KYC: How to Avoid Fraud in Your Fintech App
October 8, 2019
Nowadays, people can run the world via their mobile phones. We can communicate with friends, perform task management, financial operations, order or buy things, and so on. Nearly every aspect of our lives is becoming easier and more convenient.
From this perspective, the unstoppable growth of the digital banking system inspires me the most. People are ready to give financial institutions or branchless banks their money without visiting the official branch. Such organizations are called challenger banks in the UK. From the other side, banks are ready to open an account for a person whom they have never seen before. The risk from both sides is enormous. However, billions of customers use the services of neo banks and trust them with their funds.
By the way, not only the banking sector is undergoing the digitalization of their products. Investment, insurance, credit, and loan/leasing companies are optimizing the process of registration and execution of their services for their users too.
A few years ago, I wasn’t even thinking about the virtualization of the banking system. Almost two years ago, we started to work on a new product in the UK financial institution – Dozens. We created this fintech application from scratch. The name of our company is Dashdevs, we are an outsourcing company that was completely involved in the process of the product development. We are a fintech consulting organization with a deep understanding of the technical background. From our side, we dove deeply into the process of selection and communication with the vendors. We needed to think about a lot of stuff. My position on this project is a product owner. However, when this project started, I didn’t have any experience in fintech or regtech. It was a little bit hard and unusual for me because I couldn’t find any systematized information about fintech from the product perspective. However, I’ve received a lot of insights based on my own experience. At his point in my life I’ve already cooperated with a few fintech companies and gained a lot of useful knowledge, and being a product owner myself, I decided to write several articles specifically for future and current fintech product owners.
This article is dedicated to the very first step of account creation – Know Your Customer/Consumer (KYC) procedure. This is the most crucial step because you need to prevent fraudulent activities from taking place during the account creation process.
First of all, we need to clear up two different terms that are usually used together:
- Know Your Customer/Consumer (KYC) is the procedure of a business verifying the identity of its clients. Basically, during this process, financial institutions are assessing potential risks of criminal intentions for the business relationship. During this step, we need to block anyone identified as a politically exposed person (PEP), sanctioned people, cybercriminals, and fraudsters. With PEP, everything is complicated because we need to consider the person who performs an entrusted public function or holds a public office. In addition, they check anyone closely tied to that person.
- Anti-Money Laundering (AML) fights against money laundering that is used in illegal arms and drug trafficking, financing of terrorists, and in the proliferation of weapons of mass destruction. There are lists of people who have been proven to be connected to the activity described above. That’s why, during the registration process, you need to eliminate the possibility of registration of such bad actors. In many government regulations, it is required that financial institutions establish such checks and procedures. In order to do this, they need to control all people and businesses who try to open an account. Financial organizations have to monitor the transaction, identify suspicious activity, and notify the authorities when suspicious transactions occur.
Fraudsters will attack all newborn financial institutions. This is because they usually have some holes in the registration process that allow criminally minded individuals to create accounts and perform illegal activities. There is a list of preventative measures that you can take to identify the person who is applying for the services of the bank that you are working with/for.
Possible checks of KYC:
- Identity check uses the photo of a real document, recognizes data on it, and checks if it is authentic and that it belongs to the user. This step requires using artificial intelligence (AI), machine learning (ML), computer vision, Optical Character Recognition (OCR), and Natural Language Processing (NLP).
- Liveness check is another way to prove the identity. There can be a few ways to authenticate this step: photo, video, and/or live-streaming. A photo liveness check requires the user to submit a selfie. There can be additional requirements such as holding a piece of paper in their hand with the current date written on it. A video liveness check asks the user to conduct a live video. During this process, the end-user needs to do some random actions - say the custom expression, move his/her head from side to side, move their eyes, and so on. The basic requirements are being in a quiet place, good lighting, and being the only one person in the video. A live-streaming check is the most expensive of the user authentication for a business and is sometimes the most inconvenient for the user. On some steps of the registration, the software application asks the user to give access to the camera. The bank employee makes a video call to the user via the banking application. Bank officers ask basic questions to prove that the person really is the individual that they are claiming to be. Usually, people don’t expect such a video call, and they are not prepared.
Address proof helps prove that the user belongs to the place that he/she had mentioned. Primarily, the user needs to send some actual bills (telephone/utilities bill). Usually, this kind of check is used as an additional verification step. By the way, some financial institutions have a particular requirement for Commercial addresses. They don’t allow users to use such addresses.
Typically, the government doesn’t require any specific KYC checks or a proper flow for user verification. Nevertheless, it is in the best interest of the company to avoid any fraudulent activities from transpiring in their system. That’s why fintech companies use a few different kinds of checks and a limited number of providers on the market for them to protect themselves.
I think the first question you may ask yourself is, what is the best option for my business? I prepared a list of items that may help you define what checks are necessary:
- What documents are you going to accept? Basically, you need to understand the goal of the user identification process and choose the most appropriate list. Sometimes the market’s regulatory system within which your product is located will give you guidance (e.i. Passport, Driving License, or National ID only).
- What is critical to check? All Products require submitted documents to be verified and authenticated. You definitely need to check that the person has not been sanctioned, is a PEP (Politically Exposed Persons), or is on any cyber-crimes lists.
- What countries do you plan to operate in? This question is critical for the Product vision and the selection of the provider. Every jurisdiction has different requirements and particular lists of documents that need to be submitted. .
- Do you want to be able to change different settings for the identity check in different countries? This feature is used in many financial institutions that work with different markets. For example, some countries only have an identity and photo check. But for the high-risk countries, they set up video liveness checks and proof of addresses.
- What are the non-functional requirements for the check? One of the most usual KYC requirements is to check the geoposition of the device at the moment of verification. It can help you detect if someone tries to impersonate real users.
- Is the product going to work only with individual users? The processes of KYC and KYB (Know Your Business) are different. One service provider can work only with KYC and another only with KYB.
- Are you going to have only mobile solutions or you are going to have web apps for the product with the same stack of functionality? You need to remember that not all PC/laptops have a webcam (or a good webcam) for liveness checks. The user can’t easily change their position. From another perspective, some KYC providers have only mobile SDK that they can’t be used for web applications.
After you define what checks need to be done, you need to create wireframes of the KYC flow in your software application. I don’t suggest starting with the full design because the KYC service provider will have a significant impact on your vision of the best user flow. We had a lot of issues with some of our providers along the way. Another big architectural problem that arises when working with a few KYC providers for one product is that you need to sync them on your platform. I have prepared a few questions for your KYC provider that can help you avoid unexpected surprises:
- What documents are you working with? You may find out that the vendor accepts only a few options.
- How does the provider check the identity of the user? You need to understand what processes exist under the hood to evaluate the results of the provider. There are three basic options: check holograms, checksums on the documents, or check in the government databases. The last one is more expensive for the provider, but more precise.
- What countries is the KYC vendor working in? Each country is an additional source for the vendor.
- Does the provider do KYC and AML using their own resources or do they have partners? You may be faced with a situation where you are working with the vendor company, which does nothing by themselves. They are using the resources of another vendor. It may increase the cost of the service for you.
- Do they have SDK for mobiles? SDK stands for software developers kit. They can be native for IOS/Android, or hybrid for React Native, Cordova, Xamarin. It is a small application inside of your fintech application with some predefined flow. Some SDK can have integrated OCR and check for photo quality. These additional features are going to validate a user’s photo before sending it off for the main check. It improves the user experience and helps the user pass through the identity verification process for the first time. Overall, if your provider has SDK - ask more about all the functionality it has.
- What can be customized in the SDK? It is better to know the answer to this question before you start to create the final design. You may be really disappointed when realizing that nothing can be changed in the SDK. However, nowadays, KYC vendors have begun allowing some small changes that make the application look consistent. For example, customization of the background colors, color/size of the buttons, and text labels can be applied. Pay additional attention to the provider advertisement. You may have a “Powered by …” label in your app.
- Does the provider have an API for mobile and web applications? In some cases, the requirements for verification can’t be accomplished with an SDK. API stands for Application Programming Interface. The API allows you to send some requests to the vendor for verification according to your preferred user flow, but not as is designed by the API.
- Can the API and the SDK of the same vendor be used together for the mobile application? This is another tricky question for the KYC provider. You may receive the NO answer. You’ll need to choose one or another.
- What are the supported devices for an SDK? Depending on the country you are going to work with, the list of the most popular (the most used by your target audience) devices can differ. You need to check that the SDK has no limitations for the list of devices.
- How many development environments does your vendor have? Usually, it is better to have at least two: a test environment and a production environment. A lot of providers have only one environment - production. It means that you are paying for every test check of your QA team. Believe me, sometimes they can be really active.
- Does the vendor have full SDK and API documentation of a production environment? If you want to have a smooth development process, it is better to give them full documentation. Some of the requirements might not be so obvious for the developers, and it will make their heads spin.
- What are the possible responses from the KYC vendor for the check? The most common approach is to have a few kinds of answers like – Positive, Negative, False Positive, and False Negative. However, some providers may give you a Yes/No answer. By the way, it is great if your provider can send you the reason for failure in the server side response too.
- Can we change the fuzziness levels for the verification checks? Fuzziness is a coefficient that is used for comparison of the names. It may be from 0 to 1. Basically, this level defines if Alexander and Aleskandr are the same names.
If you select the vendors for both KYC and AML processes, and you think that your headache is over, then you are in for a bit of a surprise. If you are using a few providers, you need to synchronize them. There must be some sequence of checks. However, this is not the most painful. Now you need to think about your compliance and support teams.
They need to have a dashboard where they can see the results of all KYC checks. As a sequence, they need to be able to
- contact the user and ask for additional information,
- upload additional documents,
- restart KYC checks,
- block the user,
- and so on.
Fraudsters are tricky. They are always trying to gain access to your system from different sides. They use different phone numbers, emails, documents, name spellings, and so on. So, you need to have an additional check that verifies if the user who is trying to register has not been already blocked in your system.
KYC and AML services are just the beginning of your journey to the exciting world of Fintech.
Hope this article can help you secure your fintech application from fraud and cybercriminals.