Core to the policies financial service organizations institute to protect their customers and businesses from fraud is their Know Your Customer, or “KYC” process.
This involves running identity verification checks on customers during onboarding and beyond, and forms the foundation from which a risk management team can derive the probability of future fraudulent activity on their platform.
Unfortunately, most companies do not draw a distinction between validating a customer's identity based on the information they provided when opening an account and validating it based on their actions in the real world. The latter covers those behaviors, digital interactions, and characteristics that help predict future fraud in ways traditional KYC checks cannot.
In this post, we’ll outline standard KYC checks, where they fall short, and how combining traditional checks with first-party behavioral data allows a deeper understanding of who customers are. This understanding ultimately brings more effective prevention measures against fraud and criminal activity.
KYC Checks: A Breakdown
As a means to curtail fraud and abide by regulatory laws, KYC procedures involve data and document collection to identify individuals deemed a risk, including those blacklisted for financing or those connected with money laundering and illegal schemes.
A typical KYC framework incorporates a business’s own customer policy (including consent for data types gathered during onboarding), procedures to gather/validate data under that consent, continuous assessment of that risk through due diligence, and continuous updates on those records.
Commonly collected data during onboarding can include PII (name, date of birth, physical address, phone number, social security number), verification of PII (government-issued ID, proof of address), and biometric data (e.g. facial ID verification).
Data science teams owning this process often augment the customer profile by integrating ID verification services which cross-reference globally pooled datasets across customer bases and applications. Many of these services run further checks through ML models, scanning for inconsistencies in provided data, global scans of PEP (politically exposed persons), negative media coverage on individual names, and signs of forgery in digital documents.
Standard KYC checks are, without a doubt, necessary to build a sense of who a customer is and what risks may come from their onboarding. As mentioned, though, they often lack behavioral data collection, which furthers that context by gathering data on what a customer does specifically within a service.
Completing the Identity Picture
Similar to how traditional KYC checks seek to establish identity and history about who a customer is outside a service, first-party behavioral data gathering can establish a customer’s history through their normal interactions, letting a risk analyst minimize their assumptions about a customer without infringing on their experience.
While document forgery and identity theft are unfortunately common practices, behavioral data is incredibly difficult to fake. These datasets can then be combined with third-party identity verification services and applied to models predicting fraud, tuned across any typology a company may experience.
Properly executed with customized fraud models, first-party behavioral data gathering can help build statistics on both individual customer histories and aggregate customer behavior specific to an application or service.
If we take bank account opening fraud as an example, an average new customer might be assumed to be unfamiliar with navigating the account opening flows, but familiar with the data they are inputting (such as a name, phone number, or date of birth). Collecting the right kinds of data and building specific fraud models around account opening fraud serves teams in a way that isn’t possible with ID verification alone.
Combining ID verification with behavioral data
To combat account opening fraud, a data science or risk team can combine third-party ID verification with first-party behavioral data acquisition to construct a decision tree like this:
- Customer opens account by filling out data form and submitting digital records
- The company calls ID verification API to run checks on data gathered:
  - cross-check PII for inconsistency
  - cross-check individuals for blacklists / negative press
  - validate document authenticity
- Company calls behavioral data gathering SDK to collect data that includes accelerometer readings, device orientation, pointer, text/focus change events, individual keypress events, etc. See SDK data model.
- The company validates behavioral data using pre-defined heuristics relevant to account opening fraud: application fluency score, device fluency score, data familiarity score, and expert usage (keyboard shortcuts, minimal keystrokes).
- Customer numerical scores and pre-defined heuristics are combined to slot customers into pre-defined buckets:
  - Simplified due diligence – low risk
  - Basic due diligence – uncertain risk
  - Enhanced due diligence – further risk mitigation
- The company takes predefined action based on the customer bucket.
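One way to sketch this decision flow in Python, as an added example that is not from the original post or any vendor SDK. The event format, field names, score definitions and thresholds are all assumptions made for illustration, and only two of the listed heuristics (data familiarity and expert usage) are modelled.

```python
from dataclasses import dataclass

PII_FIELDS = {"name", "dob", "phone"}  # assumed form field names
MIN_FAMILIARITY = 0.8                  # assumed threshold
MAX_EXPERT_USAGE = 0.2                 # assumed threshold

@dataclass
class IdCheck:
    """Hypothetical summary of a third-party ID verification response."""
    pii_consistent: bool
    watchlist_hit: bool
    document_authentic: bool

def behavior_scores(events):
    """events: (field, kind) pairs; kind is 'key', 'backspace', 'paste' or 'shortcut'."""
    pii = [kind for field, kind in events if field in PII_FIELDS]
    typed = sum(kind == "key" for kind in pii)
    fixes = sum(kind in ("backspace", "paste") for kind in pii)
    shortcuts = sum(kind == "shortcut" for _, kind in events)
    return {
        # share of PII input typed straight through, without corrections or pastes
        "data_familiarity": typed / (typed + fixes) if typed + fixes else 0.0,
        # share of all events that are keyboard shortcuts
        "expert_usage": shortcuts / len(events) if events else 0.0,
    }

def due_diligence_bucket(id_check, events):
    # Hard ID verification failures go straight to enhanced due diligence.
    if id_check.watchlist_hit or not id_check.document_authentic:
        return "enhanced"
    s = behavior_scores(events)
    signals = [
        not id_check.pii_consistent,
        s["data_familiarity"] < MIN_FAMILIARITY,  # unfamiliar with "their own" data
        s["expert_usage"] > MAX_EXPERT_USAGE,     # unusually fluent for a new customer
    ]
    # 0 signals -> simplified, 1 -> basic, 2 or more -> enhanced
    return ("simplified", "basic", "enhanced")[min(sum(signals), 2)]

# Constructed sessions for illustration (not real SDK output).
CLEAN_ID = IdCheck(pii_consistent=True, watchlist_hit=False, document_authentic=True)
TYPED = [("name", "key")] * 10 + [("name", "backspace")] + [("dob", "key")] * 8
PASTED = [("name", "paste"), ("dob", "paste")] + [("phone", "key")] * 4
SCRIPTED = [("name", "paste"), ("form", "shortcut"), ("dob", "paste"),
            ("form", "shortcut"), ("phone", "key"), ("phone", "key")]
```

A single behavioral signal only moves a customer to basic due diligence, so a legitimate user who pastes from a password manager is not treated the same as a session that combines pasted PII with heavy shortcut use.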
A Complete Approach to Risk Mitigation
First-party behavioral data acquisition is a way for companies to take their knowledge of the customer a step further, earlier on in the verification process. And because this data collection does not rely on the completion of security checks (i.e. CAPTCHAs, 2FA prompts, security questions), it can occur at any point in the user’s historical timeline or interaction funnel.
When combined with ID verification and KYC processes, behavioral data collection serves to strengthen the risk data ecosystem that serves as a foundation for uncovering a diverse set of fraud typologies.
Whether the concern is commonly experienced fraud types or synthetic fraud types specific to a service, fine-grained behavioral data gathering lets data science teams build and tune the most appropriate risk models for the highest level of efficacy and predictability.