<style type='text/css'> /**figure { display: block; margin-left: auto; margin-right: auto; width: 75%; margin-top: 50px; margin-bottom: 50px; }**/ .image-caption{ text-align: center; padding: 5px; font-size: 80%; color: #AAA; } .code-caption{ padding: 5px; font-size: 80%; color: #AAA; text-align: left; } h2{ padding-top: 50px; } </style>

# Login and KYC

## Login security and recovery

Borrowers log in to the Q mobile app by providing their phone number, which is confirmed via one-time passcode, and configuring FaceID/TouchID for future re-entry. OTPs are handled by the [Twilio Verify API](https://www.twilio.com/docs/verify/api). Q does not use emails or passwords, which reduces the attack surface for account access — passwords can't be guessed or cracked, and malicious access to a borrower's email can't be used to reset their account.

In the event of a lost or wiped phone, the borrower can re-download the Q app and regain access to their account via one-time passcode to their phone number.

In the event of a phone number change, the borrower can regain access by going through the first-time photo ID identity verification onboarding.

## Identity verification

Q checks the borrower's ID for built-in security features and signs of tampering. Police databases are also searched for reports of the document being lost or stolen, protecting against forged, counterfeit, stolen, and compromised IDs.
```json=
{
  "breakdown": {
    "age_validation": {
      "breakdown": {
        "minimum_accepted_age": { "properties": {}, "result": "clear" }
      },
      "result": "clear"
    },
    "compromised_document": { "result": "clear" },
    "data_comparison": {
      "breakdown": {
        "date_of_birth": { "properties": {}, "result": "clear" },
        "date_of_expiry": { "properties": {}, "result": "clear" },
        "document_numbers": { "properties": {}, "result": "clear" },
        "document_type": { "properties": {}, "result": "clear" },
        "first_name": { "properties": {}, "result": "clear" },
        "gender": { "properties": {}, "result": "clear" },
        "issuing_country": { "properties": {}, "result": "clear" },
        "last_name": { "properties": {}, "result": "clear" }
      },
      "result": "clear"
    },
    "data_consistency": {
      "breakdown": {
        "date_of_birth": { "properties": {}, "result": "clear" },
        "date_of_expiry": { "properties": {}, "result": "clear" },
        "document_numbers": { "properties": {}, "result": "clear" },
        "document_type": { "properties": {}, "result": "clear" },
        "first_name": { "properties": {}, "result": "clear" },
        "gender": { "properties": {}, "result": "clear" },
        "issuing_country": { "properties": {}, "result": "clear" },
        "last_name": { "properties": {}, "result": "clear" },
        "multiple_data_sources_present": { "properties": {}, "result": "clear" },
        "nationality": { "properties": {}, "result": "clear" }
      },
      "result": "clear"
    },
    "data_validation": {
      "breakdown": {
        "date_of_birth": { "properties": {}, "result": "clear" },
        "document_expiration": { "properties": {}, "result": "clear" },
        "document_numbers": { "properties": {}, "result": "clear" },
        "expiry_date": { "properties": {}, "result": "clear" },
        "gender": { "properties": {}, "result": "clear" },
        "mrz": { "properties": {}, "result": "clear" }
      },
      "result": "clear"
    },
    "image_integrity": {
      "breakdown": {
        "colour_picture": { "properties": {}, "result": "clear" },
        "conclusive_document_quality": { "properties": {}, "result": "clear" },
        "image_quality": { "properties": {}, "result": "clear" },
        "supported_document": { "properties": {}, "result": "clear" }
      },
      "result": "clear"
    },
    "police_record": { "result": "clear" },
    "visual_authenticity": {
      "breakdown": {
        "digital_tampering": { "properties": {}, "result": "clear" },
        "face_detection": { "properties": {}, "result": "clear" },
        "fonts": { "properties": {}, "result": "clear" },
        "original_document_present": { "properties": {}, "result": "clear" },
        "other": { "properties": {}, "result": "clear" },
        "picture_face_integrity": { "properties": {}, "result": "clear" },
        "security_features": { "properties": {}, "result": "clear" },
        "template": { "properties": {}, "result": "clear" }
      },
      "result": "clear"
    }
  }
}
```

:::info
ℹ️ Onfido report callback. Note the 'result' for each check, including ID image integrity and cross-referencing of police DBs.
:::

If the ID is clear, Q leverages facial recognition to compare the borrower's photo ID to the borrower's selfie video, ensuring that the ID belongs to the person using the mobile device. The process also checks the image data coming from the mobile device's image sensor for signs of additional manipulation, protecting against malicious users trying to manipulate their selfie by:

* taking a selfie of a photo from the web
* taking a selfie of a screenshot
* using a photo of a photo or digital screen for their selfie
* using digitally-modified selfies or IDs
* or using a 2D mask / printout to augment their selfie

![](https://i.imgur.com/to71CBR.jpg)

```json=
{
  "created_at": "2019-12-11T09:39:05Z",
  "href": "/v3.1/reports/<REPORT_ID>",
  "id": "<REPORT_ID>",
  "name": "facial_similarity_photo",
  "properties": {},
  "result": "clear",
  "status": "complete",
  "sub_result": null,
  "breakdown": {
    "face_comparison": {
      "result": "clear",
      "breakdown": {
        "face_match": {
          "result": "clear",
          "properties": { "score": 0.6512 }
        }
      }
    },
    "image_integrity": {
      "result": "clear",
      "breakdown": {
        "face_detected": { "result": "clear", "properties": {} },
        "source_integrity": { "result": "clear", "properties": {} }
      }
    },
    "visual_authenticity": {
      "result": "clear",
      "breakdown": {
        "spoofing_detection": {
          "result": "clear",
          "properties": { "score": 0.9512 }
        }
      }
    }
  },
  "check_id": "<CHECK_ID>",
  "documents": []
}
```

:::info
Facial similarity result from Onfido
:::

Once a borrower's identification is validated, Q extracts PII from their ID. Data retrieved from the ID includes name, address, and DOB.

```json=
{
  "check_id": "<CHECK_ID>",
  "created_at": "2021-03-22T17:13:12Z",
  "documents": [
    { "id": "<DOCUMENT_ID>" }
  ],
  "href": "/v3.1/reports/<REPORT_ID>",
  "id": "<REPORT_ID>",
  "name": "document",
  "properties": {
    "date_of_birth": "1990-01-01",
    "date_of_expiry": "2030-01-01",
    "document_numbers": [
      { "type": "document_number", "value": "999999999" }
    ],
    "document_type": "drivers_license",
    "first_name": "Jane",
    "gender": "",
    "address": "2570 24TH STREET ANYTOWN, CA 95018",
    "issuing_country": "USA",
    "issuing_state": "CA",
    "last_name": "Doe",
    "nationality": ""
  },
  "result": "clear",
  "status": "complete",
  "sub_result": "clear",
  ...
```

## KYC -- Know your customer

Q cross-references the extracted PII above across 400+ identity databases and watchlists, using Onfido's KYC checks and Socure's Identity API, to confirm that the person is not a potential risk to transact with and to satisfy all KYC / AML compliance requirements.

Q specifically scans for:

* Sanctions - Government and International Organizations Sanctions Lists
* Politically Exposed Persons - Proprietary database of Politically Exposed Persons sourced from government lists, websites and other media sources
* Monitored Lists - Law-enforcement and Regulatory bodies Monitored Lists (including Terrorism, Money Laundering and Most Wanted lists)
* Adverse Media - Negative events reported by publicly and generally available media sources

Across the following databases:

```csvpreview {header=true}
Source,Definition
Credit Agencies,Data comprised of consumer credit applications
Voting Register,Data comprised of voter registration within a country
Telephone Database,Data provided by both landline and mobile providers.
Government,"Any standard publicly accessible data collected by government entities. These include driving licence data, motor vehicle registration, court filings, property ownership registers, permanent place of residence registration and other similar data sets"
Business Registration,"Data comprised of business registrations, corporate directors filings and business hierarchy data"
Consumer Database,Opt-in consumer data leveraging database marketing and other similar opt-in data sources
Utility Registration,"Data comprised of utility registrations such as electricity, gas, water accounts"
Postal Authorities,Data provided by postal authorities
Commercial Database,These are corporate/private databases where users have opted-in and allowed for their information to be used for the purpose of verification of their identities
Proprietary,"This is when a data provider chooses not to divulge the source of the data to us for varied reasons, and also includes social media based data"
```

## Location confirmation

Real-time location data is collected from the borrower's mobile device’s GPS to check that the borrower is located in the home they are mortgaging.
Q also checks spending transactions from the bank data collected later in the application process [detailed in financial verification]. Combined, these let Q confirm the statistical probability of the current location being a primary residence (i.e. a property occupancy check).

![](https://i.imgur.com/iQAAIPR.png)
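
An added example, not Q's or Onfido's own code: a fail-closed gate over a report shaped like the Onfido callbacks in the identity verification section. It approves only a report that is complete, clear at the top level, clear in every nested `breakdown` entry, and contains every required check. The required-check list, the function names and both sample reports are assumptions constructed for illustration.

```python
import json

# Checks this gate insists on seeing in a document report (assumed policy;
# the key names are the ones in the page's Onfido callback).
REQUIRED_DOCUMENT_CHECKS = ("compromised_document", "police_record",
                            "image_integrity", "visual_authenticity")

def non_clear_paths(breakdown, prefix=""):
    """Return dotted paths of every breakdown node whose result is not 'clear'."""
    found = []
    for name, node in breakdown.items():
        path = prefix + name
        if not isinstance(node, dict) or node.get("result") != "clear":
            found.append(path)
        if isinstance(node, dict):
            found.extend(non_clear_paths(node.get("breakdown") or {}, path + "."))
    return found

def gate_report(report, required=REQUIRED_DOCUMENT_CHECKS):
    """Fail closed: approve only a complete, clear report with every required check."""
    reasons = []
    if report.get("status") != "complete":
        reasons.append(f"status:{report.get('status')}")
    if report.get("result") != "clear":
        reasons.append(f"result:{report.get('result')}")
    breakdown = report.get("breakdown") or {}
    reasons += [f"missing:{name}" for name in required if name not in breakdown]
    reasons += [f"not_clear:{path}" for path in non_clear_paths(breakdown)]
    return (not reasons, reasons)

# Constructed sample reports (not real Onfido output).
CLEAN = json.loads("""{"status": "complete", "result": "clear", "breakdown": {
  "compromised_document": {"result": "clear"},
  "police_record": {"result": "clear"},
  "image_integrity": {"result": "clear", "breakdown": {
    "image_quality": {"properties": {}, "result": "clear"}}},
  "visual_authenticity": {"result": "clear", "breakdown": {
    "digital_tampering": {"properties": {}, "result": "clear"}}}}}""")

# Top-level result says "clear", but one check is absent and one is flagged.
SUSPECT = json.loads("""{"status": "complete", "result": "clear", "breakdown": {
  "compromised_document": {"result": "clear"},
  "image_integrity": {"result": "clear"},
  "visual_authenticity": {"result": "consider", "breakdown": {
    "digital_tampering": {"properties": {}, "result": "consider"}}}}}""")

if __name__ == "__main__":
    for label, report in (("clean", CLEAN), ("suspect", SUSPECT)):
        print(label, gate_report(report))
```

For the facial similarity report, pass `required=("face_comparison", "image_integrity", "visual_authenticity")`, the top-level breakdown keys shown in that callback.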