T-Mobile recently disclosed that hackers obtained millions of records containing personal information from current and past customers -- details like their addresses, Social Security Numbers, and phone numbers.

How to Prevent the T-Mobile (or Experian or Target) Breach from Happening Again


As humans, we are always longing for the latest and greatest; an upgraded car, the latest iPhone version or a first class upgrade on our next flight. We long for these upgrades because we know they offer enhancements that will ultimately make our lives easier and better. While it may not be as top of mind as a new phone, the same can be said for your company’s IDV solution. You, your CEO, investors, and your customers will all benefit from a state of the art, upgraded IDV solution.

You will have less headache working with a battle tested API, your management will be amazed by the increased user volume, investors will love increased profits from a cost effective solution and customers will be happy from the very beginning of your relationship because you made life easy.

---

Here a few more reasons your team will love the upgrade to Cognito:

**Traditional solutions cannot scale** - Solutions like Documentary ID Verification are not scalable. Companies providing documentary solutions often have difficulty hitting SLA’s and in many instances manual review has to take place. Yes, an actual person has to get involved - even in 2019!

**Traditional solutions are not _actually_ verifiable** - when a person submits a passport photo or a copy of their driver’s license, the real work being done is simply checking for tampering evidence. Validating if it is a legit document - not actually verifying the person who submitted the ID is the actual person on the ID.

[**Traditional solutions are not user friendly**](/blog/5-trends-in-identity-verification-to-watch-for-in-2019/) - we all know (and if you don’t here is a previous blog post on it) that user experience is a huge priority for companies, users are demanding it. For documentary providers, 15 seconds is the absolute best case turnaround time for IDV. Often times it can take 5 minutes to receive a verification. 5 MINUTES! And, that does not include the time it takes for a person to find their ID, take a picture and upload it. Remember when Google came out with a stat in 2016 saying 53% of visits are likely to be abandoned if pages take longer than 3 seconds to load? How many lost customers will traditional IDV cost you in 2019?

Cognito is built for scale, fully verifiable, and designed for users so that results get delivered instantaneously.

Contact us today to see how you can upgrade!


As humans, we are always longing for the latest and greatest; an upgraded car, the latest iPhone version or a first class upgrade on our next flight.

3 Reasons Why It’s Time To Upgrade Your IDV Solution


[Pry](https://github.com/pry/pry) is a great tool for Ruby. You have probably used it by setting `binding.pry` in the middle of your code like so:

```ruby
From: lib/dry/types/hash/schema.rb @ line 58 Dry::Types::Hash::Schema#try:

    40: def try(hash, &block)
    41:   success = true
    42:   output  = {}
    43:
    44:   begin
    45:     result = try_coerce(hash) do |key, member_result|
    46:       success &&= member_result.success?
    47:       output[key] = member_result.input
    48:
    49:       member_result
    50:     end
    51:   rescue ConstraintError, UnknownKeysError, SchemaError => e
    52:     success = false
    53:     result = e
    54:   end
    55:
    56:   binding.pry
    57:
 => 58:   if success
    59:     success(output)
    60:   else
    61:     failure = failure(output, result)
    62:     block ? yield(failure) : failure
    63:   end
    64: end

> (#<Dry::Types::Hash::Weak>)
```

Pry is much more than a tool for setting a breakpoint though. It is a great tool for exploring code interactively.

## Discovering available methods

Pry provides a command called `ls` that lists methods and variables available in the current scope. In the code snippet above, the `ls` command would print out the following:

```ruby
> (#<Dry::Types::Hash::Weak>) ls
#<Dry::Equalizer:0x007fafd29f2b88>#methods:
  hash
  inspect

Dry::Equalizer::Methods#methods:
  ==
  eql?

Dry::Types::Options#methods:
  meta
  pristine
  with

Dry::Types::Builder#methods:
  constrained
  constrained_type
  constructor
  default
  enum
  optional
  safe
  |

Dry::Types::Definition#methods:
  ===
  default?
  name
  options
  primitive?
  success
  constrained?
  failure
  optional?
  primitive
  result
  valid?

Dry::Types::Hash#methods:
  permissive
  schema
  strict
  strict_with_defaults
  symbolized
  weak

Dry::Types::Hash::Schema#methods:
  []
  call
  member_types

Dry::Types::Hash::Weak#methods:
  try

instance variables:
  @__args__
  @member_types
  @meta
  @options
  @primitive

locals:
  block
  e
  failure
  hash
  output
  result
  success
```

This is a breakdown of all the methods available in the current scope, grouped by the class or module that owns that method. It also lists the available instance variables and local variables. This is a very powerful tool for quickly understanding the role and responsibility of the code you are debugging.

The `ls` command also lets you drill down into different parts of the current scope. We can use `ls --locals` to view the names of local variables alongside their current values:

```ruby
> (#<Dry::Types::Hash::Weak>) ls -l
result = {
  :name=> #<Dry::Types::Result::Failure
    input=nil
    error=#<Dry::Logic::Result:0x007fafd2cb98d0
      @success=false,
      @id=nil,
      @serializer=#<Proc:0x01@lib/dry/logic/rule.rb:47>>>}
hash = {:name=>nil}
output = {:name=>nil}
success = false
block = nil
e = nil
failure = nil
```

## Learning without documentation

Pry makes it easy to search for methods under a namespace. For example, if we wanted to find methods for handling xpaths with Nokogiri, we can use `find-method`:

```ruby
> find-method xpath Nokogiri

Nokogiri::CSS.xpath_for
Nokogiri::CSS::Node
Nokogiri::CSS::Node#to_xpath
Nokogiri::CSS::Parser
Nokogiri::CSS::Parser#xpath_for
Nokogiri::XML::Document
Nokogiri::XML::Document#implied_xpath_contexts
Nokogiri::XML::Node
Nokogiri::XML::Node#implied_xpath_contexts
Nokogiri::XML::NodeSet
Nokogiri::XML::NodeSet#xpath
Nokogiri::XML::NodeSet#implied_xpath_contexts
Nokogiri::XML::Searchable
Nokogiri::XML::Searchable#xpath
Nokogiri::XML::Searchable#at_xpath
Nokogiri::XML::Searchable#xpath_query_from_css_rule
```

We learn some interesting features from this list:

1. We can convert CSS selectors into XPaths
2. We can search XML documents with `#xpath` and `#xpath_at`

If we want to learn more about how to precisely use one of these methods we can use the `stat` command:

```ruby
> stat Nokogiri::CSS.xpath_for
Method Information:
--
Name: xpath_for
Alias: None.
Owner: #<Class:Nokogiri::CSS>
Visibility: public
Type: Bound
Arity: -2
Method Signature: xpath_for(selector, options=?)
Source Location: /dev/gems/ruby/2.4.1/gems/nokogiri-1.7.2/lib/nokogiri/css.rb:22
```

If we wanted to learn how the method works, we can use `show-source`:

```ruby
> show-source Nokogiri::CSS.xpath_for

From: /dev/gems/ruby/2.4.1/gems/nokogiri-1.7.2/lib/nokogiri/css.rb @ line 22:
Owner: #<Class:Nokogiri::CSS>
Visibility: public
Number of lines: 3

def xpath_for(selector, options={})
  Parser.new(options[:ns] || {}).xpath_for selector, options
end
```

We can also see nice, syntax highlighted code examples using `show-doc`:

![show-doc-usage](images/pry-show-doc-bcd3536b.jpg)

These handful of commands are a great daily resource for debugging and exploring new gems. Give it a try!


Pry is a great tool for Ruby. Here are our best tricks that you may not know about how to use it.

5 Pry Features Every Ruby Developer Should Know


Cognito’s flexible [identity verification API](https://plaid.com/products/identity-verification/) was built to adapt to your sign up flow, not define it. With flexibility comes options so our engineers put together a few common tips and tricks to help ensure you have the highest match rates possible for your users:

1. **Data Validations**: Good data validations filter out sign up spam. The more validation you do up front, the more streamlined and successful your verifications will become. Also be clear in the information you are collection, for example request legal name, not just name.
2. **Experiment:** Test out different input combinations to see what works best for your demographic. Phone + Name + DOB? Or Phone + Name + last 4 of SSN? Or try [layering different input combinations](/docs/expanding-your-search/) with gradual verification. Remember, if you don’t get a hit, there is no charge!
3. **Thresholds:** As a default, the threshold for a passing score is set to 80. However, you can [adjust this threshold](/docs/assessing-results/) based on your risk tolerance and compliance requirements.
4. **Second Chance:** If a user does not pass verification because of a low score on the phone number, try giving them an opportunity to verify themselves a different way. Sometimes the issue can be a simple as a recent change to their phone number, or they input their non-primary number.
5. **Review Compliance Requirements:** Often times we find customers over constrain searches when they don’t need to. Be sure to review your compliance requirements to see if you can simplify inputs. For example, do you need to ask for address? Perhaps you can just ask for name, phone number and DOB?

Still have questions or want to learn more? Feel free to [reach out](/contact/) to us about your use case and our solutions engineers we would love to help!


With flexibility comes options so our engineers put together a few common tips and tricks to help ensure you have the highest match rates possible for your users.

5 Tips to Optimizing Match Rates


## 1. KBA is moving out

Identity verification that relies on the possession of data is no longer a sufficient solution. KBA and SSN verification are proving to be a weak and unsafe security method and the most recent data leak involving [US Postal Service](https://krebsonsecurity.com/2018/11/usps-site-exposed-data-on-60-million-users/) further validates this. The digital world needs a better way to validate your real-world identity and what better with which to do that than with the one thing you are never without: your phone.

A [phone number-to-identity](https://plaid.com/products/identity-verification/) link allows a business to authenticate the user signing up is the owner of the identity, not a fraudster using leaked data.

## 2\. User experience is everything

From your website’s [color scheme](https://gradesfixer.com/blog/color-of-the-year-2019/) to a dedicated customer support team, the experience a prospective customer has with your brand is critical to their lifetime value. In 2019, companies are going to have to put an even sharper focus on the experience they are creating, while artfully balancing security.

By structuring a signup flow with [gradual information collection](/blog/how-gradual-verification-reduces-sign-up-abandonment/), you minimize the friction required without forcing all customers to through a single, complicated process. This decreases the number of fields you collect from your users on sign up and increases the security of onboarding users.

## 3\. Small businesses will become an even bigger target

As mature businesses are tightening up their security, fraudsters are likely to shift their focus to smaller targets. Those targets are startups or high growth companies that have limited engineering resources to implement historically difficult, secure user onboarding programs.

Don’t let that be you in 2019. Cognito is a[simple API](/docs/) that takes much less time than your historical ID verification solution to integrate and maintain. If you need to adapt to certain trends in fraud you’re seeing on your platform, you can do so within minutes, not days. Plus, you will have a support team ready to assist (we are all about experience, too).

## 4\. Automation will continue to be gold

The need to automate is not a new concept in the business world. Any element we can automate, we are all for it, like kids in a candy store. In 2019, continue to fuel your sugar cravings by automating parts of your customer compliance.

Cognito’s automated [watchlist scans](https://blockscore.com/features/watchlist) can ensure that your customers, whether that is thousands or millions, never change status. If they do, you will know it automatically through our extensive global databases. Automated daily, monthly or quarterly scans are available and ready for you.

## 5\. Age verification will be in the headlines

Age verification is becoming a hot news topic as of late with [companies like Tinder](https://www.theverge.com/2019/2/11/18220744/tinder-minors-grindr-age-verification-child-abuse) going under fire for allowing underage people to use their service. While the laws are still unclear in the US across many industries, proactive companies are finding ways to stay ahead of these negative headlines by using a frictionless age verification solution. If you are selling age-restricted content or goods, we are ready to help keep you out of the negative headlines in 2019and ensure that your customers are old enough to do business with you.


5 Trends in Identity Verification to Watch for in 2019


We’ve helped hundreds of companies optimize their ID verification flows to ensure the best possible user experience. As part of this work, we’ve learned what works - and doesn’t - when onboarding customers and we’ve compiled a list of actionable tips to help keep your users happy.

---

## 1\. Use text inputs, not dropdowns for date of birth

Despite what you may expect, on average users fill out 3 separate text inputs asking for the day, month and year of their birth faster than they can fill out 3 dropdowns. When coupled with strong data validations, text input date of birth entry increases conversion rates.

## 2\. Autofill state and city information

Use a service like [Zippopotamus](http://www.zippopotam.us/) or [SmartyStreets](https://smartystreets.com/docs/cloud/us-zipcode-api) to autofill a user’s state and city information using their entered postal code. Not only will it reduce potential typos but it will also speed up their experience if you collect addresses from your customers.

## 3\. Use gradual verification

We have already covered this extensively in our post about [how gradual verification reduces sign up abandonment](/blog/how-gradual-verification-reduces-sign-up-abandonment/), but in summary: by using our product, Cognito, you can reduce the number of fields you need to collect on signup making it a lower friction experience.

## 4\. Collect last 4, not full 9 SSN

If your identity verification provider supports it, opt for collecting only the last 4 digits of your user’s SSN and not the full 9 digits. This change can increase conversion rates on the order of 5% depending on the application.

## 5\. Have a fallback flow

A small percentage of your customers will fail electronic ID verification - some of them will be fraudulent, but some will also likely be legitimate. This is why it’s important to still maintain some kind of fallback flow in the event that a user doesn’t pass electronic ID verification such as collecting their [physical identification documents](/blog/documentary-versus-electronic-id-verification/) like passport or driver’s license.

## 6\. Ask for legal names, not nicknames

Though Cognito has support for nickname comparison, not all ID verification providers do. If your user’s first name is Richard and they enter Rich, that can cause unnecessary failures and frustration. Test your ID verification provider to see how they handle nicknames and be clear with your users that they should enter their legal name and not a nickname if nicknames aren’t supported.

---

If you adhere to as many of these tips as possible when verifying your customers, you should see ID verification conversion rates improve considerably. We’re always happy to give you an individual consultation so do not hesitate to reach out.


We’ve helped hundreds of companies optimize their ID verification flows to ensure the best possible user experience. As part of this work, we’ve learned what works - and doesn’t - when onboarding customers and we’ve compiled a list of actionable tips to help keep your users happy.

6 Tips to Maximize Identity Verification UX


No matter what sort of business you are a part of, if your company asks customers for their address, there’s a good chance you will benefit from an address verification service. A postal address is a ubiquitously requested piece of information for online shopping, shipping, setting up accounts, and more. But how do you know whether or not the address your customer provided has a typo, or worse— is fraudulent? The solution is an address verification system.

### e-Commerce and Address Verification

e-Commerce businesses have a lot to gain by using a reliable address verification service. After filling out a lengthy webform, it’s easy to mistype your address. Some sources say that a staggering 18% of addresses entered online contain a typo.

A simple little typo is all it takes for a customer’s package to be sent to the wrong address, causing strife for both the customer and the company.

### Address Verification Services

Address verification becomes progressively more complicated when your business needs to ensure that a customer _currently_ lives at the address they claim to. This verification is essential for many companies including those in the financial industry, delivery business, and sharing economy (think companies like Airbnb and TaskRabbit). One option for address verification is through document verification, where a customer submits a bill or a driver’s license that shows proof of address. Unfortunately, this process tends to be a poor user experience. The customer has to track down paperwork and wait through a slow authentication process.

Instead of documentary verification, many savvy address verification services check the information against online databases to match a name to an address. Unlike documentary verification, this method requires no further effort from the customer. This reduces friction for onboarding and increases conversion rates.

### Address Verification to Combat Fraud

Regardless of what type of business you are a part of, if you collect customer’s addresses, you are at risk of being defrauded.

Many companies are changing their business models and providing delivery services for the first time due to the COVID-19 outbreak. These companies would benefit from examining whether their recent changes warrant further measures to protect themselves from fraud. The total cost to U.S. organizations from web and mobile fraud transactions in 2018 was estimated to be [6.4 billion](https://community.rsa.com/docs/DOC-40326)_._ Surprisingly, many banks approve financial transactions even if the address provided doesn’t match the data they have on file. Address verification was reported to be the _most effective_ anti-fraud tool in a [survey](https://amasty.com/blog/all-in-one-e-commerce-fraud-guide-types-detection-prevention-2018/) of eCommerce merchants. Follow the lead of industry experts to make sure your company is prepared to catch fraudsters trying to prey on your company.

### Simple Address Verification with Cognito

Cognito makes address verification simple, saving your company (and your customers) time and money.

Validating addresses at the beginning of the onboarding process is crucial, to catch fraud and errors before they can even happen. Cognito’s secure API verifies a user's address in _real-time_ using highly regulated data. Some services verify an address against \_un_regulated data such as from social media. This information can be easily altered. Cognito’s simple address verification provides a secure verification process, using regulated data from official sources such as government records, credit files, and voter registration. We use data that you can trust. Cognito’s simple address verification provides your company with a rich data file of a person's address including their address history. Our user-friendly setup allows you to view up to the last 15 addresses associated with your customer and provides estimates for when they lived at those locations. This allows a company to tie a person to a place, which can be useful in combating fraud. With Cognito’s streamlined service, your customers no longer need to muddle through the process of uploading their driver’s license to verify their address. Cognito provides a significantly better user experience by making cumbersome documentary verification a thing of the past.

If your company is looking to increase conversion rates, create a smooth onboarding process, and reduce fraud, Cognito’s [simple address verification](https://plaid.com/products/identity-verification/) can help.


No matter what sort of business you are a part of, if your company asks customers for their address, there’s a good chance you will benefit from an address verification service.

Address Verification: How, Where, Why?


Who’s to say whether an online customer who claims to be 21 isn’t just a wayward 13 year old with an internet connection? As a business, it is your responsibility to implement a dependable method of age verification to protect underage customers from purchasing age-restricted products such as e-cigarettes and alcohol.

However, time-consuming age verification processes can easily deter legitimate adult customers, and impact a business’ bottom line. Can an age verification method be highly dependable without compromising a frictionless onboarding process?

## Online Gambling and Gaming

Legal age limits hold true for online gambling just as much as they do at a casino in Vegas. Without a sufficiently accurate age verification system, a company can be hit with a pile of fines if they are caught allowing a minor to play.

Gambling age requirements differ between jurisdictions, from 18 to 21 years old. This necessitates a dynamic age verification system that can account for regional variation without the need for many separate onboarding processes.

A wave of [legislative proposals](https://www.nytimes.com/2018/04/24/business/loot-boxes-video-games.html) may indicate that the definition of online gambling is expanding, with major gaming companies such as Blizzard under scrutiny for the gambling-like nature of “loot crates.” This makes it all the more important for online gaming companies to implement a reliable age verification system to ensure that their products are in the hands of the appropriate audience.

The age verification process when purchasing a video game needs to be vigorous, but not tedious, so that players can get right to enjoying their games.

## e-Cigarette & Vape

The e-cigarette industry has received significant scrutiny for lack of sufficient age verification; the Food and Drug Administration (FDA) prohibits the sale of nicotine products to customers under 18, and several US states have increased the age requirement to 21. However, many companies lack a robust age verification system for online purchases and deliveries, leaving it up to the delivery person to judge if the customer appears underage.

A lax age verification system can lead to legal repercussions for e-cigarette companies. In 2018, the FDA issued [1,300 warning letters and fines](https://www.fda.gov/tobacco-products/ctp-newsroom/warning-letters-and-civil-money-penalties-issued-retailers-selling-juul-and-other-e-cigarettes) to businesses who illegally sold e-cigarettes to minors, including via online stores. This ranked as the largest coordinated enforcement effort in the FDA's history.

The age verification system for e-cigarette companies needs to be rigorous so that nicotine products aren’t sold to underage customers, while not inhibiting adult access. Ultimately, overly lengthy age verification methods will test customers’ patience and limit signup conversion.

## Dating Apps

A trustworthy age verification system is essential for any online dating service in order to screen out underage users. The consequences of poor age verification is more than just steep fines— it puts children at risk.

Recently, online dating companies like Tinder, Bumble, and Grindr are [under investigation](https://nypost.com/2020/01/31/tinder-bumble-face-us-inquiry-over-sex-offenders-underage-use/) by a subcommittee of the US House of Representatives for allegedly allowing underage people to use their service.

Smart companies are working ahead to avoid the financial and reputational damage that results from failing to use a reliable age verification system.

## Frictionless Identity Verification

Not all identity verification services are created equal. Some processes are multi-step and may also require disclosing sensitive personal information such as a social security number. Other services require documentary verification, where customers upload a photo of their driver’s license or passport.

Documentary verification poses a roadblock in the onboarding process— a customer may leave their computer to retrieve the necessary document, and never make it back to signing up.

Customers may even be asked to take a selfie _with_ a document to prove it’s not a forgery. A blurry overexposed selfie may be fine for social media, but when it comes to documentary verification, glitches like this pose a problem. Savvy businesses will benefit from leaving paperwork in the past.

With Cognito’s [identity verification service](https://plaid.com/products/identity-verification/), security and user experience don’t have to be a tradeoff. A customer’s date of birth can be verified using nothing more than their [name and phone number](/blog/how-a-phone-number-becomes-an-identity/).

This is a powerful tool for any industry that sells age restricted products. It guards the company against fraudsters and fines, protects underage users from harm, and allows the product to be purchased by legitimate customers in a uniquely seamless way.

For businesses that focus on age-restricted products and services, reliable age verification is not optional, it is essential. Cognito’s [identity verification service](https://plaid.com/products/identity-verification/) makes this process frictionless.


As a business, it is your responsibility to implement a dependable method of age verification to protect underage customers from purchasing age-restricted products such as e-cigarettes and alcohol.

Age Verification Without Friction


It’s not news to today’s financial institutions that money laundering is a serious global problem. [According to the U.N.](https://www.unodc.org/unodc/en/money-laundering/globalization.html), the estimated amount of money laundered in one year is 2–5% of global GDP — in other words, the world loses a staggering $2 trillion USD to money laundering a year. Understandably, Anti-Money Laundering (AML) regulations have become significantly stricter over the past year as a result. Strengthening AML compliance is essential for businesses looking to reduce the risk of fraud and avoid the financial, legal, and reputational damage that can result from it.

AML compliance can be a complex undertaking for any company, but there are smart ways to streamline the process. We’ve assembled a handy checklist to help ensure your AML program is up to scratch.

## 1\. Do you have a written AML compliance program?

A written AML compliance program is an essential part of any effective AML strategy. Your business may also be required to have one — [FINRA Rule 3310](https://www.finra.org/rules-guidance/key-topics/aml/faq), for example, directs financial institutions to develop and implement a written AML compliance program in order to meet minimum standards.

As a rule of thumb, your written compliance program should explain:

- Which regulations you are complying with
- Your identification policies
- How you will monitor and report on your compliance program
- Your criteria for identifying suspicious activity
- Your record retention policy
- How often you will conduct internal audits
- Your communications procedures
- The name of your compliance officer

Having this policy available to your executive leadership, board, staff, and regulators in an important component of any good AML program.

## 2\. Do you have a compliance officer?

A compliance officer’s role is to ensure your organization is meeting the national and international regulations specific to your industry. Compliance officers work with management and internal teams to roll out or augment company-wide compliance programs.

If you don’t put someone in charge of compliance, your processes will not be as robust or up to date as they should be. In the long run, this will hamper your ability to manage the risk of fraud. Make sure whoever you designate as your compliance officer has the seniority and influence necessary to ensure AML compliance is fully implemented and monitored.

## 3\. Do you efficiently screen new customers?

Onboarding is a critical component of your AML compliance program as well as your customer experience. With an effective watchlist solution in place, you can quickly and securely screen new customers — protecting you from money launderers from the get-go by identifying them and refusing them access to your systems. [A smart watchlist tool](/products/watchlist/) can ease the burden on your compliance team and reduce false positives in the screening process, boosting your efficiency.

## 4\. Do you regularly re-screen customers?

Although it’s tempting to think the screening process ends after you’ve onboarded a new customer, it should be an ongoing part of your customer relationship lifecycle. A customer’s status can change after they’ve signed up for your services, and when it does, you need to be able to detect this change so you can manage the potential risk to your business.

How often do you re-screen your customers, and how much time does it take your team to accomplish this task? An efficient watchlist solution re-scans your users on a regular basis to automatically uncover any changes in their status, giving you the timely notification you need in order to respond before a threat becomes a liability. The right watchlist product should non-intrusively screen hundreds of millions of accounts each month, keeping your business compliant while maintaining a smooth and frictionless customer experience.

## 5\. Do you train your employees on AML?

AML training can help your employees protect your company. By educating your teams on the legal requirements affecting your business and the compliance policies you have in place, you equip them to better recognize the common techniques used by money launderers to gain access. Make sure to conduct regular training so your team’s knowledge is kept current: in addition to providing introductory sessions to new hires, host refresher programs for existing employees as well.

## 6\. How often do you review your AML compliance processes?

Your compliance requirements will evolve as your business grows and regulations change. That’s why you should review your compliance processes and procedures on a regular basis to make sure they are up to date. Consider bringing in an expert to advise you on which aspects of your compliance program need to be strengthened and how to improve them.

[The right partner](/blog/know-your-strategy-assessing-aml-compliance/) can help you streamline your AML processes, improve the accuracy of your onboarding and re-screening processes, cut the costs associated with compliance, and deliver a more seamless customer experience.

In a world with increasingly strict regulations, AML compliance is no longer optional. Make sure your company is up to the challenge by taking advantage of smart solutions that streamline your compliance processes. By increasing your capacity to manage business risk, you can better protect your company as well as your customers.

_With automatic rescans and frictionless, gradual verification, Cognito’s_[_watchlist product_](/products/watchlist/)_is designed to keep your company AML compliant. Contact us to learn more._


It’s not news to today’s financial institutions that money laundering is a serious global problem.

AML Compliance Checklist


Customers often ask us for the best practices when putting together their BlockScore verification integration. We have seen many custom integrations, some good, some bad. In this article we have compiled a list of tips to maximize pass rates and minimize customer frustration.

## 1\. Reduce required input fields

For most businesses, your users don’t use your service because of ID verification; they use it in spite of it. Reducing friction is paramount for improving your user experience and this can be achieved by only asking the bare minimum of what is required for your purposes. One convenient optimization is to pre-fill a user’s city and state based on their postal code. Though this isn’t possible for every country in the world, it is possible for most.

## 2\. Let them know to use a credit-related address and their legal name

One of the most common reasons for a false failure is the use of an incorrect address or nickname. If your customer enters their work address or the address of a home to which they only recently moved, their verification will likely not pass. Let them know that they should use an address that they have associated with their bank of credit card for the best chance of success. In addition, the “name” fields should be labelled “legal name” so as to prompt people not to use nicknames when filling out the form.

## 3\. Show the correct forms of ID based on country

If you are verifying an international audience, it is best to customize the forms of identity based on the country they live. For instance, if your customer is in the United States, you would use the language _SSN_ and _Driver’s License_ as means of verification. However, if your customer is in Mexico, they can use their _Matricula Consular_ or _Passport_. This is much clearer and easier to understand than something like _document number_ or _ID number_.

## 4\. Properly format the address field based on country

Every country has its own peculiarities when it comes to addresses. For instance, [not every country has postal codes](http://en.wikipedia.org/wiki/List_of_postal_codes) and the subdivision that is referred to as “state” in the United States has a variety of equivalents in other countries such as the Swiss “canton” or the Canadian “province”. If your customers come from across the world, localizing the fields based on language they understand will greatly improve accurate data entry.

## 5\. Explain why you need the information

Depending on your audience, people may not understand why your business is asking for their sensitive information. Even mammoth companies like [Target are subject to being hacked](http://money.cnn.com/2014/01/10/news/companies/target-hacking/), so it is no wonder people are sometimes a bit weary of handing over their data. A few sentences before the ID verification form as to why you need to collect this info can go a long way towards improving your customer’s trust.

## 6\. Give them a way to correct a failure

Sometimes good people do not pass the ID verification process. This can happen for a variety of reasons beyond the person’s control, so it is important to provide some form of recourse. Whether that means allowing the customer to upload a scanned physical document or to provide a way to contact support, making sure that people have an alternative means turning away fewer good customers.

After making these simple changes, your BlockScore integration will convert more people and be much more enjoyable to use. If you have any more questions, we’d love to hear from you at [support@blockscore.com](mailto:support@blockscore.com).


Customers often ask us for the best practices when putting together their BlockScore verification integration. We have seen many custom integrations, some good, some bad.

6 Best Practices for ID Verification


The [California Consumer Privacy Act](http://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375) (CCPA) was enacted at the beginning of this year, and enforcement will start July 1, 2020. Is your company prepared?

At its core, the CCPA is intended to improve Californians’ data privacy rights by giving them an effective way to control their personal information. The legislation is part of a global backlash against the misuse of consumer data, and it specifically cites the [2018 Cambridge Analytica scandal](https://en.wikipedia.org/wiki/Facebook%E2%80%93Cambridge_Analytica_data_scandal) where millions of people were alarmed to discover that their personal data was used for political advertising without their consent.

### CCPA Basics

A familiarity with the intentions of the CCPA is necessary in order to fully understand its regulations. The legislation’s goal is to provide California residents with the right to:

- know what personal data is being collected about them;
- know who their personal data is being sold or disclosed to;
- say no to the sale of their personal data;
- access their personal data;
- request for their personal data to be deleted;
- and not be discriminated against for exercising their privacy rights.

### What Counts as Personal Information?

The CCPA uses a broad definition of personal data: anything that “identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.” The legislation provides examples such as:

- name or alias;
- postal address, email address, IP address;
- account name, unique personal identifier;
- social security, driver’s license, or passport number;
- browsing, search, or purchase history;
- and geolocation data.

### Who is Subject to CCPA?

Just because your business is based outside of California doesn’t mean the CCPA is not applicable. The CCPA applies to any for-profit company that _does business_ in California, collects consumers' personal information, and meets one or more of the following thresholds:

- +$25 million annual gross revenue;
- buys, sells, receives, or shares the personal data of 50k or more consumers, households, or devices;
- or earns more than half of its annual revenue from selling consumers' personal data.

The CCPA also applies to any entity that shares common branding with a business that meets at least one of the above thresholds. Think of it like a parent being deemed responsible for the actions of their child.

### What are the Penalties of Violating CCPA?

There are steep consequences for noncompliance with the CCPA. The legislation includes provisions for civil penalties of up to $2,500 _per_ violation, which can be increased to $7,500 if the violation is deemed to be intentional.

A security breach compromising customer’s personal information is also a cause for civil action under the CCPA. Companies that have a data breach may have to pay up to $750 _per_ California resident affected. Talk of CCPA-related lawsuits have already begun, with a [class action lawsuit](https://timesofsandiego.com/crime/2020/04/21/s-d-county-woman-sues-video-chat-app-for-alleged-privacy-breach/) filed against the company behind Houseparty for allegedly sharing personal information without consent.

### Identity Verification for CCPA Compliance

CCPA gives consumers the right to request their personal data, but it does not prescribe the method to ensure you are giving the data to the right person. A request for data access may just be a fraudster impersonating someone to steal their sensitive personal information. A business can find itself in a sticky situation if they provide personal information of a consumer to the wrong party in response to a fraudulent request. In addition to leading to poor publicity and lost customer trust, it is also considered a data breach and cause for a class action lawsuit under the CCPA itself. The financial and fintech industries are especially at risk of this type of fraud considering the sensitivity and value of the personal data they possess. A [European study](https://i.blackhat.com/USA-19/Thursday/us-19-Pavur-GDPArrrrr-Using-Privacy-Laws-To-Steal-Identities-wp.pdf) recently revealed just how easy it is for fraudsters to take advantage of data access requests. They found around a _quarter_ of businesses provided sensitive information without verifying the identity of the requester, and 15% requested a form of identity that could easily be stolen or forged. The study also found that larger or regulated businesses tended to have stronger identity verification requirements, implying that businesses that invest in anti-fraud and know your customer (KYC) policies will likely be more successful at identifying fake requests.

In summary, while implementing processes to be compliant with CCPA and allow customers to request access to their personal data, it is vital to not overlook the requirement to verify the requestor’s identity. The best defense against this new avenue of fraud is a robust identity verification system. Cognito’s [i](https://plaid.com/products/identity-verification/)dentity verification service is designed to help your company be CCPA compliant. Contact us to learn more.


The California Consumer Privacy Act (CCPA) was enacted at the beginning of this year, and enforcement will start July 1, 2020. Is your company prepared?

CCPA Guidelines


Cryptocurrency has been quickly moving from the margins to the mainstream — but the journey to securing crypto transactions isn’t over yet. There’s currently a perceived gap between cryptocurrency businesses and the regulatory frameworks that govern financial services and institutions across the globe.

This infographic discusses where the current gaps are, and how a modern, intelligent Know Your Customer (KYC) and Anti-Money Laundering (AML) solution can help close them.

[Download Infographic](/wp-content/uploads/2021/02/Cognito_Infographic_Crypto-Company-Compliance_V1.pdf)


Cryptocurrency has been quickly moving from the margins to the mainstream — but the journey to securing crypto transactions isn’t over yet.

Cognito Helps Crypto Companies Stay Compliant


After working with hundreds of enterprise companies for what we thought was standard KYC and AML product research, we quickly discovered that even the largest organizations had seriously flawed compliance screening programs. The most common findings were inadequate screening controls, overall misinterpretations of regulations, and an inappropriate risk appetite. Beyond misunderstandings, many organizations weren’t proactively protecting themselves from fraud. Their use of manual systems allowed human error which was only exacerbated by adding headcount rather than overhauling or replacing antiquated systems and processes.

Why, within such a critical business function, does a lack of automation persist? While “flexibility and customization” may be trending features, it’s worth questioning whether they’ve become a disservice if not a liability. How can we as a vendor provide expertise along with guardrails? In building our latest product, we placed more emphasis than ever on being an expert for our customer. Building a best in class product that guides you through confusing regulations to protect your business.

With its industry-leading screening capabilities, Cognito’s watchlist solution is the platform that today’s compliance-conscious companies need. And now, we’re pleased to be rolling out the latest iteration.

![](/images/blog/post_images/cognito-screening-1-1.png)

## Highlights include:

- Manually enriched watchlist data to make it easier to investigate hits and programmatically review them.
- Automatic daily rescans for all of your customers.
- Support for transliteration across 18 different languages.
- A full compliance CRM for handling hits and viewing results (that can also be entirely controlled via API).
- Unlimited free re-searches for a customer if their information updates (name, location, etc).
- Persistent audit trails for all actions that take place on the dashboard and API.
- A completely updated search algorithm to help improve search relevance.

## Enjoy automatic scanning at scale

Unlike other screening solutions on the market that provide only periodic or manual monitoring and change tracking, Cognito is automatic: our solution rescans all users on an ongoing basis. No breaks, no gaps — with Cognito you can:

- See continuous up-to-date status for all your customers.
- Maintain comprehensive audit trails.
- Take notes on activity.
- Automatically assign agents to manage accounts.
- Monitor compliance in our appealing dashboard or API.

Not only do these regular risk assessments reduce your manual workload and let you focus your efforts on high-priority accounts, but they surpass industry best practices.

Cognito is also geared for your growth. Our compliance CRM has the capability to scale with your organization, so you’ll no longer need to switch solutions as your company expands. Even if you have more than 100 million customers, seamless scanning and rescanning is automatic, letting you catch even the smallest changes in the status and profiles of each user.

![](/images/blog/post_images/cognito-screening-2-scaled.jpg)

## Identify PEPs without burdening in-house teams

Anti-Money Laundering (AML) regulations not only let you watch your customers’ backs — they help you watch your own too. That’s because these rules prevent financial services companies from aiding and abetting criminal activity. For organizations whose customers could include [politically exposed persons](/blog/cognito-flags-politically-exposed-persons/) (PEPs), AML compliance is critical.

For Cognito, it’s all about preventing financial crime while providing unparalleled accuracy. We use industry-leading search algorithms to help you surface potential matches for all your customers from an extensive list of regulated databases — and immediately raise any red flags. These algorithms come ready to deploy with our watchlist solutions, which means you no longer have to divert your developer resources into building and operating these functionalities on your own — and can take advantage of a seamless user experience right away.

## Reap the benefits of intelligent global language handling

All you need to begin an effective Cognito verification search is a name. Cognito:

- Scans for names with phonetic similarity, nicknames, initials, titles and honorifics, and missing or truncated components.
- Compares results against official, reliable government data.
- Gathers crucial supplementary information, including the customer’s location, passport, date of birth, and other relevant insights.
- Uses intelligent global language handling to conduct automatic cross-comparisons across 18 of the world’s most widely-spoken languages.

By highlighting customers with risk factors, you can assign accounts to a more senior agent, increase the sensitivity of your match settings, and triage your reviews and investigations.

![](/images/blog/post_images/cognito-screening-3-scaled.jpg)

## An industry-leading compliance CRM that keeps getting better

There are a variety of reasons why there might be a hit during the customer screening process, and different companies have different priorities. Cognito’s compliance CRM is designed to learn what yours are, so it can constantly refine why, how, and when it flags hits for immediate review.

At Cognito, we understand that sanction and PEP screening is the first critical step in preventing financial crime. That’s why we’ve designed a robust, proactive system that combines automation, search algorithms, and self-learning analytics to deliver meaningful results. Finally, you have a compliance CRM that focuses on the things financial organizations truly care about.

_Find out more about how_ [_Cognito's watchlist solution_](/products/watchlist/) _can work for you._


After working with hundreds of enterprise companies for what we thought was standard KYC and AML product research, we quickly discovered that even the largest organizations had seriously flawed compliance screening programs.

Introducing our reinvented watchlist platform, Cognito Screening


Traditional methods of electronic identity verification use a two phase approach. The first phase asks the user to show “this is who I am” using name, date of birth, address, phone number, and social security number. The second phase challenges the user to prove who they are by assembling questions from that person’s past, often called Knowledge-based Authentication (KBA).

KBA has been an industry standard for over a decade. Unfortunately fraud-mitigation techniques become stale as fraudulent actors find ways around them. While KBA can be tuned to increase efficacy, such as limiting the time permitted to respond to questions and limiting the number of attempts a user has to retry failed question sets, fraudulent actors have augmented black markets to include information that can be used to pass KBA questions.

Even as early as 2010, [Gartner warned clients that “criminals can get their hands on anyone’s KBA or identity information through the black market exchanges.”](http://blogs.gartner.com/avivah-litan/2013/09/25/knowledge-based-authentication-breached-big-time-another-dagger-for-obamacare-the-banks-and-many-others/) To make matters worse for KBA, Gartner notes that businesses experience KBA failure rates up to 30% depending on the population. For every KBA failure, authentic users may be turned away or required to pass a costly manual process if they are willing to go through the hassle.

---

## How Cognito differs

With a traditional verification, only information needs to be compromised. With Cognito, possession of a person’s phone or compromising the phone network is required to pass user authentication.

[Cognito exceeds traditional ID verification](/blog/ssn-from-a-phone-number/) and KBA in the following ways.

**Near ubiquity**. Nearly everyone in the US has a phone number

**Provable possession**. By sending a text message or placing an automated call, you can prove the person is in control of the phone number associated with their identity records

**Low friction**. It is much easier to verify and authenticate possession of a phone than to answer intrusive financial questions that the user often does not remember

**Secure**. Compromising a phone adds a layer of complexity outside of just purchasing KBA information through the same black market that sells identity information

Fraudsters use the path of least resistance to commit fraud and test exploits en masse. Millions of identities are trafficked through black markets and used to create fake accounts. While KBA does add a layer of difficulty, a very small hit rate can yield a lucrative return on stolen identity information. Because Cognito requires possession of a device in addition to compromised identity information, black market identity information isn’t sufficient to pass a Cognito verification.


Traditional methods of electronic identity verification use a two phase approach.

Cognito vs. Traditional ID Verification


There are many ways to verify an individual’s identity but they broadly fall into two categories: documentary and electronic ID verification.

## Documentary ID Verification

![Documentary ID verification passport](images/documentary-flow-9b93c774.png)

Documentary ID verification is the method to verify the authenticity of physical documents. When in person or submitting paperwork, copies of documents such as identity cards, birth certificates, legal documents, and utility bills provide the basis to verify the authenticity of the person providing the information. These documents may be certified copies, be embossed with seals, or have holograms to provide evidence of authenticity. The conclusion is that only person possessing these documents and having similar characteristics to the person stated on the documents such as photos, sex, addresses, and schooling is likely to be the person owning the identity.

### Advantages

- Easy to perform sufficient photo ID verification in person
- Provides sufficient hurdles to deter most fraudulent activity
- Documents may be the only method available to verify a person’s identity

### Disadvantages

- Challenging to perform when not in person
- Authenticating most documents is impossible or cost prohibitive because it requires sending the documents to the issuing authority
- Many types of documents may be not be available due to loss, fire, floor, or insufficient record keeping
- People are less likely to keep utilities in their names which makes proof of residency challenging

## Electronic ID Verification

![Electronic ID verification computer](images/electronic-flow-35081320.png)

BlockScore provides a electronic ID verification method to verify the identity of a person meaning that only knowledge is required. Information that only the owner of the identity is likely to know is checked against authoritative sources for authenticity. Additionally, the authoritative source may also prompt the person being verified for additional information to further verify his or her authenticity. The additional questions returned from authoritative sources is called question sets or knowledge-based authentication (KBA).

### Advantages

- Easy and cost effective to check against many authoritative sources quickly
- Additional screenings can easily be performed such as checking against government watchlists
- Works well over the Internet
- May fulfill compliance obligations

### Disadvantages

- Authoritative sources may not be available to check against in certain countries and among certain demographics
- Privacy laws may prohibit using authoritative information to verify a person

## Combining documentary and electronic ID verification methods

Businesses can use both documentary and electronic ID verifications together to mitigate risk and comply with regulations. In many jurisdictions, electronic ID verification is required to ensure that it is legal to do business with a person by checking the person against watchlists. Automated documentary ID verification, such as [Jumio Netverify](https://www.jumio.com/netverify/), can be added to the user flow as part of the signup process or when certain events occur such as large transactions. Information extracted by using automated documentary ID verification such as Netverify can be sent directly to BlockScore for electronic ID verification simultaneously.

## Conclusion

Businesses have options to balance the impact to users and the need to verify the identity of individuals to comply with regulations and mitigate fraud. Documentary, electronic, or both methods of ID verification can be implemented to minimize the impact to users at various places in the signup flow and ongoing relationship. BlockScore provides the easiest-to-implement electronic ID verification service and works with others such as Jumio for documentary ID verification.


There are many ways to verify an individual’s identity but they broadly fall into two categories: documentary and electronic ID verification.

Documentary versus electronic ID verification


As a financial institution, you already do your customer due diligence (CDD) - but when do you need to step it up to enhanced due diligence (EDD)? The answer: surprisingly often. In this industry, you simply can't be too careful, which is why it's always a good time to review how to keep your EDD processes up to scratch.

Of course, EDD is nothing new - it's been an essential part of Know Your Customer (KYC) regulations since the Patriot Act of 2001. EDD mandates the collection of additional customer information in cases where customers are high risk, in order to better understand their activity and head off vulnerabilities. [New rules from FinCEN](https://www.fincen.gov/resources/statutes-and-regulations/cdd-final-rule) around CDD and EDD went into effect in July 2016 with a compliance deadline of May 2018, meaning it's more critical than ever to ensure you are implementing the right systems to keep your processes in shape.

Both CDD and enhanced due diligence are part of a complete KYC process. Identity verification (IDV) at the account-opening stage is one of the most critical moments in the process, but it doesn't end there: read on to identify when your due diligence should kick up a notch.

## Raising the Enhanced Due Diligence flag

EDD might seem like something you save for high-stakes situations, but the truth is, it should be a lot more routine. Any customer who qualifies as high-risk or high-net-worth automatically merits more scrutiny, as do those who conduct large transactions. According to the Federal Financial Institutions Council (FFIEC), there are three risk categories to consider:

- Customers and entities
- Geographic location
- Products and services

### Customers and entities

When considering individuals and entities, you will most often want to be tracking [politically exposed persons, or PEPs](/blog/types-of-peps-and-the-risks-they-pose/) . PEPs include anyone who holds an influential position in a nation's government - that can be in the public or adjacent private sector-as well as their close associates and family members. It's a given that these individuals are screened and scanned more extensively given their higher risk assessment. If an individual is identified as high-risk, then you should collect additional information on their personal and business relationships.

Some other factors for which to watch:

- foreign clients opening accounts with your financial service, despite being non-residents of your country of operation;
- nominee shareholders of a company, or those who possess shares in the company's bearer form; and
- personal asset-holding vehicles who are not actual people, but who are considered legal persons.

For all of these individuals and entities, it is essential to know the nature of their business or occupation, the sources of their funds or wealth, as well as the typical pattern, volume, frequency, and purpose of their transactions, all of which can be risk factors. You will need to understand who their customers are too, whether they're expected to be domestic or international, and the normal origin and method of payment. With a totality of information, you can watch for transactions that appear abnormal, convoluted, or pointless.

Keep track of the individuals' approximate salaries or the organization's annual sales, as well as articles of incorporation, partnership agreements, and business certificates. Know who the account's ultimate beneficial owner (UBO) is. Monitor adverse media for any unsavory mentions of the clients with which you are working.

### Geographic locations

In terms of places to be wary, the list is long. The [Financial Action Task Force (FATF) retains records](<http://www.fatf-gafi.org/publications/high-riskandnon-cooperativejurisdictions/?hf=10&b=0&s=desc(fatf_releasedate)>) of countries that lack adequate AML systems, as well as watchlists like the Call for Action Jurisdictions and Other Monitored Jurisdictions. Watch out for customers or entities operating out of these places and those whose country of origin is not a member of the FATF or its partners.

Some other reliable sources of information:

- The [State Sponsor of Terrorism list](https://www.state.gov/state-sponsors-of-terrorism/) names countries that are known financiers or supporters of terrorist activity.
- Some countries have widespread corruption reported by credible sources such as the [Transparency Index List](https://www.transparency.org/en/countries/afghanistan?redirected=1) .

Financial businesses need to be cognizant of the diplomatic relations between their country of operation and foreign states. If your company is based in the U.S., you need to be blocking business with countries that currently have sanctions, embargoes, or other restrictions against them. Also, even if a country or a foreign bank doesn't directly support terrorist organizations, it's critical to monitor whether there are any operating within its borders to avoid inadvertently supporting terrorist financing. However, EDD should be used to determine if someone has associations with any sanctioned organization indirectly.

### Products and services

Regulators also keep an especially close eye on certain types of financial services, like people who use a correspondent account. For example, because private and correspondent banking is extremely confidential, money laundering is a problem in that sector. Here are some other organizations or offerings that are subject to higher scrutiny:

- shell banks;
- cash-intensive businesses; and
- industries associated with high cash flow, such as casinos.

## Putting Enhanced Due Diligence into action

Where do you start with EDD? Regulators recommend a risk-based approach. Have an effective system for recognizing and categorizing customers according to their risk rating, and create a customer risk profile that is reviewed regularly.

Additionally, regulators require your policies to meet specific criteria:

- they must be rigorous and robust in the quality and quantity of information collected;
- there must be detailed documentation so regulators have EDD reports on demand;
- regulators want reasonable assurance that your organization has done every necessary step in calculating KYC risk ratings; and
- all relevant information must be considered, including negative media, and anything suspicious must be reported.

One of the most effective ways to implement EDD is to make sure you apply consistent and frequent monitoring of high risk customer activity, as well as screen against international AML watchlists periodically. Experts strongly recommend a compliance software solution that can automate this process. Cognito covers your bases with:

- an industry-leading IDV solution for authenticating new customers;
- best-in-class AML Watchlist algorithms with transliteration across 18+ languages; and
- regular rescans to catch any changes or anomalies in customer status.

With the right IDV partner, you can ensure your due diligence reflects the risk level at hand, no matter who is looking to access your services.

Compliance has never been more critical. [Try Cognito today](https://plaid.com/products/identity-verification/) and see the difference it makes for your business.


As a financial institution, you already do your customer due diligence (CDD) - but when do you need to step it up to enhanced due diligence (EDD)? The answer: surprisingly often.

Enhanced Due Diligence Is Non-Negotiable. Here is How to Do It Right


![](/images/blog/post_images/Cognito-Phone-ID-Infographic-2020-03-03-v09-GM-1.jpg)

[Download Infographic](/wp-content/uploads/2020/03/Cognito-Phone-ID-Infographic-2020.pdf)

---

Securing logins and preventing fraud is a top concern for today’s companies. But for many — particularly those that have to comply with strict Know Your Customer (KYC) regulations — the need for multiple identifiers leads to user friction and sign-up abandonment. Cognito has a better solution. And it all begins with a phone number.

## How does a phone number become a secure, trustworthy source of identity?

Let’s start with what doesn’t work.

- **Social Security Numbers (SSNs)** are unfortunately still one of the most commonly asked-for identifiers. SSNs can’t be authenticated. This means anyone who has it can use it.
- **Knowledge-Based Authentication (KBA)** is an outdated but common practice where the user is asked personal questions. SSNs can’t be authenticated. This means anyone who has it can use it. Few people can remember their 9-digit SSN or KBA answers, leading to frustration.

However, there’s a different and much more memorable number that nearly everyone has...

## Enter the phone number.

- The phone number is a better identifier because it’s associated with a physical object that a person possesses, instead of being based on information they know.
- Nearly everyone has one, with 95% of adults in the U.S. having a number that they’re likely to keep for.

## A phone number can be as good as a thumbprint — or better.

When a solution relies on regulated data from official sources, rather than unregulated data from social media and other places that users alter frequently, it provides a much more secure verification process. Over the course of its lifespan, a phone number is recorded at a variety of regulated, trusted touchpoints. These sources include:

- Financial institutions
- Government records
- Credit header files

A phone number is a unique identifier that can be authenticated. Regulated data becomes the key to taking a number from a randomized string of digits to an identity. A number is confirmed as belonging to your customer any time.

- Register to vote
- Purchase a home

## So how does verification work?

- Your company adds the Cognito API to your sign-up flow. (It’s quick: we’ve had companies integrated and running in the span of a day.)
- A customer signs up for your service by providing as little as their name and phone number. At this stage, we recommend you send your customer a one-time passcode. This lets you verify your user is in possession of their phone at the time of sign-up. It also raises the attack barrier, because compromising a physical device is much more complex than stealing a SSN.
- The Cognito API automatically consults powerful, regulated data sources to retrieve information and stitch together a real-world identity record for your customer. (This includes their SSN, so that businesses can remain KYC compliant without introducing hurdles upfront).

A user is verified based on the key data points your company chooses. You can set the threshold for verification that suits your business: whatever your use case, Cognito remains flexible.

## Behind the scenes, Cognito helps with:

- **Verification:** Making sure that the name and phone number are tied to each other, and part of a legitimate identity.
- **Authentication:** Affirming that the user is actually who they say they are.

## What if a name and phone number do not surface a complete profile?

Our goal is to verify the majority of customers using as little data as possible. But for the exceptions, gradual verification can still provide your user with a great experience. In such instances, Cognito allows you to prompt the user for their:

- Date of Birth
- Full SSN
- Address
- Last Four Digits of SSN

You can send us another request using one or more of these additional inputs, and we’ll apply for a credit card retry — in most cases, at no extra cost. Turning a phone number into an identity isn’t only a safe option — in today’s identity verification landscape, it’s the smartest. Are you ready for a flexible, frictionless identity verification service? _[Talk to our team today](/contact/) to try Cognito for free._


Securing logins and preventing fraud is a top concern for today’s companies. But for many — particularly those that have to comply with strict Know Your Customer (KYC) regulations — the need for multiple identifiers leads to user friction and sign-up abandonment.

Infographic: How a Phone Number Becomes an Identity


Like any compliance officer, Matt Mehlman has a lot to keep track of. A consultant with iLex Consulting Group, LLC, he works with multiple fintech companies as a specialist in compliance oversight. Many startups aren’t going to hire a Chief Compliance Officer before they hit their growth stride — yet being in compliance is crucial to their survival. That’s particularly true when it comes to anti-money laundering (AML) policies.

“It’s the most crucial thing for a business because it’s literally how your doors stay open — one AML misstep and the government can shut you down,” says Mehlman. But beyond being vigilant for the sake of the company, AML adds value to society — something that compliance officers want their teams to understand.

“We have a duty not just to the government, but to the people of this country and to the world to do our part in stopping financial crime,” he notes. “Illicit activity is a multi-billion-dollar business, and it’s honorable for us to be able to do our part to fight it. We’re stopping bad actors from laundering money across borders where it can finance terrorism or dictatorships and compromise human rights.”

Seen from that perspective, [a robust AML program](/blog/know-your-strategy-assessing-aml-compliance/) is more than just a business precaution — it’s a social responsibility, and Mehlman looks to vendors who take compliance as seriously as he does.

That’s why he recommends Cognito. The automated platform allows compliance officers to not only verify the identity of their customers, but to scan them against government watchlists. The solution uses powerful APIs and search algorithms to yield comprehensive and up-to-date data.

## Compliance priorities and training

In spite of the importance of AML, business owners are often thinking of other issues which are no less urgent. “They’re not trying to solve crime — one of my clients is trying to solve underbanking and bring access to people in banking deserts,” says Mehlman. “So while they may not be focused on AML, they need to stay compliant while doing what they’re passionate about.”

The same goes for other team members who have their own business roles and goals above and beyond compliance — which is why [ongoing training is so critical](/blog/aml-compliance-checklist/). “If you don’t train your employees, AML is not everyday knowledge. Most people want to avoid it and not think about it, because this is the dark side of the world we all wish wasn’t there,” says Mehlman. “But unless you understand the trends, you’ll never know how to pinpoint the red flags.”

Just as founders and employees have a range of roles and responsibilities to keep track of, so do compliance officers, who monitor everything from the transactions taking place to the content in marketing materials. “A compliance officer’s day is probably the most hectic thing I’ve seen in my life,” says Mehlman. “To have a solution like Cognito give you data quickly and simply — and to be able to have faith that you’re getting the best data — takes a huge chunk off your plate.”

For business leaders and owners, having concise, coherent reporting with tokenized results is a huge weight off, as they can hand information over to auditors without any additional hassle. “It makes the reporting part of their job so much easier, they can get back to their day-to-day role of growing their company,” says Mehlman.

## Automatic and continuous screening

There are two [major pain points](/blog/how-to-avoid-common-aml-missteps/) that most companies have when it comes to AML: screening and re-screening. “The Office of Foreign Assets Control (OFAC) posts a disclaimer that their watchlists can change overnight, if not hourly,” notes Mehlman.

This is why he recommends his clients partner with vendors who can effectively screen customers through software.

“Cognito can run an identity verification check and a watchlist check simultaneously,” he says. “This solves the need to manually search, eliminating any need for intervention altogether.”

As Mehlman notes, this saves not only time, but eliminates human error, where something as simple as a misspelled name or a momentary internet outage can derail the process.

“The other pain point Cognito solves is the regular re-scan — instead of other solutions where I would have to send through my entire customer list, Cognito takes care of re-scans automatically,” he says. “For my clients, it makes it so much more seamless and so much less time consuming. For me, it gives me freedom of my day to do other things, and it gives me more specific insight when information doesn’t match, where there was a hit, and why.”

## A tool that works, a team that listens

When connecting his clients with a vendor, Mehlman evaluates [the functionality and user friendliness of the solution](/blog/sanction-screening-head-to-head-results/), as well as the vendor’s knowledge. “I’ve met vendors that understand their technology but have limited understanding of the space they’re actually working in. I like that Cognito is very knowledgeable about the technology _and_ keeps up to date on the latest AML rules. [They just revamped their watchlist tool](/blog/cognito-screening-now-available/), and the features in there made everyone’s life easier. They’ve been listening to what people are saying.”

Mehlman also appreciates that Cognito is a specialist, not a generalist. “They know identity verification and AML, and how they’re going to help their clients solve those issues, and they’re very open to listening. Every update they’ve made, every new product they’ve provided, has always been with that goal in mind.” For Mehlman, being able to trust that his vendor has his clients’ best interests in mind enables him to concentrate on his critical AML work, instead of managing and oversighting third parties.

“AML is super important because without it, we’d be living in a comic book world — it would literally be Gotham City, where we would need a superhero to fight all the crime, because money can flow faster than you can imagine,” he says. “The greatest tool that I can recommend to my clients is to partner with the kind of vendors that help me do my job and make my life easier so we can all fight the good fight.”


Many startups aren’t going to hire a Chief Compliance Officer before they hit their growth stride — yet being in compliance is crucial to their survival. That’s particularly true when it comes to anti-money laundering (AML) policies.

Compliance Truths: How Cognito Supports Compliance Officers and AML Programs


New companies face a balancing act: they need to launch their products and scale their services while meeting industry regulations and staying afloat. As a result, not every fast-paced startup has a Chief Compliance Officer.

That’s where Matt Mehlman comes in. As a consultant and fintech specialist with [iLEX Consulting Group, LLC](https://ilexgroupllc.com/), it’s his job to join fintech organizations in the role of a compliance officer or outsourced CCO, contributing the expertise his clients need to continue their growth while staying within the established compliance guidelines.

A key component of Mehlman’s role involves ensuring his clients know their customers. [Know Your Customer](/blog/what-is-required-to-know-your-customer/) (KYC) policies exist to help companies fight fraud, money laundering, and terrorist financing — and if they’re not properly enforced, companies can incur fines, sanctions, and reputational damage. Fintech startups are especially susceptible to this: if auditors find they’re not doing their due diligence, their product will be discontinued, effectively shutting down the business.

Cognito’s modern [identity verification service](https://plaid.com/products/identity-verification/) and [watchlist screening](/products/watchlist/) have been built to ensure regulatory compliance is as frictionless for businesses as it is for their customers. Mehlman explains why it's one of his first choices for the fintech innovators he works with everyday.

## Keep the importance of KYC front and center

The reason why fintechs tend to outsource compliance responsibilities is simple: founders, developers, operations, and marketing teams are familiar with the sales and technology aspects of the business, but they may not be as knowledgeable when it comes to regulatory compliance. “My role is to be that sort of ‘bank in a box,’” says Mehlman. “I understand the rules, and I can help take the compliance weight off the company.”

As a result, there’s one principle that Mehlman and his fellow compliance professionals keep top of mind: “You can make multiple sales to get your name out there — but it takes just one compliance mistake to get yourself shut down.”

While a traditional bank might be able to bounce back after facing fines or sanctions, Mehlman notes that once a fintech owner’s app is gone, so is the business. “While they work on fundraising, marketing, and targeting customers, I work on compliance and keeping them safe,” he says. “They know the business can keep running while they go out and do the important work of building their brand.”

## Choose a KYC solution that makes life easier for you and your customers

KYC friction is a huge blocker when it comes to fintech adoption for end users. [89% of customers](/blog/the-cost-of-a-poor-kyc-program/) already report having negative KYC experiences with their regular banks, according to Thomson Reuters. Convincing them to switch to a fintech startup — and break out of the mindset that a bank has to be a brick-and-mortar business — can be challenging enough without the added burden of difficult, document-heavy onboarding.

The first time one of his clients adopted Cognito, Mehlman couldn’t believe the difference it made for end users. “By reducing friction, our numbers went up immediately. Auto approval rates went from 40% to above 85% — that’s a huge jump. And for me, that means less time in front of a computer and looking at a manual review cue piece by piece.”

No matter your vertical, choosing a KYC partner is a matter of maintaining balance. “We wanted as much as possible to be automated,” says Mehlman of his work with a recent client. “We wanted to be a seamless, frictionless experience for the client, their end customers, and the specialist doing the day-to-day KYC.” That’s why he suggested his client use Cognito. Whether or not you have a consultant like Mehlman in your corner, source vendors that make the KYC process manageable for your end users.

## Reduce manual processes to reduce risk

As Mehlman found out firsthand on a project, vendors can be hit or miss. “With other vendors, we weren’t receiving the best data or the right results, and a lot of processes were manual, leading to longer wait times and onboarding issues for end users,” he says. “As the client specialist working, I was spending six hours a day just doing KYC and not any other of my roles.”

Working with Cognito immediately streamlined Mehlman’s workload. On the client side, the Cognito team connected with the tech team to facilitate a seamless integration into the onboarding flow for their apps. “At any company, it’s great when you can switch a vendor and there’s no downtime or impact on customers,” says Mehlman. “Cognito made the changeover super simple, and their API documentation gave our engineers immediate access to start integrating from day one. By the end of the week, I had everything up and running, which was amazing.”

The Cognito platform automatically collates reliable data from regulated sources to complete KYC-compliant customer profiles, and can start the process with as little as a name and phone number. “Not only is their data detailed and easily parsed by my client to generate great results on our end — enabling us to build our own customer service dashboard—but Cognito gives us the ability to look at the raw data on their own user-friendly dashboards so you have everything you need to know right in front of you.”

This makes it easy for Mehlman to flag when information is missing or doesn’t match. “With previous vendors, I wouldn’t know what failed or what didn’t verify for the customer’s identity. It was all tied together so if the date of birth was off by a day, it caused their SSN to fail, even though the SSN was right. Cognito scores each individual aspect, which is great because I can target what needs to be verified.”

Mehlman notes that KYC compliance can sometimes seem more like an art than a science, with multiple variables that must be accounted for. Cognito’s solution puts the science back in charge, with high-quality data to streamline processes and help organizations know their customers better.

“The real need it solves is giving time back to everyone in the process — to me, to the client, to their customers — so that we can all get on with other things,” says Mehlman. “It’s way better data, with way better results. To more than double your numbers is incredible.”

_Find out more about our_ [_reinvented watchlist solution_](/blog/cognito-screening-now-available/)_, and how Cognito can ensure your business knows its customers._


New companies face a balancing act: they need to launch their products and scale their services while meeting industry regulations and staying afloat.

Compliance Truths: How Compliance Officers Ensure They Know Their Customers


If you’re currently running identity verification on your users, you are probably leaving money on the table. Any person who begins the sign up process and leaves before becoming a user is lost revenue. In any relationship between a business and a customer, sign up abandonment can be thought of in the following terms:

> If the perceived benefit that your customer will get from your product is less than the effort required to sign up, then they will abandon you.

The traditional method of identity verification whereby a company asks for, at a minimum, a customer’s name, date of birth and address - and frequently also their Social Security Number - is onerous and time consuming for users and raises the cost of sign up considerably.

Companies with strict regulatory or anti-fraud requirements are at a disadvantage to other web-facing companies because of the inherent need to increase the required effort to sign up in order to be compliant. They have two levers they can pull: either increase perceived value or reduce effort required to sign up.

---

## How do I reverse ID verification abandonment?

One method of decreasing the effort required to sign up is to reduce the number of form fields required for the user to fill out. But how can you decrease the number of fields collected if they are usually required to run identity verification? Instead of collecting all of the required information at once, Cognito allows you to gradually collect additional customer information as you see fit and pull back the rest of the data that your business needs to onboard the customer. For instance, if your sign up flow only collects name, phone and email, then Cognito can verify your customer’s identity with just a name and phone number.

If Cognito is unable to verify your customer with just a name and phone number, you can prompt the user for any one of: 1. date of birth, 2. full Social Security Number, 3. last 4 of Social Security Number, or 4. their address. In most cases, for no extra cost, Cognito can verify your customer using one or more of these additional data points.

---

## Example gradual verification breakdown

Let’s take a look at a realistic gradual verification flow that starts with collecting just name and phone, followed by date of birth and last 4 of SSN. The table below outlines a realistic match rate at each stage of the gradual verification process.

| Verified with                          | Total % of customers verified |
| -------------------------------------- | ----------------------------- |
| Name, Phone                            | 75%                           |
| Name, Phone, Date of Birth             | 85%                           |
| Name, Phone, Date of Birth, Last 4 SSN | 95%                           |

The key point to remember is that by structuring your verification flow with gradual information collection, _you minimize the friction required for the maximum number of users_. Using this example, 75% of customers would never need to provide more than just their name and phone number in order to verify their identity.

Gradual verifications are a powerful way to both decrease the number of fields you collect from your users on sign up and [increase the security](/blog/ssn-from-a-phone-number/) of onboarding users by connecting them with their mobile phone number.


If you’re currently running identity verification on your users, you are probably leaving money on the table. Any person who begins the sign up process and leaves before becoming a user is lost revenue.

How Gradual Verification Reduces Sign Up Abandonment


BlockScore is an identity verification service that uses many data sources to verify the identity of your customers or users. The goal of the verification is to take information provided by a user, see if the coherence of that information matches various data sources, and return the results to you for compliance and fraud mitigation.

Unlike single-source providers such as credit bureaus, BlockScore uses not only BlockScore data, but data from many sources to verify identity information. When identity information is submitted, proprietary algorithms compare the identity information provided against various data sources and within a second, return both a simple valid/invalid and details about the match strength of each piece of data provided by the user. For many businesses, a valid/invalid response is sufficient. For more sophisticated risk models, the details can be used.

Optionally, BlockScore offers a question set service, also known as KBA (knowledge-based authentication). After a verification is performed on a person and determined to be valid, you may request a question set comprised of five questions. These questions are used to determine if the owner of the identity is submitting the identity information to you. You may present the user with as few questions as you like. After you collect the answers to the questions from the user, send the answers to BlockScore and you will receive the results in under a second.

In addition to verifying that the identity information is for a real person, the information can also be checked against several watchlists simultaneously. See watchlist scanning for more information on supported lists.


How ID verification works


SSNs are dead. The most recent Equifax hack confirms that.

In a post-SSN world, using one for authenticating an identity is a recklessly insecure business practice that will leave you susceptible to fraud.

For years, we at Cognito have been trying to find ways to move past the old world of identity verification that relies on possession of data. Not only are the industry-standard methods of KBA and SSN verification insecure, but they are also [onerous for your customers](/blog/how-gradual-verification-reduces-sign-up-abandonment/). The Social Security Number was never supposed to be the private key to your life as it is used today. It emerged as one because it was purported to be secret; the act of knowing a Social Security Number was considered sufficient proof that you are who you claim to be. Thanks to Equifax, that narrative no longer holds any merit.

Beyond the secrecy issue, the primary issue with a Social Security Number is that it is not an authenticatable number, meaning that if your SSN is leaked, anyone is able to use it. When we created Cognito, we needed a number that uniquely identifies a person while also being authenticatable. A phone number fits this description perfectly.

---

## The Post-SSN Solution

Using the phone number as a person’s primary identifier is advantageous for a few reasons:

**Phone numbers are ubiquitous.** 95% of adults in the US have one and tend to keep the same one for life. This means that there is a very high likelihood that your user has a phone number.

**Possession can be proven.** Verifying possession of a phone number creates a link between the actual person and their number. Using Cognito creates a link between that phone number and the identity.

**Higher barriers to attack.** Basing the verification around a phone number creates a much higher barrier to fraudulent activity. Relying on an old verification system would allow a fraudster to commit fraud simply by buying stolen identities on the black market. A company using Cognito removes that possibility and would require a fraudster to try to gain access to a user’s phone, which is much more difficult.

---

## What is the future of SSNs?

Obtaining the SSN of a user will still be necessary for KYC compliance, which means SSNs won’t disappear completely until new regulations are adopted or guidance is given. To help with this requirement, Cognito retrieves the full SSN of a user so that businesses can remain in compliance.

Additionally, despite the massive leak, SSNs have not lost all functionality in an identity verification process. Having some form of unique identifier to associate with an person is still highly valuable for identity verification. Similarly to dates of birth or other non-secretive identifying data, SSNs can help filter through results to locate an identity. With [gradual verifications](/blog/how-gradual-verification-reduces-sign-up-abandonment/), Cognito can use SSNs in this manner to improve match results.

---

Any company relying on SSNs to authenticate an identity should be concerned with the release of 143 million SSNs. Cognito is the solution to secure your business and ensure a reliable KYC process in a post-SSN world.


In a post-SSN world, using one for authenticating an identity is a recklessly insecure business practice that will leave you susceptible to fraud.

How Identity Verification Works in a Post-SSN World


Ruby makes it easy to write concise code. This is a benefit of the language and the ecosystem. Matz focuses on [“making programs succinct”](http://www.artima.com/intv/tuesday3.html) and Rails boasts that it lets you build “in a matter of days” what used to take months.

Concise code can have a dark side. Convenient interfaces can tuck away complexity and side effects that might surprise you later. Brevity in software comes at the cost of diligence both from developers and reviewers. It is especially important to understand how your abstractions work and the business rules they implicitly handle.

## Moving Fast

Imagine you are adding a new feature to your Ruby on Rails web application. This feature breaks down into three small tasks:

- Integrate with an internal API which provides information about the current user
- Use information about the current user in order add a welcome message to the header of each page
- Display a flag alongside the message corresponding to the user’s `country`field

The current user JSON looks like this

```json
{
  "status": "success",
  "data": {
    "name": {
      "first": "Edmond",
      "last": "O'Connell"
    },
    "address": {
      "street1": "53236 Camilla Light",
      "street2": null,
      "city": "Pierceville",
      "state": "NJ",
      "country": "United States"
    }
  }
}
```

To integrate with the API you create three simple classes with `ActiveModel::Model`:

```ruby
class User
  include ActiveModel::Model

  attr_accessor :address, :name
end

class Name
  include ActiveModel::Model

  attr_accessor :first, :last
end

class Address
  include ActiveModel::Model

  attr_accessor :street1, :street2, :city, :state, :country
end
```

To extract the user data you use the [new `#dig` method introduced in Ruby 2.3](/blog/new-features-in-ruby-2-3/):

```ruby
User.new(
  name:    Name.new(response.dig('data', 'name')),
  address: Address.new(response.dig('data', 'address')))
)
```

Finally, you add a `current_country` view helper method and create a new view partial:

```ruby
module UserHelper
  def current_country
    return 'Unknown' unless current_user

    current_user.address.country
  end
end
```

```erb
<div id="user-welcome">
  <% if current_user %>
    <span>Welcome back <%= current_user.name.first %>!</span>
  <% end %>

  <div id="user-welcome-flag">
    <%= image_tag("/imgs/flags/#{current_country}.png") %>
  </div>
</div>
```

## Breaking Things

A few weeks pass and you find out that some pages rendered the message “Welcome back !” and a broken image in place of the flag. The internal API encountered its own error and returned

```json
{
  "status": "error",
  "message": "Internal server error"
}
```

Oddly enough this did not break your code:

```ruby
response = { 'status' => 'error', 'message' => 'Internal server error' }

name    = response.dig('data', 'name')    # => nil
address = response.dig('data', 'address') # => nil

user = User.new(name: Name.new(name), address: Address.new(address))

user.name            # => #<Name:0x0011910412163>
user.address         # => #<Address:0x0011910412163>
user.name.first      # => nil
user.address.country # => nil

```

Feeling a bit embarrassed by the bug you reflect on how you could prevent similar issues in the future:

> What if the internal API renames the `country` field to `country_code`? That would also silently break the view. Can I only avoid these cryptic bugs by being vigilant about every external dependency?

## Reflection

The features in Ruby and Rails which let you write concise code can also let you cut corners. Consider our `Name` class and how the corresponding response data was originally extracted:

```ruby
class Name
  include ActiveModel::Model

  attr_accessor :first, :last
end

module ResponseHandler
  def self.extract_name(response)
    Name.new(response.dig('data', 'name'))
  end
end
```

Let’s rewrite `Name` without `ActiveModel` or `attr_accessor`:

```ruby
class Name
  # Inlined from Active Model source http://git.io/vuECr
  def initialize(params={})
    params.each do |attr, value|
      self.public_send("#{attr}=", value)
    end if params

    super()
  end

  def first
    @first
  end

  def first=(first)
    @first = first
  end

  def last
    @last
  end

  def last=(last)
    @last = last
  end
end
```

Imagining our code like this is instructive. It seems like three questions are now immediately obvious

- Should the initializer invoke setter methods for _any key_ passed to the initializer?
- Will `Name` ever be invoked without arguments?
- Are these public setter methods necessary or is `Name` a [value object](https://en.wikipedia.org/wiki/Value_object)?

Let’s throw out `#dig` and instead handle each edge case manually.

```ruby
module ResponseHandler
  def self.extract_name(response)
    return Name.new(nil) unless response.key?('data')
    return Name.new(nil) if     response['data'].empty?

    Name.new(response['data']['name'])
  end
end
```

Expanding this method highlights three distinct outcomes which are each important to consider. The original code properly handled a valid user object but overlooked two important edge cases:

### 1\. API error handling when `response['data']` is `nil`

```ruby
return Name.new(nil) unless response.key?('data')
```

This happened when the internal API encountered an error. This condition should instead result in our application notifying the end user of an error.

### 2\. Alternate behavior when a user is not returned

```ruby
return Name.new(nil) if response['data'].empty?
```

This corresponds to the following JSON

```json
{
  "status": "success",
  "data": {}
}
```

This might mean that the current user has not yet logged in. It could also be a buggy response.

Depending on how robust you expect the internal API to be you might want to handle this case independently as well. If this is invalid state then the response handler should raise an error. If it is valid state and you want to handle cases where the user is not logged in then there should be a separate `Guest` class independent of the `User` class.

Both of these options are better than implicitly assuming this condition never happens. Once the code embedding your assumption is deployed it is too easy to forget and unknowingly introduce a silent regression in the future.

## Conclusions

Ruby certainly makes it easy to write concise code. The question then is how do you reap these benefits without cutting corners accidentally? At BlockScore we have a few practices which help us write better Ruby.

### 1\. Strict and simple dependencies

Active Model’s initializer is permissive and this led to surprising behavior. Consider the benefit of a strict alternative like [anima](https://github.com/mbj/anima):

```ruby
# Test cases
valid_arguments  = { first: 'John', last: 'Doe'                  }
missing_argument = { first: 'John'                               }
extra_argument   = { first: 'John', last: 'Doe', nickname: 'Jim' }

# With Active Model
class Name
  include ActiveModel::Model

  attr_accessor :first, :last
end

Name.new(valid_arguments)  # => #<Name:0x0011910412163 @first="John", @last="Doe">
Name.new(missing_argument) # => #<Name:0x0011910412163 @first="John">
Name.new(extra_argument)   # => NoMethodError: undefined method `nickname=`
Name.new(nil)              # => #<Name:0x0011910412163>
Name.new                   # => #<Name:0x0011910412163>

# With Anima
class Name
  include Anima.new(:first, :last)
end

Name.new(valid_arguments)  # => #<Name first="John" last="Doe">
Name.new(missing_argument) # => Anima::Error: Name attributes missing: [:last]
Name.new(extra_argument)   # => Anima::Error: Name attributes missing: [], unknown: [:nickname]
Name.new(nil)              # => NoMethodError: undefined method `keys'
Name.new                   # => ArgumentError: wrong number of arguments (given 0, expected 1)

```

### 2\. Meticulous code review

An inconspicuous line of code like

```ruby
Name.new(response.dig('data', 'name'))
```

can encode multiple important code paths. With Ruby it is especially important to visualize the equivalent “expanded” code.

### 3\. Static analysis

Tools like [reek](https://github.com/troessner/reek) and [rubocop](https://github.com/bbatsov/rubocop) are great for learning how to write better code. Reek might point out a design issue before you notice it. Rubocop now goes way beyond style: the [next release will include eight new cops for helping you catch bad performing code](https://github.com/bbatsov/rubocop/blob/482345bafd9421e77b8629ec1b809c197e6bdaf5/CHANGELOG.md#master-unreleased).

### 4\. Mutation testing

Mutation testing helps me [write better Ruby](/blog/how-to-write-better-code-using-mutation-testing/). It sniffs out dead code, helps me find missing tests, and generally helps me think about the assumptions I’ve made.


Ruby makes it easy to write concise code. This is a benefit of the language and the ecosystem.

How Ruby Hides Complexity


Money launderers are hard to detect — and their methods evolve over time. It’s easy for companies to think they’ve done enough to squash criminal activity, when in reality there are cracks in their systems that can be exploited. And regulators are keeping track: in recent years, penalties for Anti-Money Laundering (AML) non-compliance have [reached all-time highs](/blog/know-your-strategy-assessing-aml-compliance/).

So what are some recurring errors and mistakes organizations make in their AML efforts? We’ve identified seven common AML oversights your company should be aware of.

### 1\. See the whole picture

In today’s globalized world, there’s a good chance that your customer base and supply chains span numerous jurisdictions. But what counts as compliance in one region isn’t necessarily good enough elsewhere. Inconsistent standards — whether in customer screening and identification, account monitoring, or due diligence — puts companies at risk.

To offset these inconsistencies, err on the side of over-compliance. [An investigative report from KYC360º](https://www.riskscreen.com/kyc360/special-report/failures-in-anti-money-laundering-controls-paying-the-price/) points out that common management oversights include: a lack of clearly-defined roles and responsibilities, a deficit of communication, and infrequent audits of overseas branches and affiliates. Aim to do the opposite. It’s up to organizations to think big in their AML approach while also taking care of the small details.

### 2\. Don’t get distracted by dollar signs

Some organizations are willing to take risks if they see the potential for profit, even when it comes to something as serious as AML — they ignore warning signs or fail to review high-risk transactions. Meanwhile, AML compliance officers are seen as unnecessary and relegated to minor roles.

If caught in non-compliance, the regulatory fines will be the least of your worries. The reputational damage of ignoring criminal activity is steep, and it’s always better to be safe than sorry.

### 3\. Avoid false positives

On the other side of the AML spectrum are organizations that overreport and review abnormal activity that isn’t, in the end, abnormal. This results in huge costs, and frustrates regulators who are stuck processing countless unfounded suspicious activity reports.

Part of the problem is that conventional transaction monitoring systems (TMSs) often follow formulaic, action-based rules to detect anomalous behaviors. Sophisticated criminals know how to skirt them, so [over 95% of flagged activities are “false positives”](https://www.reuters.com/article/bc-finreg-laundering-detecting/anti-money-laundering-controls-failing-to-detect-terrorists-cartels-and-sanctioned-states-idUSKCN1GP2NV). These cost financial institutions billions of dollars per year in pointless investigations — and while their resources are tied up in chasing dead ends, real criminals can strike.

Rather than being static and predictable like a TMS, a solution like Cognito is dynamic, drawing data from multiple official sources and comparing it in real time to form a more complete view of the customer. In [its survey of the banking industry](https://www.mckinsey.com/business-functions/risk/our-insights/the-new-frontier-in-anti-money-laundering), McKinsey found that half the transactions that were flagged wouldn’t have needed to be investigated if data points could have been connected across the bank’s own divisions.

### 4\. Define identity across departments

“Customer identity” may mean different things to different departments. The “single customer view” that marketers utilize in their work isn’t necessarily the same as the one understood by IT admins — and neither will help you ensure AML compliance.

As your company implements systems for identity authentication and verification, have a conversation with IT leads to make sure your processes are also aligned with proper KYC and AML policies.

### 5\. Empower employees

Companies agree that [training is a central pillar of AML](https://www.mckinsey.com/industries/financial-services/our-insights/banking-matters/the-aml-industry-in-2019), but it poses distinct challenges. The material taught is often too abstract and inaccessible for new learners, and it's difficult to see how theory applies in practice. When it comes to raising team members’ awareness of AML policies, protocols, and procedures, real-life case studies and hands-on learning is every bit as essential as classroom-based training.

### 6\. Identify PEPs early

Some companies aren’t proactive in [flagging politically exposed persons (PEPs)](/blog/cognito-flags-politically-exposed-persons/), either as a result of perceived complexity or because they bring in lots of business. Do your due diligence, and implement systems that help you trace the source of your PEPs’ finances and raise a red flag when transactions don’t fit their profile.

[Cognito Watchlist](/products/watchlist/) is designed to identify PEPs, automatically re-scanning all customers on a regular basis to catch changes in their status. Even clients that have a longstanding relationship with you can raise their risk profile over time, which is why we’re adding a new feature to Watchlist — automated re-scans.

### 7\. Change with the times

Aggregating customer information can be difficult. McKinsey cites low-quality data, nonstandard data structures, and fragmented sources as common barriers, and many organizations still rely on manual AML activities, like making thousands of monthly calls to customers to keep KYC documents current.

All these manual processes and fragmented data points mean that compliance investigations depend too much on “stare and compare”, instead of taking action. In the U.S., companies spent [$25.3 billion](https://www.mckinsey.com/~/media/mckinsey/industries/financial%20services/banking%20blog/why%20aml%20should%20be%20a%20top%20priority%20for%20financial%20institutions/why-aml-should-be-a-top-priority-for-financial-institutions.ashx) managing money laundering risk in 2018, when unifying scattered customer identity information with a solution like Cognito could have saved time and resources.

AML will always involve a multi-stage, collaborative plan of attack, but the right software solution can advance your company’s compliance by leaps and bounds. [Cognito](https://cognitohq.com/) can keep you from making common security mistakes.

_Our_ [_watchlist product_](/products/watchlist/) _takes the stress out of AML compliance so you can focus on your business. Contact us to learn more._


Money launderers are hard to detect — and their methods evolve over time. It’s easy for companies to think they’ve done enough to squash criminal activity, when in reality there are cracks in their systems that can be exploited.

How to Avoid Common AML Missteps


For ecommerce companies that sell age-restricted goods, getting products and services into adult hands can be challenging. The internet has made online gambling, cannabis, tobacco, online dating, sports betting, weapons and more adult-oriented commerce accessible. However, these companies have a moral and legal responsibility to make sure products intended for adults are not accessible to minors.

Unfortunately, teens and kids typically aren’t deterred by pop-up messages requiring them to check a box to confirm that they’re over 18. On the contrary, this additional step often makes it more thrilling for rule-breaking teens and kids to seek out adult-only products and services online. That’s where [age verification software](/use-cases/age-verification) for your website comes into play.

## Why It’s Important

Basic age checks like the pop-up box mentioned above are not enough to protect minors from age-sensitive products. For this reason, age verification software can be advantageous for many companies that sell goods online.

Age verification software accurately confirms a user’s age to restrict access to products or services that are not suitable for them. This type of software works to quickly verify a user’s age by referencing reliable public sources of information.

Suppose you operate a company that sells age-restricted goods or services online. In that case, you’ll need age verification software to avoid hefty fines and legal issues that may result from underage customers accessing your goods. Implementing effective software on your website can also help you filter out users who aren’t real customers while offering a frictionless verification process.

## Types of Age Verification

Now that you know what age verification software is, how it works and its benefits, let’s take a look at the different ways to verify a website user’s age using this type of software.

Electronic (data source) identity verification: With electronic identity verification, ecommerce companies can verify a customer’s age by cross-referencing reliable public data sources to ensure legitimacy. These types of verification tools can also be paired with two-factor authentication using email or phone number verification.

Document verification: Document verification compares a customer’s picture with their photo ID. Ecommerce companies that sell age-restricted products can also require sellers to provide credit card information. However, a minor could easily bypass this by using a parent’s card.

Face-based biometric verification: Face-based biometric verification measures a customer’s face and head to verify a person’s identity based on the biometric patterns and data it collects.

While there are pros and cons to each of these types of verification tools, generally electronic identity verification works well for most industries and is less burdensome for the customer. However, you will need to decide for yourself what works best for your use case.

## What to Look for in Age Verification Software

Shopping for age verification software is not as easy as it sounds, because not all verification software is created equally.

If you’re searching for an age verification solution for your website, you should consider the following factors when selecting one:

Age verification software should be effective. Perhaps most importantly, whatever software you choose should be good at what it claims to do, which is verifying the actual age of an online customer. If it does not provide accurate and precise results each time, it’s not worth the time and money required to invest in it.

It should be user friendly. If age verification software is slow, clunky or hard to use, it will kill your conversion rate. The best options are easy for customers to navigate and provide a quick and accurate verification process. An age verification tool should not hurt the user experience in any way.

It should adhere to federal and state regulations. Any verification software you use should adhere to the most up-to-date legislation to protect your business from legal trouble or fines.

It should be easy to integrate into your website. The best age verification software will also be easy to incorporate into your website and tailor to fit your brand and style. Additionally, integration should only take a few minutes, not weeks.

While many verification software programs claim to provide these factors listed above, that’s not always true. You will need to do your own independent research to ensure that you’re using high-quality software that meets all legal requirements. You can also reference customer reviews to discover potential downfalls or benefits associated with specific verification software.

If you’re unsure of what your company needs, feel free to contact a Cognito expert. We can help guide you through the process of choosing your verification software, show you the benefits of using ours and provide a free demo of our product so you can make sure you’re happy with it before you commit.

## Try Cognito for Free Today

Online businesses should strongly consider adding accurate age verification software to their websites if they haven’t already. Reducing the risk of underage access to adult-oriented products and services will help companies avoid legal problems and large fines while protecting their reputation as responsible organizations.

With Cognito’s age verification software, you can quickly identify legitimate customers and calculate age by date of birth. Our software empowers you to limit access to adult-oriented products and services to protect your business from fraud. Most importantly, our reliable digital age verification tool won’t force you to compromise any user-friendly aspects of your website.

Age verification doesn’t have to be burdensome for the customer. With [Cognito Flow](/products/flow), you can add reliable international age verification to your website with just 20 lines of code. You customize the type of information you'd like to collect -- just a picture of their government ID, for example, or just verification with a government ID number. So you can stay compliant without introducing additional friction in your buying experience.

Contact our sales team to get a demo and see how Cognito's age verification solution can help your business.


For ecommerce companies that sell age-restricted goods, getting products and services into adult hands can be challenging. The internet has made online gambling, cannabis, tobacco, online dating, sports betting, weapons and more adult-oriented commerce accessible.

How to Choose Age Verification Software for Your Website


When you go to signup for an account, do you get excited to enter your personal information into the looming wall of blank white boxes? No, and neither do you customers. You need to start thinking about the onboarding process from the customer’s perspective.

Businesses are finally realizing that a lengthy signup process results in abandonment and dissatisfaction for the customers who do get through it. This experience is not the first impression your customers deserve. [Studies show](http://unbounce.com/conversion-rate-optimization/how-to-optimize-contact-forms/) that conversions increase 120% by reducing the number of form fields from eleven to four.

## So what can you do?

Stop collecting unnecessary data! Accelerate your signup flow and reduce the required keystrokes as much as possible. Balancing data collection with a low friction signup flow can be a challenge, but it is one that will have a direct impact on your bottom line. In industries such as banking, lending, gaming, and P2P where a signup requires verifying the identity for KYC compliance reasons, it is crucial to make the first stage of the customer journey as seamless as possible.

Groundbreaking technologies, such as BlockScore’s Cognito verification, easily balance identity verification requirements with a true user-centric signup. To optimize for mobile and online signups, Cognito requires only a phone number and name. With those inputs, the API returns your customer’s full name, address, past addresses, date of birth, and full SSN from regulated sources such as credit bureaus and government records. This significantly reduces the amount of information your customer needs to provide while still satisfying business needs for complete information.

In addition to reducing abandonment, Cognito also does more to mitigate fraud as seen in our [comparison blog post](/blog/cognito-compared-to-traditional-idv/). This all translates to the most streamlined customer experience, happier customers, and more revenue to your bottom line.


When you go to signup for an account, do you get excited to enter your personal information into the looming wall of blank white boxes? No, and neither do you customers.

How to Fix Your Verification Conversion Rate


When developers talk about “test coverage” they are typically talking about how many lines of code are executed by their test suite. This is a simple calculation: what percentage of our code was run by our tests? We don’t want to accidentally break our code later so having strong test coverage is important.

Mutation testing is not an alternative to line coverage. While line coverage asks “what percentage of our code is run by our tests,” mutation testing asks “what code can I change without breaking your tests?” Mutation testing tools answer this question by applying and testing small modifications to your application.

This post explores how asking “what changes don’t break my tests?” can benefit more than just test coverage. Using a ruby mutation testing tool called [mutant](https://github.com/mbj/mutant), I’ll introduce and reflect on two separate code examples to demonstrate how mutation testing helps you improve both your tests and your code itself.

## Mutant keeps your tests honest

Consider this script for looking up users who tweeted ‘“I really enjoy #pizza”’:

```ruby
require 'twitter'

class Tweeters
  def recent
    query.first(3).map do |tweet|
      "@#{tweet.user.screen_name}"
    end
  end

  private

  def query
    api_client.search('"I really enjoy #pizza"')
  end

  def api_client
    Twitter::REST::Client.new do |config|
      config.consumer_key        = ENV['TWITTER_CONSUMER_KEY']
      config.consumer_secret     = ENV['TWITTER_CONSUMER_SECRET']
      config.access_token        = ENV['TWITTER_ACCESS_TOKEN']
      config.access_token_secret = ENV['TWITTER_ACCESS_TOKEN_SECRET']
    end
  end
end

puts Tweeters.new.recent if __FILE__ == $0
```

To illustrate the difference between “line coverage” and “mutation coverage” consider this intentionally bad test:

```ruby
require 'simplecov'
SimpleCov.start

require 'tweeters'
require 'rspec'

RSpec.describe Tweeters do
  it 'returns results' do
    expect(Tweeters.new.recent).to_not be(nil)
  end
end
```

Now if I run this test:

```plaintext
$ rspec -I. -rpizza_spec.rb
.

Finished in 0.94429 seconds (files took 1.38 seconds to load)
1 example, 0 failures

Coverage report generated for RSpec to /dev/coverage. 15 / 15 LOC (100.0%) covered.
```

My test passed with 100% coverage.

If I run this test again with mutant and instruct it to only mutate the `recent` instance method then I see the following summary:

```plaintext
Mutations:       36
Kills:           19
Coverage:        52.78%
```

See full output

This tells me that my `recent` method actually has 52.78% mutation coverage! This means that mutant found 36 ways it could _change_ my method and only 19 of those changes resulted in my test failing.

Mutant shows me what my tests missed. For example, here are three of the nineteen mutations my tests did not catch:

```diff
 def recent
- query.first(3).map do |tweet|
- "@#{tweet.user.screen_name}"
- end
+  self
 end

 def recent
   query.first(3).map do |tweet|
- "@#{tweet.user.screen_name}"
+    nil
   end
 end

 def recent
   query.first(3).map do |tweet|
- "@#{tweet.user.screen_name}"
+    "@#{tweet.user}"
   end
 end
```

Again, the test for this script was intentionally bad, but the difference in results is important. All my test did was assert that my `recent` method did not return null. This assertion did technically exercise 100% of the code though so the line coverage tool is reporting 100% coverage. Mutant quickly showed me that it could make my method return `self`, `[nil, nil, nil]`, and `['@#<Twitter::User:0x1>', '@#<Twitter::User:0x2>', '@#<Twitter::User:0x3>']`without breaking my tests.

The takeaway here is not that line coverage is bad. You can write good tests without mutant. Instead, think of mutation testing as an x-ray for your tests. Running mutant on new code can help you double check that your tests are covering everything you care about. Mutant can also be a powerful tool when conducting a code review. It is easy to see roughly which methods are tested, but it can be hard to spot what that original author might have overlooked.

## Mutant helps you write more robust code

Imagine you are tasked with creating an endpoint in your company’s internal API which does two tasks:

- Looking up users by their unique id
- Returning a list of users which signed up after a certain date

A few hours later you write the following code

```ruby
class UsersController < ApplicationController>
  # Looks up GET param `user_id` and returns user
  #
  # @return [User]
  #
  # @api public
  def show
    render json: UserFinder.call(params[:user_id].to_i)
  rescue UserFinder::RecordNotFound => error
    render json: { error: error.to_s }
  end

  # Finds users created after date specified in GET param `after`
  #
  # @return [Array<User>] list of users
  #
  # @api public
  def created_after
    after = Date.parse(params[:after])
    render json: UserFinder::Recent.call(after)
  end
end
```

Along with this code you write some unit tests for the different edge cases you expect your controller to handle:

```shell
$ rspec --format documentation users_controller_spec.rb

UsersController#show
  returns a user when given a valid id
  renders JSON error when given an invalid id

UsersController#created_after
  returns multiple users given an early date
  excludes users created before date and includes users after
  renders empty array when date is in the future

Finished in 0.00433 seconds (files took 0.23881 seconds to load)
5 examples, 0 failures
```

You deploy your new features and move on to your next task. Later, you find out that the front end team reported a bug in your API. Apparently every request they make returns

```json
{
  "error": "Could not find User with 'id'=0"
}
```

That same day you find out that the marketing team thinks your “new users” endpoint doesn’t work either. Apparently they sometimes get empty results when they shouldn’t. You end up spending the day debugging for your co-workers and eventually figure out what they were doing wrong.

To the front end developer you explain

> The API expects the parameter `user_id` but you specified `id`. My code ends up getting `nil` when it tries to get the `user_id` parameter which is coerced `0` which explains why you always got that error.

moving on to the marketing team you explain

> You need to write your dates in the format `"YYYY-MM-DD"`. The problem was when you were searching things like “last December” which ruby parses as December of _this_ year.

---

What if we ran mutant on this code before shipping it? Running mutant on `UsersController` we see the following alive mutations:

```diff
 def created_after
- after = Date.parse(params[:after])
+  after = Date.iso8601(params[:after])
   render(json: UserFinder::Recent.call(after))
 end

 def created_after
- after = Date.parse(params[:after])
+  after = Date.parse(params.fetch(:after))
   render(json: UserFinder::Recent.call(after))
 end

 def show
- render(json: UserFinder.call(params[:user_id].to_i))
+  render(json: UserFinder.call(Integer(params[:user_id])))
 rescue UserFinder::RecordNotFound => error
   render(json: { error: error.to_s })
 end

 def show
- render(json: UserFinder.call(params[:user_id].to_i))
+  render(json: UserFinder.call(params.fetch(:user_id).to_i))
 rescue UserFinder::RecordNotFound => error
   render(json: { error: error.to_s })
 end
```

Mutant is helping me reduce the side effects that my application will permit. These four mutations eliminate subtle bugs which produce misleading errors and incorrect output.

### 1\. Requiring parameters with [`Hash#fetch`](http://ruby-doc.org/core-2.2.3/Hash.html#method-i-fetch)

```
Date.parse(params[:after]) → Date.parse(params.fetch(:after))
```

In both actions before we used [`Hash#[]`](http://ruby-doc.org/core-2.2.3/Hash.html#method-i-5B-5D) which implicitly returns nil if the specified key is not present. `Hash#fetch` on the other hand will raise an error if the specified key is not present. As a result, mutant makes me think about the use case where an implementer of the API does not provide an expected parameter.

### 2\. Better type coercion with [`Kernel#Integer`](http://ruby-doc.org/core-2.2.3/Kernel.html#method-i-Integer)

```
params[:user_id].to_i → Integer(params[:user_id])
```

In `UsersController#show` we called `#to_i` on our `user_id` parameter. This ended up coercing `nil` into `0` which made our final error message more confusing. `#to_i` will do its best to coerce _any_ input, but this is often not what we want:

```ruby
nil.to_i     # => 0
'hello'.to_i # => 0
```

Mutant replaces this with `Kernel#Integer` which is more strict:

```ruby
Integer(nil)     # => TypeError: can't convert nil into Integer
Integer('hello') # => ArgumentError: invalid value for Integer(): "hello"
```

### 3\. Rejecting invalid dates with [`Date.iso8601`](http://ruby-doc.org/stdlib-2.2.3/libdoc/date/rdoc/Date.html#method-c-iso8601)

```
Date.parse(params[:after]) → Date.iso8601(params[:after])
```

In `UsersController#created_after` we called `Date#parse` which tries to parse any string it thinks could be a date. This sounds handy, but in practice it often can be a subtle source of bugs since all it really needs to see are two adjacent numbers or three letters which could be a month abbreviation:

```ruby
# Seems useful!
Date.parse('May 1st 2015')      # => #<Date: 2015-05-01>
Date.parse('2015-05-01')        # => #<Date: 2015-05-01>

# Never mind
Date.parse('Maybe not a date')  # => #<Date: 2015-05-01>
Date.parse('I am 10 years old') # => #<Date: 2015-10-10>
```

Ruby has many more specific date parsing methods. In this case mutant found that `iso8601` still works with the tests cases we specified:

```ruby
# Actually useful!
Date.iso8601('2015-05-01')        # => #<Date: 2015-05-01>
Date.iso8601('May 1st 2015')      # => invalid date (ArgumentError)
Date.iso8601('Maybe not a date')  # => invalid date (ArgumentError)
Date.iso8601('I am 10 years old') # => invalid date (ArgumentError)
```

Each mutation was better fit for the use case in question. The replacement methods were more likely to throw errors when given unexpected input. Knowing this during the development cycle causes me to handle these edge cases since I don’t want an exception to go uncaught and produce an application error. Even if I do forget to cover one of these use cases though the alternative is still preferable: an exception is thrown in production instead of weird behavior silently degrading my app’s quality for months. I know about the error the first time a user triggers it instead of the first time a user complains.

## Add mutant to your workflow

Mutant is a powerful tool for improving your code. At Cognito we try to always check the mutation coverage before shipping code to production. You don’t have to aim for 100% coverage to benefit from tools like mutant. Simply running mutant against your codebase and seeing what it can change should help you better understand what tests you are missing and what code could be improved.


When developers talk about “test coverage” they are typically talking about how many lines of code are executed by their test suite.

How to Write Better Code Using Mutation Testing


Today we're releasing our brand new website, and along with it an announcement that we're merging our previously separate brands, Cognito and BlockScore. BlockScore was our original product that aimed to make ID verification easier by making API integration as easy as [Stripe](https://stripe.com) made integrating payments.

Three years ago we took a major risk when [we decided to rewrite our entire product and codebase to support a new vision](/say-hello-to-cognito/) that we called Cognito, a more secure and effective ID verification service. [Rewrites notoriously spell the death of a project](https://www.joelonsoftware.com/2000/04/06/things-you-should-never-do-part-i/) due to the amount of dead time spent not shipping features, but we coupled the change with an entirely new set of features that were impossible under our old infrastructure, and the results speak for themselves:

![](/images/blog/post_images/Cognito-graph-1.jpg)

Along the way, we've learned the symptoms of having product-market-fit, and we wanted to document a few of them to help other companies who are considering a major change in their product lineup.

## Lessons we learned

- **Re-writes don't always spell the end of your company.** They just need to be coupled with a major evolution in your core product offering rather than a re-write for the sake of code clarity.
- **Simplicity isn't compelling enough.** A product that offers simplicity in a complex environment isn't always enough, and you shouldn't be surprised if it provides middling growth results. Simplicity is not enough of a barrier to entry, though it can help you get a foothold in a market.
- **Aligning incentives with your customers makes selling easier.** Instead of just verifying users more effectively, we built a product that could actually _increase conversion rates while simultaneously decreasing fraud_. This made our product more compelling to not just compliance teams, but also on-boarding optimization teams, who typically have more resources to integrate new solutions.
- **A great product will feel completely different to your sales team.** Cognito exceeded the number of API transactions of our old product on the month that we publicly launched it. Selling and growing stopped feeling like running uphill within months of release and the product went from feeling "nice to have" to "must have".
- **Having a small team makes major company changes an order of magnitude easier.** We've always been very conservative with hiring and typically optimize for output per person rather than just raw output. This allowed the whole company to mobilize behind a new vision and efficiently work together to build, market, and sell a new product cohesively.
- **Pit your new product against your old product to learn about shortcomings and strengths.** We have been careful to support customers on our old product to the same level as our new product, but provided them with an option to upgrade to our new systems. Customers who are willing to transition to a new product speak volumes about the quality of the new solution, and conversely, customers who are unwilling to upgrade present a learning opportunity.
- **Re-writing your messaging is equally as important as re-writing your product.** The optimal messaging for a complex product widens the top of your funnel, which trickles down to more customers trying your fancy new product. Marketing and sales should be involved in new product launches as early as the development team is.
- **Treat your early testers well.** Companies and individuals who are willing to help a nascent product should be rewarded with price breaks and perks, and in turn they will reward you with word-of-mouth referrals.

> Cognito exceeded the number of API transactions of our old product on the month we publicly launched it

This is undoubtedly an exciting time for our company. We have always tried to operate with a certain level of modesty, but we are so excited about the future that we felt the need to share a little bit about what's going on behind the scenes. Make sure to also check out our two new upcoming products: a new version of our [watchlist screening service](/products/watchlist), and [business verification system](/products/business-verification).

**If you’re interested in joining us, we would love to hear from you. While we will continue to maintain a lean team, we are currently hiring!**


Today we're releasing our brand new website, and along with it an announcement that we're merging our previously separate brands, Cognito and BlockScore.

How We Re-Built Our Product to Have 2,000% More Traction


Gig workers are expected to comprise the majority of the American workforce by [2027](https://www.statista.com/topics/4891/gig-economy-in-the-us/). However, many gig marketplace sites use lenient identity verification procedures that make them an easy target for account fraud. Let’s examine common fraud issues affecting the gig economy and how identity verification strategies can help enhance defenses.

### Gig Marketplace Fraud

Many freelancers and clients report being defrauded by fake gig marketplace accounts. Here are some of the ways that bad actors trick gig economy platforms and users into facilitating their criminal activity.

#### Impersonating a Gig Worker

Reportedly, [48%](https://www.sterlingcheck.com/about/news-article/study-gig-economy-is-impacting-hiring-and-staffing-practices-says-majority-of-hr-professionals/) of employers in the gig industry have dealt with identity fraud amongst freelancers. The issue is that _anyone_ can make a fake account if there are not sufficient security measures in place. A bad actor can pose as a gig worker and wreak all kinds of havoc with no real-life repercussions because they are under the cover of a false identity. They can claim to have any number of desirable skills and be selected for a project that is well outside their abilities. With a stolen credit card, they can rent a car from a carshare site and never return it. The possibilities for cons and scams are endless.

#### **Fraudulent Offers**

Another way that bad actors exploit the gig economy is by posting fraudulent offers. The typical story goes: the scammer posts a job offer, but, upon receiving the completed project, they refuse to pay the freelancer. The scammer gets away with a completed project without having to pay a penny. Between fraudulent gig offers and other issues, [51%](https://www.statista.com/topics/4891/gig-economy-in-the-us/) of freelancers report that they have not been paid for completed work at least once in their career.

#### **Money Laundering Loop**

Another way that bad actors abuse gig platforms is by using them for money laundering. They set up a fake account as an employer _and_ employee and funnel illegally-obtained money between the accounts under the guise of a legitimate partnership. Depending on what jurisdiction the gig platform operates under, the business may end up facing legal action for unwittingly facilitating this criminal activity.

### **Why Cognito Identity Verification to Fight Fraud?**

Some sites take a relaxed approach to identity verification and allow users to confirm their identity via linking their account to their social media profile. This tends to be a user-friendly approach, but it is not optimal considering social media accounts can be easily fabricated. Another common method of identity verification is to submit proof of a government-issued ID. Though this method of identity verification is more robust than the former, it only provides a one-dimensional view of the customer’s identity. Cognito’s identity verification is uniquely tailored to the needs of the gig economy by being both secure and low friction. With as little as a name and phone number, we take a multidimensional approach to verification. By confirming a user is in possession of their phone, we can then determine whether a number is tied to their identity.Leveraging highly regulated data, Cognito has increased the barrier to fraud exponentially while keeping the process simple for users.

Cognito’s frictionless [identity verification](https://plaid.com/products/identity-verification/) service is designed to help your company meet the demands of the growing gig workforce. [Reach out](/contact/) today to learn more!


Gig workers are expected to comprise the majority of the American workforce by 2027. However, many gig marketplace sites use lenient identity verification procedures that make them an easy target for account fraud.

Identity Verification for the Gig Economy


The identity verification market is heavily fragmented, which makes picking a solution for your business an increasingly difficult task. To help you find the right product, we've compiled a comprehensive guide to the ID verification market to help you get a quick grasp of the landscape so you can make an informed decision.

We provide our own [ID verification service](https://plaid.com/products/identity-verification/), but have done our best to remain as honest, transparent, and impartial as possible when writing this guide. Our solution is perfect for many businesses, but that doesn't mean that it's right for every business. Our hope is that this guide will help make you an expert to enable you to build a world-class on-boarding flow.

## Types of ID verification

When people talk about "identity verification", they're typically referring to one of two means of verifying identity: electronic ID verification, or documentary ID verification.

**Electronic ID verification** usually involves a user typing their data into a form, typically information like a name, date of birth, address, and some form of identifier like a Social Security Number, passport number and then that information is compared against a centralized database of information to verify authenticity.

**Documentary ID verification** typically involves taking a photo of a government-issued document such as a passport or driver’s license, and sometimes a selfie of your customer holding the aforementioned document and verifying that the document appears to be authentic and not a forgery.

Variations of both of these types of IDV exist, which we will go into later in this guide, but that is broadly what those terms refer to.

## The difference between verification and authentication

A major point of confusion that we have seen among buyers is a misunderstanding of the difference between verification and authentication, and the role that each play in picking a solution.

**Verification** is the act of ensuring that information provided is factually correct. For example, to make sure that the name John Doe is real and associated with the SSN 555-55-5555 and address 123 Main St.

**Authentication** is the act of ensuring that the supplier of the verified information is actually the person referenced in the data. Did John Doe just submit that data, or was it really Peggy Sue who submitted it?

Though not every company needs both verification and authentication, the majority of use cases will mandate both.

---

## Electronic ID verification considerations

**Determining Match Rate**

A "match rate" means "given a set of my customer data, what percentage of this data would be able to be verified by this solution?" Navigating match rates between vendors can be very difficult as every business measures them in a slightly different way, and some vendors use deceptive models in order to maximize the perceived match rate. In the real world, data is imperfect; people typo their name, they leave out apartment numbers for their address, offset a number in their Social Security Number, the list goes on. The important first step to comparing match rates is to thoroughly understand a vendor's methodology and what they do to handle for edge cases. Ask what it means to be a match and what those similarity thresholds are.

Electronic ID verification solutions are typically based on some derivative of past credit history as one of the primary data sources, which means that they can struggle for specific demographics. That is not to say that no solutions can cover these demographics, but it means that the solution needs to be supplementing their information with more than typical credit bureau data in order to achieve the best results. If the following demographics are particularly common in your business, they should be a key area to test and enquire about when scouting a solution:

- **Recently immigrated:** People who have recently immigrated to the country in which they currently live. They typically do not yet have an established credit profile.
- **Recently married:** When people get married, they frequently change their names, which can sometimes affect automated pass rates and require manual review.
- **Recently moved:** This category is similar to recent immigration. If a solution is not using smart ID lookup mechanisms, then changing addresses can sometimes mean that a user is unable to be verified automatically.
- **Younger age:** Younger generations can be harder to verify either because they're too young to have taken out a credit line, or they do not trust credit systems and so have actively avoided the system. (This is becoming increasingly common).
- **Victims of identity theft:** If someone has had their identity stolen, their associated info can sometimes be polluted with false information, compromising match rates. Business that attract consumers prone to identity theft such as seniors are particularly at risk.

**Understand Uptime and Outages**

It is crucial for your identity verification solution to have a strong uptime, as that will directly affect your ability to onboard new users in real time. Ensure that a solution has an uptime of at least 99%, and that there is a clear and defined notification process in the event of an outage. Who will be notified, and how?

**Support and SLAs**

A good support team can make or break the integration of an identity verification solution, and ensure your ongoing ability to verify users. Fast response times, easy to follow instructions, and helpful insight along the way, can be instrumental. It is generally a good idea to ask the providers you are considering, how they handle support. SLAs (Service Level Agreements) are also an important consideration. If there is an outage, most providers will provide a Service Credit.

**API and Documentation Availability**

Always review API documentation thoroughly when evaluating an IDV provider. Strong documentation gives your team a deeper understanding of the API, its flexibility and how it will fit into your flow best. It will also help you determine the resources that each solution would require for you to build out an integration. If it is not transparently available on the website, you should ask for a copy of it.

**User Conversion Rate**

When selecting a provider, more should be considered than just their ability to verify an identity. What is their approach to identity verification? What is the impact on user experience?

Documentary style verification introduces a high amount of friction in your funnel, because users are generally uncomfortable taking a picture of their driver’s license, or do not have immediate access to it. The same applies to facial recognition.

KBA (Knowledge-Based Authentication) style verification also introduces a high amount of friction as it has been found that recollection of information is actually a major pain point for legitimate users looking to verify themselves, and can often result in incorrect inputs.

Any amount of friction introduced during the sign-up journey, will have a negative impact on your conversion rates.

Your use case, and legal requirements should carefully be reviewed in order to make the right choice. Although documentary and KBA style verification makes little sense for a modern business that has a focus on both user experience and security, they can be the right choice in some situations. Remote notarization services are required by law to employ KBA style verification for example.

**Regulated vs Unregulated Data**

Identity verification solutions will typically rely on either regulated data(from trusted sources, and can not easily be modified by the end user) or unregulated data(from alternative sources like social media scraping, and can easily be tampered with by the end user). Unregulated data can be leveraged when there is a need to verify identities in countries with a less robust identification and data system, but makes less sense when looking to verify residents of a more developed country like the US, as it can lead to false identification. Using a solution that relies on regulated data, will help ensure the validity of your decision-making, and give you confidence when choosing to do business with someone.

**Country Coverage**

Electronic IDV solutions tend to have lower coverage outside of the United States than documentary solutions because they require access to country-specific information databases. Every country has its own set of data laws and information availability, which can make results highly variable. Not only is there variability in the depth of data, but there are also varying sets of information available. For instance, some countries will only be able to match against name and address, and not against date of birth or identifiers like passport or insurance number.

When trying to grasp what a vendor's country coverage looks like, here are some important questions to think about and ask:

- Which countries do you cover?
- Approximately what percentage of the population over 18 is covered?
- Which data points are available in each country?
- If you add additional countries, do I need to change my implementation?
- Are there any country-specific legal or consent requirements that I should be aware of?

---

## How to achieve the best results

We've helped countless clients tweak their on-boarding flow to reduce fraud, increase conversion rates, and decrease manual reviews, and there's one major lesson that we've learned that holds true regardless of which solution a customer lands on: stacking verification approaches will almost always yield the best results. Using one approach alone unfortunately requires compromising on one of 1) conversion rate / speed to verify, 2) pass rate, 3) cost, or 4) coverage.

Here are a few example scenarios and our suggested solutions in order to get the best results:

**Scenario 1: Need to verify US-only customer base.**Low friction electronic ID verification as the top of the funnel (like [Cognito](https://plaid.com/products/identity-verification/)), followed by documentary verification as a fallback.

**Scenario 2: Need to verify international customer base with US focus:**Low friction electronic ID verification for the US (like [Cognito](https://plaid.com/products/identity-verification/)), a standard international-focus electronic ID verification solution for non-US countries, and finally a documentary verification as a fallback for every country.

**Scenario 3: Need to verify international customer base with no specific country focus:** A standard international-focused electronic ID verification solution, followed by a documentary verification as a fallback.

---

## Still have questions?

If you enjoyed this guide but still have questions about the identity verification process, or want to learn more about our approach to ID verification, please [reach out](/contact/) to our team!


The identity verification market is heavily fragmented, which makes picking a solution for your business an increasingly difficult task.

Identity Verification: The Complete Guide to Choosing a Solution


For decades the SSN has been a standard component of identity verification. However, in today’s digital landscape, it is becoming more and more clear that an SSN alone is no longer a viable solution for businesses looking to increase safety and decrease fraud.

**Why using SSNs for identity verification is not for the 21st century**

1\. Asking for SSNs during onboarding causes unnecessary friction for your users. 2. Most users do not feel comfortable providing their SSN online. 3. Millions of SSNs are in the hands of fraudsters, decreasing the efficacy of IDV. 4. SSNs will never provide true authentication, proof that the person providing the data is actually the person being verified.

**A better solution for the 21st century**

Cognito has taken the power away from the 9-digit Social Security Number, a number that was never intended to be a secret passcode to your identity, and given that power to your phone number. By asking for as little as a name and phone number, Cognito can stitch together an identity record from powerful regulated data sources, instantaneously confirming if someone is who they say they are.

Additionally, by using the phone number, a number that 95% of Americans have and feel safe using, we are able to add in a layer of security that the SSN was never able to provide: authentication. We’ve raised the bar on fraud prevention and no longer can someone buy your identity and pretend to be you. This phone to identity link allows Cognito to authenticate exactly who is signing up for your service.

**A solution without sacrifice**

As a business you are constantly ensuring that your products and services stay ahead of the competition and changing trends. That same mindset is also true for you company’s security. Today, everything is about instant gratification, low friction experiences and simplicity, but historically when it came to onboarding and sign-up flows, simplicity meant choosing less security for less friction.

With Cognito Identity, we are providing you a better way to onboard your customers. An identity verification solution with increased security, reduced friction, reduced fraud, and lower sign up abandonment.

Want to learn more? Contact us [here](/contact/) and we’ll walk you through the details.


For decades the SSN has been a standard component of identity verification. However, in today’s digital landscape, it is becoming more and more clear that an SSN alone is no longer a viable solution for businesses looking to increase safety and decrease fraud.

Identity Verification Without SSN


Data is not bound by national borders, and neither are today's connected businesses, but rules and regulations around identity verification (IDV) are. This causes problems for organizations providing financial services and other offerings that require strong authentication and makes services that cover multiple countries nearly impossible.

"There is little uniformity of data, yet uniformity is critical for verification to succeed," says Chris Morton, President and COO at Cognito. "Even something that seems universal like an address is very different in each country."

Morton and his team have observed the unique challenges of international identity verification up close and personal and they have worked to solve them for nearly eight years. He shares his insights on why international IDV is such a stumbling block for many businesses and how Cognito is blazing a trail to making digital identity verification simple.

## Who depends on international identity verification?

In today's world, nearly all businesses need to verify people outside of the country in which they operate. While highly regulated businesses tend to focus on customers who are residents of their country of operation, there are exceptions and most of the time these need to be handled manually. A prime example is a foreign student needing a bank account when studying abroad.

Then there are financial institutions whose footprints are inherently global, a good example being those that handle [cryptocurrency](/blog/cognito-helps-crypto-companies-stay-compliant/). There has been an uptick in businesses with international services and manually managing multiple international accounts quickly becomes unwieldy.

## Why is international identity verification important?

There are several reasons why international IDV is fundamental. Some of the most commonly cited are regulatory compliance, consumer protection, and fighting financial crime and limiting fraud.

However, all businesses should place a high value on the sense of trust and safety that strong verification brings. "When people identify themselves, they tend to behave better, much like when people see each other face-to-face," explains Morton. "There is a level of accountability. just compare Twitter to your neighborhood email list. Identifying people keeps bad actors out."

## Two key challenges to global IDV

### 1\. Strengthening the security layer siphons developer time

Morton and his team support many organizations that, prior to Cognito, had implemented ID verification in stages. "One company we helped started off with no verification, then verification via postcard, then credit card, but ultimately adopted Cognito and used phone numbers," says Morton.

It is common for businesses to introduce hurdles that increase the burden on bad actors but any impact the verification process has on the sign-up funnel has implications for all users. And as Morton points out, "Each one of those iterations takes months, and always sacrifices user growth and development time."

### 2\. Different jurisdictions need different APIs and providers inhibiting scale

When it comes to identity verification, standard methods of authentication such as address vary in format from country to country. When using an API-based solution to perform global identity verification in another country, businesses need to make sure any information they input is formatted according to the specifications of both the API and the jurisdiction.

That usually means creating different user interfaces (UIs) per country. "We had been testing international data for a while," says Morton. "The thing that kept us from creating an international IDV service early on was the fact that just adding an API for each country didn't deliver enough value for us or our customers."

The team found that duplicating the work for every country was not effective in terms of time, cost, and payoff. "This was especially true when there is not much re-use of code between countries," notes Morton. "The API solution simply wasn't enough." As a result, a robust solution for international identity verification was left off the table until now.

## The fix? Simplify international IDV with a flexible platform

The Cognito team has developed a powerful platform solution, Flow, that simplifies the international IDV process. Flow allows organizations to implement new verification requirements quickly without technical intervention.

"If you want to add a country, you check a box and set up the rules visually in minutes," says Morton. "There is no code to update, no APIs to implement, and no SDK to push through App Store reviews. That would literally take months of work per country with a traditional solution."

With an API-based solution, the best way to make sure identity verification criteria are formatted correctly is to build complex programs to interact with users in real time as they type in their information, fact-checking it against reliable sources for instance, comparing addresses to Google Maps. That information would then be sent to the verification API. Now, Flow does all that for you.

"You add in a few lines of JavaScript code, and all the complexity of making the per-country UI is completed for you including address normalization, name normalization, character set enforcement, and any enhanced features like capturing a photo ID or other identity document. You add a new country by clicking on the dashboard."

The ability to add new countries to your service delivery is going to continue being essential in today's global marketplace, and the hassle of a traditional API-based solution or legacy identity verification process just won't cut it. Go beyond APIs to ensure your international identity verification is up to the task.

[_Contact Cognito_](/contact/) _to learn more about international identity verification solutions for your business._


Data is not bound by national borders, and neither are today's connected businesses, but rules and regulations around identity verification (IDV) are.

Solving the Puzzle of International Identity Verification


When Cognito first launched, we aimed to make ID verification online as simple as possible for businesses. In the years since, ID verification has become significantly more complex both due to increased regulatory scrutiny as well as the business need to provide both a low-friction and high-security onboarding flow for customers.

![](/images/blog/post_images/flow-pic-1.jpg)

Today we’re introducing our vision for the future of ID verification, Cognito Flow. Flow is a drop-in ID verification system that contains all of the necessary components for a complete and robust identity verification setup, from hundreds of data sources across the globe, to passport and driver’s license verifications, liveness checks, risk flags, and much more, all handled intelligently that evolves with the industry so you don’t have to.

![](/images/blog/post_images/flow-pic-2.jpg)

### **Offer the lowest friction ID verification experience for all customers, globally**

We have helped our customers verify and screen tens of millions of users. As part of this process, we’ve learned about the kinds of problems that can plague a verification user experience as well as the myriad issues that businesses encounter when trying to collect accurate data from their users. We have designed Flow with these data points in mind so that your verification experience converts users from around the world with the highest possible rates.

![](/images/blog/post_images/flow-pic-3.jpg)

### **Integrate in minutes**

Flow’s integration starts with just a snippet of Javascript that is optimized for mobile and web. We do everything we can to make sure that Flow loads lightning fast and feels great no matter what kind of device your user has. What would have taken weeks of development time and months of fine-tuning and trial and error has been reduced to minutes.

![](/images/blog/post_images/flow-pic-4-1.jpg)

### **Fully automated passport, ID card, drivers license, and selfie verification**

Flow’s documentary verification screens thousands of document types from 235 countries and territories around the world. Verification of the documents takes between 5 and 15 seconds and is fully automated. We support international character sets such as Hebrew, Cyrilic, Chinese, Arabic, and Japanese, which integrates hand in hand with our [global watchlist screening algorithms](/docs/watchlist-algorithms/).

Many solutions only read barcodes or use humans for manual document review. Flow has advanced OCR that accurately reads the fronts and backs of documents to allow more cross-comparisons and anti-fraud checks. Other anti-fraud checks include analyzing document integrity, formatting, whether it’s a picture of a screen or photocopy, has evidence of tampering or image manipulation software, and much more.

![](/images/blog/post_images/flow-pic-8.jpg)

### **Customize to match your brand**

Tailor the verification experience to match your company identity and feel like an extension of your platform by customizing brand colors and your logo.

![](/images/blog/post_images/flow-pic-5.jpg)

### **Manage workflows without code**

Remove the middlemen and let your compliance and fraud teams manage success criteria directly. No more cross-team miscommunication or badly documented behaviors. By increasing the speed of iteration and allowing decision makers to make changes themselves, Flow enables you to run experiments and optimize your verification process in real time.

![](/images/blog/post_images/flow-pic-6.jpg)

### **Our risk engine comes standard**

Harness the power of cutting edge anti-fraud without the information overload. Flow looks at hundreds of attributes for signs of fraud and reports them as straightforward explanations. The Flow risk engine checks for email, phone, IP address, and device ID risk factors. Our risk rules editor gives you the ability to customize your acceptable risk levels across all categories.

### **Automatically stays up-to-date so you don’t have to**

ID verification and its associated requirements and technologies are always changing. Because of this, it’s becoming increasingly infeasible for teams to maintain a high-quality verification experience in-house. One of Flow’s design goals was to be able to stay up-to-date without requiring our customers to re-integrate new APIs or systems. Since Flow is implemented with a Javascript snippet, Cognito can push out new upgrades to your Flow without your intervention. As we add new features, you can instantly benefit and roll out upgrades within minutes.

![](/images/blog/post_images/flow-pic-7.jpg)

### **Just the beginning**

Flow represents a completely new way of deploying and maintaining ID verification systems, and we’re extremely excited about its possibilities. What we are releasing today is just the very beginning of the features and enhancements that we are working hard on and we can’t wait to show you what else we have in store.

To get started with the Flow beta, [sign up for a sandbox account](http://playground.cognitohq.com/signup) today and reach out to [sales@cognitohq.com](mailto:sales@cognitohq.com) to be admitted into the beta.

[Contact Sales](/contact/)


Today we’re introducing our vision for the future of ID verification, Cognito Flow. Flow is a drop-in ID verification system that contains all of the necessary components for a complete and robust identity verification setup.

Introducing Cognito Flow, the all-in-one ID verification platform


Last year, many companies had to quickly adjust their customer authentication strategies to digital. Those with a system already in place were in a good spot. Those who didn’t had to catch up quickly — or fail. Manual authentication review is now outdated.

Although manual verification was once completely necessary, we now have the tools and customer verification solutions to do it remotely and automatically. But what’s pushing businesses to throw manual review out the window so fast? What makes it obsolete when compared to better alternatives?

In this blog we’ll answer these questions and more. We’ll also show you why you should be using a more effective, efficient alternative.

[Get Started with Cognito](https://playground.cognitohq.com/signup)

## Human Resources Are Expensive

Cost is always one of the primary reasons that businesses implement a new process. Getting rid of manual verification is no different. The problem with manual verification is that in order to process everything in an efficient manner, you need a fairly large workforce. Running a human resources department this big can get exceedingly expensive.

When you remove the need for manual verification, your HR department can be much smaller and more efficient. Automating this process means that your HR department has room to breathe and actually focus on strategic work rather than spending their time doing arduous, tedious verification work.

Your human resources department will also spend much less time dealing with customer account access attempts and confusion with the onboarding process. Reducing costs in the HR department is just the beginning of the benefits you’ll see when you use an authentication solution instead of manual verification.

## The Risk of Human Error Is Problematic

Compliance errors can be costly and difficult to resolve. When your verification process is manual, the chance of human error is greatly increased. When these tasks are automated, you reduce risk and save on unneeded compliance expenses.

With manual input, the question isn’t if an error will happen, the question is when. Eventually human errors will occur, and you’ll have to pay the price. When you automate these processes, you can virtually eliminate the human error factor.

Human error is a variable that can’t be controlled. The only certainty is that it will happen and then you’ll need to deal with it. When you remove this variable, you’ll save time, money and frustration for everyone.

## The Time Required for Businesses Is Exorbitant

Remember how we said that you need a large workforce to stay efficient with manual verification? Well, what if you can’t afford a workforce of that size? If this is the case, your business will be pouring hours upon hours of time into the manual verification process.

Consider all of the factors that go into manual verification and how much time that takes away at every stage of the customer onboarding process.

When a customer needs to be verified:

- First they have to go through the process of providing the necessary verification resources.
- Next, they have to wait for your team to receive it. Your team likely already has a backlog of verifications to get through, which means that the customer will be waiting even longer than usual to get their verification to go through.
- When your team has the time, they have to go through the tedious process of making sure everything is in order. If anything is wrong, they have to notify the customer and the process starts all over again.
- Once all of the information is verified and correct, the customer can finally access their account and start using your product or service.
- This isn’t even considering re-screening and continuous monitoring for high-risk customers. In order to comply with KYC, your high-risk customers need to be monitored, and all of your customers should be regularly re-screened to assess any possible new risk factors. Add in the time required to do this manually, and the amount of time spent on KYC can be mind boggling.

In short, time is wasted and nobody is happy.

Your employees who are spending large chunks of their week on manual verification could be doing much better work. With verification automated, they’re able to spend time on billable and strategic work. Not only does this lead to a more efficient workforce, it leads to a happier one too.

## The Time Required for Customers Is an Obstacle

When customers sign up for a product or service, they expect to be able to use it right away. With manual verification, this is impossible. Even if you are able to hone your manual verification process as much as possible, your customers will still be waiting.

With automatic verification, your customers don’t have to wait. They’ll be able to start using your services almost immediately. This alleviates a lot of the frustrations that customers may have during the sign-up process. And any time you can speed up the sign-up process, you also reduce churn. Losing customers during the sign-up process is the last thing you want to happen, so make sure you’re using a solution that can seamlessly get them through KYC while still being extremely secure.

## There Are Better User Verification Solutions

There are much better verification solutions out there for your users. When you use Cognito, all of the pains of manual verification will be a thing of the past. Cognito is built to seamlessly integrate with your sign-up process while easily and quickly authenticating your new customers.

[Cognito Flow](/products/flow) will save you time, money and the frustrations that come with manual verification. Manual verification is no longer good enough for the modern business or the modern customer. Cognito is the solution to that.

With Cognito’s user verification solution, you can improve the customer experience, save time and money and have a happier workforce. If you want to see your business improve and make your customers happy, then give Cognito a try as your authentication solution. Give our team a call to learn more about Cognito and why it’s the best, most comprehensive authentication solution on the market.

[Get Started with Cognito](https://playground.cognitohq.com/signup)


Last year, many companies had to quickly adjust their customer authentication strategies to digital. Those with a system already in place were in a good spot. Those who didn’t had to catch up quickly — or fail. Manual authentication review is now outdated. 

Why Manual Review for Authentication Is Outdated


For anti-money laundering (AML) authorities, the decade finished with a bang: more than $8 billion in AML fines were served in 2019, [doubling the number](https://www.finextra.com/newsarticle/35105/aml-penalties-skyrocket-during-2019-doubling-2018-figures) handed out the year before.

You could see this jump as being both very good and very bad. Good, because it shows that regulators across the globe are on high alert when it comes to financial crime. Bad, because it proves that criminal enterprise is still widespread and going strong. In the U.K., which had the second-highest number of penalties in 2019, the amount of money laundered each year is equivalent to [4% of the country’s GDP](https://www.theguardian.com/world/2019/jul/04/inside-the-21st-century-british-criminal-underworld).

Whether regulators are pushing you to or not, your company needs to establish clear anti-money laundering protocols. When you don’t, you put yourself and your customers at risk.

As we look ahead to the 2020s and beyond, you can bet that the businesses that will survive are the ones that prioritize compliance on an ongoing basis. But the good news is, implementing new processes and ensuring frictionless screening for your customers doesn’t need to be onerous. Here’s what you need to know in order to minimize risk and maximize reward.

## 1\. Review your regulations

AML regulations have evolved with the times, and for compliance officers looking to stay aligned, an understanding of the major milestones can be a smart place to start. And while it can feel like there’s a lot to absorb, a solution like [Cognito Watchlist](/products/watchlist/) covers all the screening bases for you.

Here are just some of the regulations we comply with.

- The U.S.’s Bank Secrecy Act (BSA). The starting point for many companies? Ensuring that cash transactions over $10,000 are actively reported and paper trails are maintained.

- The U.S.’s Patriot Act. Section 352 mandates that all financial institutions have robust compliance programs, including internal controls, AML compliance officers, independent audits, and ongoing training.
- The recommendations laid out by the international [Financial Action Task Force](http://www.fatf-gafi.org/media/fatf/documents/recommendations/pdfs/FATF%20Recommendations%202012.pdf) (FATF).
- The requirements of the Office of Foreign Assets Control (OFAC). In the U.S., continuous monitoring of customers is now mandatory regardless of risk profile.

The changing regulatory landscape in the U.S. is mirrored in countries around the world. Many have their own independent AML systems, some of which go beyond the global standards outlined by the FATF. Companies conducting international business need to comply with regulations not only in their own jurisdiction, but anywhere they operate.

Ensuring you have [systems in place](https://www.finra.org/rules-guidance/key-topics/aml) to detect suspicious activity is essential, including customer identification capabilities that have been externally tested.

## 2\. Determine your risk appetite

In spite of high regulatory standards worldwide, AML compliance is not one-size-fits-all. Different companies have different tolerances for risk, depending on how they operate, where they operate, and what they offer. Compliance officers should focus on identifying the levels of exposure a company is comfortable accepting when it comes to compliance. You can start by considering specific factors as they relate to your organization:

- The types of products and services your company provides
- The kinds of customers you serve
- The geographic location of your organization, as well as the locations in which it conducts business globally

All of these factors inform your company’s risk appetite. This measurement is often more difficult to quantify than other aspects of your overall risk tolerance, due to the need to balance customer privacy and fair treatment with strict regulatory compliance.

But remember: it’s never a good idea to skimp on compliance. As a general rule, your risk appetite should be sufficiently stricter than your country’s legal obligations; only then can you be confident that the rules you’ve set are acceptable in all jurisdictions.

## 3\. Optimize the customer onboarding lifecycle

If you want to embed a higher degree of certainty and security into your compliance strategy, start with customer onboarding. This is one of the simplest stages to find any red flags, since you’re [screening customers for the first time](/blog/identity-verification-services-the-complete-guide/). Ineffective onboarding opens your company up to unacceptable risks — and spotting potential bad actors is far easier in the early stages, before they’re exploring and exploiting your systems from the inside.

Protect your business with Know Your Customer (KYC) processes by having the following systems in place:

- **A Customer Identification Program (CIP)** so you can correctly identify the customer.
- **Customer Due Diligence (CDD)** to [verify the customer’s identity](https://plaid.com/products/identity-verification/) with valid information and documentation, and gauge the purpose of their transaction or request.
- **Enhanced Due Diligence (EDD)**, which is key in suspicious or higher-risk situations where you need to [obtain more information](/products/watchlist/), especially if your customer has surfaced as a [politically exposed person](/use-cases/pep-screening/).
- **Account opening** procedures in which it’s standard to onboard high-profile clients in person.
- **Regular review of account and transactions**, with recurring [checks](/products/watchlist/).

## 4\. Implement an AML compliance program

Thanks to digital technology, companies have all the data and documentation they need in order to properly identify and verify customers. The only problem is information overload: [how do you ensure comprehensive reporting](https://www.finra.org/rules-guidance/key-topics/aml/faq), record-keeping, and training when you’re managing thousands — or even millions — of customer accounts?

If you’re going to implement risk-based, global AML compliance programs that are effective, versatile, and cost-efficient, you’ll require automation. The good news is that solutions like [Cognito Watchlist](/products/watchlist/) streamline and simplify the complexity of AML, making the manual aspects of assessment and reporting effortless.

- Watchlist compares the customers you’re onboarding against extensive, regulated databases from around the world, making it far more likely that any AML-related conflicts or issues will be surfaced early on in the process.
- By leveraging data normalization technology and powerful search algorithms, Watchlist also uncovers more potential matches for your customers and helps you understand the quality and likelihood of each one, while also taking day-to-day edge cases into account.
- Watchlist re-scans your users on a regular basis to automatically uncover any changes in their status, and non-intrusively screens hundreds of millions of accounts each month.

## Streamline your AML processes with the right partner

While AML policies are necessary and mandatory, they can be expensive, with some of the major banks paying hundreds of millions — or even billions — of dollars to enforce them every year. And the nebulous nature of criminal enterprise makes it difficult to prove that these huge expenditures are actually helping to fight and prevent money laundering.

That’s why finding a technology partner that knows the AML space is critical: automation allows you to cut the costs of compliance so you can reinvest those funds in your people, products, and services. Even better, it improves the accuracy of your onboarding and re-screening processes so you can have more confidence in your risk-management efforts — and your customers can have a more seamless experience.

_Cognito’s_ [_watchlist product_](/products/watchlist/) _is designed to keep your company AML compliant. Contact us to learn more._


For anti-money laundering (AML) authorities, the decade finished with a bang: more than $8 billion in AML fines were served in 2019, doubling the number handed out the year before.

Know Your Strategy: Assessing AML Compliance, Risk Appetite, and the Onboarding Lifecycle


_Note: This is the first part of a new series highlighting the team building the future of identity here at Cognito._

### What’s your role at Cognito?

I’m a Senior Software Engineer. I started about seven months ago, and I’ve been focused
on both the frontend and backend of our [Flow](/products/flow) product. Flow launched
in July, a few months after I started. Since then, we’ve been busy with [weekly updates](/changelog).

Right now, I’m working on behind-the-scenes improvements to make documentary verification and selfie verification even more robust. I’m also working on some UX changes that will make common tasks a little bit easier and more intuitive.

<div
  style={{
    marginTop: "40px",
    height: "400px",
    overflow: "hidden",
    borderRadius: "20px",
    position: "relative",
    backgroundImage: "url('/images/blog/post_images/dallin.jpg')",
    backgroundSize: "100%"
  }}
/>

I enjoy solving challenging problems and have a strong sense of personal ownership over many aspects of our product. At Cognito I enjoy the freedom to pursue solutions that I come up with, but also the support of my teammates to collaboratively solve complex problems.

### What did you do before Cognito?

Before Cognito, I worked at a company called Loveland Innovations, a startup focused on property inspections using drones. I heard about Cognito through a recruiter that reached out to me on LinkedIn.

### What drew you to working at Cognito? What’s changed since you joined?

I really enjoy working at small startups tackling interesting problems. I love that I know all of my coworkers, even though we’re not in the same physical location. With a team of less than twenty people, everyone can have a huge impact on the future of the company -- the product, but also the culture. And such a small team also means that I’m working with other incredibly talented engineers.

I’ve only been at Cognito for seven months, so not much has changed yet. I am the most recent addition to the engineering team, so we have the same team we did when I joined.. But we’re all more skilled, more knowledgeable, and more informed on what we want Flow to be than we were when I joined.

Flow hadn’t been released yet when I started. It was in a functional state, but lacking many of the features that we use daily now. For example, selfie checks were recorded videos that we couldn’t validate until the entire video was recorded, uploaded, and processed. Now we process the selfie check in real time and the entire process is much quicker. Reflowing sessions, canceling sessions, and manually overriding failed steps didn’t exist back then.

### Where’d you grow up? Where do you live now?

I grew up in Utah, about one hour south of Salt Lake City. I still live in Utah, just a little closer to SLC.

### Are there any other places you’d like to live?

Japan, Korea, and anywhere on the West Coast of the US.

### Do you have any trips planned?

Next February, I’ll be taking a cruise with my family in the Caribbean. I might also take a ski trip to northern Japan right before that. And after the cruise, the next big trip will be to Santorini and the rest of Greece in 2023. My parents are doing humanitarian work there, so my family and I are going to visit them and do some sightseeing.

### How do you like to spend your free time?

Like you might expect from a lifelong Utahn, it’s a mix of sports and outdoor activities. I love watching BYU football and basketball, as well as the Utah Jazz. When the weather is right, I go mountain biking and snowboarding. And I really enjoy polishing my photography skills.

### Finally, what’s your go-to recipe?

Japanese curry!

_To learn more about Cognito, along with open roles on the team, [click here](/about)_


I’m a Senior Software Engineer. I started about seven months ago, and I’ve been focused on both the frontend and backend of our Flow product.

Meet the Team: Dallin Christensen


For the past few months, we have been working on an improved dashboard experience. All BlockScore businesses will now see it once they login. Though there are dozens of improvements, here are some highlights:

![New dashboard homepage](images/new-dash-1-d48170c9.png)

## Search

One of our most requested features, search, is now available on the top bar of every page. You can now search universally for all people, companies and candidates and then drill down into specific results using the sidebar.

We have also added the ability to search past results directly using the API. You can read more about how to do that [in our documentation](http://docs.blockscore.com/).

## Brand new interface

The new dashboard now shares the same look and feel as the rest of the BlockScore systems. It is now much easier to find what you are looking for, and we have vastly improved the signup experience and applying for live access. Common actions like verifying new people can now be done right from the dashboard homepage.

## Manage candidates

Our comprehensive watchlist scanning system, _Candidates_, is now accessible from the dashboard. View your searches and any watchlist hits that may have occurred.

## Address autocomplete

We have made using the dashboard to verify users easier than ever before by automatically filling in country subdivisions (like states, provinces and cantons) as well as cities once you enter a postal code.

## Activity feed

The new dashboard homepage includes an activity feed that helps you stay on top of what is happening in your business.

## Support for international documents

The person verification forms now supports all of the [forms of documentation](http://docs.blockscore.com/v4.0/curl/#documents) that we support on our API.

## Comprehensive verification details

After verifying a person or company, we now display all of the details regarding the verification results as well as icons to indicate whether this response is good, bad or neutral.

We hope you enjoy the improvements. If you have any feedback, please message us at [support@blockscore.com](mailto:support@blockscore.com). There is a lot more to come in the following weeks!


For the past few months, we have been working on an improved dashboard experience. All BlockScore businesses will now see it once they login.

New dashboard now available


In late November 2018, the U.S. Department of the Treasury’s Office of Foreign Assets Control [added two virtual currency (Bitcoin) addresses to their SDN lists](https://home.treasury.gov/news/press-releases/sm556) for the first time since the program’s inception. This change ushered in a new era of law enforcement and mandated that any companies transacting with cryptocurrency screen for potentially incoming and outgoing funds associated with sanctioned addresses.

We’re pleased to announce the addition of virtual currency addresses to the BlockScore watch list screening product. This is a free addition for all customers and is available today in your BlockScore account.

Digital currency addresses will now be listed among other documents such as `ssn` or `passport` using the type `digital_currency_address` for any potential watch list hits returned. Alternatively, BlockScore customers can enter a cryptocurrency address as a search term when creating a Candidate.

You can read more about how to upgrade your integration to take advantage of these new screening features [in our documentation](https://docs.blockscore.com/v4/curl/#candidates).

If you have any questions about how to take advantage of these new changes, please contact support@blockscore.com and we would be happy to assist you.


We’re pleased to announce the addition of virtual currency addresses to the BlockScore watch list screening product. This is a free addition for all customers and is available today in your BlockScore account.

New feature: screen digital currency addresses on OFAC lists


Yesterday ruby 2.3-preview1 [was released](https://www.ruby-lang.org/en/news/2015/11/11/ruby-2-3-0-preview1-released/). This update brings several new additions to core classes in ruby as well as some new syntax. Here are a few of the new additions coming in ruby 2.3:

## Extract values with `Array#dig` and `Hash#dig`

The new `#dig` instance methods provide concise syntax for accessing deeply nested data. For example:

```ruby
user = {
  user: {
    address: {
      street1: '123 Main street'
    }
  }
}

user.dig(:user, :address, :street1) # => '123 Main street'

results = [[[1, 2, 3]]]

results.dig(0, 0, 0) # => 1
```

Both of these methods will return `nil` if any access attempt in the deeply nested structure returns `nil`:

```ruby
user.dig(:user, :adddresss, :street1) # => nil
user.dig(:user, :address, :street2) # => nil
```

## Grep out the inverse of a pattern with `Enumerable#grep_v`

This method is the inverse of the `Enumerable#grep` method. The grep method and its inverse provide several powerful ways to filter enumerables:

### Filtering by regular expression

```ruby
friends = %w[John Alain Jim Delmer]

j_friends = friends.grep(/^J/)   # => ["John", "Jim"]
others    = friends.grep_v(/^J/) # => ["Alain", "Delmer"]
```

### Filtering by types

```ruby
items = [1, 1.0, '1', nil]

nums   = items.grep(Numeric)   # => [1, 1.0]
others = items.grep_v(Numeric) # => ['1', nil]
```

## Fetching multiple values with `Hash#fetch_values`

Sometimes [`Hash#fetch` is a better choice than `Hash#[]`](https://blog.blockscore.com/how-to-write-better-code-using-mutation-testing/#requiring-parameters-with-hashfetchhttpruby-docorgcore-223hashhtmlmethod-i-fetch) when you want to write more strict code. You can also access multiple values from a hash using `Hash#values_at`, but there wasn’t a strict equivalent to `values_at` until ruby 2.3:

```ruby
values = {
  foo: 1,
  bar: 2,
  baz: 3,
  qux: 4
}

values.values_at(:foo, :bar)    # => [1, 2]
values.fetch_values(:foo, :bar) # => [1, 2]

values.values_at(:foo, :bar, :invalid)    # => [1, 2, nil]
values.fetch_values(:foo, :bar, :invalid) # => KeyError: key not found: :invalid
```

## Positive and negative predicates for `Numeric#positive?` and `Numeric#negative?`

Numeric values now have predicate methods that check if the subject is positive or negative. This can be useful if you want to filter an enumerable:

```ruby
numbers = (-5..5)

numbers.select(&:positive?) # => [1, 2, 3, 4, 5]
numbers.select(&:negative?) # => [-5, -4, -3, -2, -1]
```

## Hash superset and subset operators `Hash#<=`, `Hash#<`, `Hash#>=`, and `Hash#>`

These methods lets you compare hashes to see if they are subsets or proper subsets of each other. For example:

```ruby
small     = { a: 1                }
medium    = { a: 1, b: 2          }
large     = { a: 1, b: 2, c: 3    }
different = { totally: :different }

{ a: 1, b: 2 } > { a: 1 }             # => true
{ a: 1 } > { a: 1 }                   # => false
{ b: 1 } > { a: 1 }                   # => false
{ a: 1, b: 2 } < { a: 1, b: 2, c: 3 } # => true
```

## Convert a hash to a proc with `Hash#to_proc`

Now you can use a hash to iterate over an enumerable object:

```ruby
hash = { a: 1, b: 2, c: 3 }
keys = %i[a c d]

keys.map(&hash) # => [1, 3, nil]
```

Honestly, I can’t think of a use case for this yet.

## Avoid nil related errors with the safe navigation operator

Ruby 2.3 will introduce new syntax for accessing deeply nested objects safely without accidentally triggering a dreaded `NoMethodError` on `nil`. The syntax looks like this:

```ruby
require 'ostruct'

user&.address&.street&.first_line
```

where each instance of `&.` is similar to ActiveSupport’s `Object#try` method. Basically, if a nil value is encountered, then each method call will not be attempted and instead the `nil` value will be returned immediately.

## Experimental frozen string pragma

You’ve probably heard that strings will be frozen by default in ruby 3. Ruby 2.3 lets you specify a pragma which enables this by default:

```shell
$ ruby -v
ruby 2.3.0preview1 (2015-11-11 trunk 52539) [x86_64-darwin14]
$ cat default.rb
# frozen_string_literal: false

puts "Hello world".reverse!
$ ruby default.rb
dlrow olleH
$ cat enabled.rb
# frozen_string_literal: true

puts "Hello world".reverse!
$ ruby enabled.rb
enabled.rb:3:in `reverse!': can't modify frozen String (RuntimeError)
  from enabled.rb:3:in `<main>'
```

Alternatively, you can also enable and disable this using the command line argument `--enable=frozen-string-literal`

## Further reading

You can read about other new features, performance improvements, compatibility issues, and more [here](https://github.com/ruby/ruby/blob/v2_3_0_preview1/NEWS). Remember that this is still a _preview_ of ruby 2.3 and some things might be subject to change.


Yesterday ruby 2.3-preview1 was released. This update brings several new additions to core classes in ruby as well as some new syntax. Here are a few of the new additions coming in ruby 2.3

New Features in Ruby 2.3


## Faster regular expressions with `Regexp#match?`

Ruby 2.4 adds a new `#match?` method for regular expressions which is **three times faster** than any `Regexp` method in Ruby 2.3:

```ruby
Regexp#match?:  2630002.5 i/s
  Regexp#===:   872217.5 i/s - 3.02x slower
   Regexp#=~:   859713.0 i/s - 3.06x slower
Regexp#match:   539361.3 i/s - 4.88x slower
```

Expand benchmark source

When you call `Regexp#===`, `Regexp#=~`, or `Regexp#match`, Ruby sets the `$~`global variable with the resulting `MatchData`:

```ruby
/^foo (\w+)$/ =~ 'foo bar'      # => 0
$~                              # => #<MatchData "foo bar" 1:"bar">

/^foo (\w+)$/.match('foo baz')  # => #<MatchData "foo baz" 1:"baz">
$~                              # => #<MatchData "foo baz" 1:"baz">

/^foo (\w+)$/ === 'foo qux'     # => true
$~                              # => #<MatchData "foo qux" 1:"qux">
```

`Regexp#match?` returns a boolean and avoids building a `MatchData` object or updating global state:

```ruby
/^foo (\w+)$/.match?('foo wow') # => true
$~                              # => nil
```

By skipping the global variable Ruby is able to avoid work allocating memory for the `MatchData`.

## New `#sum` method for `Enumerable`

You can now call `#sum` on any `Enumerable` object:

```ruby
[1, 1, 2, 3, 5, 8, 13, 21].sum # => 54
```

The `#sum` method has an optional parameter which defaults to 0. This value is the starting value of a summation meaning that `[].sum` is `0`.

If you are calling `#sum` on an array of non-integers then you need to provide your own initial value:

```ruby
class ShoppingList
  attr_reader :items

  def initialize(*items)
    @items = items
  end

  def +(other)
    ShoppingList.new(*items, *other.items)
  end
end

eggs   = ShoppingList.new('eggs')          # => #<ShoppingList:0x007f952282e7b8 @items=["eggs"]>
milk   = ShoppingList.new('milks')         # => #<ShoppingList:0x007f952282ce68 @items=["milks"]>
cheese = ShoppingList.new('cheese')        # => #<ShoppingList:0x007f95228271e8 @items=["cheese"]>

eggs + milk + cheese                       # => #<ShoppingList:0x007f95228261d0 @items=["eggs", "milks", "cheese"]>
[eggs, milk, cheese].sum                   # => #<TypeError: ShoppingList can't be coerced into Integer>
[eggs, milk, cheese].sum(ShoppingList.new) # => #<ShoppingList:0x007f9522824cb8 @items=["eggs", "milks", "cheese"]>
```

On the last line an empty shopping list (`ShoppingList.new`) is supplied as the initial value.

## New methods for testing if directories or files are empty

In Ruby 2.4 you can test whether directories and files are empty using the `File` and `Dir` modules:

```ruby
Dir.empty?('empty_directory')      # => true
Dir.empty?('directory_with_files') # => false

File.empty?('contains_text.txt')   # => false
File.empty?('empty.txt')           # => true
```

The `File.empty?` method is equivalent to `File.zero?` which is already available in all supported Ruby versions:

```ruby
File.zero?('contains_text.txt')  # => false
File.zero?('empty.txt')          # => true
```

Unfortunately these methods are not available for `Pathname` yet.

## Extract named captures from `Regexp` match results

In Ruby 2.4 you can called `#named_captures` on a Regexp match result and get a hash containing your named capture groups and the data they extracted:

```ruby
pattern  = /(?<first_name>John) (?<last_name>\w+)/
pattern.match('John Backus').named_captures # => { "first_name" => "John", "last_name" => "Backus" }
```

Ruby 2.4 also adds a `#values_at` method for extracting just the named captures which you care about:

```ruby
pattern = /(?<year>\d{4})-(?<month>\d{2})-(?<day>\d{2})/
pattern.match('2016-02-01').values_at(:year, :month) # => ["2016", "02"]
```

The `#values_at` method also works for positional capture groups:

```ruby
pattern = /(\d{4})-(\d{2})-(\d{2})$/
pattern.match('2016-07-18').values_at(1, 3) # => ["2016", "18"]
```

## New `Integer#digits` method

If you want to access a digit in a certain position within an integer (from right to left) then you can use `Integer#digits`:

```ruby
123.digits                  # => [3, 2, 1]
123.digits[0]               # => 3

# Equivalent behavior in Ruby 2.3:
123.to_s.chars.map(&:to_i).reverse # => [3, 2, 1]
```

If you want to know positional digit information given a non-decimal base, you can pass in a different [radix](https://en.wikipedia.org/wiki/Radix). For example, to lookup positional digit information for a hexadecimal integer you can pass in `16`:

```ruby
0x7b.digits(16)                                # => [11, 7]
0x7b.digits(16).map { |digit| digit.to_s(16) } # => ["b", "7"]
```

## Improvements to the `Logger` interface

The `Logger` library in Ruby 2.3 can be a bit cumbersome to setup:

```ruby
logger1 = Logger.new(STDOUT)
logger1.level    = :info
logger1.progname = 'LOG1'

logger1.debug('This is ignored')
logger1.info('This is logged')

# >> I, [2016-07-17T23:45:30.571508 #19837]  INFO -- LOG1: This is logged
```

Ruby 2.4 moves this configuration to `Logger`’s constructor:

```ruby
logger2 = Logger.new(STDOUT, level: :info, progname: 'LOG2')

logger2.debug('This is ignored')
logger2.info('This is logged')

# >> I, [2016-07-17T23:45:30.571556 #19837]  INFO -- LOG2: This is logged
```

## Parse CLI options into a Hash

Parsing command line flags with `OptionParser` often involves a lot of boilerplate in order to compile the options down into a hash:

```ruby
require 'optparse'
require 'optparse/date'
require 'optparse/uri'

config = {}

cli =
  OptionParser.new do |options|
    options.define('--from=DATE', Date) do |from|
      config[:from] = from
    end

    options.define('--url=ENDPOINT', URI) do |url|
      config[:url] = url
    end

    options.define('--names=LIST', Array) do |names|
      config[:names] = names
    end
  end
```

Now you can provide a hash via the `:into` keyword argument when parsing arguments:

```ruby
require 'optparse'
require 'optparse/date'
require 'optparse/uri'

cli =
  OptionParser.new do |options|
    options.define '--from=DATE',    Date
    options.define '--url=ENDPOINT', URI
    options.define '--names=LIST',   Array
  end

config = {}

args = %w[
  --from  2016-02-03
  --url   https://blog.blockscore.com/
  --names John,Daniel,Delmer
]

cli.parse(args, into: config)

config.keys    # => [:from, :url, :names]
config[:from]  # => #<Date: 2016-02-03 ((2457422j,0s,0n),+0s,2299161j)>
config[:url]   # => #<URI::HTTPS https://blog.blockscore.com/>
config[:names] # => ["John", "Daniel", "Delmer"]
```

## Faster `Array#min` and `Array#max`

In Ruby 2.4 the `Array` class defines its own `#min` and `#max` instance methods. This change dramatically speeds up the `#min` and `#max` methods on `Array`:

```ruby
     Array#min:       35.1 i/s
Enumerable#min:       21.8 i/s - 1.61x slower
```

Expand benchmark source

## Simplified integers

Until Ruby 2.4 you had to manage many numeric types:

```ruby
# Find classes which subclass the base "Numeric" class:
numerics = ObjectSpace.each_object(Module).select { |mod| mod < Numeric }

# In Ruby 2.3:
numerics # => [Complex, Rational, Bignum, Float, Fixnum, Integer, BigDecimal]

# In Ruby 2.4:
numerics # => [Complex, Rational, Float, Integer, BigDecimal]
```

Now `Fixnum` and `Bignum` are implementation details that Ruby manages for you. This should help avoid subtle bugs like this:

```ruby
def categorize_number(num)
  case num
  when Fixnum then 'fixed number!'
  when Float  then 'floating point!'
  end
end

# In Ruby 2.3:
categorize_number(2)        # => "fixed number!"
categorize_number(2.0)      # => "floating point!"
categorize_number(2 ** 500) # => nil

# In Ruby 2.4:
categorize_number(2)        # => "fixed number!"
categorize_number(2.0)      # => "floating point!"
categorize_number(2 ** 500) # => "fixed number!"
```

If you have `Bignum` or `Fixnum` hardcoded in your source code that is fine. These constants now point to `Integer`:

```ruby
Fixnum  # => Integer
Bignum  # => Integer
Integer # => Integer
```

## New arguments supported for float modifiers

`#round`, `#ceil`, `#floor`, and `#truncate` now accept a precision argument

```ruby
4.55.ceil(1)     # => 4.6
4.55.floor(1)    # => 4.5
4.55.truncate(1) # => 4.5
4.55.round(1)    # => 4.6
```

These methods all work the same on `Integer` as well:

```ruby
4.ceil(1)        # => 4.0
4.floor(1)       # => 4.0
4.truncate(1)    # => 4.0
4.round(1)       # => 4.0
```

## Case sensitivity for unicode characters

Consider the following sentence:

> My name is JOHN. That is spelled Ｊ-Ο-Ｈ-Ｎ

Calling `#downcase` on this string in Ruby 2.3 produces this output:

> my name is john. that is spelled Ｊ-Ο-Ｈ-Ｎ

This is because “Ｊ-Ο-Ｈ-Ｎ” in the string above is written with unicode characters.

Ruby’s letter casing methods now handle unicode properly:

```ruby
sentence =  "\uff2a-\u039f-\uff28-\uff2e"
sentence                              # => "Ｊ-Ο-Ｈ-Ｎ"
sentence.downcase                     # => "ｊ-ο-ｈ-ｎ"
sentence.downcase.capitalize          # => "Ｊ-ο-ｈ-ｎ"
sentence.downcase.capitalize.swapcase # => "ｊ-Ο-Ｈ-Ｎ"
```

## New option to specify size of a new string

When creating a string you can now define a `:capacity` option which will tell Ruby how much memory it should allocate for your string. This can help performance as Ruby can avoid reallocations as you increase the size of the string in question:

```ruby
   With capacity:    37225.1 i/s
Without capacity:    16031.3 i/s - 2.32x slower
```

Expand benchmark source

## Fixed matching behavior for symbols

Ruby 2.3’s `Symbol#match` returned the match position even though `String#match` returns `MatchData`. This inconsistency is fixed in Ruby 2.4:

```ruby
# Ruby 2.3 behavior:

'foo bar'.match(/^foo (\w+)$/)  # => #<MatchData "foo bar" 1:"bar">
:'foo bar'.match(/^foo (\w+)$/) # => 0

# Ruby 2.4 behavior:

'foo bar'.match(/^foo (\w+)$/)  # => #<MatchData "foo bar" 1:"bar">
:'foo bar'.match(/^foo (\w+)$/) # => #<MatchData "foo bar" 1:"bar">
```

## Multiple assignment inside of conditionals

You can now assign multiple variables within a conditional:

```ruby
branch1 =
  if (foo, bar = %w[foo bar])
    'truthy'
  else
    'falsey'
  end

branch2 =
  if (foo, bar = nil)
    'truthy'
  else
    'falsey'
  end

branch1 # => "truthy"
branch2 # => "falsey"
```

You probably shouldn’t do that though.

## Exception reporting improvements for threading

If you encounter an exception within a thread then Ruby defaults to silently swallowing up that error:

```ruby
puts 'Starting some parallel work'

thread =
  Thread.new do
    sleep 1

    fail 'something very bad happened!'
  end

sleep 2

puts 'Done!'
```

```shell
$ ruby parallel-work.rb
Starting some parallel work
Done!
```

If you want to fail the entire process when an exception happens within a thread then you can use `Thread.abort_on_exception = true`. Adding this to the `parallel-work.rb` script above would change the output to:

```shell
$ ruby parallel-work.rb
Starting some parallel work
parallel-work.rb:9:in 'block in <main>': something very bad happened! (RuntimeError)
```

In Ruby 2.4 you now have a middle ground between errors being silently ignored and aborting your entire program. Instead of `abort_on_exception` you can set `Thread.report_on_exception = true`:

```shell
$ ruby parallel-work.rb
Starting some parallel work
#<Thread:0x007ffa628a62b8@parallel-work.rb:6 run> terminated with exception:
parallel-work.rb:9:in 'block in <main>': something very bad happened! (RuntimeError)
Done!
```


Ruby 2.4 has some key new additions which we have outlined in this post to help you stay on top of what's new.

New Features in Ruby 2.4


It’s been said that regulation can’t keep pace with technological innovation but regulators are doing their best to prove otherwise. New rules around data security, privacy, and consumer protection are continually being rolled out, sometimes without much notice. And while many businesses may not be directly impacted, financial service providers in particular need to put compliance front and center.

Cognito President and COO Chris Morton takes a closer look at some of the main challenges in this shifting privacy landscape and how many software providers are falling short in addressing them. By keeping the following insights in mind, financial organizations can continue to adapt no matter the policy change.

## New rules can come with little warning…

Sometimes sweeping new regulations come in big waves, like the GDPR, but the real challenges are the regulations that arrive with little to no warning.

“Insidious changes are the ones that present the most harm,” cautions Morton. “For instance, the [Consolidated Appropriations Act, 2021](https://www.congress.gov/bill/116th-congress/house-bill/133/actions) passed in two weeks at the end of 2020 and required ID verification of all pandemic unemployment assistance claims by late January, 2021. Imagine running an operation where you verify a small percentage of claimants and now you need to verify all within a matter of weeks.”

New government lists are another change factor affecting businesses as all users need to be screened against the latest watchlists. This poses yet another noncompliance risk for companies particularly those who are struggling to update and adapt their infrastructure. Every new list becomes a cause for panic.

Morton and the Cognito team often hear from organizations that need to pivot quickly to a more reliable solution. “We’ve helped businesses with urgent needs get up and running in a week so quelling that panic isn’t new for us,” says Morton. “We have a dynamic system to add additional lists quickly.” As the privacy landscape continues to change, Morton and his team continue to see companies caught by surprise.

## Often vendors aren’t ready

It’s not uncommon for companies to discover too late that the compliance solutions in which they have invested do not deliver as promised. Morton notes a few red flags that may indicate your vendor is not as agile or flexible as they claim to be.

1. The first is a lack of transparency and documentation. “Does it take too long to get definitive answers on how your system works?” he asks. “If the sales process is slow, expect the implementation to take twice as long.” Companies that can readily show their solution is best-in-class do not have anything to hide. “For example, with Cognito, if you want to see how our products work, our documentation is freely available without a non-disclosure agreement (NDA), and you can test in our sandbox right away.”
2. The second warning sign is buzzwords. “We see vendors pop up with novel solutions that fail to solve the core problem. It’s great that you have artificial intelligence, but how does that help a sign-up funnel or compliance program?”

Another important factor to pay attention to is APIs; they may be essential to the digital economy, but that doesn’t mean they’re flexible. “In this industry, it’s common for an API version to last for a decade because so many systems become dependent on it,” notes Morton. “If you spend the time and effort to develop an API version, it’s extremely expensive and time-consuming to change. That rigidity stifles innovation.”

Morton has three questions he recommends every company ask a prospective partner before they commit to their product:

- What is the process to get from first contact to full implementation, and how long does it take?
- What is the minimal information a user needs to provide in order to verify their identity?
- How can I tell if your solution will be better than what I currently have?

## Staying in step with change

Leading software providers are building solutions that can respond quickly to change and are tailored to clients’ unique business needs. At Cognito, the team recently developed Flow, a platform service that’s due to launch this year and lets you seamlessly update your IDV and compliance systems from a simple, user-friendly visual interface.

“With a traditional solution, decisions are hard-coded and inflexible. For instance, if you want to add a new country or change some decision logic, you need to pass that to the programmers and have them implement it, which could take months,” explains Morton.

“With Flow, you click a box and the change is made instantly with zero programming required. Conceptually, it’s similar to using a visual editor on a website compared to the complexity of making changes through a long and technical process.”

Another key benefit of a solution like Flow is that it isn’t API dependent and there’s no need to code. “You can make instant changes to your implementation without any technical intervention. It empowers product managers and compliance teams to be in control of their domains without weeks-long technical cycles.”

The regulatory environment evolves quickly, and your business has to stay in sync. With Flow, you can make changes in minutes without impacting your current software implementation and you can continue to make adjustments as requirements evolve in future. Do not let a complex privacy landscape compromise your ability to provide frictionless, comprehensive IDV for your customers.

_Talk to Cognito about what the future of compliance looks like for your organization, and_ [_try the solutions for yourself_](https://playground.cognitohq.com/signup)_._


Cognito President and COO Chris Morton takes a closer look at some of the main challenges in this shifting privacy landscape and how many software providers are falling short in addressing them.

Keeping Pace With a Rapidly Changing Privacy Landscape


Vaping and e-cigarettes have become popular and are starting to encounter similar regulation that has controlled tobacco sales. For instance, Texas passed [TX SB97](http://www.legis.state.tx.us/tlodocs/84R/billtext/html/SB00097I.htm) to extend [Health and Safety Code, Title 2, Subtitle H, 161.453](http://codes.lp.findlaw.com/txstatutes/HS/2/H/161/R/161.453)beyond tobacco to include vaping and e-cigarettes.

Companies that are either based in Texas or service Texas residents must now verify the age, date of birth, and address of purchasers starting October 1, 2015. While some sellers have temporarily suspended selling to Texas residents, BlockScore can quickly help you comply with this and similar regulations being enacted in other jurisdictions.

Here is the pertinent text from 161.453 referenced in TX SB97:

> (a) A person may not mail or ship cigarettes in connection with a delivery sale order unless before mailing or shipping the cigarettes the person accepting the delivery sale order first:
>
> (1) obtains from the prospective customer a certification that includes:
>
> (A) reliable confirmation that the purchaser is at least 18 years of age; and
>
> (B) a statement signed by the prospective purchaser in writing and under penalty of law:
>
> (i) certifying the prospective purchaser’s address and date of birth;
>
> (ii) confirming that the prospective purchaser understands that signing another person’s name to the certification is illegal, that sales of cigarettes to an individual under the age prescribed by Section 161.082 are illegal under state law, and that the purchase of cigarettes by an individual under that age is illegal under state law; and
>
> (iii) confirming that the prospective purchaser wants to receive mailings from a tobacco company;
>
> (2) makes a good faith effort to verify the information contained in the certification provided by the prospective purchaser under Subdivision against a commercially available database

BlockScore is the simplest way to comply with the requirement to verify age, birth date, and address using a commercially available database as stated above. In your checkout flow, you can collect the required information, submit it to BlockScore, and get a response back from BlockScore in under a second.

As with any compliance program, make sure that you check with your attorney and comply with the other provisions in TX SB97 and 161.453.


Vaping and e-cigarettes have become popular and are starting to encounter similar regulation that has controlled tobacco sales.

New regulations for e-cigarette and vaping compliance under TX SB97


Fraud is something companies and individuals experience everyday, but not all fraud is the same. In fact, some of us have committed fraud and may have not even known. In all instances, fraud negatively impacts a company’s bottom line. So what are the differences?

**True Fraud vs. Friendly Fraud** Fraud can happen in a variety of different ways, but for the sake of simplicity, we will be discussing the two categories that are most prevalent in the digital age.

True Fraud is the category that most businesses are familiar with. It is most often labeled as identity theft and can cost companies millions of dollars and even result in a loss of business. When an individual steals another individual’s name, credit card, SSN, address, or any other piece of information to open an account or make a purchase, they are committing true fraud. Thanks to the numerous amounts of sensitive data leaks, fraudsters have relatively easy access to stolen data, which they can use to impersonate a good user (thanks Equifax, Facebook, UPS, Marriott, etc.). True Fraud hits companies the hardest and should be the main type of fraud to focus preventative efforts towards.

Friendly Fraud generally refers to chargeback fraud; the fraudulent request for a return or refund in the form of a chargeback. The expanded view of friendly fraud can be seen as any legitimate user committing malicious activity on your platform. Meaning, a user creates a profile that is true to their identity, but proceeds to try to “game the system” It can be as innocuous as creating multiple accounts with different emails to as serious as money laundering through your platform. This type of fraud is less frequent, but much harder to prevent.

**3 Ways to Prevent Fraud**

**1\. Verify your users!** This is going to be the biggest barrier to true fraud. Using a service to confirm a user is who they say they are will greatly reduce the amount of fraud you see. Many companies have regulatory requirements to do this already (KYC). But, even if your industry does not require identity verification, this process helps weed out bad actors from your platform. **2\. Make support easy** Users need an avenue where they can easily reach support if they see unknown activity on their credit card or account. Be available to combat fraud.

**3\. Have a fraud prevention tech stack** IDV is one piece of the puzzle. But, if your business experiences fraud on a very large scale, you should look at integrating a transaction monitoring service as well. There are services that monitor activity in real-time and can be a powerful addition to your security program.

Fraud is a problem that consistently plagues businesses. Cognito is committed to helping companies prevent this problem as securely and as seamlessly as possible. If you’re interested in exploring [Cognito’s IDV solution](https://plaid.com/products/identity-verification/) or if you have any questions regarding how to improve your Customer Identification Program, feel free to [connect with us](/contact/)!


Fraud is something companies and individuals experience everyday, but not all fraud is the same. In fact, some of us have committed fraud and may have not even known.

Not All Fraud is the Same

OFAC agrees that financial institutions should take a risk-based approach when considering the likelihood that they may encounter OFAC issues.

OFAC Risk Matrix: How High Risk is Your Business?


## Cognito is Joining Plaid

I'm extremely excited to publicly share that Cognito has been acquired by Plaid.
Together, we will continue building the products that power the identity verification
and compliance processes across the fintech ecosystem.

After almost a decade of working together, this is a very sentimental moment for me and the rest of the Cognito team,
so I'd like to share a bit about our history before I speak about the future.

The first line of code for Cognito (“BlockScore” at the time) was written in July of 2013. At the time, John and I were still in college. We were enthusiastic about the
future potential of Bitcoin and noticed that identity verification was a common pain
point for every founder we met. Despite us not knowing how identity verification
worked at the time, we had full conviction that we could make something better if
we put in the work.

The first APIs we shipped in 2014 were focused on providing simple APIs oriented towards new startups. Our “people” API processed basic identity data
and returned a pass / fail result. Our “watchlist” API made it easy to search against
a set of government watchlists.

Over time, we focused on sourcing higher quality data sources and introduced a new set of APIs focused on minimizing customer friction
and understanding why verifications pass or fail.

As Cognito's products grew over the years, we developed an in-depth understanding of how compliance and verification
processes work across the industries we serve. These insights allowed us to move
beyond just providing APIs. Flow and Screening provide more holistic solutions that
help move building, configuring, and managing a compliance program out of code, significantly
reducing engineering overhead in the process.

## Looking to the future

Plaid Link is nearly ubiquitous across the fintech ecosystem because it does a fantastic
job at abstracting over the thousands of banking providers every company needs to
support. The identity and compliance story that immediately follows connecting a
bank account is still, comparatively, quite fragmented and home rolled.

Cognito's trajectory over the past decade, starting from outsiders peering into the identity
space and ending with a crisp and confident vision for the future, is why I sincerely
believe that Plaid is a perfect home for Cognito. Plaid believes in our vision to
drastically reduce the overhead of onboarding customers for all fintech applications.
With Plaid backing us, we will continue to build amazing products for years to come.

## To current customers

To all of the amazing customers who have integrated our products over the years:
thank you. Many of you took a risk on us, enthusiastically tried out new features,
gave us feedback, and helped us evolve our vision into what it is today.

I also want to be crystal clear: **Cognito's products are not going anywhere.** The products you use today will continue to work, evolve, and improve.

## To the Cognito team

Thank you all for your loyalty, support, and hard work over the years. Your dedication
helped us get where we are today and I cannot wait to spend the coming years with
you at Plaid. Working alongside you all has been one of the greatest pleasures of
my life.

Sincerely,  
Alain Meier  
CEO of Cognito


I'm extremely excited to publicly share that Cognito has been acquired by Plaid. Together, we will continue building the products that power the identity verification and compliance processes across the fintech ecosystem.

Plaid and Cognito


All good companies care about giving their customers a seamless experience — but not at the cost of security. When it comes to keeping security on lock, identifying potential politically exposed persons (PEPs) is especially crucial for organizations experiencing rapid growth: increased momentum shouldn’t mean increased risk. With the right solution, companies can simplify the screening process while remaining safe and compliant as they scale.

On top of the security concerns, organizations that fail to properly flag PEPs can face serious consequences. In early 2019, the Financial Conduct Authority (FCA) fined Standard Chartered Bank [£102,163,200](https://www.fca.org.uk/news/press-releases/fca-fines-standard-chartered-bank-102-2-million-poor-aml-controls) (~$134,039,000 USD) for, among other violations, not conducting due diligence on a compromised customer despite red flags. Governments have also strengthened their anti-money laundering regulations in recent years — the European Union’s Fifth Anti-Money Laundering Directive has taken effect as of 2020 and the United States’ Bank Secrecy Act was amended post-2001 to include customer identification requirements — and smart companies are working ahead to avoid the financial and reputational damage that results from a PEP misstep.

For many organizations, screening PEPs is a key part of meeting compliance regulations. If you haven’t yet accelerated and strengthened your PEP screening process, it’s time.

## Why you should screen for PEPs

You’re likely already familiar with the [accepted definition of a PEP](https://www.fatf-gafi.org/documents/documents/peps-r12-r22.html). A politically exposed person is someone who has been entrusted with a prominent function at an organization — a person with the kind of influence that could lead to a misuse of financial systems. As the name implies, a PEP is often a person who holds an important domestic or foreign political office, but the term is broad enough to include relatives and close associates of prominent public figures and senior executives.

Examples of persons identified as PEPs include:

- **Foreign PEPs:** individuals given prominent public functions by a foreign country
- **Domestic PEPs:** individuals entrusted domestically with prominent public functions
- **International organization PEPs:** persons given a prominent function by an international organization
- **Family members** related to a PEP
- **Close associates** of a PEP

PEPs pose a higher risk than more traditional customers when it comes to security: because of their position, they’re more easily able to engage in money laundering or the funding of criminal behavior. While it’s not a foregone conclusion that someone who has been flagged as a PEP will engage in criminal activity, it’s wise to take extra steps when vetting that individual as a customer.

In many organizations, this screening is already mandatory — for instance, national banks in the U.S. are [required to screen for PEPs](https://www.occ.treas.gov/topics/supervision-and-examination/bsa/bsa-related-regulations/index-bsa-and-related-regulations.html), ascertain the level of risk they pose, and then implement appropriate risk mitigation measures to protect their customers. In Canada, financial institutions, life insurance providers, securities dealers, and money services businesses must also have a process in place to screen for and assess PEPs, in accordance with new legal requirements implemented in 2017. Each country may vary in how it adopts the FATF guidelines for screening PEPs, so companies — particularly those with international operations — should pay close attention to the country-level requirements that may apply to them and, wherever possible, default to the most stringent standards to ensure maximum compliance.

## Common challenges in screening for PEPs

There are four common challenges that companies face when attempting to regularly screen for PEPs:

- False positives or false negatives in compliance queues
- A large volume of users requiring re-scanning on a regular basis
- PEP screening workflows that are high-friction for customers, which in turn results in an influx of support tickets
- Lack of development resources to optimize compliance

Since a person’s risk profile can shift over time, it’s important to never treat screening like a one-off initiative; be sure to conduct ongoing PEP monitoring to flag any changes in status. To successfully adhere to this best practice while ensuring a streamlined customer onboarding experience, companies need an efficient, automated solution in their corner.

Addressing any or all of these challenges would normally take a considerable amount of staff time and resources. Cognito can efficiently resolve them by alleviating the administrative burden and bringing your organization into compliance.

## How Cognito efficiently flags PEPs for you

Cognito’s [Watchlist](/products/watchlist/) solution efficiently flags PEPs for you, filtering out false positives and enabling you to implement a high-quality sanction screening program.

Watchlist screens for and identifies PEPs via:

- **Industry-leading search algorithms.** Our proprietary search algorithms take into account the day-to-day edge cases that occur, along with watchlist databases and user inputs, providing a reliable and comprehensive list of potential matches for your customers.
- **Gradual user verification.** We gradually fill out each customer’s profile so you can screen them at every step of the way, enabling you to start screening your customers with as little information as possible.
- **Ongoing re-scans.** Cognito reassesses hundreds of millions of users each month to promptly catch any changes in the status of your customers.
- **Relevant databases.** We screen a large number of databases from across the world, meaning that you get a clearer picture of who you’re dealing with. Our databases are accurate, and we use data normalization to cross-reference more than just names.

All of these benefits can give compliance leaders confidence that they’re properly managing the risks associated with PEPs, and can free them up to focus on more advanced initiatives that will help the business remain compliant and secure as it rapidly grows. Meanwhile, product managers will appreciate having more efficient systems in place that enable rather than hinder that growth so they can quickly deliver innovative solutions for the company and its customers.

## Efficiently screen PEPs and securely grow your business

Your customers aren’t static, and your screening process shouldn’t be either. Cognito strengthens companies’ compliance processes on an ongoing basis, adjusting to changing business requirements as needed. For example, companies can simulate sensitivity and program changes with samples of their real user-base to estimate how changes in their compliance program will impact agent workload and overarching goals.

Identifying PEPs who pose a risk to your business is just one challenge among many when it comes to compliance. Not only does Cognito address these challenges, but it also establishes a strong foundation for a company’s compliance processes so that it can focus on its core priority — achieving secure, compliant growth.

_Discover how Cognito’s_ [_watchlist and PEP screening_](/products/watchlist/) _features help your company achieve compliance and deliver a seamless customer onboarding experience._


All good companies care about giving their customers a seamless experience — but not at the cost of security.

Who is a Politically Exposed Person (PEP)?


## Is Every Politically Exposed Person Considered a Risk?

Individuals identified as politically exposed persons (PEPs) have important roles that can make them susceptible to dealings that involve criminal behavior like money laundering, terrorism financing, corruption and bribery. PEPs are not necessarily going to be involved in crimes like money laundering or bribery, but having procedures in place to identify and monitor these accounts is critical.

Under U.S. law, companies must accurately assess risk exposure when establishing new business relationships with PEPs by implementing the appropriate anti-money laundering (AML) measures. Doing so helps to protect them from the consequences and blowback of the financial crimes listed above, among others.

In this article, we'll review the risk factors that influence a PEP's status and how businesses can best mitigate risk while designing and implementing procedures regarding PEPs.

Learn more about how <a href="/products/watchlist">Cognito Screening can help you screen for PEPs</a> easily.

## What Qualifies Someone to Be a PEP?

A PEP is defined as someone with a high-profile public or political role or who maintains a very prominent public role. Not surprisingly, the criteria for a PEP are broad and vary from country to country.

Regardless, many companies adhere to the criteria provided by the <a href="https://www.fatf-gafi.org/documents/documents/peps-r12-r22.html">Financial Action Task Force (FATF)</a>, which categorizes PEPs as:

- Government officials: An individual who currently holds or previously held a domestic or foreign government position, including elected or unelected roles, could be considered a PEP.
  Political party officials: Senior officials appointed to roles in major political parties in the U.S. or other countries could be classified as PEPs.
- Senior executives: Individuals serving in senior executive roles (such as board members) in a government-owned commercial business or an international organization may also be considered PEPs.
- Relatives and close associates: Immediate family members of a senior executive, political official or government official can also be PEPs. That could include spouses, siblings, children, parents and other close relatives.

There are varying levels of risk for all types of PEPs, which affects the amount of scrutiny a company must place on each individual. Although every PEP is not always high risk, businesses and financial institutions must do their due diligence to avoid doing business with someone who is likely to commit financial crimes or other fraud.

## What Are the Risk Factors?

The level of risk associated with a PEP depends on several factors, including their:

- Geographic location
- Position
- Industry/sector
- Level of influence or authority

Additionally, when assessing the potential risk of a PEP, companies should also consider the purpose of the account and its anticipated activity, the services or products requested and the size or complexity of the account relationship.

As you can see, a PEP's risk level will vary quite a bit depending on the individual situation and the factors listed above. As a result, some PEPs are considered higher or lower risk for certain crimes like foreign corruption or money laundering.

## How to Mitigate Risk

Whether a PEP's risk is determined to be low or high, businesses must take action to prevent criminal behavior that could harm their financial health and reputation. The best solution is to implement appropriate PEP screening measures as a part of their AML programs. That way, they can determine their clients’ PEP status.

When companies or financial institutions open accounts with new customers, they employ KYC (know your customer) procedures to obtain information about the customer for identification purposes. They also perform customer due diligence, a KYC process of doing background checks on each customer to assess their risk before establishing a business relationship with them.

The types of customer due diligence that companies and financial institutions may employ when opening a new account with a customer include:

- Customer due diligence (CDD): CDD is a background check process that helps companies assess the level of risk a customer carries.
- Enhanced due diligence (EDD): EDD is a more strict verification procedure used for customers classified as high risk. Typically, this involves verifying the customer's identity and address and evaluating their risk category. Companies may also need to obtain additional information when necessary.

In addition to conducting CDD and EDD during the customer onboarding process, companies should prioritize ongoing account monitoring. Customers are not static, and their status will change over time. As such, companies must monitor their PEP accounts regularly to catch any of those changes and reassess their risk profile.

Since PEP laws also change over time, organizations must be aware of those changes and how they affect their business to adjust their processes accordingly.

## Try Cognito for Free Today

The risk mitigation efforts companies must take to comply with KYC and AML laws can be expensive and time consuming — not to mention, the likelihood of human error is high when an organization completes the entire process manually.

Cognito's <a href="https://cognitohq.com/products/watchlist">AML watchlist and PEP screening software</a> offers automated solutions that complete reliable CDD and EDD as well as PEP screening procedures without the drawbacks of doing it all manually. It's designed to provide a frictionless customer experience by starting the screening process with as little information as necessary and gradually filling out their profile.

Our application programming interface (API) is sophisticated and secure and complies with best practices for data protection. It's also flexible to meet the needs of any organization and will maintain ongoing sanction screening and automated Office of Foreign Assets Control (OFAC) screening. To meet ongoing compliance needs, Cognito's API also provides automatic re-scans to catch any changes in the status of your customers.

If you're searching for a complete compliance customer relationship management (CRM) solution, Cognito can help. Let us help you improve your company's efficiency and organization with our watchlist screening product. <a href="https://cognitohq.com/products/watchlist">Sign up for free or contact our sales team</a> today for more details.


Individuals identified as politically exposed persons (PEPs) have important roles that can make them susceptible to dealings that involve criminal behavior like money laundering, terrorism financing, corruption and bribery. 

Are PEPs Always High Risk?


## How does presentation attack detection impact identity verification?

A presentation attack occurs when a bad actor uses someone else's biometric data. Known as "spoofing," fraudsters then use this data to impersonate someone else.

This can take a few different forms, known as presentation attack instruments. A fake fingerprint or trying to bypass liveness detection by using a printed photo are common.
The threat of spoofing has increased as more users sign up for new accounts online, rather than in person.

Fraudsters may use this data to commit all kinds of theft. They may sign up for a mobile banking app or a line of credit online, for example, in an attempt to steal money from either the platform or an individual.

## How does Cognito mitigate the risk of presentation attacks?

[Cognito Flow](https://cognitohq.com) offers robust protection
against presentation attacks. In Cognito Flow, verification flows can include three
different types of identity information from a user. Those are data source, documentary,
and liveness. By using all three verification methods in concert, you can be sure
that new users know their identity data, possess their physical identity documents,
and are alive.

Crucially, in addition to verifying the authenticity of someone's identity documents, Cognito Flow uses facial mapping technology to verify that the person's ID document photo matches the face they present during their liveness verification.

Further, Cognito Flow uses advanced image processing and machine learning to combat fraud. Our solution is able to detect pixel changes, deep fakes, masks, and more.

## How does Cognito compare to other ID verification providers when handling presentation attacks?

Cognito Flow starts with data source verification, which:

- Matches user-entered details, like their address and government ID number, against authoritative sources.
- Uniquely, Cognito Flow also uses some of this data to confirm an online footprint, like email accounts and social media accounts.

Then takes a photo of a government-issued ID document, like a passport or driver's license, and:

- Confirms the authenticity of the document using advanced machine learning to ensure it isn't a printout.
- Uses sophisticated OCR to ensure information on the document matches what the user entered in the data source verification step.

And, finally, requests a liveness check in the form of very short videos, like a GIF, for face presentation attack detection. This:

- Uses complex machine learning algorithms to ensure that the person is real. Not, for example, a person holding up someone else's photo to their face.
- Uses face-matching to ensure the person matches the photo on their government-issued ID document.

Unlike other [ID verification](https://cognitohq.com) providers, Cognito goes one step further. Flow prevents presentation attacks by asking users to record short videos, rather than simply uploading a photo. Users with slow or unreliable internet connections will fallback to a photo. Still, Cognito Flow applies the same advanced algorithm to ensure the photos represent a real live person, by looking at lighting, pixel changes, depth, and more.

It's worth noting here that [identity verification](https://cognitohq.com) is only one area where the threat of presentation attacks exists. Biometric authentication equipment, like building access controls, fingerprint recognition or iris employee time clocks, and other devices are at risk for presentation attacks. That said, they have very different requirements, and as a result the solution may be different.

Ultimately, Cognito Flow uses best-in-class fraud presentation attack detection methods, combined with a conversion-optimized funnel, to both reduce risk and improve new user sign-up rates relative to other solutions.

## Active vs. passive presentation attack detection

Balancing security with user convenience requires some trade-offs, but Cognito Flow is optimized for a secure, convenient online identity verification process.

### Active presentation attack detection

Active PAD requires users to perform a series of actions to confirm their liveness, identity and authenticity.

Cognito Flow, for example, requires users to take several very short actions - like looking left or smiling at their phone camera - to prevent a presentation attack.

This method works well, because new users can complete their identity verification entirely online, from their homes, in just a few minutes.

### Passive presentation attack detection

Passive PAD relies on specialized equipment, rather than a series of actions, to confirm someone's identity and liveness. A specialized 3d camera, for example, may look at lighting, depth-sensing, infrared, and other characteristics to confirm someone's authentic identity.

Passive PAD is most useful in situations where absolute speed is critical, like building access. But because it requires specialized hardware far beyond a standard phone or laptop camera, a passive PAD system is often not a good solution to online identity verifications.

## What are the risks of a presentation attack? How easy are presentation attacks to perpetrate?

The threat of a presentation attack can range in severity, usually based on both the ease of committing fraud and the value of the target. But apps using ID verification solutions also need to balance the need for fraud protection against the need for usability among their customers.

[Cognito](https://cognitohq.com) designed Flow to balance those needs, in part by relying on artificial intelligence to handle presentation attack detection behind the scenes. It's absolutely critical that applications connected to user's bank or credit card accounts have fraud protection, especially when it does not add any burden to the new user sign-up funnel.

## Conclusion

The risk of sophisticated presentation attacks has been growing as more people complete identity verifications online from their mobile devices. Because mobile cameras aren't sophisticated enough to handle passive presentation attack detection natively, and requiring in-person identity verification is too onerous, sophisticated active presentation attack detection is the best option for accurately verifying identities online.

Coupled with documentary and data source verifications - where people must also possess their physical ID documents, with a face that matches their liveness verification - Cognito Flow provides robust protection against presentation attacks, all without sacrificing user experience.


A presentation attack occurs when a bad actor uses someone else's biometric data.

Presentation Attack Detection


We’ve been hard at work improving your Cognito experience, and today we are highlighting 5 upgrades that we have made recently:

**Faster responses**: The speed of our responses is always a priority for us to ensure that your customers’ experience is as seamless as possible. Over the past few months we have improved response times by as much as 30% and doubled the speed of accessing the dashboard for high volume customers.

**Drivers license data**: Approved customers can now opt to receive drivers license numbers and issuance states where the data is available. Please contact our sales team if you are interested in receiving this data.

**API keys on the dashboard**: You no longer need to contact our support to view your account’s API keys. All you need to do is log into your dashboard and you can find it [in your account settings](https://dashboard.cognitohq.com/settings/api_keys).

**Strong phone link indicator**: You are now able to tell which phones are most strongly associated with an individual using the dashboard. This is particularly helpful for anti-fraud review.

**Address timeline**: Combing through someone’s address history can be difficult, so we’ve added the ability to visualize where someone has lived on a timeline by clicking “View Timeline” on any identity search on the dashboard.


This month we've brought a number of changes to the Cognito platform to help you verify your users more quickly and easily.

Product updates: faster responses, drivers licenses, and more


At BlockScore, we provide an API that allows companies to easily verify customer identities. We do all the heavy lifting for you: correlate data across credit bureaus, motor vehicle records, address histories, watchlists, and other records and wrap it all into a simple API that you can integrate into your signup flow. Our vision is to provide the world’s best intelligent identity verification system. Today, we’re announcing the next major milestone in our journey: company verifications.

You can now ensure the information provided by companies with which you do business matches tax IDs and other corporate information for compliance and IRS penalty avoidance. You can verify companies, counterparties, and merchants in real-time without manual processes, and verify that you are not doing business with any sanctioned companies. Company verifications are most useful if:

- you process payments for merchants that use your service; you have a process to collect incorporation documents from companies as part of your on-boarding process;
- you need to verify EIN (employer tax identification number) for tax purposes;

We currently can verify US-based companies with more countries on the way.

The company verification API is available in the BlockScore v3 API and covered in the documentation.


At BlockScore, we provide an API that allows companies to easily verify customer identities. We do all the heavy lifting for you: correlate data across credit bureaus, motor vehicle records, address histories, watchlists, and other records and wrap it all into a simple API that you can integrate into your signup flow.

Real-time company and merchant verification


Effectively evaluating the data and match quality of the various sanction screening systems on the market is extremely difficult, especially for customers who have limited experience with knowing what kinds of edge cases can occur in real-world scenarios.

Cognito has fulfilled hundreds of millions of watchlist searches and have compiled a handful of patterns that we have observed. We then created examples using these patterns and ran them across a variety of other vendors in the watchlist screening industry to see how we stack up.

[![](/images/blog/post_images/view-the-report-2.jpg)](/wp-content/uploads/2020/09/watchlist-screening-report-results.pdf)

#### **In Summary**

- **Cognito Screening effectively reduces common false positives while handling complex real-world name inputs that cause other solutions to result in false negatives.**
- There are many vendors who offer watchlist screening, but they vary widely in terms of algorithm and data quality. Budget solutions often command budget results.
- These examples are not just cherry-picked, but rather represent **patterns**for name variations. These examples cannot be fixed as one-off cases by vendors but rather represent an algorithmic-level deficiency.
- Few vendors properly handle international names. Even if you only do business in the US, names are increasingly heterogeneous and require sophisticated handling.
- There are very basic ways to circumvent most screening systems that are invisible or hard to spot by a human reviewer.

We encourage you to try some of these kinds of patterns on your watchlist screening system. The results may surprise you.

Curious to learn more? Check out our [watchlist screening product tour](/products/watchlist/).


We ran our watchlist screening product against some other providers in the industry to see how we stack up.

Sanction screening: head to head results


We founded BlockScore in 2014 with the goal of making verifying your users as easy as [Stripe](https://stripe.com/) made billing your users. Over the past 3 years, we’ve learned a tremendous amount about the identity data industry while helping our customers onboard millions of users and wanted to make a change to reflect that.

Starting today, we are renaming from BlockScore to Cognito. Along with this name change, we are also announcing our completely re-imagined identity verification product. The most common feedback we get with our traditional product is that it requires too much intrusive information to verify a user and that knowledge-based authentication is too high friction while not providing enough security benefit. Our new product directly addresses these two concerns:

## Cognito is dramatically lower friction

All Cognito needs to verify a user is a phone number. Using this input, we return your user’s real-world identity including their name, date of birth, address, and SSN. If a user can’t be verified using just a phone number, you can send us another request using their name, date of birth, address, SSN or any combination of the above as inputs and we will attempt to verify them again.

Our gradual approach allows you to give the majority of your users the [best signup experience possible](/blog/why-startups-get-millennials-and-you-dont/) while maximizing verification match rates. This means that our built-in _fallback_ is still a better user experience than our competitors’ best case scenario. Cognito adapts to your signup flow rather than defining it.

## Cognito improves user authentication

Because we are able to link a phone number with a real-world identity, all you have to do is confirm that a user is in possession of her phone using a one-time passcode and you have a much stronger level of identity assurance that she is who she claims to be. Not only is this a lower friction experience than KBA, but it is also a [significantly more secure solution](/blog/cognito-vs-traditional-id-verification/). Cognito ends buying black market data to bypass questions about address history or car loans.

## What happens to our current products?

To our current customers, all of our traditional products will remain fully supported and maintained. Some of our customers, big and small, will not want to switch to Cognito and we won’t force you to. We will, however, offer current customers special deals if you would like to switch over.

---

The team has worked incredibly hard to bring this product to you and we look forward to hearing what you think.

**Alain Meier** - CEO, Cognito


We've launched the biggest upgrade to our product since our inception and are announcing a new name for the company, Cognito.

Say Hello to Cognito


There are many factors to selecting an ID verification provider. This post goes through the important points to consider.

## Timeline

The amount of time required to engage, negotiate, implement, and verify varies dramatically between providers. Here are the questions to ask.

- What is the complete process before I can submit my first verification?
- How quickly can I get access to a test environment?
- How long will it take to get implementation guides and developer documentation?
- Do I need to sign an NDA before any engagement?
- Do I need to get an office inspection? If so, how quickly can I get one scheduled?

The time between finding BlockScore and going live can be as short as one day. Legacy providers have rigid business processes that can take up to six months.

## Cost

The cost of implementing, deploying, and operating an ID verification solution varies dramatically between solutions. The hidden costs of the solution can add up to be significantly more than anticipated. Here are some questions to ask.

- Are there any setup fees?
- Are there monthly fees?
- Does the per verification price include essentials such as watchlist and PEP screening? If not, how much extra are these essential services?
- Is there an extra charge for high risk address checks?
- Do I need to amend the contract when I add new services?
- What is the cost to cancel the contract?

BlockScore offers simple, transparent, inclusive pricing with no setup or monthly fees. See the BlockScore [pricing page](https://blockscore.com/pricing) for more information.

## Implementation

The complexity and time to implement a solution varies dramatically between identity verification providers. Here are some questions to ask.

- Do have have to use your API or can I use a dashboard for manual verifications?
- Are developer and implementation guides available freely?
- Are SOAP-aware developers required?
- Are client libraries available to speed integration?
- What is required to go live with the solution? Must time be scheduled to go live?
- Is a test environment available? It is the same version as the production environment?

BlockScore provides freely available client libraries, documentation, and a production-equivalent test environment. When you are ready for live access, submit a request and usually get approved within one day. If you only need occasional verifications, our dashboard has a simple graphical interface to perform verifications with zero programming required.

## Remaining in compliance

Verifying someone’s identity is the first step, but how do you ensure that customers do not show up on any watchlists now and in the future? Here are the questions to ask.

- How many watchlists do you check?
- Do you check more than OFAC lists?
- How much does it cost to check watchlists? Do I have to pay per list?
- Do I have to manually recheck my customers against watchlists or can you do that for me?
- Do you also check for politically exposed persons (PEP)?
- Do I need to use third-party software to parse through your responses?

BlockScore provides a comprehensive watchlist scanning service for US and international watchlists. The service performs initial scans and perpetual rescans at designated intervals to ensure that your business remains in compliance.

## Coverage

As your business expands internationally, you need an ID verification provider that covers the countries in which you expand. Here are the questions to ask.

- Which countries do you cover?
- If you add additional countries, do I need to change my implementation?
- If I submit an international verification and no data is available, am I charged?
- Is your data limited to credit bureaus or do you have other sources?

BlockScore covers many countries throughout the world and never charges for international verifications where no data is available.

## References

[Upfront, transparent pricing](https://blockscore.com/pricing)

[Freely available documentation](http://docs.blockscore.com/)

[Simple contract terms](https://manage.blockscore.com/legal/terms)

[Comprehensive coverage](http://docs.blockscore.com/v4.0/curl/#coverage)


Selecting an ID verification provider


It’s true - Cognito can return a Social Security Number from a phone number. As crazy as this may seem at first, our ability to link phone numbers with real-world identity is a huge benefit to both consumers and the businesses.

In order to understand why, we need to dive into how fraudsters currently steal your identity to defraud online businesses.

## How fraudsters bypass identity verification

The industry standard, [knowledge-based authentication](https://en.wikipedia.org/wiki/Knowledge-based_authentication) - sometimes also called “out of wallet questions”, uses information like your address history, your car loans or mortgage data to ask questions that supposedly only the person to whom this data pertains would be able to answer. For instance, “what color was your 2001 Toyota Corolla?”.

In theory, this is a great idea. It allows you to verify that the person is in fact who they claim to be. But in reality, fraudsters can visit [darknet markets](https://en.wikipedia.org/wiki/Darknet_market) and buy bulk data sets containing _[exactly this data on tens of thousands of consumers and even targeted individuals](https://krebsonsecurity.com/2013/03/credit-reports-sold-for-cheap-in-the-underweb/)_. Due to the ubiquity of leaked personally identifiable information, the market price for lists of hundreds or even thousands of identities is on the order of hundreds of dollars - a small price to pay for a fraudster.

We are entering an era where simply knowing information is not enough proof that you are who you claim to be. There needs to be something more.

## How Cognito blocks fraudsters

Cognito protects your identity by linking your phone number with your real-world identity. This phone to identity link allows us to authenticate that _you_and \_you alone_ are signing up for a service.

Imagine signing up for a new bank account with Acme Bank and during the onboarding process you receive a text message with a 6-digit authentication code that says “Did you just sign up for Acme Bank? Enter this code during signup: 1234”. Behind the scenes, we tell Acme bank that, yes, this phone number is associated with you and once you enter the authentication code, you verify that you _meant_ to share your identity information with Acme Bank.

This raises the bar to steal your identity by an order of magnitude. No longer can the fraudster just buy your identity and pretend to be you. They need to either steal your phone or engage in a [phone number porting attack](https://www.forbes.com/sites/laurashin/2016/12/21/hackers-are-hijacking-phone-numbers-and-breaking-into-email-and-bank-accounts-how-to-protect-yourself/) - both of which require significant effort and have lower success rates when compared to logging into the darknet and buying new fraud opportunities in bulk.

---

Knowledge-based authentication (KBA) should be a last resort, not the frontlines, when defending businesses from stolen identities. Not only is Cognito lower friction than KBA, no longer requiring your users to furrow their brows deciding whether their Toyota Corolla from 2001 was purple or magenta, but it also increases the attack barrier to entry and in turn reducing the amount of fraud that businesses have to deal with.


As crazy as this may seem at first, our ability to link phone numbers with real-world identity is a huge benefit to both consumers and the businesses.

SSN From a Phone Number?!


In response to the growing impact that the Coronavirus is having on people, businesses and communities, the Cognito team is now offering additional support to businesses who are providing community relief during the outbreak. We will be offering the lowest prices that we possibly can to help facilitate altruistic use cases such as:

- Telemedicine
- Remote learning or access to educational resources
- Child care for workers unable to work from home
- Food and resource distribution

We have heard from businesses generously offering their goods or services at little to no cost, and want to do our part to ensure that your internal costs are not a prohibiting factor.Remote authentication of identity is a core part of ensuring the integrity and security of the services that we use every day. The Cognito team is continuing to operate as normal and is ready to support others who are providing a helping hand during this trying time. We are all in this together.

**If you are working on a project that you think benefits the broader community, please reach out to us so we can attempt to help in any way we can at **support+coronavirus@cognitohq.com**.**


We're supporting businesses with critical use cases to help our community during the COVID-19 outbreak.

Supporting companies providing community relief during COVID-19


## What is a synthetic identity?

A synthetic identity is a fake identity that combines real personal information, like a Social Security number, with fraudulent or fabricated information. Fraudsters create synthetic identities to pass identity verification checks when signing up for financial services, like bank accounts or loans.

Not all synthetic identities are created with the intention to defraud people or financial institutions. Sometimes, a real person without access to the required documentation or credit history creates a synthetic identity to apply for loans, open bank accounts, or similar, without the intent to defraud anyone, but simply because that's the only option available to them. Nonetheless, synthetic identities are still a financial crime, and not a legitimate solution.

Contrast this synthetic fraud with traditional identity theft, which typically involves identity thieves impersonating a real person using entirely real data.

## Why are synthetic identities becoming more common?

Synthetic identities -- and synthetic ID fraud -- have become more common in recent years. While there are a few reasons for the increase, the tremendous amount of personally identifiable information (PII) data available on the dark web has made third-party synthetic ID fraud much easier.

What's more, after the Social Security Administration decided to randomize social security number assignments, anti-fraud systems that used algorithms based on the formula the SSA used to assign SSNs could no longer quickly spot fake SSNs. While the initiative was designed to help prevent traditional identity fraud by making the numbers less predictable, the move inadvertently made it more difficult for fraud detection systems to suss out fake identities.

## Should I be concerned about synthetic identities?

No more or less than traditional identity theft. Synthetic identities are difficult for identity verification platforms to detect, and oftentimes, they are not used to defraud individuals (although they can be). In many cases, synthetic identities are used to defraud financial services platforms or an institution, rather than individual users.

Synthetic identities are of growing concern, in part, because they are difficult for platforms to find and prevent before a crime has occurred. In some cases, fraudsters may wait years - in the process, building up a legitimate financial history - before committing any kind of fraud.

An individuals credit history is, for the most part, built under the assumption of trust, provided by a credit reporting agency, and is only loosely regulated by the government. In the US, financial consumers typically need to rely on private companies to maintain their credit history, and should carefully monitor their credit score and run a yearly credit report.

## How does someone create a synthetic identity?

Creating a synthetic identity involves combining real personally identifiable information with fake personal information. By using a mix of real and fake identity information, fraudsters can bypass some identity verification checks when signing up for an account with a financial institution.

Typically, people using synthetic identities to defraud banks and lenders then build up their credit history with legitimate records at a credit bureau - applying for a credit line and paying it off, for example - to make them harder to find by risk assessment tools. They will often wait for years before actually defrauding an institution by, for example, taking out a huge loan or opening a credit card without the intent to pay it back.

## How does synthetic identity theft occur?

Synthetic identity theft occurs when a bad actor cobbles together real and fake PII - like a deceased person's Social Security Numbers and a made-up address, for example, combined with some information purchased on the dark web from a data breach - with the intent of defrauding a financial institution. This usually takes years, after they have built up a credit history that implies this is a real person making legitimate financial transactions, like building credit, using fraudulent accounts.

In some cases, bad actors will defraud a financial institution, then use the real and verifiable elements of their synthetic identity to claim identity fraud.

Another common tactic is “piggybacking” - where someone adds a synthetic identity to an established credit file, oftentimes inheriting the positive credit history.

## How big is the threat of synthetic identity fraud?

The impact of synthetic identity theft is hard to measure. Synthetic identity fraud can be hard to detect, and once it's discovered, there's no standardized process for how those losses are recorded. Some banks may record the loss as a credit loss, while others may account for it as third-party fraud loss.

[Estimates cited by the Federal Reserve](http://www.fedpaymentsimprovement.org/wp-content/uploads/frs-synthetic-identity-payments-fraud-white-paper-july-2020.pdf) pegged the losses at **$6 billion per year, or roughly 20% of credit losses**. And that was back in 2016 - in the subsequent years, the threat has almost certainly grown.

## How does Cognito prevent synthetic identity fraud?

[Cognito Flow](https://cognitohq.com/products/flow) mitigates the risk of synthetic identity fraud in a few different ways.

We start by evaluating multiple sources of identification:

1. Data source: does the person know their basic personally identifiable information (PII)? Does it match an authoritative source?
2. Documentary: does the person physically possess an authentic government-issued ID document?
3. Liveness: can the person, using their mobile phone camera, follow a few instructions to prove they are live?

Using sophisticated neural networks, while completing the steps above, [Cognito](https://cognitohq.com):

1. Ensures, using OCR, that the information included in the data source verification matches the information on the government-issued document.
2. Ensures, using facial matching, that the face captured during the liveness test matches the photos on the government-issued ID document.
3. Ensures, using best-in-class tools, that the person in the liveness check is real and not, for example, a printout of someone's face. Cognito Flow looks at factors like skin reflectivity, patterns seen on screens, signs of image manipulation, etc.

And Cognito looks to make sure that the person has active accounts online, like a valid email address and phone number, and social media accounts for identity authentication. Using our proprietary Flow Network Explorer, we can also alert you to repeated ID verification attempts coming from a single IP address, device, and more. And behind the scenes, we run a host of fraud checks to detect any other flags that may be indicative of fraudulent activity to prevent synthetic identity theft.


A synthetic identity is a fake identity that combines real personal information, like a Social Security number, with fraudulent or fabricated information.

Synthetic Identity Fraud


Know your customer (KYC) programs are intended to verify a customer’s identity, protect against fraud, and facilitate anti-money laundering (AML) compliance. In general, there are two formats for KYC programs. In traditional KYC programs, the customer drives to the business and presents various forms of identification to a staff member who confirms the client’s identity via various manual reviews. Modern KYC programs go about this differently. Customers enter their information online, and their identity is confirmed automatically against numerous electronic databases. Though many companies have made the switch to modern KYC processes, some are hesitant to make the change. Though maintaining the status-quo may feel like the “safe” option, there are significant costs to clinging to a poor KYC program.

### **Loss of Customers**

A [Thomson Reuters](https://www.thomsonreuters.com/en/press-releases/2016/may/thomson-reuters-2016-know-your-customer-surveys.html) survey of bank patrons found that a staggering 89% did not have a good KYC experience, and 13% changed their financial institution as a result. It is clear that consumers are dissatisfied with current on-boarding processes, and businesses are doing nothing but losing profit by driving customers away. The [primary complaints](https://signicat.com/wp-content/whitepapers/signicat-onboarding-whitepaper.pdf) about KYC processes are the amount of personal information required, the lengthy forms, and the need to submit information in person or via mail. None of these factors are outside a business’s control; each can be improved with the implementation of an efficient modern identity verification service. Companies that use in person identity verification may not realize that they are losing out on a large untapped customer demographic. A [survey](https://signicat.com/wp-content/whitepapers/signicat-onboarding-whitepaper.pdf) of 2000 consumers applying to traditional banks found that over _half_ would buy additional services if paper-based identity verification was not needed. Businesses would be short-sighted to risk losing their customers to other companies who are offering a better onboarding experience.

### **Manual Review & Human Error**

Another issue with traditional KYC processes is that they place too much reliance on inefficient and error prone manual reviews. When it comes to properly identifying your customers, accuracy and reliability is essential. KYC missteps can lead to a whole host of secondary issues such as fraud, money-laundering, and fines. Notably, recent legislation calls for higher fines when breaches in KYC compliance occur.

The need for staff to perform manual review of documents significantly contributes to the high cost of KYC compliance. Businesses have a compelling opportunity to mitigate these costs by using automated KYC processes, with simpler monitoring systems and lower error rates. With the proper partner for KYC, the reliability of digital processes offers a way to minimize costly manual review and human error.

### **Low Friction & Automation Wins**

Some companies are hesitant to upgrade to a modern KYC process due to the mistaken belief that the transition would be costly. However, there are substantial financial gains to making this change. [Consult Hyperion](https://www.chyp.com/wp-content/uploads/2018/08/170623-AMLD-KYCC-Consult-Hyperion-Mitek-FINAL.pdf), an independent technical consultancy, asserts that the average-sized financial institution can save $6.2m in operational costs by using mobile technology for KYC compliance. They report that this is a conservative estimate, and businesses likely stand to benefit even more than this.

However, there are pitfalls even amongst modern KYC programs. For example, processes that rely heavily on customer-entered data are especially vulnerable to phishing attacks. Also, knowledge-based identity verification has a notoriously high failure rate of [up to 20%](https://www.chyp.com/wp-content/uploads/2018/08/170623-AMLD-KYCC-Consult-Hyperion-Mitek-FINAL.pdf) due to data quality issues. Some identity verification services such as [Cognito](https://plaid.com/products/identity-verification/) have found a unique solution to circumvent these KYC pitfalls. Cognito begins the KYC process frictionlessly, requiring nothing more than a name and phone number. Cognito can securely confirm a customer’s identity using highly regulated data, and if you combine this with a simple one time passcode, you can confirm they are in possession of the phone associated with their identity. Within modern KYC programs there are many systems that can provide an excellent user experience, though not all are created equal. Cognito is heavily focused on security and user experience. After all, it is far easier to authenticate possession of a phone than to answer numerous intrusive financial questions. In turn, a frictionless onboarding process means increased conversion rates and financial gains. It allows companies to catch and keep the customers who would ordinarily be turned away by lengthy forms.

There is a significant opportunity for businesses to improve the user experience, minimize operational costs, and reduce the risk of sanctions by switching to a low friction modern KYC program. These processes will increase conversion rates, drastically reduce manual processing, and be much less prone to error compared to their traditional counterpart. Don’t let your company be complacent with your current KYC program if it is costing you customers and profits. Cognito is here to help your business provide a secure frictionless KYC program.


Know your customer (KYC) programs are intended to verify a customer’s identity, protect against fraud, and facilitate anti-money laundering (AML) compliance.

The Cost of a Poor KYC program


If you’re looking to boost your customer due diligence (CDD), there are a number of watchlist solutions on the market. But not all watchlist solutions are created equal. Substandard watchlist products can generate false positives, force you to manually re-scan thousands of users, and introduce friction into the customer sign-up process. As a result, your compliance program could suffer major setbacks — and a less-than-stellar customer experience could affect your bottom line.

Compliance teams at high-growth companies can’t afford to deal with costly and time-consuming incompetencies. With that in mind, here are five common frustrations that compliance professionals run into when implementing a CDD solution and how the right watchlist product can solve them.

## 1\. Manually re-scanning users takes time

CDD is an ongoing process that requires an automated watchlist solution, especially if you’re scaling for growth. Lesser watchlist solutions force you to manually re-scan thousands or even millions of users on a regular basis, placing an unnecessary burden on your compliance team. If a bad actor slips through the cracks, your company could face steep regulatory penalties and reputational damage.

Cognito’s complete compliance CRM lightens this burden for you by automatically re-screening hundreds of millions of users per month. This way, you can quickly catch any changes in the status of your customers and take the appropriate action.

## 2\. False positives send your compliance team down the wrong path

According to [NASDAQ](https://www.nasdaq.com/articles/what-keeps-compliance-chiefs-up-at-night-read-on.-2019-12-02) — and what we’ve heard from our own customers — false positives are a growing concern for compliance professionals. When false positives show up in your watchlist queue, your team has to spend valuable time investigating and resolving them — time that could be better spent following up on genuine positives or improving your overall compliance program. Inadequate watchlist solutions generate false positives and even false negatives, raising questions about your compliance effectiveness.

Fortunately, Cognito features industry-leading search algorithms that eliminate this common complaint. By taking into account the day-to-day edge cases that occur with watchlist databases and user inputs, Cognito’s search technology provides a reliable and comprehensive list of potential matches for your customers.

## 3\. Limited or unregulated databases paint an incomplete picture

Some watchlist solutions offer a small selection of databases or rely primarily on unregulated sources, giving you only a partial or incomplete picture of a potential customer. This makes your job harder than it needs to be, hampering the effectiveness of your compliance program.

Cognito’s databases are extensive and accurate, allowing you to better understand the quality and likelihood of a match. By automatically tapping a wide array of databases across the globe and using data normalization that extracts more information than just names, Cognito gives you greater confidence in your compliance process.

## 4\. Monitoring the compliance process is fragmented and complex

If you don’t know where your customers are in the compliance process, you’re essentially flying blind — and that’s a position no leader should have to be in. Yet many solutions don’t actually give you a unified view of your compliance process. If they don’t integrate with your other software tools, that makes it even harder for you to make sure your CDD is on track.

By comparison, Cognito gives you a comprehensive, real-time view of your compliance program. You can track your customers throughout their sign-up process and even visualize and triage cases with an intuitive interface and detailed audit trails. Cognito’s workflow APIs let you integrate your compliance tools, allowing for fine-tuned and automated management.

## 5\. Friction in the onboarding process frustrates your customers

A smooth onboarding process is critical to customer satisfaction. However, ineffective watchlist solutions can cause friction by requiring customers to provide large quantities of information up front. This increases the odds that customers will abandon the process or sign up with a competitor instead.

A robust compliance program doesn’t have to be at odds with a high-quality customer experience. Cognito’s watchlist gradually verifies your customers behind the scenes, helping you screen new users without making them jump through too many hoops. It then gradually fills out their profiles in the background, helping you screen customers every step of the way.

## Find a watchlist solution that does it all

Ineffective watchlist solutions can introduce hurdles to your compliance program, flagging false positives that send you down a rabbit hole and creating friction in the experience that slows down customer acquisition. With the right watchlist in your corner, you can strengthen your customer due diligence and clear the way for unimpeded business growth.

_Protect your business with_[_a watchlist solution that offers complete peace of mind_](/products/watchlist/)_. To learn more,_[_get in touch_](/contact/)_— we’re here to answer your questions._


If you’re looking to boost your customer due diligence (CDD), there are a number of watchlist solutions on the market. But not all watchlist solutions are created equal.

The Frustrations of Ineffective Watchlist Solutions


Using a social network for verification became popular to reduce signup friction and tie your user’s real world identity to their online identity. Social networks will return [limited, user-reported data](https://developers.facebook.com/docs/facebook-login/permissions/). However, for many applications such as insurance, lending, sharing economy, and banking, more trusted sources are required and those sources of data cannot be self reported. Regulated sources include credit bureaus, government agencies, and bank records.

Here are some characteristics of the data types and uses.

## Social data

- Data is reported by a user over time and stored in various databases
- Data may contain errors or false information
- Creating multiple online personas is simple and common
- Data can be changed at will by the user
- Fast way for users to signup on a desktop without having to fill out long forms

## Regulated data

- Data is collected from authoritative, regulated sources and maintained in controlled repositories such as financial institutions
- Data is required to be kept up-to-date
- Creating a fake identity is illegal and requires significant effort and takes years of fraudulent activity to look authentic
- Data can only be used for anti-fraud and KYC use cases

## When is social data a fit?

Social network verification is a great way to reduce signup friction when the user is on a desktop and the impact of fraud is low. For services that required a higher level of trust, traditional identity verification uses name, date of birth, address, and social security number. With mobile signup flows becoming so common, supporting mobile is now a requirement instead of an advantage. [66% of companies that saw a decrease in customer loyalty over the past year do not have a mobile app](http://info.apptentive.com/feedback-and-loyalty-on-the-mobile-frontier). However, it’s not enough to simply offer an app and mobile support, you must optimize the entire customer journey for the unique needs of a mobile user without asking for too much personal information.

As mobile devices have become more common, having the user enter their social network username and password is quite cumbersome on a phone screen. Additionally, for trusted services, asking for personal information and social security number dissuades users. A new alternative that offers both convenience and a high level of user trust is [Cognito](https://www.cognitohq.com/). Using a name and phone number, you can reduce signup friction and ensure the highest level of trust.


Using a social network for verification became popular to reduce signup friction and tie your user’s real world identity to their online identity.

Thinking of Using Social Data?


T-Mobile recently [disclosed](https://www.t-mobile.com/news/network/cyberattack-against-tmobile-and-our-customers) that hackers obtained millions of records containing personal information from current and past customers -- details like their addresses, Social Security Numbers, and phone numbers -- that can be used to steal their identities.

Before T-Mobile, there was Experian. And Target. This has happened countless times before, and it will happen again. But it does not have to, with some easy improvements to how we verify a person’s identity.

In the case of the T-Mobile hack, the hackers claim that some of the data they were able to access includes the names, dates of birth, SSNs, driver’s licenses, addresses and phone numbers of current, past, and prospective customers. They’re looking for a buyer and, almost certainly, they will find one or more. These hacks understandably further erode customer confidence in the security of their personal information -- and some will end up the victims of identity theft as the result of these hacks.

## What Current and Past T-Mobile Customers Should Do Now

In the short term, consumers should follow the advice of experts: freeze your credit, sign up for credit monitoring, check your bank statements regularly, and more. When possible, people should ask how long their data is stored when signing up for a service, and read their privacy and security policies to better make an informed decision. And when you no longer use a service, close or ask to delete your account (and data), rather than simply leaving it dormant. But those are not always options, and switching providers when you find something concerning certainly is not either.

## The Future of Identity Security

Longer term, we need to figure out a better way -- a way to make this data worth less. We can make this data less useful to hackers by making some services require additional verification steps, like requiring a liveness check (also known as a selfie check) and documentary verification when opening new accounts. Consumers and businesses alike can protect themselves from fraud by ensuring that the person applying for an account is both a real live person and that the face on their identity documents matches the face of the real person opening the account.

With [Cognito Flow](https://cognitohq.com/products/flow), we make this more secure ID verification easy for both the business and the end user. The added verification steps only take a few extra seconds, and are completed using accurate artificial intelligence without requiring human verification. Requiring these extra pieces of data will reduce fraud dramatically without adding too much friction to the sign up process. And, most importantly, they’re impossible to hack. You can’t buy a liveness check and accompanying physical ID documents on the internet.

By adopting stricter verification standards, we can secure people’s identities with minimal effort and make serious data breaches a problem of the past.



How familiar are you with the term Politically Exposed Person (PEP)? It is extremely important in compliance but often times is over looked or misinterpreted. This guide helps you understand the 5 key types of PEPs and the risk they pose to your business.

[Download Infographic](/wp-content/uploads/2020/10/Cognito_Infographic_5xPEPs-Risks.pdf)


This guide helps you understand the 5 key types of PEPs and the risk they pose to your business.

Infographic: 5 Types of PEPs and the Risks they Pose


BlockScore can be easily implemented in apps. As with any good system design, there are some important points to ensure user data is protected. This post goes through the basics of how to use BlockScore ID verification in an app.

The first step is to design a form to collect the required identity information from your user in your app. From that form, identity information needs to be sent to your server. Always use encrypted channels to communicate between your app, server, and external service providers such as BlockScore. Never store identity information in the app. We also recommend not storing personally identifiable information (PII) on your server because BlockScore can safely store it for you.

The next step is to send the identity information from your server to BlockScore using either our RESTful HTTP API or a client library for your server platform. Many client libraries are available on the BlockScore Github repository. Within a second of sending the information from your server to BlockScore, you will receive a response with valid/invalid, details about the matching pieces of information, and a token to access information about that verification in the future. As mentioned, in lieu of storing the identity information on your server, this token can be used to retrieve identity information from BlockScore.

Once BlockScore has responded with a valid status to your server, store the token in the user’s record. If an invalid status is returned, you may permit the user to retry the verification. We recommend that you limit the number of times the user may retry the verification. A common rate is two verifications per 24 hour period.

BlockScore provides an API key to communicate with our web service. All requests must including this API key. Because this key is also used to retrieve past verification information, it should never be used outside of your server. Never use or store your BlockScore API key on your app.

Optionally, you may request a question set to ensure the person submitting the identity information is the owner of the identity. See BlockScore documentation on implementing question sets.

For app developers with little server development experience, services like Parse provide an easy way to run the necessary server software to support your apps.


As with any good system design, there are some important points to ensure user data is protected. This post goes through the basics of how to use BlockScore ID verification in an app.

Using BlockScore in an app


Technology has evolved so rapidly over the past few decades, it can be hard sometimes for businesses to keep up. KYC is an essential part of many industries, but the slow nature of manual or in-person KYC doesn’t mesh with the demands of the modern customer. Efficiency and speed are the norm, and everyone is used to nearly instantaneous results.

With eKYC, or electronic know your customer processes, this instant gratification is closer to reality. Thanks to eKYC solutions, the process of customer authentication has gone digital. With the help of eKYC, finance, retail and other industries are able to keep up with the demands of their customers.

In order to keep up with this new era, you may be wondering where you should start. The choice of a KYC solution is one that shouldn’t be taken lightly. In this blog, we’ll define what exactly eKYC is and how it’s different from the traditional process, describe the different security and authentication methods and help you decide on the best verification solution for your needs.

[Get Started with Cognito](https://playground.cognitohq.com/signup)

## The Meaning of eKYC

eKYC, as we mentioned, is electronic know your customer. If you’re already familiar with the legacy KYC process, you know that it involves verification of certain customer information that proves their identity. This process is typically slow and painful for both the company and the customer. With eKYC, you can create a digital identity profile and verify remotely and online.

The impact of eKYC is that companies no longer are tied to the frustrations and slowdowns that come with the typical KYC regulations. KYC has evolved, and eKYC helps companies comply with KYC standards while still maintaining a high level of security.

## What’s different about the process?

eKYC is a much more efficient, effective process than the traditional know your customer process. With eKYC, there are a lot of differences that make it much better overall.

Here are the biggest differences between eKYC and the older way of doing things:

- eKYC is remote and paperless.
- eKYC is automated.
- eKYC happens almost instantaneously, saving time and money.
- eKYC uses digital authentication methods, such as biometrics, ID verification and more.
- eKYC avoids the usual bureaucracy involved with KYC.
- eKYC uses digital security measures to ensure information remains safe.

The advantages of eKYC allow you to save time and money, and they make for a better customer experience. Of course, the biggest difference between KYC and eKYC is the near instantaneous verification. In traditional KYC methods, verification can be an arduous process that takes time out of the day for your customers, employees and everyone else involved in the process.

## Digital Security Applications: Identity, Finance, Documentation

When you use eKYC, digital security is going to be of the utmost importance. People are already wary of sharing their information online, so you have to make sure your customers are comfortable and earn their trust. High levels of digital security will keep your data from falling into the wrong hands. Typically, in the KYC process, customers will share sensitive information involving their identity, financials and other forms of documentation.

All of this information is something that people won’t be readily sharing online, so you have to make sure digital security measures like comprehensive security and compliance are regularly audited by your chosen authentication app. Encryption for sensitive values is also essential.

No matter what sector you’re in, you have to make sure your eKYC solution is secure. KYC is commonly used in banking, investing, retail and government agencies. Whichever industry you’re working in, your customers’ data is important to protect. You need to prioritize security to keep your business’s reputation intact and to keep your customers’ data safe.

## Your Best Options for Authentication

Keeping all of the above information in mind, you might be wondering which way you should go for your authentication solution. There are a lot of ways to authenticate in accordance with KYC compliance, but some are much better than others.

If you’re wanting to choose among some of the most common options, here is what many companies use:

**Knowledge Based Authentication:** Many people are familiar with knowledge based authentication. This is where users are asked questions that only they know the answers to in order to prove their identity. There are two types of knowledge based authentication: dynamic and static. Static is where the questions are provided by the users, and dynamic is where questions are pulled from databases. The problem with KBA is that even the more secure method, dynamic KBA, is vulnerable to hacks and data leaks.

**Biometric Based Authentication:** Biometrics have advanced rapidly and now have become a fairly reliable form of authentication. Biometrics use your physical — and in rare cases behavioral — signifiers to verify your identity. Things like your facial shape, retinas, fingerprints and more can be used as a biometric signature. Although you’d think that this is extremely secure, since only you have these signatures, this data is still collected and stored, meaning it’s vulnerable to leaks. Biometric data is something you don’t want hackers to have, so this makes this solution less than ideal too.

**Key-Pair Based Authentication:** If you’re familiar with cryptocurrency, this is one of the primary authentication methods. This provides customers with a public and a private key. Their public key is used for transactions, and private keys are what the customers use to access their account. The private key isn’t meant for sharing. The issue with this method is that it isn’t uncommon for users to lose their private key and thus everything stored in the account involved with it.

**ID Based Authentication:** Although this is one of the simplest forms of authentication, it’s also one of the most secure and effective. With ID based authentication, initially all customers need to do is provide their name and phone number. They’re then immediately prompted by their phone to prove their identity. This makes things much easier for the customer as well.

The choice of authentication method is up to you, and you should always choose what works best for your company. But remember to keep in mind your customers’ onboarding experience and their information security. You want to make onboarding as easy as possible for them and make sure their information is always safe. The combination of these two factors is going to be the most important consideration.

## Advanced Solutions From Cognito

Cognito provides advanced authentication solutions that allow you to make the customer onboarding process seamless and frictionless. With Cognito’s identity verification solution, your customers can be verified quickly and securely.

Cognito is a comprehensive authentication solution that offers identity verification, ongoing screening and business verification. If you’re wanting to automate your KYC, protect your business against fraud and protect your organization’s reputation, then Cognito can help.

Best of all, Cognito makes it easy to integrate our API with your existing onboarding processes. By seamlessly integrating our powerful KYC tools, you can ensure that KYC is easy for both you and your customers.

If you’re interested in the most comprehensive, secure and easy-to-use authentication solution possible, then choose Cognito. Get in touch with a member of our team to learn more about how Cognito can help you bring your KYC process into the new era.

[Get Started with Cognito](https://playground.cognitohq.com/signup)


Technology has evolved so rapidly over the past few decades, it can be hard sometimes for businesses to keep up. KYC is an essential part of many industries, but the slow nature of manual or in-person KYC doesn’t mesh with the demands of the modern customer.

A New Era: Electronic Know Your Customer Verification


[KYC](/use-cases/kyc-verification) is an important process, especially in banking and financial industries. Without the proper KYC protocols in place, banks open themselves up to a multitude of regulatory issues and problems. If banks don’t adhere to KYC properly, they also open themselves up to heavy fines.

In this blog, we’ll go into further depth about the various facets of KYC in banking. You’ll learn the definition of KYC, why it’s especially important for banks and how you can improve your current KYC processes.

## KYC: A Quick Definition

First, let’s clearly define what we mean when we’re talking about KYC. KYC stands for “know your customer” or sometimes “know your client.” Know your customer has quickly become mandatory in banks and other financial institutions. The KYC process involves verifying the identity of a customer when they open a new account. Banks need to make sure that customers are who they say they are for a variety of reasons, which we’ll get into.

The important thing to know is that without know your customer in place, it would be easier for people to take advantage of the banking systems. KYC protects banks and the customers they serve. If a customer doesn’t meet KYC standards, a bank is required to turn down their request to open an account or require further identification and verification from the potential customer.

## Why It’s Important for Banks

Know your customer protocols are extremely important in banking. Without KYC, it would be far easier for crimes like money laundering, terrorism funding and corruption to occur. It’s completely on the bank or institution to comply with the know your customer protocols. Failure to do so can not only result in huge fines for the bank in question but also a massive blow to reputation — not to mention failing to prevent the aforementioned crimes, which can damage and affect people, businesses and communities.

## Reliable Source of Documents

When a customer opens an account, KYC requires the bank to check the proper documents and information in order to verify their identity. It’s on the customer to provide these credentials or they may be denied service. Typically, customers will need to provide information and documents that prove both their identity and address. In addition, corporations have to go the extra mile when opening an account. They’re required to provide social security numbers and photo IDs for employees, board members and shareholders of the company.

## Protect Against the Risks of Money Laundering

[Money laundering](/products/watchlist) poses one of the biggest risks when there is a lack of KYC protocols in place. Money laundering is especially dangerous, because the money that is cleaned can be used to commit illicit activities, not the least of which is funding terrorist activities. In order to tamp down on money laundering, higher levels of due diligence need to be put in place. This is done through risk assessment of any potential customers.

With risk assessment measures in place, a bank is able to understand how exposed an individual person or a beneficial owner of a business is to financial crimes. Depending on their financial dealings and their levels of influence and access, they may need to have their financial activities more closely monitored than your typical individual account. With this kind of screening in place, banks are able to catch suspicious activity much faster and prevent money laundering on a much larger scale.

## How Banks Frame Their Know Your Customer Process

Banks need to be up front and transparent about their KYC protocols, but that doesn’t mean they have to feel difficult for new customers. Typically, banks will go through the required documents with the customer and let them know what they’ll need to provide in order to open an account.

Most people have an understanding of the need for KYC measures, so it often isn’t a problem. If it is an issue, it’s unlikely the bank would want to take on that risk either way.

## How Banks Verify Identity

Banks can verify identity in a number of ways, but the primary methods are with photo ID, social security numbers and proof of address. A combination of identifying documents allows them to check that the customer is indeed who they say they are and minimize risk for the bank. Making sure to do due diligence also helps the banks stay on top of their at-risk customers.

Electronic know your customer (eKYC) is also becoming increasingly popular. This is especially the case with more people needing to set up their accounts remotely. Of course, electronic know your customer is seemingly a more difficult prospect for banks. It stands to reason that being unable to verify identity in person makes a bank more exposed to risk. Let’s talk more about eKYC and how it’s developing in the modern world.

## What About eKYC?

Digital onboarding is quickly becoming the latest KYC issue for banks. Obviously, you need to be able to offer this kind of service, but how do you do it? Sending in identification and proof of address is essential, but other measures need to be in place to prevent fraud. Many banks started to rely on facial recognition and biometrics in order to further identify potential customers.

Built with security and privacy in mind, eKYC solutions can work well, and securely verify the identities of new customers. Cognito Flow, for example, quickly and securely verifies your users' identities -- around the world -- with a customizable mix of data source, documentary, and liveness (selfie) verification. With all three verification methods enabled, you can be sure that the person who is signing up for your service is who they say they are.

## Try Cognito for Free Today

[Cognito Flow](/products/flow) is the most innovative KYC solution available to banks, financial institutions and other organizations. With Cognito, you’re able to accurately verify identities and adhere to KYC protocols all without being invasive. In fact, we built Cognito to increase your sign up conversion rate. All Coginto requires to start is a full name and phone number -- though you can request other forms of identification, like government IDs and a selfie check -- if you require them. Our software is then able to check this information against various independent databases to confirm the identity of the individual or entity. We even offer politically exposed persons (PEP) screening tools to further secure your KYC protocols. If you’re interested in seeing how Cognito can help your bank with KYC, get in touch with us today. You can give Cognito a try for free and see what a difference it can make.


KYC is an important process, especially in banking and financial industries. Without the proper KYC protocols in place, banks open themselves up to a multitude of regulatory issues and problems.

What Is Know Your Customer in Banking?


KYC, or know your customer, is an essential part of the customer onboarding process. Modern businesses need to make sure they’re complying with the latest KYC regulations. But what is KYC verification, exactly? How has it changed for the modern landscape? Is KYC the same in 2021 as it was in 2020?

These are all good questions to be asking, since it’s extremely important to stay on top of these regulations. Businesses need to make sure they’re doing everything they can to stay in line with KYC, not only for their own security but for the security of their customers as well. In this blog, we’ll provide you with a clear definition of know your customer, discuss which industries need it most and suggest the most advanced KYC software possible to keep your business on track.

[Get Started with Cognito](https://playground.cognitohq.com/signup)

When a company gets to know their customer, they need to do the following things:

- Establish and verify the customer’s identity through some form of authentication
- Obtain CIP, or customer identification program, information. This information can include name, date of birth and address.
- Establish due diligence and monitoring. In the financial sector, part of KYC is determining whether a customer is at risk of money laundering, terroism funding or a number of other illicit activities. If their risk profile is higher, then higher levels of monitoring are required.

Knowing your customer means ensuring that you’re dealing with a real person and knowing the inherent risks of dealing with that individual. The typical methods of KYC are slow, inefficient and frustrating for all parties involved. Modern companies need modern KYC solutions. If you need a KYC program in 2021, you need to make sure you’re doing everything you can to keep your systems relevant.

## Security and Compliance

Many industries, both financial and non-financial, must adhere to KYC compliance at some level. But KYC doesn’t just end after you’ve verified that your customer is who they say they are. In order to maintain optimum security and follow compliance regulations, ongoing actions are often needed. Here’s how that works.

**Low-Risk Customers:** If you’ve finished the CIP process, authenticated a customer and determined they are low risk, then you can just continue to follow basic compliance. This means making sure you update their information as necessary and you keep track of their risk status. Once a customer is determined to be low risk, they’re ready for onboarding.

**High-Risk Customers:** High-risk customers will require an extra level of due diligence, and more information will need to be collected. These clients are people whose business or occupation puts them at higher risk for financial crimes. They’ll require a more comprehensive investigation of their identity, their transactions and more.

With the right tools and resources, it can be a lot easier to handle and keep track of these higher risk customers. You don’t want to leave these factors up to chance, so it’s essential to use a dynamic KYC solution that has you covered on all fronts.

## Monitoring

Keep in mind that once you identify a customer as high risk, you need to continue to monitor them in order to adhere to KYC. This means you need to monitor them and also re-screen them in order to reassess their risk factor. Not only do you need to re-screen your high-risk customers, you also need to re-screen all of your low-risk customers regularly. They’re able to change their risk status as well, and if you miss their status changing, you risk being in violation of KYC compliance.

Re-screening all of your customers on an ongoing basis isn’t an easy feat. But with the right authentication solution, you can automatically re-screen your customers and never be in the dark about risks.

## Identity Verification Processes

Now that we understand how KYC works, let’s talk about the different identity verification processes available for non-financial and financial services.

There is a wide variety of customer authentication processes out there, but these are some of the most common.

**Knowledge Based Authentication (KBA):** Knowledge based authentication is extremely common — but also very flawed. With knowledge based authentication, questions are pulled from public records or customer-provided data. The customer then answers these questions to prove their identity. This method is prone to data breaches and hacks, however.

**Certificate Based Authentication (CBA):** Certificate based authentication requires clients to send documents that prove their identity. Things like bank statements, driver’s licenses and passports can be used. This process can sometimes be slow and inconvenient for customers.

**Biometric Based Authentication (BBA):** This is authentication that uses your physical biology — and very rarely behavioral signifiers — to verify your identity. Things like facial scanners, voice identification, retina or iris scans and fingerprint scanners are commonplace for this type of authentication. You wouldn’t think so, but these biometric signatures can also be prone to data collection and hacks. Since the information is gathered in a database, it can still be leaked. And the last thing you want hackers to have is biometric data, since you can’t change it.

**ID Based Authentication:** ID based authentication involves providing your full name and phone number in order to verify your identity. This is a fast, user-friendly and secure way to authenticate, since it requires you to prove your identity in real time. Although ID based authentication seems very simple, it’s also one of the best ways to verify your customers, and it provides your customers with one of the most seamless experiences.

Although these aren’t the only ways to authenticate your customers, they’re definitely some of the best known and most widely used. Which authentication process your company uses is going to depend on what works best for your customer base, but in general it’s best to choose something that goes well with your customer onboarding process and provides you with all of the tools you need to be as efficient and secure as possible.

## Applications for Authentication Solutions

Authentication solutions are necessary now more than ever. In order for businesses to keep up, they need authentication solutions that provide them with seamless, user-friendly and reliable authentication. If your industry requires KYC, you can’t afford to be doing things manually.

If you truly want to ensure you meet KYC compliance, ensure you provide a good experience for your customers and ensure you’re keeping their data safe, then you need a secure and reliable authentication solution. With the right authentication solution, you can take all of the pain and tediousness of the traditional way of doing things. This is better for both you and your customers.

These are some of the industries that can benefit most

### Banking and Investment

The financial sector is the reason that KYC exists in the first place. In order to reduce their own risk, banks and investment firms needed a way to understand the risks of taking on certain customers. Banks and financial services can’t afford anything less than the most efficient, secure KYC solutions out there. These solutions allow you to provide your customers with frictionless service while also maintaining high levels of security.

With an authentication solution, banks and investment companies can get a comprehensive picture of their clients, assess their level of risk and monitor their activities based on this assessment. With user authentication software, all of these processes can be made simple, automated and secure.

## Online Retail Sales

Ecommerce is another industry that can benefit from KYC solutions. With KYC compliance, you can avoid credit card fraud, payment fraud and more. It’s becoming increasingly important for online retail to have effective KYC so they can avoid pitfalls like this.

An authentication solution that is user friendly and efficient is essential. Online retailers depend on their customers making the decision to buy and not having many roadblocks to go through with the transaction. Don’t add obstacles for your customers by having difficult-to-use KYC that isn’t as effective as other approaches. When there are good solutions out there, there’s no reason to use methods that cause issues for your customers.

With automated and quick KYC, frustration and abandoned carts can be avoided.

### Insurance Companies

There are a number of issues that could happen if insurance companies don’t have proper KYC regulations in place. Without a KYC solution, insurance companies risk insurance fraud, money laundering through claims, cases of stolen identity, fake accounts and applications and more.

Fraudulent accounts and claims can lead to your company having to deal with tons of compliance issues, paying fines and managine the fallout. With the right KYC solution, you can avoid this happening.

With a KYC solution, insurance companies can verify their customers, assess their risk and monitor activity much more easily. This ensures that they don’t spend money on fraudulent claims and that errors with compliance can be completely avoided.

### Government Agencies

Government agencies are going to need to follow strict KYC regulations in order to keep their accounts safe, secure and verified. With the right KYC solution, you can ensure KYC compliance is met, no matter how strict the requirements. It will make it simple for you to get the account information verified without having to go through the typical, arduous process of manual verification.

## Deploy Advanced KYC With Cognito

No matter what level of KYC you need, a customer verification platform like Cognito can help. Cognito includes advanced KYC tools, such as screening, re-screening, automated compliance, high-level security and much more.

Cognito is a modern solution for modern businesses. No matter how fast your business grows and no matter what your customer onboarding process looks like, Cognito can seamlessly integrate with and grow with your company. When you use Cognito, you’ll see how much more efficient, effective and secure your business processes can be.

Cognito eliminates the old legacy way of verifying customers. With Cognito’s advanced technology and platform, you can make KYC simple. Never have to deal with slow, manual KYC again. Ensure that your customers are authenticated and ensure their information is safe at the same time. Your customers will also have a much more seamless and pain-free experience.

In short, Cognito makes everything easier for both you and your customers. If you’re looking for a modern KYC solution, then Cognito can provide you with the tools you need.

[Get Started with Cognito](https://playground.cognitohq.com/signup)


Modern businesses need to make sure they’re complying with the latest KYC regulations. But what is KYC verification, exactly? How has it changed for the modern landscape? Is KYC the same in 2021 as it was in 2020?

The Fundamentals of Verifying Know Your Customer Information


For financial institutions, an inadequate Know Your Customer (KYC) policy can lead to significant monetary loss due to fraud, fines, and negative publicity. While it has become standard practice for financial institutions to require clients to provide detailed information to ensure that they are not associated with illegal activities such as fraud, terrorist financing, corruption, or [money laundering,](https://www.finra.org/rules-guidance/key-topics/aml) the big question is if your KYC procedures robust enough to protect your business from bad actors?

### Verify Customer Identity

The first step to establishing a strong KYC procedure is to create an effective customer identification program (CIP). The purpose of a CIP is to allow the company to say with a reasonable amount of certainty that their customer is who they say they are. The basic information to verify for a CIP is:

- Name
- Date of birth
- Address
- Government-issued ID number (such as social security number or passport)

It is essential that this information is confirmed within a reasonable timeframe to quickly identify bad actors and maintain a smooth onboarding process for your law-abiding customers. Many companies use electronic identity verification for this purpose.

If your current process is high friction and/or generates a lot of support tickets, those are signs that your business should reconsider its CIP.

### Screening

Once a customer’s identity is verified, the next step of the KYC process is to screen them against lists of high-risk individuals issued by various government agencies around the globe.

It is also necessary to screen for customers who are _not_ associated with illegal activities, but, due to their social position and access to wealth, pose increased risk for bribery or money laundering. These individuals are known as Politically Exposed Persons (PEPs). Based on the findings of the screening, the customer is given a risk rating, which helps the company decide how closely to monitor the customer’s activity or whether to do business with them in the first place. Naturally, individuals in high risk categories are subject to a higher level of scrutiny. Your business should reconsider your screening service if you have issues with false negatives (or false positives) during the screening process, leading to bad actors slipping through the cracks or false positives creating too much review overhead.

### Ongoing Monitoring

The final step to a KYC procedure is to realize that KYC is an ongoing process. Just like how your company changes over time, so do your customers. Customers who were previously in the low risk category may transition to a high risk category, but the only way for you to realize that is to conduct frequent re-screening.

Given the number of customers that need to be monitored, it may be impossible to process manually. Thankfully, with modern technology, re-screening can be done in a matter of seconds.

### KYC Verification with Cognito

There’s a lot of ways for financial institutions to end up in hot water over inadvertently aiding a bad actor. That’s why forward-thinking companies maintain a robust KYC program. Together, Cognito’s [Identity Verification Service](https://plaid.com/products/identity-verification/) and [Watchlist Screening](/products/watchlist/) make the complexities of KYC verification simple. Cognito makes identity verification frictionless for you and your customers by beginning the verification process with as little as a name and phone number. Our identity verification protects against fraud, and is designed to integrate easily into your CIP based around your compliance requirements. Our Watchlist Screening uses extensive regulated databases from around the world to catch all kinds of bad actors and PEPs. Our screening extracts more than just names, allowing you to better understand the quality and likelihood of a watchlist-match. Cognito also makes sure that your company’s KYC procedure is an ongoing process rather than a one-off check. Our system automatically re-screens hundreds of millions of users per month, with ease, to catch any changes in their status. Cognito keeps track of how watchlist hits on your customers change over time, giving you a detailed breakdown of new names, locations, passports, dates of birth, and everything required to protect you from fraud. Craving the power of optimization? Cognito’s frictionless identity verification and watchlist screening are designed to fit seamlessly into your KYC process and protect your company, automatically. [Contact us](/contact/) today to learn more.


For financial institutions, an inadequate Know Your Customer (KYC) policy can lead to significant monetary loss due to fraud, fines, and negative publicity.

What is Required to Know Your Customer?


Today’s financial service providers are turning to digital apps and platforms to deliver seamless experiences for end users. But shouldn’t these platforms make life better for the people implementing them as well?

In our opinion, a platform isn’t a viable solution unless it improves developers’ workloads too. And this was a top priority for CEO Alain Meier when he co-founded Cognito.

“The whole reason we started the company was because we were consumers of the existing APIs and systems that Cognito’s competitors had created, and we had an absolutely horrible developer experience,” he explains. “I’m a developer — so is our CTO — and we saw a big opportunity to make a more developer-first verification system.”

When it comes to accessing third-party APIs, developers typically face two main challenges:

- **Automated solutions that operate as a black box** where the system’s behavior can’t be understood in a systematic or deterministic way — often because the abstraction has been programmed awkwardly without any thought for the end user experience.
- **Slow API response times**, because whoever built the solution didn’t care to optimize the API to operate with the efficiency that developers need.

Meier and team set out to change all that with Cognito’s identity verification (IDV) product. With the Cognito team, he focused on building extensive documentation and clear abstractions of identity concepts, a flexible API compatible with multiple programming languages, and a quick sign-up process. Here’s why that’s great news for developers.

## Easier for developers, easier for everyone

To solve common API frustrations, Meier and the Cognito team designed our API to be as developer-friendly as possible. We understood that by making it easier for the people building the software, Cognito supports both our customers and their clients.

It started with a simple premise: [the phone number is the ideal factor for IDV](/blog/why-phone-numbers-are-the-best-path-to-provable-possession/). “It’s so strong to be able to connect someone’s real-world identity with a verifiable number, which is the phone number,” says Meier. “Our customers can send their users a one-time SMS code to confirm that the user is in control of their device, and then Cogntio links that phone number to someone’s identity. Just that process alone increases the barrier to entry to fraud significantly.”

Anchoring IDV on a phone number eliminates many of the integrations that would otherwise be needed to comply with anti-fraud protocols. Developers often cobble together IDV solutions from several unrelated technologies in an attempt to provide a stronger signal about the end user’s identity. With Cognito, Meier notes, “We let you get an extremely strong signal with our single integration, which you can always tack on top of additional APIs — but for a lot of our customers, that’s not even a requirement anymore.” Score one for efficiency!

The Cognito team also set out to build a fast API. This focus on speed makes the application more responsive and user-friendly, increasing conversion rates and improving the developer feedback loop. “If you don’t have to wait as long to do a test call, it becomes faster to develop things,” says Meier.

## The documentation you need, when you need it

The Cognito team prioritized in-depth documentation from the start, with OpenAPI specifications to ensure that all aspects of the program could be easily understood by developers. “We wanted to make sure there was no situation where the API behaves one way and the API documentation says it behaves in a completely different way,” he says. “That’s exceedingly common in non-developer-centric APIs where it wasn’t correctly documented in the first place, and makes for a very annoying developer experience.”

Cognito’s [thorough documentation](/docs/) makes the integration process much faster and less frustrating for developers. Integrations are more likely to be done correctly the first time, preventing breakdowns in the future when edge cases come up. This result is reduced friction for Cognito customers and their end users, as they don’t require constant fixes or support on the basics.

## An API that’s transparent and accessible

A lot of API code is inflexible and operates like a black box — aside from an extremely high level match code, its processes are opaque. Cognito is different because it empowers developers to drill down into each of the individual components that make up an identity, and if an identity is unable to be verified, they can easily understand why.

“Developers like to have clear, consistent, deterministic responses,” explains Meier. “And we’ve done our best to make sure responses are as deterministic and understandable as possible, and that there are no surprises.”

Meier and the Cognito team also made sure to produce API client libraries in several different programming languages. “By providing those libraries, 95% of someone’s integration is already written for them, which makes it much easier to get started,” he says.

## On-hand support so you can keep building

Another Cognito differentiator is that developers can start experimenting with the Cognito API without having to talk to salespeople or sign contracts; they can simply go ahead and sign up for API keys. “This is a huge boon for people looking to get started quickly and evaluate if the solution will be good for them,” says Meier. “It’s definitely not something that the vast majority of our competitors would do.”

To further streamline efficiencies for developers, Cognito’s customer support is constantly available. “We make Slack rooms for all of our clients, so their developers and our developers can be in the same chat space and ask questions whenever they come up. We’re there to work through any integration questions they have about the product,” says Meier.

An ongoing relationship with development teams is important to Meier, as it’s not unusual to encounter unique edge cases when it comes to identity data — and sometimes these are discovered after a customer has already launched their product. “We’re not with them just for that original launch period,” he notes, “but through the lifetime of their customer relationship with us.”

For developers needing to implement responsive, deterministic IDV, Cognito addresses the common frustrations sparked by so many other solutions on the market. By keeping developers front and center, we ensure they can create a better product faster.

[_Try out our free trial today_](https://playground.cognitohq.com/signup)_, and see how Cognito can make your development life easier._


Today’s financial service providers are turning to digital apps and platforms to deliver seamless experiences for end users. But shouldn’t these platforms make life better for the people implementing them as well?

Why Cognito IDV Prioritizes Developer Experience


What’s the one thing you almost always have with you? Probably your cell phone. That’s one of the reasons why phone numbers are powerful and trustworthy credentials for confirming identity. While no system of identity verification (IDV) is perfect, you might be surprised to learn that your phone number may be the most secure — and convenient — option.

Let’s look at some of the challenges inherent in various forms of IDV and how, when it comes to phone numbers, [Cognito](https://plaid.com/products/identity-verification/) gives businesses a quick and secure path to identity authentication.

## Documentary verification is outdated

Documentary verification is the traditional type of IDV — and like all old methods, it adds friction for users and can deter them from finishing the sign-up process. Typically, customers are asked to present their government-issue ID, such as a driver’s license or passport.

While this can be done remotely, it requires customers to not only upload documents, but they often have to take a selfie _with_ the paperwork [to prove that it’s not a forgery](/blog/identity-verification-services-the-complete-guide/). Considering the amount of glitches that can occur in a documentary verification — from overexposure to blurriness to simple document deterioration — businesses stand to benefit from leaving paperwork in the past.

## Knowledge-Based Authentication has a questionable legacy

Have you been stopped by security questions when paying your phone bill or signing in to online banking? This is called Knowledge-Based Authentication (KBA), and [there are two types](https://www.forbes.com/sites/forbestechcouncil/2018/01/22/everybody-knows-how-knowledge-based-authentication-died/#fdb640d4eee3):

- **Static**, where you’ve selected your own security questions and provided the answers
- **Dynamic**, where questions and answers are drawn from legally obtainable documentation such as credit reports, direct marketing databases, and customer surveys

Unfortunately, your static KBA questions and answers — as well as the information that dynamic KBA is derived from — are stored on databases that can easily be hacked. In fact, there are darknet markets where [fraudsters can buy datasets](/blog/ssn-from-a-phone-number/) filled with this information at minimal cost.

Not to mention, your static KBA answers can often be uncovered through a Google or social media search. Simply put, this is a surprisingly weak source of authentication.

## Biometrics aren’t bulletproof

Conventional wisdom might hold that biometric verification is best: common methods include fingerprints, facial recognition, voice recognition, retina scans, or iris scans. The big selling point is that these factors are unique — but that’s also their biggest weakness.

Biometric data can’t simply be changed like a PIN or password if it’s stolen or replicated. And did you know your biometric identifiers can deteriorate due to physical alterations or injury?

Beyond that, biometric readers can be tricked. There’s no telling how far modern hackers will go, but in theory, anyone following you around could get their hands on your identity because no other authentication factor is [physically visible and photographable in the same way](https://www.csoonline.com/article/3330695/6-reasons-biometrics-are-bad-authenticators-and-1-acceptable-use.html).

You leave your fingerprints everywhere you go. They can be lifted from a glass or a door handle, and researchers have been able to [generate fake fingerprints](https://www.theguardian.com/technology/2018/nov/15/fake-fingerprints-can-imitate-real-fingerprints-in-biometric-systems-research), building an identity-hacking “master key” with a success rate of one in five.

Biometric systems are also in an arms race against hackers, as synthetic videos and media — known as [deepfakes](https://www.cnbc.com/2019/10/14/what-is-deepfake-and-how-it-might-be-dangerous.html) — create more convincing simulations of faces and voices. Even iris scanners have been fooled by covering a detailed picture of an eye with a wet contact lens. The bottom line is that even if biometric data seems more secure than other factors, it can still be replicated and stolen by nefarious parties.

## The power of the phone number

In the past, phone numbers have been problematic for identity verification because they can change or be stolen in data breaches. But when used properly, they can prove more secure than other IDV methods.

Phone numbers can be used to unlock a wealth of data from official, regulated sources. Connecting the dots of this data, the Cognito API forms a complex user profile for your customers, while remaining compliant with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations.

With these additional layers of assurance taking place behind the scenes in real time, Cognito helps businesses reduce fraud, actively flagging suspicious activity. By implementing a one-time passcode to authenticate a device, companies can use the [Cognito IDV product](https://plaid.com/products/identity-verification/) to confirm users are who they say they are — and are in possession of their phones at the time of sign-up.

When you only have one data source to rely on, there are serious risks to your identity verification capabilities — but by connecting a variety of regulated, authorized sources of information, a phone number is your best bet for secure, frictionless, and real-time IDV.

_Protect your business with_ [_the only identity verification service that starts with just a phone number_](https://plaid.com/products/identity-verification/)_. To learn more,_ [_get in touch_](/contact/) _— we’re here to answer your questions._


What’s the one thing you almost always have with you? Probably your cell phone. That’s one of the reasons why phone numbers are powerful and trustworthy credentials for confirming identity.

Why Phone Numbers Are the Best Path to Provable Possession


You have a new killer website or app where your users can get right down to business after completing a standard sign up form. Sounds great, right? Then why are mobile abandonment rates so high? The number users who view your site on their mobile phones is enormous and growing. If you’re tired of leaving money on the table when frustrated users ditch your lengthy mobile signup flow, it’s time to take action. Cognito can help.

It’s no secret that the attention span of millennials can be a short, and that’s ok. Who wouldn’t get bored with a ten field sign up form that needs to be verified by 12 different forms of government ID and all three of your neighbors? That might be a slight exaggeration, but the point is, the more fields there are to fill out in your signup, the higher your abandonment rate is going to be.

We’re all avid phone users, we love using our mobile devices for so many things because it’s easy. Want to order a pizza? No problem. Need to do some shopping? Two clicks and done. Want to apply for a loan? 12 forms of ID and your right arm please.

## What can you do about it?

By making your verification process easy. All you’ll need is your customer’s name and phone number. No wasting time with sending scanned pictures of IDs or making unnecessary visits to the bank just to show you’re really who you say you are. Cognito has developed an automated way to reliably pull back rich, regulated KYC data including name, date of birth, SSN, past addresses, and more with just a customer’s phone number. Our goal is to help you decrease customer abandonment and increase your profits.

Using a powerful ID verification method is a proven measure that leads to a higher conversion rate. Don’t leave money on the table by distracting your valued leads with a lengthy signup flow. In a world where attention comes at a premium, you can’t afford to lose customers simply because the verification process is too long. Cognito is the solution for improving your mobile signup conversion rate.

If you want to dramatically decrease your signup abandonment, see [Cognito](https://www.cognitohq.com/).


You have a new killer website or app where your users can get right down to business after completing a standard sign up form. Sounds great, right? Then why are mobile abandonment rates so high?

Why Startups Get Millennials and You Don’t


Most people [don’t read terms of service](https://tosdr.org/). For some products, it’s not a huge deal - but for ones like ours, it’s imperative that our customers understand what they’re agreeing to. It’s easy to obfuscate your terms of service and update it on a whim forcing your customers to manage their own copies of past terms and create their own red-lined comparisons.

We at BlockScore want to take a different approach to our public contracts. We believe that the burden of contractual clarity is on the seller, not the buyer, so we maintain all of our most important contracts, like our terms of service and privacy policy, in [a version controlled repository on GitHub](http://github.com/blockscore/legal). Not only does this allow customers to track changes that occurred since they signed up, but it also gives them the ability to understand how and why our contracts have evolved to become what they are today.

Our industry, the identity information space, has very complex and stringent regulations. As a result, our contracts and those of our competitors can be difficult to keep track of. We hope that by putting our standard contract online in an easy to understand, versioned format we will be able to help our customers save money on legal overhead. When your customers better understand what you expect of them, they are also better able to comply with your requirements.

We don’t believe that our industry is unique. Many companies can benefit from having more open and transparent contracts. At its most basic level, version controlling your company’s terms of service requires very little work but pays dividends for your customers.

## Plans for the future

At the moment, we work with our lawyer to draft new versions of our contracts and then upload the new version in one commit. In the future, we would like to be able to break each change down into its own individual commit affording us the ability to explain every change that occurs. Of course this requires more resources and time, so it will remain something to aspire to for now.

You can read the latest version of our terms [on our website](https://manage.blockscore.com/legal/terms).


Cognito Broadcast

How to Prevent the T-Mobile (or Experian or Target) Breach from Happening Again

What Current and Past T-Mobile Customers Should Do Now

The Future of Identity Security

Ready to get started?