Vyacheslav Zholudev, Chief Technology Officer of Sumsub, discusses the current state of the identity verification market with podcast host Cameron D’Ambrosi. They explore the factors driving platforms to move beyond basic identity verification and into other aspects of the digital identity lifecycle. They also discuss the challenges of implementing artificial intelligence in regulated use cases such as anti-money laundering (AML) transaction monitoring.
Cameron D'Ambrosi, Senior Principal at Liminal
Vyacheslav Zholudev, Chief Technology Officer
Cameron D’Ambrosi [00:00:02] Welcome everyone to the State of Identity. I’m your host, Cameron D’Ambrosi. Joining me this week is Vyacheslav Zholudev, chief technology officer at Sumsub. Welcome to the State of Identity.
Vyacheslav Zholudev [00:00:13] Thank you, Cameron. Thanks for having me.
Cameron D’Ambrosi [00:00:16] It is my pleasure. I’m really glad to have you on. Sumsub is a leader in this very hot identity verification, document verification, and know-your-customer space. It’s an area that is continuing to draw a lot of investment and attention and expanding its footprint outside of these traditionally regulated industries and into more use cases around things like trust and safety. There’s a lot of competition and platforms vying for market share. So I’m excited to chat with you about the story behind Sumsub, how the platform has grown, and what you see as being the future of this space as we continue to see the adoption of technologies like ID, like mobile driver’s licenses that I think are going to fundamentally change what it means to be one of these platforms in the near future.
Vyacheslav Zholudev [00:01:17] No. Could I tell you something about Sumsub first?
Cameron D’Ambrosi [00:01:23] Yeah, that’d be great. At a 15,000-foot level, and for our audience that hasn’t heard about Sumsub or was lately aware of what you do, how would you describe Sumsub in a nutshell?
Vyacheslav Zholudev [00:01:36] Sure. We started, like, founded the company in 2015, but the story goes way back to when we were doing some algorithms for detecting forgery in the images. But then, around about 2015, we realized that is just part of the story because, at the end of the day, our potential customers don’t care whether the image was modified. They care whether they can trust their customers. And that’s when we pivoted into the KYC, and things started to roll. But then, roughly about two years ago, we realized that KYC is also part of the story, just not enough because, okay, the user gets rewarded, but then he or she transacts, they log in, they change their passwords, they may change their behavior, they could be account takeovers, and things like that. So it’s very important to go beyond the classical onboarding and give, say, the compliance anti-fraud toolkit for all customers. And that’s when we started to rethink what we do next, how we actually close the full customer lifecycle to help our customers stay compliant and fight fraud.
Cameron D’Ambrosi [00:02:53] I love that. And we are obviously, at Liminal, big fans of what we call the digital identity lifecycle and kind of put that at the center of how we analyze the market and opportunities in and where we see this broader digital identity market space heading from that perspective. How much of a challenge has it been attempting to break down some of those internal silos that we see within customers? From my perspective and our audience, it’s probably sick of hearing me talk about this. But I cut my teeth exactly in this space doing work, doing digital transformation for global banks around customer onboarding, sanctions, and transaction monitoring. But I never really got the chance to work directly with fraud teams internally at these banks because of the fact that those were separate teams. Right? You had a separate team doing your kind of login and cybersecurity and authentication. You had a separate team doing your customer onboarding. You had a separate team doing your AML transaction monitoring. You had a separate team doing the fraud. Like, is this transaction a valid transaction or do we think the money is going to disappear? But when you pull back the lens a little bit, these are all variations on really that same fundamental question to your point, which is, is Vyacheslav Vyacheslav and is he doing the things that we expect him to do with his account? And that’s the same whether or not you’re opening the account for the first time, coming back into the account, or transacting within the account. How challenging has it been to get your clients, your buyers, to break down some of those internal silos and maybe put your solution in between what previously had completely different software stacks, different stakeholders, different budgets, and different internal teams?
Vyacheslav Zholudev [00:04:56] Yeah. You brought a very nice point, actually: several teams are working on different parts of the user lifecycle. That’s true. But what could be beneficial is still having transactional monitoring have signals from user onboarding. Right. So, for example, you can ask for a questionnaire during user onboarding and like figure out, for example, the user is unemployed. Right. And then in transaction monitoring, you see, for example, that this user is unemployed but receives them every month. That might be suspicious activities or some sort of money laundering going on, or at least they don’t pay taxes. Right. So I think this makes sort of this marriage between classical KYC onboarding and transaction monitoring becomes more important. Of course, there could be several teams, but if they know that they have more signals, for example, and they have one user transact, they have more signals to base their decision on. That could be really a relief for those teams. Right. At the same time, in transactional monitoring, they still can use, so to say, KYC means to automate some sort of like the manual work that they are doing because I mean, that’s a big deal, especially for big companies. They are already round by manual intervention. They have to look at many cases manually, especially if they don’t use some sort of ready-to-use solution like ours, for example, they build something in-house, but they never find time to do it properly because they have to focus on their core business. It becomes important to have everything under one umbrella. And from our customers, it’s actually a very nice selling point. At the same time, I know that many transaction monitoring tools, they offer some sort of KYC, they integrate with other KYC providers.
But honestly, I don’t believe that it can be done really smoothly because when you need to glue two systems that also heavily rely on nice UI to configure everything, then it can be done nicely, and therefore it’s just suboptimal, so to say, to use. But we also try to help like smaller companies that have just started, and in their case they don’t have separate teams yet, but still it becomes more important. It should be like a timesaver for them because they still need to focus on their main business, and therefore they need more time to integrate a multitude of providers that do just one small, tiny thing. So therefore, I think this balance of KYC and KYC credential monitoring is very important. Not sure how they answer your questions, but I spilled some thoughts on.
Cameron D’Ambrosi [00:07:54] Yeah, I mean, I think we’re right. We’re in violent agreement, you might say, around what the market opportunity is and that necessary integration to your point like these are fundamentally related things and the understanding you get from an initial customer onboarding from completing KYC, from completing customer due diligence, that information inherently must flow into how you risk rate that client and what their profile is going to look like for both regulatory compliance and transaction monitoring, as well as on the fraud side of the ledger and the fact that we have not seen more unified approaches to these from buyers, I think is something that inherently must change. And it’s great to see platforms like Sumsub leading the way in pushing this integration because I think we need to get there, we must get there. And with the market trends that we see around passwordless in particular. They are tying authentication more and more to fundamental identity as well, right? When you’re moving away from a password. How are you going to do account recovery? Moving into, well, what are the physical characteristics of the person who opened this account is going to be the best way to let them back in, without relying on these super vulnerable shared secrets. So I think all of the trends are really pushing the market in this way. And you positioned yourself well in that regard. Thinking about this next set of trends that I alluded to in my intro, ID and mobile driver’s licenses. I would love to hear your thoughts on and how you expect that to impact your customer base and how you’re thinking about these challenges at Sumsub. Obviously, you’re a European-based platform. Europe is leading the way in many regards globally with regard to rolling out IDs, this EU digital wallet platform as part of eIDAS 2.0.
How are you thinking about the impact of IDs and what do you see the role of platforms like Sumsub as being when we get to a state when perhaps in the next couple of years, many consumers in the U.S. and in Europe are going to have either mobile driver’s licenses or IDs in their digital wallets. Like where can Sumsub play, and what do you see the challenges being in financial institutions beginning to learn how to accept and process these digital credentials?
Vyacheslav Zholudev [00:10:34] This topic is very, very important. And general thoughts on this is our domain is changing very quickly. And I mean, just a simple example. And then I will come back to your IDs, right? Like five years ago, it was like three years ago it was common to submit a selfie with a document. Right. But then those documents were leaked into the dark web, so therefore it became too easy to impersonate a person. Then liveness checking came in. Then when those checks came in, the deepfakes rose. Right. And then there is a new challenge. The same is happening actually with the IDs. Because nowadays with all those neural networks, it’s so easy to create like a perfect image of a passport with all MRZ checksums being correct, and the barcodes at the back of the US driving license are also convenient, completely perfect. So therefore I think those IDs definitely gain some popularity. However, the market is still super fragmented, and therefore one of the challenges here is actually to go to each country, like try to find connections and different providers. Some of them require you to register a legal entity. So there are many hassles, and those government sources are often unreliable, right? So you still need to have some sort of fallbacks to maybe classical IDV with like maybe you wanted this user with high risk if they just pass normal KYC, the image-based I mean, but so there are lots of challenges, but we’re getting closer and closer to using electronic IDs and not necessarily those. I mean, in Brazil, for example, there is a taxpayer number called CPF that everybody gets even foreigners. So it’s not a document is just a number, but still it can be used for verification, you can connect and that’s a basis. Also fetch the selfie from this government database. And compared to the liveness check that is performed during customer onboarding.
So I think the trend is broader, not only necessarily electronic documents, but some sort of unique identifiers. And you guys, of course, it’s SSN, but there are also lots of leakages of those systems, unfortunately. So sometimes it’s just not enough. And when it comes to NFC chips in the documents there, like there are also ways how you can bypass, you can copy them so the fraud won’t disappear. Actually, probably it will just become harder to commit this fraud. But then, it’s always a cat-and-mouse game, and you really need to stay on the edge always. And just figuring out what will come next in terms of fraudulent attacks.
Cameron D’Ambrosi [00:13:52] I couldn’t agree more. IDs are going to be a tremendous opportunity to make things easier for relying parties and consumers. However, we’re in a transitory phase from the perspective of the marketplace. Not everyone is going to have it. Many folks will still rely on physical IDs. Platforms like Sumsub will need to help meet the needs of relying parties, which will require further variety. We will continue to see intense fragmentation. When folks talk about the threat it poses to document verification and onboarding platforms, that’s misguided. IDs will make things more complicated, not less. That’s not intended to be a slight on IDs or that we shouldn’t adopt them. But we’ve seen from the EU and the US that these will be optional adoptions. The EU will not mandate that you use an ID as a consumer. This means it would not surprise me if we saw upwards of 15-20% of folks decline to opt-in to these programs. If you’re a bank, you won’t be able to say, “Hey, you must have an EU digital identity to open an account with us.” They won’t want to leave those customers behind. This means you’ll need a way of ingesting an ID, ingesting a US mobile driver’s license, of which there are 50 different flavors because each state could be doing it differently. You’ll still have to handle several hundred flavors and formats of physical identity credentials, passports, driver’s licenses, national ID cards, etc. This arguably will make the need for platforms like Sumsub more acute, not less.
Vyacheslav Zholudev [00:16:07] Yeah, true. The classical IDV or the KYC won’t go anywhere anytime soon. As you mentioned, things will become more complicated. But again, that’s why we’re here to help our clients overcome those challenges. For example, our platform has some sort of orchestration that accounts for those fallbacks. Even if the government database is down for some reason, you can smoothly transition this user to the classical document-based approach. We also provide our customers with means to flag users who might be a bit more risky than those who passed the ID step. Then you can ask for ID later; for example, motivate them further on how to provide ID later on so that their limits are higher. The adoption of those IDs will be driven from both sides. Companies like ours will make it easier to orchestrate different types of scenarios. Companies will realize that it’s much safer to have this information for them, and therefore they will motivate their users to pass those ID checks.
Cameron D’Ambrosi [00:17:41] So from a technology perspective, what do you think are the biggest challenges facing Sumsub and relying parties on the transaction monitoring side? One of the historic challenges has always been what’s it like to integrate all of these different data sets? You have all sorts of blends of legacy on-prem technology. Now, banks are increasingly moving to cloud-based core banking systems, different cloud-based integrations with other vendors in their stack. You’re the chief technology officer. What have those struggles been like in terms of making sure that your platform can handle this increasingly varied type of data sets and platforms that you have to integrate with in order to make these sort of solutions work?
Vyacheslav Zholudev [00:18:36] Sure. When it comes to promoting our KYC solution, there are two types of challenges to business. One is how you convince our potential clients to use it because they might be very cautious about what data they send. With traditional banks, it’s not easy to convince them to switch over because they invested so much effort to create their own solution. So that is for them. It’s very hard to justify the switch. So therefore, your product must be super appealing. It has to be scalable. There are two types of transaction monitoring, the real-time and near real-time. The real-time is when the transaction comes in, hasn’t happened yet, but then you have to decide whether this transaction should go through or not quickly. Near real-time transaction monitoring or anomaly detection becomes much more complicated when you have to analyze not a particular user but look at the picture as a whole because the fraudsters are not sleeping. They come up with new ways to run their money. For example, they have ten accounts and they’re moving money or they can circle between those and then withdraw a bit of money like each iteration. So complicated cases. Some of them you can cover with a rule-based approach. Those rules will stay for several reasons. But by rule, I mean something like if the amount is higher than ten K and then you are not employed and already transacted too much this month, then we log this transaction or put it under investigation. Those rules won’t go anywhere because for regulatory purposes, you sometimes have to explain why you blocked or didn’t block a particular user. You say, “Hey, to the regulator, we have this set of rules. We defend those rules in front of you. You were fine with them. So, therefore, follow those rules.” It’s still possible to be clean from the compliance standpoint but still suffers from fraud. 
Therefore, those AI-based transactional monitoring may come into play that lives in real-time in huge amounts of data. It’s very important to react quickly to the changes in suspicious patterns, not like once a day or once a month, but relatively soon, like within 5 minutes. It’s also important to prioritize those alerts because there could still be false positives, and you want to investigate the more suspicious ones first. This challenge is probably not solved yet, but you can always do better, and that’s where it comes into place. The regime here, there are huge opportunities.
Cameron D’Ambrosi [00:22:13] You mentioned AI, and that’s a really salient topic because chat is taking over the world literally and figuratively. The adoption of AI in regulated spaces has always been an interesting area of debate. Regulators in the US have concerns about understanding when the AI makes a decision as to whether or not a transaction is suspicious or not. Is it human-readable? Is it understandable? Can you reference why the AI thought this was suspicious and not have it be a complete black box? How are you thinking about solving this kind of human addressability challenge? What has the feedback from regulators been from your perspective regarding getting them to understand that AI is actually making these systems better and more effective and not less?
Vyacheslav Zholudev [00:23:33] Good question. I think that could be a gradual process, so you don’t have to rely on 100%. First, I can develop new rules you haven’t thought of before, and then you put those rules in place. If you agree that they make sense, there are lots of experienced people that may understand that this new rule actually makes sense, and then they try to implement those and then they see how it behaves. If it behaves correctly and catches some fraud, that is good. The second step is actually using AI for alerting. Then human interacts and investigates and decides whether it was okay or not. Of course, fully relying on AI and just looking here, there’s nothing. One other way around, just by fraud, is probably we are not there yet. And probably, that chat also sometimes suffers from hallucinations. So with our transaction monitoring, it will be a gradual process. And I think in front of regulators, as long as you still transform the results of AI into the rules and it brings some benefit, it could still be the very first step to convince them that maybe it’s not a bad idea to actually think about the case where the Netherlands Bank was suing the central bank because the central bank was forbidding to use transaction monitoring. But then they won the case. And I think things are moving.
Cameron D’Ambrosi [00:25:41] Amazing. Well, putting your magic prognostication hat on, we’d love to hear your thoughts on what we can expect to see shaping the intersectionality of all of these steps of the digital identity lifecycle. Moving forward, what are some of your predictions for the trends that we’re going to see shaping this space in the next year or so?
Vyacheslav Zholudev [00:26:05] Wow. The tough question. One of the things that comes to my mind is that transactional monitoring will be perceived in a broader way. What I mean by that is that in any event in the customer lifecycle could be considered as a transaction. So for example, a user login results in a transaction with seven properties with device fingerprints, IP address, and so forth. Or for example, if users tried to rent a car-sharing car and you sit in the car and try to turn it on when they realize that the device has changed, maybe it’s an account takeover or maybe you just sold your account somewhere. It’s also a transaction. For example, if you usually drive during the day, but now you rent a very expensive car and try to drive during the night, it also could be a suspicious transaction. When it comes to insurance companies, if you break a leg three times a month, then probably you just faked those doctor bills or whatever, and therefore you need to be investigated. And when it comes to gambling, there are lots of other things that you may take into account. The transaction could be the fact that the person played poker and then lost like X amount of money or X amount of money. I think our customers will start looking at the transaction monitoring in a much broader way, and they will understand that having everything in one system will be super crucial and efficient for fighting fraud. So, for example, you are logged in during the night, an unusual time. Then they change their password, and then their transaction behavior changes. So this is very suspicious. But if you look at the transactions, you probably won’t understand that very few correlated with the fact that something happened in between, namely the password change. You can do much more about that. So I think this paradigm shift or another way of thinking of transaction one time, that’s what’s coming.
Cameron D’Ambrosi [00:28:30] I love that. To bring a son home here, an opportunity for what I like to call a shameless plug alert for our listeners who are excited to learn more about Sumsub, maybe deploy the solution, get in touch with you to learn more. What is the best place for them to go? How should they reach out?
Vyacheslav Zholudev [00:28:49] They can just head to our website, Sumsub.com, and fill out a very simple form. We have a couple of demos publicly available to everybody on our website. You can also register yourself as well so you don’t have to necessarily contact us to try the solution. They can also reach out to us directly.
Cameron D’Ambrosi [00:29:19] Fantastic. Well, we’ll include those links in the show notes below. Thank you so much for joining me. Fantastic conversation. Hope to catch up with you again soon. Let’s check in on some of these ID trends once we get some further traction with this EU digital wallet. And maybe as some of these US states continue throwing IDs and models into the mix.
Vyacheslav Zholudev [00:29:44] Sure, sounds good. Thanks a lot, Cameron. See you next time.
Cameron D’Ambrosi [00:29:47] All right. Thanks.