The 2017 Equifax breach was one of the worst in history, exposing the personal identifying information (PII) of more than 147.9 million Americans and putting them at risk of identity theft. But the Equifax breach isn't simply the story of a single (albeit massive) company screw-up. The breach was also historic for its potential to transform the practice of Know Your Customer (KYC) and upend fraud practices in financial services as we know them today.
KYC was introduced as part of the 2001 Patriot Act to deter terrorist activity. In short, KYC requires financial institutions to stop illicit activity by knowing who their customers are (the Customer Identification Program, or CIP) and what they do (Customer Due Diligence, or CDD). To comply with the first component, CIP, a bank typically asks the customer for a range of identifying information. By exposing the PII of nearly half of all Americans, Equifax essentially blew up the model for CIP.
That's because most banks and fintech companies rely on driver's license checks and Social Security Number lookups as their primary form of KYC, largely because that information was once thought to be private. The Equifax breach renders these checks useless. That's not to say that knowledge-based authentication offered robust security to begin with: as with many things, private data often isn't as private as we might optimistically think.
In this way, the Equifax breach offers a unique opportunity to improve the practice of KYC and ensure it actually does what it was intended to do.
For now, though, it leaves us with few options. Multifactor authentication, such as phone number validation, is one, but its viability has eroded in the face of frequent carrier account takeovers. So there are many who believe that KYC needs to evolve, and quickly.
Unfortunately, it could take years for financial services to catch up. And because KYC rules are so explicit about what's required under CIP, processes probably won't change until regulators or litigators force them to, leaving an ever-widening gap between what's happening and what the laws intended.
Until then, and from there, actually understanding customers will become more important. That puts more focus on the second component, CDD, which seeks to develop an understanding of users' usual behavior and of the transactions or activity that fall outside it. In other words, banks and fintech companies will need to continue to rely on machine learning techniques that flag and appropriately score risky behavior as part of user behavior analytics-focused security practices.
The Equifax breach did a lot of damage, and it's fair to say it will do more. But one silver lining is that if it prompts an evolution in KYC, financial services has a major opportunity to get ahead of that damage and protect consumers.