Today’s financial technology startups (“fintech” for short) are taking on some of today’s greatest security challenges. Armed with drive and a need for innovation, these companies have created new services and security approaches that are changing the financial industry. Here’s how three such companies are competing based on security.
Know your client
Proving personal identity is a key component of security for the financial industry. Most major financial institutions require customers to open accounts in person, present government-issued identity documents and wait hours or days to open an account. But customers today expect faster services — including the account opening process.

Founded in 2010, Vancouver, British Columbia-based Trulioo, whose customer base includes well-known technology firms such as eBay, Kickstarter, Square and PayPal, has pioneered a new approach to verifying identity. While financial institutions typically rely on a small handful of identity documents, Trulioo uses a wider variety of data sources to verify identity, including property files, utility data, credit histories, watch lists, national health numbers and direct marketing data. This allows the company to issue a “verified” or “not verified” rating in seconds.
“The core information we verify are name, address, ID number and date of birth (i.e., DOB) – attributes which are core to KYC [know your client] compliance – but also extend to phone and email,” says Trulioo CEO Jon Jones.
“We customize the data sources for each client’s situation: in some cases, a data source may require an ID number to be provided to access but the client may not capture that information so the source is not applicable, in other cases they may want a strict multi-source rule configured which means we need to incorporate several vendors, in other cases they may require a single-source rule where we can configure a waterfall approach to roll from data source to data source to minimize cost.”
“The growing demand for KYC and compliance expectations mean it is important to have a high degree of confidence regarding customer identity,” Jones says. “The next frontier for us is to make greater use of nontraditional data sets to verify identity such as customer payment records.”
Password reuse (the good kind)
“Authentication is a burden to the user,” says Andre Boysen, chief identity officer at Toronto-based identity and authentication provider SecureKey Technologies. “An early insight for us was to segment password management into a spectrum. On one end, you have high velocity passwords like online banking that are used daily or weekly. At the other end of the spectrum, there are low velocity passwords such as online tax services that are used annually,” Boysen says. For example, each year, millions of people go to the Canada Revenue Agency (CRA) website to check on income tax returns, so access is important. Yet, the vast majority of users only access their accounts during income tax season.
SecureKey’s solution lets CRA users sign in with their bank user ID. “In contrast to many online services and accounts, bank account IDs are verified through an in-person inspection of identity documents and other means.
That’s why it makes sense to use these IDs in other situations such as accessing online government services,” Boysen says.
Passing demanding government requirements for security is part of the SecureKey approach. “We go through Government of Canada audits twice per year and continue to be used by the government,” explained Dmitry Barinov, CTO at SecureKey Technologies. “We also use protocols such as Security Assertion Markup Language (SAML) and OpenID Connect in our products to enhance security,” Barinov said.
Protecting payments
Delivering payment services, especially across borders, remains an expensive and slow process. “At present, most banks do not have the infrastructure to support instant payments,” says David Schwartz, chief cryptographer at Ripple. Founded in 2012 and headquartered in San Francisco, Ripple seeks to deliver instant, certain, low-cost international payments. Ripple’s customer base includes Germany’s Fidor Bank AG and Earthport, a payment service provider.
“Many attacks on payment systems today focus on breaking into the system and entering false payment items,” says Schwartz. “Our approach is to provide cryptographic proof for each payment. This approach means that users can track payment status and misuse is much more difficult,” Schwartz says.
“Every account on the Ripple consensus ledger has up to three public keys associated with it. First, there is a master public key that proves ownership of the account. Second, we have a regular public key that can sign normal transactions. Finally, the third key is a message key that's used to attach messages to transactions that only the account can read. Typical transactions have to be signed by either the regular key or the master key,” says David Patterson, director of corporate communications at Ripple.
“Digital signatures can use either ECDSA SECp256K1 or Ed25519 and Schnorr signatures,” he adds.
Ripple is also reviewing ways to reduce its security management burden by adjusting information gathering processes. “One interesting recommendation that we got from a third party audit was to reduce the amount of information we log. There's a tendency to log everything in case you need it, often with the idea that you can turn the auditing down later if it turns out not to be needed. A glut of data can reduce the amount of history you can keep, discourage analysis of the data and hurt performance,” Patterson says.