Southeast Asia is a rapidly growing market for financial institutions, and is increasingly relying on mobile phones to onboard customers digitally. In 2021, there are still 174 million adults who lack bank accounts and credit cards, making up 27.10% of the total regional population. This is a tremendous leap when compared to the 50% take-up rate in 2018.
This represents immense demand for digital financial services throughout the pandemic, with few signs of slowing down. Services such as digital lending and e-wallets still help address existing financial issues faced by the public.
Hence, accessibility is the key determining factor within this digital race, and mobile phones are the best tools for the job – with mobile penetration rates exceeding 100% in countries like Indonesia, Vietnam, the Philippines and more.
User Onboarding Risks
However, Innov8tif has received reports of high user onboarding risks through mobile channels. From a user’s point of view, these apps follow the standard procedure of capturing facial images and identity documents. However, these captures do not have to be valid to pass through security checks.
For instance, we have found that certain apps accept photocopied identity documents as proper submissions. There are also others which do not require the captured face to match the profile photo displayed on the identity card.
Our internal report shows that these high-risk apps only incorporate three modules for eKYC purposes:
- Facial capture
- Document capture
- Optical character recognition (OCR) for text extraction
Although sufficient for genuine user sign-ups, such systems are prone to abuse and security vulnerabilities. This can be detrimental to financial institutions and regular users, not to mention the regulatory compliance risks associated with them.
A well-established eKYC journey is exponentially more complex, with layers of checks and balances. It is a fine balancing act of delivering a streamlined customer journey for valid users, while not compromising on security for fraudulent sign-ups.
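The gap described above can be shown as an onboarding gate. This is an added example, not Innov8tif's code: the field names, scores and thresholds are all assumptions, and the scores stand in for whatever upstream document, liveness and face-match services return.

```python
from dataclasses import dataclass
from typing import Optional

# Hypothetical thresholds; real values come from tuning against labelled data.
MIN_DOC_AUTH, MIN_LIVENESS, MIN_FACE_MATCH = 0.80, 0.90, 0.75
REQUIRED_FIELDS = ("name", "id_number", "date_of_birth")

@dataclass
class Submission:
    """Signals for one onboarding attempt (all field names are illustrative)."""
    ocr_fields: dict
    doc_authenticity: Optional[float] = None  # from a document verification service
    liveness: Optional[float] = None          # from a liveness detection service
    face_match: Optional[float] = None        # selfie vs. ID portrait similarity

def ocr_failures(sub):
    return [f"ocr_missing:{f}" for f in REQUIRED_FIELDS if not sub.ocr_fields.get(f)]

def three_module_gate(sub):
    """Face capture + document capture + OCR only: passes whenever text was extracted."""
    reasons = ocr_failures(sub)
    return (not reasons, reasons)

def layered_gate(sub):
    """Adds document, liveness and face-match checks; a missing signal fails closed."""
    reasons = ocr_failures(sub)
    checks = (("doc_authenticity", sub.doc_authenticity, MIN_DOC_AUTH),
              ("liveness", sub.liveness, MIN_LIVENESS),
              ("face_match", sub.face_match, MIN_FACE_MATCH))
    for name, score, minimum in checks:
        if score is None:
            reasons.append(f"{name}:not_evaluated")
        elif score < minimum:
            reasons.append(f"{name}:below_threshold")
    return (not reasons, reasons)

# Constructed sample attempts, not real data.
_fields = {"name": "A. Sample", "id_number": "X0000000", "date_of_birth": "1990-01-01"}
SAMPLES = {
    "genuine": Submission(_fields, 0.97, 0.98, 0.91),
    "photocopied_document": Submission(_fields, 0.12, 0.96, 0.88),
    "face_does_not_match_id": Submission(_fields, 0.95, 0.97, 0.21),
    "checks_skipped": Submission(_fields),
}

if __name__ == "__main__":
    for label, sub in SAMPLES.items():
        print(label, three_module_gate(sub)[0], layered_gate(sub))
```

The three-module gate accepts every sample because OCR succeeded on each, while the layered gate accepts only the genuine attempt and records a reason for each rejection.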
Common Spoofing Techniques
- Displaying profile photo on screen instead of a live image capture
- Utilising printed profile photos
- Wearing a mask depicting another person
- Utilising black and white photocopies of the document
- Photoshop and text replacement attempts
- Physical tampering
Importance of Verification
At its core, eKYC is process automation aimed at replacing traditional KYC practices. Even today, traditional KYC practices involve meeting the applicants face-to-face, verifying if the documents are legitimate, and entering applicant details into a digital record.
An eKYC process that does not factor in document or applicant legitimacy needs to grapple with the following challenges:
- Fraud management
The lack of verification services opens the floodgates to fraudulent or bot sign-ups. For non-essential accounts, this could lead to abuse of sign-up benefits, such as free gifts or coupons, nullifying a portion of genuine marketing efforts. In the financial industry, however, these accounts can be used for a far more nefarious purpose – setting up mule accounts which can be used to accept and move ill-gotten funds.
- Sanctity of customer database
In any business, a healthy and well-established customer database is one of the company’s greatest assets. Fraudulent and bot sign-ups that insert themselves alongside genuine customers muddy the sanctity of such a customer database. This issue is more detrimental to public-listed companies, where investment decisions are based on the health of the business, which includes accurate statistics around customer databases.
- Lead to further exploits
The ability to sign up accounts without proper verification represents a gap within the bank’s security, which can be further exploited to gain deeper-level access. Tactics may range from applying social engineering techniques to support staff members, to mass bot attacks targeting the sign-up process. Exploits do not necessarily have to be security-centric either. Having a fraudulent bank account allows bad players to establish credit scores, apply for loans, purchase high-ticket items and more, all the while under the guise of anonymity.
How Innov8tif manages verification
At Innov8tif, we have developed proprietary solutions aimed at providing verification services in tandem with eKYC processes:
OkayDoc is EMAS eKYC’s document verification API which helps determine if a submitted document is authentic or otherwise. It does so by detecting abnormalities within the document itself, such as landmark placements, font type and size, microprint detection, hologram checks, and more.
OkayLive refers to the facial capture liveness detection feature – ensuring that the selfie captured is taken from a live human being. We utilise passive liveness detection, which does not require users to perform actions such as nodding or turning their heads. It supports a wide user base, including hijab wearers.