Article

5 risk management considerations for identity verification

A risk management framework for IT managers when selecting an identity verification service provider

Managing cyber risks and vulnerabilities is central not only to the success of individual crypto businesses but also to sustaining the digital economy as a whole. The Mt. Gox scandal of 2014, which resulted in a loss of 850,000 bitcoins, highlighted the absolute necessity for increased security within the industry. Seven years later, cybercrime is still a major issue, with 32 cases of hacks and frauds causing $2.99 billion in losses just this year. How you bake security throughout your platform to mitigate risks will directly impact your company’s future growth potential.

Developing an effective response to financial cyber crimes calls for collaboration. A siloed approach to cyber risk management thinks of cybersecurity as a wall to be added to a product that has already been built. Security is not just hardened infrastrcture to resist penetration, but also designing resilient architecture and processes. Instead of competing with other departments for resource allocation within your company, you can reframe the issue of cyber risk as an enterprise-wide challenge. By working with product managers, UX designers and CX experts, risk management teams can devise sustainable security solutions while also adding value to their companies. KYC compliance is just one example of how an IT risk manager can introduce better security practices through a feature that product teams are already working on.infrastructure

How identity verification has evolved

Early identity verification solutions were tailored to address KYC use cases in the traditional financial system, namely for customer onboarding. Companies were responsible for assembling their own solutions stack for compliance using point solutions for specific tasks such as verifying ID documents and conducting database checks. This created complicated integration challenges.

Identity verification and KYC solutions have, however, evolved since then. In contrast to the point solution approach, the new generation of identity verification platforms, such as Passbase, have designed solutions that integrate seamlessly into services for the digital economy. Identity verification is no longer simply collecting documentation to adhere to KYC regulatory requirements; it is now seen as a way to build safety and trust between users and businesses.

How identity verification solutions also support security with KYC

Modern IDV service providers offer businesses a comprehensive and secure platform approach to identity verification. This means:

  • Teams now have access to free trials and live testing
  • Companies can customize multiple identity verification workflows
  • Customers get better in-app identity verification experience
  • Compounding effects after a first identity verification when customers can use biometrics to authenticate logins and transactions
  • Teams can check have a single source of truth to review verifications and trigger new checks

Modern identity verification solutions like Passbase focus on ensuring your customer is who they say they are at critical touchpoints. Unlike prior generations of solutions, such as Single Sign On with social media platforms, identity verification solutions can remain privacy-focused without a conflict of interest in handling sensitive customer information. For example, Passbase is not privy to a customer’s activity on your platform. This privacy-centric approach to handling digital identity helps to reduce the impact of a security breach while also respecting the personal data of users.

Creating a KYC solutions vendor risk management framework

IDV services handle extremely sensitive data: your customer’s PII (personally identifiable information). While such services have traditionally been the domain of compliance teams, digitalization make it necessary to reevaluate them through a cybersecurity lens. It’s important to make sure that an IDV provider’s security posture aligns with your company’s and your customers’ expectations of responsible data management. Here are five things to consider when creating an IDV vendor risk management framework:

1. Map out your risks

Identify and assess the risks of taking on a third party. Ask yourself: What data are you giving to this company? Which systems do you have in place to deal with the potential risks of sharing this data?

2. Understand compliance risk

Determine which compliance requirements need to be met (for example, GDPR or CCPA compliance) and ask if they have a PII compliance procedure in place.

3. Learn from the best

Familiarize yourself with third-party risk management frameworks that have benchmarks, policies, and standards, such as ISO27001 and SOC 2 Type II. Ask potential providers about their risk management frameworks and which certifications they have. Providers that can engage in complex discussions about security considerations will be able to quickly adapt to changing risk landscapes.

4. Prepare your own vendor security assessment questionnaire template

Do your own vendor security audit if possible. Find out what their data handling practices are. Is data encrypted at rest and in transit? Are there forth or fifth party risks that your company may encounter by working with this provider? Try to set up an appointment to discuss potential risks and concerns with the vendor’s security team, if possible.

5. Keep security by design in mind

The right identity verification solution for your company also has to be relevant and usable for different teams. Engineers can assess if the service is easy to integrate and maintain, while product teams can identify which critical activities on your platform necessitate user authentication. Additionally, fraud teams can determine if the mechanisms for auditing verifications, submitting documents and flagging users are effective. Rather than competing with stakeholders from engineering, product, fraud, and compliance, find the tensions and acceptable trade offs for everyone to select a solution that is a net benefit for company operations.

Online services and engaging third parties will always carry a certain amount of cyber risk. Successful risk management leadership lies in proactively identifying what these risks are. Conducting a thorough vendor security assessment will help you to identify providers that are committed to privacy, performance, scalability and security. Choosing the right IDV solution not only enables companies to offload a major data liability, it also enhances organizational effectiveness by providing businesses with the tools for safe cross-department collaboration.


Passbase provides a convenient way for crypto businesses to perform KYC checks through identity verification. You can integrate Passbase into your platform via the Passbase API or with SDKs for iOS, Android, and web.

To see how identity verification can work for your business today, try Passbase today for free or book a demo.

Get the latest news from Passbase

Passbase © 2021

KI VERBAND

Passbase is an identity verification solution that makes facial recognition, liveness detection, ID verification and KYC and AML compliance accessible through a suite of flexible developer tools. A zero-knowledge architecture ensures that companies using Passbase can securely verify users from over 190 countries without having to store their data. Built for developers, it can be integrated with just a few lines of code on iOS, Android, and Web.