• United States




Why it’s time to break these 4 identity verification rules

May 14, 20185 mins
Access ControlData and Information SecurityIdentity Management Solutions

Digital transformation of financial transactions combined with advances in fraud techniques are making these traditional approaches obsolete, as well as a barrier to online commerce.

number 4 four with binary grunge background
Credit: Getty Images

Digital identity verification has not changed for more than a decade. Often relying on static data held by the major credit bureaus, much of which has been repeatedly stolen and is readily available to fraudsters on the black market. These traditional approaches deliver poor accuracy and often force businesses to manually review up to half of all digital new account opening applications. Some even manually review every application!

Meanwhile, legitimate customers continue to be erroneously denied, fraudulent applications continue to get approved, and everyone continues to be frustrated. The promise of full digital customer acquisition and onboarding is being impeded by antiquated identity information models.

The only way to break this cycle is, well… to break the established rules.

By rules, I mean the status quo of commonly followed procedures for verifying identities that are inhibiting performance and stifling innovation. 

Here are the top four “rules” that need to be broken.

The more rules, the better

In IT, we now generally recognize that traditional rules-based models are struggling to keep pace with digital workflows. With nearly 2.5 quintillion bytes of data produced per day, it’s impossible for humans to keep pace, too. This is especially true for online identity verification where relying on human-created rules just isn’t working very well. Humans are limited by their own knowledge, biases and capabilities.

Discerning subtle patterns and nuances across thousands of interactions to accurately identify fraud is extremely complex. While rules-based systems can detect a respectful measure of fraud, they also miss a large percentage and frequently misidentify legitimate transactions as fraudulent. This leads to a great deal of manual review, which is not only costly, but often disrupts the customer experience.

Improving performance of human-built rules engines often requires continuously writing a large number and more complex sets of rules in an endless cycle. Humans can’t keep up, but robots can. Artificial intelligence and machine learning techniques can be used to sift through large data sets to uncover patterns people can’t see.

To err is human, so the saying goes, which is why we need to trust the data and get humans out of the loop.  Getting rid of clunky, error-prone rules systems and automating digital identity verification is the path to greater accuracy. With all the data constantly being generated, machines are beginning to know us better than we know ourselves.  

Static data sources are sufficient

In a digital world, static sources like credit bureau databases have become too limited to achieve any type of meaningful accuracy for identity verification. Given the level of personally identifiable information (PII) constantly being exposed in the weekly stream of corporate breaches, it’s obvious that relying solely on what is essentially stolen data for identity verification no longer is reliable. If the data used to verify identities is the exact same as the data being used by criminals to impersonate identities, how can it work? 

A better approach is to combine the common static data elements with other online, offline and social media sources. One type of data is rarely enough to identify a person, but many pieces of data webbed together create a more holistic picture of identity. One of the byproducts of digitalization is that most individuals are continuously creating a massive digital footprint daily. From web browsing to emails to social networks, the trails we create are unique to each of us and virtually impossible to spoof. 

Using online and social identity information for identity verification can deliver extremely accurate results. For example, it is much easier for a fraudster to buy stolen PII on the dark web, than to recreate an individual’s entire social network. Beware the fake friend requests or invites!

Identifying first-time users requires manual review

Verifying the identity of an individual that’s never done business with an organization in the past, especially through remote channels, is perhaps the most difficult challenge in fraud prevention. While many highly effective technologies are available for authenticating returning users, traditional approaches for validating new customers are fraught with problems. In fact, they invariably lead to very high manual review rates, with significant false positives and false negatives.

Many companies now rely on their online channels to acquire new customers, but still use traditional identity verification mechanisms, to risk score applications, which effectively sabotages these efforts. Low accuracy rates result in good customers being erroneously rejected. Meanwhile, attempts to increase acceptance rates can create so much friction that prospects will often abandon the application process.

Breaking the previous rules can reverse this cycle.

The rules can’t be broken

Breaking from long standing approaches and techniques is never easy, especially those related to risk management and fraud prevention, even when they are clearly outdated. Identity verification is no exception. It’s important to keep in mind that digital transformation is affecting all the systems and business processes that rely on identity. Building a state-of-the-art performance automobile, while powering it with 10-year-old engine doesn’t make sense. Neither does “not” breaking these four rules.


George Tubin is Vice President at the identity verification and fraud prevention company, Socure, and he is a recognized expert in online and mobile banking and payments security and cyber-fraud prevention. He was previously a senior research director with the leading financial services research firm CEB TowerGroup (acquired by Gartner, Inc.) where he delivered thought leadership and insights to leading financial services institutions, technology providers, and consultancies on business strategies, technologies, and market trends in retail, Internet and mobile banking, and fraud management.

George has held several positions at BayBank, BankBoston, and Fleet (now Bank of America), including director of e-commerce planning and development and vice president of planning and analysis for the consumer and small business banking divisions. He has also been a senior security strategist for financial services at IBM Trusteer and ThreatMetrix.

George has appeared in print, radio and televised media, including The Wall Street Journal, Newsweek, CIO Magazine, American Banker, CNN Money Online, Bank Systems and Technology, USA Today, NPR Nightly Business Report, and Associate Press Television News syndication. In addition, George has been a chair and featured speaker at dozens of major industry conferences and webcasts, and has authored dozens of research notes and articles for numerous media outlets.

George received an MBA from Babson College and holds a Bachelor of Science degree in industrial engineering and operations research from the University of Massachusetts, Amherst.

The opinions expressed in this blog are those of George Tubin and do not necessarily represent those of IDG Communications, Inc., its parent, subsidiary or affiliated companies.