Increasingly, companies doing business online will face regulatory pressure to know their customers, Munford says
More than most people, Steve Munford knows how costly a case of mistaken identity can be for businesses. Cybersecurity veteran Munford took over as CEO of Trulioo, the leading online identity verification provider, at the start of the pandemic. The Vancouver-based regtech company, now valued at US$1.75 billion, serves some five billion consumers and 330 million organizations worldwide.
We chatted with Munford about Trulioo’s origins, the new dangers of online fraud and the future of identity verification.
For the complete interview, check out The BCBusiness Podcast.
Tell us a bit about you and Trulioo.
Trulioo has been around for about 10 years here in Vancouver. We are an online digital identity marketplace, but what does that mean? Essentially, we’re the first step in the on-boarding process if you’re signing up for accounts or beginning to interact with someone digitally. Where maybe previously you went to a bank and showed a couple pieces of ID, now you’re trying to do that all over the web.
Fundamentally, the challenge that is out there is if that services and GDP are all moving to the web, then how do you establish trust with someone online? So we’re essentially that layer that helps organizations on-board new customers or new businesses digitally.
What are the company’s roots? How did it begin, and how did it grow over the past decade?
The company was founded by two folks, Stephen Ufford and Tanis George. They’re serial entrepreneurs, and they had been doing various things around digital identity or trust. They started off with this notion that, hey, listen, if this whole internet is going to work, we need to be able to build a profile on an individual and help them establish their reputation online.
They talked about a bunch of different use cases initially and then eventually got into how do you solve for more fintechs or marketplaces—people-solving for problems like know your customer or anti-money-laundering or fraud, those use cases. So it’s been doing what it’s doing now for the last five years, and it started out by building this notion of the platform and then beginning to partner with some very significant organizations. And then as those organizations grew or expanded globally, it invested in its product and its infrastructure, and it’s really grown on the backs of some of these very large platform vendors.
And you came in during the pandemic, right? You were brought in at an interesting time.
It was an interesting time. I came from the information security market. I have worked with a number of different companies, both private and public, and the one consistency is, I’ve had the great pleasure of partnering with various founders as their company has grown and they’re looking to really, really expand, whether it’s globally, their product set or enter new markets, and they’re looking for someone to take over running the company.
And so I’d met Stephen Ufford a couple of years ago. He has an investor that I know very well and have done some work with. And as I talked to him, I really got excited about the space and this whole notion that, hey, if all seven billion people in the world would be able to be identified and participate in global commerce and get access to service, geez, that would be a much better world. And if we could establish that trust layer, we could be a pretty significant company. And also, it is really hard to do.
In the so-called digital economy, what are the biggest fraud threats?
Fraud can come in many, many different forms. But I think the one that we work to solve today—and we are part of a set of solutions that tries to solve this, because there’s no silver bullet—if you want to begin to move money back and forth between someone, or you want someone to come on and operate on your marketplace, the first step you have to do is establish is that person a real person, or have they created some synthetic or fake ID?
Once you can establish that, then you can start to have a layer of trust. It doesn’t mean that they could be masquerading as someone or they could be obfuscating who they are, but it is that establishment of that identity that’s the first step in reducing fraud.
If you look around the world, what’s the awareness level among organization of these kinds of dangers?
Whether it’s any kind of cybercrime, there’s a huge level of awareness that where there’s money, there’s going to be bad actors. I spent 20 years in information security, and that bad actor was often someone that would email you or get you to click on a link or maybe encrypt your hard drive and ask for money or maybe try to sell you fake goods.
Those still exist today, but the new forms of fraud are when so much of the financial transactions are happening digitally, it’s fraudulent users—people pretending to be different people and then either taking over someone’s bank account, taking over someone’s credit card or simply getting on and applying for a loan and maybe not being that real person.
When you think about these threats on a global scale, are there a lot of differences from country to country, or region to region, as far as customer expectations?
The threats will differ by region, but there’s a lot of common things to how fraud is done. I think the interesting thing that’s happened now is that you’ve got this balance. If I’ve got this online platform and I want people to come and open up a bank account, a trading account or start to interact with me, whatever way it is, the users today have very limited patience for a lot of friction.
So this notion that you’re going to spend a lot of time really establishing that trust relationship with me—getting me submit documents, getting me to submit passport information…getting me to have a phone call or a video conference with someone—the level of friction that people are willing to go through before they abandon trying to open that account increasingly gets lower.
So the challenge for an organization is, how do they balance compliance and fraud with friction for the users in that whole marketing journey [where] someone’s paying a lot of money to get you to that website? So I think the big focus we hear from our customers is, Hey, I can never reduce the risk 100 percent, but how do I reduce the risk to the lowest point and cause the least amount of friction? And the level of friction someone’s willing to go through is going to be different depending on what they’re doing, but it is constantly this tug of war between compliance, the people looking after fraud and the people who manage that person’s journey.
As our attention spans get shorter and shorter, we’re just not willing to wait for much of anything online.
Earlier in the year, we saw…this meme stock trading. There could be a level of excitement about GameStop or whatever stock was out there in the spring, and we would see hundreds of thousands of new trading accounts opened across various customers in hours, depending on the rumours in the market or the news.
If you think about those people that are opening those accounts digitally, they don’t have the patience to show up at a bank. They don’t have the patience with some of the things that are forced upon them with their traditional banks or financial institutions. They want to open up and trade within minutes, if not hours, and be approved. The new platforms are really focused on that on-boarding, versus traditional non-digital-first are going to be in a period of catchup.
Beyond becoming one of your customers, do you have any advice for organizations that want to get better at dealing with these different types of fraud? Are there three steps they can take?
If you are starting to build a platform that is going to have people sign up and begin to interact with them, there’s many things you need to consider. What is that optimal customer journey? What compliance needs do you have? So are you under FINTRAC in Canada? Are you under AML, anti-money-laundering, jurisdiction? So there’s a whole set of things that you need to solve for before can you start to exchange money with people.
And this is beyond someone just paying for something with a credit card. If you just have a store that’s going to have someone send you money via credit card, often the credit-card or other people uphold that risk for you. But if you’re going to be a real fintech platform and establish some kind of marketplace or place where people can exchange money or move money around, then you’ve got to really get under the hood and understand the compliance regulations you’re in and then begin to think about what are the platforms that you can embed in your system to solve those.
So it’s not a one-two-three step, but it’s also more than just solving for fraud. And it also is very dependent on what your digital company is doing and what regulations and risks are associated with that. Maybe it’s as simple as, look at what your peers are doing, and then have some conversations with other folks in the industry and start to narrow down your choices.
What does the future hold for identity verification? Where are things headed?
We’re here in Vancouver, and we power some of the biggest brands in the fintech industry. And what we hear from them is, they’re being very disruptive in the markets, and they’ve got this desire to go global, they’ve got the desire to grow the number of people on their platforms, and they’ve got this real need to streamline that journey and still solve all the fraud and regulatory needs that they have.
So we’re looking to build this end-to-end identity platform that not only works on… Today, we operate in about 195 markets, and we’ll expand that. But also, we want to get much better and much more complete about managing that whole identity workflow so it’s easier for the consumers and there’s less chance of either compliance errors or fraud.
So we’d say as a company, even though we’re 10 years into it, we’re really in the early innings of solving what is an incredibly big, hard, complex global problem.
As for the whole identity space, I think you’re going to see an increasing amount of regulations coming and requirements for companies to know their customer, know their business. I don’t know if you follow the Panama Papers or the Paradise Papers. I find it fascinating. All this need for transparency when people register businesses or start to move money between businesses—who are the ultimate people behind that? So you’re going to see a lot more regulation around that.
You’re going to see governments dabble in more national IDs that will provide some of that verification for individuals. We’re seeing that on some state levels; we’re seeing that on some country levels. And then you’re eventually going to see platforms like Trulioo emerge trying to manage all that complexity and compliance needs for companies.