Questions to consider when implementing GlobalGateway
Digital identity networks are only as good as the identity data sources and technology partners behind them. Data quality is the single most important factor in regulatory compliance and risk mitigation verification.
The GlobalGateway identity network connects with hundreds of independent third-party data sources to validate and verify information that you collect from customers or businesses. We offer our clients access to a marketplace of unique and trusted data sources to automate due diligence processes for identity and business verification in order to comply with Anti-Money Laundering (AML) and Know Your Customer (KYC) requirements. Implementing an effective identity verification and/or business verification solution can be complex for customers in one country, let alone in multiple countries.
At Trulioo, we help to ensure that the verification workflows are efficient and right for your business from the beginning. With hundreds of clients worldwide, we can help your business with frictionless onboarding, fraud prevention, improved risk profiling and adherence to cross-border AML and KYC compliance requirements.
Below is a list of frequently asked questions about the Trulioo identity and business verification platform, GlobalGateway.
Learn more about the processes, marketplace and solutions of the current identity verification landscape with our Buyer’s Guide.
We work with international data source providers, all of which undergo thorough risk assessments to ensure that they meet required regulatory and security standards. From initial vetting to onboarding, rigorous checks are in place, including determining business history and conducting an information security review to ensure the integrity of the data.
The following data sources are commonly used for online identity verification:
- Citizen: Data sourced from either a utility- or government-issued database that is enhanced and updated with other source files like public data, change of address, postal data, property data and data pooling with other organizations
- Consumer: Data sourced from direct marketing campaigns
- Credit: Data derived from a registered credit agency or bureau that manages consumer credit
- Electoral roll: Government-collated and issued data for all citizens in a country who are enrolled to vote
- Government issued: Government-collated and issued databases or information. This includes national insurance numbers, driver’s licenses and passports
- MNO: Active data from leading mobile network operators
- National ID: Government-collated and issued data for countries that have a singular, national identification system with an associated number
- Property files: Data issued by the government or other accredited sources detailing ownership of property within a given country
- Public data/resident files: Mixed sources that may include utility, consumer and other public information
- Utility: Data issued for a national utility provider, which includes telephone, gas, electricity or water
- Tele-connect: An automated telephone number verification service, which details whether a landline or mobile number is valid and is connected/disconnected
- Watchlists (OFAC, DFAT, EU, etc.): Watchlists and country sanction program list screening against a range of lists
- Other identity validation: Validation of national identity numbers, social security numbers, national health numbers or other key country indicators of identity. Also includes validation of the unique reference number at the bottom of the global passport machine readable zone (MRZ), which specifies that it is valid and also includes the person’s name and date of birth
We provide identity verification services to organizations in more than 195 countries. As a result, each data source is unique, as are the collection methods when establishing a file. What is consistent across all data providers is adherence to providing notice and requesting opt-ins from users before collecting any data, as well as adherence to security and privacy best practices in protecting this information.
GlobalGateway provides access to a global network of data sources, integrated via API into our system. Data sources have varying time frames that govern their data updates, primarily on a daily, weekly or quarterly cycle. Given the direct link to our data source providers, all updates are reflected in real time within GlobalGateway.
Coverage depends on the country and when the file is accessed. Since we’re constantly updating sources and continuously acquiring newer data sources to improve match rates, the percentage of coverage changes frequently.
GlobalGateway has many countries with population coverage in excess of 80% (Category 1), which is achieved by checking multiple data sources. Our country categorization is based in part on the percentage of population covered for each country.
Countries in GlobalGateway are routinely enriched and new countries added. A three-category classification system shows the verification strength of each country (Category 1, Category 2 and Category 3). The classification system is based on how many data sources GlobalGateway has for the country and how much of the population is covered by the data sources for the country.
We’re committed to transparency and share detailed information on sources once a prospect begins to evaluate our services and initiates a non-disclosure agreement.
This is a critical question, and of course depends on the data source and the country. One great way to gain specific answers for this question is to download the GlobalGateway brochure. You can see the list of data sources in our portal, with each data element required and verified for each source. Our data sources can verify the following types of data elements, among many others:
- Full Name
- First name/given name
- Last name/surname
- Street number/house number/civic number
- Street name/street type
- Postal code
- Date of birth
- Phone number
- Passport number
- Driver’s license or similar government ID document
- National ID number
- Watchlist screening
- Facial comparison
- Full Name
We don’t retain customer personally identifiable information (PII).
We are ISO-27001 certified and comply with the highest international standards for data protection. For more information, visit our ISO-27001 page.
A verification match is based on the configured rule for your implementation. The rule may include data elements like first name, last name, date of birth, address fields, passport and national ID.
The verification results matrix in the GlobalGateway portal delivers a visualization of a verification result, displaying the match results for each attribute from each data source. This results matrix provides you with an enhanced understanding and greater clarity of why a customer was or wasn’t verified.
GlobalGateway includes multiple built-in standard verification rules, as well as the ability to define your own match rules. You can also apply different rules for different countries, enabling you to comply with regional and international AML and Counter Terrorism Funding (CTF) regulations.
GlobalGateway provides the ability to create multiple test entities per country, allowing you to test for consistency.
It depends. Verification rules can be dependent on the country and industry. We recommend discussing your verification requirements with your legal counsel to ensure that you’re compliant with country-specific regulations.
While we purge all PII related to a transaction, we do retain a copy of the verification rule as it was defined at the time, along with individual field match signals that were produced from the verification transaction, and the name of the data source(s) that were used. This evidence allows a regulator to have full confidence that all regulations and stated controls were followed.
The fields that a person must give to be verified do vary between countries. Normally, the fields required to perform the verification and the fields required by the data source partner to find corresponding records are the same. In some cases, however, a data source partner may require a field that is not currently collected in the onboarding process. The most common case is a U.S. company expanding globally, which needs to start collecting national ID numbers during their onboarding process in order to verify people in non-U.S. countries.
There are two levels of normalization that provide consistency of output results.
For the first level, across all data sources and countries, GlobalGateway normalizes all common fields by mapping the different outputs of data sources (for example, while different sources may return “LastName”, “Surname”, or “FamilyName” to GlobalGateway, the API always returns this field as “FirstSurName”). This means that, the vast majority of the time, developers don’t need to worry about data source or region-specific differences during integration.
The second level of normalization happens at the verification level. Ensuring that a person’s name is verified is almost always necessary. In North America, this requirement translates to field matches on first name and last name (and optionally middle name or initial). In other countries, this requirement may translate into a match of first name, first surname, and second surname. These regional differences are accounted for in GlobalGateway, and they don’t require additional development work by our clients. Though rare, there are some country-specific fields that are unique (for example, “Prefecture” in a Japanese address). In these cases, your developers must handle these fields separately. We provide API calls that return which rare country-specific fields need to be handled, specific to your account and configuration.
We provide a single API and standard input and output fields to perform verifications across all countries. Each verification call must provide a two-letter country code to specify in which country to run the verification. Note that you can restrict certain integrations to specific countries by configuring the account associated with the API credentials, without having to update your API integration.
The integration time depends on a number of factors, including how many countries are selected and your development team’s timeline. We have been able to onboard clients as quickly as one day.
To address the recurring need to remediate client data attributes, we offer a batch service where you can upload and process batch files (up to 200,000 transactions) to re-verify customers against watchlist (AML/PEP/OFAC) data sources, with minimal impact on your business. In one to five business days, the results are provided in the form of a CSV file with a negative or positive flag per person. For positively flagged results, links to the specific identified list(s) are provided. For more information, visit our AML watchlist page.
Identity verification is a process that compares identity information from a person to database results, to see if it matches. For example, a new customer might be asked for their full name, phone number, address and date of birth. This identity information is then compared to records from credit bureaus, government agencies, utilities or various other reliable and independent sources to see if that personally identifiable information (PII) is accurate.
Identity verification confirms that an identity actually exists and matches records. However, this confirmation doesn’t indicate that the identity is authentic, that is, that the person is who they say they are. Identity authentication goes a step further and ensures that the person claiming the identity actually owns it. For example, facial recognition matches a person’s selfie with the photo on their identity document.
Anti-Money Laundering (AML) refers to the legislation that exists to prevent criminals from disguising illegally obtained funds. To disrupt and prevent corruption, terrorist financing and other criminal activities, governments enact AML regulations requiring banks and other financial institutions to ascertain that the customer and their funds are legitimate.
Know Your Customer. As part of AML, financial institutions need to establish customer identity and do Customer Due Diligence (CDD) to ensure that they know the source of the customer’s funds and determine the associated risk of doing business with them.
The initial step of an effective KYC process is to accurately identify an individual. Each financial institution has to have a set policy for account opening, identity verification, account screening, customer notification and record keeping.
Politically exposed persons. These are individuals who, based on their position of power and influence, pose a higher risk of bribery and corruption. Due to their higher risk category, Customer Due Diligence requirements are more stringent (see Enhanced Due Diligence question).
Anti-Money Laundering (AML) sanctions lists. These are lists of people who are suspected (or have been convicted) of various financial crimes and restricted from doing business in sanctioning countries. These lists come from diverse government sources, international regulators and law enforcement agencies.
A legislated responsibility of banks and other financial institutions to understand their customer’s activities and do an analysis of their risk of money laundering and terrorist financing. CDD is a critical element of effectively managing the institution’s risks and protecting itself against potential financial crimes and nefarious activities.
Types of activities or account holders that require extra customer due diligence scrutiny. If an account type or account owner has a higher risk of money laundering or terrorist funding, then it’s subject to EDD.
Financial technology. While any technology used in finance could, technically, be fintech, the term is now more descriptive of new financial startups that are offering innovative technology and processes. According to PwC, “fintech is a dynamic segment at the intersection of the financial services and technology sectors where technology focused startups and new market entrants innovate on the products and services currently provided by the traditional financial services industry.”
Regulatory technology. This term describes the field of companies that help financial firms deal with the burden of regulations. According to Deloitte, “RegTech helps firms to automate the more mundane compliance tasks and reduce operational risks associated with meeting compliance and reporting obligations. In the long term, RegTech will empower compliance functions to make informed risk choices based on data provided insight about the compliance risks it faces and how it mitigates and manages those risks.”
Beneficial ownership refers to the person or people who has/have legal ownership and control of a business. It involves knowing who you are doing business with.
The beneficial owner is often referred to as the UBO, which stands for Ultimate Beneficial Owner. (See Ultimate Beneficial Owners question.)
Verifying business entities involves matching information provided by the entity against information available from the business registrar in the specific area or jurisdiction (or another reputable source). This can include registration number, address, telephone, date of incorporation, status, beneficial owners and other information related to the operation of the business.
Know Your Customer’s Customer. As an extension of KYC requirements, KYCC takes those requirements to the next level and looks at who your customers are doing business with, their source of funds and its legitimacy, and the risk that these third parties are laundering money.
Know Your Business. Similar to KYCC, it’s a requirement to do proper Customer Due Diligence and risk assessment on corporate accounts to ensure that the source of funds is legitimate and the risk to launder money or finance terrorism is sufficiently low. (Also referred to as corporate KYC.)
If your business is required to adhere to international or local AML regulatory requirements, your organization needs procedures and processes to collect information about the beneficial owner. When opening business accounts, in addition to collecting the usual business information (for example, business name, location, type, business registration number), you need to obtain the identity of anyone who has a significant ownership or control position. Also, if there is a significant change on the account, collect the beneficial ownership information.
The beneficial ownership information includes:
- With respect to the natural person opening the account: name and title
- With respect to the legal entity customer: name and address