What Is Identity Proofing And How Does It Work?

As individuals and businesses become increasingly dependent on online financial transactions, identity fraud has become a costly issue. Without the proper precautions, it’s all too easy to hack into personal accounts and websites, allowing cyberthieves to steal billions of dollars in assets each year.

That’s why identity proofing has become so important in fraud prevention efforts.

Identity verification requires multiple authentication methods. Ideally, identity proofing should begin during user onboarding, and the process should continue throughout the customer relationship to reduce instances of fraud. Simply put, identity proofing is essential to the financial industry.

What Does Identity Proofing Mean?

Identity proofing includes methods of determining claimed identity versus actual identity, since hackers can gain basic account information and claim to be a legitimate account user. Without more complex verification measures, they can easily gain access to sensitive personal and business information.

These digital identity verification procedures range from self-reported information like address and Social Security numbers to more sophisticated processes, such as biometric verification, which includes fingerprint and facial recognition.

Many organizations have moved past self-reported customer identity information to techniques such as biometrics due to major data breaches that have exposed sensitive information of users across the globe. Identity proofing adds an additional layer to verification.

Types Of Identity Proofing

The main types of identity proofing include the following:

Knowledge-based Authentication

This type of authentication is based on a user’s personal knowledge. It largely depends on the creation of security questions. Some common questions include your maternal grandfather’s name, the make and model of your first car and the name of your elementary school.
Theoretically, this information is not known by many outside of your closest family and friends. However, some hackers have developed ways to access it.

Identity Document Verification

Using your unique ID information is another way to verify your online identity. Most commonly, ID verification involves providing your driver’s license or state ID. Some institutions with your Social Security number already on file may ask for the last four digits of your number.

Biometric Verification

Biometric verification is a more secure way to authenticate your identity. These methods include fingerprints, facial recognition and iris authentication, and they require the user’s physical presence to unlock their accounts.

Some organizations use a biometric selfie as another way to verify identity and prove the user is not an imposter or a bot.

Out-of-Band Proofing

Out-of-band proofing is a verification method that requires more than one way to prove identity. It’s a form of two-factor authentication, which means the user must enter their username and password, then input a code they receive via email or SMS.

A cyberthief would need to access two separate forms of communication to hack your account.

Identity Proofing Process: How Does Identity Proofing Work?

The identity proofing process involves multiple steps to better protect user identity.

Data Collection

First, the organization must collect your data. They do this through an identity and access management system (IAM) that begins during your account enrollment and adapts during the life of your account. An IAM includes a database of users’ identities and various access privileges. Many people can access only their own account, while management members can access multiple accounts.

The IAM also contains features that monitor and modify access privileges, sometimes deleting them entirely. It can also audit a user’s login and access history. In general, an organization’s IT department manages the IAM.

Data Validation

When financial institutions seek to validate your company’s data, they first check if your organization is real. This includes verifying documents, credit history and (in the U.S.) your employer identification number (EIN). A clear and positive online presence with reviews by consumer protection agencies is another helpful sign that your company is legitimate.

Any company with only a superficial online presence or paper trail is more likely to be fraudulent.

Customer Identity Verification

The process for customer identity verification can differ depending on the institution. Naturally, financial institutions are more careful during this process, since mistakes can cost millions of dollars and potentially implicate them in criminal activity, such as money laundering.

After proving you and your company are legitimate, financial institutions verify your authority to make company decisions. For instance, banks require corporate accounts to include a list of authorized signers and to provide signature cards for them.

Online users of financial accounts must provide multiple layers of ID authentication, including usernames, account numbers, passwords and multi-factor authentication (MFA). They may also expect proof that you’re a human (rather than a bot) when logging in, which may be as simple as identifying pictures with a traffic light or other object.

Continued Authentication

The customer’s identity authentication process does not remain stagnant during the time you are an account holder. They may require you to frequently change your password, verify your phone numbers and email and change your security questions. Password requirements may also become more elaborate, preventing you from choosing an easy-to-guess version.

Periodically, financial institutions require multi-factor authentication, even if you’ve opted out on a particular device. That means entering a security code sent via SMS or email, as well as your username and password.

Occasionally, you’ll also be asked to verify your name, address, and phone number to make certain nothing has changed. In addition, if the organization’s system detects potentially suspicious activity, perhaps due to entering the wrong password too many times, you may be asked to re-register your account.

Data-Centric Vs. Biometric Identity Proofing Approaches

While organizations certainly need to continue with a data-centric identity proofing approach, particularly during onboarding, biometric identity proofing adds a more sophisticated level of security.

The minimum requirements to maintain KYC (Know Your Customer) and AML (Anti-Money Laundering) compliance include self-reported data such as name, birthdate, address and phone number during the onboarding process. This information is then checked against various data sources including bank records, credit bureaus and other organizational information to prove identity. This process proves that such a person or company exists, but it does not always prove that the applicant is not an imposter.

In contrast, ID-centric, biometric approaches require the user to send current photos of themselves and their ID documents. And with advanced solutions, liveness detection ensures the person submitting the ID is physically present. A smartphone and an internet connection are all it takes for identity verification. Non-legit applicants typically abandon the process when asked to provide these authentication forms.

Fraudsters can far more easily gain data-centric information from their targets than replicate biometric data. The person must be present to send the requested information, so hackers usually can’t proceed. Plus, most cyberthieves go for low-hanging fruit — accounts with poor security that require minimal time to access.

Some users may balk at biometric measures because they can take several seconds to process, or they don’t like the idea of submitting this type of data. However, financial institutions must be more vigilant than other organizations simply because the risk of fraud is too great. For instance, in 2020 alone, the FTC received 2.2 million fraud reports from consumers.

Plus, since the pandemic began, fraudster threats against businesses have risen dramatically. Increased security is the only way to protect consumers and businesses against cybercriminals, particularly in the financial sector. User experience is important, but cybersecurity is vital. Fortunately, you can find programs that protect both.

What Can Happen without Proper Identity Proofing

The consequences of lax identity proofing measures are grave. They include:

  • Money laundering: This process moves ill-gotten gains through financial organizations and cash businesses to make them seem legitimate.
  • Loss of customer trust: Once your organization is hacked and consumer identity information leaked, you lose consumer trust. Your business may even fail if the breach is large enough.
  • AML compliance fines: If your organization is not compliant with AML standards of ID protection, it will face stiff fines. These penalties are often in the millions of dollars. In 2020, regulators hit companies with $2.2 billion in fines.
  • Damaged reputation: Once a company is breached, it becomes front-page news, and its reputation takes a big loss in confidence.

Biometric Identity Proofing Without Compromising User Experience

Jumio offers an advanced identity proofing solution that does not compromise user experience. Since identity theft and account takeover have soared in recent years, your company needs help authenticating online identities. Fortunately, Jumio’s KYX Platform leverages biometrics to make eKYC and identity proofing simple and accurate.

Jumio harnesses the power of AI and other ground-breaking technologies to verify new users and existing customers. We can help you stay in compliance with AML and KYC regulations with our ID proofing services. Contact us now for more information.

email

Get the latest updates from the Identity and Beyond blog, delivered to your inbox.

    Yes, I would like to receive periodic updates from the Jumio blog as well as marketing communications regarding Jumio products, services, and events. I can unsubscribe at any time.

    Jumio values your privacy. To learn more, visit our Privacy Statement.