Best Practices to Digitize High-Value Transactions While Managing Risk
Learn how to determine the right level of identity verification for each type of transaction so you can manage risk without complicating the agreement process.
As the world becomes increasingly digital, companies need to be able to provide the convenient online experiences and transactions customers expect. But as fraud increases and regulatory requirements tighten, it’s essential to ensure that impostors won’t expose your organization to risk. Balancing these priorities is a key challenge for banks, retailers and anyone else who does business online.
In this blog, we’ll talk about best practices to determine the right level of identity verification for each type of transaction so you can manage risk without alienating customers or complicating the agreement process.
The tension between security and customer experience
Customers want to do business online. Within the financial sector, 6 out of 10 customers are interested in joining a digital bank, while 70 percent want to transact in digital channels across the lifecycle. Similar preferences have taken hold across the economy, from retail to healthcare to equipment leasing and automotive sales. While these digital channels offer numerous benefits to both customers and businesses, however, they also greatly increase the possibility for fraud and impersonation. Verifying a customer’s identity in person is one thing—but doing so when the customer is at the other end of an internet connection poses a far greater challenge.
Identity verification isn’t just a concern for businesses and their customers; increasingly, it’s also a focus for regulators around the globe. Established Know Your Customer (KYC) standards and Anti-Money Laundering (AML) rules are now being complemented by new mandates and programs such as New Zealand’s Digital Identity Services Trust Framework Act, the UK’s One Login system, Switzerland’s new Swiss eID and updated guidance from the U.S. Federal Financial Institutions Examination Council (FFIEC).
Customers understand that banks and other businesses need to make sure they’re who they say they are—at least in principle. After all, identity verification doesn’t just protect the business; it also protects the customer from fraud committed in their name so they don’t become accountable for fake accounts, bogus transactions or other fallout from ongoing identity theft. On a fundamental level, identity verification helps build the trust needed to do business together.
But even with this understanding, at the end of the day customers remain highly focused on the quality of their own experience. They’re highly sensitive to processes that feel intrusive or excessive. Accustomed to instant gratification, they’re impatient with delays and can be quick to abandon a transaction and seek a better experience elsewhere. In fact, more than two-fifths of banking customers name an easier user experience as the reason they’re trying non-traditional financial services industries.
For businesses, the challenge is how to show customers that they take their security seriously while also respecting their time and convenience. Adopting a maximum-security-all-the-time posture will bloat cost while alienating customers. Instead, businesses should find the right level of identity verification for each transaction. The measures used should seem reasonable to customers and avoid adding excessive friction in the context of their current task. Similarly, the cost of identity verification, in terms of both time and money, should be proportional to the transaction being protected while also ensuring that risk is being managed effectively.
Assessing the risk posed by each type of transaction
Identity verification can take many forms, from a simple SMS access code to biometric analysis. Choosing which method to use for a given transaction involves making a judgment about the level of verification needed based on factors such as type of agreement or transaction, customer relationship and relevant compliance needs.
Broadly speaking, identity verification use cases can be grouped by risk level.
Low risk
These transactions and agreements involve small monetary amounts with no possibility for lasting or ongoing damage. The risk they pose can be thought of as analogous to shoplifting: more of an annoyance than a threat. Basic levels of verification are generally sufficient here. Examples include:
Logging into an existing subscription service account
Stopping payment on a check
Making an account-to-account transfer involving a single customer
Handling a dispute or issue
Medium risk
These transactions and agreements can expose customers and businesses to greater financial losses and ongoing fraud and call for a higher level of verification. Examples include:
Logging into an existing e-commerce account
Changing account settings and passwords
Making ACH payments or withdrawals out of institution
Granting third-party web access
Highest risk
These transactions and agreements pose the greatest hazard for businesses and customers—and they can also be the most attractive targets for fraudsters. They can involve large dollar amounts, potential identity theft, and onerous regulatory fines. For these cases, businesses should seek a high level of certainty that customers are who they say they are. Examples include:
Account opening and onboarding
Lending, leasing and financing
Insurance applications
Auto test-drive and sales agreements
Patient onboarding and consent forms
Employee onboarding
Cross-border transactions
Claims management
Dispute notices
Wire transfers
Equipment financing
Removing or changing the name or address of an owner or beneficiary
In assessing the risk of a given transaction, businesses may also want to take into account the customer lifecycle. Onboarding a new relationship calls for the most rigorous verification for compliance and security purposes. With a known customer, it can be sufficient to authenticate the customer’s credentials at a lower level.
Finding a risk-based balance among identity verification, cost and customer experience
Based on the risk levels described above, you can choose corresponding verification methods with an appropriate impact on cost and customer experience.
For low risk transactions and agreements, identity verification should involve minimal friction for the customer and minimal cost for the business. Possibilities include:
Email address verification – Customers enter their own email address, which is then compared to the email address on file.
Access code verification – Customers provide a code received by either a phone call or an SMS text message. For medium risk transactions and agreements, moderately increased friction and cost are an acceptable trade-off for the higher level of identity verification required. Possibilities include:
Knowledge-based authorization (KBA) – Customers are asked personal questions such as past addresses or vehicles owned based on information gathered from commercially available databases. (Keep in mind that KBA may be less useful for younger customers who may not yet have generated the needed credit history or public information to be queried on).
ID verification – Customers are verified using their government-issued photo IDs such as passport, driver license or residence permit.
For highest risk transactions and agreements, businesses should go further to be certain that the person they’re interacting with is the actual flesh-and-blood customer. Possibilities include:
In-person verification – The customer schedules an in-person appointment to be validated by an agent of the business.
Video call – The customer joins a trusted referee of the business for a video call, presents the requested identity documents to the camera and answers a few questions to verify their identity.
Selfie verification – The customer takes and submits one or more self-portrait photographs or videos to be reviewed by an agent, typically in tandem with additional techniques such as database verification and document verification.
Provide an additional layer of protection with liveness verification
As fraudsters seek new ways to impersonate users, they sometimes try to undermine even the highest level of identity verification methods through the use of photos, videos, 3D masks or generative AI-powered voice impersonation. Liveness verification is becoming an increasingly common way for businesses to ensure that the customer is both real and present at that moment. For example, passive facial liveness analysis can be used to determine whether a face is genuine without requiring movement. Active facial liveness screening calls for the customer to perform specific actions in a predetermined order, or to enter one-time passcodes or randomized PINs.
Liveness verification methods can also incorporate biometric checks to increase security without adding friction, helping ensure a convenient customer experience even in high-risk interactions. For example, AI can be used to compare the photo on the signer’s identity document with the video selfie they are asked to take as part of the verification process and can detect any indication that a fake webcam or emulator is being used.
As digital interactions transform every area of business, a mature and comprehensive approach to identity verification has become a baseline requirement for every organization. By evaluating the risks posed by each type of transaction and agreement your business participates in and choosing verification methods with a corresponding balance of security, cost and customer friction, you can protect your business and its customers while ensuring convenient, high-quality experiences.
Learn more about Docusign identity verification solutions.