In this episode of Talking Banking Matters, payments industry expert and McKinsey partner Roshan Varadarajan talks with Johnny Ayers, the founder and CEO of the digital identity verification and fraud prevention company Socure. As digital payments and commerce continue to expand throughout every facet of the economy, digital identity verification and fraud prevention are increasingly critical safeguards. The following edited transcript shares highlights from the conversation. For more discussions on the banking issues that matter, follow the series on your preferred podcast platform.
Roshan Varadarajan, McKinsey: As e-commerce, digital banking, and other digital-payments-related sectors continue to grow, so too does the need for digital identity verification and fraud prevention. The sector hit a new velocity between 2019 and 2023, raising over $10 billion in funding. Yet the complexity of the industry remains: fraudsters are becoming more sophisticated with generative-AI-enabled synthetic IDs; new fraud types are arising, such as “friendly fraud” in e-commerce; and scam fraud in push payments is also becoming more prevalent.
Among the companies looking to solve this is Socure, a private company last valued at $4.5 billion that offers a broad suite of products for every dimension of consumer ID establishment, including KYC [know your customer], AML [anti–money laundering], ID verification, and fraud prevention. Socure is playing in a market valued at about $20 billion in annual revenue and growing at over 10 percent per year. The company serves a wide range of customer types, including four of the top five banks, 13 of the 15 largest card issuers, and a vast array of household retailers and marketplaces, in addition to government agencies. Its platform-based approach allows it to serve large enterprise customers with a full suite of products while leveraging partnerships to deliver its offerings to smaller customers.
We spoke recently with Socure’s CEO, Johnny Ayers, who described for us how the company creates differentiated value in such an increasingly crowded market.
Johnny Ayers, Socure: When we think about identities in the banking sense, companies are trying to authenticate them for various reasons, and generally these authentication requests are problems that a customer is trying to solve—they want to open an account easily, they want to move money faster, and if they’re selling something, they want to say yes to every transaction possible while mitigating fraud risk.
From our perspective, the question is, how can you safely say yes as fast as you can? How do you passively approve the largest number of good identities at any point in the workflow? For example, maybe you want to place an online sports bet in the next 30 seconds; the game’s about to start, and you want to be able to place a bet immediately. Or a customer wants to open a new trading account. There is also e-commerce, where the merchant could lose a transaction or there’s a potential fraud loss if identity verification isn’t done right.
We play in spaces where identity is critically important, whether it’s for reputation, user experience, regulatory requirement, or fraud prevention. The ability to say yes to more good people is super important throughout so many different industries.
We started by building models off all the traditional data—credit header, utility data, tax data, student clearinghouse, et cetera. And then we also built thousands of features or independent variables on domain risk, looking at factors such as, Has the phone been ported? Has the SIM been swapped? Are you in the right time zone? Are you a Mac user on Google Chrome? Is English your native language? We also thought about how, when you go to the bank to open an account, they’re not trying to determine whether your email is risky but rather whether you are who you say you are. It’s not a phone problem or a device problem or an email problem. It’s a question of how you build a binary classification model across every dimension of a consumer’s identity.
We built a vertically integrated service to verify and build features or independent variables off every dimension of an identity, so when we see an identity, we don’t just generate 15 ID analytics variables. We actually generate 30,000 variables across every piece of an identity. That was a transformational shift in how you verify an identity on the internet. We’ve built the largest graph of known good and bad identities. This is what makes Socure really special.
Roshan Varadarajan: Fraud checks have multiple steps, and there is often a debate over whether vendors should look to specify with one solution or offer a platform with multiple solutions that are either proprietary or resold. Most companies serving the digital identity verification space have tended to specialize in just one area of fraud prevention—say, email or phone number authentication—which has led to an ecosystem of “co-opetition” among them. Socure has pursued a platform strategy from the start, however, which is part of the reason the company has grown revenue at more than twice the rate of peers. We asked Johnny to describe his thinking on a platform-based approach and maintaining a data advantage in an increasingly competitive world.
Johnny Ayers: Our strategy has been to offer a wide range of services and to have quantitatively and qualitatively the best offering. We don’t feel customers will get the best offering by reselling someone else’s product. We want to be able to solve the problem ourselves. We feel that for most types of products, the best product out there is generally worth two or three times that of the second and third providers in a market. One of our advantages is that we spend a lot of money on data, which gives us a massive device graph around all the session and behavioral information. We get probably 15 to 17 billion rows [of data] pushed to us a week, so close to a hundred million inputs a month.
We typically sell to large enterprises where they’re buying a synthetic fraud model, which is a totally independent buying decision from document verification. And it is entirely independent from behavior biometrics, which is completely independent by device. So if you want to sell into the customers that we sell into, every single one of those services has to stand alone. We’ve built our products based on how we think about who we’re selling to.
And then, when we think about a lot of the platforms or orchestration or decisioning, those become distribution partners. We serve about 400 end users through Alloy, where we do the identity fraud, device fingerprinting, synthetic ID, KYC, and sanction screening. They do the orchestrating, the API integration, the no-code decision logic, and we just provide the answers within those pieces.
We want to build the best solutions for these things, because they are worth it based on performance, which can earn us better-than-software margins. Because our offerings can be justified based on their performance, we’re going to be able to sell them stand-alone to large enterprises as the best individual pieces that are required for identity proofing. And then we can sell to the midmarket and down market through folks that wrap our services into a larger suite of services.
Roshan Varadarajan: Fraudsters continually adapt to take advantage of new technologies and consumer protection measures. In particular, first-party fraud and scams that use peer-to-peer platforms and push payments are proliferating as digital payments become easier, leading to more than $100 billion in losses in the US alone. At the same time, consumer protections have shifted liability to banks, making first-party fraud a critical problem to solve. This is where customers defraud an institution themselves—for example, by claiming they didn’t make a purchase that they did, in fact, make. Given the unique challenges at play, we asked Johnny how Socure’s differentiated analytics are able to help address first-party fraud.
Johnny Ayers: The thing about fraud is it’s a big game of Whac-a-Mole. It never goes away; it just moves. The proliferation of so many new applications and websites has made the attack surface so large for fraudsters. They actually study consumer protections and abuse them in a very targeted, thoughtful way. This is why we’ve built first-party fraud capabilities. It’s a natural extension to move from identity fraud and synthetic fraud into more traditional first-party fraud, where we see the same users just jumping from institution to institution, committing the same types of things: they claim their money didn’t come out of an ATM, they overdraft and disappear, they make a crazy exotic parlay in their online betting and say they didn’t, or they make a crazy derivative trade at Robinhood and then say they didn’t make that trade.
We have a collective of large fintechs and banks that are contributing all their first-party data to be able to utilize our graph to stop this kind of fraud, or at least stop it from happening within their network. There are a lot of similar patterns you can see in it. For example, fraudsters can be lazy. They will use common email strings: they will actually just use “scam123,” “scam124,” “scam125,” and on and on as they repeatedly commit the same fraud. So we built an email similarity service that looks at all known prior fraudulent emails and does a huge lookup to give you a commonality score to compare against. That’s a really easy one.
We’ve had customers who use our document verification service for every high-value wire payment experience, and consumers try to engage in first-party fraud by calling in and claiming they didn’t send that wire transfer. Our customers are able to geolocate the person with their device and match images of their face across image sources to prove the consumer did, in fact, initiate the transfer. That level of precision and certainty puts our customers in a position to fight some of these more difficult types of scams.
Another area we’re working in is helping large banks do full-portfolio scrubs of their 50 million or more accounts. This came about with the launch of Zelle [the account-to-account money transfer system]. When banks first offer Zelle, they find that something like 2 to 4 percent of all Zelle transactions are fraudulent, which means an enormous number of fraudulent accounts already exist in their active-customer bases. We’re finding that, on average, somewhere between 3 and 5 percent of all active accounts in the US are some version of dead, synthetic, or completely invalid data—garbage social security numbers and dates of birth, invalid emails and phone numbers, or identifiers tied to prisons, PO boxes, or commercial drop zones. These are not accounts that any large, federally regulated bank should have on their books.
Roshan Varadarajan: One of the larger unsolved puzzles of digital identity verification is the concept of reusable digital identities, where a bank or retailer would be able to trust that an identity is authentic because another financial institution or payments-related entity has already verified it. In theory, this would unlock better and safer digital interactions. A principal challenge, however, is that the sources used to establish identity are distributed: for example, driver’s licenses are provided by different entities than passports. What is really needed is some kind of reusable digital identity that stores all of it and can be trusted by multiple users.
Another issue is the data feedback loop that results. How can a bank know that a user really is who they say they are? And how can another bank trust the first bank’s verification if some customers among their users are committing first-party fraud? At the moment, because every institution experiences fraud at some level, relying on another institution’s verification remains difficult.
Johnny Ayers: The problem is not actually a technological one; it’s not the reusability. It’s more a matter of creating a consistent standard that different counterparties will use: Can you trust the identity that’s being represented with that credential? I think there are ecosystems where reusability could potentially be super applicable, such as in e-commerce, where there isn’t a regulatory requirement and there’s limited information being collected already. You could imagine an ecosystem within one US state where a single credential could let you move cross-agency—say, filing for medical benefits and then getting a gun license. But where financial services are concerned, there are so many variations of credit underwriting, income verification, risk, and other standards around what a verified identity is.
I have not yet seen an elegant way to solve this in some of the very highly regulated industries that we’re in. And where one has been deployed in some of these highly regulated industries, you’ve seen massive amounts of fraud. I don’t know if we can attribute that to the idea of reusability or whether it is the service providers that are delivering it today. I would love to see someone get to some decent scale with the concept.
Roshan Varadarajan: As with most every other industry and sector, generative AI has the potential to alter the landscape for financial institutions and payments-related businesses, as well as for fraudsters. On the one hand, fraud companies can more quickly spin up training data. On the other hand, fraudsters can spin up much more sophisticated synthetic IDs. Johnny had good news and bad for us on this front.
Johnny Ayers: AI-generated images are getting really good these days, so it’s easy for people to buy driver’s licenses and manipulate the bar code to blur it so it can’t be read digitally. Then the person doing the authenticating will use OCR [optical character recognition] to capture the PII [personally identifiable information] on the front of the driver’s license, where there’s much less security. We use huge computer vision models that can unblur what the fraudsters tried to blur and generate a cleaner version of bar code from which we can predict and basically extract what was encoded in that bar code to see whether the rest of the document has been altered.
But that same technology can be used by fraudsters to create fraudulent, synthetic identities. It is without question a game of Whac-a-Mole and a question of how we live. We want to be privacy-centric, and obviously we want to be very security-centric, but fraudsters have no constraints. They have no rules. They can use any data anywhere they want, however they want it. But there are constraints and rules we have to operate within. As we think about regulation and privacy, we need to ensure that we don’t make it too hard for us to keep bad actors out of the system. You don’t want to create so many layers that it prevents us from stopping these types of complex and sophisticated attacks.
Roshan Varadarajan: Fintechs generally start in one market and look to scale quickly across geographies once they’ve reached a certain maturity point. One of the challenges with this approach in the fraud and identity verification space is how much differentiation there is in data quality and availability and in the laws and regulations around how the data can be used. So far, Socure has largely focused on the US market. We asked Johnny to talk about how Socure views harmonization of identity factors and solutions across regions.
Johnny Ayers: Historically, identity data has been header data that sits in [credit] bureaus. Bureaus are regionally structured, and they only exist in maybe 28 countries now. In other countries, the telcos or the insurance companies have the data. Different countries handle PII differently. Even in the US, we’re struggling with defining what is a data broker. What is a consumer reporting agency? What data is available? What are carriers allowed to expose? Are we moving to mobile driver’s licenses? Are we going to stay template based? And all those questions are just in one fairly developed country.
But other types of data have global standards. Devices, emails, geolocation, and passports increasingly have global standards. That means we are handling different types of identity documents across 180 countries. But we still don’t have global verification of phone numbers. That doesn’t exist. So it’s a patchwork of different folks trying to pull together different pieces of PII. In some cases, the PII access is more expensive than just verifying a document, so then you get into such questions as, What’s the actual data type? What’s the coverage of that data type? What’s the cost of that data type? What’s the regulatory requirement? Is it two plus two in that particular country or region?
There are so many layers to it in addition to those concerns. For example, our whole global expansion strategy has been serving US-based companies operating internationally, which means we have to support something like 14 different languages. And then there’s also the front-end SDK [standard data kit] and how you support ADA [Americans with Disabilities Act] accessibility. How do you support different languages in your API documentation? There are just lots and lots and lots of layers.
I don’t know if anyone is going to nail it. We just try to pick the set of problems where we can be the best in the world at these things. Then we think about the natural combinatorial areas where we are uniquely positioned and have earned the right to be the best at the next thing.
Roshan Varadarajan: Some observers have said the digital identity verification and fraud prevention start-up landscape is already saturated, and that might be so. But it’s a field that touches nearly everyone, whether in a B2B or enterprise setting, peer-to-peer lending, or gig workers. US consumer fraud alone totaled $8.8 billion in 2022, a 30 percent increase over the prior year. And the advent of publicly available generative AI chatbots seems at least in the short term to contain the potential for much broader scam and fraud efforts, much as happened when email became an easily accessible tool. Demand, at least, does not appear to be an issue for the identity verification and fraud prevention industry. However, the challenges posed by so much of identity being distributed across entities and borders—and by the inability of institutions to trust one another’s verification quality—make it hard to imagine the industry reaching its holy grail of reusable digital identities anytime soon. We are looking forward to seeing how new advances in AI and the continued evolution of digital commerce shape the field in the next few years.