Now more than ever, digital trust is what makes the world go round. Why? Because the pandemic has created a dramatic shift to online everything.
Digital programs have accelerated - what started as strategic plans have become mandates overnight. And on top of this, fraudsters have become increasingly active and innovative.
For Oktane 2021, Onfido and Northern Trust shared their story of how they rebuilt trust online, by anchoring a user’s real identity to their digital presence. You can watch the full recording or read through an abridged version below.
Find out how the Onfido x Okta integration could help you anchor a user’s real identity to their digital presence to unlock effective identity lifecycle management.
Robert Humphrey, Chief Marketing Officer at Onfido, and Dhruvin Shah, Vice President, Security Architect at Northern Trust discuss the strategic imperative of identity and how it helps to balance user experience and security.
Robert: Can you take me through how identity became such a strategic imperative for Northern Trust?
Dhruvin: We’re always trying to improve the experience we deliver for our clients. Digital is a key part of this. Client experience is right at the heart of this and how they feel protected. Ultimately we’re trying to build the entirety of our services around our customers, not around individual products or parts of the business. So identity is a long-term strategy for us. To summarise, we’re trying to unify our three services under the IAM architecture and improve the experience, to enable Northern Trust to move its signature white-glove experience online, and to enhance security across everything.
Robert: That white-glove experience you mentioned, it’s what you’re so famous for. It’s a physical experience, an in-person experience. So there are challenges shifting that to a digital experience. How do you create that same experience digitally - that’s a challenge we see a lot.
Dhruvin: Exactly, and do the challenges we have resonate with Onfido?
Robert: We certainly see it across our customer base, and it’s been re-emphasized and accelerated because of the pandemic. It’s been driven a lot by increased fraud across the pandemic - we’ve seen a 40% increase in document fraud in 2020. Plus a lower level of fraud sophistication, ie. more people are getting into the fraud game. Fraud rates generally increase during a crisis, and with more and more people online, there are just more people to go after.
We’ve also seen a huge rise in customer expectations. This has been growing for a long time, the Apple and Amazon effect, but customers are now expecting more and more good digital services.
As you’re enabling more omnichannel online experiences, how do you see identity playing into that?
Dhruvin: As you mentioned, branches are closed because of the pandemic, and users’ expectations have increased. They want Apple/Amazon-like experiences for everything. They demand all channels to work in conjunction so they can move between devices. They consider mobile and web channels to be one. And it makes sense as different devices are suited for different things. We’re enabling people to authorize themselves via a device, using a selfie. But then using a second device can also increase trust - eg. is that second device where we’d expect it to be. Everything gives us context to create a richer, more secure risk-based model. It’s all designed so that users can complete actions on devices that make the most sense for them, while maintaining security.
Robert: That makes sense - and we see the use of our technology exactly as you are applying it. That is if someone is registering online, when it’s time to take a picture of a doc or selfie, their natural inclination is to pick up a phone. That’s seamless integration between devices. The additional fraud signal that you’re talking about, we’re seeing more and more of. We’re not to block the legitimate users (which 98% are) - but what you’re trying to do is find that 1 or 2% and do it really quickly. In an industry like yours (Financial Services) this digitization has been in the plan for years, but the pandemic has sped everything up. And we’re also seeing digitization in places we wouldn’t expect it. This new way we’re using digital experiences in a contactless world is really interesting.
Dhruvin: That’s true. One of the challenges in delivering an omnichannel experience is maintaining security. Which I know is one of your specialties.
Robert: From our perspective, we’ve seen that fraudsters are getting really good at what they do. At emulating trust. Credit bureaus used to be a big source of data. Unfortunately, those bureaus where our details have been kept have all been hacked. So getting past that data-orientated onboarding is a big deal, because of the lack of trust associated with databases. That’s where biometrics are really effective. Combining that with fraud signals you’ve talked about is where you really begin to see that trust at onboarding.
I’m curious - what changes have you seen and are making in your approach to fraud prevention and detection?
Dhruvin: As you say, data breaches have increased, and fraud has increased year on year. There was a report released last year by Atlas Web which looked at the average cost of PII on the dark web. SSNs are being sold for as little as $4, often bundled with names, driver’s licenses, email addresses - a lot of info to start committing impersonation fraud. One of the ways we’re trying to address this is, is to no longer check for static data.
This data is easily accessible and it’s not a good indicator of trust. To secure against this we’ve been looking at using other known info such as identity proofing and selfie check. Plus we’ve integrated more ongoing risk signals - device fingerprinting, geo location. Users now do more outside the network than inside, on the public cloud as opposed to tied to a device. So identity has become the new parameter. Identity has become the lynchpin for security. It needs to account for online fraud detection, user authentication, compliance etc.
Robert: Those are great points, and what a challenge it is, as 98-99% are good users that we want to provide a white-glove experience for. What we’re both trying to do is provide fraud detection that goes unseen by 99% of users but catches the 1-2%.
We’ve spoken a lot about fraud, and even though we’re injecting friction into the system, how we’re trying to make it feel as frictionless as possible. Let’s shift to operating efficiencies.
What operating efficiencies do you see associated with some of the technology?
Dhruvin: Operating efficiencies go hand in hand. We want to provide optimized, frictionless experiences - for example, password resets. One of the most frequent high-risk account actions. Previously users would have to call in to reset. But with solutions like Okta and Onfido a user can prove their account ownership using secure self-service options such as facial biometrics. They no longer have to spend 10 minutes on the phone - they can recover passwords, unlock accounts using a selfie and valid document within 2-3 minutes from their own phone, which is a much better experience. And it also equates to major operating efficiencies.
Robert: Absolutely. A Gartner report recently found that 30-40% of all IT helpdesk calls are for password resets. Bearing in mind the helpdesks are there to support with all other kinds of queries like application support. 78% of us reset a password in the last 90 days. The same report showed that the average cost of that call to a helpdesk to reset passwords is $70. The return for solutions like Okta where you can do a self-service password reset, or like Onfido where you’re using your face to reset password - the operating efficiency starts making a lot of savings.
So what other things in Northern Trust looking at, what other technologies do you see yourselves using?
Dhruvin: Blockchain is one of the key initiatives we’re looking into. With these initiatives we’re making investment opportunities available to new classes of investors, opening markets that were previously in non-public domains. We’re constantly looking to new fraud detection and new response technologies. These new markets pose risks, and as you know fraud is in an arms race, it always gets smarter, so we’ve got to be moving as well. Adopting new technologies is a way to keep us ahead of fraudsters. What about Onfido?
Robert: It’s a similar story for us. Today we’re very focused on document and biometric fraud detection. But in the future, there’s going to be other technology as well. We’re essentially in competition with the fraudsters. We’ve got lots of exciting stuff coming to continue and enhance our fraud detection.
To finish, would you mind summarizing your key challenges and any tips on how to manage them?
Dhruvin: To keep up with the moving world and to keep up with cloud initiatives and rising expectations from the users - identity is becoming more key to bridging the gap between user expectations and security. A process which before would take weeks now takes minutes - but still maintains proper security checks and compliance and regulation needs. Users can self serve on all their devices while keeping them secure. Traditionally there’s been a tug of war between security and experience, but with a combination of Onfido and Okta we can get the best of both worlds. It’s now more than a back-office process. It’s a strategic imperative for us.