INTERVIEW: Stephen Stuut, CEO, Jumio on Frictionless Banking, GDPR and Verifying Over 120 Million IDs in a Year

INTERVIEW: Stephen Stuut, CEO, Jumio on Frictionless Banking, GDPR and Verifying Over 120 Million IDs in a YearJumio is a rising star in the biometrics industry thanks to its multiple award-winning mobile ID verification software: Netverify. Mobile ID World President Peter O’Neill recently interviewed Jumio CEO Stephen Stuut, along with the company’s VP of Marketing, Dean Nicholls. The conversation begins with talk about Jumio’s accelerating rate of success, and the drivers behind it. The discussion turns to the importance of having a human element in remote identity verification in order to establish a ground truth, why frictionless experiences in banking are crucial for the millennial generation, and the myriad use cases for Jumio’s technology. Stuut and Nicholls conclude the interview with talk of GDPR and how Jumio can aid in continued compliance with new privacy regulations.

Read our full interview with Stephen Stuut, CEO, Jumio and Dean Nicolls, VP of Marketing, Jumio:


Peter O’Neill, President, Mobile ID World:  What a year for Jumio, a hundred million ID’s processed in the past year! Please tell us about this.

Stephen Stuut, CEO, Jumio: Well, the first thing is to correct your question, it is one hundred and twenty million, and by now it is probably one hundred and thirty million! That was last year’s total and we did more last year than all the other year’s combined so it is not just growing it is accelerating and it is continuing into this year. So, the overall trend lines are very positive for us and that is in terms of both our customers expanding their usage; our customers increasing their volumes in their business and then new customers coming in and they find themselves with the value proposition. Those first two by the way are people like HSBC — people we step into in one business unit and now we are in five business units in 30 countries. So, we’re expanding volumes within our customer base, but then you have something like an Airbnb who just grows inexorably.

Mobile ID World: That has to be a very positive way to grow your business: seeing it start off in one region then expand to other regions. What are some of the key drivers pushing this type of growth?

Stephen Stuut, CEO, Jumio: The fundamental underpinning of this is actually universal for a lot of the industries that we serve, in that they are digitizing the journey for their customers. That may be in response to pressure from an all digital competitor if they are all brick and mortar version. It could just be they are getting on with the idea that you don’t need to be anywhere in particular to access them. So, when they do the digital journey they are going away from all these things that universally might be called knowledge-based authentication, or just friction-full ways of getting you into their relationship. Because the internet is anonymous, that doesn’t mean that you can drive off with that Mercedes just because you have a Gmail address. So, the key is to know the real identity of online users.

For us in particular we have positioned ourselves as, we will get you the right answer; it isn’t a quick answer that’s wrong, it is the right answer. Within that, all of us and our competitors work really hard to catch the fraudsters, that is not the economic proposition for our customers meaning that is like one percent of the transaction but we don’t want to miss the other 99 percent. We always give an answer, yes or no – and we never return a value of “caution” or “suspect.” Frequently if you are doing it other ways you come back with a “we’re not sure what we’re looking at,” as the computer can’t figure it out. Our hybrid, which is truly a hybrid, uses the best of both worlds. We are a technology enabled, machine learning-based service, but we are also a human augmented service. However you want to view it.

Mobile ID World: That is a very interesting combination, having both AI and human factors. It is really a plus for your company, isn’t it?

Stephen Stuut, CEO, Jumio: Yes, and it extends further than, “We get it right.” We are all working on using machine learning, deep learning on the data that flows through us but given that we’ve done more than everybody combined times several times, we have seen so much more of every type of ID document from just about every country or territory on the planet. The whole idea of a machine learning model is: it’s not the model, it is the data, and you need to have the right data going in. Effectively, because of how we have approached it, we’ve tagged every single one of these transactions because even if the computer figured it out, they’ve sanctified it and said yes indeed, and we’ve gone back and started doing it more methodically on request of the computer vision team to say, “Find us examples of things.” And we did recently 1.5 million taggings specifically for a specific request of theirs, and the reason we can do that is because we are at scale where we have the verification experts who, by definition, can establish ground truth. The other thing I like to point out is when solutions are 100 percent automated – which may sound fancy and sexy – but you really don’t have anything if you don’t know what ground truth is.

So, how do you get ground truth? The algorithm doesn’t have any idea. You have to start with, and I hate to point this out to everybody, but a human has to decide this was indeed a hole punch for an expired ID, this was indeed an ‘R’, and then you start training the machine. And if you are an identity verification solution that lacks data and scale, you haven’t seen all the different kinds of fraudulent Pakistani ID’s. We see them every single day; we’ve seen so many so we really do know what the fraudsters do. Put that into the machine learning algorithm and now you have some serious value creation.

Mobile ID World: You spoke a little bit about friction, and Javelin Research recently published a report stating 38 percent of millennials are abandoning their mobile banking activities because the process took too long. And of course the always present, “I forgot my password.” Thirty-eight percent. That is outstanding, but what can you do to help resolve this situation?

Stephen Stuut, CEO, Jumio: Well, we take care of it in a way that the millennials in particular, but anybody does like, and that is how the company was founded – to make it dead easy for the end user, and then our customer is the one that gets the benefit. How hard is it to take a picture of your ID and, if needed, to take a picture of your face? Click, click – how easy is that? It’s so oriented towards the millennials. My own millennial kids, I don’t think they have ever walked into a bank, and they don’t need to. So, this whole frictionless approach to what we do – and 38 percent is just the beginning of it because if you loose 38 percent of your potential customers that means a lot more than the 1 percent of fraud that you are trying to stop but on top of that. If you gave them a bad user experience they don’t ever come back. That is a bigger number then.

Dean Nicolls, VP of Marketing, Jumio: We launched a custom UI within our mobile SDK and what that allows banks to do, for example, is to go from five or sex steps in terms of the online verification to just virtually three steps in the process. Some of the banks have done a great job with this and simplified the process by asking for a picture of the ID and a selfie, and then they go on to the next stage of the online onboarding process, and while they are capturing that we are processing that verification in the background. For the customer it is all seamless because, whether we have verified them or not, they continue the next steps in the application process. So for them it is seamless and there is minimal delay in getting verified online.

Just as important as what we are doing it is the messaging the banks do. The better banks that have integrated us also explain to the customers why they are asking for the ID and selfie, and the rationale behind it. In some of the better experiences we’ve seen, when they have taken the time to explain that to the customers, they have seen the abandonment rates cut in half.

Mobile ID World:  That is spectacular. I can see a lot of use cases for your technology, we’ve talked a lot about financial and fintech, what are some of the other key ones? Also, talk a little bit about future potential areas as well.

Stephen Stuut, CEO, Jumio: Sure. I’ll set the stage. We may have parts of our business aimed at specific verticals. If you look at online gambling in Europe, we have nine of the top ten gaming operators …and are hoping to soon have all 10.  For cryptocurrency exchanges, I think we have got seven of the top 10 accounts. Those verticals each sort of represent a use case and in both of those cases, the use cases are KYC & AML compliance requirements from a regulator. They are the very favorite route for money launderers. But that use case of account opening when you are regulated is a really specific one and there is a lot of others.

Account opening, let’s be honest, is an obvious thing for many industries and we are perfectly set for that. But you can also have challenges with that. Say, for example, you can have a bank account however you set it up and suddenly you withdraw $50,000 and want to wire it to Belarus. That might be a suspicious activity they might want to challenge. Or we have social media customers who want to verify that their users are real human beings, not bots. The use cases proliferate and include age verification – are you old enough to do whatever you are claiming to do (i.e. you want to be the guy who is driving with Instant Car to deliver groceries and there is alcohol involved, you have to prove you are 18 to do that). Or you are at work and they want to give you beer on Fridays, they want to use us for that. So, there are many use cases.

Dean Nicolls, VP of Marketing, Jumio: Around the last one, thanks to the legislation around cannabis a lot of states and countries are looking at this as well for age verification, so it is a big deal in Canada and we are looking to get it opened up in all the provinces. They are looking for a solution that can provide age verification and obviously we are well suited for that.

Stephen Stuut, CEO, Jumio: There is one more customer that I would like to highlight – who we actually signed this week, but we can’t divulge their name …yet. But it is a global company that wants to create a social network for children so the children can talk to each other. To do that you need to verify that the parent has given permission and that indeed it is the parent. I never would have thought of that use case but it is a trust environment like Airbnb. They don’t have to do anything, but they do it because they want everybody to trust each other.

These trends are taking Jumio into uncharted territory. For instance, GDPR is a big topic all over the planet right now because on May 25 it becomes a law in the EU and there is a whole lot of American companies who clearly haven’t thought it through and I don’t think they realize that an EU citizen standing in New York is covered by it with very onerous penalties. But, the key thing to remember with GDPR is that there are different rules for data controllers and data processors. For instance, contact an entity that has your identity and transfer it to another one like if you are moving banks or you would be able to call Airbnb for example and tell them to… forget me. How do you know it was me who called up and said to do either one of those? Now, with GDPR, there are new use cases emerging such as user reverification.

As a matter of fact, we are solely positioned to be really, really good with the GDPR; we’ve spent a lot of time on this. We are a data processor under GDPR and the data controllers are our customers so we perform tasks intended to perform whatever they ask us to do and enhance those services as we go. In the US you don’t have that distinction but with all the news about Cambridge Analytica and people wanting to beat Facebook, those elements are going to come here too and we’ve been very active in Europe and have been GDPR compliant from day one. We’ve made sure that on a global basis we will just use that standard and then when the US catches up we will be ready for it.

Dean Nicolls, VP of Marketing, Jumio: We’ve also created a webpage with links to a data sheet, a new eBook, and a short webcast about the five must-haves of any GDPR compliant online identity verification solution.

Stephen Stuut, CEO, Jumio: There are a number of things that a US company, or any company, needs to understand and one is human review. You have to be able to respond to a customer with a query on why they got turned down for a bank account or an Airbnb host role. Why? And you can’t just say an algorithm kicked you out and it can’t be “let me give you the machine code that was produced.”

GDPR gives data subjects (i.e., your online customers) the right not to be subject to decisions solely based on automated processing that produce ‘legal effects’ or other significant effects.

By definition we are compliant. Compliant machine learning, it’s the same thing actually. If you call and ask why you got turned down and they said the algorithm thinks you are a fraud and you answer, “Why does it think that?” and they just answer, “Because the algorithm said so,” that is not good enough.

One of the big advantages and head starts we have with GDPR is that we’re already PCI-DSS compliant.

There is some basic stuff that you have to do, and because we have been PCI compliant forever that is how we go about data security, privacy and encryption. You have to have data retention policies that meet their requirements, data breach notification requirements, data encryption requirements and PCI-DSS is probably the gold standard for doing that. There are other things that you can do but that is the way you can do it properly. PCI-DSS doesn’t address human review and compliant machine learning, but it helps us with several other key GDPR requirements.

Because of how we perform online identity verification, and because of our scale, we do actually know what ground truth is and we can tell basically the machine said so because the letter “R” has been turned backwards and it’s not the right font for a Pakistani’s driver’s licence.

As far as future applications, that is a very real application for us and it is also something we are compliant with, and I suspect none of our competitors have even thought about it to be honest.

Mobile ID World: We were talking about GDPR this morning in our staff meeting because we are writing a lot about it and it will be a hot topic at Money20/20 in Amsterdam. So, congratulations on that and thank you for describing that for our readers and also for describing the success of your company. We’ve been actively following you for several years now and it is just remarkable to see the growth. Also, congratulations on the awards you have won which I discovered in my research for this interview. Even last week you won one and you keep winning these rewards around the world. So, obviously you are doing things well, Steve. So, thank you very much for covering that off and giving us an update and all the wonderful things going on at Jumio.

Stephen Stuut, CEO, Jumio: Great. I appreciate your time and look forward to seeing you in Amsterdam.