524 Identity

Welcome to Breaking Banks, the number one global fintech radio show and podcast. I’m Brett King. And I’m Jason Henricks.

Every week since 2013, we explore the personalities, startups, innovators, and industry players driving disruption in financial services. From incumbents to unicorns, and from cutting edge technology to the people using it to help create a more innovative, inclusive, and healthy financial future. I’m J.P. Nichols, and this is Breaking Banks.

It’s my pleasure now to welcome Domingo Guerra from Incode. Tell us a little bit about Incode and what you’re working on, and particularly around the ideas of identity and fraud. Hi J.P., it’s great to connect and glad we were able to get together today.

Incode is a biometric identity company, so we help humans verify themselves, whether it’s verifying an employee or verifying a customer, we just help humans verify to make sure that we know who they say they are and it’s someone that we want to do business with. Well it’s becoming such a problem as the products are becoming more digital, the customer experiences are becoming more digital, and there’s been so much focus on reducing the friction, but at the same time that means it reduces friction for fraudsters too. So how are you thinking about that, you know, not only on the onboarding, but then throughout the customer interactions with customers? How are you thinking about this problem? I think it’s an interesting problem in the sense that it’s always been the age-old problem of do we want higher friction or do we want lower fraud? So that or discussion is now amplified with market trends.

One, in a down economy, you have the original fraudsters plus the folks that were maybe on the fringes and are forced to do fraud as a way to make ends meet. There’s also better technology for the fraudsters and the attackers, and we can talk a little bit more about AI and how it’s being used now by the attackers as well. On the flip side, the consumers now, they’ve spent the last few years of opening their phones or unlocking their phones with a selfie that’s at the speed of nothing we’ve seen before.

So the old models of verifying users that might take minutes or hours are dead. And I think the user expectations, they want better experience than ever, and the business need of reducing fraud is bigger than ever. So it presents a big challenge where I think that the new technology, the new players are starting to make a big impact, and we see that in the market.

You bring up an interesting point that not that long ago, the idea of biometrics was scary and seemed very science fiction like, but you’re right. Many, many millions of people are looking at their phone or their computer every day and using at least facial recognition to log on. What’s your research show about acceptance from the consumer side over the past few years? I think it’s all about the experience at the end of the day.

What might seem scary, and then you come in from flying overseas and now you don’t even have to present your passport, like the global entry just recognizes you. Yeah, I literally just did that on Friday. Yeah, it’s like hands-free travel now.

You don’t have to dig around and look for stuff. So I think it’s all about being used to it. A friend of mine joked that when elevators first came out, there needs to be an attendant because people were scared to do it.

And now you don’t think twice. And self-driving cars are scary until you ride one. And then it’s not so scary.

I don’t know, they’re still pretty scary right now. I think we’re on the path to those, but yeah. I think biometrics, when presented as a better user experience and we can back it up with better ways to protect that user data where we’re not actually shipping documents and pictures all over the world to like a remote data center so a human can verify it, when the machine can do it at the edge on the device, on the user’s phone and give you an instant verification, then you reduce that friction from a fear of the technology with a better user experience.

So I think convenience will trump a lot of concerns. But at the end of the day, we still need to invest in obviously better encryption, better data protection or better design by privacy, privacy by design to not be sending copies of our documents all over the place. And I think biometrics are now at a place where they can allow us to do reusable IDs for reusable verifications.

And again, that lowers that friction and improves that user experience and lowers the security threat as well. Got it. Tokenization of identification.

Absolutely. Also seeing a big struggle with passwords, right? And folks losing their passwords or being phished at other MFA tokens or now even internally, some employees or pretend to be employees, they contact IT to reset their device or their two-factor authentication. And now IT or the security team gave password access to an attacker.

So social engineering, account takeover have also shown us that as humans, it’s very difficult to come up with tough passwords and to protect them. And then we still need to, at the end of the day, identify not that the person has possession of a device, but the person is the actual person. So I think it still comes back to biometrics.

Yeah. I have a new part-time job just deleting all of the phishing attempts that I get every day via phone and email and all of these things. And some are pretty good.

You could see how you might be tempted to click on that link and subject yourself to some malware or worse. And being able to have a biometric authentication, it does feel like a pretty important backstop to all of that. But you mentioned a minute ago about AI.

Talk to me about how you’re using AI and what problems is it solving beyond biometrics alone? Yeah, I think from an AI perspective, we look at it as an enhancement tool, an enhancement technology that can speed up our development, but also speed up the confidence that we can get on verifying someone because you’re able to analyze a lot more data points in real time and just making real-time, smart, more intelligent decisions in a system that can then also continuously improve. So it’s always going to be a cat and mouse game between the fraudsters and the folks preventing them, where there’s new technologies, new techniques, new approaches. But it just means that there has to be innovation and evolution on both sides.

A quick example is a few years ago, we saw a big increase in voice biometrics. So you might call somewhere, log into your bank or try to call in for help at the help desk, and your voice or a certain sentence you mentioned can be part of your password. Well, now with AI and deepfakes, it’s trivial, especially for you, JP, that there’s hours and hours and hours of your voice online, right? So you can feed just a few minutes.

But it’s crazy. A teenager can do this. It’s not a sophisticated attacker that you can feed an AI model a few minutes of audio and then just type whatever you want to say.

And it’s going to say with the exact same voice. So again, not all biometrics are created equal. Some of them have been very trivially spoofed now, where I think those companies or those approaches are having an existential threat.

And I think where the biometrics of someone’s face come into play is that now it’s not just the AI to analyze the face, it’s the AI to make sure that it’s not tampered, that it’s not a presentation attack or not a spoof, and making sure that in real time we have that confidence that there is a human at the other end of that experience and that that human is the person we’re saying that it is. Because it is a two-sided arms race, isn’t it? You mentioned this, the fraudsters are using AI in the deepfakes. And yeah, it’s really scary some of the things that are out there.

How do you stay one step ahead of them? I think it’s an exciting challenge. I mean, before identity, I was in the cybersecurity space and it’s the exact same thing. It’s the constant arms race where there’s a new attack vector and then there’s a race to stay ahead of that.

I think the innovation has to go and look beyond just the initial problem, which is maybe a biometric scan, but also in, for example, how do we look for patterns that might be invisible to the human? And sometimes that’s for fraud detection. Sometimes that’s for onboarding. So why are we seeing maybe better onboarding in this state or this region versus the other? There might be some hidden clues there into how to improve user experience.

On the flip side, why are we seeing more fraud here? What can we learn from that? What’s the techniques that are being used? So by increasing the breadth and the depth of what we’re looking at, but still being able to take fast analysis and determinations, I think that’s how you stay ahead. The other way to stay ahead is really to raise the cost on the attackers. If we think of synthetic identities or device-based identities or behavioral-based identities, well, at the end of the day, it’s somewhat trivial for the attacker to maybe use a new phone or a new IP address or use a VPN or change their behavior a little bit.

But if we are then being able to then tie it back again, linking it back to the biometric, now we can block an attacker so they would have to get someone else to do the next attack and someone else to do the next attack. So how do we make these block lists global so that one bank doesn’t block a bad actor and then the next bank has to learn the hard way that that person was a bad actor and then the next bank and the next bank? So by making it trivial to share, again, not the actual face, I mean, we have to do it in a privacy-preserving way, but being able to share a hash or a vector of a bad actor or just a real-time computation of saying, hey, you don’t want to do business with this person because they’ve defrauded X, Y, Z. I think that becomes very valuable and it shifts the cost and the burden on the attackers instead of on the banks or the customers. Well, and then on the defensive side, it becomes a network effects play, right? The number of users and pieces of data that you have makes it more valuable.

How are you structuring that today and what are the long-term plans to try to build that global database? That’s a great point, JP, because in finance, we see credit bureaus and a lot of different ways of monitoring someone’s maybe credit worthiness and that helps businesses make better decisions. But I think as a consortium, as an industry, we can create an identity bureau, which is doing essentially the same way as just, can I trust this person? Is this person even real? We’ve done a lot around that in terms of better ways to, in a privacy-preserving way, share information and signals, but then we don’t stop there. Obviously, it’s trying to connect the disconnected silos.

Sometimes even at a big bank, the hard loan department doesn’t talk to the mortgage department that they might ask you to verify multiple times. So it’s breaking those silos internally, but more importantly, breaking the silos among what otherwise would be competitors and realizing that as an industry, if we facilitate this data sharing, everybody wins. And by lowering fraud, lowers our cost to business, we can offer better loans, more people.

So the good actors have a huge benefit in this kind of approach. The last approach we take that I think is very unique is that we don’t want to always rely on a confidence interval. At the end of the day, that’s a probabilistic approach of saying, yeah, this is JP or not JP.

But if we can integrate to what we call as a source of truth, integrate to the government database that issued that identity and verify not just the name on the ID, but the biometric. Again, in a privacy preserving way, we’re just sharing a hash and seeing if that result at the other end is a match or not. You eliminate fraud basically completely because now I know that the government, the issuing authority has the same face as the person in front of me.

There is a huge, there it’s not a probabilistic approach anymore. It’s a deterministic approach to identity. And that brings a lot of value to the ecosystem.

Is that something you’re doing now? Absolutely. So we’ve done that in Mexico, Colombia, Brazil, Argentina, Chile, and Peru. A lot of the, we started in a lot of the high crime and high fraud areas for our multinational customers.

And now we’re doing that in the US. It’s a little bit more time consuming because there’s 51 DMVs and they all have their own systems. But I think the customers are really helping us lean in there.

And the DMVs, they know the responsibility they have. They own identity in the US and we might have a negative connotation of the DMV as a consumer, but they’re actually pretty innovative. So we’ve been very happy to work with them and the large banks together at forming these identity networks that can just eliminate identity fraud and obviously make huge improvements for the consumer in terms of better rates, lower APRs, faster and better loans as well.

Well, you also have been working beyond the onboarding. So not just the initial know your customer, but, you know, AML checks and so on. How, maybe walk us through that journey a little bit of, you know, where did you start? How have you been expanding that and where does it go from here? Yeah, I think the industry in general started with that KYC or know your customer use case, ID proofing, ID verification.

There’s many names, but it was just taking a selfie, scanning an ID and saying, is this the right person? And very quickly the industry has grown where customers demand more than just IDV. They want an identity platform. Realizing that it’s not just when the user onboards, but if they’re going to make a high value transaction or a risky wire transfer, they want to send a credit card to a new address.

They want to change their address, change their password. Why make the user have to verify their identity a different way? We already have that on file. We already have the token stored.

So a quick selfie can give that call center, that customer support agent, instant confidence that it is the right person. They’re still the right person. Further, we can augment that beyond identity signals.

Is this a known device? Has this device tried to open a hundred accounts, for example? Is this using a VPN? Is their behavior of the user changed the way they click on their device? So bringing in device intelligence, bringing in payments intelligence and fraud information from there, and then augmenting with different data signals is again, what customers are looking for. Lastly, I think we touched about it a little bit, but we mentioned KYC. I think the new trend now is also KYE, or know your employee.

We have a lot of customers that… And KYB. Know your business. Yeah, KYB.

Absolutely. We launched KYB a bit ago and it’s seen huge traction because it’s verifying that the company or the entity that wants to open an account is real. Maybe a marketplace and the seller is real.

It’s not like money laundering or some other front. But then it could be a real company, but not a real person that owns that company or that it’s the UBO, the registered owner. Well, now we can do KYC on the person that submitted the KYB as well.

This platform approach has really helped our customers expand the confidence they have and who they’re working with. And then on the KYE, or know your employee, it’s how do we know that the person we hired remotely is actually the person that’s going to do the work? How do we know that the employee that wants to change their password or access a sensitive file is the right person that should have access? And again, it’s all leveraging these same technologies that can do a biometric identity verification in real time and just bring that confidence back into the system. You’ve also been working across multiple industries, not just financial services.

What are you learning from these different industries? Maybe who’s ahead of the game? Who’s behind you? Where are you finding the best lessons learned to apply to financial services? Yeah, I think financial services, we saw a huge adoption, especially during and after COVID, where folks couldn’t go in person to verify their identity. So the remote onboarding really took off. And companies were forced to accelerate their digital transformation timelines to weeks or months instead of years.

But it didn’t stop there. As you mentioned, we’ve seen it in gaming. So both from like casinos and sports and entertainment and gambling to kids games.

And how do we keep adults out of the kids’ website and kids out of the adult website to social media? Now, there’s a lot of regulation around children’s access to online media to sporting events. We’re live at big events. So just like you experienced at the airport where you can just biometrically arrive and be checked in, so can you do now at stadiums where your face is your ticket.

And if you are a bad actor, if you’ve been in fights or something, you could be barred from coming in for one or two games, like a few games suspension to a lifetime ban. And this is changing the way people look at physical security as well. I think the last example is in the gig economy, where now you’re getting into people’s cars or you’re staying in people’s homes.

And folks want to know that the other person, they’re not a risky individual. And with fake identities, as easy as they are to create, that can be a big problem. If you don’t have a way to more accurately verify who someone is.

Well, if you have your way, what’s this all look like five years from now? How’s the world different? I think that it’s really about reshaping the way we authenticate as well. I think biometric login is going to become a lot more popular, especially if we see I mean, for my parents, I know that I’m changing the passwords all the time. And now if all their banking institutions are going online and digital as well, and you start talking about the retiring workforce and all their financial transactions are going to have to be digital, it became a huge honeypot for the attackers.

And I think we’ve seen that passwords are difficult. We’ve seen the multi-factor tokens are difficult. I really do think that biometrics are coming in very strong because of the ease of use and that there is no technological barrier.

Like no one has to learn how to take a selfie. I think people know how to do that. You can’t forget your face.

So I think we’ll see a lot more adoption across every industry. Well, you mentioned a couple of times doing it in a privacy protected way that has challenges in and of itself. And it only gets worse, right? If we breach those privacy protections, what are you doing to make sure that that doesn’t get in the way? Yeah, we see that as one of the biggest threats long term is that folks don’t properly protect the data.

There’s going to be a massive breach. There’s going to be the additional regulation, which makes everything more difficult. So our approach has been to what should have been since the beginning is that the user owns their data.

The bank doesn’t own the ID that you gave them with the data or your birth date or your social security number or anything like that. So if the users own this data, how do we empower them to keep that data safe? But now we’re thinking more like at the approach, it’s an identity vault that the user has. And when a bank asks for that information or where they want to create a new account at a website or do a check in at a hotel or airline, they can exchange more of a confirmation, an attestation that it is them without sending the physical document or a copy of the document without sharing the sensitive data as well.

So I think with the advances in encryption, that’s a reality today. And with advances in the speed and the power that the phones have. I mean, these are computers in our pockets now that can do that computation at the edge and on the device.

So we don’t increase our data footprint by shipping this data all over the world. And as a user at the end of the year, I might not remember which websites I uploaded my documents. So even if I wanted to, I can’t go and ask them to delete it from this model.

Again, we call it Input ID, but it’s just a reusable digital ID. The user can always see who they shared what data with and when they want to recall or delete it. So I think this new architecture of reusable digital IDs both help adoption but also help protect the users.

What do you say to the people that just are dreading the surveillance state that we’re already living in and maybe heading towards if that’s what the future does look like? And it probably does. And in many respects, it is already here. Yeah, I think so.

How do we ameliorate those concerns? Just, gosh, everywhere I go, can’t I just quietly walk into an airport or check into a hotel anymore? They’re checking photo IDs anyway. But it does feel another level of, I’m going to say the word surveillance because that’s the word that’s used. But yeah, I mean, I think the big difference is going to be consent versus non-consent based, right? So when you manage your digital identity and you choose when to share it and when to be identified, then the user owns that data.

They opt in for that better user experience or whatever benefits might be available, like skip the line or like you could still do it the old way, but you have to go in in person. Like those kinds of things have to exist. I think users need to have choice and consent in the matter.

The flip side is that right now there are already basically cameras everywhere and the devices in our pockets that are great for some things are also not so great in other things in terms of privacy and ability for folks to track us via IP address or triangulation and GPS and the apps on our phones. I think the balance has to come around the optionality. If you want to delete your digital ID, you should be able to do so.

If you want to stop sharing your digital ID, you should be able to do so as well. I think that’s the only approach that I can think of where you can have access to the benefits if you want them while still preserving your rights as a consumer and as an individual. We also as a company, just as a side, like we choose not to work with a lot of the surveillance products.

I mean, the technology would work to just scan anyone on the street and try to identify who they are. But we choose not to participate in that because, again, that doesn’t involve the user’s consent. There’s plenty of business in our world where it’s all consenting consumers that are granting access or sharing access to their data to verify who they are.

And we chose that very early as a company because you’re right, it could get pretty dystopian pretty quickly if this technology is used in the wrong way. Well, I love that as an ending note. Is there anything else you want to make sure that we talk about? I think it’s been a great conversation, JP.

I think just the fact that things are not the way they started in the industry. So I know from our customers’ perspective, a lot of times they felt that they’re stuck in the way they do ID verification because that’s what they first deployed and they’re afraid of ripping and replacing and changing a lot of the code. I just invite folks to take a look at the next generation of technologies because there’s innovation, obviously, in the way that we verify users, but also in the way that there’s no code or low code integration that can just plug and play directly into the apps and websites that consumers are already using for that better user experience.

So I just invite folks to branch out and take a look and see what the new vendors and new innovation is coming. It’s really exciting. And I think it’s going to really change in the next two to three years.

And how can people find out more? You can visit us at incode.com. That’s I-N-C-O-D-E dot com. And I’m Domingo Guerra. Again, happy to talk to anyone and appreciate the opportunity, JP.

Domingo, great to have you. Thanks for being here. Absolutely.

Thank you. Thanks. This show is brought to you by Alloy Labs.

As much as we love talking on the show, we believe that action is more valuable than talk. Alloy Labs is the industry leader in helping fearless bankers drive exponential growth through collaboration, exclusive partnerships, and powerful network effects that give them an unfair advantage. Learn more at AlloyLabs.com. Alloy Labs, banking unbound.

That’s it for another week of the world’s number one fintech podcast and radio show, Breaking Banks. This episode was produced by our U.S.-based production team, including producer Lisbeth Severance, audio engineer Kevin Hirsham, with social media support from Carlo Navarro and Sylvie Johnson. If you like this episode, don’t forget to tweet it out or post it on your favorite social media.

Or leave us a five-star review on iTunes, Google Podcasts, Facebook, or wherever it is that you listen to our show. Those actions help other people find our podcast. And in return, that helps us build an audience that can be supported by sponsorship so we can continue to provide you with our award-winning content every week.

Thanks again for joining us. We’ll see you on Breaking Banks next week.
