5 steps to customer identity security in a socially distanced world

2020 is turning out to be a transformational year for most every organization. Financial institutions and other businesses are having to reinvent themselves in so many ways, including a pivot to more virtual customer interactions. Making this work goes beyond physical reconfigurations for social distancing. How do you verify your customers’ identities when they interact with you online, while not scaring them away with a painful process?

At Deluxe Exchange 2020, two leaders from Equifax’s Identity, Fraud and Compliance Group discussed how to authenticate customer identities without adding a damaging amount of friction for customers. Hrishi Talwar, Vice President of Product, and Linda Touch, Vice President of Marketing, said that with a thoughtful approach, you don’t need to choose between security and happy customers.

Customer identity is central to your success

Hrishi noted that validating a customer’s identity may be less important for simple transactions. But for a more sophisticated and long-lasting customer relationship like those with a bank, credit loan agency, a utility company or many enterprises, identity authentication is a must.

Online identities have become essential. Some businesses are collecting this information today. To many consumers, there is a creepiness factor to this, but at the end of the day, these elements are being used for their benefit. Without them, we would all have to walk around with pay stubs and passports to prove our identities. With them, we can all do this from a safe distance.

Hrishi observed that there are three identity-related questions to ask throughout your customer's life cycle, when you may be prospecting, looking for a new customer, servicing that customer, onboarding, offboarding and collecting:

  • How do I find the right customer? This is about finding the best prospects for what your institution or business has to offer. It's identifying who they are in relation to their needs.
  • How do I know this customer is real?  This is about verifying that they are who they say they are. Businesses use data to identify this digital identity and verify the veracity of the information. Make sure they're not a bot, or someone who has stolen that data or that identity.
  • Should I do business with them? Based on the information that you’re collecting about this digital identity, should you accept the transaction? Should you allow the address change? Should you upsell or cross-sell to a new service or product?

Solution: Identify the good, the bad and the ugly

Hrishi and Linda’s recipe for success boils down to quickly identifying “good” identities – those with a low likelihood of being fraudulent – and adding additional levels of verification for those that are increasingly suspect (“bad” and “ugly”).  

Most customers will be “good” – you can do some work ahead of time to pre-validate them and set up a user-friendly authentication approach that makes it painless for them to be certified. You make it easy for that consumer to do business with you. Hopefully, all consumers identify themselves as good.

The “bad” individuals are flagged when you get a signal that tells you something may be wrong. Is the person’s email address suspicious? Are there problems with their domain? Initiating additional checks for these customers keeps you safe, but also adds a little bit of friction into the process to scare away a casual intruder.

The “ugly” contacts surface as the person continues to fail your additional tests. Introducing even more friction deters these bad actors. You don’t want them as customers. This experience pathing helps you preserve the positive experience for most of your customers that are “good,” while driving away the small minority looking for trouble.

5 steps to strong and customer-friendly identity security

Linda shared five steps that can help any organization implement a safe and customer-friendly identity verification process. Solution providers like Equifax can help you explore and deploy these solutions in a way that best fits your organization’s customer base and business model.

1. Diversify your data

Expand your customer dataset with a more comprehensive view of their digital identity. This way you can be highly confident that the person you are dealing with is real and “good”, without a lot of effort required on their part.

In an in-person identity relationship, you might look at name, address, date of birth and social security number. With a digital identity, you can't see that person, so you need to look for their digital trail. Only fabricated identities don’t have one.

A digital trail includes device data, phone data, biometrics, online activities, job history and associated income. When you start to take those data points and add them up, you begin to see a more complete picture of the person.

2. Deploy analytics

Analytics is how you turn data points into enriched intelligence. Look at how to combine those data points to explain something. Linda offered an example: Residential information can be more than a street address. It can also include the length of time they lived at an address and the number of addresses they’ve called home over a given period. Analytics can help you layer your data sources to provide relational context that tells you even more about your customers.

Artificial intelligence is now being used for identity verification. Embrace machine learning and data enrichment so that your data provides a better picture of who you're dealing with in the digital world.

The more you layer and correlate insights, the more you can trust in the ownership of that information. You're building a highly reliable view of their identity.

3. Orchestrate and optimize

As identity data volume grows and your layered-in analytics expand, you need to find a way to organize all of that and decide when and where you're going to use it. Linda’s recommendation is to enlist the help of an industry platform like the one offered by Equifax to manage the process. These platforms will continually ingest the information and help decide what to do with it. They will trigger an appropriate action as you interact with prospects and customers.

Once you’ve proven to yourself that a customer is real and trusted, you can assume that they are safe. As you bring additional data in, your feedback loop will monitor for changes in their behavior. Bringing that feedback back into your decision-making process is important because you're continually learning.

You can utilize ongoing information to address new potential incursion attempts, whether they stem from attacks launched at your customers, phishing attempts or other activities. Orchestrating and optimizing is all about better utilizing all those data points over time.

4. Use multi-factor authentication

Nobody wants to have to go through a friction-filled process. If you trust your authentication process, you can eliminate most of the pain for most of your clients.

Applying multi-factor authentication gives you the additional validation you need, with very limited action from your customer. If you trust them, you can ask, "How would you like to authenticate yourself? Would you like an email sent? Would you like a text message sent?”

For those that you cannot authenticate, or whose device or email address you cannot trust, use your orchestration rules to follow a more friction-filled process. That might mean asking them questions. It might mean asking them for documentation. By inserting these steps at this point in the process, the friction will only impact a small percentage of your customer base.

5. Create a feedback loop

Once these steps are in place, implement an ongoing feedback loop to keep things on track. This will tell you what policies need to be changed and which data is most effective in signaling identity threats.

Benchmark within your own company and against your peers. Look at authentication pass and fail rates, consumer dropout rates, abandonment rates and how visitors are responding to the friction you’ve built into your process.

A robust feedback loop will validate your process and signal when changes are needed. Use that information to continually adjust and monitor business policies and fraud strategies.

3 tools to help

Hrishi shared three industry tools that can help expedite the implementation of stronger and more customer-friendly identity security. They are used by many consumer-facing financial institutions and other businesses today. Consider them as helpful building blocks to move beyond a traditional “username and password” security approach.

1. Document verification

Anyone can buy a fake driver's license on eBay for 16 dollars. Without training, your staff will not be able to tell that it's not a valid driver's license. Document scanning and verification tools validate the document, confirm watermarks and make sure that the data on the back of the license matches the data on the front of the license and matches a DMV record.

Document verification tools add a layer of trust with your consumer and save them from having to go to the DMV, pull driving records or provide any other proof of the license’s validity. These tools can help with W2s and tax filings as well.

In addition to identifying fake documents, these solutions can provide authentication of consumer photos within the documents. By evaluating random pictures of a consumer’s face, some systems can validate through blinks, head movement and other natural motion that this is a real person.  Once confirmed as real, the photo can be confirmed to match what is on the document – regardless of hair and beard changes, or if the person is wearing a hat.

2. Multi-factor authentication

Hrishi observed that one-time passcodes are better than using simple username and password combinations, but not as safe as multi-factor authentication.    

One-time passcodes rely on text messages. People use all sorts of sophisticated attacks to intercept text messages and route them to other people, who then enter the PIN code.

With multi-factor authentication, messages to the consumer are hidden in a link. The consumer clicks the link and the system takes the steps needed to verify their identity, independent of the device they happen to be using. 

Since trust has already been established with all the data points and devices on that consumer's identity, validation can proceed painlessly and securely, in real time. It's a lot easier than typing in a one-time passcode. It also reduces the number of times your visitors get locked out of their accounts.

3. Account verification

Account verification solutions allow you to verify accounts in real time and save your customers from unneeded friction and stress. These solutions eliminate the need to ask the consumer the sometimes difficult-to-answer questions about their personal history – “When did you live at this address?” – that are part of traditional account verification. These questions are more than just annoying for your visitors. They are easily fooled by determined bad actors, who know these answers better than your customers.

By verifying a consumer's identity and matching it to a random account that only the consumer knows, today’s account verification solutions add a layer of security beyond a username and password. A request to enter the last four digits of a Visa credit card is much simpler and less painful, too.

These systems establish authorized users – those entitled to use an account, a shared credit card, or a bank account. Because some accounts are shared and some are not, account verification needs to be parsed at an individual level – not just to the account level.  The orchestration step above helps make this feasible.

Knowledge is power. The better you can truly know who is and isn’t your customer, the safer your institution will be. Given the dramatic changes in our pandemic-infused world, these steps to confirm identities online can greatly reduce your business risk. With the right process, you can make the experience positive for your desired customers at the same time.

The information provided in this blog does not, and is not intended to, constitute legal or financial advice.
