Responsible AI at Socure

Socure uses artificial intelligence (AI) and machine learning to combat identity fraud at scale so that our customers can seamlessly and safely grant consumers access to valued goods and services. 

But how does Socure use AI, how does it affect people, and why should it be trusted? We welcome this opportunity to explain, beginning with our principles.

Socure’s Principles for Responsible AI

  • Trustworthiness.  AI should be safe and effective, accurate, and reliable.
  • Transparency.  We will be forthright about how we build AI and explain what its outputs mean to customers and to the public.
  • Accountability.  We govern our AI throughout its lifecycle, especially to protect against bias and discriminatory effects.
  • Protection.  Our AI practices will align with our privacy and data security responsibilities and commitments.

What AI does Socure produce and how?

Socure develops products for fraud prevention and identity verification, used by customers in sectors including financial services, HR solutions, ecommerce, the gig economy, government, and more.

AI enables computers to perform tasks usually associated with human intelligence and problem-solving capabilities. AI can enable machines to understand, translate and produce written language; to analyze data and make recommendations based on that data; to “see” and identify objects; and much more. 

Socure mainly uses a subset of AI called machine learning (“ML”), the science of studying large datasets to learn insights and patterns to answer questions or solve problems. Data scientists use these findings to build algorithms and models that produce answers and outcomes at scale. 

Socure uses machine learning to answer one primary question:

Is this a legitimate person who is who they say they are?

Here, a legitimate person is:

  • not a fraudster or bot
  • not a sanctioned entity
  • not someone misusing someone else’s personal information
  • not someone lying about themselves, such as about their age

To answer this question, we study and utilize data relevant to identity, especially for online interactions: 

  • Personal identifiers (name, address, phone, email, DOB, and national identifier)
  • Device intelligence (hardware and software characteristics, plus behavioral signals that tend to differ between fraudsters and genuine people, making them useful for rooting out fraud)
  • Government-issued ID documents plus selfies for comparison against those asserted IDs 

From this data, we develop insights that help us pinpoint the differences between good and bad events. Of the thousands of insights we’ve learned, here are a few examples, followed by an illustrative sketch after the list.

  • Bad actors often use gibberish email handles or recently ported phone numbers.
  • Good people sometimes transpose digits in their phone number, so a simple inversion of numbers alone does not indicate a bad actor.
  • Fraudsters often copy and paste information into forms, but good people generally do not copy and paste their name or other key identifiers.
  • People often use nicknames or suffixes, so it’s important not to disqualify someone just because there is no exact match against our records.
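
To make these insights concrete, here is a minimal, hypothetical sketch of how signals like these could be expressed as features. Every field name, heuristic, and threshold below is an illustrative assumption, not one of Socure’s actual features:

```python
def looks_gibberish(handle: str) -> bool:
    """Crude illustration: gibberish email handles tend to lack vowels."""
    letters = [c for c in handle.lower() if c.isalpha()]
    if not letters:
        return True
    vowel_ratio = sum(c in "aeiou" for c in letters) / len(letters)
    return vowel_ratio < 0.2  # illustrative threshold, not a real one


def risk_signals(event: dict) -> dict:
    """Derive illustrative risk features from a submitted identity event.

    Field names and thresholds are hypothetical examples only.
    """
    email_handle = event["email"].split("@")[0]
    return {
        # Bad actors often use gibberish email handles.
        "gibberish_email": looks_gibberish(email_handle),
        # Recently ported phone numbers are a common fraud signal.
        "recently_ported_phone": event.get("days_since_phone_port", 10**6) < 30,
        # Genuine users rarely copy/paste their own name into a form.
        "pasted_name": event.get("name_was_pasted", False),
        # Two transposed digits alone are weak evidence, so a real model
        # would give this signal little weight on its own.
        "phone_digit_transposition": event.get("phone_edit_distance") == 2,
    }


print(risk_signals({
    "email": "xk7qzpw93@example.com",
    "days_since_phone_port": 4,
    "name_was_pasted": True,
    "phone_edit_distance": 2,
}))
```

In practice, no single signal decides an outcome; a model weighs many such features together.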

Guided by these insights, our models produce fraud and compliance scores, along with reason codes for explainability. In actual use of Socure services, customers remain in the decisioning loop: they choose how to react to the scores and reason codes, establishing their own guidelines and deciding whether individuals go forward, are declined, or are subject to additional review.
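
To illustrate that decisioning loop, a customer might encode its own guidelines along these lines. The score bands, reason codes, and thresholds below are hypothetical choices made by the customer, not values Socure prescribes; this is a minimal sketch, not a real integration:

```python
from enum import Enum


class Decision(Enum):
    APPROVE = "approve"
    REVIEW = "manual_review"
    DECLINE = "decline"


# Hypothetical customer-chosen policy: Socure returns a score and reason
# codes; the customer decides what to do with them.
HIGH_RISK_CODES = {"R111", "R222"}  # illustrative reason codes


def decide(fraud_score: float, reason_codes: set[str]) -> Decision:
    """Map a score (0 = low risk, 1 = high risk) and reason codes to an outcome."""
    if fraud_score >= 0.9 or reason_codes & HIGH_RISK_CODES:
        return Decision.DECLINE
    if fraud_score >= 0.6:
        return Decision.REVIEW  # e.g., step-up verification or analyst review
    return Decision.APPROVE


print(decide(0.42, {"R333"}))  # Decision.APPROVE
```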

Now let’s talk about how Socure incorporates AI solutions into our products, consistent with our principles for Responsible AI.

Trustworthy

Socure Principle: AI should be safe and effective, accurate and reliable.

Socure services are used in many sectors, millions of times each day, to help individuals access online accounts and services. We continually pressure test our solutions to make sure they are accurate and reliable.  

Accuracy refers to how often we are right, both for each individual response and overall for an account, for specific use cases, and for industries.

Reliability means the services work as expected, in both speed and quality, across all the contexts in which customers deploy us. Those scenarios include granting access to websites via initial account opening, password resets, non-monetary account changes, and other uses of one-time passwords. They include know-your-customer and sanctions screening compliance for regulated and unregulated entities. Some customers even use Socure solutions for call center interactions.

We maintain high standards across all these contexts and throughout the product lifecycle with continuous design, testing, monitoring and oversight.

  • Data sourcing is governed by rigorous testing, our third-party risk management program, and ongoing quality checks. Our data sources provide us intelligence and reference checks on the submitted identifiers. It’s essential that their services and data are also accurate and reliable, so we put them through careful performance testing and security and compliance assessments, then continuously monitor their quality and effect on our services.
  • Ongoing testing and monitoring happen during model development and continue after models are deployed into use by our customers. Many customers scrutinize our performance statistics and test our services before buying them, which means our people and systems constantly test and track performance in a measurable and consistent way.

These metrics assess the accuracy and effectiveness of fraud detection and identity verification systems. Key indicators include false positives, false negatives, true accept rates, and true reject rates; these measure how well transactions are classified as fraudulent or legitimate. Broader success metrics, such as auto-approval rates, fraud detection/capture rates, and the good-to-fraud ratio, evaluate overall fraud prevention performance. Other metrics, such as the Population Stability Index, ensure that models perform consistently across datasets.

Product-specific metrics, like classification rates (accuracy in identifying document issuers and types) and barcode/MRZ decode rates (success in reading encoded data), reveal the performance of each product. System performance metrics, such as response times and uptime, ensure reliability and speed. Additionally, we provide customer-facing statistics, such as score distributions, reason code firing rates, PII firing rates, and suspicious patterns, to give customers actionable insights for internal decision-making.
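
For readers who want the definitions behind a few of these terms, here is a minimal sketch of how they can be computed from labeled outcomes and score samples. It assumes simple binary labels and NumPy; it is illustrative, not Socure’s production tooling:

```python
import numpy as np


def classification_metrics(y_true, y_pred):
    """y_true / y_pred: 1 = fraud, 0 = legitimate (illustrative labels)."""
    y_true, y_pred = np.asarray(y_true), np.asarray(y_pred)
    tp = np.sum((y_pred == 1) & (y_true == 1))  # fraud correctly flagged
    fp = np.sum((y_pred == 1) & (y_true == 0))  # good users wrongly flagged
    tn = np.sum((y_pred == 0) & (y_true == 0))  # good users accepted
    fn = np.sum((y_pred == 0) & (y_true == 1))  # fraud missed
    return {
        "fraud_capture_rate": float(tp / (tp + fn)),
        "false_positive_rate": float(fp / (fp + tn)),
        "true_accept_rate": float(tn / (tn + fp)),
    }


def population_stability_index(expected, actual, bins=10):
    """PSI between a baseline score sample and a recent one.

    Rule of thumb (a common industry convention, not a Socure threshold):
    below 0.1 is stable, above 0.25 suggests meaningful drift.
    """
    edges = np.histogram_bin_edges(expected, bins=bins)
    e_pct = np.histogram(expected, bins=edges)[0] / len(expected)
    a_pct = np.histogram(actual, bins=edges)[0] / len(actual)
    # Avoid log(0) in sparsely populated bins.
    e_pct = np.clip(e_pct, 1e-6, None)
    a_pct = np.clip(a_pct, 1e-6, None)
    return float(np.sum((a_pct - e_pct) * np.log(a_pct / e_pct)))


print(classification_metrics([1, 0, 1, 0], [1, 0, 0, 0]))
# {'fraud_capture_rate': 0.5, 'false_positive_rate': 0.0, 'true_accept_rate': 1.0}
```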

  • Feedback loops are a key component of ML because models need to be fine-tuned and keep learning to remain effective. After enough time has passed for most fraud to have surfaced, our customers tell us whether our responses were correct. Feedback doesn’t require the sharing of personal information. For example, feedback may say, “Socure was correct, this turned out to be fraud,” or it may say, “Socure was incorrect, we didn’t see this become fraud.” Feedback is especially important in a dynamic environment such as fraud, where fraudsters regularly change their tactics. (A minimal sketch of such a loop follows this list.)
  • In-house Fraud Investigators regularly review and analyze a sampling of our results, employing their decades of experience investigating fraud across all sectors. This is an important layer of human involvement and validation. 
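
Here is that minimal sketch of a feedback join. The transaction identifiers are hypothetical, illustrating how outcomes can be reported without exchanging personal information; the structure is an assumption, not Socure’s actual feedback interface:

```python
# Hypothetical feedback join: customers report outcomes by transaction ID,
# so no personal information needs to change hands.
predictions = {  # transaction_id -> model's fraud call at decision time
    "txn_001": True,
    "txn_002": False,
}
feedback = {     # transaction_id -> what actually happened, months later
    "txn_001": True,   # "Socure was correct, this turned out to be fraud"
    "txn_002": True,   # "Socure was incorrect" -- a missed fraud
}

# Pair each delayed label with the original prediction; these pairs can
# feed both performance monitoring and model retraining.
labeled = [(predictions[t], feedback[t]) for t in feedback if t in predictions]
accuracy = sum(p == f for p, f in labeled) / len(labeled)
print(f"Agreement with delayed feedback: {accuracy:.0%}")  # 50%
```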

Transparent

Socure Principle: We will be forthright about how we build AI and explain what its outputs mean to customers and to the public.

For customers, we provide: 

  • Reason codes, which describe pertinent information or risk insights we found.
  • Dashboard account analytics – Customers can log in anytime to see how their account is performing.
  • Ongoing account analysis and fraud alerts – Our tech support and technical account managers are available to troubleshoot or answer other questions about account performance.
  • Model governance documentation, as described in the Accountable section below.

For the public, we provide this report and these summary statistics.

AI Facts

Model type: Machine learning
Model training: Trained with customer data
Data sharing: All customer data remains confidential
Data disclosure: Customer data is not shared with third parties (all U.S. AI products)
Model governance: Yes, for inputs, processing, and outputs
Model validation: Yes
Fairness testing: Yes, for Fraud products
Independent validation: Yes, for Verify and Watchlist products
Human in the loop: At the account level, customers choose how to use Socure responses to treat individuals. At the transaction level, Socure provides troubleshooting and investigation services.
Privacy rights: Yes, in our contracts and Global Privacy Statement, we comply with consumer privacy rights.
Data security: Yes, we are audited against SOC 2 and ISO 27001, 27017, 27018, and 27701. Our public sector offering is FedRAMP Moderate Authorized, StateRAMP Authorized, and TX-RAMP Authorized.


Accountable

Socure Principle:  We govern our AI throughout its lifecycle, especially to protect against bias and inadvertent discriminatory effects.

Model governance is the oversight we exercise over the whole model development process. Socure follows a rigorous framework that has worked well in financial services for decades: model risk management, a regulatory expectation that financial institutions perform ongoing governance over a model’s inputs, processing components, and outputs. All of our customers benefit from this approach. It includes model validation processes, which check whether the models are working as expected, as described above. To be most effective, we involve stakeholders from data science, product, and legal throughout the model governance process.

Bias testing is a distinct part of our governance. We follow the fair lending rules and test whether our responses have a disparate impact on members of protected classes. Federal law protects people from discrimination in the lending and housing sectors, though we perform this testing across all customers and uses. Although Socure does not use any protected class status in its models, we look for inadvertent bias in the form of unjustified and disproportionate results according to race, color, sex, and age.
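
As a simplified illustration of disparate impact testing, one common approach (shown here as an assumption, not necessarily Socure’s exact methodology) compares approval rates across demographic groups against the four-fifths rule familiar from fair lending analysis:

```python
def adverse_impact_ratios(outcomes: dict[str, tuple[int, int]]) -> dict[str, float]:
    """outcomes: group -> (approved_count, total_count).

    Returns each group's approval rate relative to the highest-rate group.
    A ratio below 0.8 (the "four-fifths rule") is a common flag for further
    review; the 0.8 cutoff is an industry convention, not a Socure threshold.
    """
    rates = {g: approved / total for g, (approved, total) in outcomes.items()}
    best = max(rates.values())
    return {g: rate / best for g, rate in rates.items()}


# Hypothetical counts for two demographic groups.
ratios = adverse_impact_ratios({
    "group_a": (920, 1000),
    "group_b": (870, 1000),
})
flagged = {g: r for g, r in ratios.items() if r < 0.8}
print(ratios)   # {'group_a': 1.0, 'group_b': 0.945...}
print(flagged)  # {} -- no group falls below the four-fifths threshold
```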

We embrace fairness in product design and improvement. We strive to ensure strong and consistent performance across diverse demographic groups, including different genders, ages, races, and skin tones. We specially curate benchmark datasets that are representative of these characteristics so that we can test performance on them.

Protected

Socure Principle: Our AI practices will align with our privacy and data security responsibilities and commitments.

Socure has a privacy program, a data governance council, and a security team to support our responsible use of data, especially personal information. Our Privacy Statement is available to the public on our website and includes a link for individuals to exercise their privacy rights. We also provide educational resources such as blogs and webinars on privacy issues of public interest.

As for data security, we work hard to maintain independently audited standards and government standards. We are audited annually against the SOC 2 and ISO 27001, 27017, 27018, and 27701 frameworks for information security and personal information management, especially in cloud services. We provide services to government agencies in environments that are certified against the FedRAMP, StateRAMP, and TX-RAMP requirements.

Socure remains steadfast in its commitment to leveraging artificial intelligence responsibly to combat identity fraud and enhance trust in digital interactions. By adhering to our principles of trustworthiness, transparency, accountability, and protection, we ensure our AI solutions uphold the highest standards of accuracy, fairness, and security. As we continue to innovate and evolve, we welcome dialogue with our customers, partners, and the public to foster greater understanding and confidence in the transformative power of AI. Thank you for taking the time to learn more about our approach, and we invite you to reach out with any questions or feedback.