Digital identity management initiative: 9 key questions to ask


Organisations are under increasing pressure to reliably identify their customers as the first line of defence against scammers, fraudsters, traffickers, and terrorists.

Identity theft has profound emotional impacts on customers, affecting both the organization’s bottom line and reputation. In an increasingly digital world, establishing “reasonable certainty” about customer identities is crucial. Digital identity verification management plays a vital role in addressing these challenges.

Due to COVID, organizations shifted to 100% online verification, asking customers to submit a photo with their ID, a process that poses fraud risks.

Fortunately, as awareness of security threats grows, many organisations are now bolstering their temporary processes – moving beyond common and penetrable defences like secret identity questions.

Cutting-edge security tech presents challenges: organizations must balance security, stability, and function. The nine key questions below aid in choosing suitable technology.

1. Who to engage: identity broker vs identity service provider.

While the market continues to evolve, technology providers can be grouped into two main types:

  1. Digital Identity Brokers who enable your customer to have control over who they use to verify their identity, and
  2. Identity Verification providers who provide a mix of identity document capture so your organisation decides precisely how and who will verify your customers’ identity.

2. ID capture technology: 100% automated or hybrid?

Identity document capture technology varies in development. Identity verification providers differ in their approaches, particularly in machine learning use.

Automated identity document capture utilizes technologies without human intervention, capturing, classifying, extracting customer information, and checking against other sources. Although it facilitates a faster end-to-end process, your organization needs an ‘exceptions’ process for handling damaged or unreadable documents.

Conversely, hybrid capture utilizes a mix of machine learning and human intervention, allowing for rapid handling of any exceptions needing manual verification. That said, the process for your customers is likely to be slower than a 100% automated process and can also pose greater data security and sovereignty risks.

3. Which source checks – and from whom?

After capturing a customer’s identity document and extracting relevant information, the system checks it against one or more lists. However, these “source checks” alone do not safeguard against identities sold on the dark web. Teaming them with other Verification of Identity (VOI) methods is essential to protect against card-not-present fraud.

Identity Management Providers use third parties like the Australian Government service idmatch, Dow Jones, LexisNexis, Thomson Reuters, and Sanction Lists for checks.

4. Will personally identifiable information be kept secure at every step of the journey?

Recent events have shown that the loss of customers’ personally identifiable information can be disastrous. Once trust is broken, winning it back is nearly impossible. To ensure confidence in keeping your customer’s information secure, it’s important to ask questions like:

  • Does the organisation approach security “by design”?
  • Does the organisation send the data offshore for processing?
  • Is the data encrypted in transit and at rest?
  • Does the organisation undergo regular third-party penetration tests?

5. To biometrics – or not?

Biometrics offer quick, frictionless verification, ensuring a ‘real human’ in digital transactions. They enhance fraud protection, AML, and CTF measures.

Specifically, facial biometrics are critical to substantially reducing card-not-present fraud by matching the face of the person completing the transaction against the ID provided. However, not all biometrics are equal: a check based on a static or single image is much easier to trick than one based on a series of movements.

Video calls meet industry-specific “face-to-face” verification standards, but balancing this with client experience is crucial, as video calls may limit an organization’s ability to verify customer identity ‘anywhere, anytime.’ Using a random pattern of head and facial movements can act as a middle ground, as this method is still able to confirm that there is a ‘real human’ on the other end.

6. How will the technology fit into your existing customer journey?

To ensure a frictionless customer experience, when co-creating solutions, it’s important to ask:

  • How will you handle cross-device continuity?
  • Can your organization’s brand white-label it?
  • Is a download necessary?
  • Does it require an account?

7. How ‘reasonably certain’ does your organisation want to be?

Ensuring customer identity involves judgment, whether done by humans, computers, or a hybrid, necessitating decisions on accuracy, speed, and intervention.

Balancing false negatives and false positives varies for each organization, and the level of risk accepted differs. Thus, it’s crucial that your business’s ID verification process aligns with your risk appetite.

Verification methods vary based on product, value, customer segment, or location. Some organizations avoid business with unverifiable identities.

8. Are your organisation’s governance functions fully considered in the initiative?

Navigating governance for emerging technologies requires clarifying their functions and limitations to instill stakeholder confidence in effective checks and balances.

  • Informed consent: How and where will you ensure that your customers understand how their personally identifiable information is being captured, stored, and used?
  • Privacy Policy: What tweaks are needed to reflect any changes in capturing and storing personally identifiable information?
  • Third-party source checks: Do third-party data sources require any additional obligations? e.g. idMatch: DVS Business User agreement

9. How will you measure and monitor success?

Track metrics for your identity management tool, aligning performance, security, and technology with organizational risk appetite for customer defense.

Metrics to assess could include completion rate, match rate, false-positive rate, and false-negative rate.

Implementing a Digital Identity Management Initiative requires processes that reflect your business’s unique circumstances and needs. An engaged team ensures early questions and technology alignment with customer expectations.

By Ches Rafferty, Scantek CEO.

First published in Business It, December 16 2021, and Gov Tech Review, January 11 2022.
