Self Verification: Building a Cross-Country Security Layer

Industry

Digital Banking

Client

Nubank

Focus Area

Platform Design

Timeline

2023

1. Overview

For years, phone authentication at Nubank relied heavily on manual questioning by agents. Customers were asked to confirm personal information while already stressed, frustrated, or dealing with urgent financial issues.

The process was slow, inconsistent, and increasingly vulnerable to fraud and social engineering. As call volumes grew across Latin America, manual verification became one of the most fragile parts of the support operation.

This case describes how we designed Self Verification: a secure, app-based identity layer that shifted authentication from human interrogation to digital confirmation, enabling scalable, multi-country verification infrastructure.

How do we move identity verification from fragile human processes to secure digital infrastructure across countries?

2. Strategic Context

As call volumes grew across Latin America, manual verification became one of the most fragile operational components. It generated:

  • High exposure of sensitive data

  • Long handling times (40–90s)

  • Inconsistent security standards

  • High training costs

  • Fraud vulnerability

Meanwhile, the Nubank app already supported secure authentication. The strategic opportunity was to extend this trust infrastructure to the phone channel.

3. Role & Scope

My central responsibility was ensuring that security improvements translated into usable, trustworthy experiences. Responsibilities:

  • Designing cross-channel authentication journeys

  • Defining interaction patterns between phone and app

  • Structuring experimentation frameworks

  • Coordinating with Fraud, Risk, Legal, and Engineering

  • Adapting flows for Brazil, Mexico, and Colombia

  • Establishing success and guardrail metrics


4. Design Workflow

  1. Designing the digital verification layer

    We designed Self Verification around a simple principle: let customers confirm identity in an environment they already trusted — the Nubank app. Core flow:

    • Customer calls support

    • Identifies via IVR

    • Receives a secure push notification

    • Authenticates in-app

    • Confirms or denies the call

    • Returns to the conversation

    This transformed verification into a lightweight, familiar action.


  2. Making verification operationally viable

    For digital verification to create real impact, it had to integrate deeply with agent workflows. We redesigned internal tools so agents could:

    • Instantly see verification status

    • Avoid redundant questioning

    • Escalate when needed

    • Trust system outcomes

    This alignment between customer and operator experience was critical for adoption.


  3. Designing for inclusion and failure

    Not all customers could access the app during calls. Some had connectivity issues. Others used shared devices. Some were elderly or had limited digital literacy. Instead of enforcing a single path, we designed structured fallback routes:

    • Delayed transfers

    • Manual verification escalation

    • Retry scheduling

    • Assisted enrollment

    Failure was treated as a first-class scenario, not an exception.
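
A minimal model of the core flow and the fallback routes above, added here as an illustration; it is not Nubank's implementation. The function names, the HMAC binding of the push to the call, the 120-second window and the status values are all assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass

TTL_SECONDS = 120                      # assumed response window
SERVER_KEY = secrets.token_bytes(32)   # assumed server-side key, never sent to the app

@dataclass
class Challenge:
    call_id: str
    customer_id: str          # identity claimed in the IVR
    nonce: str
    issued_at: float
    status: str = "PENDING"   # -> VERIFIED | DENIED | FALLBACK

def _tag(ch):
    # Binds the push to one call, one customer and one moment in time.
    msg = f"{ch.call_id}|{ch.customer_id}|{ch.nonce}|{ch.issued_at}".encode()
    return hmac.new(SERVER_KEY, msg, hashlib.sha256).hexdigest()

def issue(call_id, customer_id, now):
    """After IVR identification: create the challenge and the push payload."""
    ch = Challenge(call_id, customer_id, secrets.token_hex(16), now)
    return ch, {"call_id": call_id, "tag": _tag(ch)}

def respond(ch, payload, session_customer, confirmed, now):
    """In-app answer; session_customer comes from the app's own login."""
    if ch.status != "PENDING":
        return "REJECTED"                  # single use: replays change nothing
    if now - ch.issued_at > TTL_SECONDS:
        ch.status = "FALLBACK"             # too late: route to a fallback path
        return ch.status
    bound = payload.get("call_id") == ch.call_id and hmac.compare_digest(
        str(payload.get("tag", "")), _tag(ch))
    if not bound or session_customer != ch.customer_id:
        return "REJECTED"                  # wrong call or wrong account
    ch.status = "VERIFIED" if confirmed else "DENIED"
    return ch.status

def agent_view(ch, now):
    """Status shown in the agent tool; silence past the window is a fallback."""
    if ch.status == "PENDING" and now - ch.issued_at > TTL_SECONDS:
        ch.status = "FALLBACK"
    return ch.status
```

A `DENIED` result means the account holder says the call is not theirs, so the agent tool should treat it as a fraud signal rather than offer a retry.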

“He designed verification systems that were intuitive for both customers and operations teams, reducing training needs and increasing security.”

Operations Manager

5. Trade-offs & Decisions

  1. Security vs Accessibility

    Digital-first verification improved security but risked excluding users without reliable app access. Overly strict enforcement would increase abandonment. We designed structured fallback routes to balance protection and inclusion.


  2. Critical Trade-offs

    • Digital-first vs Inclusivity

    • Speed vs Fraud Resistance

    • Standardization vs Localization


  3. Missteps & Corrections

    • Early MVPs showed low engagement and confusion around instructions.

    • We redesigned prompts, simplified flows, and adjusted timing.

    • Regional friction required further adaptation.

7. Experimentation

  1. From MVP to maturity

    We launched Self Verification through successive experimental phases.


    MVP: Brazil

    Initial pilots focused on validating behavioral adoption. Results:

    • ~30% engagement

    • No negative impact on satisfaction

    • 18-second average handling time reduction

    • R$2.6M annual savings potential

    These signals justified national rollout.


    V1: Security stress tests

    As adoption grew, we expanded challenge mechanisms and stress-tested fraud resilience. Initial results revealed increased friction and drop-offs. Rather than abandoning the system, we redesigned interaction pacing and fallback logic.


    V2: Engagement optimization

    Engagement plateaued around 34%. We ran multi-armed experiments testing:

    • Announcement framing

    • Audio scripts

    • Fallback timing

    • Automatic drop logic

    Best-performing variants increased engagement by more than 10 percentage points.


  2. Multi-country expansion: Designing for regulation

    Scaling to Mexico and Colombia introduced new regulatory constraints. Mexican regulations required stronger authentication categories and additional password-based validation.

    We redesigned the platform to support country-specific rules without fragmenting the experience. This involved:

    • Localized scripts (Spanish and Portuguese)

    • Regulatory alignment

    • Market-specific fallback logic

    • Legal review cycles

    The result was a reusable framework adaptable across geographies.


  3. Content and voice design

    Security experiences are strongly shaped by language. I led the definition of IVR scripts and in-app copy, balancing:

    • Authority

    • Emotional reassurance

    • Actionability

    • Cultural adaptation

    Standardized voice and screen systems reduced confusion and increased compliance.

8. Impact

At maturity, Self Verification became foundational infrastructure. Key outcomes:

  • Millions of automated verifications

  • Multi-country deployment

  • Significant reduction in manual questioning

  • Lower fraud exposure

  • Multi-million BRL operational savings

  • Reduced average handling time across priority flows

Verification evolved from cost center to efficiency lever.
