What is Know Your Customer (KYC)?
Know Your Customer (KYC) is a process to verify the identity of a customer/user who is conducting business with financial institutions such as banks, fintechs, credit unions, lenders, and other money transmitters. KYC is how companies assess the risk profile of users before letting them use their products. During KYC, customers have to provide Personally Identifiable Information (PII), which can include their name, date of birth, address, ID card, and biometric verification. KYC happens upon account creation, and then can be triggered again if PII changes or there is unusual account activity. Failure to comply can have serious legal and financial ramifications; over $4B of fines were given out from 2013-2014 for a failure to meet requirements. KYC is also important to reduce identity theft, fraud, and money laundering.
Does this satisfy KYC?
100%. Our system is designed to comply with all requirements of the Patriot Act and the Safe Banking Act. You, as our customer, still own the data of your users, but we simply store it (no different from AWS hosting you in their cloud). You at all times see an audit log of how we verified the identity of each user, and both you and your banking partner can request access to specific PII attributes. Footprint has had conversations with Directors at FinCEN and the top legal minds in the field while building our product.
This seems too good to be true—you handle KYC + PII Vaulting—what’s the catch?
The catch was that you were paying for those services separately before. We aren’t geniuses—it is actually simpler, quicker, and more secure to do both of these in one solution. By virtue of us securely storing data, we verify it. For example, by storing John Doe’s encrypted SSN as credentialed by the Social Security Administration, we are in real-time verifying John Doe’s identity in conjunction with our liveness checks. We think it is silly that in the past, companies had to pay to tokenize/vault this KYC data that was of little use to them. Fraudsters are always changing their approach, but nothing screams static like tokenizing KYC data upon account creation. Our vault with PII is a living mechanism. We constantly update our predictions on people’s identity based on new signals, such as them being good actors in new accounts they create through Footprint. Footprint was built to make it easier to get more good actors in the door.
Other places let me customize KYC. Do you?
We let you customize KYC to a certain extent, but we try to limit it so as not to add too much complexity. We don’t think, though, that KYC should be customized on a toggle of accuracy and friction. There are certain attributes required by law that need to be collected (SSN, DOB), and then attributes that help us better confirm your identity (phone + email, and how long you’ve had each of those). We get all of this data and check it from the best data sources to remove complexity. Truth be told, this is why we think KYC is becoming commoditized, and why our product is built around security/storage of the data, real-time fraud monitoring, and the best developer experience. With that said, we let companies who “onboard” users have a few options as to which data they collect. We also have modular additions, for example letting brokers ask about income, investment appetite, and investment horizons. We don’t sell complexity, we sell results.
Is Internet fraud that big of a problem?
There is $56B of identity theft a year despite enterprises spending $10B on IDV. The problem is only getting worse; an IDology study found a 53% increase in fraud attempts in 2020. Enterprises report 50+% account abandonment when people must go through a ~5 minute document verification. Meanwhile, even large financial institutions with seven-figure budgets say they are still only accurate 98.5% of the time; with 1M+ verifications a year this means they miss 1500 people a year with the cost of a bad actor ranging from $300-$30k. And this accuracy is much lower for growing fintechs with far fewer resources.
We built an in-house solution to store the data, so we really just need help with KYC. Why do we need your vaulting?
This is a common question we get, often because historically these have been seen as different functions performed by separate teams. As such, it may not be immediately clear how risk teams can solve issues for security teams, and vice versa. While in-house solutions for vaulting can be a good starting point, there are many problems with them over time. It is expensive to maintain these structures—whether it be the cost of tools or the opportunity cost of your own team building and maintaining the vaults. Further, even if you build the vault, you will likely still need to pay for tools like BigID and OneTrust to label the fact that you securely stored the PII. Footprint is one of only four companies to have successfully built on Nitro Enclaves, and our specific use of them is now patent-pending. However, even if you adopted the same Nitro Enclaves that Footprint uses and brought advanced encryption to your environments, it would be difficult to generate the zero-trust environment we have built by default within Footprint. For example, some investment apps need to access users’ SSN for trades over $10k, while payroll systems want to see SSN and DOB if a user changes their direct deposit. Our system asks for the reason information is accessed and knows proper baselines across companies. As a result, if one company starts requesting information disproportionately often, we could flag it back to the company and Footprint can simply reject the request for the time being. Footprint’s vaulting system is designed to support least-privilege access from the start. With Footprint, you can restrict sub-components in your applications to only have access to certain user PII attributes (like last 4 of SSN).
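The access model described in this answer (per-component attribute scoping, a stated reason for every read, and rejection once request volume exceeds a baseline) can be sketched as follows. This is an added example, not Footprint's code or API: the names VaultGate, GRANTS and REASONS, the reason strings, the sample record and the single-window counter are all assumptions made for illustration.

```python
from collections import Counter

# Constructed sample record; the SSN is deliberately invalid (area 000).
VAULT = {"user_1": {"ssn": "000-00-1234", "dob": "1990-01-01"}}
# Hypothetical grants: component -> attribute -> permitted view.
GRANTS = {"support_ui": {"ssn": "last4"},
          "payroll": {"ssn": "full", "dob": "full"}}
# Hypothetical reasons accepted for each attribute.
REASONS = {"ssn": {"identity_display", "direct_deposit_change"},
           "dob": {"direct_deposit_change"}}


class VaultGate:
    """Attribute-scoped, reason-bound reads with a per-caller volume baseline."""

    def __init__(self, baseline, tolerance=1.5):
        self.limit = baseline * tolerance   # reads per window before rejecting
        self.reads = Counter()              # granted reads per component
        self.audit = []                     # every decision, allowed or denied

    def read(self, component, user, attr, reason):
        view = GRANTS.get(component, {}).get(attr)
        if view is None:
            decision = "deny:not_granted"
        elif reason not in REASONS.get(attr, set()):
            decision = "deny:bad_reason"
        elif self.reads[component] + 1 > self.limit:
            decision = "deny:over_baseline"  # flag back to the caller's owner
        else:
            self.reads[component] += 1
            decision = "allow:" + view
        self.audit.append((component, user, attr, reason, decision))
        if not decision.startswith("allow"):
            return decision, None
        value = VAULT[user][attr]
        return decision, value[-4:] if view == "last4" else value


def demo():
    gate = VaultGate(baseline=2)            # limit = 3 reads per window
    calls = [("support_ui", "ssn", "identity_display"),
             ("support_ui", "dob", "identity_display"),
             ("payroll", "ssn", "curiosity")]
    calls += [("payroll", "dob", "direct_deposit_change")] * 4
    return [gate.read(c, "user_1", a, r) for c, a, r in calls]
```

Denied reads are written to the audit list as well, so the log shows who asked for what and why, not only what was released.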
We have heard promises of one-click before. Is Footprint only valuable once it truly is one-click?
We think Footprint is the best identity solution on the market even if we never removed the friction of filling out forms. Currently, we are easier to integrate (5 lines of code), more accurate (we get the same data as our competitors, and add to that the only in-market integration to Face ID), and more secure by offloading the risk and storage of PII into our enclaves.