Adopting a continuous KYC mentality

The expansion of digital payments presents new challenges for data security.


Now more than ever, implementing know-your-customer (KYC) procedures to verify a customer’s identity—procedures that continuously monitor changes in customer data—is important as more consumers and businesses alike join the digital economy.

When onboarding new clients or users, banks and financial apps use outdated methods of authentication—such as knowledge-based authentication (KBA)—to verify a user accessing the service based on static and dynamic data compiled from public information and from private data gathered through credit reports and transaction history. These knowledge-based questions are easy to guess or find through public records, social media, or on central servers. The data and questions, coupled with the need to present any required documentation, make for a time-consuming experience that proves burdensome for users.

Fraudsters move wherever the money goes, and with the expansion of mobile and digital payments (e.g. Apple Pay, Venmo), ill-intended actors will adapt to more sophisticated methods to obtain personal and financial data. Bankers currently view data security as among the top challenges in payments. As the industry projects $31.3 billion in global card losses in 2018, financial institutions must push to out-innovate the fraudsters, according to Accenture.

This past month, it was revealed that Zelle, a mobile payments app trusted by more than 30 U.S. banks, offers no fraud protection for its users. Customers, believing the service was secure, have reportedly lost thousands of dollars using Zelle for transactions involving sellers they did not know, for items such as concert tickets on Craigslist. Zelle, and the banks that back it, are under no obligation to help—Zelle is only meant to be used by users who trust each other, and once the buyer authorizes the transaction, nothing can be done to recover stolen money.

Similarly, in India, the entire population was pushed into the digital economy when its unified ID program, Aadhaar, was implemented, and not everyone is tech savvy. Aadhaar links every citizen to every type of service and documentation, from driver’s licenses, insurance and medical records, to mobile numbers and banking. Through the Aadhaar-linked Unified Payments Interface (UPI), which allows users to conduct transactions among more than 30 banks using their smartphones, citizens are given a one-time password (OTP) for customer verification.

But this system is not foolproof. In one instance, a fraudster called his victim, posing as a representative of the entity managing Aadhaar’s database (the Unique Identification Authority of India), to persuade them to link their Aadhaar with their Permanent Account Number. From there, the crook obtained the victim’s OTP, went to the Aadhaar website, changed the registered phone number to his own, and accessed the victim’s bank account. Because better real-time KYC protocols are not in place, banks are unable to differentiate between customers and fraudsters.

The problem with current KYC standards

In early October 2017, the Reserve Bank of India (RBI) instituted guidelines for Prepaid Payment Instruments (cards, etc.), and new KYC regulations for digital wallets to prevent fraud during digital transactions. The goal in mind was to allow customers to seamlessly transfer money between different wallets and banks while still complying with KYC standards. The new regulations set balance limits on wallets specifically for the purchase of goods and services, while placing a separate limit for transferring funds.

The cost of keeping up with current KYC standards is a strain for businesses. Customers are still required to bring passports and several other forms of identification to their bank of choice in order to prove that they are who they say they are. This is time-consuming for both customers and businesses, and expensive to process. Mobile banking apps like Monzo are working to change that by asking clients to send a photo of their ID along with a video selfie for authentication, rather than requiring that they bring a passport to a physical location. But even those processes are not always frictionless for the enterprise, as they still require staff to verify photo IDs and documentation and to run location checks. Some banks are entrusting authentication to engines that deploy AI algorithms to complete all these tasks in seconds, based on behavioral models they continuously build.

Governments, financial institutions and entities in other industries will need to adopt a continuous KYC mentality from the beginning to understand what their consumers need, in order to make processes as seamless as possible, while adhering to government regulations that protect customers from fraud. For any enterprise, it is important to get to know its customers over time. KYC must be an ongoing process that begins when a customer signs up for an online account, runs through the onboarding process, and continues throughout the entire customer relationship.
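The Aadhaar phone-number fraud above and the "ongoing process" principle here both come down to the same control: a change to the channel that receives OTPs should not be trusted on its own for a sensitive action that follows shortly after. The following is an added illustration, not code from the article or any bank; the event shape, the 72-hour cooling-off window, the high-value threshold and the sample history are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass
class Event:
    ts: datetime
    kind: str      # "profile_change" | "transfer" | "login"
    detail: dict   # e.g. {"field": "phone"} or {"amount": 200, "payee": "landlord"}

COOLING_OFF = timedelta(hours=72)   # assumed: how long a contact-channel change stays "fresh"
OTP_CHANNELS = {"phone", "email"}   # assumed: profile fields that decide where OTPs are sent
HIGH_VALUE = 10_000                 # assumed threshold in the account's currency

def recent_channel_changes(history, now):
    """OTP-delivery fields changed inside the cooling-off window ending at `now`."""
    return sorted({e.detail["field"] for e in history
                   if e.kind == "profile_change"
                   and e.detail["field"] in OTP_CHANNELS
                   and now - COOLING_OFF <= e.ts <= now})

def assess(history, action):
    """Continuous-KYC decision for one sensitive action.

    Returns ("allow", reasons) or ("step_up", reasons). "step_up" means the bank must
    re-verify through a factor that was NOT just changed, instead of sending an OTP
    to the new phone number, which is exactly what the Aadhaar fraud relied on.
    """
    reasons = []
    changed = recent_channel_changes(history, action.ts)
    if changed:
        reasons.append("otp channel changed within cooling-off window: " + ", ".join(changed))
    if action.kind == "transfer":
        if action.detail["amount"] >= HIGH_VALUE:
            reasons.append("high-value transfer")
        known_payees = {e.detail["payee"] for e in history if e.kind == "transfer"}
        if action.detail["payee"] not in known_payees:
            reasons.append("first transfer to this payee")
    # A fresh channel change is enough on its own; otherwise two independent signals.
    if changed or len(reasons) >= 2:
        return "step_up", reasons
    return "allow", reasons

# Constructed history: one routine payment, then a phone-number change 20 days later.
T0 = datetime(2018, 3, 1, 9, 0)
HISTORY = [
    Event(T0, "transfer", {"amount": 200, "payee": "landlord"}),
    Event(T0 + timedelta(days=20), "profile_change",
          {"field": "phone", "old": "+91-PLACEHOLDER-1", "new": "+91-PLACEHOLDER-2"}),
]

if __name__ == "__main__":
    attacker = Event(T0 + timedelta(days=20, hours=2), "transfer",
                     {"amount": 15_000, "payee": "unknown-seller"})
    print(assess(HISTORY, attacker))   # step_up, three reasons
```

The same routine payment to a known payee ten days after the change is allowed again, because the cooling-off window has lapsed and no other signal fires.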

This article is published as part of the IDG Contributor Network.
