Solving for Simplicity and Security: Improving ID Verification for Alias-Based Transactions
Venmo, one of the most popular peer-to-peer (P2P) payment services, processed $17.6 billion in 2016. And Venmo is only one of many such options available to consumers hungry for convenience.
Simple for Users Only: The ID Verification Process Behind Alias-Based Transactions
As simple as alias-based transactions make P2P payments for users, there’s a lot that goes into the backend to meet regulatory requirements. For example, these services must conduct ID verification to prevent hackers from taking over accounts or creating accounts with fake credentials.
The most common forms of ID verification for alias-based transactions include SMS two-factor authentication (Venmo), bank account logins (Zelle), and fingerprint ID (Apple Pay). However, are these methods enough to satisfy regulations and keep users secure? Let’s take a look.
A Regulatory Alphabet Soup for Alias-Based Transactions
Alias-based transactions are governed by an alphabet soup of regulations including:
- FINRA: Financial Industry Regulatory Authority, which helps maintain market integrity and protect investors by developing and enforcing rules that apply to broker-dealer activities. FINRA’s oversight helps keep financial activities like alias-based transactions secure. For example, in 2016 FINRA identified more than 785 fraud and insider trading cases.
- AML: Anti-Money Laundering laws with which all financial institutions must comply under the Bank Secrecy Act. These laws require institutions to file a report for any individual who makes a cash transaction of over $10,000. The Financial Crimes Enforcement Network investigates those reports for signs of suspicious activity.
- KYC: Know Your Customer, a program required by the Bank Secrecy Act and USA PATRIOT Act. This program requires banks to confirm that customers open accounts only in their own legal name, to obtain a general understanding of where money in an account comes from, and to monitor customers’ transactions. This program is meant to prevent banks from being used for money laundering activities.
- CIP: Customer Identification Program, which is part of KYC and requires financial institutions to verify the identity of customers, including their name, date of birth, address, and taxpayer ID number (for US citizens) or passport or alien ID number (for non-US citizens). These requirements aim to cut down on identity fraud.
- GDPR: General Data Protection Regulation, an EU Parliament resolution that gives consumers control over their data by allowing them to know exactly what financial institutions are using their data for, obtain an electronic copy of that data, and demand that data stop being used and even erased at any time.
- PCI DSS: Payment Card Industry Data Security Standard, which was originally introduced to cover branded credit cards in order to reduce fraud by requiring regular compliance reviews.
Complying with ID Verification Regulations for Alias-Based Transactions
As recently as 2015, alias-based transaction services struggled with ID verification. For instance, Venmo came under fire that year for poor ID verification. Complaints against Venmo included the ability of hackers to create accounts that pose as users’ friends (meaning those hackers used fake names in violation of KYC and CIP regulations) and to change users’ login details, including linked email addresses and passwords, without Venmo notifying users.
Apple Pay also faced issues with ID verification when it launched in 2015. Specifically, Apple Pay allowed users to connect credit cards to their accounts without any ID verification, enabling hackers to use stolen credit cards. Since Apple did not verify that users were connecting their own, legitimate source of funds, it violated KYC and CIP regulations.
Today, ID verification for most alias-based transactions involves some combination of bank account validation, confirmation of personally identifiable information through sources like credit bureaus, utility bills, and driver’s licenses, and “out-of-wallet” questions that ask about things like education history and cars owned. Most services obtain this information from users digitally. For example, users might upload images of a driver’s license or utility bill. However, this process opens the door for fraud, as it’s relatively easy to doctor digital images that can pass muster. While some services do use fingerprint identification, which is extremely difficult to fake, this form of verification is not widespread and not always welcomed by consumers.
The problem? Today’s ID verification methods leave loopholes for hackers and create several obstacles for legitimate users.
Simplicity Meets Security: A New Approach for ID Verification
If the appeal of alias-based transactions is simplicity, then ID verification should be simple as well. However, it must also be secure enough to avoid fraud and satisfy regulations.
Fortunately, there’s a new approach for ID verification that offers both simplicity and security: Direct-from-source data. Instead of requiring users to upload documents, services can simply ask users to input their login credentials for a bank or utility account. The service can then grab ID verification data directly from the bank or utility provider. This process provides three main benefits:
- It prevents hackers from altering documents and uploading false information
- It simplifies the process for users (versus scanning and uploading documents)
- It provides another layer of security since receiving data through a one-time feed means services don’t have to store users’ information on their servers
How Utility Data Can Add Security to Alias-Based Transactions
With direct-from-source data, ID verification becomes simpler and more secure for alias-based transactions. That said, we know digital security should not be taken lightly, and that’s where the combination of direct-from-source data and utility data can make a difference.
Currently, most alias-based transaction services verify users’ identities through bank accounts, social media profiles, out-of-wallet data, and phone numbers. For the most part, these are safe and reasonable: If users pay an existing contact $5 or $10, they don’t need to go through a complicated ID verification process.
But when they’re first creating an account, making a large payment, and/or paying someone new, those extra steps are necessary. That’s where the more secure direct-from-source data, combined with utility data as an additional source that’s not regularly tied to the account, can improve security for users and better ensure compliance for service providers.
About Amy Hou
Amy Hou is a Marketing Manager at Urjanet, overseeing content and communications. She enjoys writing about the latest industry updates in sustainability, energy efficiency, and data innovation.