As fraud grows more sophisticated, bad actors are constantly finding new ways to take advantage of legacy verification solutions. Companies need to adapt their risk and fraud strategy to meet this threat head-on and protect themselves, their reputation, and their customers from identity fraud.
A key part of any fraud prevention strategy is evaluating multiple signals during the identity verification process. With a diverse set of verification methods and a multi-layered approach, you will have much more data to determine when someone is attempting to use a fabricated, stolen, or synthetic identity. One of the most important methods to consider implementing in your business is validating user data against issuing databases.
Below, we explain what issuing databases are and walk through their strengths and potential vulnerabilities. We also take a closer look at a number of domestic and international issuing databases you may want to consider incorporating into your identity verification process for more comprehensive coverage.
What are issuing databases?
Issuing databases, also known as issuing data sources, are databases managed by organizations that offer critical services, such as government programs or driving privileges. These databases bind physical identities to these services with high assurance and are the most accurate as they are the original source of information.
The most common organizations that offer issuing databases are government entities like the Internal Revenue Service (IRS). Other organizations include those who issue public records, such as when somebody registers to vote or becomes involved in the court system. Utility and telephone companies are also considered issuing sources.
Issuing database vs. authoritative database
Issuing databases are different from authoritative databases. Authoritative data sources also hold important personal information, but they don’t create or issue it. Instead, they pull information from issuing databases. Authoritative sources include credit bureaus (e.g., Experian, Equifax, and TransUnion), financial institutions, and other data aggregators.
How identities get corrupted despite issuing and authoritative databases
A significant part of identity verification relies on the information stored in issuing and authoritative databases. When organizations request an individual’s personal information and run it against a database, they’re relying on the accuracy of the database itself. But if there is even one flaw in the chain, bad actors will be able to find their way in, corrupting identities along the way.
So how is personal information corrupted in these databases in the first place?
One break in the chain can occur if organizations depend on utility companies as an issuing source. Depending on the security measures in place, a bad actor may be able to easily create a fake account record or spoof a bill or document that appears legitimate. These situations can make a fake identity appear real, so these databases are often less reliable.
As another example, banks and lenders are constantly checking personal information and making verification decisions. To enable faster conversions without worrying about system access or uptime, they might choose to use authoritative databases rather than issuing sources. Fraudsters can take advantage of this shortcut by leveraging synthetic fraud.
With synthetic fraud, bad actors combine pieces of real information with fake information. The result is a synthetic identity that can be particularly difficult to detect. If they can manage to create a record of this “Frankenstein identity” in an authoritative database, it becomes much easier for them to access credit in the future.
As fraudsters find new ways to circumvent safeguards, it’s becoming more essential for organizations to implement a wide range of identity verification methods. Understanding identity assurance levels and using multiple issuing databases to verify identities are two ways your business can decrease the likelihood of fraud.
What are identity assurance levels?
Identity assurance levels measure the level of certainty that information used to verify a person’s identity can be trusted to match the person’s “true” identity. These levels have been defined by the National Institute of Standards and Technology (NIST), which has also issued digital identity guidelines that businesses can follow in building their IDV processes.
For organizations that verify identities online, the most relevant assurance level is IAL2. This level uses digital documents to support the real-world existence of an identity and verifies that the correct person is associated with it.
The IAL2 standard rates each type of supporting digital document on its reliability. Some documents offer stronger verification assurance than others due to factors such as the issuing source. For example, a passport is rated as “Superior,” a driver’s license can be “Strong” or “Fair,” and “Weak” documents are those where data is commonly leaked or easily spoofed, such as a Social Security card.
The IAL2 standard provides guidance around what documents are required to truly verify an identity. For example, one Strong or Superior document verified by an issuing database will meet the criteria. But two Strong documents or one Strong and two Fair documents matched against authoritative databases are needed to get the same level of verification assurance.
Issuing databases used for verification
Your organization can take advantage of several issuing databases to verify identities and reduce fraud. The best approach for your business will depend on your business model, your offerings, and the users you most often engage with.
AAMVA (American Association of Motor Vehicle Administrators) verification
One option for verifying users against issuing databases is AAMVA. With this method, you can use the DMV’s database to verify driver’s license data and confirm that the name, birthdate, expiration date, and barcode are legitimate.
Benefits: AAMVA verification is extremely simple, convenient, and accurate — as a government entity, the DMV has the most up-to-date information about every driver’s license issued. This makes AAMVA a handy source of truth that gives you the ability to verify that the information is real and actually exists inside an objective, issuing database. And as driver’s licenses are one of the most common forms of ID used for verification, verifying that the information contained within a license is legitimate is an effective way to catch fake identities.
Caveats: There are several states where AAMVA verification is not available, so organizations operating in these locations must use another method. This includes California, Alaska, and Utah.
Plus, this type of verification is not foolproof: It only tells you whether or not the information on the license matches the information held in the database. It unfortunately cannot tell you whether the license itself is real, if the license is fake with accurate data overlaid on top of it, or if the license is being used by a bad actor. It also cannot verify whether the photo or signature contained in the license match what is contained in the database.
Sample use case: AAMVA can be a great way to provide a bit of extra assurance for risky individuals. For example, if your system detects a risk signal or red flag while an account is being created — such as multiple accounts being created from the same location or device — you can use AAMVA to double check and confirm the information they're providing matches a real person.
eCBSV (Electronic Consent Based Social Security Number) verification
eCBSV can help you confirm if the full name and birthdate provided by a customer match the information associated with a Social Security number in the official database. It also confirms the person associated with the number is alive.
Benefits: eCBSV verification is especially helpful at detecting synthetic identities. As synthetic IDs frequently use stolen SSNs, SSN verification is a quick and effective way to ensure the person actually exists.
It can also help you expand your coverage and offer your product or service to more people, as eCBSV extends beyond US citizens and is ideal for verifying those with thin or no credit history. If someone is new to the country or does not have a detailed financial past, eCBSV can quickly verify that they are a real person. This makes verification easier for those often excluded from traditional KYC processes.
Caveats: Currently, eCBSV is only available to financial institutions, not all organizations. It also requires explicit customer consent. It’s also important to note that the results of the check are returned on a pass/fail basis. If a check fails, you won’t be notified as to which information is inaccurate. This can make follow-up to reduce false negatives more difficult.
Sample use case: eCBSV is ideal for verifying those with thin or no credit history. For example, if you’re a neobank serving historically underbanked populations, you can use eCBSV to fight fraud and verify that someone who does not have a detailed financial past (but does have an SSN) is a real person.
TIN (Taxpayer Identification Number) verification
With TIN verification, you can confirm that a name and a TIN exist as a pair in IRS records, which means you can be fairly confident that a user is a real person.
Benefits: This method is helpful in identifying both businesses and synthetic identities, especially those based on fake names. TIN verification also provides coverage for immigrants, foreigners, and other individuals without SSNs, for whom eCBSV verification might not be available. These groups have been historically excluded from services that require online verification since they don’t always have the needed documents to verify who they are. TIN verification makes the internet more inclusive for them.
Caveats: This is a simple verification system with limited verifiable elements. It only looks at name and Taxpayer ID; items such as address or birthdate are not included. For this reason, it may be less reliable than other methods.
Sample use case: TIN is best reserved for verifying businesses or individuals who aren’t covered by other verification methods. For example, you could use TIN verification for someone without an SSN rather than exclude them from your service altogether.
International issuing databases
Many governments around the world maintain issuing databases that businesses can query for identity verification purposes. Below, we take a look at a few examples.
Serpro verification for Brazil
Serpro is an issuing database maintained by the Brazilian federal government. It contains information found in a Brazilian ID, including a person’s name, date of birth, national ID number (CPF), and photo. Businesses operating in Brazil can leverage Serpro verification for greater assurance during the IDV process.
Benefits: Brazilian IDs are vulnerable to fraud for a number of reasons. First, they are currently made out of paper and lack many advanced anti-fraud measures, which makes it easy for them to be forged, duplicated, or manipulated. Likewise, unlike IDs issued by other countries, there is no single means of determining if an ID is fraudulent. Serpro verification offers an additional layer of protection that, when paired with other verification methods, makes it more likely that a business will spot forged or altered documents.
Caveats: As with other issuing databases, Serpro verification can only tell you whether the information contained within an ID matches the official record. It cannot tell you if an ID was stolen or copied.
Sample use case: Serpro verification is ideally suited to businesses operating in Brazil that are looking for an automated way of adding additional assurance to their identity verification processes. Zro Bank, for example, uses Serpro verification to scale customer onboarding while also decreasing the need for manual review.
Document Verification Service (DVS) for Australia
The Document Verification Service (DVS) is an issuing database maintained by the Australian Department of Home Affairs. It can be used to verify a variety of government-issued documents and IDs, including Australian birth certificates, driver’s licenses, passports, visas, Medicare cards, Centrelink concession cards, certificates of registration by descent, change of name certificates, Immicards, marriage certificates, death certificates, and more.
Benefits: DVS verification allows businesses to quickly determine whether the information in a government-issued document matches the official record. And because most businesses that leverage DVS do not need to store copies of their customers’ identity documents, this verification also removes some of the privacy and security risks that would be associated with that storage.
Caveats: DVS verification results in a “yes” or “no” answer as to whether the document matches the official record. Without additional details about which information is incorrect, follow-up to avoid false negatives can be difficult. Likewise, DVS verification does not check facial images.
It’s also worth noting that certain populations within Australia face structural barriers that make it difficult for them to obtain government-issued IDs and documents. While alternative forms of documentation are accepted for identity verification in such cases, these documents are not contained within the DVS.
Sample use case: AUSTRAC, the government agency responsible for enforcing compliance with Australia’s AML and KYC requirements, notes that DVS verification is well-suited to verifying that a document is current, accurate, and not lost or stolen.
Decrease fraud through issuing databases with Persona
There’s no silver bullet to identity verification. Businesses must use multiple strategies in tandem with each other to maximize their chances of catching bad actors and reduce the risk of fraud.
Because issuing database verification relies on data that is highly authoritative, it can be a powerful piece of your IDV strategy. But like other methods, it has its limitations. Sometimes, the information stored within an issuing database will not be broad enough to verify an identity to the level you need. And certain issuing databases may only be queried by specific types of businesses, leaving them out of reach for other kinds of corporations.
For this reason, they are best leveraged alongside — instead of in place of — other verification methods. By pairing issuing database verifications with government ID verification, document verification, selfie verification, and other methods, it’s possible to build a truly comprehensive IDV strategy.
If you’re having trouble implementing verification in your business, Persona can help. Issuing database verifications are just some of the many verification options we offer, and our identity infrastructure is fully customizable to meet your and your customers’ needs.