When it comes to selecting an identity verification solution for your business, you probably have a checklist of criteria you are using to guide your purchasing decision. Cost, security, reputation, and whether or not the solution provides specific features often rank among the most important of these qualifications.
Each of these characteristics is of course important. But if you were to ask us, we’d add another quality to the top of that list: Flexibility.
Unfortunately, many solutions approach identity verification with a one-size-fits-all mentality. The reality, however, is that IDV needs can vary significantly depending on a variety of factors, including:
- Your business model: What products or services does your business offer, and what role does verification play in supporting this?
- The risks associated with your customers and the actions they take: Who do you serve, and what do you empower your customers to do?
- Your stakeholders: Based on your business model and customers, who are your relevant stakeholders, both internally and externally?
A flexible identity verification solution empowers you to build the IDV process that best accounts for these factors while addressing your business’s unique challenges, goals, and needs.
Below, we discuss each of the factors listed above in greater detail and take a closer look at why flexibility in identity verification is so important.
The risk factor
At the end of the day, identity verification is all about managing risk. But that risk is not static: It can vary — sometimes significantly — from user to user, action to action, and application to application. A flexible IDV solution allows you to tailor your processes based on the level of risk present at any given time.
Who's being verified?
Especially during the account creation process, it’s important to gauge the unique level of risk presented by each new user that wants to open an account. A segmented IDV flow allows you to collect certain information, use that information to determine whether a user poses low, moderate, or high risk, and adjust the remainder of the IDV process based on that initial assessment.
For example, in the first step of the account creation process, you might choose to collect basic information, such as the user’s name and date of birth. This information can then automatically be screened against a number of reports, such as sanctions lists, politically-exposed persons lists, adverse media reports, etc.
If a match or potential match occurs, you might decide to perform enhanced due diligence and require them to provide additional information, documents, or ID. On the other hand, if a match doesn’t occur, the user might be allowed to go through a simplified due diligence process.
Other information, such as a user’s device fingerprint, geolocation data, and IP address can all similarly be collected and used in the background to gauge a user’s risk.
A lot of different factors might cause you to deem one user riskier than another. For example, if a user’s geolocation data indicates that they are in a country that is known for money laundering, this increases that user’s fraud risk. Likewise, a user who is trying to create an account while using a VPN to obscure their location might be a fraud risk.
What actions are being completed?
Just as each user presents their own unique level of risk, so does each action or transaction they complete while using your services.
For example, consider a customer using a marketplace platform to make a $5 purchase vs. a $5,000 purchase. One of these purchases clearly presents more risk than the other — both in terms of consumer risk (for example, a user account being hacked) as well as in terms of regulatory risk (for example, a bad actor attempting to launder money). Treating them equally doesn’t make much sense.
Likewise, imagine a user who opens an account and immediately changes their shipping address vs. a user who maintains the same address for six months before changing it. The first case is much more suspicious than the second and likely deserves to be treated differently.
In either case, you might allow a user to complete a low-risk action or transaction with little-to-no friction while introducing increased levels of friction for more risky actions or transactions. Ideally, the amount of friction introduced will be proportionate to the risk involved.
How are you leveraging verification in your business?
Finally, it’s important to note that one business may leverage verification for a variety of purposes or at a variety of junctures in its relationship with users.
For example, an online marketplace might have an extensive verification process for all users who sign up as sellers on the platform, and a less stringent verification process for those who sign up simply to be buyers, or who wish to browse the platform. Meanwhile, buyers who take advantage of in-app financing options like Buy Now, Pay Later (BNPL) might be required to complete additional verification due to the regulatory requirements involved. The marketplace might also leverage a simplified form of IDV that doesn’t inconvenience legitimate users, like selfie verification, to prevent fraud such as account takeover (ATO) attacks when it detects abnormal activity, like a user signing into their account from a new device.
Because each of these junctures carries different risk profiles or regulatory requirements, the IDV processes should ideally be tailored based on that risk in order to balance friction against conversion instead of just applying the same blanket approach to each application.
The stakeholders of identity verification
When designing your IDV processes, it’s also important to remember that your business is not the only stakeholder that has an interest in the verification process. Your users and the government (or regulating bodies governing your industry) are also potential stakeholders, and it can be helpful to keep their concerns in mind.
Additionally, it’s worth noting that these stakeholders can change and evolve depending on factors such as your business model, customer base, and the specific products or services that you are offering.
As the individual being verified, your user has a large stake in the identity verification process.
Generally speaking, customers tend to be most concerned about convenience and security. They want to be able to complete the IDV process as quickly and easily as possible in order to begin leveraging the website, app, or service they are signing up for. At the same time, verification may require them to submit highly sensitive data — such as their Social Security number, date of birth, or a photo of their ID — and many users may be concerned about how this information is collected, transmitted, and stored.
As the business performing the verification, you of course maintain a large stake in your verification processes.
Businesses implement identity verification for a variety of reasons, and it’s important that you have a clear sense of what your why is before you select any solution. Are you primarily concerned with complying with regulatory requirements? Are you looking to reduce levels of fraud on your platform? Are you trying to build customer trust in your service and brand? Or are you trying to achieve something else entirely?
Once you know your why, it becomes easier to weigh it against other considerations, such as a desire to maintain high conversions.
Finally, the government can be a significant stakeholder in your verification processes — if your business is subject to anti-money laundering (AML) and/or Know Your Customer (KYC) laws or data regulations such as GDPR, HIPAA, or CCPA/CPRA.
Businesses dealing with age-restricted commerce, such as marketplaces that sell or deliver alcohol and other regulated goods, are also subject to KYC rules.
In most cases, the government and other regulatory bodies are primarily concerned with IDV for the purpose of limiting various financial crimes, such as money laundering, financing of terrorism, identity theft, tax evasion, etc. They are also concerned with ensuring that restricted goods do not end up in the hands of minors or other individuals who should not have access to them.
Flexibility is your friend
A flexible verification solution will allow you to meet the expectations of the various parties that hold a stake in your IDV processes — your customers, your own business, and the government or regulatory bodies — while also accounting for different types and levels of risk.
Here at Persona, our Verifications solution was designed with flexibility in mind. Our infrastructure embraces a “building blocks” model that makes it easy and intuitive for businesses to build the exact verification process that they need. Tailor your processes based on risk, regulatory requirements, and application.