Identity verification (IDV) has become a crucial process for businesses across sectors to validate users and comply with regulatory requirements. Yet many companies put themselves at serious risk by selecting IDV vendors that fail to meet legal and industry standards.
The penalties for non-compliant IDV can be severe, including hefty government fines, legal action from customers, and irreparable damage to a company’s reputation. In part one of our Hidden Costs blog series, we explore the concept of “return on identity” and the financial consequences of working with an IDV vendor that doesn’t prioritize adherence to regulatory standards.
Opening the door to fraud
Without rigorous IDV, bad actors can infiltrate company systems and customer accounts more easily by using fake or stolen identities. Once these cybercriminals bypass identity verification defenses, they are free to carry out all manner of fraud, data theft, and illicit activity under the guise of a legitimate customer, which can prove extremely costly for targeted businesses in many ways.
The 2022 True Cost of Fraud study conducted by LexisNexis found that the average financial cost of each successful fraudulent transaction that companies experience is around $3,000 when accounting for losses and the costs of recovery. Other estimates from leading research firms like Javelin Strategy have placed the average cost even higher at nearly $4,000 per fraud incident.
The high cost of bad IDV
Consider a solution that is 99% accurate. That sounds highly reliable, right? But let’s look at the financial impact of using a 99% accurate IDV vendor versus one that meets the more stringent Four Nines standard (99.99% accuracy). Over the course of 10,000 deepfakes and counterfeit IDs, the 99% accurate solution will miss 100 fraudulent cases. Using the conservative $3,000 figure from LexisNexis, that’s $300,000 in cost to the defrauded business.
With a 99.99% accurate solution, just a single instance of fraud is permitted over the same 10,000 counterfeit ID presentations, costing the business just $3,000, a difference of $297,000.
Note that this arithmetic treats “accuracy” as the share of attacks that are caught. A vendor’s headline accuracy figure is usually measured over a mix of genuine and fraudulent presentations, so a system can be 99% accurate overall and still accept most attacks if attacks were rare in its test set. When vetting a vendor, ask specifically for the rate at which attacks are wrongly accepted (the attack presentation classification error rate, APCER, in ISO/IEC 30107-3 terms) and the rate at which genuine users are wrongly rejected (BPCER). The second number matters too: every legitimate customer turned away to tighten fraud catch rates is lost revenue, so the cheapest vendor is the one that minimizes both, not the one with the most impressive single percentage.
Non-compliance, steep fines
Various regulations at the international, federal, and state levels establish legal requirements for identity verification processes. These include anti-money-laundering (AML) and know-your-customer (KYC) obligations, data protection laws such as GDPR and CCPA, and others. Companies that fail to meet compliance standards open themselves to substantial government fines and sanctions.
In the UK, the Information Commissioner’s Office (ICO) can levy fines of up to £17.5 million or 4% of a company’s global annual turnover, whichever is higher, for violations of GDPR’s data protection requirements. Banks that run afoul of AML and KYC rules face even higher maximum fines of £22.5m or 10% of revenue.
Lawsuits from customers
Insufficient IDV also exposes businesses to expensive class action lawsuits, especially following data breaches. Such breaches have cost companies an estimated $100 billion in lawsuits and settlements over the past decade alone.
In fact, over $1.3 billion was spent on data breach settlements by US companies in 2021 alone, a 19% increase from 2020. That same year, the average cost of a data breach was $4.24 million, according to the IBM Cost of a Data Breach Report.
Clearly, data breaches enabled by poor security and weak credentialing have proven extremely costly for enterprises due to legal damages, and the frequency and cost of breach lawsuits continue to rise each year as companies collect more and more personal data. So don’t expect the multimillion-dollar settlements to end anytime soon.
Avoiding high-risk IDV vendors
To steer clear of these potential penalties, companies must thoroughly vet potential IDV partners using the following criteria:
- Compliance: Ensure vendors comply fully with all relevant regulations for your location, industry, and data types.
- Security/Audits: Vendors should hold recognized certifications and attestations such as ISO/IEC 27001 and SOC 2, and their liveness and document checks should have passed independent presentation attack detection testing against ISO/IEC 30107-3 by an accredited lab such as iBeta or BixeLab. They should encrypt sensitive personal data both in transit and at rest, and be subject to regular independent audits of their privacy and security controls. Ask for the reports, not just the logos.
- Algorithms: Vendors should have adopted a code of ethics demonstrating their commitment to removing bias from their machine learning algorithms. These rules should be followed by all members of the development team, including data scientists, programmers, and other stakeholders.
- Biometrics: Look for vendors offering multi-layered verification that combines face biometrics and liveness detection with document fraud analysis, so that a stolen genuine document, a forged document, and a deepfake each have to defeat a different control.
- Testing: Use a vendor that regularly tests and audits their systems to ensure that they are free from biases and assumptions. Testing should be performed on a large, diverse, and representative dataset.
- Transparency: Vendors should make the decision-making process transparent and provide explanations for the system’s predictions. This helps build trust with users and stakeholders alike.
Get it right the first time
Making compliance, security, and ethical AI top priorities when selecting an IDV provider significantly reduces risk exposure. Being deliberate about this choice also enables companies to tap into the major opportunities of AI-driven identity proofing to stop fraud, build trust, and improve the customer experience.
With the stakes so high, businesses can’t afford to work with substandard IDV partners. Make the right choice and work with a vendor that complies with every relevant regulatory requirement—and avoid paying a steep price.
About the post:
Images are generative AI-created. Prompt: A powerful bull, its muscles rippling with raw strength, crashes through a wooden fence, sending splinters of wood flying. Tool: Midjourney.
About the author:
Shane Oren is the CRO for IDVerse. He has over 12 years’ experience in sales for a range of businesses, from startups to large enterprises, where he has achieved record-breaking results. In his current role, Shane leads the North American office and manages revenue across the market, overseeing sales and customer support teams.