In nearly every online space — from online banking and shopping to social media and remote hiring — companies need a way to verify the identity of the person they’re interacting with.
Having an effective, efficient system for confirming customer, business, and employee identities helps protect your organization against fraud, particularly as digital fraud cases increase in number and sophistication.
But how do you prove someone is who they say they are?
That’s where identity proofing comes in. Keep reading for an explanation on identity proofing and how it differs from identity verification, plus strategies for carrying it out.
What is identity proofing?
Identity proofing is a method of verifying someone’s identity. The National Institute of Standards and Technology defines identity proofing as “the process of providing sufficient information to establish an identity.”
Identity proofing involves gathering someone’s personal information (e.g. name, date of birth, and physical address), as well as collecting identity documents (e.g. passport and ID) and performing face-matching.
Companies then review this information for authenticity and consistency.
Identity proofing vs identity verification
Many companies use the two terms interchangeably, but there’s a subtle difference between identity proofing and identity verification. Identity proofing and identity verification involve similar steps, but they have slightly different goals.
The goal of identity proofing is to establish a connection between the pieces of identity information a user submits and ensure the legitimacy of their claim. Identity proofing is typically a one-time interaction done at the point of onboarding using government-issued IDs and face-matching.
The goal of identity verification, on the other hand, is to prove that a person is who they claim to be. Identity verification is an in-depth due diligence process that involves multiple verification steps. In addition to the steps you do with identity proofing, identity verification also requires looking at passive signals, like user behavior, to ensure that someone is who they claim to be.
What’s more, identity verification is ongoing — it requires consistently gathering and analyzing data to re-verify someone’s identity over different situations.
Why is identity proofing important?
Identity proofing is key to preventing fraud and ensuring compliance in your business. Let’s break these two reasons down:
Identity proofing can prevent fraud
Fraudsters rarely conduct business under their own names, so successful identity proofing can help keep fraudsters off your platform. You can use identity proofing as part of an identity verification strategy to guard against a range of different types of fraud, including marketplace fraud, internal fraud, account takeover fraud, and synthetic ID fraud.
Plus, when you verify your users’ identities, it facilitates trust and safety on your platform, ultimately leading to a better user experience.
Identity proofing is often required
Many regulatory organizations and government bodies require companies to implement some form of identity proofing or identity verification into their business. Here are a few different laws that could apply to your business:
Anti-money laundering (AML) laws
Anti-money laundering (AML) laws require certain types of financial institutions to implement a risk-based approach to verifying a customer’s personally identifiable information to prevent fraudsters from laundering money.
There are three AML laws in the United States: 1) the 1970 Bank Secrecy Act (BSA), 2) the 2001 USA Patriot Act, and 3) the 2020 Anti-Money Laundering Act. There are over 25 different types of organizations that need to comply with those laws, including FDIC-insured banks, credit unions, insurance companies, credit card companies, casinos, certain fintech companies, online gaming facilitators, money service businesses, and cryptocurrency platforms.
The European Union (EU) also has six key anti-money laundering directives (AMLDs), which require any institution that handles financial transactions in EU member states to conduct minimum due diligence checks, including identity verification, when entering new business relationships.
Seller verification laws
Many marketplaces have to confirm information about their sellers in order to host them. The INFORM Consumers Act, for example, requires online marketplaces to collect certain information about sellers who earn a specific amount of revenue so regulators and investigators can more easily investigate suspected fraud.
In the EU, DAC7 requires anyone who operates a digital platform in the EU — including marketplaces, websites, and apps that connect sellers to buyers — to gather and report personal and business information on income from sellers who use their platforms for commercial services. Platforms that sell to individuals based in the EU are also subject to DAC7 reporting requirements.
Age verification for social media
Though there’s no universal legal requirement for age verification on social media, many social media platforms use age verification to protect the safety of minors online — and to ensure age-appropriate online experiences.
There are a growing number of different data protection regulations — some more general and some designed with minors’ safety in mind — that social media platforms have to abide by, depending on the jurisdiction they fall under:
- The General Data Protection Regulation (GDPR)
- The Children’s Online Privacy Protection Act (COPPA)
- Kids Online Safety Act KOSA
- Online Safety Act (OSA)
- California Consumer Privacy Act (CCPA)
- California Privacy Rights Act (CPRA)
- Colorado Privacy Act (CPA)
- Virginia Consumer Data Protection Act (VCDPA)
- Brazil General Data Protection Act or Lei Geral de Proteção de Dados (LGPD)
HIPAA
The 1996 Health Insurance Portability and Accountability Act (HIPAA) is a patient privacy law that protects patient medical records and protected health information (PHI) from improper access and use.
Medical companies, some tech companies, and certain public officials use HIPPA verification, which is the process of verifying an individual’s identity to ensure they have the legal right and authority to access someone’s PHI. HIPPA doesn’t require covered entities to use specific types of identity verification, but they do need to create and implement some form of identity proofing and identity verification.
Identity proofing methods
There are multiple technologies and strategies businesses can use for identity proofing, including:
Government ID verification
Government ID verification is when you request, analyze, and validate someone’s government-issued identification, such as a driver’s license or passport. In the process, you check that the ID itself is legitimate and that the personal information the ID contains is consistent with the user’s claims.
Document verification
You can use document verification to verify the authenticity and accuracy of a document someone provides, like a bank statement, piece of mail, employment record, or school transcript.
In the process of document verification, you’ll check to make sure the document is legitimate and that the information within the document is consistent with the information on the user’s government ID.
Database verification
Government agencies maintain issuing databases with records of IDs and other official documents. Database verification is the process of cross-referencing the information on someone’s ID with the information contained on a government database.
Selfie verification
Selfie identity verification is the process of analyzing a selfie that someone takes and submits to see whether the photo is consistent with the user’s government ID photo. Selfie verification uses liveness detection (more on that below) to confirm that an actual person is taking the photo upon request instead of just submitting a previously taken picture or print.
Liveness detection
Liveness detection uses a sensor and a series of algorithms that analyze a variety of data in order to determine whether the subject of a photo or video is a live person or not. Liveness detection can weed out deepfake images and AI-generated selfies, which fraudsters can use to create synthetic IDs.
Reports and screenings
Reports and screenings are another security measure to help you detect potential fraudsters. Here are two to consider:
- PEP check: A politically exposed person (PEP) is someone in a public, high-ranking position who might be linked to fraudulent crimes. A PEP check is an anti-money laundering screening that helps you determine whether or not someone is a politically exposed person and what their risk is for money laundering.
- Adverse media screening: Adverse media screening is the process of searching for negative information about a person or business you intend to work with. Adverse media screenings, which you can add to an automated Know Your Customer (KYC) program, clue you in to suspicious behavior and help you make a more informed decision about whether or not to work with a particular person or entity.
Build a robust identity proofing strategy with Persona
Identity proofing plays a critical role in a comprehensive fraud prevention strategy, but every identity proofing method provides a different level of assurance. How much assurance you need depends on a handful of factors, including your industry, regional compliance regulations, use case, and AML risk assessment.
In general, though, it’s a good idea to leverage multiple identity proofing and identity verification strategies to defend your business from identity fraud. And the right platform can help.
Persona makes it easy to build a robust identity proofing framework — one you can customize for different use cases and add to as your business evolves.
Dynamic Flow is a flexible identity tool that lets you create the right identity experience for every type of user. You can collect all the information you need for identity proofing and adjust for friction based on real-time risk signals.
Need more guidance? Check out these five key considerations when choosing an anti-fraud tool, or learn how a unified identity platform can solve fraud and compliance problems.
If you’re ready to get started, contact us or schedule a demo anytime.