We all know the old maxim “what you don’t know can hurt you,” but you can also say that “who you don’t know can hurt you.” Identity theft costs individuals, businesses, and governments billions each year. And it’s not letting up.
Identity verification matters because it serves as the fundamental guardian of financial assets and sensitive data in our increasingly digital world, where identity theft and fraud pose growing threats to individuals and organizations alike.
Explore the methods and the current best practices of identity verification, examining how businesses and government agencies can validate that people are who they say they are in both digital and physical environments—thus protecting both themselves and the people they work with.
What is identity verification?
Identity verification is the process that an organization undertakes to confirm that an individual who seeks to do business with the organization is truly who he or she claims to be.
Again, it’s not news that more and more interaction between organizations and users is being conducted online. Users are persons and entities—customers, clients, vendors, and beneficiaries—accessing an organization’s digital presence, almost always via a website. While the pace of digital interaction has increased steadily during the current millennium, the recent pandemic put that pace into overdrive, accelerating the need for rigorous digital verification processes.
Many people use the terms “identity verification” and “identity authentication” interchangeably. In fact, these terms aren’t identical. Identity verification is what the organization does, while identity authentication is what the user does to prove that he or she is the true “holder” of the identity. Verification establishes a legitimate user’s identity, while authentication prevents unauthorized users (fraudsters and other cybercriminals in particular) from accessing the organization’s digital infrastructure. Both are needed to ensure identity security.
From the organization’s perspective, identity verification imparts several crucial benefits:
- Protection against fraud and identity theft. Identity security interconnects with cybersecurity.
- Being compliant. Meeting regulatory compliance requirements, such as U.S. and global know-your-customer (KYC) and anti-money laundering (AML) regulations.
- Building trust. By ensuring the security of digital transactions through digital identity verification, companies can make their customers feel comfortable with making digital transactions.
- Fraud prevention. Reducing fraud risk also reduces operational expenses.
Industry use cases
Verification is critical in sectors where the risk of identity fraud and theft is particularly high. This isn’t to say that businesses in other sectors aren’t targeted by identity fraudsters. Even smaller businesses are vulnerable. All that noted, the sectors most at risk include:
Financial services
Banks, mutual fund firms, and brokers and dealers in securities all need to meet federal Financial Crimes Enforcement Network (FinCEN) regulations regarding customer due diligence (CDD), KYC, and AML. Financial services firms should verify users’ identities whenever they open accounts to protect against fraudulent transactions and account takeover, among other risks.
Government
Identity verification is absolutely necessary to ensure that government benefits and services are being given to those to whom they’re entitled (and who often desperately need them). ID verification also is used for border control and by law enforcement.
Corporate
Employee and vendor verification protects company and customer data, including intellectual property and other proprietary information. Identity verification also controls access to certain sensitive parts of a business’s facilities.
Healthcare
Healthcare entities need to be sure that the people receiving treatment and medications are actual patients. Insurers must verify the identities of those receiving payments. In addition, the Health Insurance Portability and Accountability Act (HIPAA) requires identity verification from anyone requesting an individual’s protected health information (PHI).
E-commerce
Customer verification is essential to prevent fraud in transactions and to ensure accurate payment processing and customer account security.
Understanding the implications
As with any fraud risk mitigation strategy, effective identity verification isn’t a simple process. It comes with several different types of challenges:
- Business operations challenges
- Technical challenges
- User experience challenges
- Regulatory challenges
Business operations challenges
An effective identity verification program has significant upfront costs and requires appropriate resource allocation. There also are costs associated with maintaining the program. What’s more, organizations need to spend time and money training employees in proper verification techniques.
Technical challenges
Related to these challenges are the organization’s IT requirements involving identity verification. Most notable of these are integrating ID verification processes and digital platforms into the organization’s network.
User experience challenges
Users don’t like to wait, and they hate having to jump through seemingly innumerable hoops just to make a single transaction, or finding that the functionality does not work. Website designers and other IT professionals refer to this as user friction or UX friction. Organizations should balance thorough identification protocols with ease of access.
Regulatory challenges
Organizations need to comply with industry or legislative regulations created to prevent money laundering and terrorism financing. Examples include:
- KYC and AML regulations established by FinCEN and other government entities.
- Customer Identification Program (CIP). U.S. financial institutions should be familiar with this federal requirement established in 2003. It requires them to create identity verification programs conforming to specific guidelines.
- Electronic Identification, Authentication and Trust Services (eIDAS). This European Union (EU) regulation was established in 2016 to oversee electronic identification and trust services for digital transactions within EU countries. In 2020, the EU promulgated the Fifth Anti-Money Laundering Directive, which set up new AML rules. Like eIDAS, these rules primarily affect EU member countries, but organizations in non-EU countries that have European operations and/or customers may be required to conform with them.
The framework of identity verification
The process of identity verification starts with initial identity proofing, the process of ascertaining a user’s identity for the first time. For most organizations, this occurs during the onboarding of a new account. From there, the organization engages in various verification strategies.
Methods of identity verification
The verification process typically includes one or more of these approaches:
In-Person Verification
This method requires the user to submit verification documents in person. For document verification, the organization may request that these documents be notarized, or that a witness be present who can vouch credibly for the user’s identity. Valid documents may include a driver’s license, a passport, or other type of government ID card that includes a photo.
Database Verification
Here the organization accesses and analyzes identity data provided by public records (phone numbers, address, date of birth, etc.), employment histories, credit lists, and various national and international watchlists. The organization may also scrutinize a user’s social media accounts.
Knowledge-Based Authentication (KBA)
If you’ve ever provided the name of your first pet or your favorite vacation spot to access an account, you’ve experienced KBA. It uses security questions the user chooses during the account onboarding process. A variation that is considered more secure is dynamic KBA, which asks questions that the user hasn’t chosen ahead of time.
One-Time Password (OTP)
This is a familiar form of two-factor authentication, where the organization sends the user a special code via text or email, which the user then enters to receive account or network access. The code is used only once, and it’s usable for only a brief period of time. OTPs can also be sent to a user’s mobile app or a third-party authenticator app. Since email accounts can be compromised, they’re considered less secure than other “recipients” of OTPs.
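An added example, not taken from the original article or from any Thomson Reuters product: server-side handling that enforces the two OTP properties described above (single use, short validity) and goes one step further by capping wrong guesses. The class name `OtpStore`, the 300-second window, and the three-attempt limit are assumptions chosen for illustration.

```python
import hashlib
import hmac
import secrets
import time

OTP_TTL_SECONDS = 300  # assumed validity window ("brief period of time")
MAX_ATTEMPTS = 3       # assumed cap on wrong guesses per issued code


class OtpStore:
    """In-memory store of pending codes keyed by user id (hypothetical name)."""

    def __init__(self, clock=time.time):
        self._clock = clock   # injectable so expiry can be tested
        self._pending = {}    # user_id -> [digest, expires_at, attempts_left]

    @staticmethod
    def _digest(code):
        # Keep a digest rather than the code itself in server state.
        return hashlib.sha256(code.encode()).digest()

    def issue(self, user_id):
        # CSPRNG, zero-padded to six digits; a new code replaces any old one.
        code = f"{secrets.randbelow(10**6):06d}"
        expires_at = self._clock() + OTP_TTL_SECONDS
        self._pending[user_id] = [self._digest(code), expires_at, MAX_ATTEMPTS]
        return code  # pass to the delivery channel; do not log it

    def verify(self, user_id, submitted):
        entry = self._pending.get(user_id)
        if entry is None:
            return "no_code"            # never issued, or already consumed
        digest, expires_at, _ = entry
        if self._clock() > expires_at:
            del self._pending[user_id]
            return "expired"
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(digest, self._digest(submitted)):
            del self._pending[user_id]  # single use: a replay finds nothing
            return "ok"
        entry[2] -= 1
        if entry[2] <= 0:
            del self._pending[user_id]  # force a fresh code after repeated misses
            return "locked"
        return "wrong"
```

Without the attempt cap, a six-digit code can simply be guessed within its validity window, so expiry and single use alone are not sufficient.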
Biometrics
Biometric verification is based on a user’s physical characteristics. Methods include fingerprint scanning, facial recognition, voice recognition, and iris scanning.
Liveness Detection
This term refers to techniques that determine whether the source submitting biometric identification is actually a human being and not a person or program using a fake identity, a type of fraud known as spoofing. Typically, the organization analyzes facial recognition data—the user is often required to take and submit a selfie during onboarding. There are two types of liveness detection: active, which requires the user to perform a “sign of life,” that is, an action (such as a nod or wink) that a spoof can’t replicate; and passive, which uses multiple algorithms to identify spoofing.
Best practices of identity verification
As organizations continue to bolster their identity verification rules and processes, they need to stay abreast of best practices. Besides enhancing cybersecurity, optimizing user experience, and maintaining regulatory compliance, identity verification best practices include:
- Regularly re-verifying users’ identities
- Establishing and maintaining multi-layered identity verification processes
- Continually updating IT systems and verification protocols
- Setting up response plans in case of fraud due to false identities
Choosing the right solution
The need for organizations to establish and maintain rigorous identity verification processes will continue to accelerate. To mitigate the risk of false identities, businesses and government agencies will need to incorporate the most current methods to stay ahead of fraudsters, hackers, and other cyber-criminals, who also are constantly developing “innovative” ways to break into IT systems to steal financial assets, sensitive data, government benefits, and customer identities.
Thomson Reuters® CLEAR ID Confirm is an option to help your organization verify identities. Verify individuals and businesses with customizable risk criteria, confidence scoring, and extensive public records data to enhance your identity verification workflow.
- Configure to meet your needs: Customizable identity verification settings to meet your organization’s individual needs. Receive administrative control over definition build and assignment. Determine whether identity risk exists in your investigation.
- Manage risk with a risk score: The scoring set by your organization allows you to determine which data is most relevant to a specific case. Easily find out if your subject of interest has an acceptable level of risk. Configure scoring options with threshold or minimum score, match types, weighting fields, and numeric or yes/no scores.
- Use multiple data sources: Fully equipped with credit header data, OFAC lists, FEIN information, international records, and work affiliations information, covering customer and vendor verification needs.
Thomson Reuters is not a consumer reporting agency and none of its services or the data contained therein constitute a ‘consumer report’ as such term is defined in the Federal Fair Credit Reporting Act (FCRA), 15 U.S.C. sec. 1681 et seq. The data provided to you may not be used as a factor in consumer debt collection decisioning, establishing a consumer’s eligibility for credit, insurance, employment, government benefits, or housing, or for any other purpose authorized under the FCRA. By accessing one of our services, you agree not to use the service or data for any purpose authorized under the FCRA or in relation to taking an adverse action relating to a consumer application.