Banks and other financial institutions are all required by the PATRIOT Act to conduct a thorough review of new customers to undercut terrorist financing and combat money laundering. These Know Your Customer (KYC) checks are essential for regulatory compliance, but too many organizations rely on these as the sole method to verify the identity of the person they’re doing business with.
The problem is that KYC checks are not enough to prevent fraud and should not be used in place of a comprehensive, layered set of fraud checks.
This message was driven home by the massive Equifax data breach of a few weeks ago, which exposed sensitive information of 143 million American consumers. KYC checks verify that the customer’s name, birthday, address, and Social Security number all match—yet these are exactly the data sets that were exposed in so many recent breaches. (And, of course, millions of consumers’ private information is already on the black market for purchase.)
KYC checks are a good starting point to verify that those four pieces of information are associated with one another, but they don’t actually tell you whether or not you’re interacting with the actual person whose identity has been presented. This is especially true as more and more financial transactions take place online, where impersonating an identity is much easier than in face-to-face interactions. That’s why, now more than ever, financial institutions need additional layers of fraud protection.
Along with performing a KYC check, financial institutions need to look at these four data points for fraud prevention:
Phone: Two-factor authentication (where the institution texts the customer a code) is an important tool for verifying that a customer owns the phone number he or she is opening an account with. However, while two-factor authentication can tell you whether the person applying for the loan has access to the phone number they entered, it cannot tell you whether that person is actually who they claim to be. Third-party name-to-phone linkage data is invaluable here to confirm or deny the connection.
Email: Likewise, it’s impossible to know whether a customer owns a specific email address simply by sending a confirmation email to that account. Also verifying how long ago the email address was registered, and whether it’s registered to the name provided, gives confidence that the account wasn’t just created on the fly by a fraudster.
IP address: Checking whether the application is actually being submitted from the location of the address given on the application is a clear and very straightforward way to verify where the person who filled it out actually lives. If the IP address geolocates 10 miles from the address on the application, the applicant might be applying from work or on a mobile network. If it’s 600 miles away they could be on a business trip, but that still may raise red flags. If it’s 4000 miles away, that’s even more suspicious.
Device ID: Device ID is a very common way to look at whether or not the person is applying from a trusted laptop or phone. Third-party data can tell your institution whether or not a device ID is flagged for fraudulent transactions or—suspiciously—whether it’s never been seen on anyone’s network before. (The latter could mean that it may have been wiped.)
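To make the layering concrete, here is an added example (not code from the original article) that scores an application on the four extra signals above after the KYC match passes. The point weights, the sample coordinates, and the DEVICE_REPUTATION table are constructed; the IP-distance tiers follow the 10 / 600 / 4000 mile figures given above.

```python
# Added example, not from the article: layered risk scoring on top of a KYC match.
# Weights and sample data are constructed; DEVICE_REPUTATION stands in for a third-party feed.
from dataclasses import dataclass
from math import asin, cos, radians, sin, sqrt

EARTH_RADIUS_MI = 3958.8

def miles_between(lat1, lon1, lat2, lon2):
    """Great-circle (haversine) distance in miles."""
    p1, p2 = radians(lat1), radians(lat2)
    a = sin((p2 - p1) / 2) ** 2 + cos(p1) * cos(p2) * sin(radians(lon2 - lon1) / 2) ** 2
    return 2 * EARTH_RADIUS_MI * asin(sqrt(a))

def ip_distance_points(miles):
    """Risk points for IP geolocation vs. the stated address, using the article's tiers."""
    if miles <= 10:
        return 0  # plausibly at work or on a mobile network
    if miles <= 600:
        return 1  # could be a business trip, still a flag
    if miles <= 4000:
        return 2
    return 3

@dataclass
class Application:
    kyc_match: bool             # name, DOB, address and SSN agree with each other
    phone_linked_to_name: bool  # third-party name-to-phone linkage result
    email_age_days: int         # days since the email address was registered
    email_linked_to_name: bool  # third-party name-to-email linkage result
    addr_latlon: tuple          # geocoded application address
    ip_latlon: tuple            # geolocation of the submitting IP
    device_id: str

DEVICE_REPUTATION = {"dev-1111": "trusted", "dev-9999": "flagged"}  # constructed

def score(app):
    """Return (risk_points, reasons); a failed KYC match is decisive by itself."""
    if not app.kyc_match:
        return 99, ["KYC mismatch"]
    miles = miles_between(*app.addr_latlon, *app.ip_latlon)
    reputation = DEVICE_REPUTATION.get(app.device_id, "unseen")  # unseen may mean wiped
    checks = [  # (fires?, points, reason)
        (not app.phone_linked_to_name, 2, "phone not linked to applicant name"),
        (app.email_age_days < 30, 2, "email address registered recently"),
        (not app.email_linked_to_name, 1, "email not linked to applicant name"),
        (True, ip_distance_points(miles), f"IP geolocated {miles:.0f} mi from address"),
        (reputation != "trusted", 2, f"device {reputation}"),
    ]
    fired = [(pts, why) for hit, pts, why in checks if hit and pts]
    return sum(p for p, _ in fired), [why for _, why in fired]
```

Each signal is independent of the four KYC fields, so a fraudster holding breached name/DOB/address/SSN data still has to defeat every layer separately.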
By using these additional layers of identity verification, you can be more confident in the identities of your customers instead of just relying on a simple compliance KYC check.
Some KYC companies will bundle a fraud prevention product alongside their KYC regulatory compliance solution. However, if that fraud check is fundamentally based on the same data elements that drive the KYC check, the reality is it’s not doing any better a job of checking for fraud than the KYC check alone.
In order to protect your organization, you need to ensure you’re using a new data set—a new layer of identity data—as opposed to simply using more of the same.