’s presented by a consumer. It is assumed that only the true owner of the identity would possess the detailed information necessary to meet CIP requirements and therefore would not likely be committing fraud. There was a time—prior to large scale thefts of stored information, personal details shared through social media and other behavior changes that made personal information very public—when this would have been true. Unfortunately, those days have passed and even an amateur criminal with limited experience and resources could find current, accurate identity information for sale online, information good enough to pass the CIP test and be considered a legitimate consumer. The real challenge is that when they go through CIP, many real consumers may inadvertently provide true information that doesn’t meet the verification standard. This is a result of consumer lifestyle changes outpacing the sources of data used to verify the information they’ve provided. It makes sense; in most years roughly 13% of American adults change their address. New homes, job changes and changes in marital status impact a large number of people every day. Adding to the confusion—it’s life’s changes that prompt people to borrow and purchase. The result is that many of the people that are more likely to fail CIP verification are the very people trying to legitimately access financial services. The result is that CIP verification often isn’t a challenge for those intending to commit fraud, but it can be for genuine consumers. The challenges of CIP In a recent internal study, Experian reviewed the ability to pass a standard CIP strategy that assessed the accuracy of the name, current address, date of birth and Social Security number provided by a large sample of consumers. We then compared legitimate consumers to those later confirmed to have been identity thieves impersonating a victim. Consistently, the identity thieves were at least as proficient at passing CIP as their true-consumer counterparts. In a second step, we applied a fraud score that looked for identity theft by assessing the past uses of the identities, their consistency, velocity and many other characteristics unrelated to the accuracy of the data. The difference between CIP verification and a fraud risk assessment was striking. Across the entire range of fraud risk, the percentage of records that passed CIP verification remained the same. That said, CIP still plays a very important role in risk mitigation. In fact, CIP and fraud prevention are inextricable in financial services. Just as a CIP verified identity can still be fraud, a record that may appear to be low fraud risk may not pass CIP. Since both processes have existed side by side for nearly two decades, each presumes that the other is in place and both are necessary to detect and prevent fraud. Striking a balance CIP verification and fraud mitigation strategies are both necessary and important to protecting assets and the broader financial system from fraud. It’s important to leverage a layered approach where both eligibility and risk are assessed, and next steps for verification include resolution of identity discrepancies alongside verification that ensures an identity is not being misused for fraud. Experian can help you confidently verify customer identities, understand and anticipate customer activities, and implement ongoing monitoring. If you’d like to set up a review of your current strategy or learn more about how we can help you with CIP and fraud mitigation to strengthen your ability to know your customer compliantly, let us know. Contact us
Experian’s Chris Ryan and Bobbie Paul recently re-joined David Mattei from Aite to discuss how emerging fraud trends and changes in consumer behavior will have long-term impacts on businesses. Chris, Bobbie, and David have combined experience of more than 60 years in the world of fraud prevention. In this discussion, they bring that experience to bear as they review how businesses should revise their long-term fraud strategy in response to COVID-19 and the subsequent economic shifts, including: The requirements to authenticate a digital customer Businesses’ technology challenges Differentiating between first party and third party fraud The importance of businesses’ technology investment How to build a roadmap for the next 90 days and beyond Experian · Make Your Fraud Plan Recession-Ready: Your 90 Day and Beyond Plan
The COVID-19 pandemic and resulting rush to transition to a remote lifestyle made it clear that many businesses need a refreshed digital authentication and fraud prevention strategy that includes an investment in technology and provides consumer assurance. This is particularly important when it comes to identity, as many of the standard in-person verification methods and tools are currently unavailable. The meaning of identity is growing and shifting Technology trends are intersecting with social trends to create heightened awareness, and a whole new public conversation has emerged around customer trust and privacy. Attitudes and ideas are changing—even to the point of what we mean by “identity.” An identity is no longer just a name, date of birth, and SSN. Now, there are digital manifestations everywhere you look: screen names, email addresses, mobile phone numbers, device identifiers, and the other “exhaust” we leave behind as we travel the internet. This leads to concerns about what an identity is, who owns it, and who manages and protects it. Businesses have to be able to prove to their ability to protect their customers’ identities through investment in technology and a robust fraud strategy. Consumer attitudes are changing Several years ago, consumers were excited by all the new digital capabilities and the speed, ease, and convenience they provided. Last year, Experian found that consumers still wanted those things, with 70% willing to provide more information to businesses if there was a perceived benefit. However, they also wanted more security in the balance. In Experian’s most recent Global Identity and Fraud Report, we found that 74% of consumers say that security is the most important factor when deciding to engage with a business. Consumers are particularly more tolerant of friction during the enrollment process—as a means of building trust. But, when they return to the app or website, they want to be recognized. This means achieving a balance by using layered technologies, some of which are active and visible to the consumer, and some of which are invisibly working in the background to confirm the identity of returning consumers. Consumer attitudes vs. regulatory pressure The drivers behind the business changes are twofold: shifting consumer attitudes and regulatory changes. While regulations are becoming stricter on a national and global level, they’re not keeping pace with technology and social change. The digital world is evolving at a rapid pace, opening up more new ways for companies to collect information about consumers and use it to identify and verify, and also to target goods and services. With all of this data available, it’s important for businesses to use the tools in the market to help protect identity information. Next steps in technology The bottom line is, businesses can’t wait for regulations to dictate how best to protect information. Instead, they should be looking to technologies like physical and behavioral biometrics to help provide identity authentication and protection – layering those solutions with information from the user and from third parties to give a holistic consumer view. Businesses should adopt a platform approach for identity and fraud in order to be able to adapt quickly, whether to incorporate new kinds of technology or to prevent emerging types of fraud. By investing in technology now, even in the midst of the COVID-19 pandemic, businesses can build the flexibility needed to respond to future crises and help offset future fraud losses. In turn, those fraud-loss savings can then be used to help grow the business in the future. Learn more about Experian’s commitment to helping businesses maximize their investment in technology to safeguard against fraud. Learn more
This is the next article in our series about how to handle the economic downturn – this time focusing on how to prevent fraud in the new economic environment. We tapped two new experts—Chris Ryan, Market Lead, Fraud and Identity and Tischa Agnessi, Go-to-Market Lead, Decisioning Software—to share their thoughts on how to keep fraud out of your portfolio while continuing to lend. Q: What new fraud trends do you expect during the economic downturn? CR: Perhaps unsurprisingly, we tend to see high volumes of fraud during economic downturn periods. First, we anticipate an uptick in third-party fraud, specifically account takeover or ATO. It’ll be driven by the need for first-time users to be forced online. In particular, the less tech-savvy crowd is vulnerable to phishing attacks, social engineering schemes, using out-of-date software, or landing on a spoofed page. Resources to investigate these types of fraud are already strained as more and more requests come through the top of the funnel to approve new accounts. In fact, according to Javelin Strategy & Research’s 2020 Identity Fraud Study, account takeover fraud and scams will increase at a time when consumers are feeling financial stress from the global health and economic crisis. It is too early to predict how much higher the fraud rates will go; however, criminals become more active during times of economic hardships. We also expect that first party fraud (including synthetic identity fraud) will trend upwards as a result of the deliberate abuse of credit extensions and additional financing options offered by financial services companies. Forced to rely on credit for everyday expenses, some legitimate borrowers may take out loans without any intention of repaying them – which will impact businesses’ bottom lines. Additionally, some individuals may opportunistically look to escape personal credit issues that arise during an economic downturn. The line between behaviors of stressed consumers and fraudsters will blur, making it more difficult to tell who is a criminal and who is an otherwise good consumer that is dealing with financial pressure. Businesses should anticipate an increase in synthetic identity fraud from opportunistic fraudsters looking to take advantage initial financing offers and the cushions offered to consumers as part of the stimulus package. These criminals will use the economic upset as a way to disguise the fact that they’re building up funds before busting out. Q: With payment stress on the rise for consumers, how can lenders manage credit risk and prevent fraud? TA: Businesses wrestle daily with problems created by the coronavirus pandemic and are proactively reaching out to consumers and other businesses with fresh ideas on initial credit relief, and federal credit aid. These efforts are just a start – now is the time to put your recession readiness plan and digital transformation strategies into place and find solutions that will help your organization and your customers beyond immediate needs. The faceless consumer is no longer a fraction of the volume of how organizations interact with their customers, it is now part of the new normal. Businesses need to seek out top-of-line fraud and identity solutions help protect themselves as they are forced to manage higher digital traffic volumes and address the tough questions around: How to identify and authenticate faceless consumers and their devices How to best prevent an overwhelming number of fraud tactics, including first party fraud, account takeover, synthetic identity, bust out, and more. As time passes and the economic crisis evolves, we will all adapt to yet another new normal. Organizations should be data-driven in their approach to this rapidly changing credit crisis and leverage modern technology to identify financially stressed consumers with early-warning indicators, predict future customer behavior, and respond quickly to change as they deliver the best treatment at the right time based on customer-specific activities. Whether it’s preparing portfolio risk assessment, reviewing debt management, collections, and recovery processes, or ramping up your fraud and identity verification services, Experian can help your organization prepare for another new normal. Experian is continuing to monitor the updates around the coronavirus outbreak and its widespread impact on both consumers and businesses. We will continue to share industry-leading insights to help financial institutions differentiate legitimate consumers from fraudsters and protect their business and customers. Learn more About Our Experts [avatar user="ChrisRyan" /] Chris Ryan, Market Lead, Fraud and Identity Chris has over 20 years of experience in fraud prevention and uses this knowledge to identify the most critical fraud issues facing individuals and businesses in North America, and he guides Experian’s application of technology to mitigate fraud risk. [avatar user="tischa.agnessi" /] Tischa Agnessi, Go-to-Market Lead, Decisioning Software Tischa joined Experian in June of 2018 and is responsible for the go to market strategy for North America’s decisioning software solutions. Her responsibilities include delivering compelling propositions that are unique and aligned to markets, market problems, and buyer and user personas. She is also responsible for use cases that span the PowerCurve® software suite as well as application platforms, such as Decisioning as a ServiceSM and Experian®One.
If you’ve seen an uptick in photos of friends and celebrities looking older with wrinkles on your social media feeds, you’re not alone. A new free photo editor has taken the internet by a storm, featuring an AI-powered image-altering application that allows users to see their “future self.” All you have to do is upload a single photo (or few) from your camera roll to be enhanced. While this may seem like harmless fun, the app is now making headlines over increased privacy concerns about what occurs behind the scenes once users submit their selfies. Red flags were raised when multiple alleged negative implications were connected to the app – including the app’s ownership and the potential risk that the app downloaded a user’s entire photo album onto their database. In fact, the privacy concerns also prompted Democratic Party officials to implore federal agencies, including the FBI, “to look into the potential national security and privacy risks the phone app poses to the United States.” Since then, the app’s creators have addressed these concerns, stating most of the photo processing occurs in the cloud and most photos are deleted within 48 hours. Additionally, the only photos uploaded are ones that have been personally submitted by the user. Regardless, a database of user-submitted photos could be seen as a goldmine to fraudsters. In a time where personal and biometric data (including facial recognition) are some of the key ways to validate security, it’s important for consumers to be aware of how and where they’re sharing their data, whether it’s for an age-progression photo app, or their financial accounts. Consumers, businesses, financial institutions – everyone – should exhibit caution and take measures to ensure personal information remains secure and is not being used for nefarious reasons. While consumers may be aware that businesses are collecting data, companies should take steps to form digital trust with transparency. This could be achieved by: Educating consumers on how their data is being used Effectively communicating privacy policies and service terms more concisely Helping consumers feel in control of their information To learn more about research that indicates a shift to advanced authentication methods (including biometrics), fraud trends and how to combat them, download our e-book. Download Now
Whenever someone checks in for a flight, airport security needs to establish their identity. Prior to boarding the plane, passengers are required to show a government-issued ID. Agents check IDs for validity and compare the ID picture to the face of the person standing in front of them. This identity proofing is about making sure that would-be flyers really are who they claim to be. But what about online identity proofing? That’s much more challenging. Online banks certainly want to make sure they know a person’s identity before giving them access to their account. But for other online services, it’s fine to remain anonymous. The amount of risk involved in the engagement directly ties to the amount of verification and assurance needed for the individual. Government agencies care very much about identity. They won’t — and shouldn’t — issue a tax refund, provide a driver’s license or allow someone to sign up for Social Security benefits before they’re certain that the claimant’s identity is verified. Since we increasingly expect the same online user experience from government service providers as from online banks, hotel websites and retailers, this poses a challenge. How do government agencies establish a sufficient level of assurance for an online identity without sending their customers to a government office for face-to-face identity verification? To answer this challenge, the National Institute of Standards and Technology (NIST) has developed Digital Identity Guidelines. In its latest publication, SP 800-63-3, NIST helps government agencies implement their digital services while still mitigating the identity risks that come with online service provision. The ability to safely sign up, transact and interact with a government agency online has many benefits. Applying for something like unemployment insurance online is faster, cheaper and more convenient than using paper and waiting in line at a government field office. And for government agencies themselves, providing online services means that they can improve customer satisfaction levels while reducing their costs and subsequent bureaucracy. CrossCore®, was recently recognized by the independent Kantara Initiative for its conformance with NIST’s Digital Identity Guidelines for Identity Assurance (IAL2). Our document verification solution combines authoritative sources, machine learning and facial recognition technology to identify people accurately using photo-based government identification like a driver’s license or passport. The best part? Users can verify their identity in about 60 seconds, at whatever location they prefer, using their personal smartphone.