In 2022, an average Internet user spent 403 minutes online each day.
The average person is expected to spend a quarter of their life connected to the Internet, and 31% of American adults revealed that they are constantly online. Statista estimates that global e-commerce sales will reach $58.74 trillion by 2028. This connectivity impacts our daily habits, from how we communicate, do business, bank, and shop to how we monitor our health.
Criminals and malicious actors are exploiting this digital transformation, and the rates of cyber crimes reached unparalleled heights in 2022, threatening public safety and economic security.
As our lives become more undeniably digital, adopting cutting-edge KYC (know your customer) compliance practices is essential for those who conduct business online.
What is KYC?
KYC, or “Know Your Customer,” is a process used by financial institutions and other regulated companies to verify the identity of their clients.
You may already be familiar with some common KYC practices:
- Government-issued ID (such as passports or driver’s licenses)
- Utility bill or bank statement to verify the address
- Selfie or photo ID verification
- Social Security number or tax identification number
- Credit report or background check
- Biometric verification (such as fingerprints or facial recognition)
- Phone or email verification
- Signature verification
- Address verification
- Employment verification
- Sources of funds or wealth verification
ID verification is a process of verifying the identity of an individual through the use of official identification documents such as a passport, driver’s license, or national ID card.
This process is typically used by businesses, financial institutions, and government agencies to ensure that an individual is who they claim to be and to prevent fraud or identity theft. ID verification is important because it helps to establish trust and security in transactions between individuals or businesses. For example, when opening a bank account or applying for a loan, the financial institution will require ID verification to ensure that the individual is not using someone else’s identity to obtain financial services.
ID verification can also be important in preventing illegal activities such as money laundering, terrorist financing, or human trafficking. By verifying the identity of individuals involved in these activities, law enforcement agencies can track down and prosecute criminals.
Overall, ID verification is a crucial tool in ensuring safety, security, and trust in our daily transactions and interactions with others.
Companies may need age verification for a number of reasons, including:
1. Legal compliance
Certain products or services may be restricted by law to people of a certain age, such as tobacco, alcohol, gambling, or firearms. Age verification helps companies ensure that they are not selling restricted products or services to minors.
2. Protecting minors
Age verification can help prevent minors from accessing content or services that may not be suitable for their age, such as online gambling, violent video games, or adult websites.
3. Preventing fraud
Age verification can help prevent fraudulent activity by ensuring that people are who they claim to be. For example, someone who is underage might try to use a fake ID to buy restricted products or services, but age verification can help prevent such activities.
4. Marketing purposes
Companies may use age verification to target their marketing efforts better. For example, they may use the information collected during age verification to send advertisements for age-appropriate products and services.
Overall, age verification is important for companies because it helps them comply with the law, protect minors, prevent fraud, and improve their marketing efforts.
How Identomat verifies someone’s age
As rates of fraud significantly rise, age-restricted companies and industries need to do all that they can to ensure that they are well-protected from bad actors.
Our software uses machine vision and artificial intelligence and relies heavily on extensive document libraries to authenticate an individual’s ID. The software extracts the image and the date of birth from the scanned government-issued ID, analyzes and compares them to the information stored within official databases, and processes the data collected during the liveness check as well.
This is a crucial fraud prevention method for age-gated businesses at risk of being defrauded, and Identomat’s solution aids these businesses by following complex compliance checks and required industry regulations.
Liveness Check: What is it and why do we need it?
Liveness detection is the process of determining whether a person presenting a biometric sample (such as a face or fingerprint) is actually present and alive, as opposed to a criminal attempting to use a static image or a recording.
There are two main types of liveness detection: active and passive.
Active liveness detection involves asking the person to perform a specific action, such as blinking, moving their head, or speaking. The idea is that a live person will be able to perform this action, whereas a static image or recording will not. Active liveness detection is considered more secure, but it may also be more intrusive and can cause more user friction.
Passive liveness detection, on the other hand, does not require the person to perform any specific actions. Instead, it relies on analyzing various properties of the biometric sample, such as lighting, texture, and motion. Passive liveness detection is considered less secure than active liveness detection, as it may be more easily fooled by sophisticated spoofing attempts. However, it is also less intrusive and can be less frustrating for the user.
Both active and passive liveness detection can be used alone or in combination to increase security.
Face templates rely on data corresponding to an image or images of an individual’s face that is unique to that face, for use in a face recognition system.
Face Match is a process where a person’s identity is verified through the use of facial recognition technology. During the process, a photograph or video of the person’s face is compared to a reference image, such as a passport photo, to confirm that the person is who they claim to be.
Face match KYC can be used to verify the identity of a person in a variety of situations, such as when opening a bank account, applying for a loan, or purchasing a product or service online. Our face match feature can be customized, so you can integrate the software any way you need and have the choice to deploy it anywhere you’d like.
Address verification vs Address validation
By capturing a digital image of an address at the point of entry, your business can avoid the issue of poor or invalid data collection.
By checking against an authoritative directory, like USPS, address validation ensures that a postal address exists and that mail can indeed be delivered there, while address verification analyzes, compares, and enhances address data.
This tool will compare the records of your clients (or prospective ones) against a global reference database.
Address verification is important for businesses for a variety of reasons, including:
1. Ensuring accurate delivery
Accurate address verification is essential to ensure that mail and packages are delivered to the correct address. When addresses are not verified, delivery errors can occur, leading to delays, missed deadlines, and increased costs.
2. Reducing fraud
Address verification can help prevent fraud by confirming that the address provided by a customer or client is legitimate. This can help to prevent identity theft, credit card fraud, and other types of fraudulent activities.
3. Complying with regulations
Some industries are required by law to verify the addresses of their customers, such as financial institutions, insurance companies, and health care providers. Failure to comply with these regulations can result in fines and other legal consequences.
4. Improving customer service
By verifying addresses, businesses can ensure that their customers receive the products and services they need in a timely, efficient manner. This can help to improve customer satisfaction and loyalty.
Identomat’s Proof of Address (PoA) or Proof of Residence (PoR) solution aims for accuracy: to catch fraud attempts without blocking real, but challenging, matches. Our module allows you to automatically capture and validate your customers’ addresses by having them upload their bank statements or utility bills; our system then checks the documents for forgery and compares the address to the customer’s IP location.
Overall, address verification is a critical component of many business processes and can help to ensure accurate, efficient, and secure transactions.
Phone verification is a process used to confirm that a phone number belongs to a real person or organization. It is often used as a security measure to prevent fraud or abuse, or as a way to verify the identity of a person who is attempting to sign up for a service or access a system.
There are several different methods that can be used for phone verification, including:
1. SMS verification
This involves sending a code via text message to the phone number in question, and asking the user to enter the code to confirm their identity.
2. Voice call verification
This involves making a phone call to the phone number in question and asking the user to press a specific key or speak a code word in order to confirm their identity.
What does it mean to be video verified?
To be video verified typically means that a person’s identity has been confirmed through a video verification process.
This process usually involves the person submitting a video of themselves while holding up official forms or identification, such as a driver’s license or passport, and answering some questions or performing specific actions to prove that they are the person depicted in the ID.
Video verification is often used by companies and organizations to confirm the identity of their customers or users, particularly in situations where security and privacy are important, such as when creating a new account or when making high-value transactions.
Video verification can be more secure than other forms of verification, as it allows the verifier to confirm that the person is who they claim to be in real time, rather than relying on static photos or documents that can be easily forged or stolen.
What data is provided in video verification?
For some industries and businesses, the authentication process will require clients to engage in video chat.
This video chat will be with either a compliance officer or a company representative. First, the agent will ask the individual to hold their ID up toward the camera, which the interface will capture automatically. Then the agent will ask different questions while AI works to verify the image and data provided. Meanwhile, the interview and the session are fully video recorded and finally stored in the company’s system.
2FA, MFA, and Biometric authentication
For most, trying to remember a password at a moment’s whim is tiresome and impracticable. 2FA (2 Factor Authentication), MFA (Multi-factor Authentication), and biometric authentications are practices that offer convenience for your customers and employees while increasing security measures to protect their sensitive information. These protocols are established to protect a user’s password as well as the resources that they can access.
Two-factor authentication (2FA) is a security process that requires users to provide two different authentication factors to gain access to a system or an account.
The first factor is usually something the user knows, such as a password, PIN, or security question. The second factor is something the user has, such as a physical token, smart card, or mobile device that can receive a one-time password (OTP). The idea behind 2FA is that even if an attacker manages to obtain the user’s password or other first-factor information, they would still need to possess the second factor to gain access.
There are several different types of 2FA, including SMS-based codes, mobile apps, hardware tokens, and biometric authentication. Each method has its own strengths and weaknesses, and organizations should carefully consider their specific needs and risks when selecting a 2FA solution.
Multi-factor authentication (MFA) is a security process that requires users to provide more than two authentication factors to gain access to a system or an account and introduces a biometric component.
The different factors of authentication include:
1. Something the user knows, such as a password, PIN, or security question.
2. Something the user has, such as a physical token, smart card, or mobile device that can receive a one-time password (OTP).
3. Something the user is, such as biometric authentication, like fingerprint or facial recognition.
These layers make it much more difficult for an attacker to gain unauthorized access to a user’s account or system, as they would need to have access to multiple authentication factors.
MFA provides an additional layer of security compared to traditional single-factor authentication methods, such as using only a password.
Implementing MFA requires careful planning and consideration of the specific risks and needs of an organization. It may involve selecting and integrating different authentication factors, as well as designing appropriate policies and procedures to manage the authentication process. Protecting sensitive data, such as financial or personal information, is often required by industry regulations or compliance standards.
To shield your company with the highest level of security, combine traditional multi-factor authentication with biometric liveness detection.
Biometric authentication refers to the process of using unique physical or behavioral characteristics of an individual to verify their identity. These characteristics can include things like fingerprints, facial features, iris/retina patterns, voice, and even DNA.
The process of biometric authentication involves capturing the biometric data of an individual, which is then compared to a pre-existing record of that individual’s biometric information stored in a database.
If the captured data matches the stored data, the individual is granted access or verified. The use of biometric authentication has become increasingly popular in recent years due to its convenience and security. It eliminates the need for users to remember passwords or carry around physical tokens, and it can be more difficult for someone to fake or steal biometric information compared to traditional forms of authentication.
However, there are also valid concerns around the privacy and security of biometric data, as it is highly personal and can be used for malicious purposes if it falls into the wrong hands.
Therefore, it is important for organizations implementing biometric authentication to ensure proper security measures including data encryption, decentralized storage, and confidential computing are in place to protect the biometric data of their users.
Watch our biometric authentication in action
Identomat demoed its Biometric MFA solution at FinovateSpring in May 2022. The video recording of the on-stage demo can be viewed here.
The demo showcased a solution for a self-service secure password recovery use case. This particular implementation first creates a person’s biometric profile by extracting PII (personally identifiable information) data points from an individual’s government-issued ID and biometric information from their liveness check session.
Identomat’s identity-proofing software will then compare the picture on the photo ID to the person’s selfie extracted from the liveness video and determine if it’s a good match or not. If approved, their user profile with their biometric pattern is successfully created.
If the individual ever needs to reset their password, they receive an email with a link to self-reset the password. However, the password reset dialog is not available until the individual passes the liveness check, during which the biometric pattern is compared with the saved one. If it is a precise match, the user can continue the password reset process, but if it is assessed to be a poor match, the user is denied and redirected to the alternative methods.
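The reset flow described above only holds if the gate is enforced on the server and bound to the emailed token, not just hidden in the UI. The following sketch is an added example, not Identomat's code: the class and method names are hypothetical, the face embeddings are constructed vectors standing in for the output of a real face-recognition model, and the 0.80 threshold and 15-minute token lifetime are assumptions.

```python
import hashlib
import hmac
import math
import secrets
import time

MATCH_THRESHOLD = 0.80    # assumed cut-off; tune against your own false-accept data
TOKEN_TTL_SECONDS = 900   # assumed lifetime of the e-mailed reset link


def cosine_similarity(a, b):
    """Similarity of two face embeddings (stand-in for a real face matcher)."""
    dot = sum(x * y for x, y in zip(a, b))
    norm = math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b))
    return dot / norm if norm else 0.0


class BiometricResetService:
    """Server-side state for a password reset that stays locked until liveness passes."""

    def __init__(self, clock=time.time):
        self._clock = clock
        self._templates = {}  # user -> enrolled face embedding
        self._passwords = {}  # user -> (salt, PBKDF2 digest)
        self._resets = {}     # sha256(token) -> {"user", "expires", "unlocked"}

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def _lookup(self, token):
        """Return the pending reset for this token, or None if unknown or expired."""
        entry = self._resets.get(self._digest(token))
        if entry is not None and self._clock() > entry["expires"]:
            self._resets.pop(self._digest(token), None)
            return None
        return entry

    def enroll(self, user, id_photo_vec, selfie_vec):
        """Create the biometric profile only if the ID photo matches the live selfie."""
        if cosine_similarity(id_photo_vec, selfie_vec) < MATCH_THRESHOLD:
            return False
        self._templates[user] = list(selfie_vec)
        return True

    def issue_reset_token(self, user):
        """Token that would be e-mailed as a link; only its hash is kept server-side."""
        token = secrets.token_urlsafe(32)
        self._resets[self._digest(token)] = {
            "user": user,
            "expires": self._clock() + TOKEN_TTL_SECONDS,
            "unlocked": False,
        }
        return token

    def submit_liveness(self, token, is_live, probe_vec):
        """Return 'unlocked', or 'fallback' when the user must use another method."""
        entry = self._lookup(token)
        if entry is None:
            return "fallback"
        template = self._templates.get(entry["user"])
        if (not is_live or template is None
                or cosine_similarity(template, probe_vec) < MATCH_THRESHOLD):
            # Poor match: deny and burn the token so the link cannot be retried.
            self._resets.pop(self._digest(token), None)
            return "fallback"
        entry["unlocked"] = True
        return "unlocked"

    def set_password(self, token, new_password):
        """Refuses unless this exact token has already passed the liveness gate."""
        entry = self._lookup(token)
        if entry is None or not entry["unlocked"]:
            return False
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 600_000)
        self._passwords[entry["user"]] = (salt, digest)
        self._resets.pop(self._digest(token), None)  # single use
        return True

    def check_password(self, user, password):
        """Constant-time comparison against the stored PBKDF2 digest."""
        if user not in self._passwords:
            return False
        salt, digest = self._passwords[user]
        candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 600_000)
        return hmac.compare_digest(candidate, digest)
```

Calling `set_password` with a token that has not passed `submit_liveness` returns `False`, which is the property to test for when reviewing a flow like this.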
Identomat strikes the delicate balance between convenience and privacy.
KYC and Crypto
Cryptocurrency is a digital or virtual form of currency that operates independently.
It is based on blockchain technology that enables secure, transparent, and immutable transactions. Like traditional forms of currency, crypto can be exchanged and used for online purchases, but is not issued nor regulated by governments. KYC in crypto refers to the process of verifying the identity of individuals or organizations that use cryptocurrency.
It is a legal obligation in most jurisdictions and its purpose is to prevent money laundering and financial crimes, especially within countries with strict AML laws. Due to these strict regulations, most providers will not allow customers to conduct crypto-related transactions (buying, trading, withdrawing) without passing KYC verification.
The Global AML/CFT Compliance Rule (GACR) has a set of recommendations that includes criteria such as KYC and anti-money laundering (AML) requirements for cryptocurrency businesses, as crypto remains attractive for money laundering.
Lack of compliance with KYC regulations can result in account suspension or closure, and the crypto service provider will incur legal fines and penalties.
KYC Procedures in Cryptocurrency
Although procedures vary by service provider and by the jurisdiction where the provider operates, some common procedures include:
1. Account registration
A user creates an account with the crypto service provider and provides a name, email address, and password.
2. ID verification
The user submits a government-issued ID (passport, driver’s license) and possibly a live selfie.
– Government ID and user’s selfie are compared for a similarity score
– Passive/active liveness checks can be conducted for increased security measures
3. Address verification
The user provides proof of their address (e.g. bank statement, utility bill) for verification.
4. Additional documentation
Users can be required to submit further documentation (e.g. bank statement, tax ID number) depending on the provider for additional risk scoring.
5. Background check
The user’s background will be checked through sanctions, PEP lists, global watch lists, and possibly media sources.
6. Account approval
The user’s risk score is generated from all measures above and they become approved or denied for account activation.
Major regulations for crypto
Financial Action Task Force (FATF)
Financial Action Task Force (FATF) recommends all service providers implement risk-based AML (Anti-Money Laundering) and CFT (Combating the Financing of Terrorism) measures, including KYC.
The Bank Secrecy Act (BSA)
The Bank Secrecy Act (BSA) is a US law that requires financial institutions, including cryptocurrency service providers, to comply with AML and KYC regulations. It also requires providers to file Suspicious Activity Reports (SARs) for transactions that appear to be unusual.
The Financial Crimes Enforcement Network (FinCEN)
The Financial Crimes Enforcement Network (FinCEN) states that crypto exchanges are defined as money service businesses (MSBs) under federal regulations. Accepting and transmitting anything of value (including both real and virtual currencies) makes a person a money transmitter, and they must comply with BSA regulations.
The Fifth Anti-Money Laundering Directive (5AMLD)
5AMLD is an EU law that requires cryptocurrency service providers to conduct customer due diligence, including KYC procedures. Additionally, it requires them to register with national authorities and report suspicious transactions.
The Japan Virtual Currency Exchange Association (JVCEA)
The Japan Virtual Currency Exchange Association (JVCEA) is a self-regulatory organization in Japan that sets standards for cryptocurrency service providers. Its guidelines require service providers to implement risk-based AML/CFT measures, including KYC procedures.
Customer due diligence (CDD)
After establishing a customer’s identity, the next goal for enhanced verification is to detect risk. The collected identity gets cross-checked with online databases, news sources, politically exposed person lists (PEPs), government records, watch lists, and sanctions to assess the risk of money laundering and terrorist financing.
According to the U.S. Treasury’s Financial Crimes Enforcement Network, the four core requirements of customer due diligence in the U.S. are:
1. Identifying and verifying the customer’s identity
2. Identifying and verifying the identity of beneficial owners with a stake of 25% or more in a company opening an account
3. Understanding the nature and purpose of customer relationships to develop customer risk profiles
4. Conducting ongoing monitoring to identify and report suspicious transactions and update customer information
Enhanced Due Diligence (EDD)
Regulations often require conducting enhanced due diligence (EDD) by collecting more comprehensive information from prospective customers.
More and more companies are searching for functionality in managing this information. Identomat has a built-in custom questionnaire builder to deploy such data collection forms to end-users via web and/or mobile UI as part of the same process as the identity verification steps or as a standalone step.
Some common questions in KYC questionnaires include:
- What is your full name?
- What is your date of birth?
- What is your occupation?
- What is your residential address?
- What is your nationality?
- What is your contact information (phone number and email)?
- What is your source of income?
- What is your net worth?
- What is the purpose of your account?
- What is your expected account activity?
- Are you a politically exposed person (PEP)?
- Are you a resident for tax purposes in any other country?
- Do you have an existing relationship with other financial investigators?
- Have you ever been convicted of a crime or engaged in illegal activities?
- Do you have any known association with individuals or entities involved in criminal or terrorist activities?
Traditionally, a customer would communicate with human agents while conducting EDD, but Identomat’s solution works effectively on both web and mobile devices and allows self-service data entry and automatic capture.
What is AML?
For some industries, regulation isn’t a mere suggestion; it is a requirement. Enhanced due diligence (EDD) helps companies comply with laws and regulations designed to prevent money laundering and other financial crimes, ensuring that the institution knows the true identity of its clients and the nature of their financial dealings. Firms need to take additional steps in their screening process to confirm that an applicant isn’t recorded on any government sanctions lists, politically exposed person (PEP) lists, or any known terrorism lists.
Money laundering is a crime that involves the process of converting illicit money into legal status.
It’s a severe offense that can affect law enforcement and the economy.
The process begins with criminals taking their ill-gotten gains and turning them into something they can use legally. This could be used to buy property, stocks, or other securities (such as mutual funds) or to launder large amounts of cash through legitimate business transactions.
Money launderers also use front companies to launder money through legitimate business transactions. For example, criminals may invest in real estate using shell companies as fronts for their criminal activities. They then sell these properties at a profit and use the proceeds to purchase other real estate or other assets for laundering purposes. All these actions are called Financing of Terrorism or Money Laundering.
1. Denied Persons List
A list of individuals and entities that have been denied export privileges.
2. The Entity List
Identifies foreign parties that are prohibited from receiving some or all items subject to the Export Administration Regulations (EAR) unless the exporter secures a license. These parties present a greater risk of diversion to weapons of mass destruction (WMD) programs, terrorism, or other activities contrary to U.S. national security and/or foreign policy interests.
3. Unverified List
A list of parties that the Bureau of Industry and Security (BIS) has been unable to verify. No license exceptions may be used for exports, reexports, or transfers (in-country) to Unverified parties.
4. Military End User List
Identifies foreign parties that are prohibited from receiving items unless the exporter secures a license. These parties have been determined by the U.S. Government to be ‘military end users,’ of the EAR, and represent an unacceptable risk of use in or diversion to a ‘military end use’ or ‘military end user’ in China, Russia, or Venezuela.
5. The Consolidated Screening List
The Consolidated Screening List (CSL) is a list of parties for which the United States Government maintains restrictions on certain exports, reexports, or transfers of items. If a company, entity, or person on the list appears to match a party potentially involved in your export transaction, additional due diligence should be conducted before proceeding.
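Screening a customer against lists like these means catching names that only "appear to match": different word order, diacritics, punctuation, or a dropped middle initial. The sketch below is an added example, not Identomat's code or any official screening tool: the watchlist entries are constructed, the function names are hypothetical, and the 0.85 review threshold is an assumption.

```python
import string
import unicodedata
from difflib import SequenceMatcher

REVIEW_THRESHOLD = 0.85  # assumed; lower it to trade more manual review for fewer misses

# Constructed entries for illustration; real lists are loaded from the publishing agency.
WATCHLIST = [
    {"list": "sanctions", "name": "Jöhn Q. Sample"},
    {"list": "PEP", "name": "Maria Exempel"},
    {"list": "CSL", "name": "Acme Shell Trading LLC"},
]

_PUNCT_TO_SPACE = str.maketrans(string.punctuation, " " * len(string.punctuation))


def normalize(name):
    """Fold case, strip diacritics and punctuation, and sort tokens so that
    'SAMPLE, John Q' and 'Jöhn Q. Sample' normalize to the same string."""
    decomposed = unicodedata.normalize("NFKD", name)
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    cleaned = no_marks.lower().translate(_PUNCT_TO_SPACE)
    return " ".join(sorted(cleaned.split()))


def screen(customer_name, watchlist=WATCHLIST, threshold=REVIEW_THRESHOLD):
    """Return watchlist entries whose normalized name is similar enough to review."""
    query = normalize(customer_name)
    if not query:
        raise ValueError("customer name is empty after normalization")
    hits = []
    for entry in watchlist:
        candidate = normalize(entry["name"])
        score = SequenceMatcher(None, query, candidate).ratio()
        if score >= threshold:
            hits.append({
                "list": entry["list"],
                "name": entry["name"],
                "score": round(score, 3),
                "exact": query == candidate,
            })
    return sorted(hits, key=lambda h: h["score"], reverse=True)


def decide(customer_name):
    """A possible match is never auto-rejected; it is routed to a human reviewer."""
    return "additional_due_diligence" if screen(customer_name) else "proceed"
```

A hit is a reason for review rather than proof of identity, so the function returns the score and list name for the analyst instead of a verdict.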
A quick history of AML
The Patriot Act — Oct 26, 2001
In light of the terrorist attack that took place on September 11, 2001, the American Congress passed The Patriot Act.
Act III of the legislation, entitled the ‘International Money Laundering Abatement and Anti-Terrorist Financing Act of 2001’ detailed the intent, “To deter and punish terrorist acts in the United States and around the world, to enhance law enforcement investigatory tools, and for other purposes.”
(The U.S. National Archives)
Section 314 encourages the sharing of information between law enforcement, regulators, and financial institutions.
(Courtesy of Dow Jones)
Section 314(b) allows financial institutions, having notified the U.S. Department of the Treasury, to distribute information to other institutions to assist in the identification and reporting of suspected money laundering and terrorist activity to the government.
(Courtesy of Dow Jones)
Section 3111 grants the Secretary of the Treasury the authority to target specific money laundering and terrorist financing risks upon finding that reasonable grounds exist for concluding that a foreign jurisdiction, institution, class of transaction, or type of account is of “primary money laundering concern.” In practice, this can mean a country or foreign bank can lose its correspondent banking privileges if found to be of “primary money laundering concern.”
(Courtesy of Dow Jones)
Section 326 establishes a set of minimum standards for financial institutions, including verification of the identity of those seeking to open an account, the maintenance of records used to verify an individual’s identity, including their name, address, and other relevant data, and the consultation of lists of known or suspected terrorists or terrorist organizations.
(Courtesy of Dow Jones)
Section 351 makes amendments to the reporting of suspicious activities, including the expansion of immunity from liability for reporting suspicious activities. It also expands the prohibition regarding the notification of those subject to a Suspicious Activity Report (SAR) filing.
(Courtesy of Dow Jones)
Section 352 instructs financial institutions to create anti-money laundering programs and details the minimum requirements, including the creation of internal policies, procedures, and controls, the designation of a compliance officer, a recurring employee training program, and the existence of an independent audit department to test the program’s performance.
(Courtesy of Dow Jones)
The objective of KYC and AML procedures
The purpose of KYC is to verify the identity of individuals and organizations who use financial services to identify and mitigate potential risks.
It helps financial institutions establish users’ identities and ensure that they do not impose any risk regarding financial crimes, money laundering, and fraud. KYC helps build trust and credibility for different organizations and ensures that their platforms are safe and trustworthy. It is also part of legal regulations at national and global levels, and organizations must comply to avoid incurring large fines and penalties.
When do KYC and AML begin?
Whether you are a company that struggles with refined identity proofing systems or a customer trying to reach into the server, it is essential to know that through these “introductory” processes, the person’s identity is verified, evaluated, and secured by the two leading technologies: KYC (know your customer) and AML (anti-money laundering) regulations.
The KYC process typically begins when a new client opens an account. Your AML system is a vital part of protecting your customers but also an essential part of protecting your business.
The client will be asked to provide proof of personal information, such as their name, address, and government-issued identification. The institution will then use this information to verify the client’s identity. This may include checking government databases, credit reports, or other sources of information.
Besides verifying the client’s identity, the institution will also conduct a risk assessment to determine the level of risk associated with the client’s account. This may include analyzing the client’s financial transactions, assessing the client’s country of origin, or looking for any red flags that may indicate a higher risk of fraud or money laundering.
Once the institution has completed the KYC process, it will continue to monitor the client’s account for any suspicious activity. If any unusual transactions or patterns of behavior are detected, the institution may take additional steps to investigate and mitigate the risk by conducting full identity proofing.
Identity proofing: The process of providing sufficient information (e.g., identity history, credentials, documents) to establish identity.
While biometric technology increases security, it is prone to spoofing attacks in which fraudulent biometrics attempt to fool the system, including 3D, printed, and curved masks, silicone and paper masks, CrazyTalk video avatars, and pre-recorded videos of real subjects.
Is KYC necessary for the future of the digital economy?
Absolutely! Automation is prioritized in our fast-paced world, and as more businesses and people adapt to digital standards, this comes with unprecedented risks.
In 2021, the Federal Trade Commission reported more than $0 billion worth of fraud losses, an increase of more than 70% in a single year.
The idea behind KYC is that by understanding who their customers are and what their financial backgrounds look like, and by verifying the identity of their customers, companies can ensure that they are not doing business with criminals or other individuals who may be using their services for illegal purposes.
The number and levels of malicious incidents have increased dramatically since the onset of the COVID epidemic, introducing a staggering 238% increase in cyberattacks against banks.
While many businesses believe that they are too small to be affected by a cyber incident, cybercriminals are targeting financial service providers of all sizes. Small firms are 300x more likely to be targeted than other companies, according to the Boston Consulting Firm. Forbes states that 35% of all data breaches impact the financial services industry. Companies that embrace KYC and AML technology and act on security measures now will set themselves apart.
In 2021, the IC3 received a record number of 0 fraud complaints from the American public.
Customers notice when a business is actively trying to shield them from risk. KYC helps companies to better understand their customers and their financial patterns, which can help them to provide better service and to identify potential fraud or other risks. A KYC-enabled system can detect when a customer makes an out-of-character purchase and alert the bank and the account holder. These practices reduce financial risks and help the organization maintain accurate and updated customer profiles while building trust with its clients.
How Identomat’s solution prevents money laundering & streamlines compliance
Our KYC/AML solution allows financial institutions to verify the identity of their clients or prospective customers. It gathers information about the individual, such as their name, address, and identification documents, and verifies this information to ensure that the customer is indeed who they say they are.
KYC plays a critical role in preventing money laundering because it helps financial institutions identify and assess the risk of their customers.
By verifying their customers and understanding their financial activities, organizations can identify suspicious or unusual transactions that may be indicative of money laundering. With KYC, institutions can note red flags and investigate the source of the funds and determine whether the transaction is legitimate or suspicious.
How can KYC impact my business?
While due diligence is a requirement for several industries, KYC is a good business practice as well.
According to Reuters, 85% of corporations that did not have a good KYC customer experience resulted in 12% of their customers changing banks.
Onboarding clients is a huge undertaking, and KYC makes the onboarding process more efficient for businesses and their customers. Verifying its sources allows businesses to make smart decisions and refine their investment objectives better. By adopting a KYC solution, businesses can increase their number of connections worldwide and offer stronger protection for their customers’ data.
By thoroughly verifying the identities of their clients and assessing the risks associated with their accounts, KYC is an excellent approach to safeguard a business and its customers, while preventing fraud and fending off corruption.
Turn KYC from a Regulatory Burden to an Advantage