Articles

Announcing the start of B Corp Month

We’re really proud to be one of the UK’s founding B Corps, and every March, purposeful businesses come together to celebrate B Corp month. It’s a time for B Corps to raise awareness of just how important it is to move away from the outdated “business as usual” approach, and instead demonstrate how business, if done right, can be a force for good.   But what is a B Corp? Certified B Corporations, also known as B Corps, are companies that are said to meet high standards of social and environmental performance, transparency and accountability. There are now over 6,000 B Corps in 89 countries, across 159 industries. By being part of the B Corp movement, we recognise that the most challenging global problems cannot be solved by governments and NGOs alone. By harnessing the power of business, we know that as B Corps we have the ability to commit positively to impact all stakeholders.   How does a company become a B Corp? Qualifying to be a B Corp is a comprehensive and rigorous journey, where aspiring B Corps must have their processes verified by the B Lab, who oversee certification. B Corporation believes that businesses should exist to deliver impact above and beyond just profit. As such, businesses are assessed in five key areas: governance, workers, community, environment and customers. On top of these, if a company has what is known as an Impact Business Model (IBM), they can gain extra points. An IBM refers to the way that a business is designed to create a specific positive outcome for one of its stakeholders. An IBM may be based on a product, a particular process or activity, or the structure of the business.   Where do we fit in? Our Governance One area of being a B Corp that we think we excel in is our governance. Yoti is proud to be one of the UK’s founding B Corps, having received its first certification back in August 2015, the same year that B Corp launched in the UK. Before we’d even thought about how to turn a profit, we knew that as a company, we wanted to do business in the right way. We were well aware that in this industry, we would come up against complex ethical questions, simply because of the nature of what we do. So we had to find a way of ensuring that we had a robust framework to work against. In response to this, we came up with our seven founding principles, which have remained unchanged since the day we adopted them. That’s not to say that we won’t change them if we think they could be improved, but we think they’ve stood the test of time, and still hold strong as our foundations. Alongside these, we also have a comprehensive Code of Ethics, which we must abide by in every decision we make. This covers how we treat our employees, customers, business partners, and all remaining stakeholders. To demonstrate our commitment to being a B Corp, we have also made changes to our governing documents. We have made changes to our company’s Articles of Association, meaning that our business is held legally accountable to a broader purpose and is committed to considering the interests of all stakeholders. We also are held to account by our Guardian Council which consists of external, independently appointed experts in relevant fields such as human rights, data privacy and last mile tech. Alongside the Council, we have an Internal Ethics and Trust Committee, which oversees the development and implementation of ethical approaches at Yoti. We have made public pledges by signing up to the Fair Tax Charter, Responsible 100, 5Rights and the Biometrics Institute, all of which guide us in ensuring that we build ethical technology. And that’s only some of what we do. Keep an eye out for our upcoming governance series, where we’ll delve a bit deeper into our governance practices and what they mean on a practical level.   But we know we can still do better We’re committed to launching our Digital Identity Toolkit, which we hope will help demystify the world of digital identity. It is aimed at those who want to learn more about digital identity and how they might be relevant to people in their lives or their work. We hope that by making digital identity more accessible, readers will be able to make more informed decisions about whether they want to make a digital identity or integrate the technology into their organisations.   If you want to know more… We’re currently in the process of recertifying for B Corp status (since companies must recertify every three years). You can check out our most recently available B Corp score and impact report if you’d like to know more, or you can get in touch. Otherwise, keep an eye out for our upcoming governance series, Digital Identity Toolkit and new B Corp report.

5 min read

Global retail report: Exploring how facial age estimation improves the self-checkout

Nearly four years ago we integrated our facial age estimation technology into retail self-checkouts. Since then, it has been trialled by retailers in the US and Estonia, with further pilots taking place in Germany, Poland and Czech Republic. And last year UK supermarkets – including Asda, Morrisons, Tesco and Co-op – tested the technology as part of a Home Office regulatory sandbox. The aim of the sandbox was to trial digital age verification for the sale of alcohol under the UK Licensing Act (2003).  Detailed reports from the Home Office and the supermarkets who participated in the sandbox are due to be published. But in the interests of transparency, we have shared our own insights from both the Home Office trials and our wider learnings of how our technology works in a retail setting. We hope this helps to answer common questions and dispel misconceptions, and build trust and understanding in this new approach to age verification, which can make the lives of retail staff easier and improve compliance rates.    Key takeaways from the report: Customers like the experience Our technology gives customers a more private way to prove their age  Digital age verification has the potential to improve retail staff safety and reduce friction between staff and customers  Retail staff have more time to focus on other tasks, including spotting proxy sales and ‘walkaways’  Our technology is inclusive for those who do not own or have access to an ID document  Lighting conditions and environmental factors impact success rates Anti-spoofing is key to the success of digital age verification     A note from our CEO “Our age verification technology can help make retail stores safer and give customers privacy-preserving ways to prove their age, without needing to show physical ID to staff. During the Home Office trials, I was particularly happy to see that some of the self-checkouts could successfully estimate over 90% of shoppers at the first attempt. This will be a game changer for retailers both here in the UK and abroad, who can use our technology to improve compliance rates and enhance the checkout experience for shoppers” – Robin Tombs, CEO of Yoti. Download the retail report 

2 min read

How Yoti can help the financial services industry

In today’s world, the financial services industry needs to be protected now more than ever. It’s critical to the growth of the UK economy but is constantly under attack from online actors on the hunt for money.  With cyber security risks increasing, we’ve been working hard to build solutions that offer as much security as possible to such an important industry, and protection from these growing threats. The need for financial institutions to have customised systems is greater than ever due to the sophisticated nature of frequent cyberattacks. As these bad actors become more sophisticated with their approaches, we’ve had to make sure that our tech matches them.  As financial institutions are beginning to make bold changes to adapt to a new generation’s demands, it’s only right that our identity verification technology feels smarter as well – an instant, accessible, well-sharpened weapon to bring to the fight against fraud.    We can help automate your KYC and AML checks KYC (Know Your Customer) guidance in financial services asks companies to ensure they’re able to verify the identity of those they’re going into business with, as well as assessing any risks involved within the relationship. Our all-in-one KYC and AML platform is the faster way to verify customers and launch risk-based fraud mechanisms that won’t impact the user experience.  Using our KYC processes and our AI-powered solution that boasts a 97% completion rate, you’ll be able to reduce regulatory costs. We know that sometimes a human touch is reassuring though, so we’ll also provide you with the added comfort of human fallback to ensure that all bases are covered and that you don’t miss out on those genuine customers.  We don’t want outdated systems to hold you back. Instead, we provide all the confidence you need during the onboarding process by screening customer information against our award-winning AML data.  We connect to thousands of global sanctions and watchlists, PEPs and adverse media in real-time, allowing you to detect risk and react quickly.  Using our flexible platform, you will also be armed with the ability to be across anti-money laundering and accurately detect any risks according to your risk profile. You can monitor the ongoing process by receiving real-time alerts to changes in risk status and ensure your compliance team always stays a step ahead.   Doing things your way We seamlessly bring together both the customer and KYC experience in the space of minutes. Equipped with live user feedback, customers can prove their identity in one go, receiving verification just minutes later.  The verification process is yours to tailor. Our suite of services support what you need, whether its ID document authentication or anti-impersonation checks.   When we take things offline  Our unique partnership with Post Office offers world-leading online and in-branch verification solutions. Together, we’ve set our sights on providing businesses across the UK with secure solutions that tackle identity fraud as well as giving people a safer way to prove their identity.  We always strive to build tech that’s inclusive, making our solutions accessible and available to everyone, regardless of their ability to access online services themselves. And that’s what lies at the heart of this partnership with Post Office – the shared core belief that everyone should have the right to prove their identity.    No-code portal = no problem.  We know that IT resource is always at a premium so we’ve put systems in place to ensure your customers get where they need to be. Our no-code portal allows you to get started quickly and offer a smoother user journey, likely to increase conversion. No integration is needed – your customers can be sent a link and complete verification in one go. You can get set up within 24 hours and start sending identity checks.  You can find out more about our solutions here 

4 min read

How Yoti can help combat injection attacks

As use of online verification grows, there inevitably follows increasing temptation for bad actors to develop ways to exploit the process. As a provider of verification services we must show businesses, regulators and governments that we have robust anti-spoofing technology, checks and processes. An emerging but rapidly growing threat for verification services are injection attacks.   What are injection attacks? Injection attacks are a form of attack on remote verification services. Direct attacks are the most common attempt to spoof systems. Examples of direct attacks are: Paper image 2D and 3D masks  Screen image Video imagery Direct attacks are an attempt to spoof a verification system that a person is real, older, or someone else altogether. Our facematch and liveness technologies use layers of anti-spoofing to determine that the person is real (not a picture or mask, for example) and that they are who they say they are.  An injection attack is an indirect attack and attempts to bypass liveness detection. It involves injecting an image or video designed to pass authentication, rather than the one captured on the live camera. It is a rapidly emerging threat to digital verification services. Using free software and some limited technical ability, a bad actor is able to overwrite the image or video of the camera with pre-prepared images.   How can Yoti help prevent injection attacks? We have developed a patent-pending solution that makes injection attacks considerably more difficult for imposters. It is a new way of adding security at the point an image is being taken for a liveness or facematch check.  There are two parts to this. As well as obfuscating the code, Yoti adds a cryptographic signature key. As such, a potential hacker needs to both reverse engineer the obfuscation and infer or guess the cryptographic signature key. Yoti frequently changes the obfuscation and the signature key. This means that if the hacker were to reverse engineer the obfuscated code, by the time they have done so, the signature key will have changed, and vice-versa. There remain ways to spoof this (not that we’d say how) but it significantly adds to the effort, time, skill and cost of spoofing verification checks, moving bad actors on to less secure opportunities.  If you’d like to learn more about our NIST approved liveness products, please do get in touch.

2 min read

NIST Certification explained

Many companies in the identity space talk of NIST certification. What does this mean for you as a user of identity services and what does it mean for your customers? Who is NIST? NIST is the National Institute of Standards and Technology (NIST), a non-regulatory agency of the United States Department of Commerce. NIST’s remit is to create and certify measures, standards and technology to enhance trade and productivity. Formed in 1901, their remit is to provide standards and certification for business. At first this included clocks and thermometers, all kinds of ‘weights and measures’.  But over time the agency has grown to include tech, such as election technology and, of interest to us, cybersecurity. What is NIST compliance? Broadly, NIST certification means the product in question meets defined standards. Liveness is an anti-spoofing process that checks to ensure we are dealing with a real person. Not someone who is, for example, wearing a mask or using a photo or image of someone else. We use it across our suite of solutions including identity verification, digital ID and age verification.  What does NIST certified liveness mean? NIST provides a framework for testing performance levels of liveness.  NIST Level 1 involves testing using things that could be found in a normal home or office. Materials used for testing should not cost more than $30. Masks are excluded. To pass NIST Level 1, you must detect every attack and limit false negatives to less than 15%.  NIST Level 2. Involves testing against more specialist attacks, such as latex facemasks or 3D printers. Materials used for testing should not cost more than $300.To pass NIST Level 2, the you must detect 99% of attacks and limit false negatives to less than 15%. Once a liveness service has passed testing, they will be issued with a Presentation Attack Detection (PAD) Confirmation letter that provides results and methodology used and what product was tested.  To learn more about our liveness products, please do get in touch.

2 min read
Woman sat at desk looking at laptop

Digital identity verification for DBS checks

The Disclosure and Barring Service (DBS) has updated its guidance on how to check someone’s identity for a criminal record check. Previously, the process was only possible by seeing physical documents. During the pandemic, employers enjoyed relaxed rules which allowed them to do this via video call. However, the government has now updated their guidance to allow for digital ID verification technology.  This means candidates can prove their identity online, which is an absolute game changer for employers grappling with a remote-first world. But how does the process work and should you use it? Here’s our guide to digital ID for DBS checks.   What is a DBS check? A DBS check allows employers to see any criminal convictions a candidate may have on record. In some jobs, this is a legal requirement, particularly when working with vulnerable people, such as in healthcare or childcare. The check itself is processed by the Disclosure and Barring Service (DBS) and was previously called a CRB check. There are four types of DBS checks: Basic: shows unspent convictions and conditional cautions Standard: shows spent and unspent convictions and cautions Enhanced: shows the same as a standard check plus any information held by local police that’s considered relevant to the role Enhanced with barred lists: shows the same as an enhanced check plus whether the applicant is on the list of people barred from doing the role   Anyone can request a Basic DBS check on themselves directly through the government website.  Employers that want to request a Basic DBS check on an employee must use a ‘responsible organisation’ (RO), which is a company registered with the DBS to submit checks. To request a Standard or Enhanced DBS check on an employee, employers must use a company known as an ‘umbrella body’. Employers that process over 100 checks a year can also choose to register with DBS.   Verifying identity for DBS Before a DBS check can be processed, you first need to confirm the identity of the person being checked. Until this year, this relied on seeing original documents. However, the new guidelines now allow employers to collect and verify documents digitally. For candidates, this is as simple as submitting their documents and a selfie online. The verification process is mostly automated and uses facial matching to compare a selfie to an ID document. In addition, checks are done to make sure the image is of a real person and that the document is genuine. In addition, further checks are often completed to reach the correct level of confidence under GPG45 as required by DBS, such as a check against data held by credit reference agencies.  Employers don’t have to use digital identity verification but if they do, it must be undertaken by a certified identity service provider (IDSP). Make sure you check with your chosen DBS provider if they accept digital identity checks.   GPG45 for DBS When done digitally, the identity checking process must follow the government’s Good Practice Guide (GPG)45. This involves gathering evidence that supports someone’s identity and is split in five parts: Get evidence of the claimed identity Check the evidence is genuine or valid Check the claimed identity has existed over time Check if the claimed identity is at high risk of identity fraud Check that the identity belongs to the person who’s claiming it   Each step in this process is scored and combined to reach a level of confidence. There are four levels of confidence: low, medium, high and very high.  The levels of confidence required for DBS are:  ‘Medium confidence’ for DBS Basic  ‘High confidence’ for Standard and Enhanced   Identity profiles for DBS There are many ways to reach a GPG45 level of confidence, depending on how each step of the identity checking process has been carried out.  Different types of evidence are scored differently. For example, an ePassport scores more than a non-electronic passport or a driving licence.  Similarly, the way you collect evidence is important. You can gather and verify proof of address from a driving licence or typed in by the individual and checked with a credit reference agency.  The different ways you gather and check evidence to reach a specific level of confidence are called ‘identity profiles’.  There are lots of identity profiles and IDSPs must be audited for each one they offer. Not all IDSPs will offer the same number of identity profiles, which means some providers will offer candidates more flexibility and less friction than others.   Should you use digital identity for DBS? Digital identity is a game change for remote and hybrid working practices. Not only does it allow you to onboard employees from anywhere in the world, but it also helps you stand out in a competitive marketplace with an unbeatable candidate experience. In addition, for organisations that need to prove right to work eligibility and carry out a DBS check, some IDSPs like Yoti and Post Office are certified for both. This means you can use the same ID check for both processes, allowing you to streamline your internal practices.  Of course, digital isn’t for everybody. We believe in choice and inclusivity. Candidates that would like a little assistance can verify their identity at a Post Office. Their data is digitised and returned to the business in the same way as in the online service, only they haven’t had to touch a keyboard.   How Yoti and Post Office are digitising the DBS process Yoti and Post Office were the first government-certified IDSP for both DBS and Right to Work. Since the change in guidance, we’ve helped some of the UK’s biggest background screening companies make huge efficiencies in their processes. We’ve continued to add more identity profiles to our Identity Verification Service, to give candidates more flexibility and less friction over the documents they use. For DBS basic, candidates can complete the process using just their UK driving licence. To meet the required ‘medium’ level of assurance, we run an activity history check without adding any friction to the user experience. For DBS Standard and Enhanced, candidates can complete the process using an ePassport or a non-chipped passport. This new profile opens up the process to a wider range of ID documents and customers across the globe. Candidates can also prove their identity for a DBS check using our reusable Digital ID app. Alternatively, candidates that prefer some human assistance can verify their identity in-person at a Post Office.   Digitise the ID process for DBS  It’s been a really exciting time for Yoti and Post Office as we see what happens when innovation meets legislation. And we’ve loved hearing the feedback from valued partners like David Hutchinson, CEO at PeopleCheck: “I want to applaud your internal teams with how they have been supporting and working with the PeopleCheck tech team. The result is an exceptional candidate journey and a great product. This is a significant game changer for both on-site and remote hiring – with companies now being able to fully outsource UK Right to Work credibly and compliantly, at scale and at speed.” If you’re looking to digitise the DBS and right to work process, get in touch and we’d be happy to help.