Digital identity management — 9 key questions
Organisations are under increasing pressure to reliably identify their customers as the first line of defence against scammers, fraudsters, traffickers and terrorists. Identity theft doesn’t just hit your organisation’s bottom line or reputation — the emotional impacts for your customers are far-reaching and personally devastating. But in an increasingly digital world, how can anyone be ‘reasonably certain’ that their customers are who they say they are?
In response to the pandemic, many organisations with physical locations were forced to quickly switch to 100% online verification processes and a common workaround was to ask their customers to take a photo of themselves with their ID, providing an easy access point for fraudsters.
Fortunately, as awareness of security threats grows, many organisations are now bolstering their temporary processes — moving beyond common and penetrable defences like secret identity questions.
However, the vast array of cutting-edge security technologies come with their challenges and organisations must find the right balance between security, stability and function. In order to ensure you’re choosing the right technology for your organisation’s needs, nine key questions should be considered.
Who to engage: identity broker vs identity service provider
While the market continues to evolve, technology providers can be grouped into two main types — digital identity brokers who enable your customer to have control over who they use to verify their identity and identity verification providers who provide a mix of identity document capture so your organisation decides precisely how and who will verify your customers’ identity.
ID capture technology: 100% automated or hybrid?
Not all identity document capture technology is developed in the same way, and while most identity verification providers provide the same services, the underlying approach to how they do this can be vastly different. The most significant differences are in the degree of machine learning used, spanning from 100% automated to significant human intervention.
Identity document capture that is 100% automated utilises technologies that require no human intervention to capture, classify, extract customer information and submit for checking against other sources (where applicable). While automated capture facilitates a faster end-to-end process, it does require your organisation to have an ‘exceptions’ process for handling documents that are damaged or unable to be read for any reason.
Conversely, hybrid capture uses a mix of machine learning and human intervention, which means that any exceptions needing manual verification can be handled rapidly. That said, the process for your customers is likely to be slower than a 100% automated process and can also pose greater data security and sovereignty risks.
Which source checks — and from whom?
Once a customer’s identity document has been captured and relevant information extracted, it is checked against one or more lists; however, these ‘source checks’ do not protect against the identities of real people that have been sold on the dark web, and should be teamed with other verification of identity (VOI) methods to protect against card not present fraud.
Common third parties commonly used by identity management providers for these checks include Australian Government service ID Match, data services such as Dow Jones, LexisNexis and Thomson Reuters, or sanction lists which includes a compilation of individual sanctions from various governments and agencies including the UN and the EU.
Will personally identifiable information be kept secure at every step of the journey?
Recent events have shown us that the loss of customers’ personally identifiable information can be disastrous, and once trust has been broken, it is nearly impossible to win it back. In order to ensure confidence that your customers’ information will be kept secure, it’s important to ask questions like:
- Does the organisation approach security ‘by design’?
- Does the organisation send the data offshore for processing?
- Is the data encrypted in transit and at rest?
- Does the organisation undergo regular third-party penetration tests?
To biometrics — or not?
Biometrics are fast and frictionless — ensuring a ‘real human’ is on the other end of the digital transaction — and can bolster your organisation’s protection against fraudsters while also strengthening your anti-money laundering (AML) and counterterrorism financing (CTF).
Specifically, facial biometrics are critical to substantially reducing card not present fraud by matching the person’s face completing the transaction against the ID provided. However, not all biometrics are created equal and static or single images are much easier to trick than a series of movements. Video calls are the gold standard for meeting industry-specific ‘face-to-face’ verification requirements, but this needs to be balanced with client experience as video calls may limit an organisation’s ability to verify customer identity ‘anywhere, anytime’. Using a random pattern of head and facial movements can act as a middle ground, as this method is still able to confirm that there is a ‘real human’ on the other end.
How will the technology fit into your existing customer journey?
To ensure a frictionless customer experience, when co-creating solutions, it’s important to ask:
- How will cross-device continuity be handled?
- Can it be white labelled with your organisation’s brand?
- Is a download required?
- Is an account required?
How ‘reasonably certain’ does your organisation want to be?
Being reasonably certain that a customer is who they say are requires a level of judgement — whether your organisation decides to do this with humans, computers or a hybrid of the two — and a series of decisions around accuracy, speed and human intervention.
There is a delicate balance between false negatives and false positives and the level of risk that each organisation is willing to accept will be different, so it’s important the ID verification process deployed by your business aligns to your risk appetite.
It may even vary depending on the product, value, customer segment or location. On the extreme, some organisations choose to not do business with individuals whose identity cannot be verified digitally.
Are your organisation’s governance functions fully considered in the initiative?
Old ways of thinking about governance and control can be challenging to apply to emerging technologies. Helping stakeholders understand what the technology does — and does not — do can help provide them with confidence that appropriate checks and balances are in place. The three critical areas that governance teams should consider are:
- Informed consent: Where and how will you make sure that your customers know how their personally identifiable information is being captured, stored and used?
- Privacy policy: What tweaks are needed to reflect any changes to capture and store personally identifiable information?
- Third-party source checks: Do third-party data sources require any additional obligations? eg, ID Match: DVS Business User agreement.
How will you measure and monitor success?
Criminals don’t sit still and your technology shouldn’t either — regularly tracking key metrics will allow you to evaluate the performance and security of your identity management tool to ensure your technology reflects your organisation’s risk appetite and provides the best defence of your customers.
Metrics to assess could include completion rate, match rate, false-positive rate and false-negative rate.
When it comes to implementing a digital identity management initiative it’s essential the processes deployed reflect the unique circumstances and needs of your business. An engaged team that understands the value of the initiative and are invested in the process of implementation will ensure the right questions are asked early on in the process and the technology chosen is able to facilitate the identity verification experience that your customers expect.
Building secure AI: a critical guardrail for Australian policymakers
While AI has the potential to significantly enhance Australia's national security, economic...
Building security-centric AI: why it is key to the government's AI ambitions
As government agencies test the waters of AI, public sector leaders must consider how they can...
State government agencies still struggling with securing user access
Audit reports have shown that Australian government agencies in four states experience challenges...