By Andrew Bud on Thursday 9 April 2020
In a world of spoof attacks and deepfake synthetic videos, digital verification isn't as easy as you'd think, writes Andrew Bud, CEO and founder of iProov.
Just over a week ago, the Financial Conduct Authority (FCA) issued a letter to the CEOs of UK regulated financial institutions providing guidance on how to verify customer identities during the coronavirus outbreak.
The letter, however, has been interpreted by some national news outlets to mean that identity checks can be completed using just a selfie. This is simply not true. Identity checks conducted via selfie alone are an open invitation to money launderers and other criminal actors.
The mere act of taking a selfie and sharing it with a financial institution is in no way sufficient proof of your identity. It’s far too easy to submit a photo of someone else, such as a victim of identity theft, or of a non-existent person, to create a synthetic identity. In fact, the only way to remotely verify that a person is who they claim to be is by a rigorous process that confirms they are a genuinely present person, not a digitally created forgery.
In order to accept an identity presented during remote onboarding, financial institutions need to know that the individual in question is the right person, that they’re a real person and that they’re authenticating themselves at that exact moment in time. Only the combination of these three elements is enough to truly validate an identity.
So, what does this mean in practice?
First, it means the individual must prove, online, that they are the rightful holder of a passport, driver’s license or other identity document. Their face in a selfie must match their photo ID portrait, and this can be done by automatic face verification, whose performance today far exceeds that of any human being. Only then can they be deemed the right person.
Second, it means the individual presenting themselves for identification needs to be a genuine human being, not a doctored or digitally altered photograph, video, mask or another object. Only then can they be confirmed as a real person.
The third, final and perhaps most complex element is determining whether the individual is authenticating themselves in that exact moment. Criminals frequently use replay attacks, in which videos are used to dupe biometric defences, to fraudulently pose as someone else and trick such systems. Only by confirming that the individual is a real human being, who is also verifying their identity at that very moment, can institutions protect against spoof attacks and deepfake synthetic videos.
Without these steps, criminals, terrorists and other malicious actors can, and will, exploit identity checking processes for financial gain and illicit activities. Their business models amply justify the effort involved. By following the proper procedures, however, financial institutions can remotely identify and authenticate their customers, safely and compliantly.
If the coronavirus has proved anything, it’s that allowing customers to access banking services remotely is a positive thing. Not only can it enhance banking processes such as onboarding customers, handling both high-value and high-risk transactions that previously required a visit to a branch, and authenticating customers in need of access to secure online services, it can also protect against opportunistic criminal activity in these turbulent times.
What the FCA is doing is re-emphasising the permitted level of flexibility that exists within the current regulations and desperately needs to be adopted in the present situation. What it is not doing is relaxing its rules on identity verification. A selfie submitted by email or text is quite clearly neither protected from fraud and misuse, nor capable of providing an appropriate level of assurance that the person is who they claim to be.
Thanks to a revolution in online identity verification and genuine presence assurance, today customers are still capable of setting up bank accounts, performing transactions and even authorising customer identities for as long as branches remain closed. The FCA’s actions represent a welcome reminder to the industry that this kind of verification is possible and should hopefully serve as much-needed encouragement for financial institutions to make a swift, secure transition.