Soldo interviewed Husayn Kassai, Co-Founder of Onfido.
We live in a strange world in terms of security. There’s a paradox that we all care about security: we’re up in arms when companies lose our data, but we really want to minimize the effort that we have to put in?
Security is broken and getting worse from our perspective. When I and my two co-founders researched this seven years ago, when we first started the company, we were surprised at the statistics. The UN estimates that up to 5% of the world’s GDP is laundered money. That is up to $2 trillion worth. And it is used in human trafficking, drug trafficking and terrorist financing.
The common denominator across the many different types of fraud is that the individual would commit identity fraud, but not get caught. And of the laundered funds, less than 1% is recovered by authorities. So 99% of it goes through successfully, which is a terrible statistic and a shameful one for anyone in the security industry.
The first pillar of our business is to make it easy for the honest 98% of people to easily access services while allowing companies to meet their legal obligations. The core of any business, especially if it’s a financial services business, is that they legally have to ensure that you are who you claim to be. Traditionally, that has been achieved using credit bureaux like Experian or Equifax. But a bad actor can easily steal a copy of key documents or buy your date of birth, name and address on the Dark Web. So our approach of using Government IDs and facial biometrics is geared towards ensuring that proving identity is done in a more secure way.
Secondly, there’s a financial component to those companies losing money—or reputation—thanks to bad actors. So the optimized state is for businesses to give access to as many people as possible to their services while locking out the bad actors—it’s two sides of the same coin.
How does Onfido’s machine learning achieve both at the same time?
Every time we see a Government ID and a facial biometric, our machine learning models are progressively getting trained automatically to understand what good looks like and what a fake looks like. And as we get better at detecting the 2% that are fake, so we can more confidently identify the 98% that are actually genuine.
That may seem obvious, but if you don’t have clear signals as to who the bad actors are, then often legitimate people are blocked from accessing services altogether. If you consider the unbanked and underbanked, or businesses without a strong trading history, people who don’t have rich financial records and who are therefore not on credit bureau listings; historically the financial services industry in particular was not able to extend services to them. There are swathes of communities—emerging markets served by pocket banks, for example, who can now be verified and gain access to services because we can improve our understanding of what a bad actor looks like.
Thinking about the way credit reference agencies work, they have started to interrogate much broader sources of data, and that’s working well. What sort of criteria do you use to feed the machine learning algorithm for an unbanked person?
The credit bureaus are aggregating data, which means their method is database driven. They constantly seek to add more data to their databases and create connections between those datasets. It could be social media activity or third party data like insurance information, for example.
We have no reliance on centralized databases whatsoever. If an unbanked person has a photographic Government ID and access to a phone with a camera, then we are able to verify them.
Around 2 billion people are bureau backed; but around half the world’s population are underbanked, unbanked, and not on any bureau’s listings. We can help them prove their own identities and do so more securely. There’s no longer a trade-off between lack of documentation and gaining access because nothing we do is database driven. It’s machine learning applied only to government-backed ID documents and facial biometrics.
It’s great that you can facilitate access for the underbanked, but what about other people? The challenge here is that people have a very low tolerance to barriers for onboarding. Do you have a quantifiable idea of how much better take up is on financial services when you can remove a few seconds off that painful hurdle of the onboarding experience?
Sure. Three quarters of the checks that we provide today are for people who are already banked. Traditionally, a mainstream, high street bank experiences a 40% drop-off. It takes hours for you to open an account there. An online bank can see as little as a 15% drop off, with a 25% uplift in the number of people that are successfully onboarded, while being able to target a five-minute process overall. For the consumer, it will be a matter of 30 seconds actual activity, but including back-office processes, the gold standard for fintechs is really that five-minute mark.
That’s very much the value proposition of our business right now: consumers can verify their ID from the comfort of their own home, you don’t have to go and see someone face-to-face in a bank branch or take your paper utility bills. This is very much at the heart of the first wave of fintech innovation; focusing on UX-centred improvements. The second wave of fintech innovation is the bottom of the pyramid we discussed earlier: servicing the underbanked and unbanked who historically have not had the opportunity to access services at all.
Let’s talk about security for fintech entrepreneurs. You provide a thin layer service in the broader security ecosystem. It seems that it’s getting ever harder for entrepreneurs and technologists to understand security in our piecemeal world. What does great security looks like for somebody, say, building a bank from scratch?
There are broadly three categories that someone would need to consider if they are setting up a fintech company in particular:
First is our piece of the puzzle: user onboarding enrolments of the customer’s identity, which is a legal requirement.
The second are watchlist searches of databases like the United Nations sanctions list and OFAC and other lists like the HM Treasury’s list in the UK, for instance. Again, it is a legal requirement to search these databases to ensure the person is not on one of these sanction lists. We have partners for this such as ComplyAdvantage who do a very good job. The problem is, if I’m a bad actor and I know I’m on a sanctions list, the first thing I’m going to do is provide a fake ID or try to cheat the system by pretending to be someone else in order not to get caught out.
Third is behavioral fraud prevention. Again, we work with all leading partners such as iovation. It’s their job to monitor your transactions, so if you’re on holiday and there’s a suspicion that you may be someone else, those tools will give a bank those risk indicators. Even then, Onfido is increasingly being used by fintechs as a double check, maybe to ask the person to take out their phone and take another photo of their face to confirm that they are still the account holder, as opposed to blocking your credit card while you’re on holiday and have you call a call centre.
What does the future look like for ID management? I sense that lots of us use passwords which are proven to be horribly outdated and generally insecure.
In our view, version one of our digital world was the centralised credit bureau model. We have taken things to phase two, which is government identification biometrics: more secure and giving access to more people. The third phase, which we’re working towards now, is consumer-driven identity. We envision everyone in the world being part of essentially a portable identity ecosystem, where the consumer ultimately owns or controls their legal identity. They are then able to provision access to any business or organisation they choose. Fully private, fully controlled by the consumer and even more secure.
Recently, an argument was presented in the press against What Three Words, the geo-positioning service, that they provide life-critical positioning to, for example emergency services; but they are a private and profit-making organisation. Does that not apply to Onfido as well? Are people going to feel comfortable giving a business custodianship over their digital identity?
You’re completely right that this is an issue. So what we are doing is twofold. One, we wouldn’t be the custodian. For those who want to participate, we work with partners to help consumers store their identity credentials in whichever way they choose. We don’t store the data and we don’t have access to any of it. Only the consumer does, and only the consumer using their biometrics would be able to unlock it and grant access to others.
The second component is that parts of the system will be open source, so that others are able to come and play their role as well. If, one day, we were to become complacent and cease to be the most effective partner, then others should be able to take our place.
The longer term point is that security is, unfortunately, not going to get better. The big concern that I and others have is that the big tech giants have far too much control over us. And that’s because they can profile us online, and therefore they have all the power. But if you are able to have control and ownership over your legal identity, then ultimately you can become invisible online in the sense that you don’t need to prove yourself. You don’t need to share your name, date of birth and everything else with the service providers—you can just give them proof that you’re over 18, for instance, or that you have been verified. That will hopefully create much more of a level playing field online so that businesses can know you, trust you and extend their services to you, but only know what they need to know. That way, we can redress the disparity of the amount of data usage that is increasingly dominated by the tech giants today.
Read our research whitepaper, Digital by Default, to learn more about how customers feel about digital verification and access.