KYC revisited part 2

In the previous article, we discussed how important it is to have an identity document and how PKI helps countries to prove its authenticity. Today we continue our journey and will compare other methods of identity verification and talk of their strong and weak sides. 

So now you know the identity document is authentic and integrity is not compromised. The only thing left is verifying if the person is the same as in the document and is present at that moment.

The verification of the person is the same as in the identity document and can be handled by video conferencing or by Face Verification or Liveness check.

The advantage of video conferencing is that you also see the person is alive and genuinely present and using face verification, you only know it’s the same person. 

The liveness check verifies if it’s the same person and proves the person is genuinely present.

Face recognition can accurately answer the question, “Is this the right person?” it doesn’t answer the question, “Is this a real person?” 

Facial liveness works with facial recognition to determine if a biometric sample is being captured from a living subject that is present at the point of capture. As such, it stops fraudsters from using presentation attacks to spoof a facial recognition system. A presentation attack is fraudulent activity when a criminal tries to impersonate another person using a photo, video, live face, or sophisticated facial mask.

Should you use face verification/liveness verification or a video conference to establish it’s the same person and alive? 

Since 2005, human and machine performance has been systematically compared as part of face recognition competitions. Gathered reported results of still and video imagery. The cross-modal performance analysis (CMPA) framework is introduced to analyze performance across studies. 

The CMPA framework is applied to experiments that were part of the face recognition competition. The analysis shows that algorithms for matching frontal faces in still images are consistently superior to humans (comparison of human and computer performance across face recognition experiments). 

For KYC, the frontal faces in still images are used. This conclusion is from 2014. Since then, the algorithms have improved in accuracy and speed. More recent research confirms these findings (face recognition accuracy of forensic examiners, superrecognizers, and face recognition algorithms)

.

Who is this person?

When you investigate the market, you see several approaches to this. These approaches have all different impacts on the organization of it and can be grouped into methods. All these methods use familiar passports and ID cards for identification purposes.

Method 1 scans the passport and compares the Machine Readable Zone (MRZ) and the content of the Visual Area.  MRZ it’s the area These must contain the same data. If this is not the case, then the passport must be rejected. As you can imagine, this method is the most labor-intensive and costly method. This method also provides the lowest assurance levels.

Additional services to comply with the assurance levels are needed to correct this. Mostly video conferencing is used, asking a customer to hold a passport in front of the camera and skew it. Hence, a hologram or other security feature becomes visible.
On the other end of the video camera, a person is looking intelligently at the screen and judging if the person is who he claims to be, using the black and white passport picture and seeing if security features appear.

*Average is about 20 minutes per transaction, High is more than average and can be days to even weeks!

Method 5 and 6 are similar methods, but their outcome differs. Method 5 relies on the accuracy of AI. AI supplies you with hypotheses and opinions. The result is that I looked at it with a reasonable assurance that the passport was genuine. 

The method 6 using PKD, on the other hand, proved mathematically the passport is authentic and not compromised. So it’s not an opinion but a fact. It’s the only solution capable of verifying passports remotely and proofing that the passport is authentic, and integrity is unchanged. 

Another difference is that method 5 mostly depends on the phone of the user. The question is if you can trust the user’s phone, you never know what the customer has installed on his phone or what happened with it. Method 6, on the other hand, used mostly a trust center with a known environment out of the reach of adversaries and kept secure. The phone is used as a verifiable “scanner”.

The conclusion is that only method 6 hands you enough assurance to automate the onboarding process with as little manual labor as possible. The results of these verifications can be grouped into processes called Doc.

Result 3 means that the authenticity could not be established, and integrity was changed. The result of this process is mostly a rejection of the customer. 

Result 2, suspicious activity reports (SAR), means that the authenticity could not be established, but the integrity was OK, resulting in a Doc2 process where mostly a human takes a look at it and interacts with the customer before approving or rejecting. 

The Result1  with The Doc1 process is where the money is being made. Here the authenticity of the passport is established and the integrity is unchanged. So we know the passport is real.

When the liveness check of method 6 also proves the customer is genuinely present, we also know the person is whom he claims to be. 

Most onboarding can be handled this way, creating happy customers who can open a new bank account in mere seconds without the intervention of inquisitive people.

Only a relatively small part of the onboarding need to use process Doc2, where some manual labor is needed to either reject or request additional information to enroll.

Use case

Now imagine a bank using method 6. How can that be utilized? 

First, the numbers.

Cost savings

• Regulatory cost savings over four years
• Reduction in onboarding times
• Saving in audit costs with out-of-the-box functionality
• Decrease in KYC and AML cost reductions

Regulatory cost savings over four years

Identifying and verifying consumer identity is one of the most challenging and time-consuming compliance tasks for financial institutions. 

They must make sure that clients genuinely are whom they claim to be. You need to verify the identity, suitability, and risks involved with maintaining a business relationship and ensure they do not launder money.

Recent examples from around Europe show how costly it can be to fail proper AML/KYC checks and neglect reporting obligations, both in fines and corporate reputation. 

Banks must carefully monitor their politically exposed persons (PEPs) accounts and transactions and use AML systems and high-risk monitoring controls to detect suspicious activity and abnormal behavior. In addition, suspicious activity reports (SARs) should be filed to financial intelligence units while avoiding prejudice towards an investigation.

Resource optimization

Using a fully automated onboarding solution using PKD-based decisions and multi-level assurance during onboarding frees up 95% of the manual labor needed to comply. 

So you can optimize your compliance workforce, the tasks they are performing, and the locations they are working from. This also involves optimizing the use of offshore or near-shore centers in cheaper areas; implementing cost-effective outsourcing and contractor utilization strategies; developing centers of excellence with the interface to functions; and optimizing across the workforce, leveraging talent inefficient, non-siloed ways.

The subsequent impact is significant and can reach reduced compliance resources required and increase overall group-wide productivity.

Reduction in onboarding time

The long onboarding time are often a reason to abandon the process. The number of people breaking off onboarding because of complexity or too many questions has risen to 68%! So an excellent reason to have a very good look at your onboarding process. 

When the person is using Mob.id as an identity wallet, the new customer onboarding takes about 60 seconds. After that, the stored credentials are used, and additional information is requested, i.e., Address, phone, and email. 

However, there is a note. For a person to onboard, assuming he is using an authentic passport that isn’t compromised and liveness detection is OK, and the risk analysis (PEP and Watchlist) are OK too, then the registration is fully automatic. However, when one of the settings results in a warning, a Doc2 situation, a person must judge and make the final decision. About 5% of all onboardings will be Doc2. Doc2 has the same cost estimate as manual onboarding, € 40,00 per transaction.

Saving in audit costs with out-of-the-box functionality

It is imperative that every step in onboarding a new customer is documented using logging. Not only what has happened and when but also what is being used. So when you use identity document verification as a process, then it is imperative that you prove why you accepted it. All this is in audit trails for every registration. This makes life easy to look for anomalies, thus saving audit costs.

KYC and AML cost reductions

It is estimated that around 120 million new bank accounts will be opened across Europe each year. We assume the cost for onboarding using AI and manual/video verification is € 40 per transaction. So with 120 million transactions, the cost would be around € 4,8 billion.

The cost of using the AI-based method for identity document verification over a period of 4 years is estimated to be € 19,2 billion in Europe. The other methods (methods 1 – 4) create higher costs. 

Method 6, a PKI-based verification, reduces the cost to € 2,00 per transaction. It’s estimated that the cost would be around € 240 million per year and € 960 million over four years. So the cost savings would be about € 4 billion per year and a bit shy of € 18 billion over four years.