Note: this is a summarized excerpt from our ebook “The identity professional’s guide to getting (and staying) compliant - with the regulations that affect your business.”
If you’re in charge of your company’s compliance program, you’ve probably found things getting more complicated recently. There are endless new regulations. New penalties. New threats to be aware of. The list goes on! What’s driving all of this complexity?
Below, we take a closer look at some reasons that we believe compliance is becoming so complex. We also offer advice you can use to design and implement a flexible IDV program capable of adapting to this complexity.
Want a deeper look at these factors and the steps your business can take to get and stay compliant, regardless of what the regulators and lawmakers throw your way? Download our recently published Identity professional’s guide to getting (and staying) compliant - with the regulations that affect your business.
Why is regulatory complexity exploding in recent years?
Compliance has always been a complicated issue, but it’s definitely become more complex recently — especially where identity and age verification are concerned. Here at Persona, we believe that this is largely due to four reasons:
- More industries are being regulated
- More businesses are going global
- There’s more fraud
- Privacy is increasingly in focus
1. More industries are being regulated
In certain industries — like the financial industry and adult entertainment industry — identity verification and age verification are the name of the game. But for many other industries, new requirements have spawned in recent years from legislators looking to protect online users from fraud and harm.
Consider, for example, the following industry-specific regulations passed in recent years. Each requires some form of identity or age verification:
Social media: In the US, a number of laws requiring social media platforms to perform age or identity verification on their users are under consideration at the federal level, including the Protecting Kids on Social Media Act. Add to that state-specific legislation like the CA AADC in California, HB 465 and SB 194 in Utah, HB 3 in Florida, and similar laws in other states. Internationally, there are laws like the Online Safety Act in the UK and the Digital Services Act in the EU to consider.
Online marketplaces: The INFORM Consumers Act requires all online marketplaces operating in the US to verify certain key information about high-volume sellers that use their platforms (like the sellers’ contact information, banking details, and tax ID number). The DAC7 in the EU has similar requirements for online marketplaces operating in any EU member state.
Online delivery: Online businesses that deliver age-restricted goods (like alcohol or tobacco) must comply with a variety of state-specific IDV laws requiring verification either at the point-of-sale, during delivery, or both.
Adding to the confusion is the fact that many businesses no longer operate entirely in a single industry. Many social media companies, for example, now offer financial services in the form of person-to-person money transfers. Others run online marketplaces for their users, or offer online gaming as a part of their platforms. And others yet may allow users to post age-restricted content.
All of this cross-industry expansion blurs the boundaries, making it even more difficult for businesses to know which regulations they must adhere to.
2. More businesses are going global
In the past, many online businesses would focus on core markets in a specific geography before going international. But this isn’t really the case anymore. Today, many online businesses and applications are international from the start — or are soon after launch.
Consider ChatGPT, for example, which was launched by OpenAI in November of 2022. Less than 2 years later, the application is available and supported in 188 countries and regions. And when Meta launched its Twitter competitor Threads in 2023, it was immediately available to users in more than 100 countries.
This drive to scale makes sense from a business perspective. But it also makes compliance more difficult, because IDV and age verification requirements can vary significantly from country to country.
3. There’s more fraud
Many of the regulations that require companies to perform identity verification exist for one reason: To reduce fraud and create a healthier online ecosystem for consumers. The INFORM Consumers Act, for example, which requires online marketplaces to perform seller verification, was designed to reduce the sale of counterfeit goods; and most KYC and KYB regulations impacting the financial industry are designed to reduce instances of money laundering.
But fraud trends today are vastly different from what they were even just five years ago. While there are many factors contributing to this fact, a lot of these changes can be tied back to the development and distribution of generative AI tools which have empowered fraudsters to launch larger and more sophisticated attacks, faster than ever before.
Today’s online businesses now need to contend with a variety of threats that simply didn’t exist in the past, including AI-generated images, IDs, and videos that fraudsters use to try and bypass selfie, document, and ID verification. Add to that AI-generated voice and text that’s being used to increase instances of phishing, promo abuse, and account takeover fraud, and it’s clear that businesses have more on their plates.
4. Privacy is increasingly in focus
Today’s online businesses collect more data from their customers and users than ever before — including sensitive PII. In the process, many businesses have found themselves in the crosshairs of fraudsters looking to steal that valuable data, which can be used to generate synthetic IDs, steal a person’s identity, and everything in between.
As larger and larger data breaches and data leaks make the headlines each year, governments around the world have begun enacting data privacy laws that require businesses to take steps to protect and secure user data. Examples include the GDPR in Europe, CCPA and CPRA in California, and COPPA in the US, amongst others.
While essential, data privacy laws only add to the regulatory complexity that businesses must adhere to. It’s not enough to collect a customer’s or user’s identity information and proof; now, in many cases, there’s a legal requirement to keep that data safe.
What do most teams do?
Confronted with the challenges outlined above, it’s only natural that many compliance professionals will feel pressure to bring their businesses into compliance as quickly as possible. They might even be tempted to go with the first IDV solution that promises compliance “out of the box.”
In our opinion, that’s a mistake.
Why? Because fraud and compliance aren’t problems that you can solve once and then never think about again. They’re never truly done. The challenges you’re focused on now might be urgent, but the simple fact is that they’re unlikely to be the same challenges that your business is focused on in a year or two — much less in 5 or 10.
With this in mind, most online businesses would be best served by building an IDV program that meets their needs today — while being flexible enough to change and adapt as regulations, business objectives, fraud trends, and customer expectations continue to evolve.
So what’s the solution?
If that sounds great, but you don’t know where to start, don’t worry: You’re not in this alone. It can be difficult to know what questions to ask or how to get the ball rolling on such a far-reaching initiative. That’s why we’ve spent the past few months pulling together our newest ebook, “The identity professional’s guide to getting (and staying) compliant - with the regulations that affect your business,” which lays out a detailed, step-by-step process you can follow.
The first step? Understanding what the regulation is there to do.
When you find yourself staring down the barrel of a new regulation, it’s natural to start looking for the requirements — what your business needs to do to comply with the regulation. But it’s also important to look for the law's intent: What the regulation is actually trying to achieve.
Consider, for example, the following three laws, each of which requires businesses to perform some form of identity or age verification: The INFORM Consumers Act, Bank Secrecy Act (BSA), and the UK’s Online Safety Act.
But verification itself is not the goal of these regulations. Instead, when we look closer at the INFORM Consumers Act, we see that the law is trying to reduce instances of counterfeit fraud. When we look at the BSA, we see that it’s trying to limit money laundering. When we look at the Online Safety Act, we see that it’s trying to protect children and teens from harmful content.
Understanding a law’s intent is important, because it gives you additional context that you can use to inform your strategy. It can also help you anticipate where regulations are going to go in the future, allowing you to take preemptive steps to protect your business.
The second step? Keep reading!
Ready to move on to the rest of the steps? Download the ebook for free today, or reach out for a demo to see how Persona can help.