Mapping the Identity Verification Technology Stack in Financial Services
Market map of companies providing identity verification for digital account onboarding in financial services
Identity verification companies help financial institutions make real-time decisions to either approve or reject a prospective customer who signs up for an account. Identity verification processes are not new, though. Since the 1990’s, banks have been required to verify the identity of each prospective account holder in a process called Know your Customer (KYC).
However, in the last several years, a new crop of identity verification startups focused on digital account openings emerged, catalyzed by:
- Explosion in the number of DTC challenger banks: Emerging challenger banks sought out alternatives to incumbent providers, which had not innovated since the 90’s (Experian, Equifax, Transunion and Lexis Nexis)
- Unbundling of financial services: Consumers now have 30 to 40 financial services accounts, each requiring KYC
- Shift to digital account openings: The pandemic accelerated the decline in bank branches in favor of digital banks and digital account openings
- Rise of real-time payments and instant settlement: As real-time payments and instant settlement becomes a standard feature rather than a competitive advantage, fraud deficiencies will be exacerbated
Fast forward to today, these new identity verification companies provide arguably the most critical infrastructure supporting financial institutions. Because aside from the regulatory imperative to verify customers’ identity for KYC, financial institutions have a business imperative to care about and verify the identities of their users. Why?
- The financial stakes are high for regulatory non-compliance and unchecked fraud. KYC non-compliance led to $4.3B in fines levied against banks in 2013 and 2014. Fraud also costs banks and lenders $700B+ annually, with 25 people in the U.S. falling victim to identity theft every minute. PayPal’s disclosure of 4.5M illegitimate accounts on their platform further underscores how easily conducting fraud at scale is due to digital account opening.
- But the stakes are even higher when it comes to competition with other financial institutions. The more users that a financial institution can approve for an account, the more customers who can generate revenue. And once users are transacting on the platform, they tend to be extremely sticky with high retention rates. Financial institutions are integrating with many identity vendors because they want to approve the incremental user who may otherwise be rejected for an account. For example, the 18- to 24-year-old cohort have thinner credit files making them harder to verify. At the same time, they are the ideal customers for challenger banks because they are digitally savvy, have not built deep relationships with incumbent banks, and are entering their high-earning years. This cohort also tends to have high conversion rates from top of funnel to paying customer.
Right now, challenger banks are spending enormously on paid social channels to differentiate amongst an explosion of competitors with a convergence of features. Improving identity verification increases funnel conversion rates and lowers customer acquisition costs (CAC), at a time when financial institutions need to acquire customers more efficiently. Creating a frictionless, superior user onboarding experience by utilizing a best-in-class identity stack is a competitive advantage for financial institutions competing for the same customer.
Siloed Approach to Identity
Identity information exists in disparate data silos across credentialling institutions including the government, social security administration, sanctions watchlists, and credit bureaus. This forces each financial institution to build a custom identity stack, aggregating individual consumer data across these siloes to make an informed decision on the authenticity of a customer applying for a bank account.
Furthermore, each financial institution is conducting their own primary check on a consumer’s identity. For example, to open a Chime, Wells Fargo and Coinbase account, the consumer provides each the same identity credentials. In turn, each financial institution pays ~$1 to verify the identity of each consumer who opens an account, even if that same consumer has a verified identity at another institution.
Digital Account Onboarding Journey
Financial institutions we spoke with are integrating 10+ identity verification companies to build this custom stack and reach across these data siloes. So, to understand how these vendors fit together, we’ve mapped each to a step in the customer onboarding journey, from account opening to login to activity.
1. Account Opening
When a user attempts to open an account with a financial institution, she is required to enter a legal first and last name, home address, date of birth and identification number as dictated by regulators to satisfy the minimum KYC requirements. The financial institution may collect other information such as a phone number or household income, balancing optional data collection for personalized insights and security with the friction each question adds to onboarding. Figure 2 shows the first several onboarding screens collecting this information at consumer fintech app. I like the “why we need this” button to educate the user and prevent abandonment. These questions can be understandably intrusive to a user who is not aware that the information is mandatory.
Know Your Customer (KYC)
On the back end, KYC companies check the entered identity information of every prospective account holder against public data sources such as credit reports, electoral records and census data. Vendors differentiate by breadth of data and the ability to correlate across proprietary identity graphs to provide actionable insights. It’s important to understand that KYC does not prove the person entering the information is that person (they may have stolen the identity), just that the identity they are using is likely a real person. Leading vendors include Socure and Prove though most players across the identity stack provide basic KYC against public data as a lowest common denominator feature. Plaid also recently announced a compelling offering after acquiring Cognito in January. Other players in this space, such as Truework, differentiate by focusing on employment and income verification. Monnai focuses on verification for global consumers.
Document Verification
Financial institutions may need additional assurance of some identities, for example, if the user has a thinner credit file or displays atypical behavior. Document verification prompts a user to take a photo or video of a passport or driver’s license which is then matched with a selfie taken by the same user. Document verification companies utilize AI to verify that the ID is legitimate and has not been tampered with and that the ID picture and selfie are of the same person. Unlike KYC checks, document verification provides more security that the identity provided is real and that the person opening the account is that same person. In the days of opening an account at a physical bank branch, it was easy to verify a person against their ID. Document verification pioneers, including Onfido and Jumio, can provide the same assurance during digital onboarding.
AML and Identity Theft Fraud Detection
To comply with AML regulation to prevent financial crime, financial institutions must screen every prospective account holder against sanction watchlists and politically exposed persons (PEP) lists. A PEP is an individual in a prominent function that can be abused for money laundering, corruption or bribery and is subject to higher scrutiny. ComplyAdvantage and Unit 21 are leading AML fraud detection companies.
At this stage, a potential user can pass KYC checks (e.g. provided a legitimate name, address, DOB, ID) and pass sanctions and PEP screening related to AML fraud (e.g. not on a watchlist). The verification process resembles a decision tree where 100% of users are required to undergo KYC/AML checks, but not necessarily all are routed to additional fraud checks. However, utilizing a stolen or synthetic identity can result in an approved KYC/AML decision, so fraud checks are especially critical.
A financial institution can check for stolen or synthetic identity by reviewing behavioral and biometrics data, with the help of companies like SentiLink, Sardine, SEON and others. For example, if a user submits a form multiple times using different identity credentials, the application will be flagged as high-risk for a stolen identity. Other indicators of identity fraud include: use of a VPN, fake email address (is the email registered on social accounts like Facebook or Spotify?), incorrect device information or location data, and lacking access to the phone number on file. SentiLink specializes in detecting synthetic fraud, which can be as insidious as creating a fake identity and applying for credit. Surprisingly, the act of applying for credit will create provisional credit reports at the bureaus. Once credit is granted the fraudster will boost their credit via the purchase of authorized user tradelines.
2. Account Login
Once a user is approved to open an account, financial institutions want to ensure customers can seamlessly login while keeping fraudsters out. Passwordless authenticators such as Stytch, Transmit Security, and Auth0 (acquired by Okta) aim to reduce friction at account login by instantly authenticating users via biometrics, QR codes or magic links (one-time use link sent via email or text). According to Transmit Security, $26B is lost annually from account takeovers.
3. Account Activity
All organizations that move money are required to continuously monitor account activity for suspicious behavior. They do so by identifying outlier events (e.g. payments or business arrangements) using rules-based checks to flag transactions for manual review. Unit 21 and ComplyAdvantage are leading partners for transaction monitoring off-chain, while Chainalysis is the pioneer for monitoring on-chain.
Transaction monitoring tools beyond the scope of checking for AML are typically internally built because the institution itself has more proprietary data to detect fraudulent patterns than an outside vendor at this point.
The landscape we have described here categorizes companies based on their core competency or first-to-market offering, while recognizing there is overlap between categories as companies expand their portfolio to be the “one stop shop.” We also acknowledge that the landscape is not exhaustive, instead focusing primarily on U.S.-based venture backed companies competing with incumbent providers such as Experian, Equifax, Transunion and Lexis Nexis.
Trends and TAM
Financial institutions we spoke with are integrating 10+ identity companies, painstakingly selecting the best-in-class vendor of each capability, underscoring the importance of a comprehensive identity technology stack. As a result, orchestration vendors like Alloy have emerged, offering one API integration for access to a “starter pack” of identity solutions re-sold from other vendors — the Plaid of identity. The orchestrator controls the client relationship making them extremely sticky.
In parallel, we expect to continue seeing companies, like Socure, with the ambition to be the full stack identity player, by adding new capabilities to capture wallet share and verify 100% of users at the top of the funnel. However, we believe there will always be a degree of duplication of capabilities within the stack because identity verification and fraud is best served with a layered approach, so this is not a winner take all market.
The global TAM of identity is ~$18B, per KBV Research, though the U.S. credit bureaus make almost that in revenue today, so we think this understates the true scope of identity. Based on our estimates in Figure 3, the TAM for account opening identity verification within the U.S. is ~$9B alone. TAM is fueled by the unbundling of financial services, where consumers today have 30 to 40 accounts across checking, savings, high-yield, credit cards, debit cards, stock-trading, crypto trading, P2P payments, BNPL, etc.
Outside of account opening for financial services, there is exponential TAM opportunity within every use case that requires identification of a consumer. Bad actors don’t belong in the online ecosystems of the gig economy, tenant screening, payments, lending, ecommerce, background checks and elsewhere.
Looking Forward
Today, each financial institution verifies the same consumer, over and over again. However, we are excited about innovation happening to mitigate reverifying credentials. For example, several of the largest banks are cooperating on a recently launched federated approach called Authentify, to enable the sharing of trusted and verifiable bank data. According to the press release:
While on a participating business’ website or app, consumers can choose to be redirected to log into their online or mobile banking experience. The consumer can then share their bank-trusted data with that company, helping them streamline their identity verification process.
And one soon-to-launch company, Portabl, will enable consumers to collect and manage credentials from synced financial institutions and enable financial institutions to receive pre-verified KYC data. Along this same thesis of empowering consumers to take their verified identity and positive record with them, we’re eager to understand how the emergence of distributed ledger technology, coupled with the rise of DeFi, will shape the future of identity — a focus of another deep-dive here.
As investors, we’re excited to continue to watch this space develop, as the companies we identified above, and others yet to emerge, innovate to keep fraudsters out of our financial ecosystem and continue to make identity verification seamless.
