This is the third question in our five-part series on the FFIEC guidance and what it means for Internet banking. If you missed the first and second questions, you can still view them - our answers aren't going anywhere. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline.

Question: Who does this guidance affect? And does it affect each type of credit grantor/lender differently?

The guidance pertains to all financial institutions in the US that fall under the FFIEC’s influence. While the guidance specifically mentions authenticating in an on-line environment, it’s clear that the overall approach advocated by the FFIEC applies to authentication in any environment. As fraud professionals know, strengthening the defenses in the on-line environment will drive the same fraud tactics to other channels. The best way to apply this guidance is to understand its intent and apply it across call centers and in-person interactions as well.

_____________

Look for part four of our five-part series tomorrow. If you have a related question that needs an answer, submit it in the comments field below and we'll answer those questions too. Chances are if you are questioning something, others are too - so let's cover it here! Or, if you would prefer to speak with one of our Fraud Business Consultants directly, complete a contact form and we'll follow up promptly.

This is the second question in our five-part series on the FFIEC guidance and what it means for Internet banking. If you missed the first question, don't worry, you can still go back. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline.

Question: What does “multi-factor” authentication actually mean?

“Multi-factor” authentication refers to the combination of different security requirements that would be unlikely to be compromised at the same time. A simple example of multi-factor authentication is the use of a debit card at an ATM. The plastic debit card is an item that you must physically possess to withdraw cash, but the transaction also requires the PIN to complete it. The card is one factor, the PIN is a second. The two combine to deliver multi-factor authentication. Even if the customer loses their card, it (theoretically) can’t be used to withdraw cash from the ATM without the PIN.

_____________

Look for part three of our five-part series tomorrow.

This is the first question in our five-part series on the FFIEC guidance and what it means for Internet banking. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline.

Question: What does “layered security” actually mean?

“Layered” security refers to the arrangement of fraud tools in a sequential fashion. A layered approach starts with the most simple, benign and unobtrusive methods of authentication and progresses toward more stringent controls as the activity unfolds and the risk increases. Consider a customer who logs onto an on-line banking session to execute a wire transfer of funds to another account. The layers of security applied to this activity might resemble:

1. Layer One - Account log-in. Security = valid ID and password must be provided.
2. Layer Two - Wire transfer request. Security = IP verification/confirmation that this PC has been used to access this account previously.
3. Layer Three - Destination account provided that has not been used to receive wire transfer funds in the past. Security = Knowledge Based Authentication.

Layered security provides an organization with the ability to handle simple customer requests with minimal security, and to strengthen security as risks dictate. A layered approach enables the vast majority of low-risk transactions to be completed without unnecessary interference while the high-risk transactions are sufficiently verified.

_____________

Look for part two of our five-part series tomorrow.

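The three layers in the wire-transfer walk-through above can be expressed as a step-up policy. This is an added example, not code from the original post; the class and function names, the decision strings, the sample data, and the choice to escalate an unrecognized IP to KBA (the post does not say what happens when Layer Two fails) are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Set, Tuple

@dataclass
class Profile:
    """History the institution holds for one account (constructed sample data)."""
    known_ips: Set[str] = field(default_factory=set)
    past_wire_destinations: Set[str] = field(default_factory=set)

@dataclass
class Request:
    action: str                          # "view_balance" or "wire_transfer"
    credentials_valid: bool              # outcome of the ID + password check
    source_ip: str
    destination: Optional[str] = None    # wire destination account, if any
    kba_passed: Optional[bool] = None    # None = KBA not attempted yet

def evaluate(req: Request, profile: Profile) -> Tuple[str, List[str]]:
    """Return (decision, controls_applied); controls run in order and only
    as far as the activity's risk requires."""
    applied = ["login"]
    # Layer One: account log-in needs a valid ID and password.
    if not req.credentials_valid:
        return "deny", applied
    if req.action != "wire_transfer":
        return "allow", applied          # low-risk request: no extra friction
    # Layer Two: has this IP/PC accessed the account before?
    applied.append("ip_verification")
    # Assumption: an unrecognized IP escalates to KBA instead of blocking.
    needs_kba = req.source_ip not in profile.known_ips
    # Layer Three: a destination never used for a wire before requires KBA.
    if req.destination not in profile.past_wire_destinations:
        needs_kba = True
    if not needs_kba:
        return "allow", applied
    applied.append("kba")
    if req.kba_passed is None:
        return "challenge_kba", applied  # ask the questions, then re-evaluate
    return ("allow" if req.kba_passed else "deny"), applied

# Constructed sample account history (documentation-range IP, made-up account id).
PROFILE = Profile(known_ips={"203.0.113.10"}, past_wire_destinations={"ACCT-001"})
```
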
Application risk management processes for deposits have remained relatively unchanged for decades. Typically, they involve credit bureau data and a secondary check of “debit bureau” data. A “debit bureau” typically gathers information regarding known fraud and compiles a fraud database of perpetrators. Every applicant who passes the credit risk strategies is checked against this database. The challenge is that this process can be very expensive.

Among a new class of fraud best practices is the idea of applying fraud models/fraud analytics as a filter upstream from the debit bureau’s fraud database. This practice enables deposit institutions to still identify known fraud and minimize fraud losses on those applicants that carry the highest risk. At the same time, costs are reduced by removing low-risk accounts from the debit bureau check. In addition to reducing costs, these revised acquisition strategies help reduce fraud referral rates while ensuring that application fraud does not increase.

As deposit institutions look for ways to significantly reduce costs without suffering additional application fraud, look for the continued emergence of fraud analytics among 2011’s fraud best practices.

Exciting research leveraging Experian’s fraud analytics and credit risk modeling is now enabling deposit institutions to understand the impacts of first party fraud and identity theft on their portfolios. Historically, deposit institutions have not considered application fraud to be a major concern, and legislation regarding overdraft fees and the opt-in provision for overdraft services will reduce a deposit customer’s ability to spend the bank’s money; however, a determined thief can still:

• kite checks to commit first party fraud
• perpetrate an account takeover/identity theft

The result is that deposit institutions will continue to face losses that can be prevented using fraud best practices. The challenge for the institution is knowing whether it is facing first party fraud or identity theft.

Increasingly, deposit institutions are turning to Experian to analyze customers that create losses early in the account life cycle in order to make the right modifications to their acquisition strategies. Using a combination of fraud analytics built to target specific types of fraud trends, deposit institutions can get a clear picture of the type of behavior that is generating their losses. This type of analysis is quickly climbing the list of fraud best practices. Armed with the right diagnosis, deposit institutions can respond by prioritizing the right set of fraud alerts.

Conducting a validation on historical data is a good way to evaluate fraud models; however, fraud best practices dictate that a proper validation uses properly defined fraud tags. Before you can determine if a fraud model or fraud analytics tool would have helped minimize fraud losses, you need to know what you are looking for in this category.

Many organizations have difficulty differentiating credit losses from fraud losses. Usually, fraud losses end up lumped in with credit losses. When this happens, the analysis either has too few “known frauds” to create a business case for change, or the analysis includes a large target population of credit losses that results in poor results. By planning carefully, you can avoid this pitfall and ensure that your validation gives you the best chance to improve your business and minimize fraud losses.

As a fraud best practice for validations, consider using a target population that errs on the side of including credit losses; however, be sure to include additional variables in your sample that will allow you and your fraud analytics provider to apply various segmentations to the results. Suggested elements to include in your sample are: delinquency status, first delinquency date, date of last valid payment, date of last bad payment and an indicator of whether the account was reviewed for fraud prior to booking.

Starting with a larger population, and giving yourself the flexibility to narrow the target later, will help you see the full value of the solutions you evaluate and reduce the likelihood of having to do an analysis over again.

In a previous blog, we shared ideas for expanding the “gain” to create a successful ROI to adopt new fraud best practices to improve. In this post, we’ll look more closely at the “cost” side of the ROI equation.

“The cost of the investment”- The costs of fraud analytics and tools that support fraud best practices go beyond the fees charged by the solution provider. While the marketplace is aware of these costs, they often aren’t considered by the solution providers. Achieving consensus on an ROI to move forward with new technology requires both parties to account for these costs. A more robust ROI should account for these areas:

• Labor costs- If a tool increases fraud referral rates, those costs must be taken into account.
• Integration costs- Many organizations have strict requirements for recovering integration costs. This can place an additional burden on a successful ROI.
• Contractual obligations- As customers look to reduce the cost of other tools, they must be mindful of any obligations to use those tools.
• Opportunity costs- Organizations do need to account for the potential impact of their fraud best practices on good customers. Barring a true champion/challenger evaluation, a good way to do this is to remain as neutral as possible with respect to the total number of fraud alerts that are generated using new fraud tools compared to the legacy process.

As you can see, the challenge of creating a compelling ROI can be much more complicated than the basic equation suggests. It is critical in many industries to begin exploring ways to augment the ROI equation. This will ensure that our industries evolve and thrive without becoming complacent or unable to stay on top of dynamic fraud trends.

By definition, “Return on Investment” is simple:

(The gain from an investment - The cost of the investment)
_______________________________________________
The cost of the investment

With such a simple definition, why do companies that develop fraud analytics and their customers have difficulty agreeing to move forward with new fraud models and tools? I believe the answer lies in the definition of the factors that make up the ROI equation:

“The gain from an investment”- When it comes to fraud, most vendors and customers want to focus on minimizing fraud losses. But what happens when fraud losses are not large enough to drive change? To adopt new technology it’s necessary for the industry to expand its view of the “gain.”

One way to expand the “gain” is to identify other types of savings and opportunities that aren’t currently measured as fraud losses. These include:

• Cost of other tools - Data returned by fraud tools can be used to resolve Red Flag compliance discrepancies and help fraud analysts manage high-risk accounts. By making better use of this information, downstream costs can be avoided.
• Other types of “bad” - Organizations are beginning to look at the similarities between fraud and credit losses. Rather than identifying a fraud trend and searching for a tool to address it, some industry leaders are taking a different approach -- let the fraud tool identify the high-risk accounts, and then see what types of behavior exist in that population. This approach helps organizations create the business case for constant improvement and also helps them validate the way in which they currently categorize losses.
• To increase cross-sell opportunities - Focus on the “good” populations. False positives aren’t just filtered out of the fraud review workflow; they are routed into other workflows where relationships can be expanded.