Trustopia Frictionless Authentication Processes Trust Systems Software

Trustopia Frictionless Authentication Processes

Trust Systems Software (UK) (t/a TRUSTOPIA) (Revision November 2019)

The Frictionless Authentication Process Option (“FAPO”) forms part of the Master Subscription Agreement or other written or electronic agreement between TRUSTOPIA and YOU (the Customer) for the purchase of online services (including associated TRUSTOPIA offline or mobile components) from TRUSTOPIA (identified either as “Services” or otherwise in the applicable agreement, and hereinafter defined as “Services”) (the “Agreement”) to reflect the parties’ agreement with regard to the Processing of Personal Data, in accordance with the requirements of applicable Data Protection Laws and Regulations.

By signing the Agreement, a Customer acknowledges the existence of FAPO on behalf of itself and, to the extent required under applicable Data Protection Laws and Regulations, in the name and on behalf of its Authorised Affiliates, if and to the extent TRUSTOPIA processes Personal Data for which such Authorised Affiliates qualify as the Controller.

For the purposes of this DPA only, and except where indicated otherwise, the term "Customer" shall include Customer and Authorised Affiliates. All capitalised terms not defined herein shall have the meaning set forth in the Agreement.

DIGITAL REALITY

The new economy provides each of us with more ways of transacting than ever before including in-person and person-not present transactions utilising web services, mobile devices and apps.

The evolving landscape of digital trust and the convergence of physical and digital identity is the singular focus of TRUSTOPIA’s process-as-a-service.

IDENTIFYING & MANAGING LEVELS OF RISK AND ASSURANCE

With digital trust, there is no one size fits all formula for identity verification solutions.

The first step is always for any business to identify the level of risk it is willing to accept. For example, a financial institution will undoubtedly have more security concerns than say…a bike-sharing app with a much lower security threshold and regulatory protocols.

Once a business defines what its level of acceptable risk is, it has already determined the levels of assurance for identity and other human attributes it requires.

AUTHENTICATION CONTINUUM

In today’s trust environment, when it comes to managing levels of risk and assurance; TRUSTOPIA addresses the need for an authentication continuum with its in-built frictionless Authenticate function which seamlessly automates simultaneous multi-factor with multi-source authentication processing.

Copyright 2019 TRUSTOPIA All rights reserved. Trustopia is a trading brand name of Trust Systems Software (UK), as are other names and marks. Other marks appearing herein may be trademarks of their respective owners. Page 1

Trustopia Frictionless Authentication Processes

When it comes to external data sources for verification: TRUSTOPIA is by design (and business model) agnostic in respect of the sources a client user organisation may choose to reference, not least because both the choice and indeed quantity of sources required for surety is more often than not a client preference in our experience. TRUSTOPIA is always ready to independently advise its client organisations on authentication options just as it is happy to digitally wire in any specific or required client reference source preference(s).

By contrast, TRUSTOPIA is unashamedly NOT agnostic when it comes to the inherent necessity for simultaneous multi-factor with multi-source authentication in any credible digital trust process.

TRUSTOPIA chooses to call its collective verification process - frictionless authentication – because having been configured on a process basis with or by a client directly; the authentication process is designed to run in real-time silently and automatically, in the background.

IDENTITY PROOFING

For TRUSTOPIA, identity proofing is the process that demonstrates with sufficient confidence that the user is who they claim they are, thereby helping to establish and maintain trust in the identity throughout a relationship.

Within TRUSTOPIA’s unique digital trust process-as-a-service - an industry first - multi-factor with multi-source authentication simply means that when it comes to identity proofing:

1. A user or candidate must by default successfully meet and pass at least 2 of 3 authentication categories (or all 3 if so required by a client’s standard) and

2. Each of those “passes” must be seamlessly corroborated (in respect of all captured claims, assertions and documentary evidence) by reference to independent validation via a unique combination of internal algorithmic cross checks and external reference data service check(s) including those relating to human footprints and ID documents.

TRUSTOPIA’s AUTHENTICATION LEVELS/CATEGORIES

For simplicity, TRUSTOPIA describes the 3 in-built authentication levels/category options available to its customers, subject to the customer choosing to subscribe to any/all of these options as available (and their related underlying frictionless authentication processes) as being focused on:

LEVEL 0 - Something The Data Subject Knows. LEVEL 1 - Something The Data Subject Has.

LEVEL 2 - Something The Data Subject Is.

Trustopia Frictionless Authentication Processes

1. LEVEL 0 - Something The Data Subject Knows (e.g. personal details captured incl: name, postcode, nationality, residency, history and responses to whatever array of personal attribute questions as might be required by clients).

There are an infinite array of credible national, global and industry reference verification sources available to corroborate or query any subject’s assertions against external reference information from electoral roll to fraud & death registers to political sanctions to global watch lists and credit referencing data.

TRUSTOPIA’s default baseline ID Process service reference searches in real-time against

Acuant Corp; Jade (a unique TRUSTOPIA UK Data set containing 34m unique education records); Equifax, GB Group, GDC, Veriphy and others, the combination of which ensure default identity reference checks that include:

Provides checking of a first and last name at an address against Mortality check the registered deceased person’s database. Database that provides authentication of name and address; Electoral Roll including 5 year history and some date of birth coverage. Credit Header Identity Provides authentication of name, address and date of birth Data against Credit Header information. Provides authentication of name, address and date of birth Anti-Money Laundering against AML Register This provides the ability to return how many credit agreements Credit Header Enhanced are active for an individual in country. Provides authentication against electricity supply number and Electricity Bill address information from details on an electricity bill. Passport Machine Readable Zone (MRZ) Algorithm check. UK Passport MRZ Check Provides authentication of passport MRZ number against date of birth, date of expiry and gender (UK Passports only). UK Driving Licence Provides authentication of UK driver’s license number against first Number Check initial, middle initial(s), surname, date of birth and gender. Provides authentication against the first, last name, date of birth Births Index Check registration and mother’s maiden name for individuals born in England and Wales between 1984 and 2003 inclusive. Provides a set of fraud flag warnings against name and address of individuals who have moved house and registered on the NCOA Alert – Flag national change of address database (provides flags for Current, Expired, Cancelled and Pending redirects) International Passport Machine Readable Zone (MRZ) Algorithm International Passport check. Provides authentication of passport MRZ number against Check date of birth, date of expiry, country of origin and gender. Provides authentication against multiple Sanctions and Enhanced Sanctions and Enforcement lists across the globe (lists are selectable at profile Enforcements level)

Trustopia Frictionless Authentication Processes

Provides authentication against Politically Exposed Persons lists Enhanced PEP from across the globe (contains known associates and known Intelligence alias details) Enhanced UK Driving Provides authentication of driver’s license number (including Part Licence Check 4), name, date of birth and gender details. National Insurance Provides a format check of the National Insurance Number Number Check Verification of computer’s location anywhere in the world. IP Address Validation Enables businesses to verify that the potential customer is residing in country of listed citizenship Mobile Phone Validation Verification of status for mobile numbers around the world. This check enables you to tie a Bank Sort Code to a Bank Bank Account Validation Account Number and reduce the risk of fraudulent bank account details being entered. Ties the bank account number and sort code to the individual and Bank Account Verification the address that they have supplied. 40m Individuals – Unique File of non-credit financial consented National Register transactions. This verifies first, last name, date of birth, address and phone numbers against UK National Identity Register. UK Card Verification Verifies Credit & Debit card details issued from all major card Check providers in the UK. Provides an algorithmic check against national identity cards and National ID Card any other international machine readable travel document that conforms to the ICAO ID1 Card format. Provides ability to search for full UK address details from partial UK Address Lookup address data (usually postcode is provided) Authenticates images of identity documents and uniquely Document Image triangulates extracted data by comparing it with multiple Validation proprietary sources of data (passports, driving licences, ID cards and visas) Global Watch lists Provides authentication against multiple Global Watch Lists (lists are selectable at profile level) HM Treasury Provides authentication against UK HM Treasury

The Office of Foreign Provides authentication against OFAC Assets Control Directors Register(s) Provides authentication against Directors Registers Provides authentication against International Telephone Telephone Directories Directories

By definition and design, a client’s needs determine what is captured, what is corroborated and the levels of certainty required and provided by this authentication factor. TRUSTOPIA’s service ability to enable a client request ‘what they know’ and choose what and where to authenticate it to a preferred level of certainty is industry unique.

Trustopia Frictionless Authentication Processes

2. LEVEL 1 - Something The Data Subject Has (i.e. supporting ID Docs or Credentials)

There are various strengths of ID scanning solutions out there today; some simply scan the ID’s barcode while more robust software performs forensic and biometric tests to ensure that an ID is not forged. Identity documents, such as driver’s licenses and passports, are typically scanned either on premise or remotely with mobile devices to test various elements of an ID.

For example, shining a UV light on a hologram may prove that the ID passes this test, while a simple scan of a barcode may show that the card appears to have valid data.

In choosing the right solution, businesses seeking to authenticate identity documents should look for multiple tests depending on the use case and level of risk associated with the transaction. The stronger the tests, the easier it is to approve (or deny) transactions!

AUTHENTICATE (See Appendix A)

TRUSTOPIA’s Authenticate performs a number of frictionless authentication tests on a document to determine its authenticity.

TRUSTOPIA’s proprietary document capture and verify technology achieves this by seamlessly extracting biometric and alphanumeric data contained in any identity document to authenticate it by applying 50+ real-time forensic document-specific tests (see Appendix A) utilising the world’s largest identification document reference library (supplied by Acuant Corp) which supports 200+ countries (See Appendix B) and 3600+ document types while simultaneously checking both the document and its data in real-time by API against global watch lists that include Interpol, Office of Foreign Assets Control (OFAC) and Politically Exposed Persons (PEP) to provide the utmost security.

Each document type undergoes a defined set of individual authentication tests that is relevant for that particular document type only. The set of authentication tests performed on one type of document will not be the same as the set of tests performed on another type, although many of the same tests are used.

The number and types of real-time authentication tests will vary for a particular document, but a typical document will be subjected to 10–50 individual authentication tests. For example, one test may confirm the presence of security features and/or patterns on the document under one or more light sources, and another may compare the data from different sources on the document (such as MRZ and e-Passport chip). Another test may validate the document response under different light sources (such as UV and IR).

For a full list of TRUSTOPIA’s proprietary document specific checks – see Appendix A.

Trustopia Frictionless Authentication Processes

IDENTIFICATION DOCUMENT REFERENCE LIBRARY (See Document Types By Region/Country Supported by Trustopia Assurance Forensics v.18)

A robust document library to compare captured IDs against is vital. A comprehensive and regularly updated library cuts down the time that machines must process data on their own, and maximises data extraction and authentication capabilities.

Semi-supervised Machine Learning enables adjustment of the direction of the logic without interfering with the insights that authenticate documents or slowing down data processing.

TRUSTOPIA’s document reference library supports 3600+ international document types including driver's licenses, national IDs, military IDs, voter cards, resident cards, visas, passports, border crossing cards, medical & auto insurance cards, credit cards and more.

ADDITIONAL DOCUMENT ASSURANCE LEVEL OPTIONS

TRUSTOPIA CHIP performs a comprehensive series of authentication tests including:

 Basic Access Control (BAC) to cryptographically access the document chip contents;  Active Authentication to confirm the authenticity of the chip (and that it has not been cloned);  Data Group Hash Authentication to confirm that data group files have not been modified; and  Document Signer Authentication to confirm the authenticity of the Data Group hashes.

TRUSTOPIA CHIP technology is designed to provide the ability to read data and verify the authenticity of e-chips present in IDs and Passports on both mobile and desktop devices, if required.

TRUSTOPIA DX Service allows you to mitigate fraud in high risk environments by employing an escalated manual review of the document in question conducted by a verified credential expert.

The expert is assisted by patented document authentication technology to analyse anomalies that automated document authentication and facial review processes identify, including damaged identity documents and poor image quality when applicable.

A TRUSTOPIA expert will make and report a judgement for exceptions (pass, fail, unable to decide) based on the data provided.

AUTHENTICATION RESULTS

The failure of a single authentication test will not necessarily result in overall document authentication failure. Rather than a simple pass/fail result, each test is evaluated for proximity to an expected result. This value is then used to calculate the authentication result of the test itself that indicates whether this particular test passed or failed.

Trustopia Frictionless Authentication Processes

By performing more authentication tests, the sensitivity of the individual tests can be reduced, which will result in fewer false rejects (authentic documents being flagged as suspect). In most cases, fraudulent documents will tend to fail a number of authentication tests.

There are several variables that are more likely to cause a document to fail:

▪ Image capture quality (for example blurriness or reflection) ▪ Personalisation of the document (such as especially long names) ▪ Variations in manufacturing techniques (for example card printed on wrong side or slight variations in printing location) ▪ Wear and aging of the document (a worn or dirty card can cause failure) ▪ Tampering and counterfeiting (unlawful changes or reproduction of documents)

EVALUATING AUTHENTICATION RESULTS

These are the possible results that may be returned from an individual authentication test:

RESULT DESCRIPTION

Pass Trustopia’s document authentication tests confirm this is an acceptable document. You do not need to investigate further.

Fail One or more of Trustopia’s document authentication tests have failed and this document has therefore failed the authentication process. Further investigation should be conducted either by manual inspection or by using other means to authenticate the document.

Unknown The document type could not be determined; therefore, it cannot be authenticated by Trustopia. This result may occur when a document is inserted incorrectly, overly skewed, badly cropped, moved during the image capture process or less commonly, when a new type of document is captured that is not yet supported by the Trustopia document library. This result does not indicate that the document is fraudulent, however further investigation should be conducted either by manual inspection or by using other means to authenticate the document.

Caution A borderline individual document forensic test result has been identified that is between a Pass and a Fail indicating that a Trustopia document authentication test finding is not ideal. While this may not necessarily be a strong indicator of any problem with the document: further investigation should be conducted

Trustopia Frictionless Authentication Processes

either by manual inspection or by using other means to satisfy yourself as to the document’s authenticity.

Attention The document has passed the Trustopia document authentication process. There is, however, something of note that you should be aware of. Most commonly this result is returned when an expired document is encountered in which case the document may be authentic but has expired. You should closely review the tests that were attributed to the result in this instance.

No Check No Forensic checks have been performed on this document. You should closely review the document to satisfy yourself as to its content and authenticity.

ATTENTION RESULT EXPLAINED

If a document passes with Attention for the document result, clients should always review the tests that were attributed to the result.

For example, an Attention can occur if a document has expired. Depending on your business rules, this may be very important (such as in the case of passport validity).

An Attention can also occur if the back side of the document could not be classified, for example, possibly indicating that someone has falsified the document.

If you have a document that has failed some individual authentication tests, the authentication sensitivity can be modified and tests rerun to see what overall result changes occur.

WORN OR DAMAGED DOCUMENTS

Automatically passing worn or damaged IDs that otherwise would be marked as bad is a key technology that minimises friction for both the business and customer. Ultimately more good transactions are approved. If a good customer is unable to make a high value purchase is denied credit or a loan, or is unable to gain access (physical or digital), or a good prospective hire cannot be hired, everyone loses and there is little benefit to automation. It is instances such as this where semi-supervised machine learning benefits are evident.

Trustopia Frictionless Authentication Processes

FRAUDULENT DOCUMENTS

There are a number of reasons a document might be suspected as being potentially fraudulent. The procedures and technology we utilise at Trustopia to identify fraudulent documents includes:

1. Checksum Warning Flags

Trustopia’s MRZ reader assesses the validity of documents with a Machine Readable Zone, such as a Passport or a National Identity Card.

A Machine Readable Zone or ‘MRZ’ is one, two, or three lines of code unique to the holder of the identity document. This code contains the holder’s name, date of birth, their document number and other relevant information.

Trustopia’s software can scan an MRZ code to identify a document’s holder, as well as assess its validity and detect tampering.

Below is an annotation showing how the MRZ matches with the constituent parts of the identity document.

Within these documents, MRZ codes are computer-generated numbers called ‘checksums,’ which correspond with the holders’ unique information (annotated with arrows below).

Trustopia Frictionless Authentication Processes

If a document has been tampered with, or the MRZ has been recreated altogether, these checksums will be faulty and detected by the Trustopia engine. This is the surest indicator of a fraudulent document.

If a document has incorrect checksums, these will be indicated to you through warning flags on the ‘data validation’ section, as seen in the example below;

2. Document Consistency

Another way to detect document fraudulence is to compare the information in the MRZ to the information in the rest of the document. The information between corresponding areas of the document should be exactly the same; the document is potentially fraudulent if they are not.

This will be indicated through the ‘data consistency’ section, with warning flags next to the inconsistent information.

Note differences in DOB in personalisation section and MRZ.

3. Fonts and Security Features

Identity document fonts are designed to be difficult to replicate for security purposes. Factories that produce fraudulent documents often use basic, ‘pc-style’ fonts that can easily be detected as they differ from secure fonts. a) Note differences in fraudulent UK Driving Licence (top) and genuine UK Driving Licence (bottom), in particular, the small dots in the digit 0.

Trustopia Frictionless Authentication Processes

b) Differences in the font in genuine French Passport (right) and fraudulent document (left). The genuine document has a much more sophisticated font with a complex background.

Counterfeit documents also fail to properly replicate key security features such as holograms, laser-engraved printing or watermarks. You can see below for examples of differences in security features: a) UK Driving Licences have the surname (1) laser engraved onto the document (right).

Note the difference between the genuine document and the fraudulent document (left), where the surname is bold as opposed to laser engraved - an imitation of the security feature.

b) Note the differences in a genuine Italian passport photo and its holograms (right) and a fraudulent document. The holograms over the fraudulent document say ‘genuine’, a common hologram in counterfeit documents.

Trustopia Frictionless Authentication Processes

For these reasons, it’s very important that good quality images are provided. It allows us to see as many of these security features as clearly as possible, and to make an assessment based on the genuine article. Often, fraudsters will submit poor quality documents in an attempt to complicate the fraud-detection process.

4. Digital and Physical Tampering

Counterfeit documents, i.e. complete imitations of genuine documents, are not the only types of fraudulent documents we receive.

More difficult to detect are signs of digital or physical tampering, whereby a fraudster has taken a genuine document and changed only certain elements.

Above are three examples of digitally manipulated documents where the digit ‘7’ has been altered so that the document expiry date is extended. Note the difference in font and the way the background is matted and interrupted. This is a clear sign of tampering.

Again, these examples should demonstrate why good quality images are needed in order to make an assessment of whether documents are genuine. It is much easier deceive when submitting a poor quality image, where the differences in lettering may be put down to low resolution.

Trustopia Frictionless Authentication Processes

3. LEVEL 2 - Something The Data Subject Is (Including Biometrics: Fingerprint, Facial Recognition and/or Voice etc)

CONSUMERS ARE QUICKLY ADOPTING BIOMETRICS

While it is certainly the case that when biometric technologies first rolled out, consumers were apprehensive and sometimes refused to use them; this apprehension towards biometrics is being steadily broken down through consumerisation. Technologies that were previously used only for official purposes are now embedded and available on the market for consumers to buy.

For example, while the use and collection of fingerprints is often correlated with law enforcement, Apple now allows users to unlock their devices through their fingerprints, which has helped break down the apprehension of using biometrics for everyday use.

The use of selfies in general has allowed people to use photos in a variety of ways, and Facebook and Instagram have capitalised on that by using facial recognition.

Because the biometric technologies that consumers once rejected have become the norm for many consumers - paving the way for much tighter security processes – TRUSTOPIA is seeking to be ahead of the curve with its integration of biometrics within its digital trust solutions.

BIOMETRIC VERIFICATION

Biometric identity verification methods implement a biometric measure, such as facial or voice recognition, to strengthen the identity proofing process. Biometric verification is a more passive experience for consumers.

Biometric applications can be used in any industry for initial or recurring transactions to match a person to their ID on file or to confirm with liveness detection and image spoofing tests that a real person that matches the ID on file is trying to access information, service or location.

FACIAL RECOGNITION

TRUSTOPIA Facial Recognition is as easy as taking a selfie and comparing it to extracted biometric data contained in an issued ID.

Results are given in seconds reducing fraud by matching the face biometrics of a selfie to the face image on the ID and authenticating they match.

Facial recognition match technology makes it easier and more user-friendly to verify identities and integrate with existing apps or systems. It utilises Deep Learning to learn to match the image on the ID to a person’s face. When the selfie is processed, the algorithm looks for certain patterns such as basic shapes (eyes, mouth, nose) and complex shapes (complete faces and distinctive shapes), and finally returns an output that indicates whether the image matches the IDs face or not.

Trustopia Frictionless Authentication Processes

Just doing facial recognition by itself isn’t sufficient most of the time. Tying facial with identity, document authentication, other attributes and biometrics builds a stronger authentication continuum that leads to a greater level of certainty.

With biometric technology continuously evolving and the increasing sophistication of hackers and identity thieves, the future of identity verification may more closely resemble science fiction than our current reality!

LIVENESS DETECTION

TRUSTOPIA Liveness Detection is designed to prevent fraudsters from using static images. This ensures that not only does the face match but there is indeed a live person in front of the camera.

Both TRUSTOPIA FR and LD allow for the option of using a local camera for desktop environments.

GEO-LOCATION

TRUSTOPIA’s additional security features include geo-location services so you know where the person is scanning an ID from to flag suspicious behaviour, and the ability to check against established (or custom) watch lists such as Interpol and OFAC.

FRICTIONLESS AUTHENTICATION CLIENT USE CASES

Client use cases include:

 Identity Verification  Age Verification  Visitor Verification  Authentication to Identify Fraudulent ID’s  Card/Person-Not-Present Transactions  Highest Level Security Checks/Watch Lists  Mobile & Sharing Economy Apps  Customer & Employee On-boarding

FRICTIONLESS AUTHENTICATION SOLUTION DEPLOYMENT

Beyond easy integration, TRUSTOPIA provides multiple deployment options to match any client organisation’s specific needs, operating environments and use cases; allowing clients to deliver iOS, Android and Windows based applications using existing skills and teams with TRUSTOPIA’s configurable cloud service.

Trustopia Frictionless Authentication Processes

Appendix A

TRUSTOPIA Proprietary Document-Specific Check Parameters include*:

Colour Check - Checked the document layout and verified against reference images. Composite Check Digit TESTED - that the ID Number check digit is correct. Date of Birth Index Check Digit TESTED - that the Date of Birth Index is valid. Date of Birth Index Crosscheck - the machine-readable Date of Birth Index field against the data read through OCR in the photographic Date of Birth region Date of Birth Index Valid TESTED - that the composite check digit is correct. Document Classification TESTED - the presence of a pattern on the near-infrared image. Document Crosscheck Aggregation - Compared the machine-readable fields to the human- readable fields. Document Expired TEST - Expired Document Test Expiry Date Check Digit TESTED - that the issue date is valid. Expiry Date Crosscheck TEST - the Machine Readable Zone Expiry date field to the data read through OCR in the photographic Expiry date field. Expiry Date Valid TESTED - that the issuing country, county, state, region is valid. Family Name Crosscheck TEST - the Machine Readable Zone Family Name field to the data read through OCR in the photographic Family Name field. FOG Check - Checked the identity against the global fraudulently obtained genuine document checker. Format Check - Verified different regions data is represented using the correct format. Gender Crosscheck TEST - the Machine Readable Zone surname field to the data read through OCR in the photographic surname field. ID Number Check Digit TESTED - that the Expiry date is valid. ID Number Crosscheck TEST - the machine-readable ID Number field to the data read through OCR in the photographic ID Number field. Issue Date Valid TESTED - that the personal number check digit is correct. Issuing State Valid TESTED - that the type of document is supported and is able to be fully authenticated or classified for OCR Machine Readable Zone Crosscheck - Compare the machine-readable Machine Readable Zone field to the data read through OCR in the photographic Machine Readable Zone field. Nationality Code Crosscheck TEST - the Machine Readable Zone personal number field to the data read through OCR in the photographic personal number field. Optically Variable Ink Pattern TESTED - the presence of an optically variable ink pattern on the document. OVD (Optically Variable Devices) Check - Detected existence of any optically variable device on the document and the assessed light reflection. OVD (Optically Variable Devices) Check - checked authenticity of any state seals & holograms present. Personal Number Check Digit TESTED - the presence of a pattern on the document overlay. Segmentations Check - Checked the document different regions are located in the correct position on the document. Surname Crosscheck TESTED - the digital signature of the data group against the signer certificate. Template Check - Checked the document layout and verified against reference images. Gender Crosscheck - the genders match. Geometry TEST - between features on a document. Photo Substitution TEST OCR and Barcodes Comparison Check Facial Recognition Test - comparison of selfie to extracted biometric data contained in an issued ID

Trustopia Frictionless Authentication Processes

Liveness Test - confirmation a live person is providing the selfie Basic Access Control - Verified that secure communication with the contactless chip in the document was established. Biometric RFID chip Content TEST - Content of Biometric RFID Chip containing bio-data Biometric RFID chip Presence TEST - Biometric RFID Chip containing bio-data is available Biometric RFID chip Read TESTED - that the Expiry date check digit is correct. Active Authentication TEST - confirmed the authenticity of the chip (and that it has not been cloned) Data Group Hash Authentication - Confirmation that data group files have not been modified. Document Signer Authentication - confirmation of the authenticity of the Data Group hashes. Infrared Check - Tested screen vision infrared oblique image. Near-Infrared Pattern TESTED - the presence of a pattern on the Visible image. Near-Infrared Response - Verified the response of an element on the near-infrared image. Visible Pattern TESTED - the response of an element on the near-infrared image. Confirmation of B900 Ink Patterns Test - under near-infrared lighting Overlay Pattern TESTED - the presence of a pattern on the ultraviolet image. Ultraviolet Check - Performed generic checks against the ultraviolet image and detected type of paper used accordingly. Ultraviolet Material Response TESTED - the response of the document material to ultraviolet light. Ultraviolet Pattern TESTED - the response of an element on the document overlay. Microprint Text & Security Thread Check - Confirmation of genuine Microprint Text & Security Threads Special Paper & Ink Check - validation of special paper and ink use

*Forensic checks carried out will differ dependent on 1. Capture/Service Medium Used – Mobile or Scanner 2. Security Features of the Document Type 3. Image Light Captures – White, Ultraviolet, Infra-red

Trustopia Frictionless Authentication Processes

Appendix B

TRUSTOPIA Document-Specific International Coverage includes:

Africa

Algeria Egypt Macedonia Somalia

Angola Eritrea Madagascar South Africa

Benin Ethiopia Malawi South Sudan

Botswana Gabon Mali Sudan

Burkina Faso Gambia Mauritius Swaziland

Burundi Ghana Morocco Togo

Cameroon Guinea Mozambique Tunisia

Cape Verde Guinea-Bissau Namibia Uganda

Chad Ivory Coast Niger Zambia

Comoros Kenya Nigeria Zimbabwe

Cote D’Ivoire Lesotho Rwanda

Congo Liberia Senegal

Djibouti Libya Sierra Leone

Trustopia Frictionless Authentication Processes

Asia

Afghanistan Indonesia Malaysia South Korea

Armenia Iran Maldives Sri Lanka

Azerbaijan Iraq Mongolia Syrian Arab Republic

Bahrain Israel Myanmar Taiwan

Bangladesh Japan Nepal Tajikistan

Bhutan Jordan Oman Thailand

Brunei Kazakhstan Pakistan Turkmenistan

Cambodia Kuwait Palestine United Arab Emirates

China Kyrgyzstan Philippines Uzbekistan

North Korea Lao Qatar Vietnam

Hong Kong Lebanon Saudi Arabia Yemen

India Macao Singapore

Australia

Australia Guam Northern Mariana Solomon Islands

American Samoa Micronesia Palau Tonga

Fiji New Zealand Papa New Guinea Tuvalu

Trustopia Frictionless Authentication Processes

Central & South America & the Caribbean Islands

Aruba Costa Rica Honduras Saint Lucia

Argentina Cuba Jamaica St Maarten

Bahamas Curaçao Marshall Islands St Christopher Nevis

Barbados Dominica Mexico Suriname

Belize Dominican Republic Netherlands Antilles Trinidad

Bermuda Ecuador Nicaragua Turks and Caicos

Bolivia El Salvador Panama Uruguay

Brazil Grenada Paraguay Venezuela

Cayman Islands Guatemala Peru Virgin Islands (US)

Chile Guyana Puerto Rico

Colombia Haiti Saint Kitts and Nevis

Trustopia Frictionless Authentication Processes

Europe

Austria Finland Italy Romania

Albania France Kosovo Russia

Andorra Georgia Latvia San Marino

Belarus Germany Liechtenstein Serbia

Belgium Greece Lithuania Slovakia

Bosnia Guernsey Luxembourg Slovenia

Bulgaria Holland Malta Spain

Croatia Holy See State Moldova Sweden

Cyprus Hungary Monaco Switzerland

Czech Republic Iceland Montenegro Turkey

Denmark Ireland Poland Ukraine

Estonia Isle of Man Portugal United Kingdom

North America

Canada Nunavut United States

Manitoba Prince Edward Island

Trustopia Frictionless Authentication Processes

Appendix C

TRUSTOPIA Default Authentication Enumeration Policy

1. Overall Authentication Sensitivity Level Trustopia’s ID document forensic authentication provides for a range of levels of sensitivity when determining the authentication result for an ID document transaction as follows: (Trustopia default settings are indicated where appropriate)

Normal – (Trustopia Default) authentication sensitivity level which provides the optimal balance between fraudulent document detection and genuine document rejection rates. Low – Provides a lower fraudulent document detection rate, while possibly resulting in lower genuine document rejection rates. This is not recommend for use in applications where fraudulent document detection is critical. High – provides a higher fraudulent document detection rate, while possibly resulting in a higher genuine rejection rate. This is recommended for use in high-security applications.

2. Forensic Rating Labels Explained Unknown = 0, Passed = 1, Failed = 2, Skipped = 3, Caution = 4, Attention = 5 Trustopia uses labels not the numbers

3. Chip Authentication Result (Android Only) Not Performed = 0, Passed = 1, Failed = 2 Trustopia uses labels not the numbers

4. Chip Authentication/Type (Android Only) Active Authentication = 0, Basic Access Control = 1, Chip Authentication = 2, Passive Authentication = 3, Supplemental Access Control = 4, Terminal Authentication = 5 Trustopia uses labels not the numbers

5. Cropping Classification Mode Automatic = 0, Manual = 1 Trustopia uses Automatic = 0

6. Cropping Expected Size None = 0, ID1 = 1, ID2 = 2, ID3 = 3 Trustopia uses 1, 2 and 3 for ID1, ID2 & ID3 respectively.

7. Cropping Mode None = 0, Automatic = 1, Interactive = 2, Always = 3 Trustopia uses Automatic = 1

8. Document Class Unknown = 0, Passport = 1, Visa = 2, Driver’s License = 3, Identification Card = 4, Permit = 5, Currency = 6, Residence Document = 7, Travel Document = 8, Birth Certificate = 9, Vehicle Registration = 10, Other = 11, Weapon License = 12, Tribal Identification = 13, Voter Identification = 14 Trustopia uses labels not the numbers

Trustopia Frictionless Authentication Processes

9. Document Data Source None = 0, Barcode1D = 1, Barcode2D = 2, Contactless Chip = 3, Machine Readable Zone = 4, Magnetic Stripe = 5, Visual Inspection Zone = 6, Other = 7 Trustopia uses labels not the numbers

10. Document Data Type

Barcode2D = 0, Machine Readable Zone = 1, Magnetic Stripe = 2 Trustopia uses labels not the numbers

11. Document Element Unknown = 0, None = 1, Photo = 2, Data = 3, Substrate = 4, Overlay = 5 Trustopia uses labels not the numbers

12. Document Process Mode Default = 0, Capture Data = 1, Authenticate = 2, Barcode = 3 Trustopia uses labels not the numbers

13. Document Side Front = 0, Back = 1 Trustopia uses labels not the numbers

14. Document Size Unknown = 0, ID1 = 1, ID2 = 2, ID3 = 3, Letter = 4, Check Currency = 5, Custom = 6 Trustopia uses labels not the numbers

15 Light Source White = 0, Near Infrared = 1, Ultraviolet A = 2, Coaxial White = 3, Coaxial Near Infrared = 4 Trustopia uses labels not the numbers

16. Document Status None = 0, Classified = 1, Complete = 2, Error = 3 Trustopia uses labels not the numbers

17. Gender Type Unspecified = 0, Male = 1, Female = 2, Unknown = 3 Trustopia uses labels not the numbers

18. Sensor Type Unknown = 0, Camera = 1, Scanner = 2, Mobile = 3 Trustopia uses labels not the numbers