All posts by Chris Ryan
Since 2002, lenders have been aware of the importance of Know Your Customer (KYC) and the associated Customer Identification Program (CIP) requirements. As COVID-19 has changed procedures and priorities for businesses and consumers across the board, it’s more important than ever for institutions to ensure their CIP process includes ongoing monitoring of identity risk. What is CIP? Standard KYC programs include a Customer Identification Program to verify and validate identities along with due diligence to assess the risks associated with each identity. CIP defines the process by which a business collects data to establish a reasonable belief that the identity is valid, and that the individual is eligible to participate in our financial system. While this process works in conjunction with other fraud mitigation tactics, they serve different purposes. A good CIP program emphasizes the customer experience, regulatory compliance, cost control, and smart growth. Fraud mitigation focuses on ensuring that an eligible identity is being presented by its true owner, rather than as part of a scheme to acquire goods and services with intent to default on repayment obligations. Businesses who focus on solely on fraud mitigation rather than complying with KYC and CIP regulations run the risk of potential harm to business reputation, and of course, financial penalties. Fenergo found that as of the end of 2019, global penalties for AML and KYC non-compliance totaled $36 billion. CIP vs. Fraud Mitigation Many financial institutions equate a CIP program with efforts to mitigate fraud. It’s understandable, as both processes include emphasis on the accuracy of an identity as it’s presented by a consumer. It is assumed that only the true owner of the identity would possess the detailed information necessary to meet CIP requirements and therefore would not likely be committing fraud. There was a time—prior to large scale thefts of stored information, personal details shared through social media and other behavior changes that made personal information very public—when this would have been true. Unfortunately, those days have passed and even an amateur criminal with limited experience and resources could find current, accurate identity information for sale online, information good enough to pass the CIP test and be considered a legitimate consumer. The real challenge is that when they go through CIP, many real consumers may inadvertently provide true information that doesn’t meet the verification standard. This is a result of consumer lifestyle changes outpacing the sources of data used to verify the information they’ve provided. It makes sense; in most years roughly 13% of American adults change their address. New homes, job changes and changes in marital status impact a large number of people every day. Adding to the confusion—it’s life’s changes that prompt people to borrow and purchase. The result is that many of the people that are more likely to fail CIP verification are the very people trying to legitimately access financial services. The result is that CIP verification often isn’t a challenge for those intending to commit fraud, but it can be for genuine consumers. The challenges of CIP In a recent internal study, Experian reviewed the ability to pass a standard CIP strategy that assessed the accuracy of the name, current address, date of birth and Social Security number provided by a large sample of consumers. We then compared legitimate consumers to those later confirmed to have been identity thieves impersonating a victim. Consistently, the identity thieves were at least as proficient at passing CIP as their true-consumer counterparts. In a second step, we applied a fraud score that looked for identity theft by assessing the past uses of the identities, their consistency, velocity and many other characteristics unrelated to the accuracy of the data. The difference between CIP verification and a fraud risk assessment was striking. Across the entire range of fraud risk, the percentage of records that passed CIP verification remained the same. That said, CIP still plays a very important role in risk mitigation. In fact, CIP and fraud prevention are inextricable in financial services. Just as a CIP verified identity can still be fraud, a record that may appear to be low fraud risk may not pass CIP. Since both processes have existed side by side for nearly two decades, each presumes that the other is in place and both are necessary to detect and prevent fraud. Striking a balance CIP verification and fraud mitigation strategies are both necessary and important to protecting assets and the broader financial system from fraud. It’s important to leverage a layered approach where both eligibility and risk are assessed, and next steps for verification include resolution of identity discrepancies alongside verification that ensures an identity is not being misused for fraud. Experian can help you confidently verify customer identities, understand and anticipate customer activities, and implement ongoing monitoring. If you’d like to set up a review of your current strategy or learn more about how we can help you with CIP and fraud mitigation to strengthen your ability to know your customer compliantly, let us know. Contact us
Over the last several weeks, I’ve shared articles about the problems surrounding third-party, first-party and synthetic identity fraud. To wrap up this series, I’d like to talk about account takeover fraud and how digital transformation has impacted it over the last year. What is account takeover fraud? Account takeover fraud is a form of identity theft that involves unauthorized access to a user’s online accounts to enable financial crimes. Criminals can obtain information in a number of ways, including the dark web, spyware and malware, and phishing to allow them to make unauthorized transactions with the user’s account. Fraudsters have made efforts to also gain control of mobile or email accounts so they can intercept one-time passwords or password change instructions to retain control of the account. Once fraudsters have control of one account, they can use it to access other personal information to breach additional accounts and graduate to full-scale identity theft. How does account takeover fraud impact me? Account takeover fraud is damaging to businesses and consumers. It leads to losses and well as resources invested to confirm fraud. The potential losses from account takeover fraud have spiked over the last year, in large part due to the opportunities created by the rapid increase of digital interactions and the influx of users interacting with merchants and financial institutions online for the first time. Aite research shows that 64% of financial institutions are seeing higher rates of ATO fraud attacks now than prior to the pandemic. – Trace Fooshee, Senior Analyst, Aite Group1 Account takeover can also be difficult to detect. Unlike credit card fraud where the true owner might quickly notice suspicious charges, an account takeover attack can go undetected for long periods of time. That’s because the criminal can change login and contact information, ensuring that the real accountholder doesn’t realize they’ve been compromised immediately. Solving the account takeover fraud problem A good account takeover fraud prevention strategy requires two things: frictionless customer experience and robust risk management. It’s clear that customers expect seamless interactions with merchants and lenders. At the same time, businesses need to be able to spot risky or suspicious behavior before a bad transaction occurs. That’s where a layered fraud management solution comes into play. With the right tools—including risk-based identity and device authentication and targeted step-up authentication—businesses can provide a good customer experience and only pull in staff for deeper investigations where necessary. With this strategy in place, businesses can easily recognize good customers and provide a more personalized experience, while at the same time combatting fraud – boosting growth and minimizing losses in the long run. I hope this series has helped provide insights into the different types of fraud and why each of them requires different treatment. To learn more about the risks of account takeover and how a layered fraud management strategy can help protect your business and your customers, feel free to contact us. 1Key Trends Driving Fraud Transformation in 2021 and Beyond, Aite Group, December 2020
Recently, I shared articles about the problems surrounding third-party and first-party fraud. Now I’d like to explore a hybrid type – synthetic identity fraud – and how it can be the hardest type of fraud to detect. What is synthetic identity fraud? Synthetic identity fraud occurs when a criminal creates a new identity by mixing real and fictitious information. This may include blending real names, addresses, and Social Security numbers with fabricated information to create a single identity. Once created, fraudsters will use their synthetic identities to apply for credit. They employ a well-researched process to accumulate access to credit. These criminals often know which lenders have more liberal identity verification policies that will forgive data discrepancies and extend credit to people who appear to be new or emerging consumers. With each account that they add, the synthetic identity builds more credibility. Eventually, the synthetic identity will “bust out,” or max out all available credit before disappearing. Because there is no single person whose identity was stolen or misused there’s no one to track down when this happens, leaving businesses to deal with the fall out. More confounding for the lenders involved is that each of them sees the same scam through a different lens. For some, these were longer-term reliable customers who went bad. For others, the same borrower was brand new and never made a payment. Synthetic identities don\'t appear consistently as a new account problem or a portfolio problem or correlate to thick- or thin-filed identities, further complicating the issue. How does synthetic identity fraud impact me? As mentioned, when synthetic identities bust out, businesses are stuck footing the bill. Annual SIF (synthetic identity fraud) charge-offs in the United States alone could be as high as $11 billion. – Steven D’Alfonso, research director, IDC Financial Insights1 Unlike first- and third-party fraud, which deal with true identities and can be tracked back to a single person (or the criminal impersonating them), synthetic identities aren’t linked to an individual. This means that the tools used to identify those types of fraud won’t work on synthetics because there’s no victim to contact (as with third-party fraud), or real customer to contact in order to collect or pursue other remedies. Solving the synthetic identity fraud problem Preventing and detecting synthetic identities requires a multi-level solution that includes robust checkpoints throughout the customer lifecycle. During the application process, lenders must look beyond the credit report. By looking past the individual identity and analyzing its connections and relationships to other individuals and characteristics, lenders can better detect anomalies to pinpoint false identities. Consistent portfolio review is also necessary. This is best done using a risk management system that continuously monitors for all types of fraudulent activities across multiple use cases and channels. A layered approach can help prevent and detect fraud while still optimizing the customer experience. With the right tools, data, and analytics, fraud prevention can teach you more about your customers, improving your relationships with them and creating opportunities for growth while minimizing fraud losses. To wrap up this series, I’ll explore account takeover fraud and how the correct strategy can help you manage all four types of fraud while still optimizing the customer experience. To learn more about the impact of synthetic identities, download our “Preventing Synthetic Identity Fraud” white paper and call us to learn more about innovative solutions you can use to detect and prevent fraud. Contact us Download whitepaper 1Synthetic Identity Fraud Update: Effects of COVID-19 and a Potential Cure from Experian, IDC Financial Insights, July 2020
A few weeks ago, I shared the first in a series of articles about understanding the different types of fraud and how to solve for them. In that article, I likened the fraud problem to baking. Continuing that theme, I’m going to explore first-party fraud by comparing it to biting into a cookie you think is chocolate chip, only to find that it’s filled with raisins. The raisins in the cookie were hiding in plain sight, indistinguishable from chocolate chips without a closer look, much like first-party fraudsters. What is first-party fraud? First-party fraud refers to instances when an individual makes a promise of future repayments in exchange for goods or services without the intent to repay. The fraudster might accomplish this by applying for a loan or credit card they won’t pay back, or misrepresenting their financial situation to get a more favorable rate. First-party fraud sometimes presents via “mules” or consumers who are persuaded to use their own information to obtain credit or merchandise on behalf of a larger fraud ring. This type of fraud has become especially prevalent in 2020 due to the increases in online activity for both work and purchasing. Mule activity has increased by 41% in 2020 in comparison to attack rates prior to the pandemic. – Julie Conroy, Research Director, Aite Group First-party fraud is often miscategorized as credit loss and written off as bad debt, which causes problems when businesses later try to determine how much they’ve lost to fraud versus credit risk, and then make future lending decisions. How does first-party fraud impact me? Firstly, there are often substantial losses associated with first-party fraud. According to Payments Journal, 60% of financial institutions report first-party fraud as the prominent source of fraud losses. The ranks of those who commission the attacks, as well as the mules who provide logistical support, will continue to increase at the same pace, if not more quickly, as economic conditions remain suppressed. The result will be an increase in the volume of attacks in general but with a particular emphasis on the kinds of fraud that typically accompany prolonged recessions, most notably first-party fraud.1 – Trace Fooshee, Senior Analyst, Aite Group An imperfect first-party fraud solution can also strain relationships with good customers and hinder growth. When lenders have to interpret actions and behavior to assess customers, there’s a lot of room for error and losses. Those same losses hinder growth when, as mentioned before, businesses anticipate credit losses that aren’t actually credit losses. This type of fraud isn’t a single-time event, and it doesn’t occur at just one point in the customer lifecycle. It occurs when good customers develop fraudulent intent, when new applicants who have positive history with other lenders have recently changed circumstances, or when seemingly good applicants have manipulated their identities to mask previous defaults. Finally, first-party fraud impacts how your organization categorizes and manages risk – and that’s something that touches every department. Solving the first-party fraud problem Preventing first-party fraud requires a change in how we think about the fraud problem. It starts with the ability to separate first- and third-party fraud to treat them differently. Because first-party fraud doesn’t have a victim, you can’t work with the person whose information was stolen to confirm the fraud. Instead, you’ll have to work implement a consistent monitoring system and make a determination internally when fraud is suspected. As we’ve already discussed, the fraud problem is complex. However with a partner like Experian, you have the tools required to perform a closer examination and the ability to differentiate between the types of fraud so you can determine the best course of action moving forward. In the coming weeks, I’ll continue my exploration of this topic with a dive into synthetic identity and account takeover fraud, and how a layered fraud management strategy can help you minimize customer friction to improve and deepen your relationships while preventing fraud. Contact us if you’d like to learn more about how Experian is using our identity expertise, data, and analytics to detect and prevent all types of fraud. Contact us 1Key Trends Driving Fraud Transformation in 2021 and Beyond, December 2020
Fraud – it’s a word that comes up in conversations across every industry. While there’s a general awareness that fraud is on the rise and is constantly evolving, for many the full impact of fraud is misunderstood and underestimated. At the heart of this challenge is the tendency to lump different types of fraud together into one big problem, and then look for a single solution that addresses it. It’s as if we’re trying to figure out how to un-bake a terrible cake instead of thinking about the ingredients and the process needed to put them together in the first place. This is the first of a series of articles in which we’ll look at some of the key ingredients that create different types of fraud, including first party, third party, synthetic identity, and account takeover. We’ll talk about why they’re unique and why we need to approach each one differently. At the end of the series, we’ll get a result that’s easier to digest. I had second thoughts about the cake metaphor, but in truth it really works. Creating a good fraud management process is a lot like baking. We need to know the ingredients and some tried-and-true methods to get the best result. With that foundation in place, we can look for ways to improve the outcome every time. Let’s start with a look at the best known type of fraud, third party. What is third-party fraud? Third-party fraud – generally known as identity theft – occurs when a malicious actor uses another person’s identifying information to open new accounts without the knowledge of the individual whose information is being used. This type of fraud is unique from first party or synthetic identity fraud because it involves an identifiable victim that’s willing to collaborate in the investigation and resolution, for the simple reason that they don’t want to be responsible for the obligation made under their name. Third-party fraud is often the only type of activity that’s classified as fraud by financial institutions. The presence of an identifiable victim creates a high level of certainty that fraud has indeed occurred. That certainty enables financial institutions to properly categorize the losses. Since there is a victim associated with it, third party fraud tends to have a shorter lifespan than other types. When victims become aware of what’s happening, they generally take steps to protect themselves and intervene where they know their identity has been potentially misused. As a result, the timeline for third-party fraud is shorter, with fraudsters acting quickly to maximize the funds they’re able to amass before busting out. How does third-party fraud impact me? As the digital transformation continues, more and more personally identifiable information (PII) is available on the dark web due to data breaches and phishing scams. Given that half of consumers anticipate increasing their online spending in the coming year, we anticipate that the amount of PII readily available to criminals will only continue to grow. All of this will lead to identity theft and increase the risk of third-party fraud. Third-party fraud has been on businesses\' radar throughout 2020, with account takeover and account opening fraud representing high opportunities for risk. While we don’t yet know the full financial impact of COVID-19, it’s clear that it has created both opportunity—increased online presence and interaction—and need—in the form of financial distress for businesses and consumers—when it comes to third-party fraud. Solving the third-party fraud problem We’ve examined one part of the fraud problem, and it is a complex one. With Experian as your partner, solving for it isn’t. Continuing my cake metaphor, by following the right steps and including the right ingredients, businesses can detect and prevent fraud. Preventing third-party fraud involves two distinct steps. Analytics: Driven by extensive data that captures the ways in which people present their identity—plus artificial intelligence and machine learning—good analytics can detect inconsistencies, and patterns of usage that are out of character for the person, or similar to past instances of known fraud. Verification: The advantage of dealing with third-party fraud is the availability of a victim that will confirm when fraud is happening. The verification step refers to the process of making contact with the identity owner to obtain that confirmation. It does require some thought and discipline to make sure that the contact information used leads to the identity owner—and not to the fraudster. Over the coming weeks, I’ll be exploring first-party fraud, synthetic identity fraud, and account takeover fraud and how a layered fraud management strategy can help keep your business and customers safe from all types. Let us know if you’d like to learn more about how Experian is using our identity expertise, data, and analytics to detect and prevent fraud. Contact us
Experian is excited to have been chosen as one of the first data and analytics companies that will enable access to Social Security Administration (SSA) data for the purposes of verifying identity against the Federal Agency’s records. The agency’s involvement in the wake of Congressional interest and successful legislation will create a seismic shift in the landscape of identity verification. Ultimately, the ability to leverage SSA data will reduce the impact of identity fraud and synthetic identity and put real dollars back into the pockets of people and businesses that absorb the costs of fraud today. As this era of government and private sector collaboration begins, many of our clients and partners are breathing a sigh of relief. We see this in a common question our customers ask every day, “Do I still need an analytical solution for synthetic ID now that eCBSV is on the horizon?” The common assumption is that help is on the way and this long tempest of rising losses and identity uncertainty is about to leave us. Or is it? We don’t believe it’s the end of the synthetic ID storm. This is the eye. Rather than basking in the calm light of this moment, we should be thinking ahead and assessing our vulnerabilities because the second half of this storm will be worse than the first. Consider this: The people who develop and exploit synthetic IDs are playing a long game. It takes time, research, planning and careful execution to create an identity that facilitates fraud. The bigger the investment, the bigger the spoils will be. Synthetic ID are being used to purchase luxury automobiles. They’re passing lender marketing criteria and being offered credit. The criminals have made their investment, and it’s unlikely they will walk away from it. So, what does SSA’s pending involvement mean to them? How will they prepare? These aren’t hard questions. They’ll do what you would do in the eye of a storm — maximize the value of the preparations that are in place. Gather what you can quickly and brace yourself for the uncertainty that’s coming. In short, there’s a rush to monetize synthetic IDs on the horizon, and this is no time to declare ourselves safe. It’s doubtful that the eCBSV process will be the silver bullet that ends synthetic ID fraud — and certainly not on day one. It’s more likely that the physical demands of the data exchange, volume constraints, response times and the actionability of the results will take time to optimize. In the meantime, the criminals aren’t going to sit by and watch as their schemes unravel and lose value. We should take some comfort that we’ve made it through the first half of the storm, but recognize and prepare for what still needs to be faced.
For most businesses, building the best online experience for consumers requires a balance between security and convenience. But the challenge has always been finding a happy medium between the two – offering enough security that won’t get in the way of convenience and vice versa. In the past, it was always believed that one would always come at the expense of the other. But technology and innovation is changing how businesses approach security and is allowing them to give the maximum potential of both. Consumers want security AND convenience Consumers consider security and convenience as the foundation of their online experience. Findings from our 2019 Global Identity and Fraud Report revealed approximately 74 percent of consumers ranked security as the most important part of their online experience, followed by convenience. In other words, they expect businesses to provide them with both. We see this with how consumers are typically using the same security information each time they open a new digital account – out of convenience. But if one account is compromised, the consumer becomes vulnerable to possible fraudulent activity. With today’s technology, businesses can give consumers an easier and more secure way to access their digital accounts. Creating the optimal online experience More security usually meant creating more passwords, answering more security questions, completing CAPTCHA tests, etc. While consumers are willing to work through these friction-inducing methods to complete a transaction or access an account, it’s not always the most convenient process. Advanced data and technology has opened doors for new authentication methods, such as physical and behavioral biometrics, digital tokenization, device intelligence and machine learning, to maximize the potential for businesses to provide the best online experience possible. In fact, consumers have expressed greater confidence in businesses that implement these advanced security methods. Rates of consumer confidence in passwords was only 44 percent, compared to a 74 percent rate of consumer confidence in physical biometrics. Consumers are willing to embrace the latest security technology because it provides the security and convenience they want from businesses. While traditional forms of security were sufficient, advanced authentication methods have proven to be more reliable forms of security that consumers trust and can improve their online experience. The optimal online experience is a balance between security and convenience. Innovative technologies and data are helping businesses protect people’s identities and provide consumers with an improved online experience.
Be warned. I’m a Philadelphia sports fan, and even after 13 months, I still relish in the only Super Bowl victory I’ve ever known as a fan. Having spent more than two decades in fraud prevention, I find that Super Bowl LII is coalescing in my mind with fraud prevention and lessons in defense more and more. Let me explain: It’s fourth-down-and-goal from the one-yard line. With less than a minute on the clock in the first half, the Eagles lead, 15 to 12. The easy option is to kick the field goal, take the three points and come back with a six-point advantage. Instead of sending out the kicking squad, the Eagles offense stays on the field to go for a touchdown. Broadcaster Cris Collingsworth memorably says, “Are they really going to go for this? You have to take the three!” On the other side are the New England Patriots, winners of two of the last three Super Bowls. Love them or hate them, the Patriots under coach Bill Belichick are more likely than any team in league history to prevent the Eagles from scoring at this moment. After the offense sets up, quarterback Nick Foles walks away from his position in the backfield to shout instructions to his offensive line. The Patriots are licking their chops. The play starts, and the ball is snapped — not to Foles as everyone expects, but to running back Corey Clement. Clement takes two steps to his left and tosses the ball the tight end Trey Burton, who’s running in the opposite direction. Meanwhile, Foles pauses as if he’s not part of the play, then trots lazily toward the end zone. Burton lobs a pass over pursuing defenders into Foles’ outstretched hands. This is the “Philly Special” — touchdown! Let me break this down: A third-string rookie running back takes the snap, makes a perfect toss — on the run — to an undrafted tight end. The tight end, who hasn’t thrown a pass in a game since college, then throws a touchdown pass to a backup quarterback who hasn’t caught a ball in any athletic event since he played basketball in high school. A play that has never been run by the Eagles, led by a coach who was criticized as the worst in pro football just a year before, is perfectly executed under the biggest spotlight against the most dominant team in NFL history. So what does this have to do with fraud? There’s currently an outbreak of breach-fueled credential stuffing. In the past couple of months, billions of usernames and passwords stolen in various high-profile data breaches have been compiled and made available to criminals in data sets described as “Collections 1 through 5.” Criminals acquire credentials in large numbers and attack websites by attempting to login with each set — effectively “stuffing” the server with login requests. Based on consumer propensity to reuse login credentials, the criminals succeed and get access to a customer account between 1 in 1,000 and 1 in 50 attempts. Using readily available tools, basic information like IP address and browser version are easy enough to alter/conceal making the attack harder to detect. Credential stuffing is like the Philly Special: Credential stuffing doesn’t require a group of elite all-stars. Like the Eagles’ players with relatively little experience executing their roles in the Philly Special, criminals with some computer skills, some initiative and the guts to try credential stuffing can score. The best-prepared defense isn’t always enough. The Patriots surely did their homework. They set up their defense to stop what they expected the Eagles to do based on extensive research. They knew the threats posed by every Eagle on the field. They knew what the Eagles’ coaches had done in similar circumstances throughout their careers. The defense wasn’t guessing. They were as prepared as they could have been. It’s the second point that worries me when I think of credential stuffing. Consumers reuse online credentials with alarming frequency, so a stolen set of credentials is likely to work across multiple organizations, possibly even yours. On top of that, traditional device recognition like cookies can’t identify and stop today’s sophisticated fraudsters. The best-prepared organizations feel great about their ability to stop the threats they’re aware of. Once they’ve seen a scheme, they make investments, improve their defenses, and position their players to recognize a risk and stop it. Sometimes past expertise won’t stop the play you can’t see coming.
Synthetic identities come from accounts held not by actual individuals, but by fabricated identities created to perpetrate fraud. It often starts with stealing a child’s Social Security number (SSN) and then blending fictitious and factual data, such as a name, a mailing address and a telephone number. What’s interesting is the increase in consumer awareness about synthetic identities. Previously, synthetic identity was a lender concern, often showing itself in delinquent accounts since the individual was fabricated. Consumers are becoming aware of synthetic ID fraud because of who the victims are — children. Based on findings from a recent Experian survey, the average age of child victims is only 12 years old. Children are attractive victims since fraud that uses their personal identifying information can go for years before being detected. I recently was interviewed by Forbes about the increase of synthetic identities being used to open auto loans and how your child’s SSN could be used to get a phony auto loan. The article provides a good overview of this growing concern for parents and lenders. A recent Javelin study found that more than 1 million children were victims of fraud. Most upsetting is that children are often betrayed by people close to them -- while only 7 percent of adults are victimized by someone they know, 60 percent of victims under 18 know the fraudster. Unfortunately, when families are in a tight spot financially they often resort to using their child’s SSN to create a clean credit record. Fraud is an issue we all must deal with — lenders, consumers and even minors — and the best course of action is to protect ourselves and our organizations.
First-party fraud is an identity-centric risk that changes over time. And the fact that no one knows the true size of first-party fraud is not the problem. It’s a symptom. First-party fraud involves a person making financial commitments or defaulting on existing commitments using their own identity, a manipulated version of their own identity or a synthetic identity they control. With the identity owner involved, a critical piece of the puzzle is lost. Because fraud “treatments” tend to be all-or-nothing and rely on a victim, the consequences of applying traditional fraud strategies when first-party fraud is suspected can be too harsh and significantly damage the customer relationship. Without feedback from a victim, first-party fraud hides in plain sight — in credit losses. As a collective, we’ve created lots of subsets of losses that nibble around the edges of first-party fraud, and we focus on reducing those. But I can’t help thinking if we were really trying to solve first-party fraud, we would collectively be doing a better job of measuring it. As the saying goes, “If you can’t measure it, you can’t improve it.” Because behaviors exhibited during first-party fraud are difficult to distinguish from those of legitimate consumers who’ve encountered catastrophic life events, such as illness and unemployment, individual account performance isn’t typically a good measurement. First-party fraud is a person-level event rather than an account-level event and needs to be viewed as such. So why does first-party fraud slip through the cracks? Existing, third-party fraud prevention tools aren’t trained to detect it. Underwriting relies on a point-in-time assessment, leaving lenders blind to intentions that may change after booking. When first-party fraud occurs, the different organizations that suffer losses attach different names to it based on their account-level view. It’s hidden in credit losses, preventing you from identifying it for future analysis. As an industry, we aren’t going to be able to solve the problem of first-party fraud as long as three different organizations can look at an individual and declare, “Never pay!” “No. Bust-out!” “No! Charge-off!” So, what do we need to stop doing? Stop thinking that it’s a different problem based on when you enter the picture. Whether you opened an account five years ago or 5 minutes ago doesn’t change the problem. It’s still first-party fraud if the person who owns the identity is the one misusing it. Stop thinking that the financial performance of an account you maintain is the only relevant data. And what do we need to start doing? See and treat first-party fraud as a continuous Leverage machine learning techniques and robust data (including your own observations) to monitor for emerging risk over Apply multiple levels of treatments to respond and tighten controls/reduce exposure as risk Define first-party fraud using a broader set of elements beyond your individual observations.
Customer Identification Program (CIP) solution through CrossCore® Every day, I work closely with clients to reduce the negative side effects of fraud prevention. I hear the need for lower false-positive rates; maximum fraud detection in populations; and simple, streamlined verification processes. Lately, more conversations have turned toward ID verification needs for Customer Information Program (CIP) administration. As it turns out, barriers to growth, high customer friction and high costs dominate the CIP landscape. While the marketplace struggles to manage the impact of fraud prevention, CIP routinely disrupts more than 10 percent of new customer acquisitions. Internally at Experian, we talk about this as the biggest ID problem our customers aren’t solving. Think about this: The fight for business in the CIP space quickly turned to price, and price was defined by unit cost. But what’s the real cost? One of the dominant CIP solutions uses a series of hyperlinks to connect identity data. Every click is a new charge. Their website invites users to dig into the data — manually. Users keep digging, and they keep paying. And the challenges don’t stop there. Consider the data sources used for these solutions. The winners of the price fight built CIP solutions around credit bureau header data. What does that do for growth? If the identity wasn’t sufficiently verified when a credit report was pulled, does it make sense to go back to the same data source? Keep digging. Cha-ching, cha-ching. Right about now, you might be feeling like there’s some sleight of hand going on. The true cost of CIP administration is much more than a single unit price. It’s many units, manual effort, recycled data and frustrated customers — and it impacts far more clients than fraud prevention. CIP needs have moved far beyond the demand for a low-cost solution. We’re thrilled to be leading the move toward more robust data and decision capabilities to CIP through CrossCore®. With its open architecture and flexible decision structure, our CrossCore platform enables access to a diverse and robust set of data sources to meet these needs. CrossCore unites Experian data, client data and a growing list of available partner data to deliver an intelligent and cost-conscious approach to managing fraud and identity challenges. The next step will unify CIP administration, fraud analytics and a range of verification treatment options together on the CrossCore platform as well. Spoiler alert. We’ve already taken that step.
Part 3 in our series on Insights from the Vision 2016 fraud and identity track Our Vision 2016 fraud track session titled “Deployment Made Easy — solving new fraud problems by Adapting Legacy Solutions” offered insights into the future of analytics and the mechanisms for delivering them. The session included two case studies, the first of which highlighted a recently completed project in which an Experian client struggling with rising application fraud losses had to find a way to deploy advanced analytics without any IT resources. To assist the customer, data passing through an existing customer interface was reformatted and redirected to our Precise ID® platform. Upon arrival in Precise ID, a custom-built fraud scoring model was invoked. The results were then translated back into the format used by the legacy interface so that they could be ingested by the customer’s systems. This case study illustrates the key value proposition of Experian’s new CrossCoreTM fraud and identity platform. CrossCore features a similar “translation layer” for inquiries coming into Experian’s fraud and identity tools that will allow customers to define fraud-screening workflows that call a variety of services. The IT burden for connecting the inquiry to various Experian and non-Experian services will fall on Experian — sparing the customer from the challenge of financing and prioritizing IT resources. Similarly, the output from CrossCore will provide a ready-to-consume response that integrates directly with our customers’ host systems. The audience showed keen interest in the “here and now” illustration of what CrossCore will enable. Our second case study was provided by Eric Heikkila at Amazon Web Services™ and focused on the future of analytics. For an audience accustomed to the constraints of developing advanced analytics in a rigid data-structure, Amazon’s description of a “data lake” was a fascinating picture of what’s possible. The data lake offers the simultaneous ability to accommodate existing structured customer data along with new unstructured data in an infinitely scalable data set. Equally important is the data lake’s ability to accommodate an unlimited array of data mining and analytical tools. Amazon’s message was clear and simple — the fraud industry’s trepidation around the use of big data is misplaced. The fear of making the wrong choice of data storage and analytical tools is unnecessary. To illustrate this point, Eric shared an Amazon Web Services case study that used FINRA (Financial Industry Regulatory Authority). FINRA is responsible for overseeing U.S. securities markets to ensure that rules are followed and integrity is maintained. Amid a bewildering set of ever-changing regulations and peak volumes of 35 trillion per day — yes, trillion — Amazon’s data lake supports both the scale and analytical demands of a complex industry. As the delivery and access to fraud products is made easy by CrossCore, the data and analytics will expand through the use of services like Amazon’s data lake. As the participants will agree, the future of fraud technology is closer than you think!
Understanding and managing first party fraud Background/Definitions Wherever merchants, lenders, service providers, government agencies or other organizations offer goods, services or anything of value to the public, they incur risk. These risks include: Credit risk — Loosely defined, credit risk arises when an individual receives goods/services in exchange for a promise of future repayment. If the individual’s circumstances change in a way that prevents him or her from paying as agreed, the provider may not receive full payment and will incur a loss. Fraud risk — Fraud risk arises when the recipient uses deception to obtain goods/services. The type of deception can involve a wide range of tactics. Many involve receiving the goods/services while attributing the responsibility for repayment to someone else. The biggest difference between credit risk and fraud risk is intent. Credit risk usually involves customers who received the goods/services with intent to repay but simply lack the resources to meet their obligation. Fraud risk starts with the intent to receive the goods/services without the intent to repay. Between credit risk and fraud risk lies a hybrid type of risk we refer to as first-party fraud risk. We call this a hybrid form of risk because it includes elements of both credit and fraud risk. Specifically, first party fraud involves an individual who makes a promise of future repayment in exchange for goods/services without the intent to repay. Challenges of first party fraud First party fraud is particularly troublesome for both administrative and operational reasons. It is important for organizations to separate these two sets of challenges and address them independently. The most common administrative challenge is to align first-party fraud within the organization. This can be harder than it sounds. Depending on the type of organization, fraud and credit risk may be subject to different accounting rules, limitations that govern the data used to address risk, different rules for rejecting a customer or a transaction, and a host of other differences. A critical first step for any organization confronting first-party fraud is to understand the options that govern fraud management versus credit risk management within the business. Once the administrative options are understood, an organization can turn its attention to the operational challenges of first-party fraud. There are two common choices for the operational handling of first-party fraud, and both can be problematic. First party fraud is included with credit risk. Credit risk management tends to emphasize a binary decision where a recipient is either qualified or not qualified to receive the goods/services. This type of decision overlooks the recipient’s intent. Some recipients of goods/services will be qualified with the intent to pay. Qualified individuals with bad intentions will be attracted to the offers extended by these providers. Losses will accelerate, and to make matters worse it will be difficult to later isolate, analyze and manage the first party fraud cases if the only decision criteria captured pertained to credit risk decisions. The end result is high credit losses compounded by the additional first party fraud that is indistinguishable from credit risk. First party fraud is included with other fraud types. Just as it’s not advisable to include first party fraud with credit risk, it’s also not a good idea to include it with other types of fraud. Other types of fraud typically are analyzed, detected and investigated based on the identification of a fraud victim. Finding a person whose identity or credentials were misused is central to managing these other types of fraud. The types of investigation used to detect other fraud types simply don’t work for first-party fraud. First party fraudsters always will provide complete and accurate information, and, upon contact, they’ll confirm that the transaction/purchase is legitimate. The result for the organization will be a distorted view of their fraud losses and misconceptions about the effectiveness of their investigative process. Evaluating the operational challenges within the context of the administrative challenges will help organizations better plan to handle first party fraud. Recommendations Best practices for data and analytics suggest that more granular data and details are better. The same holds true with respect to managing first party fraud. First party fraud is best handled (operationally) by a dedicated team that can be laser-focused on this particular issue and the development of best practices to address it. This approach allows organizations to develop their own (administrative) framework with clear rules to govern the management of the risk and its prevention. This approach also brings more transparency to reporting and management functions. Most important, it helps insulate good customers from the impact of the fraud review process. First-party fraudsters are most successful when they are able to blend in with good customers and perpetrate long-running scams undetected. Separating this risk from existing credit risk and fraud processes is critical. Organizations have to understand that even when credit risk is low, there’s an element of intent that can mean the difference between good customers and severe losses. Read here for more around managing first party fraud risk.
This is last question in our five-part series on the FFIEC guidance on what it means to Internet banking, what you need to know and how to prepare for the January 2012 deadline. Q: How are organizations responding? Experian estimates that less than half of the institutions impacted by this guidance are prepared for the examinations. Many of the fraud tools in the marketplace, particularly those that are used to authenticate individuals were deployed as point-solutions. Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, “layered” approach that the guidance is seeking. _____________ This is the last of our five-part series but we\'re happy to answer more questions as we know you need to know how to prepare for the January 2012 deadline.
This is fourth question in our five-part series on the FFIEC guidance and what it means Internet banking. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline. If you missed parts 1-3, there\'s no time to waste, check them out here: Go to question one: What does “multi-factor” authentication actually mean? Go to question two: Who does this guidance affect? And does it affect each type of credit grantor/ lender differently? Go to question three: What does “layered security” actually mean? Today\'s Q&A: What will the regulation do to help mitigate fraud risk in the near-term, and long-term? The FFIEC’s guidance will encourage financial institutions to re-examine their processes. The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system by exposing vulnerabilities in the way we exchange goods, services and currencies. It is important that members of the financial services community understand their role in protecting our economy from fraud. Fraud is not the result of a static set of tactics employed by criminals. Fraud tactics evolve constantly and the tools that combat them have to evolve as well. Considering the impact that technology is having on commerce, it is more important than ever to review the processes that we once thought made our businesses “safe.” The architecture and flexibility of fraud prevention “capabilities” is a weapon unto itself. The guidance provides a perspective on why it is important to be able to understand the risk and to respond accordingly. At the end of the day, the guidance is less about a need to take a specific action---and more about the “capability” to recognize when those actions are needed, and how they should be structured so that high-risk actions are met with strong and sophisticated defenses. _____________ Look for part five, the final in our series tomorrow.
Learn More Image
