Around the world, governments require many businesses, such as financial institutions, to understand who their customers are. These policies are generally known as Know Your Customer (KYC) or customer due diligence (CDD), and are designed to identify and prevent instances of money laundering and other financial crimes.
The key requirement of KYC is identity verification (IDV) — ensuring that a customer or client is actually who they say they are.
IDV used to involve reviewing information submitted on physical forms and documents. But as the world has become increasingly digitized, KYC policies and practices have had to evolve in order to meet customer expectations as well as risks inherent in digital interactions. Electronic KYC (eKYC) is the result of these evolutions.
Below, we define eKYC, take a look at the different signals that eKYC can take advantage of, and review the benefits that eKYC offers both businesses and their customers.
What is eKYC?
Electronic KYC (eKYC) is the process of completing identity verification and other KYC requirements digitally. It can take different forms depending on your industry, use case, business needs, and even customers, but typically involves electronic forms, digital documents, and varying degrees of automation.
Like traditional KYC, eKYC typically occurs during account setup and then in an ongoing manner over time.
What are the different signals you can use when performing eKYC?
In many respects, eKYC can offer businesses a fuller picture of who their customer actually is.
That’s because eKYC can pull from a broader variety of data and signals than is typically available with traditional KYC. Whereas traditional KYC depends on active signals (e.g. user-submitted PII) and third-party data (e.g. watchlist reports), eKYC pairs this data with passive signals and behavioral signals that are difficult — if not impossible — to measure with manual review of physical forms and documentation.
Active signals
Active signals are signals that are provided directly by the individual. Usually, active signals include information such as:
- Name
- Address
- Date of birth
- Social Security number
- Employment information/source of funds
Active signals also include any documents and photos that an individual may submit, such as a government-issued ID, bank statement, selfie, etc.
Additionally, with the move to eKYC, some governments, such as India and Estonia, have begun issuing forms of electronic identification (eIDs), which serve the same purpose as physical IDs.
While the concept of an eID has not yet gained traction at the federal level in the United States, it has been embraced by many states. Arizona, Colorado, Connecticut, Georgia, Hawaii, Iowa, Kentucky, Maryland, Mississippi, Ohio, Oklahoma, and Utah all accept digital driver’s licenses. Depending on the state, these digital licenses may be stored in a secure app or even in an Apple wallet.
Third-party data
Third party data are signals that are not provided, directly or indirectly, by the individual. Instead, they are provided by third parties, such as government entities, private businesses, and other authoritative and issuing databases.
Examples of these datasets can include:
- Government watchlists
- Sanctions lists
- Politically exposed persons (PEPs) lists
- Phone risk reports
- Email risk reports
- Adverse media reports
- and more
Third-party data is often collected in the background during account creation, which is a good opportunity for businesses to enrich what they know about a customer without adding friction to the KYC process. Additionally, many businesses continuously cross-check customer profiles against these sources to ensure that the status of the individual has not changed.
Passive signals
Passive signals are provided by the device that the individual is using to complete the KYC process, typically in the background and without the individual even being aware of the fact. They are sometimes referred to as device signals. This data can include the individual’s:
- IP address
- Location data
- Device fingerprint
- Browser fingerprint
- Various metadata
- Whether or not the individual is using a VPN
Passive signals are an essential piece of eKYC, as they empower you to digitally verify and cross-check what the individual is actively telling you against the data that the device is passively providing. For example, if an individual says they’re in California but their IP address indicates they’re currently in Florida, you may want to dig a little deeper to ensure they’re actually who they say they are.
Behavioral signals
Behavioral signals are provided directly by the individual based on how they interact with an online form or application. Typically the individual is unaware of the fact that these behavioral signals are even being measured, quantified, or analyzed.
Behavioral signals can include:
- Hesitation detection
- Distraction events
- Mouse clicks/keyboard strokes
- The use of developer tools
- The use of copy and paste
- The use of autofill
Behavioral signals can be used for a variety of purposes. For example, behavioral data can help you determine whether a form or application is being completed by an actual human being or a bot. Likewise, it can aid in the detection of issues such as identity theft — for example, if a form is filled out in a suspicious or unnatural way. As such, behavioral signals, like passive signals, are particularly valuable in the realm of eKYC.
What are the benefits of eKYC?
eKYC is beneficial for a number of reasons — largely because it allows for a higher degree of automation that simply isn’t possible when identity verification is completed by human personnel.
For companies, these benefits include:
- Increased processing speed: As soon as customers submit their information, identities can be verified in seconds; much faster than manual review. This can help businesses reduce dropoffs and increase conversions.
- Reduced workload: With less manual review necessary, financial institutions require fewer employees dedicated to KYC, allowing them to shift resources elsewhere.
- Scalability: Because eKYC processes reduce your need to hire and train manual reviewers, it makes it easier for you to grow and scale your business. Likewise, the fact that eKYC happens 24/7 means that your business can continue operating even outside of normal business hours.
- Fewer human errors: Fewer human touches reduces the risk of human error, allowing for more efficient workflows.
And for the end user, the benefits include:
- Convenience: Individuals and businesses can fill out forms and applications without needing to scan physical documents, print physical forms, or visit a physical branch or office.
- Speed of approval: Because electronic data can be reviewed automatically, customers enjoy faster approvals and account creation.
- Privacy: When businesses embrace eKYC, it typically means that fewer actual human beings are reviewing sensitive data, because it’s done automatically by the system. This means customers experience greater privacy overall.
Customize your eKYC process for your business’s unique needs
As discussed above, eKYC can be supported by a variety of different signals. But which of these signals a business needs to collect, and when, will all vary depending on how risky a particular industry, use case, user, or transaction appears to be.
Here at Persona, we know how important it is to balance KYC compliance against a pleasant user experience. That’s why we have built progressive risk segmentation into our identity infrastructure.
Progressive risk segmentation allows you to modify a user’s experience depending on the signals you receive in real time during the verification process. This means that low-risk individuals and transactions can experience a more streamlined verification process, while higher-risk individuals and transactions include additional steps and more friction.
For example, during account creation, if behavioral data indicates that a form was completed using autofill or copy and paste capabilities, it may indicate identity theft. In order to ensure that the person completing the application is actually who they say they are, you may require them to take and upload a selfie, which you can then cross check against their government-issued ID.
Interested in learning more? Start for free or get a demo today.