When you operate a marketplace business, you know the challenge: how to make sure that the right person is carrying out the gig? Far too often, you will face the situation where somebody else is acting and you start being confronted with quality and compliance issues, in the worst case, even fraud. At Shippr, a marketplace for B2B same-day deliveries, we are working with a fleet of independent couriers who have quickly developed the habit of sharing user accounts in the courier app. The solution to this challenge comes down to firstly verifying the identity of the person at registration, and, secondly regularly re-verifying the identity on the job. In technical terms, it means performing a know-your-customer (KYC) check at enrollment and prompting a biometric (or face) authentication before starting the job process.
Clearly, the deployment of such tools is generally not your core competency, and you would turn to third parties who specialize in this identity verification business. Surprisingly, the market is very saturated with numerous players focussing on either identity verification at registration (e.g. Dotfile), or biometric authentication (e.g. Keyless), and others covering both for a complete process (e.g. Sumsub or Onfido). While the integration of a solution provider is somewhat costly and somewhat locking in the (end)customer, often the commercial agreements add additional constraints by requiring long-term contracts and volume discounts, making it more difficult to change your mind along the way.
While the most common approach of vendor selection comes down to breaking down comparison points on price, technology and functionalities, it is a lot less straightforward than one could expect when it comes to KYC providers. Our experience has told us that each of these categories requires in-depth analysis.
Because the process of selecting the right vendor is, as it turns out, a tedious process, it is crucial to be prepared to ask the right questions during the introductory and demo calls so that you quickly disqualify the irrelevant vendors and focus as soon as possible on a short list.
The cost and pricing model
It is striking how expensive the list prices are, especially for a market full of competition. Typical pricing models include a price per transaction, a minimum commitment per year and upfront payment, with sometimes extra costs for additional features or support. The biggest lesson is that all prices are highly negotiable, by a lot! This is the reason why non-disclosure agreements are signed with most vendors. In hindsight, given that enormous room for negotiation, you should not disqualify any vendor because of its expensive list prices, not even the most expensive one! Typically, you can expect a KYC transaction cost of no more than one euro and a biometric authentication transaction cost of a dozen euro cents.
Some providers, such as Onfido, have a pricing model in which they price per user, making it worthwhile to evaluate in a business case when the number of transactions per user is fluctuating, uncertain or simply very big.
The scope of your verification can greatly affect your cost. While in our case, we had to balance the unit cost for a document ID verification and re-verification transactions, you might require more verifications such as a proof of address check, an AML screening check or a check with 3rd party databases such as credit agencies or governmental authorities.
The technical aspects
This is where the engineers need to be involved in the assessment, especially by reading the document and developing proofs-of-concepts. The latter is very important for the shortlisted solutions because we have encountered plenty of challenges at technical level and a working prototype also allows you to appreciate the functional aspects and run real test cases with ID documents and faces.
Depending on your product, it can make great sense to consider only solutions with a software-development-kit (SDK) for your platform. They will allow you to get started with all the, amongst others, UX/UI features off-the-shelves and the complete workflow readily coded. In our case, a React Native SDK for our mobile app was a strict requirement which disqualified quite some vendors. Integrating other SDKs, such as app native ones with a bridge, require a lot more development and maintenance efforts and WebSDKs would have disrupted the user experience in our app. A well-functioning and documented SDK can drastically speed up the integration. Such was the case with Persona and Veriff for their clean SDK which comprised both flows, the KYC enrolment one and the biometric authentication one.
On-device and on-server solutions. While the KYC usually involves a number of verifications and sometimes connection with third parties which are better handled on-server, some biometric solutions can be performed on-device, such as Keyless. This choice is very much architectural and can be a disqualifying criterion or not. If GDPR concerns you, most on-cloud solutions have proper data-redaction functionalities and data-centers also in Europe. Always make sure to also sign the data processing agreements to have you covered because you have little means to verify the actual location of where your data is stored.
API and webhooks are part of the considerations for integration. They will allow you to run logic in your own product based on the KYC process responses, retrieve information from the verification (such as the status, the check details or the pictures) or even to trigger actions on the KYC platform. Most serious vendors have, luckily, everything needed. Beware that certain features may be payable or that some details are missing (on purpose?) to force the use of upsold features. Such is the case with the web workflows at Persona which are the only way to trigger manual review processes.
The functionalities and user experience
The core functionality of these solutions is simple: perform identity verification and potentially re-verifications. However, testing the actual accuracy of verification is crucial because, astonishingly, several providers, such as Shufti Pro and Sumsub, have returned both false positive and false negative results. It is often not public information which technologies are used behind the scenes but we have clearly observed a variety of results. I do therefore recommend using the demo accounts and a proof of concept to perform real tests with colleagues, fools, and family! These tests should include person tests, in particular same-person and different-person tests at the different process steps, i.e. ID document against selfie at enrollment and biometric authentication (see below table). Amongst the rock solid providers, GBG has shown not a single false result.
Note that it is worth checking with the vendor which face the picture is taken as reference picture for reverification checks: it can be either a) the document picture provided during the enrollment (e.g. Onfido), b) the picture originally taken during enrollment (e.g. Veriff) or c) the latest selfie picture taken with the previous reverification (e.g. Persona, ComplyCube). Should your reference document be an old driving license, it might be more difficult to do the face reverifications against that reference.
|Enrollment document||Enrollment face||Reverification face||Expected outcome||Comment|
|Person A||Person A||Success||False negatives can happen|
|Person A||Person B||Fail||False positives can happen|
|Person A||Person A||Person A||Success||Usually works well|
|Person A||Person A||Person B||Fail||Usually works well|
|Person A||Picture of person A||Fail||The liveness check can fail|
A KYC or biometric authentication process must be user-centric and foolproof. A neat user interface for the best possible user experience will pay off at the deployment. Noteworthy features are: assistance with document and face framing, object recognition and autocapture, fast liveness capture, and customizable screens (text and design). If frequent re-verification is a use case, make sure to assess the loading speed of the different steps in the SDK.
The degree of customization can, in many cases, be interesting to best fit into your product. The most basic customization concerns the branding and styling to match the look and feel of your app, as well as modifying text to be as specific and relevant as possible. However, most solutions take this into account and lack of basic customization is rarely a deal breaker. For multilingual businesses, bear in mind that the vendors have different approaches to localisation, ranging from automatic (device) language detection in the SDK (e.g. Persona) to a fully controlled language locale passed as parameter to the instance (e.g. Veriff) or even the translations passed on the fly (e.g. ComplyCube). In our case, we even ended up with the original multilingual copy. More advanced customization could allow the flow to be changed and configured with extra rules. Here again, the job-to-be-done is usually the same across the different solutions and few to no flow adaptation is usually needed (or justifying additional expenses).
It is more than useful to follow the verifications in a user-friendly online dashboard. Many vendors offer dashboards which either have a transaction-based information display (e.g. Veriff) or a person-based one (e.g. Persona, ComplyCube). While it is very useful to have a detailed dashboard to follow up on the first verifications yourself, the set of required features is rather a question of what the future operator will need to do in their daily work. For instance, automatic workflows can both simplify the lives of the operators and save a lot of in-house development work, and GPS location information can complement some deeper analysis without having to build location tracking into your product. It will not just be useful, but also fun to see how account-sharing people are at two different places while trying to get past the KYC enrolment… until the re-verification comes!
Bottomline, in your sales discussions, first ask for a demonstration (to assess the overall solution, both of the app and the dashboard), then request a sandbox to create a POC and perform real verifications (it might require the vendor to activate some production environment credits/quotas) and finally negotiate the price big time!
Note: All things considered, we have shortlisted 3 vendor solutions which met our selection criteria: Veriff, Persona and ComplyCube. Should your criteria vary from ours, a wide range of other vendors could be considered. Our non-exhaustive long list of vendors was the result of many web searches or recommendations from my network and included the following: (…)