Know Your Customer: that’s a sound management practice for any business. And for financial organizations in the U.S., it’s a legal requirement mandated in the Bank Secrecy Act of 1970 and the USA PATRIOT Act of 2002.
But in this age of remote account opening and cyber fraud, even the best-intentioned companies have trouble really knowing their customers.
Who, exactly, are they really transacting business with on that smartphone, tablet, or PC, which might be thousands of miles away?
Do companies understand those customers—really have enough insights about them—so they can make the right decisions, rejecting fraud operators, offering the right mix of products and services to legitimate customers, and building long-term, profitable relationships?
The Mueller Indictment against 13 Russians and Its Lessons for KYC Authentication
Case in point: The Department of Justice’s indictment on February 16, 2018 of 13 Russian nationals and 3 companies for interfering in the 2016 presidential election. Included in the indictment were details about how a U.S. citizen, Richard Pinedo, helped the Russians funnel money through bank accounts opened with stolen IDs.
According to a statement filed by the DOJ on February 12, Pinedo sold bank account numbers over the internet. He obtained the numbers either by opening accounts himself or by purchasing them in the names of other people over the internet. Many of those purchased accounts were created using the stolen identities of U.S. citizens.
Pinedo helped the Russians defraud PayPal (referred to as “Company 1” in the DOJ’s February 12th filing) in part by helping them circumvent one of its security measures.
PayPal employs a well-known method of verifying the owner of a bank account. It makes “de minimis trial deposits”—that is, tiny deposits, typically adding up to about $1—and asks the account owner to confirm these amounts. Pinedo used his access to the accounts to relay the de minimis deposit amounts to the Russian nationals.
Having bypassed this industry standard security measure, the Russians were then free to use PayPal to funnel funds to campaign activities in the U.S.
What might have thwarted or at least complicated Pinedo’s efforts? Requiring a photo ID along with account number information.
In other words: better customer identity intelligence. Better data correlated from multiple sources about who those customers and would-be account holders really are.
In this case, PayPal might have been able to thwart Pinedo and his Russian colleagues by requiring real-time ID authentication at account opening.
Multi-factor authentication—a security best practice—requires users to provide at least two of three different types of information:
- Something you know, such as a password or account balance
- Something you have, such as a hardware token
- Something you are, such as a fingerprint
Authenticating by trial deposits does verify that somebody has access to a specific bank account. But if the account has been opened with stolen credentials, authentication by trial deposits will not detect the fraud. This technique has no way of determining if the person with access to the account is really who they say they are.
Simply put: de minimis trial deposits are too “minimis” for knowing your customer and preventing fraud.
This DOJ indictment is newsworthy in lots of ways, including the light it shines on shortcomings in widely practiced customer identification technologies.
Beyond Rudimentary Anti-Fraud Measures: Customer Identity Intelligence
The point here is not to single out PayPal, a company that is well known for its anti-fraud measures. It’s rather to point out the need for Customer Identity Intelligence generally.
And Customer Identity Intelligence offers as much benefit to a company’s VP of Sales as it does to the company’s compliance officer.
Customer Identity Intelligence enables companies to know customers anywhere, anytime, on any device, and make the most profitable decisions based on that knowledge.
Accelerated Insight for Customer Identity Intelligence
At Accelitas, we’ve created a real-time web services platform to deliver Customer Identity Intelligence to businesses of all kinds. Our Accelerated Insight Platform® features two web services specifically designed to address the challenges of authenticating consumers on mobile devices, confirming their identities while delivering a fast, frictionless customer experience.
- AI Extract reads government-issued IDs such as driver’s licenses and passports, extracts barcode and text data, and uses extracted data to auto-form-fill account applications, dramatically reducing the amount of time consumers have to spend typing on their smartphones and tablets.
- AI Authenticate applies patented AI techniques to analyze IDs for fraud and instantly authenticates IDs, returning an indication of whether a submitted ID is real or fake. AI Authenticate also tokenizes IDs, so they can be instantly recognized in future transactions.
- AI Verify performs advanced data analysis on submitted consumer information to verify identities for KYC/CIP compliance and return financial risk/confidence scores in real time. As part of its analysis, AI Verify returns the most recently reported address—a detail that can be used as a challenge question to prevent identity theft. Analyzing AI Verify results helps organizations detect trends in identity theft and other types of fraud.
Using these services, businesses can open accounts for mobile users with a high degree of confidence that consumers are really who they say they are. Accelerated Insight helps thwart fraud operators who turn to mobile services to steal funds or transfer funds surreptitiously as part of a nefarious campaign.
Interested in learning more about Accelerated Insight and Customer Identity Intelligence? Let’s talk.