Thank you for your interest in Winning More Customers with Multiple Matching.
One of our industry’s challenges is the balance we need to strike between making it easy for customers to access services online and the need to operate in full compliance with industry regulation.
As a long-established player in the identity verification space, GBG is uniquely placed to understand how regulation and technology have evolved in tandem over the last three decades.
We know that multiple data sources are needed to provide confidence of identity but matching technology is where the real expertise lies in order to make sure you get the maximum number of customers on board - compliantly.
This whitepaper will discuss the four core principles that apply to optimising the matching of multiple data sources: configurability, granularity, transparency and triangulation.
The correct application of these principles ensures you achieve the critical balance of full regulatory compliance while onboarding the maximum number of good customers.
I hope you find this guide valuable and that it helps your organisation achieve robust, sustainable and scalable identity verification.
Nick Brown
GBG Group Managing Director
What is Winning More Customers with Multiple Matching?
Winning More Customers with Multiple Matching says true multiple matching compliance can only be achieved successfully by following four core principles:
- Configurability
- Granularity
- Transparency
- Triangulation
This report exists to illustrate the shortcomings of ‘black box’ identity verification solutions and makes the case for true multiple-matching compliance.
What is multiple matching?
When you’re verifying someone’s identity, you’re expected to match multiple pieces of their personal information against multiple independent and trusted data sources.
This was once known as a ‘2+2 check’ - but is increasingly referred to as multiple matching – since regulators encourage layered matching.
Layered matching means employing multiple layers of identity attributes - including location, activity, device, and email - that seamlessly work together to validate a customer.
What is true multiple-matching?
Organisations are encouraged to match against reliable sources of data.
In the UK, we use top-level credit report data and Electoral Register data as the foundations for matching, supported by document, digital, biometric and behavioural data points.
With three credit bureaus and multiple identity providers in the UK, many organisations choose to integrate two data points or solutions in order to increase match rates. However, this can sometimes cause complications.
For example, one supplier might match the first piece of personal information with a mortgage lender via a credit reference agency before matching a second piece of information with that same mortgage lender via a separate credit reference agency.
Or, a supplier may match against one source and accept a match against a different source without having true confidence that they are matching the same identity information.
Without decent granularity and transparency on the decision, you could be completely unaware that you are matching against the same data source in both instances, or matching data with different criteria. This does not represent true multiple matching and can open you up to compliance fines and, increasingly, risk of synthetic identity fraud.
With a lack of clear identity standards in the UK, organisations take a risk-based approach to onboarding identities. For instance, a bank will typically be more cautious while verifying and onboarding a new customer when compared to a mail order retail site.
It is important to marry your risk approach to the sources of data that you are matching against; otherwise the data sources may fall short of what you actually require to satisfy your risk-based approach.
AKA ‘I need a solution that fits my risk-based approach’
Every business is different. So too is every regulator. And, of course, every identity is unique. That’s why true multiple matching has to begin with configurability.
Each organisation has its unique challenges, appetite for risk and approach to regulatory compliance. So, it stands to reason that no out-of-the-box solution can fit every organisation’s needs.
Risk-based approach
Regulators expect you to take a risk-based approach to compliance. The Financial Action Task Force (FATF) is the global money laundering and terrorist financing watchdog. It defines a risk-based approach as follows:
“A risk-based approach means that countries, competent authorities, and banks identify, assess, and understand the money laundering and terrorist financing risk to which they are exposed, and take the appropriate mitigation measures in accordance with the level of risk.”
Attitudes to risk vary between organisations. They may also change within an organisation, depending on the customer and product, or within a single sector, e.g. a high street bank versus a challenger bank.
Businesses need always-on compliance solutions that they can configure to their requirements, that can withstand data supplier outages by defaulting to a backup supplier, and that will grow with the business and the risks it becomes exposed to.
In practical terms this means a multi-bureau solution with the capability to create an unlimited number of risk profiles, to reference as many different data sources as required and to employ an automated execution approach to checks.
Flexibility
GBG’s multi-bureau solution allows you to create an infinite number of risk profiles and supports thousands of possible decision bands. It gives you the flexibility to set what you consider necessary for a pass, whether full or partial, and to dictate the database combinations that qualify as a pass.
Effective configuration means having the option to easily make changes independent of your supplier, and while our expert consultants do work with businesses to convert risk-based approaches into profile configurations, you can also alter your configurations yourself, as and when you see fit, without GBG involvement.
In terms of Politically Exposed Persons (PEPs) and Sanctions, a configurable solution should allow you to define which authorities to check against, what PEP tiers to reference and whether dates of birth and alias matching are necessary.
Not only does robust configurability help you satisfy your risk-based approach and meet your regulatory requirements, it also reduces operational costs by checking only against the relevant and appropriate data sources.
Challenge check-in
Match rates are the key to onboarding more good customers. Our configurable solution allows you to optimise your match rates by making changes to your pass criteria and risk-based approach based on insights from the granular results it returns.
AKA “I need to get the best match rates from the right data”
Granularity sits at the heart of true multiple matching. In order to trust the data you are matching you need to understand the data in detail.
With robust configurability in place to ensure your checks fit your risk-based approach, granularity gives you complete oversight of your decisions to truly understand every pass, fail and refer.
Granularity is all about being able to see and understand the logic that led to a match, and the data upon which it was based. After all, it would be easy for a mortgage lender to increase its match rates by matching against less robust data sources, using less robust techniques, but it wouldn’t necessarily suit the lender’s risk-based approach.
For example, being able to inspect the recency of data (i.e. when it was first and last seen) is granular detail required for both compliance and synthetic fraud prevention.
While some solutions promise dual or multi-point verification, they lack the granularity to ensure true multiple matching compliance.
For instance, they could be unintentionally matching customer information against the same data source twice via two separate credit reference agencies. With a granular solution, this kind of ‘double matching’ can be easily identified and avoided in order to achieve true multiple matching.
Such is the granularity of GBG’s solution that a single check can return one of almost 7,500 unique result codes. Each code represents a specific set of conditions against which the data was or wasn’t matched.
So, while you get a decision that tells you whether or not to onboard a customer, you also see the precise reasons for the decision, allowing you to refine your approach and maximise onboarding without compromising your risk-based approach.
For example, you can review customers who haven’t quite met your criteria for a pass and assess the actions you can take to move them into pass status. This could mean changing your configuration, adding data sources or deploying an alternative customer journey, such as asking for identity documents.
When you couple granular insight with full configurability, it allows you to monitor the appropriateness of matches and make changes where necessary.
Challenge check-in
You need to onboard as many viable customers as you can, which means you need the highest possible match rates. A multi-bureau solution that offers granular results allows you to maximise match rates and customer onboarding with confidence – knowing that no customer has been passed as a result of double matching.
AKA “Regulators want to know how I make every decision”
Transparency is the third core principle of true multiple matching, and is only possible with the robust configurability and granularity outlined in chapters one and two.
The audit trail you get when your solution is configurable and granular is totally transparent, and allows you to prove compliance to regulators and evidence decisions to customers. What’s more, it gives you complete insight into how you can increase onboarding rates without compromising on compliance.
Regulators expect you to take a risk-based approach to compliance and to evidence multiple matches on every decision. A true multiple matching solution will show not only that you carried out your due diligence, but that you did so in a way that demonstrates a considered approach to risk and reflects a comprehensive understanding of the logic behind your decisions.
A true multiple matching solution would allow you, for instance, to generate aggregate reports on decision bands/outcomes for individuals who have passed or failed checks, or have been referred.
Your audit trail should also retain all information on the pieces of personal information that have passed (as described in Chapter 2) so that you can refer back to these details for yourself or an auditor.
It’s also important to have access to a record of any changes made to your configurations by administrators. A true multiple matching solution will give you this level of oversight so that, if any issues arise, you’re able to establish context. It will also help you to ensure any and all changes are made in line with your risk-based approach.
Of course, you should also be able to allocate the appropriate permissions for different users so that not everyone is able to make changes to your configuration.
Black box solutions don’t have comparable levels of configurability and granularity, and so the audit trails they offer are more superficial. Ultimately, they leave you open to challenge from auditors and expose you to synthetic fraud.
Challenge check-in
Regulation becomes more stringent every year, with regulated organisations constantly expected to do more to remain compliant. A transparent solution makes it easier to demonstrate compliance to regulators, and to understand where you need to make changes to remain compliant.
AKA “I need confidence in every decision I make”
The fourth core principle of true multiple matching – triangulation – is about cross-referencing individual data points to ensure the individual you’re verifying is the same person represented by the information they submit.
Fraudsters know that you’re expected to match at least two pieces of personal information against two separate data sources. They also exploit solutions that fail to cross reference those two separate checks.
In those instances, they will use any genuine identity information to pass the two checks. Since the checks don’t talk to one another, it doesn’t matter if the identities the fraudster uses are different or even synthetic – the decision will still be a pass if both checks pass individually and they’ll be able to open an account.
Triangulation cross references these separate checks with the applicant to ensure they all represent the same person, stopping fraudsters in their tracks.
A risk-based approach should recognise the potential for this kind of fraud and take steps to mitigate it, which means a true multiple matching solution must employ the principle of triangulation alongside configurability, granularity and transparency.
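The sketch below is an added illustration of the ‘double matching’ and triangulation checks described above; it is not GBG’s code or API. The `Match` fields, the bureau and contributor names and every sample record are constructed assumptions, and the triangulation rule is simplified to requiring that every attribute a source holds agrees with the applicant.

```python
from dataclasses import dataclass

FIELDS = ("name", "dob", "address")

@dataclass(frozen=True)
class Match:
    bureau: str     # agency that returned the hit (hypothetical names below)
    origin: str     # underlying data contributor behind the bureau's record
    record: dict    # identity attributes that contributor holds

def norm(value):
    return " ".join(str(value).lower().split())

def naive_decision(matches, required=2):
    """Black-box style: count passing checks and nothing else."""
    return "pass" if len(matches) >= required else "refer"

def true_multiple_match(applicant, matches, required=2):
    """Return (decision, reasons), one granular reason per discounted match."""
    reasons, origins = [], set()
    for m in matches:
        # Triangulation: every attribute the source holds must agree with
        # the applicant, not only the attributes that check was asked about.
        conflicts = [f for f in FIELDS
                     if f in m.record and norm(m.record[f]) != norm(applicant[f])]
        if conflicts:
            reasons.append(f"{m.bureau}/{m.origin}: conflict on {', '.join(conflicts)}")
        elif m.origin in origins:
            # Double matching: same contributor reached via a second bureau.
            reasons.append(f"{m.bureau}/{m.origin}: origin already counted")
        else:
            origins.add(m.origin)
    return ("pass" if len(origins) >= required else "refer"), reasons

# Constructed sample data (not real people, bureaus or lenders).
APPLICANT = {"name": "Alex Smith", "dob": "1990-01-01", "address": "1 High St"}
DOUBLE = [Match("BureauA", "LenderX", {"name": "Alex Smith", "address": "1 High St"}),
          Match("BureauB", "LenderX", {"name": "alex smith", "dob": "1990-01-01"})]
SPLIT = [Match("BureauA", "LenderX", {"name": "Alex Smith", "address": "1 High St", "dob": "1975-05-05"}),
         Match("BureauB", "TelcoY", {"name": "Alex Smith", "dob": "1990-01-01", "address": "9 Low Rd"})]
GOOD = [Match("BureauA", "LenderX", {"name": "Alex Smith", "address": "1 High St"}),
        Match("BureauB", "TelcoY", {"name": "Alex Smith", "dob": "1990-01-01"})]

if __name__ == "__main__":
    for label, ms in (("double", DOUBLE), ("split", SPLIT), ("good", GOOD)):
        print(label, naive_decision(ms), true_multiple_match(APPLICANT, ms))
```

The returned reasons double as the per-decision audit detail that the transparency principle calls for.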