For businesses that conduct identity verification for new users and customers — whether because they’re required to do so by law or simply want to realize some of the other benefits that verification offers — it can be tempting to think of verification as a one-time thing.
A customer opens a new account, you verify their identity. End of story, right?
The truth is that initial verification is, in most cases, just the beginning of the verification story. For a variety of reasons, it probably makes sense for you to periodically reverify your users throughout your relationship with them.
Below, we define reverification, walk through how it works, and take a look at the different types of reverification you may want to leverage in your business.
What is reverification?
Reverification is the process of re-verifying the identity of a customer or user who has already verified their identity.
When does reverification take place? Ultimately, that will depend on the specifics of your business, your user expectations, the industry you operate within, and any laws or regulations you are subject to.
That said, some common points where reverification can be a good idea include:
- When key account information is changed: When a user changes important account information, such as their password or contact information, it may be innocent, but it can also be a sign of account takeover or fraud.
- When a document has expired: If your business engages in document verification during your initial onboarding process, it’s important to ensure these documents stay up to date.
- When a user initiates a high-risk action: If a user attempts to engage in any kind of activity that carries risk of money laundering or other financial crimes, reverification can be a good idea. Examples might include when a customer attempts to make a large transaction, transfer a large sum of money to another account, or make a transaction that appears to be designed to evade AML detection.
- When a borrower wants to apply for a new loan: If an existing borrower wants to borrow a new loan (or refinance an existing loan), key information such as the borrower’s income and credit report will likely need to be reverified to ensure they still qualify.
- When an account is reactivated after a period of dormancy: If an existing user has not logged into their account for a long period of time, reverifying their identity when they reactivate their account can be a good idea to prevent account takeovers.
- When you detect suspicious activity: When you detect suspicious activity, reverification can help you distinguish between legitimate and fraudulent transactions. For example, a user logging in from a suspicious IP address or geolocation data that indicates the user is logging in from an abnormal jurisdiction (or one with a high risk of money laundering).
- If your business experiences a data breach or fraud: If it is possible that user data has been compromised, you may want to reverify user identity to root out cases of potential fraud or account takeover.
- When laws and regulations change: If your business is subject to laws and regulations that dictate identity verification requirements, such as AML and KYC regulations, you may need to periodically reverify existing users when these laws change.
In most cases, reverification is an automated process that is triggered if and when certain criteria (such as those discussed above) are met. It is not typically a manual process, though it may involve manual review as necessary.
For more information about how reverification works specifically within Persona, click here.
Why is reverification important?
If your business is subject to Know Your Customer (KYC) regulations, reverification isn’t something that’s just nice to have — it’s a requirement. Along with identity verification and customer due diligence (CDD), continuous monitoring is the third required piece of KYC programs. While continuous monitoring is often taken to refer to transaction and activity monitoring, it also includes periodic reverification and ongoing screening against various lists (such as adverse media reports, sanctions lists, and politically exposed persons lists).
But even if your business isn’t subject to KYC regulations, reverification and ongoing monitoring just make sense. Verifying someone’s identity only gives you a snapshot of who they are at that moment in time. Reverification makes it possible to stay on top of any changes or evolutions that happen over time.
Types of reverification
Reverification can take many different forms, depending on your needs and the specific information that is being reverified. This includes:
1. Document reverification
If your identity verification process involves document verification, it will likely be important to periodically reverify these documents.
Examples of documents that may need to be reverified include:
- Proof of address
- Proof of income
- Proof of employment
- Proof of insurance
- Proof of ownership
- Proof of professional certification
- Proof of education
- Business documents
- and more
For documents that have expiration dates, document reverification typically occurs when the existing document has expired or is approaching expiration. For those that do not expire, many businesses reverify according to a pre-set schedule (for example, every 6 or 12 months, etc.) or when a user attempts to make changes to their account information.
2. Government ID reverification
As with the documents discussed above, government-issued IDs may also need to be reverified. This often occurs when the system notes that an ID has expired, when a customer proactively updates an ID that is about to expire, or when suspicious activity may indicate that an account has been taken over by a bad actor.
Examples of government IDs that may need to be reverified include:
- Driver’s licenses
- Mobile driver’s licenses (mDLs)
- Permanent residence cards
- US military cards
- and more
3. Selfie reverification
Selfie verification has become a common component of many companies’ identity verification processes. It works by requiring a user to take and upload a selfie, which is analyzed for liveness detection and compared against either a photo ID, such as a driver’s license, or a previously taken selfie.
This same process can be used for reverification purposes. Often, selfie reverification is helpful in instances of suspicious activity, or when you believe a user account may have been in some way compromised. Likewise, many delivery apps that handle age-restricted goods (such as tobacco or alcohol) leverage selfie verification to ensure that the customer is of legal age each and every time an order is placed — as required by law.
4. Continuous reports
When a business initially onboards a new customer or client, a part of the verification process often involves screening that individual against certain lists and reports. This might include sanctions lists, watchlists, politically exposed persons (PEPs) lists, adverse media reports, and more.
Of course, these lists are always changing. Someone who is not on a sanctions list today may find themselves on a sanctions list tomorrow, pending political developments, etc. Periodic reverification of users should therefore involve rescanning them against these lists.
As a note, businesses subject to KYC regulations are required to engage in continuous monitoring, which includes continuous reports.
Challenges of reverification
Reverification plays an important role in protecting both your business and users from the risk of fraudulent activity. Unfortunately, it does not come without its challenges, which you will need to be cognizant of as you design your reverification processes. One such challenge is friction.
Reverification, by necessity, introduces friction at key moments when a user interacts with your business. It’s this friction that helps root out bad actors and prevent fraudulent activities from occurring. Unfortunately, this friction can occasionally frustrate legitimate users who may not understand why they are being asked to reverify their identity.
The good news is that reverification doesn’t need to be a heavy lift. In many cases, selfie reverification can be an efficient and effective means of confirming whether an account has been compromised — and one that can be completed in just seconds. Likewise, documents and IDs — especially digital IDs — can often be reverified in seconds when doing so becomes necessary.
Likewise, reverification is at this point almost expected by customers, especially when it comes to highly sensitive activities such as banking, investing, and healthcare. In many instances, a lack of reverification can actually lead a customer to lose trust in a business’s safety and security protocols.
Reverification and your business
Here at Persona, we’ve built our Verifications solution to be highly customizable. Use Dynamic Flow to design the reverification process that makes sense for your business, whether that involves document verification, selfie verification, database verification, or other strategies. Set the internal logic that triggers reverification for your users, as well as the follow-up required when reverification fails.