The identity verification gap: Why KYC at onboarding is no longer enough
Author: Kirk Pepi
Published: Jan 21, 2026

Strong KYC at onboarding often gives way to weak authentication at signing, creating an identity verification gap that exposes organizations to fraud, especially in an era of AI-driven impersonation.
Table of Contents
1. The problem
2. KYC fails at eSigning
3. How the identity verification gap affects your business
4. Closing the identity verification gap for good
5. Dig deeper
Organizations in regulated industries usually take identity seriously. Well, at least at the beginning. During application or onboarding, a customer is asked for all kinds of documents and may undergo a background check and even biometric screening. It's part of know-your-customer (KYC) requirements: proving that someone is who they say they are.
Then something odd happens. When that same customer actually signs a contract or a loan document, authentication is surprisingly weak, often requiring only access to an email account or a cell phone. How can signing something so important be so easy?
This is known as the identity verification gap, and it's one of the easiest places for fraud to happen.
The problem
You already know how crucial KYC is, so we won't bore you with lots of details. But, in short, here's what normally happens:
- An organization, such as a bank or a law firm, verifies a customer's identity in depth at the start of a new relationship. It's the law.
- Pay stubs, tax documents, photo ID, Social Security number - all of this is typically required.
- When everything checks out, trust is established.
But later, the same rules don't seem to apply. The customer receives an email, enters a one-time passcode and signs a contract with an eSignature. No further checks are needed.
Here, KYC goes out the window. The organization just assumes that whoever clicks 'sign' is the same person they checked out ages ago. This assumption is dangerous because high-value documents almost always carry legal and financial consequences. So why is verification so much weaker at signing than at onboarding?
The identity verification gap leaves the front door open to fraudsters, especially now that artificial intelligence makes impersonating customers easier than ever.
KYC fails at eSigning
The scary thing is that most digital signing workflows just confirm that someone has access to an email or phone. They rarely verify the identity of the person signing.
This can lead to the following problems:
- Account takeovers: Once a fraudster gains control of someone's inbox, they can sign every document that gets sent to it — contracts, loan agreements, you name it. At this point, those early KYC checks are useless. An organization has no real way of knowing who's signing.
- SMS interception: Text-based codes are a solid security measure on paper. In practice, they're pretty easy for a fraudster to intercept, especially if they hijack someone's phone number through SIM swapping.
- MFA exploitation: Even multi-factor authentication (MFA) can be bypassed. Fraudsters might trick your customers into approving access through social engineering.
- Synthetic identity fraud: This is when fraudsters combine real customer data with fake information to create new identities that bypass standard checks.
What do all these have in common? Nobody is actually checking who's signing.
How the identity verification gap affects your business
Lumin and MATTR dig deeper into this problem in our new white paper, and what we discovered is crystal clear. The massive gap between KYC during onboarding and weak authentication at eSigning creates real risks for businesses like yours.
Consider the following stats:
- The average organization loses an eye-watering $7 million (USD) annually to identity fraud, according to third-party research.
- Nasty legal disputes are more likely when organizations have weak signature authentication.
- Contract cycles lengthen when organizations manually check signatures.
- Using paper agreements for high-value deals undermines digital transformation.
So, what can you do about all this?
Closing the identity verification gap for good
Nobody's saying you have to do KYC again every time a document's signed. But identity verification at signing should be just as strong as it was at onboarding, especially with high-value transactions. Otherwise, you run the risk of fraud and delays - the very things eSignatures were supposed to eliminate in the first place.
It's time to move beyond one-time codes and actually confirm:
- Who's signing
- What they're signing
- When they're signing
Verified Digital Signing, available with Lumin Sign, does all of this. It brings identity verification smack-bang into the middle of the eSigning process, ensuring that every signature is secure and legally binding. That's more important than ever now that AI makes impersonation easier.
Instead of assuming, Verified Digital Signing relies on cryptographic proof and trusted digital identities. Your customers authenticate themselves with a simple, speedy biometric action, such as face recognition or a fingerprint scan. The whole process typically takes just seconds. No fuss, no friction.
The result? Your contracts and other legally binding docs remain fully digital, but now you have real, indisputable proof of who signed what and when.
Dig deeper
Want to learn more? Check out our new white paper, Securing digital agreements in the age of AI deception.