Embed Size (px)
Citation preview
IDENTITY VERIFICATION SOLUTIONS FOR DIGITAL CUSTOMER ACQUISITION
Bob Meara 28 August 2018
This report excerpt was prepared by Celent for OneSpan. OneSpan has unlimited distribution rights, but had no input on the content of the analysis in the report. www.OneSpan.com
CONTENTS
Executive Summary ............................................................................................................ 1 Key Research Questions ................................................................................................. 1
Identity Verification for Digital Onboarding .......................................................................... 3 Why Focus on Mobile Identity Verification? .................................................................... 5 Balancing Risk and the Customer Experience ................................................................ 6
Digital Identity Verification ................................................................................................... 9 ID Verification ................................................................................................................ 11 Identity Verification ........................................................................................................ 13
Recommendations ............................................................................................................ 16 Leveraging Celent’s Expertise .......................................................................................... 18
Support for Financial Institutions ................................................................................... 18 Support for Vendors ...................................................................................................... 18
Related Celent Research .................................................................................................. 19
EXECUTIVE SUMMARY
In two previous reports, Omnichannel Customer Acquisition 2.0: What It Is and How to Get There and Omnichannel Customer Acquisition 2.0: Vendor Spectrum (Part 2), Celent dissected elements of effective omnichannel customer acquisition methods and compared five comprehensive omnichannel customer acquisition solutions — applications designed to provide a quick path to omnichannel customer acquisition without the need to rip and replace legacy channel or core systems. These solutions include mechanisms for digital identity verification licensed from other vendors. Because of the importance banks place on risk and compliance, Celent chose to specifically examine identity verification in the context of customer acquisition in this report.
KEY RESEARCH QUESTIONS
1 What are key trends in identity verification technology?
2 Which approaches are gaining traction? Why?
Figure 1 highlights the focus of this report in the larger context of the omnichannel customer acquisition solution landscape. Banks often specify a digital identity verification platform when implementing a customer acquisition solution — whether vendor supplied or built in-house. This report does not address day-to-day customer authentication.
Figure 1: Vendor Solutions for Omnichannel Customer Acquisition and Onboarding
Source: Celent
Digital customer acquisition and onboarding is becoming increasingly important to financial institutions in response to changing consumer preferences. Historically, digital onboarding presented a two-fold challenge; achieving adequate risk and compliance objectives while ensuring a low-friction customer experience (CX). This was particularly difficult for the mobile use case because of the small screen size and difficulty associated with manual data entry. Recent hardware and software advancements, however, have turned what was once a mobile liability into a strength.
Digital identity verification solutions are specialized application of image and data analytics, artificial intelligence, machine learning, and expert review designed to ensure
Cha
pter
: Exe
cutiv
e Su
mm
ary
2
government-issued IDs presented for identity verification are authentic and presented by the individual on the ID. This is particularly important for FIs because they typically lack trained document examiners on staff.
Recommendations Vendors of mobile identity verification solutions have made it easy to put up a solution for digital customer acquisition while satisfying KYC requirements. Celent offers several considerations for selecting an appropriate digital identity verification platform based on bank and vendor interviews.
1. Begin with Realistic Expectations. No approach is perfect. No solution is perfect. Satisfying the twin imperatives of risk and UX requires a balancing act and begins with realistic expectations.
2. Ensure Support for All Use Cases. Not just mobile — not just digital. While digital customer acquisition is on many banks’ “A-list” at the moment, Celent strongly advocates banks solve for omnichannel customer origination and select an identity verification platform accordingly.
3. Expert Review Should Be the Exception. Based on results across multiple vendors, it seems clear that the significant majority of account and loan originations will be legitimate and will be facilitated by the presentation of valid IDs. Eroding the customer experience of the majority in order to find the few bad actors should no longer be tolerated.
4. Compare Empirical Results. Vendor RFI responses (or a Celent report) may be a great start to making a vendor selection, but each bank’s final decision should rest on how well the solution performs. Put them to the test.
Cha
pter
: Ide
ntity
Ver
ifica
tion
for D
igita
l Onb
oard
ing
3
IDENTITY VERIFICATION FOR DIGITAL ONBOARDING
Identity management and authentication are complex and intertwined topics with applicability much broader than banking. Entities from various sectors — financial services, government, retail, healthcare, travel, and entertainment (e.g., airlines, hotels, concert venues) — deal with identity and authentication issues as they look to provide physical and digital access to locations and services, authorize payments, manage fraud, and stay compliant with regulations. They do so by deploying a range of tools and techniques, from physical documents (e.g., passports, ID cards, and driver’s licenses) to passwords, PIN codes, and one-time passcodes, to biometrics — see Figure 2. Effective access management is, of course, at the heart of physical and cybersecurity.
Figure 2: Identity and Authentication Are Complex and Intertwined Topics
Source: Celent
Financial institutions also deal with identity and authentication issues on a daily basis in a number of ways. First, just like any business, they need to manage internal security by ensuring only authorized employees have access to the buildings (e.g., access cards) or to the specific parts of internal IT systems.
More importantly, FIs need to deploy identity management and authentication techniques when dealing with their customers — the focus of this research. We distinguish between three types of activities (see Figure 3 on page 4).
First, when the customer wants to open an account, banks have to follow stringent procedures to verify the customer’s identity to comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) requirements. Legal requirements of acceptable practices vary by country, but they typically involve checking qualified identity documents. Some countries, such as India and Nigeria, have national identity schemes. Other
Cha
pter
: Ide
ntity
Ver
ifica
tion
for D
igita
l Onb
oard
ing
4
requirements include proving the customer’s address by providing, for example, a copy of the utility bill (a rather poor form of “proof” but a strangely common practice).
Traditionally, the customer would have to take his documents to the bank branch for a teller to check the validity of those documents and make copies. Increasingly, technology is being used to digitize and simplify the account opening process. For example, document verification solutions can help ensure that documents, such as driver’s licenses and passports, are valid, while facial biometric recognition can establish that the person presenting the ID is the same individual whose portrait appears on the document.
Figure 3: Identity and Authentication in Banking
Source: Celent
Another important step during account and loan origination is device enrolment and provisioning of online access or issuing a payment instrument. For example, an EMV payment card stores secure keys on its chip to authenticate that the card is valid and belongs to a particular customer. Similarly, if a consumer wants to use online or mobile banking or mobile payments, they must enroll into those services. Doing this securely while ensuring that access is granted to correct individuals is crucial; unless this step is done correctly; all subsequent authentication efforts are pointless. Most of the early fraud issues reported around Apple Pay, for example, stemmed from lack of rigor in authenticating the customer when loading the card into the wallet, not from the actual Apple Pay transactions.
The main purpose of deploying identity management and authentication techniques during account opening and account access or transactions is to ensure compliance with regulations and to manage fraud. Identity verification for digital customer acquisition is the focus of this report.
Key Research Question
1
What are key trends in identity verification technology?
Identity verification is quickly moving from knowledge-based to digital authentication.
Cha
pter
: Ide
ntity
Ver
ifica
tion
for D
igita
l Onb
oard
ing
5
WHY FOCUS ON MOBILE IDENTITY VERIFICATION? While there is obvious growth in mobile device usage for financial services globally, this is not the primary reason for mobile identity verification’s importance. Beyond digital identity verification, Celent sees several reasons why mobile is increasingly important. Specifically:
1. Growth in digital customer acquisition is a clear priority for many banks. The industry is over-reliant on the branch for new customer acquisition, and many banks are keen to change that.
2. Knowledge-based authentication (KBA) is increasingly ineffective and imposes considerable friction during account opening. The CX disadvantages of KBA have been historically tolerated because of risk and compliance priorities, but now KBA is a poor mechanism on both counts.
3. Mobile is more than a self-service channel. It is becoming an omnichannel platform for bankers and their customers. This means mobile devices are central to both self-service digital origination and branch and contact center initiated customer origination.
4. As fraud mechanisms become more advanced and fast-changing, banks must up their game. Most frontline staff simply does not have the expertise to effectively thwart identity fraud, nor would it be in a bank’s interest to invest in that. Instead, banks need automated, self-learning mechanisms to be effective. Once again, mobile devices tied to cloud-based solutions are today’s best approach.
While the imperative to grow digital revenue looms large at most banks, it is the device, not the use case, that makes mobile identity verification so important. More than mobile, banks are investing in omnichannel customer acquisition.
Omnichannel Customer Acquisition Celent defines omnichannel customer acquisition as the “front end” of a customer onboarding process consistently delivered across all channels. At least four characteristics distinguish second-generation approaches from first-generation customer acquisition schemes. More on the topic is available in the Celent report, Customer Acquisition 2.0: What It Is and How to Get There, July 2016.
1. Customer-centric workflow across all channels. 2. Optimum use of mobile capabilities. 3. Insight into the customer journey. 4. Low-friction engagement mechanisms.
Customer acquisition is clearly significant because it is a prerequisite to topline sales growth. Offering a 2.0 capability is important because customers are increasingly digitally driven. Omnichannel customer acquisition matters because multiple channels — digital in particular — are influencing the consumer’s choice of banking relationship. Banks therefore need to close the deal whenever and wherever customers make the decision to onboard. To do otherwise is inconvenient for potentially profitable prospects, and disadvantageous for institutions wanting them as customers. Designing for whenever and wherever translates to being equipped for five use cases, with the understanding that customers may begin the process one way and finish using another. Specifically:
1. Desktop: In many markets, most consumers have desktop internet access and shop online. Banks must therefore support desktop origination with a great user experience. This may involve the use of a mobile device in the process, but would begin on a desktop.
Cha
pter
: Ide
ntity
Ver
ifica
tion
for D
igita
l Onb
oard
ing
6
2. Mobile Web: As consumers increasingly shop using mobile devices, banks are compelled to support mobile Web customer origination. This involves more than an adaptive Web-browser interface; it requires thoughtful redesign of the UI, workflow, and use of mechanisms to reduce manual data entry.
3. Mobile in app: This requires a customer to install the bank’s mobile app prior to or during the application process. Although less common than mobile Web, in-app origination approaches are sometimes selected for the improved fraud mitigation efficacy an in-app application can deliver.
4. Branch: Historically, branches were responsible for most new customer origination. Digitally driven, omnichannel customer origination platforms need to equip branch staff with the same capabilities as customers have in a self-service environment.
5. Contact Center: While uncommon, contact center staff originates loans and accounts on behalf of customers. Sometimes, contact center and branch staff pick up where customers left off in the digital channels.
BALANCING RISK AND THE CUSTOMER EXPERIENCE Ideally, identity verification could be effortless for the customer and risk-free for the bank. Since that is not possible, banks must balance these two goals that have been historically at odds (Figure 4).
Figure 4: Modern Solutions Balance Historic Compliance/CX Tradeoff
Source: Celent
Traditional Mechanisms Digital customer acquisition historically relied on KBA models — identity based on “something you know.” These mechanisms have always been high-friction, but used to be reasonably good at deterring fraud. Multiple, large-scale data breaches in the past several years, however, have rendered KBA models increasingly less effective. Table 1 compares the pros and cons of the two primary traditional KBA mechanisms.
Cha
pter
: Ide
ntity
Ver
ifica
tion
for D
igita
l Onb
oard
ing
7
Table 1: Traditional Identity Verification Mechanisms
Method Pros Cons
Credit Bureau Look up • Provide useful information
• Provides definitive match (vs. confidence score)
• Fast results (low latency)
• Straightforward API implementation
• Requires manual entry of name, address and ID number
• Consumers with thin credit files may not be matched
• Reliant on information that may be stolen
• Does not utilize government-issued IDs
• Impacts consumer’s credit file.
• Can’t be used for consumers who have locked files
Database Look up • Utilizes a variety of data from different sources— not reliant on credit bureaus
• Well-suited for certain fraud mechanisms, such as change-of-address
• Straightforward API implementation
• Can be spoofed
• Reliant on information that may be stolen
• Does not utilize government-issued IDs
• May not meet compliance requirements
Source: Celent
Digital Identity Verification Mechanisms As the digital economy expands and cybersecurity risks increase, the frequency and methods for validating identity are changing. Digital identity verification mechanisms ascribe identity based on “something you have” such as a government-issued ID and “something you are,” such as facial biometric, voice biometric, or fingerprint. While not foolproof, digital identity verification mechanisms are wholly superior to KBA approaches because they are more secure and reduce friction. While far from ideal, modern identity verification solutions effectively balance risk mitigation and the customer experience.
Digital identity verification utilizes a specialized application of image analytics, artificial intelligence, machine learning and expert review to perform two key tasks.
1. ID Verification: ensuring a government-issued ID presented for identity verification is authentic. This is particularly important for FIs because they typically lack trained document examiners on staff. Government-issued IDs have a variety of security features designed to help identify falsified documents. These and other document characteristics are analyzed to render a resulting “score” conveying the likelihood that a presented ID is authentic.
2. Identity verification: ensuring the person presenting the ID is the same person whose portrait is on the ID. Identity verification utilizes facial biometrics and, optionally, other information provided by the user or acquired from third party sources in real time. The portrait can be a “selfie” captured on the user’s mobile device or other platform and typically involves liveness tests and other mechanisms to ensure the image has not been acquired surreptitiously.
Beyond identity verification, solutions can be used to further reduce friction during account origination. For example, since ID verification is typically performed early in the
Cha
pter
: Ide
ntity
Ver
ifica
tion
for D
igita
l Onb
oard
ing
8
process, the ID verification application can be used to prefill information that the user would otherwise have to manually enter in an application process.
Many organizations utilize multilayered identity verification so that higher risk individuals or products (lending versus DDA, for example) impose additional identification layers. This can be done at the bank’s discretion and implemented based on configurable business rules utilizing a number of variables to balance risk mitigation with the CX. Figure 5 provides an example of the user experience of digital identity verification in the context of a typical account opening use case. Country and document selection is often automatic, further streamlining an already straightforward user experience.
Figure 5: Example User Experience During Digital Customer Acquisition
Source: Jumio
Doing this reliably and across multiple jurisdictions is a complex and constantly-changing undertaking for several reasons:
• Fraudsters are resourceful, constantly change their approach to thwart fraud detection mechanisms, and utilize increasingly sophisticated techniques to manufacture fraudulent IDs.
• Each jurisdiction has its own documents, document design, and security features. Application algorithms must be tuned for each jurisdiction.
• Serial fraud is on the rise, meaning fraud can be perpetrated multiple times in rapid succession using new mechanisms before applications learn and adjust.
• Data sources available to support identity verification vary by market.
The next section examines the new techniques for digital identity verification and the underlying technologies used.
Cha
pter
: Dig
ital I
dent
ity V
erifi
catio
n
9
DIGITAL IDENTITY VERIFICATION
The last section cited five use cases for omnichannel customer acquisition. Digital customer identity verification solutions also must support each of these use cases. Ideally, a bank would utilize a single vendor to support all uses cases. To do so, solutions must support multiple environments. For example, a customer might apply for a new account using a mobile web or in-app experience using a mobile device. A self-service application at a customer’s desktop would require a new environment called Web-to-mobile handover. It would begin and end on the desktop, but invite a mechanism to involve the user’s mobile device for document and facial biometric image capture. The environment in which digital identity verification solutions operate is significant because it directly impacts available resources, leading to differences in solution efficacy.
Mobile Web: refers to a mobile browser environment. This would be a typical environment for mobile internet self-service originations. Depending on the bank’s branch software environment, some customer origination may occur in a mobile Web environment. Mobile Web environments place constraints on the device camera operation and would therefore exclude on-device processes, such as image analytics. Mobile Web environments are chosen for the superior CX and would therefore likely be excluded for a branch-led origination.
Mobile (SDK): This refers to the end-to-end process all occurring within a native mobile app experience. This environment often produces superior results in latency and accuracy because of the ability to use both in-app and server-based processing. But, a mobile SDK environment cannot support desktop self-service or Contact Center-led originations. Because of the superior fraud detection capability of most solutions operating in this environment, some banks encourage users to download the bank’s mobile banking app prior to originating a new account or loan. Alternatively, a bank could design an origination workflow to include app download only when image quality proved insufficient or if verification efforts did not result in a positive outcome. The latter is a better approach, in Celent’s view.
Web-to-Mobile Handover: This refers to a process for an online desktop or laptop customer origination workflow to invoke a mobile device for ID and/or facial image capture and subsequent verification. Web-to-mobile handover environments are useful for desktop internet, contact center, and branch origination use cases. Typically, it involves a text message being sent to the user’s mobile device. A link in the text opens a mobile Web experience to perform ID and selfie image capture.
Key Research Question
2
Which approaches are gaining traction? Why?
Mobile-first approaches are growing for their ability to leverage device capability and carrier attributes
while improving CX.
Cha
pter
: Dig
ital I
dent
ity V
erifi
catio
n
10
Table 2 lists each use case alongside applicable environments.
Table 2: Full Use case Coverage Requires Supporting Multiple Environments
Use case Mobile Web Mobile SDK Web-to-Mobile
Handover
Desktop Internet
Mobile Internet
Mobile in-app
Contact Center
Branch
Source: Celent
Across environments, digital identity verification solutions reviewed in this report perform two conceptually basic but technically complex functions: they evaluate the authenticity of government-issued IDs, and they ensure that the person presenting the ID is the same person whose portrait is on the ID. Done well, these two functions provide a highly reliable identity verification mechanism. A third function, arguably part of presenter identity verification, consists of liveness tests, designed to thwart the use of static images (which can be stolen) in place of a legitimate selfie taken by the presenter. All three are not strictly required in every situation. Banks may consider each function, in addition to the use of third party data and data verification as parts of a multilayered approach to digital identity verification (Figure 6).
Figure 6: Elements of Multilayered Digital Identity Verification
Source: Celent
Vendor approaches to each of these functions vary. We discuss general differences here without explicit vendor comparisons.
Cha
pter
: Dig
ital I
dent
ity V
erifi
catio
n
11
ID VERIFICATION Practically speaking, ID verification begins with image analytics. Without a usable image, any attempt to verify the authenticity of a government-issued ID would be problematic. That is because many fraud mechanisms are exceedingly difficult to detect, even by trained forensics experts. Moreover, even as IDs contain multiple security features to help verify authenticity, the nature of security features vary between jurisdictions — complicating manual verification.
Some vendors refer to image-based processing simply as OCR, or optical character recognition. OCR is a decades-old technology first used for back office document processing efficiency. It refers to software’s ability to recognize machine-printed or hand-written characters in an image of a physical document. Said simply, OCR plays a small role in the image analytics needed tor reliable ID verification. Here’s why.
Back office imaging uses desktop scanners under precisely controlled conditions, ensuring the best possible image quality and usability. In contrast, images captured using mobile devices at the very least experience much higher variability in light, contrast, focus, and image acuity (hands are not always steady). Moreover, if the device camera is not at a right angle to the document, the resulting image is subject to spatial distortion that can reduce the usability of the resulting image if not corrected.
Moreover, back office document imaging is typically performed on paper documents with low-glare surfaces under carefully controlled lighting. ID documents are typically either plastic or laminated, which can introduce considerable glare in the resulting image — reducing usability for processing. Moreover, some common security features use UV ink that is readily detected by manual review under ultraviolet light. Since mobile device cameras don’t utilize UV light, these security features need to be verified using alternative approaches. Modern image analytics engines are designed to address these difficulties. Figure 7 provides an example of the many embedded security features in a US driver’s license designed to enable the detection of falsified documents.
Figure 7: Illustrative Security Features in a US Driver’s License
Source: public domain
Since image usability is at least somewhat challenging in practice, why not simply capture the barcode on the rear of IDs? Most identity verification solutions do. But, barcodes contain a small percentage of the information available on the front of IDs. Their use can be valuable in saving user keystrokes and are commonly used to compare with information on the front of ID documents as a secondary verification. Thus, the barcode is not a replacement for reliable image analytics. Plus, barcodes are applied to plastic ID cards and are often rendered unusable after several years of use.
Cha
pter
: Dig
ital I
dent
ity V
erifi
catio
n
12
Image Processing While a detailed discussion of image analytics is beyond the scope of this report, it may be useful to highlight some basics of image processing used in digital ID verification and why their consideration is an important aspect of solution efficacy and user experience.
Image capture: Images used for ID verifications must be of adequate quality to be used by image recognition engines. Many variables impact image quality, such as: lighting, background contrast, skew, document positioning in relation to the device camera lens, steadiness, and obscured portions of the ID with the user’s hands or other objects. Some applications provide real-time user feedback based on the above quality conditions during the capture process, ensuring that a suitable image is captured and returned to the application. Device-based applications (typically SDKs for integration with a bank’s mobile app) provide demonstrable improvement in image usability compared to manual capture, but are not useful for mobile Web environments. This translates to improved user experience as well as higher confidence ID verification. Since image capture is manual in mobile Web environments, banks must ensure users are provided some basic tutorial for capturing usable images or risk elevated abandonment rates.
Image processing: Once captured, the “raw” image is processed to improve the reliability of data extraction. This can be done on-device, on a server, or a combination of both. Vendors differ on which approach is recommended, but concede that not all use cases support on-app processing. Some vendors conduct image quality checks and some processing on device, with the balance occurring on the server. This approach is used because usability checks can be done in near real-time and generally offer a superior user experience. Full server-based processing results in a “click and wait” experience. The image is captured, sent to the server, and processed, and only then does the user know if image capture was successful.
Verification Unlike image processing, ID authentication belongs on servers because of the continual learning and updating required to keep abreast of the changing fraud environment. An on-device approach, if desired, would require an untenable frequency of updates. Celent is not aware of any vendor using an on-device approach. Once usable images are available, ID verification requires two basic steps: Data extraction and integrity and ID authentication.
Data integrity and extraction: A usable image is no guarantee that all required data can be extracted from an image without error. Algorithms process data extracted using image analytics and perform integrity checks, such as check digits and field mapping (matching extracted data formats with expected formats, such as date of birth). Comparison of data extracted from the ID front image is typically compared to rear barcode scans. This step increases data integrity as it can be used to “repair” low-confidence fields resulting from the extraction process. All this is done using highly specialized algorithms tuned for specific document types and jurisdictions. Elapsed time is typically a few seconds, depending on connection bandwidth.
ID authentication: Once images and extracted data are available and validated, ID authentication algorithms can to go work utilizing forensic document analysis, security features of documents, including passports, visas, driver’s licenses, and ID cards to examine and confirm as genuine and tamper-free (or not).
• Document classification: Less elegant approaches to ID authentication require the user to specify the document type. Doing so typically selects a template from the platform’s library and is required to properly authenticate the document. More sophisticated platforms automatically determine the ID type with no user action. Apart from eliminating a step in any application workflow, Celent looks favorably on automatic document classification as an indication of a more robust platform.
Cha
pter
: Dig
ital I
dent
ity V
erifi
catio
n
13
• Forensic examination: The number of available tests for any platform is document-specific. During Celent’s research, we found that vendors were typically not precise in their description of the specific tests each platform performs. Rather, they speak in generalities and assert the specifics are “proprietary.” Examples of document forensics include: barcode placement and size, OCR content, microprint text, kineogram validity, hologram validity, portrait placement, and signature analysis.
IDENTITY VERIFICATION Identity verification seeks to establish that the person presenting the ID is the owner of the ID. The principle identity verification mechanism currently utilizes image analytics and facial biometrics to render a “match score” between a presenter’s selfie and the photo ID portrait. In the future, high resolution EMV-based passport photos will likely be an option. For the time being, however, both ID and identity verification efficacy rests with acquiring usable images. Image usability for facial biometrics is more challenging than for OCR because important nuances in portrait characteristics can be visually subtle. Discovering these subtleties consistently and reliably using a small image extracted from an ID document is difficult. Said another way, the ID itself is the weak link in this method.
Facial biometric authentication does not render binary outcomes. Rather, each facial comparison results in a confidence score. The higher the score, the more likely both portraits are of the same individual. Establishing a lower threshold for verification will result in comparatively more fraud attempts going undetected. Conversely, a higher threshold results in a comparatively higher percentage of good customers being inconvenienced. Each institution must arrive at its own balance between UX and security.
A secondary check performed by a variety of vendors in some markets uses carrier data integration. Information received by mobile network operators (MNOs) through an API call (for a fee) can be compared to information captured on the ID document. For example, the name, address, and billing information associated with a provided phone number can be compared with MNO-provided data in seconds. Any mismatch would indicate a potential fraud. MNO data can be acquired in the background, that is, without asking a consumer for her mobile number. Some institutions use carrier data integration to perform these secondary checks in cases where biometric authentication yields a low match score. Doing so keeps the incremental spend focused on lower-confidence cases.
Keeping Biometrics Secure. No one wants their biometrics stolen, and no financial institution wants to be a party to this outcome. For this reason, solutions using facial biometrics as part of a digital customer acquisition solution should be FIDO compliant. The Fast IDentity Online (FIDO) standards specify a Universal Authentication Framework (UAF) protocol designed, in part, to secure an individual’s biometrics. The UAF protocol is designed to support a wide range of use cases, from application log-in to payment authorization. It allows online services to offer password-less and multifactor security. In this application, it is used simply to protect the individual’s identity biometrics.
Typically, biometric templates (mathematical representations of an individual’s facial identity) are stored on device. Vendor authentication protocols never see individual biometric templates. Instead, they analyze data that maps to the customer’s template. The connection between the data and each user’s biometric template rests with the device, which mints a new public encryption key with each action. Using this method, even if an individual’s data was stolen off a server, it could not be used to map back to an individual’s identity without that single-use encryption key (Figure 8).
Cha
pter
: Dig
ital I
dent
ity V
erifi
catio
n
14
Figure 8: FIDO UAF High-Level Architecture
Source: FIDO Alliance Review Draft 28 November 2017 (www.fidoalliance.org)
Liveness: Combatting Falsified Portraits The sole purpose of using facial biometrics in a customer origination use case is to ensure the person presenting the ID for identity verification owns the ID and is present. Establishing that the user is present is key, because many pictures of individuals are available in the public domain. A fraudster could present an acquired portrait of an individual along with her stolen ID to spoof a biometric comparison if it were not for liveness testing. Liveness detection is a presentation attack detection method designed to establish that a selfie is genuine. Said another way, its general task is to detect whether a biometric probe (e.g., selfie or other biometric) belongs to a living subject that is present at the point of biometric capture. Two types of liveness detection, active and passive, are in common use. Understanding their differences is important because hardware limitations across use cases limit which testing mechanism can be used.
Active liveness detection relies on a challenge response interaction between the application and one presenting the ID. The challenge response (typically asking the presenter to close his eyes, then reopen them, turning her head to the left and back, etc.) is verified in real-time using the device camera running in video mode. Active liveness detection is used to thwart video attacks. A video clip could be presented in lieu of a selfie, but it would be exceedingly difficult to create one to respond to randomly presented challenge response scenarios. Active liveness detection, however, is a poor mechanism to combat the use of face masks.
Passive liveness detection relies on natural facial muscle movements while speaking and blinking. The term passive applies because the algorithms use still portraits, not video examination of challenge response behavior. Passive detection is well suited to combat the use of face masks.
While there may be debate around the merits of each mechanism, Celent’s advocacy is simply for banks to utilize identity verification mechanisms that offer both options so that all use cases can be reliably supported.
Collaboration: Combatting Serial Fraud Stolen IDs aren’t the only fraud mechanism. Technically advanced fake IDs can be easily created or purchased today and altered IDs are increasingly difficult to detect, thanks to modern photo manipulation applications. Serial fraud refers to the practice of committing
Cha
pter
: Dig
ital I
dent
ity V
erifi
catio
n
15
similar fraudulent acts in relatively rapid succession. If committed skilfully, the first attempt is exceedingly hard to detect. But, once the fraud is detected, elements of the falsified ID could be used to help combat subsequent fraud attempts. The same picture, for example, might be placed on multiple fake IDs.
The key to combatting serial fraud is collaboration. The issue is not limited to stolen IDs, but the much broader issue of fraud. If banks are to have a fighting chance against cyberattacks, for example, the industry must embrace the idea of sharing intelligence, endorse a CTI community sharing platform(s), formalize exchange standards, and share best practices. That’s because one bank’s detection of a threat is another bank’s prevention of an attack. Establishing a well-governed cyberthreat intelligence sharing model will be challenging for banks, but the rewards will be considerable. The collaborative model could be the industry’s strongest weapon in abating the barrage of cyberthreats. The Celent report Stronger Together: The Bank Imperative for Cyberthreat Intelligence Sharing looks at the importance of a robust cyberthreat intelligence sharing platform alongside integration, specification, and AI-based automation tools.
How would collaboration work in the context of digital identity verification? Simply by storing identity attributes linked to known fraudulent activity. For example, if a portrait used on a fake ID is used subsequently, it is likely that its subsequent usage will also be fraudulent. Several vendors operate collaborative fraud networks and use them in identity verification workflow. The usefulness of these networks is a function of their scale.
Cha
pter
: Rec
omm
enda
tions
16
RECOMMENDATIONS
Vendors of mobile identity verification solutions have made it easy to put up a solution for digital customer acquisition while satisfying KYC requirements. Banks need to evaluate solutions based on empirical data derived from a reasonably large set of known good and fraudulent documents. This section offers considerations for doing so based on bank and vendor interviews.
Begin with Realistic Expectations No approach is perfect. No solution is perfect. Satisfying the twin imperatives of risk and UX requires a balancing act and begins with realistic expectations. Celent offers two perspectives related to expectations.
1. Aim high. One large bank interviewed for this report considered its experience with branch personnel review of identity documents as a litmus test for its digital solution to match. We think this is aiming too low. Establishing a baseline is good practice, but expect to surpass “non-expert” manual review with any viable vendor ID verification solution.
2. Keep learning. This space is rapidly changing, both technically and operationally. In Celent’s view, this means banks need to embrace a culture of continual learning, and solutions should also. Machine learning is a must, as is a cloud-based solution, so the experience of many organizations continually contributes to improving solution efficacy. This concept is well-illustrated in one vendor’s product literature (Figure 9:).
Figure 9: Continuous Learning Is a Must — For Both Platforms and Organizations
Source: Mitek Systems; used with permission
Ensure Support for All Use Cases Not just mobile — not just digital. While digital customer acquisition is on many banks’ “A-list” at the moment, Celent strongly advocates banks solve for omnichannel customer origination and select an identity verification platform accordingly. Digital is a great place to start, but don’t stop there.
Cha
pter
: Rec
omm
enda
tions
17
Expert Review Should Be the Exception Whether and how to use expert review in identity verification remains polarizing. Some vendors will be eliminated from consideration based on a bank’s choice. One bank interviewed for this report considered vendor-supplied expert review a solution requirement, but it had no intention of reviewing all documents. Based on results across multiple vendors, it seems clear that the significant majority of account and loan originations will be legitimate and will be facilitated by the presentation of valid IDs. Eroding the customer experience of the majority in order to find the few bad actors should no longer be tolerated.
Compare Empirical Results, Not Vendor Assertions Vendor RFI responses (or a Celent report) may be a great start to making a vendor selection, but each bank’s final decision should rest on how well the solution performs. Celent encourages both qualitative assessments (have your team experience interacting with each platform’s UI and workflow) and a quantitative analysis based on a large sample of test documents. Do your own test results. Don’t believe vendor-provided metrics. They may not be representative of your specific application and market.
Test each use case. Get specific with vendors. Asserted performance metrics are invariably based on running an in-app environment. Mobile Web results will be less impressive. Ensure you look into both environments fully.
Was this report useful to you? Please send any comments, questions, or suggestions for upcoming research topics to [email protected].
Cha
pter
: Lev
erag
ing
Cel
ent’s
Exp
ertis
e
18
LEVERAGING CELENT’S EXPERTISE
If you found this report valuable, you might consider engaging with Celent for custom analysis and research. Our collective experience and the knowledge we gained while working on this report can help you streamline the creation, refinement, or execution of your strategies.
SUPPORT FOR FINANCIAL INSTITUTIONS Typical projects we support related to digital and omnichannel include:
Vendor short listing and selection. We perform discovery specific to you and your business to better understand your unique needs. We then create and administer a custom RFI to selected vendors to assist you in making rapid and accurate vendor choices.
Business practice evaluations. We spend time evaluating your business processes. Based on our knowledge of the market, we identify potential process or technology constraints and provide clear insights that will help you implement industry best practices.
IT and business strategy creation. We collect perspectives from your executive team, your front line business and IT staff, and your customers. We then analyze your current position, institutional capabilities, and technology against your goals. If necessary, we help you reformulate your technology and business plans to address short-term and long-term needs.
SUPPORT FOR VENDORS We provide services that help you refine your product and service offerings. Examples include:
Product and service strategy evaluation. We help you assess your market position in terms of functionality, technology, and services. Our strategy workshops will help you target the right customers and map your offerings to their needs.
Market messaging and collateral review. Based on our extensive experience with your potential clients, we assess your marketing and sales materials — including your website and any collateral.
Cha
pter
: Rel
ated
Cel
ent R
esea
rch
19
RELATED CELENT RESEARCH
Delivering an Omnichannel Customer Experience Part 2: Vendor Spectrum March 2018
Stronger Together: The Bank Imperative for Cyberthreat Intelligence Sharing March 2018
Anatomy of Omnichannel Delivery in North America July 2017
Delivering an Omnichannel Customer Experience: Why a Single Platform Is the Way Forward June 2017
A Survey of Retail Banking Channel Systems in North America: Omnichannel Emerges February 2017
Omnichannel Customer Acquisition 2.0: Vendor Spectrum (Part 2) September 2016
Omnichannel Customer Acquisition 2.0: What It Is and How to Get There July 2016
Convenience, Security, or Both? Setting Out a Vision for Authentication July 2016
Getting to Digital: Assessing Banks’ Progress May 2016
Retail Banking Channel Systems in North America: The Quest for Omnichannel Continues January 2015
Defining a Digital Financial Institution: What “Digital” Means in Banking December 2014
Emerging Technologies in Retail Banking: The Long Road to Customer Centricity August 2012
Copyright Notice
Prepared by
Celent, a division of Oliver Wyman, Inc.
Copyright © 2018 Celent, a division of Oliver Wyman, Inc. All rights reserved. This report may not be reproduced, copied or redistributed, in whole or in part, in any form or by any means, without the written permission of Celent, a division of Oliver Wyman (“Celent”) and Celent accepts no liability whatsoever for the actions of third parties in this respect. Celent and any third party content providers whose content is included in this report are the sole copyright owners of the content in this report. Any third party content in this report has been included by Celent with the permission of the relevant content owner. Any use of this report by any third party is strictly prohibited without a license expressly granted by Celent. Any use of third party content included in this report is strictly prohibited without the express permission of the relevant content owner This report is not intended for general circulation, nor is it to be used, reproduced, copied, quoted or distributed by third parties for any purpose other than those that may be set forth herein without the prior written permission of Celent. Neither all nor any part of the contents of this report, or any opinions expressed herein, shall be disseminated to the public through advertising media, public relations, news media, sales media, mail, direct transmittal, or any other public means of communications, without the prior written consent of Celent. Any violation of Celent’s rights in this report will be enforced to the fullest extent of the law, including the pursuit of monetary damages and injunctive relief in the event of any breach of the foregoing restrictions.
This report is not a substitute for tailored professional advice on how a specific financial institution should execute its strategy. This report is not investment advice and should not be relied on for such advice or as a substitute for consultation with professional accountants, tax, legal or financial advisers. Celent has made every effort to use reliable, up-to-date and comprehensive information and analysis, but all information is provided without warranty of any kind, express or implied. Information furnished by others, upon which all or portions of this report are based, is believed to be reliable but has not been verified, and no warranty is given as to the accuracy of such information. Public information and industry and statistical data, are from sources we deem to be reliable; however, we make no representation as to the accuracy or completeness of such information and have accepted the information without further verification.
Celent disclaims any responsibility to update the information or conclusions in this report. Celent accepts no liability for any loss arising from any action taken or refrained from as a result of information contained in this report or any reports or sources of information referred to herein, or for any consequential, special or similar damages even if advised of the possibility of such damages.
There are no third party beneficiaries with respect to this report, and we accept no liability to any third party. The opinions expressed herein are valid only for the purpose stated herein and as of the date of this report.
No responsibility is taken for changes in market conditions or laws or regulations and no obligation is assumed to revise this report to reflect changes, events or conditions, which occur subsequent to the date hereof.
For more information please contact [email protected] or:
Bob Meara [email protected] AMERICAS EUROPE ASIA
USA
200 Clarendon Street, 12th Floor Boston, MA 02116
Tel.: +1.617.262.3120 Fax: +1.617.262.3121
France
28, avenue Victor Hugo Paris Cedex 16 75783
Tel.: +33.1.73.04.46.20 Fax: +33.1.45.02.30.01
Japan
The Imperial Hotel Tower, 13th Floor 1-1-1 Uchisaiwai-cho Chiyoda-ku, Tokyo 100-0011
Tel: +81.3.3500.3023 Fax: +81.3.3500.3059
USA
1166 Avenue of the Americas New York, NY 10036
Tel.: +1.212.541.8100 Fax: +1.212.541.8957
United Kingdom
55 Baker Street London W1U 8EW
Tel.: +44.20.7333.8333 Fax: +44.20.7333.8334
China
Beijing Kerry Centre South Tower, 15th Floor 1 Guanghua Road Chaoyang, Beijing 100022
Tel: +86.10.8520.0350 Fax: +86.10.8520.0349
USA
Four Embarcadero Center, Suite 1100 San Francisco, CA 94111
Tel.: +1.415.743.7900 Fax: +1.415.743.7950
Italy
Galleria San Babila 4B Milan 20122
Tel.: +39.02.305.771 Fax: +39.02.303.040.44
Singapore
8 Marina View #09-07 Asia Square Tower 1 Singapore 018960
Tel.: +65.9168.3998 Fax: +65.6327.5406
Brazil
Av. Doutor Chucri Zaidan, 920 – 4º andar Market Place Tower I São Paulo SP 04578-903
Tel.: +55.11.5501.1100 Fax: +55.11.5501.1110
Canada
1981 McGill College Avenue Montréal, Québec H3A 3T5
Tel.: +1.514.499.0461
Spain
Paseo de la Castellana 216 Pl. 13 Madrid 28046
Tel.: +34.91.531.79.00 Fax: +34.91.531.79.09
Switzerland
Tessinerplatz 5 Zurich 8027
Tel.: +41.44.5533.333
South Korea
Youngpoong Building, 22nd Floor 33 Seorin-dong, Jongno-gu Seoul 110-752 Tel.: +82.10.3019.1417 Fax: +82.2.399.5534
