Customer Due Diligence - You've got a false positive, now what?
Frictionless Checkout, Frictionless KYC, Frictionless Returns - We hear the word "frictionless" used a lot these days. It’s no surprise given customers propensity to switch stores because of even the slightest hiccup, leaving businesses fearful of implementing any safeguard which could get in the way of the overall customer experience. Let’s imagine an example where you walk past a door sensor at a shoe store and the alarm starts beeping wildly. You look around, confused, wondering what’s going on. You know you haven’t stolen anything, but at this point, the store staff don’t. A security guard calls out to you, asking politely if you would come over and empty your pockets. After realising that there’s nothing amiss, and how just entering the store you couldn't possibly have something stolen on your person, you’re waved off on your way. Slightly rattled by the entire experience. A combination of negative emotions you'd rather not unpack drives you online to look for your next pair of sneakers instead - you won't be back, and the shoe store has just lost a sale. The fact that it wasn’t an actual theft didn’t matter. The door sensors were just doing what they were designed to do, “beep if it detected something”. The sensors are part of a larger security system which includes CCTV cameras, security guards, sales staff, and all the standard operating procedures of what to do in the event any one of these layers of security spot something deemed suspicious.
Enter the false positive
A false positive can be explained simply as "a wrong decision"; an outcome of any test which indicates the subject has a condition that the tester was looking for when they actually do not. We often hear the term used in the medical field, but it exists in all scenarios where a business may be screening for something - financial crime, fraud, security, etc. In the shoe store example earlier, it was simply because the sensor detected something it thought was one of those anti-theft tags. It could have gone off for any number of legitimate reasons - perhaps the customer was wearing clothing that hadn’t had its tag taken off from when it was originally purchased at a different store, or the door sensor could have been malfunctioning, or perhaps a random prankster had tossed a $2 pair of socks with a security tag across the sensor just as the customer was walking past.
If it’s damaging my sales - why should I even bother screening?
Sometimes as a business you don’t have a lot of options. It can be irresponsible or sometimes illegal to skip screening procedures, like when opening a new bank account. It would certainly be far more profitable for the bank to just skip asking for documents and just get the transaction over with. But imagine how much trouble that could cause down the road? Envision your business had a process so frictionless that, without intending to be, you accidentally became known as "the company of choice for scammers or money laundering”, without knowing it you would soon have two bad actors for every five active users in your system. At first, it wouldn’t matter, profit margins would be healthy and you would have fantastic headline numbers. Fast forward three years - you’re now in the middle of a disaster, struggling to keep up with the barrage of weekly information requests from the authorities, an avalanche of non-compliance fines, and a flurry of social media fires to put out. This is life for many a doomed startup, their story over before it ever truly began. As you can see, false positives are the bane of the customer due diligence process, let's take a moment to walk through some of the ways a KYC team can deal with.
Start comparing multiple data points
In today’s data-rich environment, a business rarely has to rely on a single parameter when screening. If you were signing up a user for a new e-Wallet, you’d probably be able to get most of their personal information from their identification document. This becomes important because if you were screening for criminals or terrorists, there’s a significant difference between John Smith (aged 43, born in Los Angeles) and John Smith (aged 18, born in Kuala Lumpur). If you were on the lookout for a middle-aged person, originally from the western hemisphere, the last thing you would want to do is to stop college-going John Smith, from signing up. It would be a waste of time and effort for everyone involved. Remember, when conducting due diligence, ensure that you maximise the number of data points available to reduce false positives. At the bare minimum full legal name, date-of-birth, and nationality should be considered. This could be expanded to include as many independently verifiable data sources as your systems can handle.
Collect as much unstructured data as possible
Sometimes information that is easy to obtain isn’t the type that is easy for automated processing to deal with. Examples include online profile information, social media activity, photographs and scans of documents. These are the kinds of data points which are simple enough for a user to allow a business access to. It's vital to not discard this type of information or fail to give your KYC teams access to it. It would allow your team of analysts to quickly dismiss a false positive without needing to reach out to the user and inconvenience them further. An example would be photos from credible news websites where the person-of-interest's face can clearly be seen. A KYC analyst could quickly determine this through a manual review and make a quick decision whether or not this person’s application should be rejected or processed further. There is of course a privacy and data angle that must be considered when collecting such information about a user. But “How much is too much?” is a complex topic that deserves an article of its own.
Ensure your team knows how to dismiss nonsensical cases
When conducting due diligence, you will often come across screening results that make very little sense. Your teams must be empowered to make decisions regarding what types of alerts are unnecessary or uneconomic to pursue. For example, if Jane Doe’s name was highlighted in your system because her name was also a fictional criminal on a TV series (and not the name of an actual criminal off the FBI/Interpol list), would you really want your team wasting time trying to ascertain if a very real person named Jane Doe who just signed up for your subscription service is a fictional character? How do you ensure that everyone interprets “nonsense” the same way? This is a question of common sense, and how it may not be so common after all. This stems from different life experiences giving different worldviews to people and even artificial intelligence systems. Is always important to properly document your decision-trees and standards used during reviews to make sure everyone is on the same page. This may seem pedantic and risk having very long process manuals, but you'll thank yourself later for it.
Okay, I'm convinced. What do I do next?
Start building a screening process that ensures you're protecting your business from dealing with the wrong kinds of customers. If you’re not sure how to proceed, Dicorm can help you figure out what obligations you have and if your business has any real risk at all. We’ll get you set up with the best systems and processes possible to ensure you don’t slow down your KYC pipeline while keeping you in check with the latest compliance requirements. Contact us today for a no-obligation chat about your screening and monitoring setup.