KYC, or “Know Your Customer,” refers to the due diligence processes used to verify customers’ identities. KYC is completed not only when a company is first introduced to a customer, but also during various times throughout the customer/company relationship. Financial institutions use various KYC strategies as part of their required effort to ensure that none of their customers are engaged in terrorist financing (as is required for OFAC compliance), international money laundering (as is required for AML compliance), and other forms of fraud. Of all the KYC strategies that companies use, one of the most popular is to require that customers pass a knowledge-based authentication process prior to servicing the account. 

A knowledge-based authentication process uses either static or dynamic data to verify a customer’s identity. In the static method, the customer knows in advance what exact knowledge they will need to provide. For example, to reset their password for their online banking account, they have to supply the answer to the security question they chose at setup, such as “What is your mother’s maiden name?” In the dynamic method, the question is generated ad hoc, based on data from public and other proprietary sources – so the customer doesn’t know in advance what exact question(s) they will be asked.

Most companies train their customer service representatives (CSRs) to follow a multi-step knowledge-based authentication process for validating callers before proceeding with service on an account. CSRs are also trained to service customers quickly and keep them happy. Unfortunately, this can increase the risk of an information security breach via social engineering – when a fraudster, posing as their target (the account’s true owner), manipulates CSRs into granting access to the target’s account or providing private information.

Person-to-person interactions typically don’t undergo the same digital fraud checks as online transactions. Whether it’s because the caller becomes agitated, or is presumed to be “low-risk” because they passed some parts of the authentication process (usually with information trawled from the internet), CSRs may inadvertently share information that risks security with the intent of providing good customer service.

To avoid confusion and ensure KYC compliance, companies should have a flowchart of authentication steps with clear explanations of what CSRs should do when callers can’t provide the required information. To prevent CSRs from foregoing these steps out of concern for their customer satisfaction ratings, it’s important to ensure that managers are trained to understand social engineering and provide their staff with the necessary support during those scenarios. With those in place, you’ll be in a much stronger position to stop social engineering and protect customer data without sacrificing service when using knowledge-based authentication.