For those in governance, risk and compliance (GRC), there are numerous threats and concerns that need constant attention. The risk of fraudulent schemes, security lapses and/or compliance failures is ever-present, and a clear strategic vision along with precise operational measures is necessary. In the last few years, RegTech solutions have won over compliance skeptics, rising by almost a quarter to 76 percent. RegTech is effective for compliance, risk mitigation and fraud prevention; fraud risk and compliance systems can use and combine data from different GRC tasks to deliver compelling, holistic results.
Know your customer
One compliance requirement that is universal for financial services and highly recommended for other sectors is Know Your Customer (KYC). To help prevent fraud, mitigate risk and/or comply with Anti-Money Laundering (AML) laws, knowing who your customer is, and the risk they pose, is a foundational step.
Performing identity verification (IDV) checks helps ensure that the prospective customer is, in fact, who they say they are. At its most basic level, IDV ensures that a real person, with that identity data, does indeed exist. For compliance purposes, performing IDV at customer onboarding and at key times in the customer lifecycle is often enough to satisfy identity requirements. If the identity is further investigated to ensure that there is no known connection to money laundering, the account may pass compliance scrutiny.
However, GRC personnel are frequently doing more than simply checking the box; they are also tasked with protecting the operational integrity and reputation of the organization.
Know your criminal
While AML laws are there to protect society from the ill effects of money laundering, a different set of considerations to protect the organization is well advised. The risk of fraud is growing; the total amount for identity fraud in the U.S. alone (2019) is estimated at $16.9 billion, and that is just one fraud type. One article points to 41 different types of fraud, and while not all might be applicable to a specific organization, it does indicate the variety and depth of fraudulent activity that needs consideration.
Likewise, the threat of cybercrime is increasing, and the annual cost to the global economy from cybercrime is estimated to rise to $6 trillion by 2021. Viruses, ransomware, phishing and many other digital hazards pose a significant threat of fraud. Cybercrime can also cause compliance failure, either from the act itself, from non-reporting or by weakening control systems to hide illicit activity.
It’s imperative that GRC understand the sophisticated digital nature of financial crime and deploy technology and processes able to mitigate the risk. Being able to effectively sort normal accounts and account behavior from potential problems is a cornerstone of successful GRC activity.
Deeper layers of identity
There are additional layers of identity that enable more actionable insight into the true nature of an account holder. While verifying the existence of an individual does offer a foundational layer to start from, the ability to add in different identity information for a risk-based approach allows customization of workflows to better suit the situational demands of GRC.
Beyond verification, identity authentication and identity reputation help deliver the next level of trust and assurance for securely transacting business.
Authentication establishes whether the person presenting the identity data or document is actually the holder of that identity. Biometric authentication evaluates one or more distinguishing biological traits to uniquely identify a person. Combining ID document verification (proof of possession of a legitimate identity document) with a selfie (liveness check) provides two additional layers that help deliver authentication for online channels.
The ubiquity and usefulness of mobile phones enable mobile network operators (MNOs) to collect significant numbers of identity data points, including name, mobile number and address, along with device information, geolocation, usage and billing data. When cross-referenced with other identity data points, mobile ID data helps corroborate the individual, and it offers real-world data patterns that can pinpoint inconsistencies. Patterns such as out-of-location activity, traffic spikes or unusual behavior can be set to trigger a fraud flag for further investigation.
Many other data patterns are potentially usable as fraud flag triggers:
- Spikes in activities
- Exceeding thresholds
- Out of area or unusual cross-border activities
- Changing purchase patterns
- Consumer alerts
- Credit reports
- IP address discrepancies
Compared with analyzing only one source of data, the more data channels and data points that are analyzed, the more capabilities for spotting questionable patterns emerge.
It’s not only about detecting fraud patterns. A key performance factor is the occurrence of false positives, which require extra scrutiny and can lead to significant losses in revenue. Consider the significant issue of false declines, wherein legitimate transactions are declined. A 2019 report by the Aite Group “predicts losses due to false declines will grow to $443 billion by 2021 – dwarfing the losses from fraud itself.”
Integrating intelligence into GRC workflows for onboarding, transactions and KYC remediation helps prioritize the level of necessary due diligence.
Connecting existing verified identity credentials is another identity layer that can add further credibility and trustworthiness to a profile. A verified identity has already been vetted and generally has a historical profile. If the assurance level of the credential is high enough, and the profile has not been flagged, existing system IDs are a powerful addition to the GRC toolkit.
One example is a bank ID. Banks have historically had strong identity procedures and are required to follow strict KYC procedures. This is the idea behind KYC utilities — central repositories that store KYC data and documents — that would seem to offer advantages in terms of better coverage, data consistency and dissipated costs. However, careful consideration of issues around sharing personally identifiable information (PII) and competitive information is necessary. In the end, each institution must determine its risk profile and be accountable for its own compliance and fraud risk program.
Fine tuning workflows
As identity becomes increasingly important to the success of GRC and the number of data channels and points expands, the opportunities to mix and match information to fine-tune systems improve. However, these opportunities can only be realized if integrated into systems that are robust, scalable and, above all, dynamic.
Perhaps extra scrutiny of a certain type of account or transaction is warranted. Or a new fraud technique is gaining traction and needs close watching. Maybe a regulatory alert on new legislation requires recalibrating the collection of information. Whatever the change scenario, having systems that can collect numerous data points and quickly adapt helps deliver holistic risk-mitigation solutions.
Lack of identity insight is at the core of many GRC issues. Having dynamic systems that can quickly analyze identity information is a key tool for mitigating the risk of fraud and assisting compliance.