verify

2+2 for Global Compliance – Your Expectations are Unreasonable

Due to increasing data requirements and best practices encouraged by various government and financial directives (like the 4th Money Laundering Directive – 4MLD) concerning customer due diligence in the UK and European Union, GDC has had many requests to provide enhanced levels of electronic identity verification combined with Watch List/PEP and Sanctions checks to meet these compliance needs.

While some customers are satisfied to have input-data verified against a single authoritative data source, many others require checks to be verified against multiple authenticated, in-country data sources of varying data types.  This difference between the single and multi-source checks has come to be called 2+2 vs. 1+1 – electronic Identity Verification (eIDV).

The data elements available in the source may vary – for example, below you see two sources described: one Credit and one Government each with three elements to match.

However, the source is typically of a single type, which is not a fit for the new EU compliance regulations (See post on 4MLD).  The types of data source that can be matched for either a 1+1 or 2+2 are:

Picture2

1+1 Identity Verification

GDC’s Worldview platform has been providing 1+1 electronic identity verification since its inception. Customers and partners typically work in the fraud or e-Commerce space mostly with high-volume transactional use cases.  Their goal is to reduce friction in a process (customer onboarding, sales, etc.), increase speed and efficiencies and cut cost.

Picture3

Most of what is gained in a 1+1 is efficiency and cost savings but there are compliance and regulatory rules met with this 1+1 check.  In the example below, we check the input of name, DOB and address against a single credit source and we may receive either of the matches listed in the OR and achieve a pass.

2+2 Identity Verification

By definition, GDC sees a 2+2 request as matching 2 different definitions of input against 2 different data sources.  For GDC to fulfill a 2+2 request, we check to a minimum of 2 different sources.

Thus to accomplish a 2+2 request  GDC is sending to a single request to a data provider which controls multiple unique sources (for example, a single partner with both an Electoral Role sources or a Public Utility source) or to multiple “best available” providers in country with unique data sources.

.

As a rule GDC requires a match based on two input elements verified against two independent data sources. For example, a match could be made on COMPLETE NAME plus DOB in a credit data source (1) and  COMPLETE NAME plus ADDRESS in a government (2) data source.

So Why are Your Expectations Unreasonable?

The rules sound simple enough, so you are probably thinking to yourself, what do you mean we have unreasonable expectations?

Country/Source Coverage

Country and source type are the two most important considerations in assessing potential match rates, across the world, data sources and data privacy regulations vary greatly. What works well in the United States and the United Kingdom does not neccessarily work in France and Poland.
In our many conversations with prospects, customers, and partners, the 2+2 topic immediately moves to:“Our compliance officers require the same levels and inputs for all countries: 2+2 checks with credit and government sources for Countries XYZ and we need a match rate of 70% or higher.”
This approach is not country-specific, and creates a challenge when trying to apply the same mindset to countries around the world.  For example, while matching COMPLETE NAME+ADDRESS and COMPLETE NAME+DOB in the Unites States returns great results, matching both a Credit and Government source in France is not possible. It is, however, likely to produce a 50% or better match rate in Australia, where there are multiple credit and government sources to leverage.

Why is France a challenge? The French data sources are tightly controlled and not available for access – further France does not really have a credit bureau open for query. However, matching COMPLETE NAME and DOB in two different telco sources in France is possible.
What is the take-away? In thinking about data sources, there is a major difference between “unique and from independent sources”vs. “unique and from Credit or Government”. Furthermore, 2+2 may be achievable with COMPLETE NAME and ADDRESS in a “telecom/mobile” source in Spain and a “commercial” source in Spain, but with no credit and very little government data source access. Thus, you cannot expect to use all the same inputs in every country ALL over the world and achieve the same match rate results.

What are the options?

So, looking across the globe there are three elements you can control inside an electronic 2+2 identity verification to improve or optimize match and pass rates for your compliance use cases:
• Improve the quality of the input elements to match
• Tightening or loosening the rules on matching criteria
• Continue to add additional data sources to increase coverage and thus potential match rates

Improve the quality of the input elements to match upon

Data quality is a challenge in most organizations and if you are not able to produce input elements for matching in eIDV requests you will severely impact potential match rates. For example, GDC typically uses address verification, standardization and correction to enhance the quality of input address data and allow for more accurate matching on street/thoroughfare, house number, postal code and locality/city input elements.

Tightening or loosening the rules on matching criteria

After the quality of the input data the next piece that can be considered is the actual definition of a match and a pass. This is a good bit of what has been hinted at in the title around expectations. The most common place we see for making rules less stringent is in name matching. In many countries matching on a given/first name can be a supreme challenge, but many of these same countries will allow for higher match rates on first initial, sur/last name, full address and even date of birth. Matching first initial+last name or even a fuzzy match or distance match in place of the often-mandated exact match will sometimes drastically improve match rates.

Continue to add additional data sources to increase coverage and thus potential match rates

The final piece of the puzzle is the data sources themselves. If you are using two data sources and each cover 35% of the population your best result is 70%, but is more than likely closer to 30%. This does not consider the 2+2 rules that might require an exact match on first and last name when only 1 of the 2 sources has a first/given name available. The GDC approach is to recognize that the best match rates for 2+2 really require as many sources, that do not duplicate, as possible. These sources need to be different but ultimately 6 data sources (telco, government, credit, utility, postal, and consumer) – will produce a higher 2+2 match rate than just 2 of the data sources. Simply put, you are covering more of the adult population and thus have a better chance to match and pass.

To conclude – reasonable expectation to great expectations

When interpreting and crafting the compliance rules, such as for Customer Due Diligence, for your organization be aware and willing to utilize the data sources available within the required country, and country sensibilities and privacy regulations. Each will potentially be different. Be certain to provide the highest quality input data possible and let data quality work for your eIDV efforts not against them. Don’t be limited to 2 data sources in a 2+2 match but leverage as many as possible to get the job done. Lastly, don’t let your compliance rules hand-cuff your success with eIDV in a country – use what is available, how best it can be used to achieve success.