November 7, 2016 - Digital Onboarding is becoming more important as banks and fintech companies are more and more becoming mobile-first companies. What is the background and the impact of this trend?
The relationship between banks and consumers is changing. We are moving from a world where consumers visit their local bank office to a digital world: with internet banking and mobile applications, much of the face-to-face contact has disappeared. After all, banks have the ambition to provide a fully digital workflow, both from a customer service and a cost perspective. Some banks are already following a mobile app-only strategy. At the same time, the need of the bank to know who their customer is has increased: To provide trust, the bank needs to know who their customer is, and more and more regulations force banks to check for signs of fraud, such as money laundering or tax evasion. In this article, we will discuss the background of these trends, why they are in conflict, and how this conflict can be resolved.
A few years ago, onboarding consisted of a form on a website, and an invitation to visit the local bank office to sign the forms. Banks have gone through a full digital transformation, but opening a bank account has changed little: even though a physical signature may no longer be required, the customer still needs to visit the bank office to allow the bank to perform identification and verification (ID&V). During this visit, the account manager will inspect the provided identification to verify its authenticity, and verifies the identification is actually the client’s.
Digital Onboarding describes methods of onboarding that completely eliminate the need to visit a physical bank office. These methods typically leverage the general availability of smart phones, and the features these provide, such as digital cameras and near-field communication (NFC) antennas. In the digital onboarding process, the customer fills in a form on their smart phone, performs some form of ID&V – for example by taking a photo of an identity document and taking a selfie – and submits the application. The customer can then immediately use their bank account, and a few days later, they receive their debit or credit card by mail.
The case for Digital Onboarding
The expectations consumers have for digital interactions have changed. Before, the internet was seen as a way to make existing interactions easier. These days, any non-digital interactions are a nuisance – why should opening a bank account be harder than registering a social media account? We are moving to a mobile-first world, where the mobile application is the medium to communicate with a company. The way banks interact with their clients therefore has to change.
Fintech companies, founded in this new digital age, understand this. They choose to completely forgo the physical bank offices, and use mobile apps instead. Existing banks will have to adapt to compete with these offerings, or risk to lose the race. This competition will be especially strong in Europe, where the Revised Directive on Payment Services (PSD2) forces existing banks to provide access to their infrastructure to third parties.
The struggle of banks
At the same time, banks need to have good Know Your Customer (KYC) processes, in the form of Customer Due Diligence (CDD). One reason for this are stringent regulations, such as anti-terrorism and anti-money laundering regulations. Furthermore, some countries require foreign banks to keep track of their citizens’ assets, such as the US with the FATCA. A third reason is to prevent identity fraud, which can result in significant losses for the bank. Finally, good KYC/CDD processes are also an asset, as they allow the bank to provide federated identity services such as BankID (Sweden, Norway and Finland) and iDIN (The Netherlands).
The struggle is to embed these KYC and CDD processes in a customer-friendly onboarding process. The bank needs to answer two questions during the process. First, is the document real, and not a forgery or an existing photo? Second, is the user registering for the bank account actually the person on the identity document? Here, we will focus on the first question, and will discuss how a high level of assurance can be reached by using a smartphone.
How can we verify a document is real, without having physical access to the document? Luckily, the object central to the digital transformation – the smartphone – provides us with solutions. First, every smartphone on the market today has a camera, which can be used to photograph the document. Secondly, many recent smartphones contain a near-field communication (NFC) antenna, which can be used to read out the chip embedded in many identity documents.
Using the camera, the user can take a photo of the identity document, which can then be validated on various levels. This can be both a manual process, where the data and security features of the document are checked by hand, or a (semi-)automated process, where a computer handles most of these steps.
An automated solution can use several features of the documents. First, the solution can recognize the document type (for example, ‘Dutch Passport, model 2011’), and compare the layout to that expected for the document. Second, it can read the machine-readable zone (MRZ) of the document using optical character recognition (OCR). This information is used to check its internal consistency, and to confirm that the content matches the data provided by the user. A final consistency check uses OCR to read all the fields on the document, and compares these to the MRZ data. Unfortunately, OCR is not perfect, and these consistency checks sometimes result in false rejections. When a document is rejected, human intervention will be required to confirm that the document is indeed a forgery.
More and more solutions also use automatic detection and validation of ID document security features (e.g. kinegrams). However, just like with biometrics, document verification suffers from problems of balancing the false rejection and false acceptance rates. Adding more checks will lower the false acceptance rate, but might also make the false rejection rate unacceptably high. One possible way to deal with this problem is by using artificial intelligence (AI) techniques, to help tune the individual factors in the overall risk score.
The embedded chip can be used for a more secure form of ID document verification. To allow this, the chip needs to support two security features: passive authentication (PA) to detect chip data modification, and active authentication (AA) to detect cloned ID document chips. In passive authentication, the document sends all the data on the document in digital form, with a digital signature from the originating country. This signature is then validated using a public key from that government, thereby verifying the integrity and authenticity of the chip data. This means the data cannot be changed, but it can be copied to create a clone of the original chip. To prevent ID document chip cloning, most modern documents support active authentication, where the chip signs a challenge provided by the reader using its private key. The signature can be verified using the public key certificate stored on the chip, which is validated during the passive authentication step.
Digital Onboarding is becoming more important as banks and fintech companies are more and more becoming mobile-first companies. At the same time, banks need to perform identification and validation of the customer to comply with Know Your Customer and Customer Due Diligence regulations and processes. To do so, several smartphone-based solutions are available. These solutions leverage the device camera to photograph the document, and sometimes use the near-field communication antenna to directly retrieve information from a chip embedded in the document. Each of these solutions increases the level of assurance that the document is valid, but also risk turning away customers when their valid document is rejected.
UL can help
Are you working on providing digital onboarding to your customers? We can help you in each step of deploying remote customer identification and verification, from determining requirements to end-to-end process validation. To learn more, please contact us at firstname.lastname@example.org.