31 Jan 2024 | 7 min read | in Use cases

Cloud vs. On-Premises Identity Verification: Which Approach Is Right for You?

Ihar Kliashchou

Chief Technology Officer, Regula

In the ongoing debate over whether cloud or on-prem is better, both options have their advocates. Those in favor of Software as a Service (SaaS) argue that on-premises solutions are impractical for various reasons, while supporters of on-premises solutions highlight the control and security they offer.

The fact is, there are good and bad vendors on both sides. 

This article doesn’t favor one approach over the other because they suit different needs, each with its own challenges. Instead, it offers an unbiased overview of both options, helping you make an informed decision when implementing identity verification in your company.

Let’s dive right in.

What’s your business like?

Capital investment is a good analogy for this subject. Everyone follows the same rules, but how much risk you’re comfortable with varies. In the case of identity verification, the rulebook is made up of regulatory documents. However, how you use that rulebook depends on your business. Some can take more risks, while others have to play it safe, or are even obliged to stick to the most conservative strategies.

Let’s take a look at two extremes to make this clearer: Banking and Gambling & Betting.

One thing these two sectors have in common is that both risk their license if serious trouble arises. But there’s a world of difference between the consequences for companies from these two domains. Whereas a casino can land in another jurisdiction and get a new license, losing a license for a bank means it’s gone for good.

Also, these businesses work with assets in completely different ways. Casinos have more freedom in their business strategy, but banks have to stick to the rules set by the national bank of a given country. In particular, this means they are obliged to invest only in assets of a certain quality. In this case, the debate between cloud and on-prem doesn’t matter much. What’s crucial is the quality of the vendor.

High-end cloud identity verification: Pros & cons

For starters, let’s define the attributes of a high-quality cloud solution. This is essential because there are numerous providers on the market, but not all of them can deliver equally good results.

First, a top-tier solution should have a robust infrastructure with data centers in different regions, ensuring clients receive dedicated instances in their target locations. This not only guarantees quick response times but also aligns with data residency requirements for handling personal data.

Second, there must be sufficient security controls. By security controls, we mean a range of tools to mitigate all possible risks associated with data leakage and compromise, as well as comprehensive policies for a vendor’s actions in case of an emergency. For the worst-case scenario, a client should have a “red button”—i.e., the capability to instantly delete all existing personal data.

Total data erasure, of course, is an extreme measure. In practice, you’ll benefit more from the ability not only to delete your data but to take it with you, for example, when migrating to another service. Not every cloud provider is ready to provide such an option.

The world’s best-known standard for information security management systems is ISO 27001. If you are looking for cloud identity verification, we advise you to search for certified providers.

Third, the solution should provide a convenient user interface that clients can customize according to their needs.

Last but not least, there should be a professional support team which is available 24/7.

Advantages of cloud identity verification

→ Increased collaboration. Imagine that your end client faces an unknown issue, so you have to request help from your vendor. With SaaS, your vendor’s support team can peek into the system right away, spot the issue, and guide you through fixing it (of course, if they know what’s up and how to tackle it).

In this respect, it’s a benefit that a cloud provider has many other clients. If the provider fixes an issue for any of them, you get the solution automatically as well.

→ It helps you discover new presentation attack vectors early. This is a big one. Having access to large volumes of data, a cloud vendor can quickly spot emerging threats. They can rapidly release hotfixes or workarounds; i.e., provide you with a fast reaction time. This is where SaaS is hands-down the winner, provided that it’s a really top-performing SaaS.

Disadvantages of cloud identity verification

→ You need to mitigate higher security risks. The implications of the fact that a third party has access to your clients’ personal data are among the most serious things to consider when choosing a cloud solution. 

Which brings us back to the security controls we mentioned earlier. If they’re rock-solid and the solution is genuinely compliant, you’re in good hands. But if not, the consequences fall on you. Even if the vendor misled you, you can’t pass the blame to avoid punishment and damage to your reputation.

This means that, despite cloud solutions being positioned as the ones you can have up and running fast, you’ll have to spend time digging into the system and seeing how things work on the vendor’s side.

Also, leaks may happen even with the most reliable cloud solutions. That’s why the top-tier cloud IDV vendors should ideally have a robust insurance policy that covers the financial risks you might face if the worst-case scenario becomes a reality.

Last but not least, your metadata is also on the line. Metadata includes the details tied to your business operations, like the number of new customers, as well as their geography, age, etc. While not personal in itself, this is still private commercial information which is of huge value for any competitor. That’s yet another substantial business risk.

→ It gets expensive at scale. The price tag depends on the number of transactions. As you scale up, the price goes up too. Even though vendors charge less per single check at large volumes, the total amount can still be impressive. 

So if a business verifies, say, 1,000 new customers each month, SaaS is their go-to because on-prem is overkill in this case. However, when their monthly bill hits $5,000 or $10,000, it’s a different story. At that point, it becomes more cost-effective to invest in setting up an on-premises solution that will save them money in the long run.

💡 Hint: If you are a start-up or a small business, always ask for “pay as you go” with monthly billing. That will help you avoid big payments, but still, most SaaS vendors will ask you for an annual commitment.

High-end on-premises identity verification: Pros & cons

The attributes of a top-tier on-prem solution include robust technology, versatility, and the ability to adapt to the unique needs of each client. It's like wearing a custom-made suit tailored just for you. The solution adapts according to your existing workflows, policies, and preferences, so you don’t have to tinker with it.

Another important feature of a good on-prem vendor is the support of a wide range of technology platforms. For example, if it supports most modern databases, this is a huge benefit as the customer doesn’t have to build a process around a different type of database.

Advantages of on-prem identity verification

→ You have full control over the data. The major benefit of on-prem is that you don’t have to share sensitive data with any third parties. Since all operations happen within your perimeter, you maintain control over how the data is stored, secured, and managed, thus minimizing the risk of leaks.

If you are a large organization, chances are you’ve already set up top-notch security controls for your infrastructure. With on-prem, you don't have to repeat the whole drill, as your existing controls seamlessly keep you in compliance.

It goes without saying that on-prem solutions are often the only possible option for all sorts of public services, border controls, and even some private banks. When it comes to safeguarding crucial information at this level, on-premises identity verification isn’t just a choice—it’s often the only game in town.

→ You get a multi-use asset. When you obtain an on-prem technology, you can literally build your own in-house SaaS to cater to all the possible needs of your organization. That’s especially beneficial for large-scale businesses with a robust ecosystem of services and products. Once integrated, your on-prem solution can be stretched to cover all use cases without having to pay extra—from onboarding new clients to verifying every employee before they access confidential information.

→ It provides a higher ROI in the long run. While implementing an on-prem solution implies deployment and orchestration in your infrastructure, if you can bear the costs, the price tag is significantly lower than for SaaS. It's a long-term game, though. 

Think of on-prem as an investment that needs a bit of time to mature. From Regula’s experience, it usually takes about two years to see savings of 3-4x compared to a cloud solution of the same quality.

It’s important to note, however, that the above analysis considers only the things (integration, deployments, etc.) that are under the control of companies themselves. Lurking right around the corner are fraud risks and related financial and reputational losses, which can be avoided thanks to the proper solution. Regula found that identity fraud caused an average of $300,000 in damage to enterprises in 2022. Preventing just one such case results in top-tier on-prem paying off immediately.

Disadvantages of on-prem identity verification

→ It requires significant upfront costs. These expenses are surely higher than for cloud solutions. However, no one can say how much higher exactly, because these costs will be different for different companies. It depends on numerous factors, such as:

  • Customer-owned or cloud infrastructure

  • Depth of integration

  • Skills of the team

  • Hosting 

The last one, though, isn’t an issue for large companies as they usually have it up and running, so the cost will be shared with other in-house services. 

→ Deployment requires more tech-savvy staff. The more robust a technology is, the trickier it is to integrate. If it's done clumsily, you might not get the full value for the cost. As a result, the entry threshold and the employee skill requirements are usually higher than for SaaS that deliberately limits the number of methods (which can be both a pro and a con, depending on your case). 

However, if the team is serious about their mission and they’re willing to delve into the specifics of IDV, they acquire much more than just a technology. They build their own knowledge base and unique in-house expertise.

Good vendors, in their turn, should help with the task as much as possible: provide all necessary scripts and configurations for fast deployment. All instructions on how to get a sustainable system up and running should be clear and comprehensive.

💡 Hint: Never integrate any on-prem technology as-is—allocate some time and resources to integrate it wisely and get the most out of its benefits, which are quite often hidden in detailed documentation.

→ System updates may require more effort. Due to the specifics of on-prem, clients are responsible for their updates, meaning they’ll need to configure the update process themselves. This isn’t necessarily a burden but will require attention nonetheless.

On the other hand, this gives more control over the changes made and the overall state of the system.

How to choose the right approach

There’s one more important aspect that lies beyond the technical side of the matter. It’s the role IDV plays in your business. That’s the crucial factor you need to consider before deciding whether to “rent or buy.” 

Speaking of rental, let’s say there’s a boat rental business. IDV isn’t at the heart of what makes them money. On the contrary, it’s an expense item because it’ll require some resources to have this box checked. In situations like these, it just makes sense to outsource it as much as possible.

On the opposite end of the spectrum is when identity verification is an important part of the business that allows it to make money—or, at least, save it from losing huge sums on compliance fines. 

Take a global fintech company, for instance. They go big on on-prem IDV tech, deploying it across the board. It becomes an asset, a one-time investment that pays dividends everywhere—from snagging a new digital audience for B2C products and streamlining B2B processes to onboarding employees and improving fraud prevention efforts. For them, it's a smart investment that keeps on giving without extra costs.

The above point highlights a universal principle in business decision-making—ROI matters.

Whether it’s identity verification or any other aspect of business, companies naturally assess the correlation between investments and returns. When the link is clear and promising, businesses are willing to invest. If the connection isn’t apparent, the tendency is to seek compliance while minimizing costs.

To sum it up

| | Cloud identity verification | On-prem identity verification |
|---|---|---|
| Does your business already have a robust infrastructure and security controls? | No | Yes |
| What’s your risk tolerance toward personal data storage & processing? | From medium to high | From low to medium |
| What’s the volume of monthly transactions? | From small to medium | From medium to high |
| Pros | Increased collaboration; real-time cloud analytics; early detection of new attack vectors | Full control over data; higher ROI in the long run; a multi-use application; you can create your own SaaS |
| Cons | Higher security risks; the price soars at scale; dependency on the vendor's infrastructure regarding compliance and security controls | Significant upfront costs; integration requires more tech-savvy staff; updates require more effort |
