
KYC: How to Avoid Fraud in Fintech App


11 min read

How do you prevent fraud in a company? Nowadays, people can run the world via their mobile phones. We can communicate with friends, perform task management, perform financial operations, order or buy things, etc. Nearly every aspect of our lives is becoming easier and more convenient, but fraud is becoming harder to detect.

From this perspective, the unstoppable growth of the digital banking system inspires me the most. People are ready to give financial institutions or branchless banks their money without visiting the official branch. Such organizations are called challenger banks in the UK. On the other side, banks are ready to open an account for a person they have never seen before. The risk from both sides is enormous. However, billions of customers use the services of neo-banks and trust them with their funds, so banks should use fraud prevention and detection systems.

By the way, not only the banking sector is undergoing the digitalization of its products. Investment, insurance, credit, and loan/leasing companies are optimizing the process of registration and execution of their services for their users too.

A few years ago, I wasn’t even thinking about the virtualization of the banking system. Almost two years ago, we started to work on a new product in the UK financial institution – Dozens. We created this fintech application from scratch. The name of our company is DashDevs. We are an outsourcing company that was completely involved in product development. We are a fintech consulting organization with a deep understanding of the technical background. From our side, we dove deeply into the selection and communication process with the vendors. We needed to think about a lot of stuff, for instance, ways to detect fraud.

My position on this project is product owner. However, when this project started, I needed to gain experience in fintech or regtech. It was a little bit hard and unusual for me because I couldn’t find any systematized information about fintech from the product perspective. However, I’ve received a lot of insights based on my own experience. At this point in my life, I’ve already cooperated with a few fintech companies and gained a lot of useful knowledge, and being a product owner myself, I decided to write several articles specifically for future and current fintech product owners.

How does fraud detection work? This article is dedicated to the very first step of account creation – The Know Your Customer/Consumer (KYC) procedure. This is the most crucial step because you need to prevent fraudulent activities from taking place during the account creation process. It is important not only for an anti-fraud fintech but also for any financial institution.

What are KYC and AML

First of all, we need to clear up two different terms that are usually used together:

  1. Know Your Customer/Consumer (KYC) is the procedure of a business verifying the identity of its clients. During this process, financial institutions assess the potential risks of criminal intentions for the business relationship. During this step, we need to block anyone identified as a politically exposed person (PEP), sanctioned people, cyber criminals, and fraudsters. In effect, this is fintech fraud detection. With PEPs, everything is complicated because we need to consider not only a person who performs an entrusted public function or holds a public office, but also anyone closely tied to that person.
  2. Anti-Money Laundering (AML) fights against money laundering that is used in illegal arms and drug trafficking, financing of terrorists, and the proliferation of weapons of mass destruction. There are lists of people who have been proven to be connected to the activity described above. That’s why, during the registration process, you need to eliminate the possibility of registration of such bad actors. Many government regulations require financial institutions to establish such checks and fintech fraud prevention procedures. In order to do this, they need to screen all people and businesses who try to open an account. Financial organizations have to monitor transactions, identify suspicious activity, and notify the authorities when suspicious transactions occur.

How the KYC works

How do you detect fraud? Fraudsters will attack every newly launched financial institution. This is because such institutions usually have some holes in the registration process that allow criminally minded individuals to create accounts and perform illegal activities. There is a list of preventative measures that you can take to identify the person who is applying for the services of the bank that you are working with/for.

Possible checks of KYC:

  1. An Identity check uses the photo of a real document to avoid fintech fraud: it recognizes the data on the document and checks that the document is authentic and that it belongs to the user. This step requires using artificial intelligence (AI), machine learning (ML), computer vision, Optical Character Recognition (OCR), and Natural Language Processing (NLP).
  2. A Liveness check is another way to prove the identity and support the fraud strategy. There can be a few ways to authenticate this step: photo, video, and/or live-streaming. A photo liveness check requires the user to submit a selfie. There can be additional requirements, such as holding a piece of paper in their hand with the current date written on it. A video liveness check asks the user to record a live video for anti-fraud detection. During this process, the end-user needs to perform some random actions: say a custom phrase, move his/her head from side to side, move their eyes, and so on. The basic requirements are being in a quiet place, having good lighting, and being the only person in the video. A live-streaming check is the most expensive form of user authentication for a business and is sometimes the most inconvenient for the user, but it is the best fraud prevention solution. During some steps of the registration, the software application asks the user to give access to the camera. A bank employee makes a video call to the user via the banking application. Bank officers ask basic questions to prove that the person really is the individual that they are claiming to be. Usually, people don’t expect such a video call, and they are not prepared.
  3. Address proof helps confirm that the user lives at the address he/she stated, and it is often used by fraud detection fintechs. Primarily, the user needs to send some actual bills (telephone/utility bill). Usually, this kind of check is used as an additional verification step. By the way, some financial institutions have a particular requirement for commercial addresses: they don’t allow users to use such addresses.

What should be checked by KYC

I think the first question you may ask yourself is, what is the best option for my business, and why is fraud prevention so important? I prepared a list of items that may help you define what checks are necessary:

  1. What documents are you going to accept? Basically, you need to understand the goal of the user identification process and choose the most appropriate list. Sometimes the regulatory system of the market within which your product is located will give you guidance (e.g. Passport, Driving License or National ID only).
  2. What is critical to check? All products require submitted documents to be verified and authenticated. You definitely need anti-fraud measures to check that the person has not been sanctioned, is not a PEP (Politically Exposed Person), and is not on any cyber-crime lists.
  3. What countries do you plan to operate in? This question is critical for the Product vision and the selection of the provider. Every jurisdiction has different requirements and particular lists of documents that need to be submitted.
  4. Do you want to be able to change different settings for the identity check in different countries? This feature is used in many financial institutions that work with different markets. For example, for some countries they configure only an identity check and a photo check for customer fraud detection. But for the high-risk countries, they set up video liveness checks and proof of address.
  5. What are the non-functional requirements for the check? One of the most usual KYC requirements is to check the position of the device at the moment of verification. It can help you detect if someone tries to impersonate real users.
  6. Is the product going to work only with individual users? The processes of KYC and KYB (Know Your Business) are different. One service provider can design a fraud detection system for a bank that works only with KYC, and another one only with KYB.
  7. Are you going to have only mobile solutions, or are you going to have web apps for the product with the same stack of functionality? You need to remember that not all PCs/laptops have a webcam (or a good webcam) for liveness checks, and the user can’t easily change their position. From another perspective, some KYC providers have only a mobile SDK that can’t be used for web applications.

How to choose the KYC vendor

After you define what checks need to be done and have your fraud detection strategy, you need to create wireframes of the KYC flow in your software application. I don’t suggest starting with the full design because the KYC service provider will have a significant impact on your vision of the best user flow. We had a lot of issues with some of our providers along the way. Another big architectural problem that arises when working with several KYC and fraud-prevention vendors for one product is that you need to sync them on your platform. I have prepared a few questions for your KYC provider that can help you avoid unexpected surprises:

  1. What documents are you working with? You may find out that the vendor accepts only a few options.
  2. How does the provider check the identity of the user? You need to understand what processes exist under the hood to evaluate the results of the provider. There are three basic options: checking holograms, checking checksums on the documents, or checking in government databases. The last one is more expensive for the provider but more precise at catching fraud in fintech.
  3. What countries is the KYC vendor working in? Each country is an additional data source for the vendor.
  4. Does the provider do KYC and AML using their own resources, or do they have partners? You may be faced with a situation where you are working with a vendor company which does nothing by itself. They are using the resources of another vendor. It may increase the cost of fraud prevention and detection strategies for you.
  5. Do they have an SDK for mobiles? SDK stands for software development kit. They can be native for iOS/Android or hybrid for React Native, Cordova, and Xamarin. It is a small application inside of your fintech application with some predefined flow. Some SDKs can have integrated OCR and a check for photo quality. These additional features validate a user’s photo before sending it off for the main check. It improves the user experience and helps the user pass the identity verification process on the first attempt. Overall, if your provider has an SDK, ask more about all the functionality it has.
  6. What can be customized in the SDK? It is better to know the answer to this question before you start to create the final design. You may be really disappointed when realizing that nothing can be changed in the SDK. However, nowadays, KYC vendors have begun allowing some small changes that make the application look consistent. For example, customization of the background colors, color/size of the buttons, and text labels can be applied. Pay additional attention to the provider advertisement. You may have a “Powered by …” label in your app.
  7. Does the provider have an API for mobile and web applications? In some cases, the requirements for verification can’t be accomplished with an SDK. API stands for Application Programming Interface. The API allows you to send requests to the vendor for verification according to your preferred user flow, rather than the flow built into the SDK.
  8. Can the API and the SDK of the same vendor be used together for the mobile application? This is another tricky question for the KYC provider. You may receive a NO. Then you’ll need to choose one or the other.
  9. What are the supported devices for an SDK? Depending on the country you are going to work with, the list of the most popular (the most used by your target audience) devices can differ. You need to check that the SDK has no limitations for the list of devices.
  10. How many development environments does your vendor have? Usually, it is better to have at least two: a test environment and a production environment. A lot of providers have only one environment - production. It means that you are paying for every test check of your QA team. Believe me. Sometimes they can be really active.
  11. Does the vendor have full SDK and API documentation of a production environment? If you want to have a smooth fintech software development process, it is better to give them full documentation. Some of the requirements might not be so obvious for the developers, and it will make their heads spin.
  12. What are the possible responses from the KYC vendor for the check? Sometimes we have to explain why fraud detection is important. The most common approach is to have a few kinds of answers like – Positive, Negative, False Positive, and False Negative. However, some providers may give you a Yes/No answer. By the way, it would be great if your provider could send you the reason for the failure in the server-side response too.
  13. Can we change the fuzziness levels for the verification checks? Fuzziness is a coefficient that is used for comparison of the names. It may be from 0 to 1. Basically, this level defines if Alexander and Aleksandr are the same names.

If you select the vendors for both KYC and AML processes, and you think that your headache is over, then you are in for a bit of a surprise. If you are using a few providers, you need to synchronize their fraud prevention measures. There must be some sequence of checks. However, this is not the most painful. Now you need to think about your compliance and support teams.

They need to have a dashboard where they can see the results of all KYC checks. As a consequence, they need to be able to:

  • contact the user and ask for additional information,
  • upload additional documents,
  • restart KYC checks,
  • block the user,
  • and so on.

Conclusions

Fraudsters are tricky. They are always trying to gain access to your system from different sides and trick your fraud prevention methods. They use different phone numbers, emails, documents, name spellings, and so on. So, you need to have an additional check that verifies if the user who is trying to register has not been already blocked in your system.
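The name-fuzziness coefficient from the vendor questions above and the "already blocked?" check from this conclusion can be shown together. The following is an added example, not code from the post or from DashDevs: it normalizes email and phone number, scores names on a 0-to-1 similarity scale, and reports which attribute of an applicant collides with a constructed, fictional blocklist. The normalization rules (dropping a "+tag" from the email local part, dropping a leading "00" dialling prefix, ASCII letters only in names) are simplifying assumptions.

```python
import re
from dataclasses import dataclass
from typing import Iterable, Optional


@dataclass(frozen=True)
class Applicant:
    name: str
    email: str
    phone: str


def normalize_name(name: str) -> str:
    # Lower-case ASCII letters only (assumed simplification), so spacing and hyphens do not matter.
    return re.sub(r"[^a-z]", "", name.lower())


def normalize_email(email: str) -> str:
    # Lower-case and drop a "+tag" suffix from the local part (assumed convention).
    local, _, domain = email.strip().lower().partition("@")
    return f"{local.split('+')[0]}@{domain}"


def normalize_phone(phone: str) -> str:
    # Digits only; a leading "00" international prefix is dropped (assumed simplification).
    digits = re.sub(r"\D", "", phone)
    return digits[2:] if digits.startswith("00") else digits


def levenshtein(a: str, b: str) -> int:
    # Classic edit distance with a rolling row.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def name_similarity(a: str, b: str) -> float:
    # 1.0 means identical, 0.0 means nothing in common: the fuzziness scale from the post.
    na, nb = normalize_name(a), normalize_name(b)
    longest = max(len(na), len(nb))
    return 1.0 if longest == 0 else 1.0 - levenshtein(na, nb) / longest


def find_blocked_match(applicant: Applicant, blocked: Iterable[Applicant], fuzziness: float = 0.8) -> Optional[str]:
    # Returns the first attribute that collides with a blocked record, or None when the applicant is clean.
    for entry in blocked:
        if normalize_email(applicant.email) == normalize_email(entry.email):
            return "email"
        if normalize_phone(applicant.phone) == normalize_phone(entry.phone):
            return "phone"
        if name_similarity(applicant.name, entry.name) >= fuzziness:
            return "name"
    return None


# Constructed sample blocklist (fictional data).
BLOCKED = [Applicant("Alexander Petrov", "alex.petrov@example.com", "+44 7700 900123")]
```

With fuzziness 0.7 the applicant "Aleksandr Petrov" is flagged against the blocked "Alexander Petrov" (similarity 0.8); with fuzziness 0.9 the same applicant passes, which is exactly the trade-off a compliance team tunes.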

KYC and AML services are just the beginning of your journey into the exciting world of Fintech. I hope this article can help you secure your fintech application from fraud and cybercriminals.

FAQ

What is fintech KYC?

One of the most important regulatory and compliance considerations in fintech product development is Know Your Customer (KYC), a measure for fraud and financial crime prevention.

How do I protect my KYC?

Acquiring a more educated consumer base is crucial in the fight against online KYC fraud. When making purchases online, consumers should exercise caution since their personal information might be misused. Never give out your credit card information, CVV, one-time password, or ATM PIN/TAN to anybody. Providing this kind of information to a bank is voluntary, and one should be aware of this.

What are the key elements of KYC?

Banks should include the following four components in their Know Your Customer policies: Customer Acceptance Policy, Customer Identification Procedures, Transaction Monitoring, and Risk Management.
