Assessing Digital Identity- You Need to Ask ‘Who?’ and ‘Why?’

Assessing Digital Identity- You Need to Ask ‘Who?’ and ‘Why?’

Most Financial Institutions (FI) have experienced a fast and very thorough transition to digital customer interactions. This seismic change continues to create inherent risks that banks must address in complex and creative ways.

Weight Behaviour Over Identity

Digital identity authentication has become crucial when designing frictionless experiences for anything from real-time payments to simple account access. More than ever, verification throughout the customer lifecycle is necessary not only for fraud management and regulatory compliance but also to stop legitimate customers from participating in fraud — whether intentional or not.

Authenticating a customer with credentials or even biometrics at the point of entry is great if the risk we are protecting against is Account Takeover fraud (ATO). However, if the customer themselves is being scammed, we can’t rely on that alone.

Reconfirming an identity to authorize a transaction, like a large outgoing transfer, doesn’t really prevent fraud when the individual thinks they are doing something legitimate.  If FIs are to protect themselves from the fallout of scams, they need to establish baselines for normal behaviour, what the customer archetype is, and what the expected behaviour vs the one being observed.

Financial institutions can then compare live behaviour data against those baselines and detect anomalies. Anomalies can be examined and categorized according to established models.

Ultimately the decision between whether the exposure is authorized or unauthorized isn’t a single decision. It requires making a combination of decisions across the customer journey. Reviewing a “snapshot” moment doesn’t work as well as understanding the decisions made at each point in the journey, and driving the next set of decisions based on prior outcomes.

We’ve Been Playing the Game “Guess Who?”

As digital transformation took hold, fraudsters embraced technology to scale their attacks. To mitigate identity and ATO fraud, banks have deployed many identity management capabilities like authentication, biometrics, behavioural profiling, decisioning, and declines/holds.

This allowed us to start playing a game of “Guess Who?” with questions like: is the customer the one initiating these events or is it someone/something pretending to be them? A lot of effort has gone into solving these issues, with layers focused on authentication through various tests to prove that the real person matches their digital identity. Fraudsters have made an industry out of trying to defeat these tests – and while there’s always room to improve, we’ve gotten pretty good at it as an industry.

Integrate Decisioning to Answer, “Guess Why?”

A crucial part of the shift in thinking comes from having an additional mindset. Beyond “Guess Who?” the focus has to equally emphasize “Guess Why?” This means banks need to look at a customer’s action in context to determine whether it signals a scam.

All the identity checks and controls will quickly confirm the answer to the “Guess Who?” question. But since credential and identity checks may prove insufficient on their own, FIs can turn to integrated decisioning across the customer journey to ascertain what a digital identity is doing.

They need capabilities to profile individual behaviours, the ability to pull in applicable third-party data to support decisions, and a system to review all events in 100% real-time. With this framework, FIs can effectively take false positives and assess for authorized fraud/scam exposure. Data does not magically appear when and where it’s needed. FIs need to combine their customer data with both live customer behaviour data and third-party data for a richer set of contextual variables to answer the questions “Guess Who?” and “Guess Why?”

For example, third-party data might show if there are established relationships between a customer and their payees. Or it might provide insight that a user downloaded an app that has been red-flagged for scams, like a TeamViewer, or that someone has been on the phone for 45 minutes while connected to the online session for the last 10 minutes.

This additional web and app behaviour provides the digital breadcrumbs FIs need to detect fraud in the moment – and contact the customer to stop it.

When banks detect behaviour that suggests fraud, classifying it properly leads to appropriate follow-ups. These might include extra authentications, live information checks, and tests, and even interviews with fraud analysts before a customer can proceed to the next step in their journey.

Better Transaction Security Through Decisioning

Because digital transactions have become so prevalent, FIs will always need to know going forward whether any customer’s behaviour deviates from their norm. If it does, FIs will need to determine whether there’s fraud and what sort of fraud it is.

To effectively authenticate and authorize a customer for any activities, FIs should:

Deploy decisioning models that include customer behaviour, but are tailored specifically for each exposure type. Standard fraud models will typically not perform well to detect scams, as an example.

Identify which customers have the most potential to be victims of varieties of fraud/scams, segment those customers into different archetypes, and tailor controls & treatments specifically to those segments.

Determine what type of authentication or authorization methods will most benefit and protect those customers when unauthorized fraud is in play.

Educate customers to make them more aware of how to protect and verify their identities, and add sensible friction back into authentication activities, especially related to payments.

Educate customers on the risks of scams and tailor the message specific to the type of scams they might face.

Have more ways to engage with the customer across each customer journey and understand how to tailor the treatment depending on whether the risk is authorized or not.

By pulling in the right third-party data; using distinct modelling approaches for authorized and unauthorized exposure; and leveraging flexible orchestration, profiling, and decisioning; FIs can sequence very specific controls across the customer journey. They can also deliver positive customer experiences that ensure the customers feel protected and give the bank the best way to minimize losses.

About FICO

FICO (NYSE: FICO) powers decisions that help people and businesses around the world prosper. Founded in 1956, the company is a pioneer in the use of predictive analytics and data science to improve operational decisions. FICO South Africa is headquartered in Illovo, Sandton.


Join the conversation at &

For FICO news and media resources, visit

FICO is a registered trademark of Fair Isaac Corporation in the United States and in other countries.

Media Contact:


Nichollars Khoza

[email protected]