In the "Insic Update" series of articles, we offer a comprehensive overview of the software necessary to meet compliance requirements under German and European regulations.
All articles in this series are available on our multilingual overview page.
Challenges in Selecting Suitable ID Procedures
Trust in a user's identity is the foundation for the legally compliant processing of online transactions. Choosing the right provider(s) of identification solutions requires a deep understanding of identity verification processes if the decision is to deliver long-term value.
When selecting ID procedures, the classic five-step approach used for selecting software solutions must be expanded.
1. Positioning
Regulations require us to clearly identify ourselves in digital interactions. The chosen services must meet regulatory requirements, the precise interpretation of which presents a significant challenge.
In practice, we navigate a complex legal landscape, dealing with trade law, youth protection laws, the Interstate Treaty on the Protection of Minors in the Media (JMStV), the Interstate Gambling Treaty, the Interstate Media Treaty, the Money Laundering Act, the Payment Services Supervision Act, as well as various application and implementation guidelines. Additionally, each of the 16 federal states in Germany has its own standards and legislation. Ministries of the interior and local trade supervisory authorities often operate with varying internal standards. Further, institutions like the FSK, USK, KJM, GGL, FIU, and BaFin set guidelines for action within their respective regulatory frameworks.
While complete security in identification—especially in distance selling—is not always achievable or required by law, different confidence levels exist. These range from voluntary self-assessment (e.g., FSK/USK) to official authorisation (e.g., GGL, BaFin).
Without strong legal backing, all providers face significant regulatory risks that could jeopardise their business. After identifying the relevant legal requirements, a service provider must determine its risk appetite. In highly regulated markets, this includes assessing the risks of inaccurate identification. You must decide which risks can be consciously accepted, with consideration of the likelihood of occurrence, to meet business objectives. This requires determining affected processes and risk mitigation measures.
For instance, under KJM requirements in the JMStV, a 15% deviation in the spelling of names is generally allowed. As a provider, you must decide whether such deviations are acceptable or if stricter checks should be implemented—such as exact name matching with payment data to avoid payment defaults.
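To make the trade-off concrete, here is an added example (not code from insic or the article) that compares a registered name with a verified name under a configurable tolerance. It assumes the "15% deviation" is measured as a normalised edit distance over the full name, and models the stricter payment-data check as exact matching after normalisation; both rules are assumptions, not the KJM's definition.

```python
"""Name comparison with a deviation tolerance (added example, not from the article)."""
import unicodedata


def normalise(name: str) -> str:
    """Lower-case, strip accents and collapse whitespace so that pure formatting
    differences (case, double spaces, umlaut encoding) do not count as deviations."""
    decomposed = unicodedata.normalize("NFKD", name)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return " ".join(stripped.casefold().split())


def levenshtein(a: str, b: str) -> int:
    """Classic edit distance (insert / delete / substitute), O(len(a) * len(b))."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def deviation(registered: str, verified: str) -> float:
    """Fraction of the longer normalised name that differs (0.0 means identical).
    Assumption: this is how the 15% allowance is quantified here."""
    a, b = normalise(registered), normalise(verified)
    longest = max(len(a), len(b))
    return 0.0 if longest == 0 else levenshtein(a, b) / longest


def names_match(registered: str, verified: str,
                strict: bool = False, tolerance: float = 0.15) -> bool:
    """strict=False: accept if the deviation is within the tolerance (default 15%).
    strict=True: require an exact match after normalisation, e.g. against payment data."""
    if strict:
        return normalise(registered) == normalise(verified)
    return deviation(registered, verified) <= tolerance
```

A transcription such as "Mueller" for "Müller" passes the tolerant check but fails the strict one, which is exactly the decision the text asks the provider to make.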
A thorough risk analysis should evaluate customer verification processes, handling of provisional identifications, confirmation of data changes, and renewed checks after identity expiry, as required by law. Given the number of departments and stakeholders involved, this analysis should ideally be supported by a risk management system.
2. Target definition
Key Performance Indicators (KPIs) such as success, cancellation, and conversion rates for individual procedures provide initial insights but are insufficient as the sole basis for selecting ID methods.
Different customer groups require tailored ID procedures with varying levels of testing. For instance, a method suited for the under-thirty age group (e.g., Video-Autoident) will lead to significantly different success rates in the over-sixty age group. There is no one-size-fits-all solution.
If you already use multiple ID processes, conducting a strengths and weaknesses analysis can help in decision-making. We recommend a thorough SWOT analysis for each ID method, followed by an overall comparison. This will allow you to better define the requirements for new ID processes, particularly addressing current weaknesses.
Start by determining a realistic target range for your desired conversion rate. Be practical, keeping in mind factors such as: 5% of new registrations may not want to enter real data, 10% may not enter correct data, 10% may prefer registering with competitors offering less protection, and another 5% may avoid using the available ID procedures. Based on these assumptions, achieving a conversion rate higher than 70% may be unrealistic. Moreover, opting for stricter protection measures may further reduce the conversion rate.
If you use multiple ID procedures simultaneously, the first method might achieve a 40% success rate, while the second and third methods contribute 20% and 10% respectively.
Introducing a new ID process to an existing mix often shifts success rates among the methods, making it difficult to predict overall performance. If a new method captures 20% of the share, it typically cannibalises existing methods, leading to a net improvement across all methods of perhaps 7%. If a leading method is moved from the first position in the front end to the last position, the share immediately falls by half. Try it out and then define your KPIs.
Find the right balance between meeting the needs of your target groups and complying with applicable regulations.
3. Preselection of ID procedures
Providers of online services are faced with a wide range of ID methods, each offering a different level of compliance. Understanding these methods and classifying them into appropriate risk categories requires extensive training.
Ideally, good user experience (UX) in the verification process should align with high verification quality. However, in practice, the most thorough verification methods often involve complex and expensive procedures, which may result in over-compliance for certain applications and do not always guarantee high conversion rates.
There are essentially five groups of ID procedures to choose from, each offering different forms of interaction depending on the specific application:
- Database queries – These range from simple location queries via services like Google to more comprehensive address verification through reliable third parties, such as SCHUFA.
- Interactive queries – These involve access to previous identifications stored in ID wallets, with user consent, or verification via electronic identification (eID).
- Fintech bank access – This method involves accessing bank accounts using open banking protocols to confirm identity.
- Video identification – An interactive process involving ID recognition through video chat, liveness checks, or selfie verification.
- On-site identification – This involves using identification processes at physical locations, such as lottery outlets or Deutsche Post's PostIdent service.
Decide which form of interaction is still useful or even necessary for your specific use case.
In addition to the requirements for individual ID procedures, data protection is critically important. A key criterion for selecting an appropriate ID service is the form of data storage, particularly regarding its location and duration.
We can distinguish the following data protection-relevant forms of technical processing:
- On-premise hosting: Data is processed and stored directly on your e-commerce or gaming platform.
- Private cloud hosting: Data is processed and stored on a cloud platform on behalf of and under the control of the provider. Examples include virtual servers hosted on platforms like Amazon Web Services (AWS), Microsoft Azure, or Google Cloud.
- External data matching: Data is sent to an external database for comparison, but is not stored. Only the result of the check is returned.
- Data transfer: Data is sent to an external database, stored for further use, and compared. The result is returned along with the user's data.
- External collection: Data is sent to an external ID-Wallet, where identification occurs. The result, along with updated user data, is returned. The Wallet operator retains the identity information for reuse.
Data storage in the first three forms of processing is typically unproblematic. However, the "data transfer" and "external collection" methods should be carefully evaluated by your internal data protection officer. It's important to assess whether sharing user data with a third-party service provider is advisable, especially when the provider could potentially enable easier access to competitors' platforms. In this context, you must evaluate the risk of contributing more value to the external database than you gain in return. The customer lifetime value (CLV) should factor into this decision.
Additionally, the technology used for data exchange is crucial for quantifying the effort and project timeline, especially when many interfaces need to be connected. Common data exchange formats include JSON, XML, and CSV, while additional authentication formats—such as passwords, certificates, or access tokens—must be implemented in line with ISO standards beyond basic network protocols.
In the German regulated gaming industry, for example, a typical identification process with three main procedures may require up to 15 external interfaces with varying technical specifications. Because of these differences in technical implementation, ID procedures should ideally be selected for their compatibility with similar technical standards.
4. Provider Selection
The selection of ID providers can be based on criteria such as regulation, risk appetite, KPIs, user-friendliness, data protection, data storage methods, and preferred technologies.
Beyond commercial considerations, the flexibility of different ID workflows must be evaluated in light of continuous market changes. Every year, approximately 20% of interfaces change fundamentally, and some ID providers either exit the market or withdraw from specific target markets. Many new providers are in the start-up phase, often funded by external sources, which offers maximum flexibility but also comes with implementation risks. Ongoing technology and release changes in ID processes contribute to a significant technical maintenance burden that must be managed by the service provider.
In addition to service availability, the optimal sequencing and parallelism of identification workflows must also be considered.
Once a process implementation decision is made, it must be continually reassessed and adapted for specific target groups. Comparative group tests place high demands on the ability to design open and flexible ID processes. Furthermore, constantly evolving regulations require a high degree of adaptability, often with tight deadlines for implementation. What is permissible today may become non-compliant tomorrow, subject to potential legal penalties.
ID procedures in a multi-step verification process, along with the respective verification results, dictate the next steps. There is no strict linear progression in verification; outcomes depend on the user's situation, the availability and quality of data, and regulatory requirements. The levels of identification are as follows:
- Identification failed: The user could not be verified using any ID procedure. Additional queries and data correction attempts were unsuccessful. Alternative verification methods should be offered.
- Identification partially successful: Some user data was verified, e.g., via external databases, but certain requirements, such as proof of genuine presence via face-to-face verification, are still missing.
- Successful identification: User data was unambiguously linked to a real person, and presence was verified through an appropriate method.
- Outdated identification: The age of the user data determines its validity. Depending on the regulation, profiles expire after one, two, or more years, requiring regular re-verification. If the initial identification used an ID document with an expiry date within this period, that date must also be taken into account.
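The non-linear workflow above can be expressed as a small evaluation function. This is an added example, not code from insic or the article: the field names, the two hypothetical regulatory validity periods, and the mapping from level to follow-up step are all assumptions chosen to illustrate the four levels, including the document-expiry cap on validity.

```python
"""Classify an identification into the four levels (added example, not from the article)."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Hypothetical validity periods per regulatory regime, in days (assumption).
VALIDITY_DAYS = {"regime_one_year": 365, "regime_two_years": 730}


@dataclass
class Verification:
    data_verified: bool                      # e.g. matched against an external database
    presence_verified: bool                  # e.g. video chat, liveness check or on-site
    identified_on: Optional[date]            # date of the (last) successful identification
    document_expiry: Optional[date] = None   # expiry of the ID document used, if any


def valid_until(v: Verification, regime: str) -> Optional[date]:
    """Validity ends after the regime's period, but no later than the document's
    own expiry date when one was recorded at identification time."""
    if v.identified_on is None:
        return None
    until = v.identified_on + timedelta(days=VALIDITY_DAYS[regime])
    if v.document_expiry is not None and v.document_expiry < until:
        until = v.document_expiry
    return until


def identification_level(v: Verification, regime: str, today: date) -> str:
    """Map verification results to one of the four levels described in the workflow."""
    if not v.data_verified:
        return "failed"
    if not v.presence_verified:
        return "partial"
    until = valid_until(v, regime)
    # A complete identification without a recorded date cannot prove validity,
    # so it is treated as outdated and sent to re-verification.
    if until is None or today > until:
        return "outdated"
    return "successful"


def next_step(level: str) -> str:
    """Follow-up action per level; the caller drives the workflow from this."""
    return {
        "failed": "offer an alternative ID procedure",
        "partial": "request proof of presence (video or on-site identification)",
        "outdated": "trigger re-verification",
        "successful": "grant access",
    }[level]
```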
Consider whether open workflow management to control ID processes is important for your operations.
If your customer base is homogenous and subject to simple regulations, you may opt to integrate long-standing service providers directly into your application via a dedicated interface.
However, for most service providers, the continual adaptation of parallel processes—such as those for new customers, existing customers, or scoring—remains an ongoing challenge in maintaining high conversion rates.
The Total Cost of Ownership (TCO) should be factored into the selection process. The variable costs of one to two euros per identification can be justified when considering the broader costs involved. The real concern lies in the costs associated with poor conversion rates in the identification process. In practice, customer lifetime values (CLV) range from 50 to 200 euros per new customer, while customer acquisition costs (CAC) can range from 20 to 50 euros per active user. Therefore, it is always worth striving for even marginal improvements in conversion.
Decision
Based on this comprehensive approach, we recommend the following procedural model for selecting ID procedures:
- Determine the regulatory framework and the associated minimum testing requirements.
- Conduct a risk assessment to establish your risk tolerance.
- Identify relevant KPIs and set realistic objectives.
- Define the degree of interaction and level of user experience (UX) that users will accept.
- Set objectives related to data protection, focusing on long-term data storage and third-party reuse of data.
- Establish the technical procedures for data exchange, considering complexity, time-to-market, and maintainability.
- Analyse the ID workflow to manage alternative processes for failed, incomplete, or outdated ID verifications.
- Define the degree of flexibility required for processes, allowing parallel operations for different use cases.
- Calculate the impact of additional conversions based on Customer Lifetime Value (CLV) and determine the Total Cost of Ownership (TCO) necessary to meet your goals.
Consider using this framework for your next ID selection decision!
Do you think a risk assessment is unnecessary? Or that the process is simpler in practice? We'd love to hear your thoughts—discuss this model with us and share your feedback. We look forward to exchanging ideas with you!
Source: insic GmbH