Q: What is the difference between verification and authentication when dealing with identity? Where should the focus be on the part of companies?
Ben Jordan: Simply put, authentication is granting permission or access. Verification is the confirmation of information. In terms of where focus should be placed, it really depends on the nature of the transaction. A merchant selling an item that’s in demand and has high resale value may wish to authenticate an individual in order to prevent fraud. For verification, not only is the identity requested but its validity is checked by confirming one or more data attributes. This is especially important for high-risk merchants or merchants in a highly regulated market sector, such as iGaming, adult or merchants specializing in selling high-value goods.
Q: How can companies meet the KYC standards and the EU 3rd Directive requirements for financial due diligence?
BJ: First, with the fourth EU Anti Money Laundering Directive currently being transposed by EU member states, any non-face-to-face merchant or those dealing with high-value goods should be aware of their regulatory obligations. If a company is currently compliant with the 3rd AMLD, there should be minimal operational impact when the 4th AMLD comes into effect next year. The key will be having a robust system in place to trigger enhanced due diligence at the appropriate point in the customer journey. Ensuring staff is trained on how to spot risks and having a process in place — with a clear audit trail, if needed — for reporting suspicious activity is also important. Incorporating identity data and document processes into your on-boarding process will help in meeting the risk-based approach, which continues to be favoured by the 4th EU AMLD. Having a solid identity provider protects the business from heavy penalties. If anyone thinks compliance is an expensive business function, noncompliance is significantly more so!
Q: As a company that operates on a global level, what is the main challenge that comes from different regional identity regulations or directives?
BJ: Of course, the multi-jurisdictional nature of most businesses has key challenges. The main challenge for most businesses is simply one of cost. Having an internal audit function, MLRO, staff training or a legal team reviewing any jurisdictional changes is costly but vital. Depending on the business, outsourcing certain compliance functions to well-established companies can offer significant operational savings, as well as enabling a new business to hit the ground running — provided outsourcing is permitted by the relevant regulatory body.
Q: You work with both financial services companies and governments. What are the main identity security risks to which both sectors are open?
BJ: It is a case of sensitive data movement. Both governments and financial services need data to achieve a level of confidence to proceed with a certain function. The risk appetite for both governments and financial services will vary depending on the function that needs to be performed and the granularity of data required to complete a specific function. Having superfluous data stored or transferred cross-jurisdiction is simply not attractive to either sector. Instead, verify and authenticate what is needed in each data transaction to perform that function with confidence.
Q: What new approaches can financial institutions implement with regard to data security?
BJ: Ensuring you can complete mandatory requirements on a global level is first and foremost. There are extra steps that can be taken to go above and beyond what is required. The Financial Action Task Force and the 4th AMLD promote a risk-based approach, rather than a prescribed one. Taking the extra step to validate customers is an incredible opportunity to safeguard the future profitability of a financial institution. Take a customer’s digital footprint, for example. While not a standalone method for compliant verification, if you already have sufficient data to check if a customer has a social presence, such as a LinkedIn or Facebook profile, this is often viewed by regulators as going the extra mile. Age verification providers, like Aristotle-Integrity, can assist by providing an existing robust suite of omni-channel solutions to ensure compliance and operational continuity.
Q: What are the main causes of identity fraud and what steps should merchants and consumers take to prevent it?
BJ: From a consumer standpoint, take time to become knowledgeable of the risks. If you receive a call from a company or bank asking for information, offer to call them back and ensure you call the bank or company from a number you source. Do not throw away documents that contain your personal data without taking precautions to make sure it is not going to easily end up in someone else’s hands. With a bank statement alone it may be possible to obtain a library card. With a library card and a bank statement it may then be possible to obtain credit at a high street retailer.
For a merchant, properly trained staff is key. Does the person sound significantly older or younger on the phone than their actual listed age? Does an email contain numerous spelling mistakes when all previous emails were perfectly written? Have there been numerous recent account changes prior to a high-value transaction? Having customer-facing staff made aware they are on the frontline of protecting the business against fraud should never be underestimated. Offering to call a customer back on their listed number if something doesn’t make sense can significantly reduce risk. A mismatch between an IP address and customer location is also a risk component that should not be underestimated, as are failures in the identity verification process.
Full interview can be viewed here.
About Ben Jordan
Ben Jordan is the European Business Director for Aristotle and a risk management professional who has extensive experience in both online gaming and financial sectors. He has over ten years’ experience in the gaming sector, working in Costa Rica, London, the Isle of Man and Malta. Ben is Aristotle’s representative to the Digital Policy Alliance and on the PAS 1296 steering group for regulation/legislation of age restricted goods and content in the UK. Prior to Aristotle, Mr. Jordan was Senior Security Manager for PokerStars responsible for the Risk and Fraud mitigation best practice within the online space.