Data privacy and identity verification in the US

As fraud grows in sophistication and the threat of cybercrimes looms large, identity verification is hugely important for businesses in the US. However, the US has a patchwork of state-by-state privacy and biometric data laws with different requirements, which can make things complicated. We'll cover everything you need to know below, including how to stay compliant.

Nicolas Debernardi
October 23, 2024

Like two peas in a pod, advancing technology will always be met with advancing fraud. As digitalization has taken over the world, this has largely been a good thing for payments. But it’s also given rise to sophisticated and frequent identity theft attacks. Now, the accessibility of artificial intelligence (AI) has taken the sophistication of fraud to new heights, with developments such as deepfakes. 

Identity fraud is one of the main components of cybercrimes that are projected to cost the world approximately $9.5 trillion annually by the end of 2024. 

The emergence of new services and embedded finance has transformed the importance of Identity Verification (IDV), placing the service at the heart of a business’s customer onboarding process. 

Businesses face ever-increasing pressure to verify identities seamlessly and accurately, from both regulators and fraudsters. In the United States, regulations come at both federal and state levels, and different states have different rules – making it a tricky landscape to navigate. Not adhering to regulations can come with severe repercussions, such as hefty fines and reputational damage. 

Data privacy in the United States

Until 2018, data privacy in the US was dependent on the sector. Healthcare, financial services, education, and marketing industries all had their independent regulations, but no comprehensive US law existed to protect citizens’ data. 

In 2018, things started to shift with the California Consumer Privacy Act (CCPA) signed into law. When it became effective in January 2020, it was the US’s first comprehensive data privacy law. It gave consumers the right to ask what personal data is being collected about them, reject the sale of their personal data, and request their personal data be deleted, among other things. The law applies across all industries. 

Following the landmark CCPA, numerous other states have followed suit and developed their own privacy laws with similar scopes. 

Best practices for compliance

Verifying identities in the US comes with numerous challenges, not least because of the different requirements across states. Let’s take a look at the best practices for staying compliant.  

A business’s compliance requirements can depend on the riskiness of its sector. If your business is operating in crypto or gambling, your compliance requirements will be higher than a fashion retail business’s, for example.

Stay informed on regulatory changes

As the regulatory and enforcement landscape in the US constantly evolves, you should stay updated on the latest changes. Consider training your team on significant regulatory changes so everyone knows how to adhere to the rules. You won’t be able to stay compliant if you’re not updating your practices to align with new obligations.

Implement transparency

Many state-level data privacy laws stipulate that businesses must notify consumers if they intend to collect their data and, if so, how it will be used. Even in cases where it’s not a requirement, it may help build trust with your customers – nobody wants to feel like the use of their personal data is cloaked in mystery, especially when it comes to sensitive data like biometric information or identity documents.

Processing a consumer’s data for the sole purpose of payment transactions is allowed under most state-level privacy laws. In such use cases, you don’t need to give consumers the choice to opt out. 

It’s worth noting that when verifying a customer’s identity during the Know Your Customer (KYC) process, it’s unnecessary to give users the chance to opt-out. Simply put, if they want to sign up for a business with KYC in place, their identity must be confirmed. Checkout.com’s Identity Verification (IDV) product doesn’t offer opt-outs for this reason. 

Review current processes

European markets such as France are much stricter when it comes to IDV and biometric identification than some states in the US. Slowly, more and more countries are following suit, including the US. 

Industries such as aviation, gaming, and gambling previously had more relaxed standards regarding digital identity, but are now much stricter, too. 

To keep ahead of the times and prevent potential hefty fines from lack of compliance, it’s a good idea to review your current processes. For example, you need to have a solid customer due diligence program in place. It must balance compliance and efficiency, by being able to onboard users in the most secure and simple way. 

Fraud is becoming a lot more advanced with the rise of methods like deepfakes. Until recently, photo verification would have been enough to detect fraud, but now it’s lagging behind – it won’t catch a deepfake. Internal onboarding controls can catch sophisticated fraud attempts, so make sure those processes are in place.

Maybe you need to set up a team dedicated to fraud and risk management to stay on top of compliance and mitigate any fraud-related losses for your business. 

Partner with an IDV provider

With such complex and evolving compliance regulations, fraud techniques, and technology, it can be difficult to keep up. That’s why it’s beneficial to enlist the help of a specialist IDV provider that will do all the hard work for you. They’ll give you the comprehensive cybersecurity infrastructure you need to safeguard against identity fraud. 

Questions to ask yourself when considering which IDV provider to work with include:

  • Does this provider use the most up-to-date technology to fight fraud?
  • Is this provider compliant in all the markets your business operates in and may expand into?
  • Does this provider offer a positive user experience for your customers?

What is Identity Verification (IDV)?

IDV is the process of confirming an individual’s identity to ensure they are who they claim to be. It’s mainly implemented to let users access a service or help businesses mitigate fraud. Identity verification should always be a smooth process to encourage success and not lead to drop-offs. However, this must be balanced with capturing high-quality information to screen out fraudsters and meet regulations.

How can Checkout.com help support your IDV in the US market?

At Checkout.com, we’re committed to helping merchants like you safeguard your business against fraud, optimize revenue, and ensure secure transactions by verifying your customers are who they claim to be. Our Identity Verification (IDV) solution operates around the clock, leveraging a global database of over 3,000 government-issued IDs from 195 countries. 

Our solution follows a reliable, three-step process to confirm authenticity:

  1. Document validation: Ensures the submitted ID is genuine
  2. Liveness check: Verifies the user is a real person
  3. Ownership confirmation: Confirms that the ID belongs to the user presenting it

The system captures video footage of both the front and back of the user’s ID and their face. We use this data to detect whether the document is legitimate or fraudulent, such as a photocopy or digitally altered image. We then compare the user’s face to the photo on the ID to prevent identity theft. 

All results are combined into a verdict of valid or invalid, which businesses can use to take action. Based on your business’s risk policies, you can block access, request additional information, or proceed with confidence. With Checkout.com’s IDV, you’ll have access to powerful tools to manage, analyze, and audit verifications. 

Our IDV solution has been fully customized for the US market to promote compliance and superior document coverage. Our consent management and data storage protocols are designed with US regulations in mind, with tailored workflows for each state’s requirements.

In the US, we support over 350 ID documents, including driver’s licenses, ID cards, passports, passport cards, resident permits, and work permits. We can also add new documents to our database within days if they meet security standards. 

We rigorously test our US verification processes across all states to ensure they meet the same high standards as our European operations, providing a seamless experience for users. 

Live video streaming

Checkout.com’s IDV approach relies on three main components, the first of which is live video streaming. 

A live video allows the analysis of thousands of images while the user is interacting with the system – we take 20 images per second to get the best overall image of the ID and extract the most accurate data. While simple photo capture won’t pick up more advanced forms of fraud such as splicing or a good quality photocopy, video can. It’s also harder for fraudsters to fake video streams than simple photos. 

In addition, photo capture only gives users one opportunity to take the photo. If it’s blurred, the verification will fail, which leads to a negative user experience. 

Artificial intelligence (AI) algorithms

Checkout.com uses AI to analyze the captured video clips in real-time. This is the most reliable technology for detecting fraud. It’s also the most versatile because the algorithms automatically learn and adapt to new fraud patterns as they appear in the world. 

Our team of fraud experts continuously reviews a fraction of the verifications, hunting for creative fraud attempts, and feeding algorithms with precise annotations. They’re working 24/7 and can manually review every verification that comes in to provide an additional layer of security and trust. 

Optimized user flow

Combining live video streaming with AI algorithms creates an intuitive user experience. If a user is having difficulty with the flow, we can notify them live during the process and propose active solutions to help them, reducing friction. The entire process typically takes under three minutes.
