Developing robust identity and verification (IDV) checks: how fraudsters are taking advantage of existing technology
This piece was published in UK Finance
The duty to know customers is not only a regulatory requirement but a key step in ensuring we continue to build a secure and resilient world. Getting the identification of customers right is a crucial step in this process.
However, vulnerabilities have been exposed in identity and verification(IDV) solutions, with inherent technological weaknesses or data/processing limitations including:
- Document manipulation: the ability to identify manipulated and forged identity documentation.
- Copy recognition: the ability to detect copy submissions, such as photocopies and deep-fake videos.
- Incompatible data: the ability to identify when a customer presents ‘mismatched’ data – for example, using a passport of an individual with similar facial characteristics.
So why are some IDV solutions falling short?
Advances in technology and sophisticated fraud techniques mean that previously embedded IDV solutions are often out of date and require further development to mitigate against today’s financial crime and fraud challenges. For example, the ability to create a fraudulent identity is becoming increasingly easier and is now readily accessible.
This can be done with free photo applications being capable of producing high levels of digital manipulation. This opens up the potential for lower-level criminals to commit fraud, while strengthening the attacks of professional criminal networks.
Many solutions developed at the start of the digital financial crime journey have failed to keep up with advancements by criminal counterparts. From our experience, some solutions show weaknesses in their ability to adequately detect fraudulent documentation and impersonation attempts. The root cause for this is an inability to recognise manipulated fonts and a lack of depth perception awareness.
These vulnerabilities can present significant risk to financial services institutions where the regulatory obligations remain. It’s important for firms to be aware, in order to mitigate these risks ensuring their service provider’s underlying attributes and capabilities remain up-to-date and relevant.
How do firms consider overcoming these challenges?
The IDV landscape is continually evolving. Selecting the right provider, together with ensuring a successful deployment of a tailored IDV solution, is not a one-time event. There are three areas firms should consider:
- Vulnerabilities within current processes: a firm’s Customer Due Diligence (CDD) processes should be continually reviewed and monitored. Testing should be carried out to identify vulnerabilities against new fraud techniques such as the use of deep-fake technology. By understanding gaps in current processes, firms can identify the right IDV solutions for their specific needs.
- Penetration-testing of IDV solutions: solution providers should be regularly penetration-tested (pen-tested), considering both technological advances and behavioural changes in criminals. For example, the introduction of new passport styles to incorporate near field chip (NFC) technology or the move towards white collar crime during Covid-19 which saw an increased number of fraudulent loan and grant applications.
- Use of behavioural biometrics: by building in behavioural analysis to the process, firms can go one step further in verifying identity. They can utilise technology to identify suspicious patterns of behaviour and creating a profile of the user’s true identity. With specialist IDV vendors providing sophisticated behavioural analysis, the opportunity to add additional controls to the know-your-customer (KYC) processes is key.
What is the wider impact of IDV?
Card ID theft remains a key concern in the fight against fraud, with UK Finance latest Fraud report showing application fraud totalling £10.9 million in 2021. While there is a need to continually educate the public in protecting themselves against identity fraud, the onus remains on financial services firms to build robust controls and processes to deter against and catch suspicious activity.
Inadequate identity verification not only impacts financial services firms who have a regulatory requirement to properly identify their customers, but adversely affects the wider population and community. This is by opening vulnerable people up to increased risk of fraud.
The growth of the metaverse and the introduction of the UK Digital Identity and Attributes Trust Framework and regulations such as the Online Safety Bill means that IDV and the use of biometrics is becoming an increasingly important conversation.
The June 2022 Ryder Review, an independent legal review into the governance of biometric data, highlighted that in light of increased use of biometric data, new laws will be required to enforce proper data governance. This will ensure that companies are using it safely and legally.
As the digital world continues to evolve, and as technological advancements offer both opportunities and challenges, financial services firms need to ensure that they remain on top of IDV. Firms must continually review and improve identity verification controls to make sure that they are robust and futureproof in the fight against financial crime – protecting both the security and safety of the firm and the wider global community.