In person, identity verification is easy. Ask for a photo ID, check to make sure the hair is the same color and the age looks right, shine it under a purple light if you want to be extra sure it’s real. Online, it’s a little more difficult. As the famous 1993 New Yorker cartoon states, ” On the Internet, nobody knows you’re a dog.” Although we’ve come a long way in online identity verification since 1993, it’s still an imperfect process. This is how identity verification in online account opening and lending works:
Step 1: Verify that someone with the applicant’s name, address, and social security number exists.
To complete step one, most online identity verification systems call out to one of the big three credit bureaus,Experian, Equifax, and TransUnion, who then search for an identity match within their vast repositories of consumer credit data.
Calling out to the credit bureaus is the cheapest way to complete step one, but unfortunately people with thin credit files, usually young people, recent immigrants, or people who for some reason have very rarely used mainstream financial services, often cannot be matched. To address this problem a number of companies, including LexisNexis, IDology, and RSA, offer services that search for matches in alternative sources of data, including utility and phone bills, property deeds and rental payments, and other public records. Andera has offered an optional alternative data “waterfall” service to its clients for several years.
The two main regulations requiring identity verificaiton in account opening and lending
A good account opening and lending system will also perform a couple perfunctory but mandatory checks while calling out to third party data to find an identity match: they will check to make sure the applicant is not listed on the Office of Foreign Assets Control watch list, or applying from IP address located in a sanctioned country.
Step 2: Verify that applicants are who they say they are with knowledge-based authentication questions, better known as out-of-wallet questions.
This second step performs the same function as a debit card pin or a credit card signature, making sure that an identity thief with a stolen wallet can’t open accounts and apply for loans willy-nilly. Out-of-wallet questions in account opening and lending are similar to the security questions we select when we enroll in online banking or other sensitive online services, but whereas those questions and answers are chosen by the customer when he or she first enrolls, deposit and loan applications need to present out-of-wallet questions without prior knowledge of the applicant.
Like step one, most online identity verification systems complete step two using services provided by the big three credit bureaus or alternative data providers. Third party data is used to randomly generate questions that would not typically be found in a wallet. Here are some sample out-of-wallet questions taken from Andera’s application (click to enlarge):
Because out-of-wallet questions are randomly generated, they are also imperfect. Sometimes questions are created using the wrong data; for example, in Netbanker’s recent post on Google’s new pay-by-email-attachment service, Jim Breune notes that he was presented with an out-of-wallet question that appeared to be about his brother. Sometimes questions are just too difficult; you may simply not remember the name of that minor street located a few miles away from an address you lived at 20 years ago. We estimate that between 5-15% of applicants who are who they say they are fail out-of-wallet questions on our system.
If applicants fail identity verification in online account opening and lending, either in the first or the second step, the financial institution can choose either to fail the applicant or to send them into manual review. Manual review processes vary; usually the financial institution asks the applicant to upload, email, mail or fax a copy of their photo ID, and then either approves the account immediately, or follows up with a call to ask additional questions, or requires the applicant to physically come into a branch. Because online identity verification is very fallable, it’s important to put some thought into your institution’s manual review process. To see what Ally Bank did wrong, read this article.
The most interesting aspect of identity verification is how much choice the financial institution has. Do you want to stick with standard credit data identification, or spring for alternative data? Do you want to hard fail applicants who incorrectly answer out-of-wallet questions, or send them into review? Once in review, how are you going to handle the process? The online identity verification process you choose will depend on your institution’s risk tolerance, available human resources (for manual review), and compliance policies.
For more information you can:
- Download our whitepaper on the 7 Reasons Applicants Quit
- Watch our video on our Alternative Data Waterfall Service
- Read one of our blog posts about alternative data, here and here
- Google it 😉