Managing Compliance, Data Security, and Fraud at Financial Institutions Through a One-Stop-Shop Onboarding Experience

Jesse Bikman
Jan 30, 2023

Authors:

Jesse Bikman, David Trost, Maxim Spivakovsky

Executive Summary:

Financial Institutions (FIs) face marketplace pressure to balance a lower cost of customer acquisition against operational risk and regulatory compliance, which leads many FIs to overengineer a complicated and costly data management infrastructure. A privacy-first data management approach called Open Algorithms (OPAL) enables FIs to extract insights from sensitive data without assuming the risks and costs of storing that data in their own systems. This reduces the operational costs associated with risk management and data management while lowering the cost of customer acquisition by improving the customer onboarding experience.

Industry wide problems:

Omnichannel Customer Experience

Financial Institutions (FIs) face challenges supporting an omnichannel onboarding experience.

Customers expect traditional FIs to have a top-notch digital onboarding experience, comparable to the purely digital offerings from fintech neobanks. These types of digital customer experiences place an emphasis on self-service and speed to lower the cost of customer acquisition (CAC). However, there are growing fraud and cyber risks associated with the digital onboarding experience for financial institutions. FI leaders face the question: How can we harmonize compliance, fraud protection, and data security, while still giving the customer a good experience?

During the COVID-19 pandemic, customer expectations shifted to accommodate living and working in a primarily virtual world. Traditional FIs were forced to accelerate their adoption of low-friction digital onboarding experiences to remain competitive. When an FI asks a customer for additional information outside of the application process, whether to better underwrite a borrower or to screen against fraud, it introduces friction into onboarding. This friction often takes the form of a request for additional documentation such as bank statements, a driver's license, or verification of income, to be shared by email or through a web portal.

Higher Cost of Acquisition due to Manual Processes

Legacy Know Your Customer (KYC) solutions often involve manual processes. Imagine asking a customer to upload a photocopy of their ID for review during a loan application. If an applicant does this on a website at 5:30 PM, they must wait until the next business day to learn whether that step of the review is finished. Potential customers move on to the next company that does it faster.

Underwriter efficiency increases when an effective KYC Customer Identification Program (CIP) screens applicants before underwriting, especially when the screening is automated. Manual verification carries risk from insider threats¹ and from data exposed through insecure IT asset disposition², and the audit trail for a manual review must itself be assembled by hand. According to a 2017 Thomson Reuters KYC survey, FIs with over $10 billion in revenue spent $150 million on KYC-related procedures³.

Fraud

Fraud costs are highest through digital channels: in 2022, 60% of fraud costs for U.S. FIs came through mobile and online channels versus 26% through in-person channels, up from 57% and 32% respectively in 2019⁴. The cost of fraud is not limited to the money lost in the fraudulent act itself; it multiplies through the remediation efforts triggered after a fraud event. The cost of fraud risk in digital onboarding continues to rise year over year⁴.

Figure 1 — Fraud costs are highest through digital channels for FIs in the United States⁴
Figure 2 — Costs associated with every dollar lost to fraud continues to rise relative to the pre-pandemic period⁴

Consider lending in the pre-digital age. A person walks into a bank to take out a loan. They show a bank officer their ID, pay stubs, utility bills, etc., and the bank officer judges that this person is who they say they are and that the documents are legitimate.

Fast forward to the present day. A person is recruited through a targeted ad on a social media app to act as a money mule for a money laundering operation. They are given a payload of Personally Identifiable Information (PII) attributes, purchased from a dark web provider after a recent data breach. They then create a new account on an FI's website and take out an $8,000 loan using the stolen PII combined with their own physical address. They hand their cut to the money laundering operator, cut ties, and walk away. The FI has lost $8,000 even though the applicant applied with a collection of individually legitimate PII elements; the combination is a synthetic identity fraud attack.

Challenges with Lenders Storing PII and Sensitive Data

Regulatory Landscape

Regulators such as the Financial Crimes Enforcement Network (FinCEN) mandate that KYC/Anti-Money Laundering (AML) controls are in place for digital onboarding. FIs must retain five years of records to support the audits that attest to these controls. This creates a push to accumulate data at FIs, which adds costs for data management and governance. In 2022, the average cost of a data breach in the Financial Services industry was $5.97 million, exclusive of regulatory fines⁵.

Regulators have recently begun cracking down on how data breaches are handled. The California Consumer Privacy Act (CCPA) is recent United States legislation that follows in the footsteps of the European Union's General Data Protection Regulation (GDPR). In the event of a breach, statutory damages under the CCPA's private right of action run up to $750 per consumer impacted, per incident, without the consumer having to prove any actual damages⁶. In November 2022, California Attorney General Rob Bonta sent a letter to the Federal Trade Commission (FTC) urging it to adopt robust protections against commercial surveillance and lax data security practices, in line with the CCPA⁷.

Individuals as well as companies are being held responsible for data breaches. In October 2022, Uber's former CISO, Joe Sullivan, was convicted for his handling of the company's November 2016 data breach and faces up to eight years in prison⁸. Consequences for breaches involving PII can be dire for the C-suite.

Increased Reputational Risk

The rush to digitalize the customer experience while maintaining compliance with KYC/AML regulations has positioned FIs as a treasure trove of PII for cyber criminals. In 2019, FIs were 300 times more likely to experience a cyber-attack than other industries⁹. Beyond the regulatory fines incurred by a data breach, a breached FI also faces reputational risk from media coverage and the resulting perception of poor stewardship of sensitive customer data.

Vendor Sprawl

Vendor sprawl is an issue for FIs that want a high degree of trust in their KYC processes. As an example, checking a driver's license can entail working with one vendor to determine whether the applicant's name, license number, and address match Department of Motor Vehicles (DMV) records, and with another vendor to verify that the applicant's face matches the ID in a liveness check. Each new vendor brings lengthy contract negotiations and renewals, internal fit-for-purpose reviews, and factors well beyond "do these attribute checks solve our KYC problem and line up with our cost-to-risk appetite?"

The burden extends beyond cost, infrastructure, and individual contracts to monitoring each vendor's adherence to information security guidelines, compliance, and risk reviews, as well as the complexity of ensuring the desired result is actually delivered. Given these constraints, the Project Management Office (PMO), the vendor management division, and the usual Subject Matter Expert (SME) engagement must all allocate resources to track contract expirations, application dependencies, and the clients impacted if a contract is not renewed or extended.

See the illustrative Gantt chart below. Maintaining four KYC Customer Identification Program (CIP) vendors, each with a different integration type, functionality that complements the other vendors, and a separate contract, generates at least three points of friction:

1. Contract renewal delays in negotiation,

2. Integration delays from one vendor depending on inputs from another vendor delayed by a Production change freeze,

3. On-site evaluations for third-party risk reviews, both by the vendor and of the vendor.

The friction reduces when moving from a four vendor KYC CIP solution to a two vendor KYC CIP solution offering the same capabilities. This friction is eliminated when moving to a single KYC CIP vendor with a “one-stop-shop” solution.

Figure 3 — Execution constraints for multi-vendor solution vs. one-stop-shop

Information Security reviews are a critical component of vendor onboarding at an FI, and proper risk validation by the FI adds complexity of its own. When a solution from one vendor depends on input from another vendor that does not meet the FI's third-party security standards, the result is a sub-par integration. The FI is then exposed not only to external, compliance, and reputational risk but also to unforeseen financial losses and undesired customer impact.

To quantify the impact of selecting an additional vendor on an FI, one must consider several factors:

1. Cost of infrastructure and onboarding costs

2. Loss of clients due to an inadequate solution presenting operational and reputational risk

3. Additional headcount to maintain proper tracking, contracting and verifications

4. Complexity of integration due to multiple vendor engagement and dependencies

Operating Costs Related to Storing PII

Storing PII involves significant operating costs. Between the cost of maintaining security compliance, the cost of storing the data, and the cost of software and data management personnel, a company is in a better position if it stores less PII to begin with. On average, companies spend $520K per year building pipelines for data that is not obviously valuable for improving business outcomes, and 87% of those outcomes take days or even weeks to realize¹⁰.

Figure 4 — Companies on average spend $520K/year building and managing data pipelines¹⁰
Figure 5 — 87% of those outcomes take days or weeks to realize¹⁰

New, improved solution:

One-Stop-Shop

With a one-stop-shop for performing KYC validation, an FI can undergo one vendor review, sign one contract, and hold a single party accountable for maintaining relationships with data providers for performing fraud checks in a Circle of Trust data consortium.

Accurate Data Points from Automated Processes for Fighting Fraud

By sourcing data directly from data providers rather than from aggregators, the verification of fraud attributes can be considered trustworthy. Checking the same attributes from different angles adds a further degree of confirmation to the KYC process, so that the value of checking fraud attributes across data providers exceeds the sum of the parts. Consider the driver's license example given earlier. A service that only checks driver's license data against DMV records will confirm that the information is in the DMV database even when a fraudster is reading it off a business card rather than a physical license.

Can that same service tell whether the applicant is actually holding the ID, without a biometric comparison of the applicant's face to the ID photo? No. A sophisticated onboarding platform should collect the necessary information during the application process and run both checks. A fraud department should be able to define its cost-to-risk appetite and design its ideal KYC solution with nothing to consider beyond data elements and price. One platform should provide this level of authentication in a modern system, with "step-up" logic that cross-checks data elements between data providers. A one-stop-shop platform can deliver this through automation, returning answers quickly while maintaining a complete audit trail.

The OPAL Way Means No Added Baggage from Storing PII

FIs do not need to be in the business of building data “bridges to nowhere.” Staffing is costly and so are operating costs. Regulatory risks and reputational risks from a data breach are high.

Good news: there is a way to store insights without storing the raw data, while maintaining a transaction history with each data provider so that the raw data can be retrieved from the provider at any point within a defined data retention period. This is possible with the privacy-preserving MIT Open Algorithms (OPAL) approach¹¹.

The following are the fundamental principles of OPAL and the treatment of data:

  • Move the algorithm to the data: Share insights instead of sharing raw data.
  • Data must never leave its repository: Exceptions to this rule are when a user requests a download of their data, and when there is a legally valid court order to obtain a copy of the data.
  • Vetted algorithms: Algorithms should be studied, reviewed, and vetted by experts.
  • Default to safe answers: The default behavior of data repositories when returning responses should be that of protecting privacy as the primary objective.
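The following Python sketch is an added illustration of how the four principles above and the step-up logic from the one-stop-shop section fit together. It is not FortifID's code or MIT's OPAL reference implementation. Two hypothetical providers (a DMV and a biometric liveness service) each run only allowlisted, hash-pinned algorithms next to their own data and return an enum insight plus a receipt; an unvetted algorithm or an unknown subject gets the safe answer UNKNOWN; the FI stores only receipts, and the raw context can be retrieved from the provider only with a legal basis inside the retention window. The provider names, record fields, the 0.90 face-match threshold and all sample applicants are constructed assumptions.

```python
"""OPAL-style 'algorithm to the data' onboarding check with step-up logic.

Added illustration only. Provider names, record fields, the 0.90 face-match
threshold and all sample data below are constructed assumptions.
"""
import hashlib
import inspect
import uuid
from datetime import datetime, timezone

# Constructed sample data for two hypothetical providers. Raw PII lives only
# inside each provider's repository; the FI never receives these dicts.
DMV_RECORDS = {
    "D1234567": {"name": "alex rivera", "address": "12 elm st", "dob": "1990-04-02"},
}
BIOMETRIC_SESSIONS = {  # keyed by the live-capture session of the web application
    "sess-legit": {"face_match_score": 0.97},  # applicant holding their own ID
    "sess-mule": {"face_match_score": 0.31},   # PII read off a business card
}
SAFE_ANSWER = "UNKNOWN"


# --- Vetted algorithms: reviewed once, identified by the hash of their source ---
def dmv_attributes_match(record, claims):
    """Insight only: do the claimed name, address and DOB match the DMV record?"""
    def norm(v):
        return str(v or "").strip().lower()
    fields = ("name", "address", "dob")
    return "MATCH" if all(record[f] == norm(claims.get(f)) for f in fields) else "MISMATCH"


def face_matches_id(record, claims):
    """Insight only: did the live face capture match the ID photo at >= 0.90?"""
    return "MATCH" if record.get("face_match_score", 0.0) >= 0.90 else "MISMATCH"


def source_hash(fn):
    """Pins the exact reviewed version of an algorithm into every receipt."""
    try:
        material = inspect.getsource(fn).encode()
    except OSError:  # no source file available; fall back to the bytecode
        material = fn.__code__.co_code
    return hashlib.sha256(material).hexdigest()


# Allowlist of vetted algorithms; anything else gets the safe answer.
VETTED = {fn.__name__: fn for fn in (dmv_attributes_match, face_matches_id)}


class Repository:
    """A provider that runs vetted algorithms next to its data and returns insights."""

    def __init__(self, name, records, retention_days=5 * 365):
        self.name, self._records, self.retention_days = name, records, retention_days
        self._ledger = {}  # txn_id -> raw evaluation context, kept at the provider

    def query(self, algorithm, key, claims):
        txn_id, ts = str(uuid.uuid4()), datetime.now(timezone.utc)
        fn, record = VETTED.get(algorithm), self._records.get(key)
        # Default to the safe answer: an unvetted algorithm or an unknown subject
        # both yield UNKNOWN, so a caller cannot probe whether a key exists.
        result = fn(record, claims) if fn and record is not None else SAFE_ANSWER
        self._ledger[txn_id] = {"key": key, "claims": claims, "result": result, "ts": ts}
        # The receipt is all the FI stores: no record fields, no claim values.
        return {"txn_id": txn_id, "provider": self.name, "algorithm": algorithm,
                "algorithm_hash": source_hash(fn) if fn else None,
                "result": result, "ts": ts.isoformat()}

    def retrieve(self, txn_id, legal_basis=None):
        """Raw context leaves the repository only with a legal basis, within retention."""
        entry = self._ledger.get(txn_id)
        if entry is None or not legal_basis:
            return None
        if (datetime.now(timezone.utc) - entry["ts"]).days > self.retention_days:
            return None
        return entry


def onboard(applicant, dmv, bio, step_up=True):
    """One-stop-shop decision: DMV attribute check, then step up to biometrics."""
    receipts = [dmv.query("dmv_attributes_match", applicant["license_no"], applicant)]
    if receipts[-1]["result"] != "MATCH":
        return "DECLINE", receipts
    if step_up:  # the DMV check alone cannot tell a business card from a license
        receipts.append(bio.query("face_matches_id", applicant["session_id"], {}))
        if receipts[-1]["result"] != "MATCH":  # MISMATCH or UNKNOWN -> manual review
            return "REVIEW", receipts
    return "APPROVE", receipts


# Constructed applicants: identical (real) PII, different person in front of the camera.
LEGIT = {"license_no": "D1234567", "name": "Alex Rivera", "address": "12 Elm St",
         "dob": "1990-04-02", "session_id": "sess-legit"}
MULE = {**LEGIT, "session_id": "sess-mule"}

if __name__ == "__main__":
    dmv, bio = Repository("dmv", DMV_RECORDS), Repository("biometric", BIOMETRIC_SESSIONS)
    for label, applicant in (("legit", LEGIT), ("mule", MULE)):
        decision, receipts = onboard(applicant, dmv, bio)
        print(label, decision, [(r["provider"], r["result"]) for r in receipts])
    print("mule without step-up:", onboard(MULE, dmv, bio, step_up=False)[0])
```

The mule from the fraud section passes the DMV check with the stolen PII and is only caught by the biometric step-up; with `step_up=False` the same applicant is approved, which is the gap the cross-check closes. Note what the FI is left holding after the decision: receipts carrying a transaction ID, a provider name, an algorithm hash and an enum, none of which is PII, while the provider's ledger keeps the raw context for the retention period.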

Conclusion

A modern customer onboarding solution should be flexible, with access to multiple data providers through a single contract. It should provide access to fraud-fighting algorithms without anything extraneous: if an FI does not need to validate employment status, it should not have to pay for that service. If an FI is concerned about synthetic fraud, or simply wants a step-up process that fits its risk profile, it should be able to cross-check PII attributes with checks such as driver's license verification against DMV databases and biometric face verification. To reduce the impact of a data breach, the onboarding solution should deliver insights without storing raw PII.

About FortifID:

FortifID is the world’s first commercial implementation of MIT Connection Science’s Open Algorithms (OPAL) concept for customer (individuals and businesses) decisioning in financial services. The platform maintains a zero-emission raw data ecosystem and shares insights only.

Learn more about how FortifID provides a privacy-first one-stop-shop onboarding and identity verification solution for Financial Institutions at FortifID.com.

Sources

1. Ferguson, C. (2016, March 16). Bank Tellers Increasingly Involved in Identity Theft, Prosecutor Says. Retrieved from https://abcnews.go.com/Business/bank-tellers-increasingly-involved-identity-theft-prosecutor/story?id=37678352

2. Apto Solutions. (2021). A Guide to Asset Disposition — What is ITAD? Retrieved from https://www.aptosolutions.com/what-is-itad

3. Harrop, M. D., & Brewster, L. (2017, October 26). Thomson Reuters 2017 Global KYC Surveys Attest to Even Greater Compliance Pain Points. Thomson Reuters. Retrieved from https://www.thomsonreuters.com/en/press-releases/2017/october/thomson-reuters-2017-global-kyc-surveys-attest-to-even-greater-compliance-pain-points.html

4. LexisNexis Risk Solutions 6th Annual True Cost of Fraud Study: Financial Services and Lending Report — U.S. and Canada Edition 2022. LexisNexis Risk Solutions. (2022). Retrieved from https://risk.lexisnexis.com/insights-resources/research/us-ca-true-cost-of-fraud-study#financialservices

5. Cost of a Data Breach Report 2022. IBM. (2022, July). Retrieved from https://www.ibm.com/reports/data-breach

6. BakerHostetler. (2019). The California Consumer Privacy Act: Frequently Asked Questions. Retrieved from https://www.bakerlaw.com/webfiles/Privacy/2019/Briefs/California-Consumer-Privacy-Act-FAQs.pdf

7. Bonta, R. (2022, November 21). Letter to FTC Re: Docket ID: Commercial Surveillance ANPR. R111004. Retrieved from https://oag.ca.gov/system/files/attachments/press-docs/Letter%20to%20FTC%202.pdf

8. Hay, A. (2022, November 8). What Uber’s Joe Sullivan Case Means for ‘Sacrificial CISOs’. Forbes. Retrieved from https://www.forbes.com/sites/andrewhayeurope/2022/10/06/uber-decision-implications-for-virtual-cisos/

9. Zakrzewski, A., Tang, T., Appell, G., Hardie, A., Hildebrandt, N., Kahlich, M., Mende, M., Muxí, F., & Xavier, A. (2019, June). Global wealth 2019: Reigniting Radical Growth. Retrieved from https://www.bcg.com/publications/2019/global-wealth-reigniting-radical-growth

10. Wakefield Research/Fivetran. (2021). The State of Data Management Report — A Global Survey of Data & Analytics Leaders.

11. Hardjono, T., Shrier, D. L., & Pentland, A. (2019). Trusted Data.: A New Framework for Identity and Data Sharing. The MIT Press.
