We live in a universe where disorder is the rule. Entropy, the quantity at the heart of the second law of thermodynamics, is a measure of disorder; the law states that an isolated system’s entropy always increases, so the system becomes more chaotic over time. If left alone, it will reach equilibrium, or maximum entropy.
How are you measuring the “entropy” of your digital business risk around your partners and clients?
Imagine an online business network is left alone (an isolated system) with any participants allowed to perform any action without intervention or consequence. What would happen? In theory, you would achieve maximum entropy, which in the business world probably means significant financial risk exposure or even insolvency.
Is “John” Really Who He Says He Is?
In the financial digital universe, the concept of KYC or “Know Your Customer” can be less complicated than the second law of thermodynamics. In the days before e-commerce and data, KYC was primarily a function of understanding your client’s needs and risk profile and talking on the phone, with the occasional face-to-face meeting. If your client, “ABC Corporation,” has a relationship manager named John you regularly interact with on the phone or in person, you know with a high degree of confidence the person you are talking to is John.
But in today’s digital world, most interactions between businesses occur via “sessions” between systems. There is no human to visually or audibly validate these digital handshakes; there are just attributes of the session you must verify to know if it’s John connecting to your system. You can’t assume, just because the session was opened with valid credentials, that the real John is on the other end. So what do you do?
Important Data Points to Verify
By collecting key data on all users, you can assure they are who they say they are. Having more data positions you to optimize algorithms and realize fewer false positives and negatives over time. However, collecting data requires a tricky balancing act because the more you ask for, the more difficult it becomes to provide a great user experience (UX) online.
In the financial world, some of the key data elements you’ll need to validate identity (for individuals, and for their organizations in B2B) include name, address, date of birth and the last four digits of the social security number (all of which should be stored encrypted).
This data should allow you to validate the identity of the individual with a very high degree of confidence, and validate the association of the individual with the business, if you are using a top-tier risk service integrated into your risk workflow. But that’s not enough.
Developing a History of Trusted IP Addresses
You also need to collect additional information during the user’s session, including the “user agent string,” which can identify the browser and its version, the operating system, and the device. You also want to capture IP addresses; over time, you can build a history of “trusted” IPs for each user.
Organizations should also block any session if the user is using an IP anonymizer—those are easy to access and are often used to commit fraud. It’s also important to block IP ranges associated with high-risk OFAC countries and individuals.
Validating the Device
Other steps include capturing the agent string info to validate the device being used. These are important because they allow you to identify any future sessions where an unknown IP or device is being used and could justify additional authentication layers, like a secret question or sending a code to the user’s mobile device. These additional authentication steps can be applied strategically—maybe you allow a session to be created with the untrusted IP address, but if they are taking steps to change account info or complete a financial transaction with a different OS or browser, hit them with the additional authentication hurdles.
Having transactions tagged with geo-location (IP, mobile, etc.) provides another important set of data points to manage risk. Significant changes in transactional activity, such as unusually large transactions or a major change in transaction frequency, may warrant additional authentication. Many financial institutions already use these geo and velocity approaches to alert consumers and businesses in near real-time of “unusual” transactions occurring far from where you live or for debit activity misaligned with historical patterns.
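As an added example (not code from the original article), here is a small Python decision function that combines the checks described above: a per-user history of trusted IPs and user agents, blocking of anonymizer and high-risk IP ranges, step-up authentication when a sensitive action arrives from an unknown IP or device, and a velocity check on transaction size. The IP ranges, action names and the 3x threshold are constructed placeholders; a real deployment would take the ranges from a sanctions or threat-intelligence feed.

```python
"""Risk decision for one session request against a user's history (constructed example)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed placeholder ranges (RFC 5737 documentation space), not real indicators.
ANONYMIZER_RANGES = [ipaddress.ip_network("198.51.100.0/24")]
HIGH_RISK_RANGES = [ipaddress.ip_network("203.0.113.0/24")]
# Actions that justify a step-up challenge when the session looks unfamiliar.
SENSITIVE_ACTIONS = {"change_account_info", "transfer"}
VELOCITY_FACTOR = 3.0  # amount more than 3x the running average counts as "unusual"


@dataclass
class UserHistory:
    """Attributes learned from the user's previously verified sessions."""
    trusted_ips: set = field(default_factory=set)
    trusted_agents: set = field(default_factory=set)
    avg_amount: float = 0.0
    txn_count: int = 0


def _in_ranges(ip: str, ranges) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in ranges)


def assess_session(history: UserHistory, ip: str, user_agent: str,
                   action: str, amount: float = 0.0) -> str:
    """Return 'block', 'step_up' or 'allow' for a single request."""
    # Anonymizers and high-risk ranges are refused outright, regardless of credentials.
    if _in_ranges(ip, ANONYMIZER_RANGES) or _in_ranges(ip, HIGH_RISK_RANGES):
        return "block"
    unknown_ip = ip not in history.trusted_ips
    unknown_device = user_agent not in history.trusted_agents
    # Velocity check only once there is enough history to compare against.
    unusual_amount = (history.txn_count >= 3
                      and amount > VELOCITY_FACTOR * history.avg_amount)
    # Unfamiliar sessions may browse, but sensitive actions get an extra hurdle.
    if action in SENSITIVE_ACTIONS and (unknown_ip or unknown_device or unusual_amount):
        return "step_up"
    return "allow"


def record_success(history: UserHistory, ip: str, user_agent: str,
                   amount: float = 0.0) -> None:
    """After a session (or its step-up challenge) succeeds, fold it into history."""
    history.trusted_ips.add(ip)
    history.trusted_agents.add(user_agent)
    if amount:
        total = history.avg_amount * history.txn_count + amount
        history.txn_count += 1
        history.avg_amount = total / history.txn_count
```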
Decreasing entropy in our financial universe is possible, and by following some basic protocols, you can mitigate risk in this dynamic digital environment. Integrate risk management into your business culture and scrutinize your data to refine your processes and system logic to find the right balance between risk tolerance and UX.
The definition of KYC will continue to change, but with access to a broad range of third-party services and simple but smart logic, it is becoming easier to build risk models that strangle entropy and bring order to most any online financial universe.