Self-Service KYC and User Authentication and Identity with Twilio Trust Hub

December 12, 2023
Reviewed by Paul Kamp, Twilion

If your product offers enhanced voice or messaging capabilities to your customers, you are aware of increased requirements to capture details about their business and use case. These requirements are needed for you to use certain communication channels, such as Verified Toll-Free or US A2P 10DLC messaging.

These efforts are part of broader industry regulations referred to as Know-Your-Customer, or KYC for short. Over the past decade, carriers and regulators around the world have been diligently working to create a more trusted and verified messaging and voice ecosystem in which businesses can engage with consumers, and to protect consumers from spam, fraud, and bad actors. While there are currently different requirements based on channel, country, and number type, we expect to see a continued shift towards more KYC requirements around the world.

Fortunately, Twilio has a solution to help customers navigate the current requirements, comply with new channel registration requirements, anticipate future needs, and enable additional features for voice and messaging using the KYC information they collect: Trust Hub.

Using Twilio’s Trust Hub through the Console or our API, developers can submit the necessary information for a single customer profile or business identity and use it to register for multiple trusted communications channels on behalf of their end users.

Twilio Trust Hub KYC example

Consider your new user onboarding process: is it self service? If so, this post is for you. We’ll look at ways to capture necessary details from your end users at sign up, submit the information to Twilio Trust Hub, and tee your customers up for success with Twilio’s trusted voice and messaging products.

Why leverage Twilio KYC products in your user onboarding funnel?

Over the past few years, the telecommunications landscape underwent a massive phase change regarding how businesses contact their customers. Starting with who those businesses are, their intended use-case, and whether they have consent from consumers to receive their messages and voice calls, communications look a lot different than they did in the past.

Already within the US, customers wishing to use local and toll-free numbers for notifications and marketing SMS/MMS messages must either register their local numbers for US A2P 10DLC or have their Toll-free numbers verified in order to start sending messages from these sender types.

While number registration is now mandatory in the US for A2P 10DLC and verified Toll-Free messaging, you can expect that similar requirements may roll out in other countries as well. Twilio’s aim with Trust Hub is to help you fulfill KYC or compliance mandates in other channels and locales by reusing or building on top of information contained within Trust Hub customer profiles.

The one business profile to rule them all

Direct vs. ISV

You should first determine whether you are a direct customer or an Independent Software Vendor (ISV). Direct customers utilize Twilio for their own business's communications needs. ISVs are Twilio customers who utilize Twilio APIs to support their own software solutions. ISVs then sell this software to their own clients, who will each have their own uniquely branded communications, be it via messaging, voice, or another channel such as email.

If your business fits into the ISV category, then you will have the additional requirement to create a Primary Business Profile in Trust Hub within the Console, along with a Secondary Business Profile which can be submitted via API for each additional client you need to support.

What KYC data should you collect and submit to Trust Hub?

A product's account sign-up process often already captures various information about the user or business, for example, First Name, Last Name, Address, Email, Phone Number, etc. Typically, this information is needed for account creation, billing setup, user verification, account notifications, opting into product marketing campaigns, etc.

If you’re an ISV, creating and submitting a Secondary Business Profile via API is a multi-step process. Let’s take a look at the high-level flow and what you need to submit. For the full list of parameters and their accepted values, be sure to review our full documentation (you'll also find a larger version of the below flowchart).

Flowchart to create a secondary business profile with Twilio

Business Information

First, you will need to capture and submit basic information about the business or customer for which you are trying to create a compliant Secondary Customer Profile on Trust Hub. Many of these fields accept only predetermined values defined by the Trust Hub API, which you will need to select from; others are freeform strings.

See full documentation for required Business Information needed for a compliant Secondary Customer Profile.

  • Business Identity (required) e.g., Direct_customer
  • Business Type (required) e.g., Limited Liability Corporation
  • Business Industry (required) e.g., Retail
  • Business Registration ID Type (required) e.g., EIN
  • Business Registration Number (required) e.g., 12-3456789
  • Business Regions of Operations (required) e.g., USA_AND_CANADA
  • Website Url (required) e.g., test.com

Authorized Representatives

Next, you will need to submit some basic contact information for authorized representative(s) of this company.

See our full documentation for required details for Authorized Representative(s) needed for a compliant Secondary Customer Profile.

  • Last Name (required) e.g., Doe
  • First Name (required) e.g., John
  • Email (required) e.g., johndoe@email.com
  • Business Title (required) e.g., ceo
  • Job Position (required) e.g., CEO
  • Phone Number (required) e.g., +11112223333

Address

See full documentation for required details for Address information needed for a compliant Secondary Customer Profile.

  • Address Friendly Name (required) e.g., Headquarters
  • Country (required) e.g., US
  • Street Address 1 (required) e.g., 123 Main St
  • City (required) e.g., San Francisco
  • State/Province/Region (required) e.g., CA
  • Postal Code (required) e.g., 94016

Once you have gone through the necessary API steps to create a Secondary Customer Profile with the above information, you will then submit the profile to Twilio to review.

After a Business Profile has been submitted, it is vetted by our expert operations team. This process can take up to 72 hours. The team will confirm the supplied business information and then approve or reject the submission. We will notify you via email about the outcome of the vetting process and the status of the Business Profile.

During the vetting process, Twilio may reach out to the authorized representatives included in your Business Profiles to confirm your business identity.

Next, let’s take a look at which Trust Products you can enable using an approved Trust Hub Business Profile.

Enable Trust Products

US SMS/MMS Messaging

US A2P 10DLC

Registering a campaign for US A2P 10DLC requires that you first register an A2P brand. Twilio uses the information within a Trust Hub customer profile to register a brand for A2P messaging. This will go into determining messaging throughput and the types of campaigns your users will be able to register.

If you have already undergone A2P 10DLC registration for your company or your customer’s, then there’s a good chance you already have the Trust Hub customer profiles necessary to register for other trust products as well.

Verified Toll-Free Messaging

In order to send SMS/MMS from a US Toll-Free number, customers are required to verify their Toll-Free Numbers in the console or via API. Similar to A2P 10DLC brand registration, a Trust Hub customer profile is required to associate the basic information about a business with a specific Toll-Free number along with additional information  

Enhanced Voice Capabilities

Shaken/STIR

Signature-based Handling of Asserted Information using toKENs and Secure Telephone Identity Revisited ("SHAKEN/STIR" or "STIR/SHAKEN" for short) are two of the latest industry protocols for voice; these technologies aim to combat caller ID spoofing and verify the authenticity of voice calls placed to subscribers. To learn more, see: Trusted Calling with SHAKEN/STIR. Twilio can enable SHAKEN/STIR on Programmable Voice in customers' call flows, allowing them to place more trustworthy calls while improving answer rates.

Shaken/STIR implementation on Twilio Programmable Voice requires the creation of a trust product, which is based on the information contained within a Trust Hub Business Profile.  

Prevent Spam Labeling with Voice Integrity (Public Beta)

Have you ever received a phone call with an ominous “Spam” or “Scam Likely” label applied to it? This is because unwanted spam and robocalls have become much more prevalent in recent years, and carriers and handset makers are cracking down with features such as these to warn subscribers of potential spam calls. However, if legitimate businesses aren’t taking the necessary steps, their calls may be labeled as “Spam” or “Scam Likely” as well.

Twilio announced the Public Beta Availability of Twilio's Voice Integrity to Remediate Spam Labels, a feature that allows businesses to submit information about their company and use case to analytic vendors who monitor and apply spam labels to calls placed over carrier networks.

Once again, to enable this feature and increase the trustworthiness and consumer answer rate of outbound voice calls, customers will need to use an existing Trust Hub Business profile and create a Voice Integrity trust product.

Branded Calling (Public Beta)

Twilio recently announced Public Availability of Branded Calling, which allows customers to add a display name to outbound calls. This offers a unique branded call experience for businesses. Along with some of the aforementioned voice enhancements such as SHAKEN/STIR and Voice Integrity, Branded Calling will help to increase the reputation and trust of voice calls placed through Twilio Programmable Voice.

You guessed it – to create and enable a Branded Calling trust product, customers will need an approved primary or secondary customer profile within Trust Hub.

Complete your self service onboarding process with User Authentication and Identity

Self service onboarding is a great time and opportunity to implement some form of user verification. At Twilio, we think about this in terms of a broader category: User Authentication and Identity. To us, this means confirming the authenticity of user-provided contact information, reducing the friction to authenticate legitimate users, and preventing unwanted or bad actors from exploiting your account sign-up process.

Within User Authentication and Identity, Twilio has two primary product offerings: Lookup and Verify.  

Lookup API

Using the Lookup API, Twilio customers can submit user-provided data (such as a phone number) and receive an API response indicating whether it’s an SMS-capable mobile phone number or an incompatible landline. Verifying this type of information on the front end is very valuable if you want to ensure you can reach your customers with SMS account notifications or marketing campaigns. Better yet, it allows you to implement handlers on your sign-up forms which ask users to provide alternative values. For example, you can instruct a user to provide an SMS-capable number, or invalidate their submission of a landline or VOIP phone number if you so choose.

Additional payloads can be requested as well, such as Identity Match: this allows you to pass information about the user (e.g., Firstname Lastname) and in conjunction with a provided phone number, check data provided by authoritative sources (e.g., mobile carriers, government agencies) to help determine if a person is in fact the owner of that phone number.

Verify API

With Verify, Twilio customers can take advantage of a purpose-built user verification API to deliver One-Time Passwords over multiple channels such as SMS, WhatsApp, Email, and Voice. Verify offers built-in code delivery and validation logic without the need for a customer to host this infrastructure themselves.

In addition, users of Twilio Verify can customize various aspects of their OTP messages with adjustable timeouts and failover logic, as well as the option for custom message templates and codes.

Verify is built on top of Twilio’s Super Network and offers a shared-number pool, which reduces the overhead of number management. This eliminates guesswork for customers and ensures OTP messages are delivered over optimal routes and senders regardless of destination country.

Enhanced Capabilities: Fraud Guard and SNA.

When setting up a Verify service on your Twilio account, you will immediately have access to Verify Fraud Guard, a default feature that proactively detects SMS Pumping Fraud, preventing suspicious OTP (one-time-passcode) requests over SMS. This can be adjusted to basic, standard, and max levels of protection depending on your preference.  

Sign-up forms which collect mobile numbers for purposes of SMS OTP are often exploited by bad actors who supply fraudulent numbers and request OTP codes over and over to collect on any associated delivery fees. This is known as Toll Fraud, and it can cost companies a lot of money unless they take preventative measures. To learn more see: Twilio Verify Fraud Guard: 100% guaranteed protection against SMS Pumping Fraud and our Verify Fraud Guard documentation.
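As an application-side complement to the provider-level protection described above, the sketch below throttles OTP requests at the sign-up form before any SMS is requested. It is an added example, not code from this post and not how Verify Fraud Guard works; the class name, thresholds, block-prefix length, and sample numbers are all assumptions chosen for illustration.

```python
import time
from collections import defaultdict, deque


class OtpRequestGuard:
    """Sliding-window limits applied before an OTP SMS is requested."""

    def __init__(self, per_number=3, per_prefix=5, per_client=5,
                 window=600, prefix_len=10):
        self.limits = {"number": per_number, "prefix": per_prefix,
                       "client": per_client}
        self.window = window          # seconds
        self.prefix_len = prefix_len  # leading E.164 characters that define a block
        # (kind, key) -> timestamps of allowed sends. In-memory for the demo;
        # a deployed service would need a shared store with expiry.
        self.sent = defaultdict(deque)

    def check(self, phone, client_id, now=None):
        """Return (allowed, reason); the send is recorded only when allowed."""
        now = time.time() if now is None else now
        # Repeated requests can rotate through many numbers in one block, so a
        # per-number limit alone is not enough: also count by prefix and client.
        keys = [("number", phone),
                ("prefix", phone[:self.prefix_len]),
                ("client", client_id)]
        for kind, key in keys:
            q = self.sent[(kind, key)]
            while q and q[0] <= now - self.window:  # drop expired entries
                q.popleft()
            if len(q) >= self.limits[kind]:
                return False, f"{kind} limit reached"
        for k in keys:
            self.sent[k].append(now)
        return True, "ok"


def replay(guard, requests):
    """Run (timestamp, phone, client_id) tuples through the guard in order."""
    return [guard.check(phone, client, now=ts) for ts, phone, client in requests]


# Constructed traffic (fictional 555-01xx numbers): one user retrying, then
# requests that walk a sequential number block from different clients.
SAMPLE = [
    (0, "+12025550100", "web-1"), (10, "+12025550100", "web-1"),
    (20, "+12025550100", "web-1"), (30, "+12025550100", "web-1"),
    (40, "+12025550101", "web-2"), (41, "+12025550102", "web-3"),
    (42, "+12025550103", "web-4"), (700, "+12025550103", "web-4"),
]

if __name__ == "__main__":
    for req, verdict in zip(SAMPLE, replay(OtpRequestGuard(), SAMPLE)):
        print(req, verdict)
```

Blocked requests are not recorded, so a legitimate user who hits a limit is allowed again once the window expires, as the final sample request shows.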

Silent Network Authentication, or SNA, is an exciting new form of user authentication which can be implemented in the background of your application (read: silently) to verify a user is in possession of their provided phone number. Twilio works behind the scenes with carriers to confirm information about the end user, their device, and its network authentication. This happens in a way that is more secure than OTP over SMS, while also providing a frictionless user experience compared to traditional means of a user being asked to verify their phone or email address. Users do not need to input a code manually. To learn more see: What is Silent Network Authentication? and our Verify SNA documentation.  

Conclusion

As you’ve learned, there are several pieces of information to capture and submit to Twilio Trust Hub if you want to enable your customers with enhanced messaging and voice products.

Each business or brand you support will assemble its Business Profile within Trust Hub. That profile will be used as the foundation and starting point to register for a number of trusted communications channels, such as US A2P 10DLC, Verified Toll-Free messaging, and SHAKEN/STIR for voice, to name a few. And as we mentioned, we expect creating high-quality profiles in Trust Hub will help you with anticipated future KYC requirements.

Finally, we looked at ways to harden your self-service flow with User Authentication and Identity products such as Lookup and Verify.  

For more comprehensive information about Trust Hub, please see our Trust Hub Overview documentation as well as links to the products it supports.

Casey Runnells is a Senior Solutions Engineer at Twilio and is passionate about helping businesses grow and redefine their strategies around enhanced customer communication and data. You can reach Casey at crunnells [at] twilio.com