Talking to… Nuno Santos About Compliant Remote Identity Verification

Nuno Santos started at LOQR in 2018 as a Product Manager. He graduated in Systems and Informatics Engineering at Universidade do Minho and has a background in PKI and digital identities management as a Product and Project Manager. During his career of almost 20 years, he was part of several relevant projects in this field, such as the Electronic Passport, the Portuguese ID Card (Cartão de Cidadão), strong authentication with EMV-CAP, and Electronic Voting systems. In this conversation, he will talk a bit more about the challenges of compliant remote identity verification processes. 

Nuno, what are the main challenges of remote identification? 

The purpose of remote identity verification is to obtain a person’s identification and assess that it belongs to the person executing the process remotely. But this identification is linked to a business objective, which means that it is performed along with collecting and verifying different data to enrich the identity, including financial and professional data or any other information relevant to creating a customer profile. 

The verification procedures will be stricter or lighter according to the risks involved, either from the business area, the procedures themselves, or the characteristics of the person being identified. If someone is trying to access a restricted adult website, it may be only required to verify that the person is not underage. But if the goal is to make an order to transfer a large sum of money to an account on an offshore bank, there are high risks involved, and the identification process needs to be flawless and accurate. 

Financial services, led by fintech companies, are the main vertical doing remote identity verification, which nowadays is being followed by traditional deposit and investment banks and other financial institutions related to consumer credit. With this market move, central banks quickly established comprehensive regulations specific for remote identity verification and are closely monitoring the execution, adapting, and clarifying the rules when needed and even passing large amounts of fines when they are not met. At the same time, any other previously existing regulation requires to apply when conducting activities online, mainly related to Know Your Customer (KYC) and Anti-Money Laundering (AML), which impacts the procedures to assess the person’s real identity and to create its profile. 

These procedures are not exclusive to the financial businesses and are spreading to other areas like online gambling, healthcare, or online car rental and with the acceleration of the general online consumer activities provoked by the COVID19 pandemic restrictions. If the customer acquisition costs are generally high, meaning that the financial institutions can easily afford to pay remote identification associated costs, players from other markets expect lower costs, meaning that the processes need to be simpler, or the overall costs need to be reduced. 

What are the procedures to remotely identify a person? 

The identity verification procedures vary according to the goal or the business relation to be established with the person, but typically the main activities are: 

• Validating the person’s identity document; 

• Collect additional documents, including Proof of Address and Proof of Profession; 

• Collect additional KYC information or business-related data; 

• Perform a video interview, self-recorded or assisted by an operator; 

• Face match of the user with the identity document, either during the assisted interview or unattended with liveness detection (way to assure it is a real human in front of the camera, doing the process live and it is not based on any pre-recorded video or someone using some mask). 

The real implementation of a user journey depends on the applicable regulation, which varies according to the geography and the regulator body – although being part of the European Union, which created directives specific for remote identity verification, each country adopted slightly different regulation; for example, to open a bank account in Portugal it is required to have a video interview with an operator, but in Spain, it can be self-recorded. 

But the fundamentals are the same, based on AML and KYC requirements, and the risk must drive the journeys. This means that the entities should take an evolutive approach to the journeys, target low-risk individuals first, assess the process, and progressively open the process to higher-risk scenarios, including Politically Exposed Persons, in relation to high-risk countries, etc. The journey itself must be flexible to adapt to the risk, including triggering specific procedures when the user behavior is suspicious or including random factors to avoid the possibility of malicious people training to mislead the system. 

Building a journey seems to be a complex process…

There are a lot of variables to consider, but the main one is always to comply with the regulation. Compliance Offices may also have specific requirements to make the journeys according to internal rules or have stricter or different interpretations of the regulation. 
 
These rules must be the starting point for designing the journey; every step added on top of this must be thought carefully to make the journey as simple as possible to improve the user experience and reduce the dropouts. 

For the companies acquiring users, the identification process is not enough. After knowing the user’s identity, they need to establish a commercial relationship, which must be part of the journey: acquiring service and signing the contract. 

Can all of this be automated, or do companies need many people involved in the process? 

The verification process can be fully automated, based on several data sources and documents for cross-validation, applying tools and techniques for steps like ID documents validation and face match. 

But again, to reduce the risk of fraud, some regulators always require human intervention for process validation or conducting video interviews and may even require process review from another operator on all processes or only when a risk engine signals a process. 

When humans are involved in the validation, it does not mean the automated validations and tools are irrelevant; quite the contrary, they may be required by regulation to be applied and used as input for the humans to make the decisions. 

Another essential flow is the operation journey to keep client acquisition costs down: the steps and tools used by operators to reduce the time and effort to verify the user identity while also reducing the risk of operational errors.

How is LOQR helping businesses in these processes? 

LOQR offers a wide range of customer journeys that were already tested and validated, including, among others: opening a bank account, user data refresh, consumer credit, proof of life, etc. But since LOQR’s platform is built as a set of blocks that can be rearranged, the existing journeys can be easily and quickly adapted for clients’ specific requirements. 

If clients need a completely different journey with new steps, it can be easily built and mixed with the existing steps to fulfill the requirements. 

Within the user journey, not only a digital identity is created through the verification process, but this identity is ready to be used. The user is immediately capable of performing digital signatures to establish the commercial relationship and keeps this capability even after the journey is completed, allowing businesses and users to keep digital, compliant interactions through time. 

LOQR Portal offers a central management area to control and execute all operation activities, including access to user data and documents. To reduce the risk of operational errors, both document validation and video interviews are performed by operators by following pre-configured scripts that record all decisions and events during the execution. 

All the journey’s events, data, and assets are available for auditing during their lifecycle. Since LOQR acts as a temporary processor under GDPR, all data, including PII, is eventually removed, but only after everything from a process, including all video recordings, all documents, and data collected from the user or external sources, is packed in a dossier and made available to the client. This assures that all processes are fully and quickly auditable at any point in time, without the need for LOQR or any other party to intervene. 

Nuno, if you had to define LOQR in one sentence, which would it be?   

LOQR is a true enabler of digital relationships between individuals and businesses.