PYMNTS-MonitorEdge-May-2024

Navigating ID Verification For Business Credit

Verifying the identity of a business quickly — and accurately — is critical when performing credit checks on SMBs. Yet, commonly used knowledge-based authentication (KBA) questions come with drawbacks. In this month’s Digital Identity Tracker, PYMNTS talks with Caton Hanson, co-founder and chief legal officer for the financial management and business credit check app Nav, about how KBA, done correctly, checks that box.

Identity security is key when it comes to protecting financial information, and it can be devastating if sensitive documents from credit checks fall into the wrong hands, making authentication critical. Nav — a financial management app for small businesses that helps users access credit reports from commercial and consumer credit bureaus — is well aware of lackluster authentication procedures’ consequences.

“If we had a data breach, it [would] probably mean [we’d be] out of business,” said Caton Hanson, Nav’s co-founder and chief legal officer.

PYMNTS recently spoke with Hanson about how the company authenticates its customers, and the challenges it faces in the digital identity realm.

How Nav Works

Nav was founded in 2012 as Creditera, an online credit-monitoring service that helped small business owners track their personal and business credit information on one platform. The company’s scope increased over time to include educating users about business credit. When it took its current name in 2016, the company expanded its offerings to match businesses with different loan products.

“Sometimes, you’ll hear folks here at Nav describe it as sort of [a] Credit Karma for small business owners,” Hanson said. “We have all the information on the personal and commercial credit side, [and] we pull in additional data sets — as well as user-provided data — that we use to pre-underwrite users, and then match them with appropriate loan products and business credit cards.”

Nav offers a monthly subscription credit-check service, as well as a product that allows businesses to check their credit once for free. Hanson estimated that the latter comprises approximately 90 percent of its customer base.

Authenticating Users

Information as valuable and sensitive as credit scores naturally requires rigorous authentication to access. The U.S. government has strict standards regarding credit check regulations, and Nav’s investor and partner Experian sets its own expectations.

“This is something that’s super important in our industry because we house consumer credit data,” Hanson noted. “You can’t be negligent in trying to verify or determine the authenticity of users before they access consumer credit.”

Nav’s primary tool in determining that authenticity is Experian’s Precise ID platform, which leverages knowledge-based authentication (KBA) by asking users questions about their credit reports.

“The idea is that you should be the only person [who] actually knows that information, because it comes directly from your consumer credit report,” he explained. “As part of the sign-up [process], the user provides us with [their] full name, address and Social Security number. That information goes to the [credit] bureau, and the bureau sends back questions on the ID verification tool, and the user has to pass that tool.”

Questions can cover a variety of topics, ranging from house payments to salary information to Zodiac signs, which the platform infers from birthday data. The system has never fallen victim to fraud, despite several attempts by bad actors, according to Hanson. Experian also keeps track of credit check attempts on the back end as a further precaution against fraud.

“If the system gets pinged three or five times in a 24-hour period, it won’t let you do it again until the next 24 hours,” he added.

The Right Questions Are Key

Precise ID has come with its share of challenges, however. Despite its so-far perfect security record, one of its largest issues has been the questions themselves.

“[We’re talking about] certain questions that are always hard for people to answer,” Hanson explained. “[It] could ask you a question like, ‘What was the monthly payment on the car you owned 10 years ago?’ That’s not always the easiest thing to remember. It’s not like you keep that information readily available.”

Other questions are simply misleading. One example he pointed out lists several names, and asks users to identify individuals with whom they have lived. This might seem easy on paper, but the credit bureau does not actually verify roommates — just finds matching addresses in its system, and assumes that individuals lived together. Users do not recognize the names of those who resided at their addresses before or after they lived there, though, and thus fail the question.

Question format can also trip users up, Hanson noted.

“They’re all multiple choice, and there’s always a none-of-the-above answer,” he said. “It’s a psychological issue, where you just feel like you have to answer. ‘None of the above’ doesn’t seem like the right answer, and people will get those questions wrong all the time.”

Precise ID allows Nav to remove questions it feels are too challenging or misleading by filing an order request with Experian. Nav has removed several questions in the past, Hanson said, including one related to license plate numbers with a particularly dismal pass rate.

Moving To A More Seamless Experience

Nav hopes to eventually phase out KBA entirely, and replace it with a new Experian tool that relies on IP addresses and location data to authenticate users in real time. Hanson feels this will provide a much more seamless experience, in addition to being more secure, but its implementation is still far off.

“It’ll definitely be something that we’ll end up doing down the road as that product gets better developed,” he said. “But, as a startup, it’s always tough to find the time to change the system.”

For now, KBA is here to stay. Hackers and fraudsters are continually getting smarter, however, and it is anyone’s guess as to how much longer the current system can keep them at bay.

PYMNTS-MonitorEdge-May-2024