Managing your customer accounts at the identity level is ambitious and necessary, but possible

Identity-related fraud exposure and losses continue to grow. The underlying schemes have elevated in complexity. Because it’s more difficult to perpetrate “card present” fraud in the post–chip-and-signature rollout here in the United States, bad guys are more motivated and getting better at identity theft and synthetic identity attacks. Their organized nefarious response takes the form of alternate attack vectors and methodologies — which means you need to stamp out any detected exposure point in your fraud prevention strategies as soon as it’s detected.

Experian’s recently published 2018 Global Fraud and Identity Report suggests two-thirds, or 7 out of every ten, consumers want to see visible security protocols when they transact. But an ever-growing percentage of them, fueled in no small part by those tech-savvy millennials, expect to be recognized with little or no friction. In fact, 42 percent of the surveyed consumers who stated they would do more transactions online if there weren’t so many security hurdles to overcome were — you guessed it — millennials.

So how do you implement identity and account management procedures that are effective and, in some cases, even obvious while being passive enough to not add friction to the user experience? In other words, from the consumer’s perspective, “Let me know you know me and are protecting me but not making it too difficult for me when I want to access or manage my account.”

Let’s get one thing out of the way first. This isn’t a one-time project or effort. It is, however, a commitment to the continued informing of your account management strategies with updated identity intelligence. You need to make better decisions on when to let a low-risk account transaction (monetary or nonmonetary) pass and when to double down a bit and step up authentication or risk assessment checks.
I’d suggest this is most easily accomplished through a single, real-time access point to myriad services that should, at the very least, include:

- Identity verification and reverification checks for ongoing reaffirmation of your customer identity data quality and accuracy. Know Your Customer program requirements, anyone?
- Targeted identity risk scores and underlying attributes designed to isolate identity theft, first-party fraud and synthetic identity. Fraud risk comes in many flavors. So must your analytics.
- Device intelligence and risk assessment. A customer identity is no longer just their name, address, Social Security number and date of birth. It’s their phone number, email address and the various devices they use to access your services as well. Knowing how that combination of elements presents itself over time is critical.
- Layered passive or more active authentication options such as document verification, biometrics, behavioral metrics, knowledge-based verification and alternative data sources.
- Ongoing identity monitoring and proactive alerting and segmentation of customers whose identity risk has shifted to the point of required treatment.
- Orchestration, workflow and decisioning capabilities that allow your team to make sense of the many innovative options available in customer recognition and risk assessment — without a “throw the kitchen sink at this problem” approach that will undoubtedly be way too costly in dollars spent and good customers annoyed.

Fraud attacks are dynamic. Your customers’ perceptions and expectations will continue to evolve. The markets you address and the services you provide will vary in risk and reward. An innovative marketplace of identity management services can overwhelm. Make sure your strategic identity management partner has good answers to all of this and enables you to future-proof your investments.
June 2018 will mark the one-year anniversary of the National Institute of Standards and Technology (NIST) release of Special Publication 800-63-3, Digital Identity Guidelines. While federal agencies are the most directly impacted, this guidance signals a seismic shift in identity proofing across the entire ecosystem of consumers, private sector businesses and public sector agencies. It’s the clearest claim I’ve seen to date that traditional, and rather basic, personally identifiable information (PII) verification should no longer be trusted for remote user interaction. For those of us in the fraud and identity space, this isn’t a new revelation, but one we as an industry have been dealing with for years. As the data breach floodgates continue to be pushed further open, PII is a commodity for the fraudsters, evident in PII prices on the dark web, which are often lower than your favorite latte. Identity-related schemes have increased due to fraud attacks shifting away from card compromise (due to the U.S. rollout of chip-and-signature cards), double-digit growth in online and mobile consumer channels, and high-profile fraud events within both the public and private sector. It’s no shock that NIST has taken a sledgehammer to previous guidance around identity proofing and replaced it with an aggressive and rather challenging set of requirements seemingly founded in the assumption that all PII (names, addresses, dates of birth, Social Security numbers, etc.) is either compromised or easily can be compromised in the future. So where does this leave us? I applaud the pragmatic approach to the new NIST standards and consider it a signal to all of us in the identity marketplace. It’s aggressive and aspirational in raising the bar in identity proofing and management. I welcome the challenge in serving our public sector clients, as we have done for nearly a decade. 
Our innovative approach to layered levels of identity verification, validation, risk assessment and monitoring adheres to the recommendations of the new NIST standards. I do, however, recommend that any institution applying these standards to their own processes and applications ensure they place equal focus on comparable alternatives for those addressable populations and users who are likely to either opt out of, or fail, initial verification steps stringently aligned with the new requirements. While too early to accurately forecast, it’s relatively safe to assume that the percentage of the population “falling out of the process” may easily be counted in the double digits. It’s only through advanced analytics and technology reliant on a significant breadth and depth of identity data and observations that we can provide trust and confidence across such a diverse population in age, demographics, expectations and access.
Experian on the State of Identity podcast

In today’s environment, any conversation on the identity management industry needs to include some mention of synthetic identity risk. The fact is, it’s top of mind for almost everyone. Institutions are trying to scope their risk level and identify losses, while service providers are innovating ways to solve the problem. Even consumers are starting to understand the term, albeit via a local newscast designed to scare the heck out of them.

With all this in mind, I was very happy to be invited to speak with Cameron D’Ambrosi at One World Identity (OWI) on the State of Identity podcast, focusing on synthetic identity fraud. Our discussion focused on some of the unique findings and recommended best practices highlighted in our recently published white paper on the subject, Synthetic identities: getting real with customers.

Additionally, we discussed how a lack of agreement on the definition and size of the synthetic identity problem further complicates the issue. This all stems from inconsistent loss reporting, a lack of confirmable victims and an absence of an exact definition of a synthetic identity to begin with. Discussions must continue to better align us all.

I certainly appreciate that OWI dedicated the podcast to this subject. And I hope listeners take away a few helpful points that can assist them in their organization’s efforts to better identify synthetic identities, reduce financial losses and minimize reputation risks.
The sheer range of dynamic and emerging fraud tactics can impede agencies from achieving security. These threats must be met with a variety of identity proofing and management tactics. Without monitoring, performance assessments and tuning, a singular and static identity proofing strategy can be exposed by evolving schemes and the use of high-quality compromised identity data.

Traditional verification and validation parameters alone are simply too obtuse and can be circumvented easily by those with criminal intent. Static rules based on overly simplistic verification and validation checks can be outsmarted by intelligent fraudsters. Conversely, those same static rules must also have built-in mechanisms to accommodate true-name users who initially may not meet those criteria for identity proofing.

Vast and diverse user populations, more arduous — and arguably more difficult to achieve — digital identity guidelines put forth by the National Institute of Standards and Technology, and operational constraints all pose significant challenges for government. But there are ways for government to modernize identity proofing successfully.

Modern fraud and identity strategies

There are many emerging trends and best practices for modern fraud and identity strategies, including:

- Applying right-sized fraud and identity proofing solutions. To reduce user friction or service disruption and manage fraud risk appropriately, agencies need to apply fraud mitigation strategies. Such strategies reflect the cost, measured risk and level of confidence, as well as compliance needed, for each interaction. This is called right-sizing the fraud solution. For example, agencies can cater a fraud solution that ensures a seamless experience when a citizen is calling a service center, versus an online interaction, versus a face-to-face one.
- Maintaining a universal view of the user. Achieved by employing a diverse breadth and depth of data assets and applied analytics, this tactic is the core of modern fraud mitigation and identity management. Knowing the individual user extends beyond a traditional 360-degree view. It means having knowledge of a person’s offline and online behavior, not only with your agency, but also with other agencies with which that user has a relationship.
- Expanding user view through a blended ecosystem. Increasingly, agencies are participating in a blended ecosystem — working with vendors, peer agencies and partners. There exists a collaborative culture in identity and fraud management that doesn’t exist in more competitive commercial environments. Fraudsters easily share information with one another, so those combatting it need to share information as well.
- Achieving agility and scale using service-based models. More agencies are adopting service-based models that provide greater agility and response to dynamic fraud threats, diverse population changes, and evolving compliance requirements or guidance. Service-based identity proofing provides government agencies the benefit of regularly updated data assets, analytics and expertise in strategy design. These assets are designed to respond to fraud or identity intelligence observed across various markets and industries, often protecting proactively rather than reactively.
- Future-proofing fraud solution choices. Technical and operational resources are always in relatively short supply compared to demand. Agencies need the ability to “code once” in order to expand and evolve their fraud strategies with ease. Future-proofing solutions must also be combined with an ever-changing set of identity proofing requirements and best practices, powered by a robust and innovative marketplace of service providers.

The future of identity proofing in the public sector is more than just verifying individual identities. New standards in digital identity proofing are a responsive result of mass data compromise and failures in legacy techniques. Achieving compliant and confident identity assurance requires a layered approach, flexibly designed and orchestrated to accommodate diverse identity assertions, evidence, and contextual invocation of technologies and data assets. Government must now use risk-based approaches and mitigation strategies to identify threats quickly and determine the type of fraud before damage is done.

Download our recent report in which we discuss the primary challenges of identity proofing in the public sector and what modernization of identity proofing looks like.
The data to create synthetic identities is available. And the marketplace to exchange and monetize that data is expanding rapidly. The fact that hundreds of millions of names, addresses, dates of birth, and Social Security numbers (SSNs) have been breached in the last year alone provides an easy path for criminals to surgically target new combinations of data. Armed with an understanding of the actual associations of these personally identifiable information (PII) elements, fraudsters can better navigate the path to perpetrate identity theft, identity manipulation, or synthetic identity fraud schemes on a grand scale.

Using information such as birth dates and addresses in combination with Social Security numbers, criminals can target new combinations of data to yield better results with lower risk of detection. Some examples of this would be: identity theft, existing account takeovers, or the deconstruction and reconstruction of those PII elements to better create effective synthetic identities.

Experian has continued to evolve and innovate against fraud risks and attacks with an understanding of attack rates, vectors, and the shifting landscape in data availability and security. In doing so, we’ve historically operated under the assumption that all PII is already compromised in some way or easily can be. Because of this, we employ a layered approach, providing a more holistic view of an identity and the devices that are used over time by that identity. Relying solely on PII to validate and verify an identity is simply unwise and ineffective in this era of data compromise.

We strive to continuously cultivate the broadest and most in-depth set of traditional, innovative and alternative data assets available. To do this, we must enable the integration of diverse identity attributes and intelligence to balance risk, while maintaining a positive customer experience.
It’s been quite some time since the use of basic PII verification alone has been predictive of identity risk or confidence. Instead, validation and verification are founded in the ongoing definition and association of identities, the devices commonly used by those individuals, and the historical trends in their behavior.

Download our newest White Paper, Synthetic Identities: Getting real with customers, for an in-depth Experian perspective on this increasingly significant fraud risk.
The creation of synthetic identities (synthetic id) relies upon an ecosystem of institutions, data aggregators, credit reporting agencies and consumers, all of which are exploited by an online and mobile-driven market, along with an increase in data breaches and dark web sharing. It’s a real and growing problem that’s impacting all markets. With significant focus on new customer acquisition and particular attention being paid to underbanked, emerging, and new-to-country consumers, this poses a large threat to your onboarding and customer management policies, in addition to overall profitability.

Synthetic identity fraud is an epidemic that does more than negatively affect portfolio performance. It can hurt your reputation as a trusted organization and expose institutions, like yours, as paths of lesser resistance for fraudsters to use in the creation and farming of synthetic identities.

Here is a suggested four-pronged approach to mitigate this type of fraud:

- The first step is knowing your risk exposure to synthetic identity fraud. Identify how much you could lose or are losing today using a targeted segmentation analysis to examine portfolios or customer populations.
- Next, review your front- and back-end identity screening operational processes and procedures and analyze that information to ensure you have industry best practices, procedures and verification tools deployed.
- Then incorporate data, analytics and some of the industry’s cutting-edge tools. This enables you to perform targeted consumer authentication and identify opportunities to better capture the majority of fraud and operational waste.
- Lastly, ensure your organization is part of the solution – not the problem. Analyze your portfolio data quality as reported to credit reporting agencies and then minimize your exposure to negative compliance audit results and reputational risk.
Our fraud and identity management consultants can help you reduce synthetic identity fraud losses through a multilayer methodology design that combats the rise in synthetic identity creation and use in fraud schemes.
How will the FinCEN revisions impact your business? (Part 2)

I recently discussed the new FinCEN requirements to Customer Due Diligence. This time, I’d like to focus on the recent FinCEN advisory regarding “email-compromise fraud.” This new advisory sheds additional light on the dual threats of both Email Account Compromise impacting the general public and Business Email Compromise that targets businesses.

FinCEN has rightly identified and communicated several high-risk conditions common to the perpetration of scams such as varied languages, slight alterations in email addresses, out-of-norm account and transaction information, and social engineering in the form of follow-up requests for additional transfers.

In addition to introducing operational standards to detect such conditions, institutions also would benefit from these other tactics and focal points as they respond to email requests for financial transfers:

- Email validation and verification — use of third-party vendor services that can deliver a measurable level of confidence in the association of an email address to an actual, true identity.
- Multifactor authentication — use of dual-step or out-of-band verification of the requested transaction using alternate channels such as phone.
- Robust KYC/CIP at application and account opening to ensure that name, address, date of birth and Social Security number are verified and positively and consistently linked to a single identity, as well as augmented with phone and email verification and association for use in customer communications and multifactor authentications.
- Customer transactional monitoring in the form of establishing typical or normal transfer activity and thresholds for outlying variations of concern.
- Known and suspected fraud databases updated in real time or near real time for establishing blacklist emails to be segmented as high risk or declines upon receipt.
- Identity application and transactional link analysis to monitor for and detect the use of shared and manipulated email addresses across multiple transaction requests for disparate identities.
- Access to device intelligence and risk assessment to ensure consistent association of a true customer with one or more trusted devices and to detect variance in those trusted associations.

Which of these 7 tactics are you using to stop email-compromise fraud?
Reinventing Identity for the Digital Age

Electronic Signature & Records Association (ESRA) conference

I recently had the opportunity to speak at the Electronic Signature & Records Association (ESRA) conference in Washington D.C. I was part of a fantastic panel delving into the topic, ‘Reinventing Identity for the Digital Age.’ While certainly hard to do in just an hour, we gave it a go and the dialogue was engaging, healthy in debate, and a conversation that will continue on for years to come.

The entirety of the discussion could be summarized as:

- An attempt to directionally define a digital identity today
- The future of ownership and potential monetization of trusted identities
- And the management of identities as they reside behind credentials or the foundations of block chain

Again, big questions deserving of big answers. What I will suggest, however, is a definition of a digital identity to debate, embrace, or even deride. Digital identities, at a minimum, should now be considered as a triad of 1) verified personally identifiable information, 2) the collective set of devices through which that identity transacts, and 3) the transactional (monetary or non-monetary) history of that identity. Understanding all three components of an identity can allow institutions to engage with their customers with a more holistic view that will enable the establishment of omni-channel communications and accounts, trusted access credentials, and customer vs. account-level risk assessment and decisioning.
In tandem with advances in credentialing and transactional authorization such as biometrics, block chain, and e-signatures, focus should also remain on what we at Experian consider the three pillars of identity relationship management:

- Identity proofing (verification that the person is who they claim to be at a specific point in time)
- Authentication (ongoing verification of a person’s identity)
- Identity management (ongoing monitoring of a person’s identity)

As stronger credentialing facilitates more trust and open functionality in non-face-to-face transactions, more risk is inherently added to those credentials. Therefore, it becomes vital that a single snapshot approach to traditionally transaction-based authentication is replaced with a notion of identity relationship management that drives more contextual authentication. The context thus expands to triangulate previous identity proofing results, current transactional characteristics (risk and reward), and any updated risk attributes associated with the identity that can be gleaned.

The bottom line is that identity risk changes over time. Some identities become more trustworthy … some become less so. Better credentials and more secure transactional rails improve our experiences as consumers and better protect our personal information. They cannot, however, replace the need to know what’s going on with the real person who owns those credentials or transacts on those rails.

Consumers will continue to become more owners of their digital identity as they grant access to it across multiple applications. Institutions are already engaged in strategies to monetize trusted and shareable identities across markets. Realizing the dynamic nature of identity risk, and implementing methods to measure that risk over time, will better enable those two initiatives.

Click here to read more about Identity Relationship Management.
How will the FinCEN revisions impact your business? (Part 1)

Some recently published FinCEN revisions and advisories are causing a stir. First, let’s look at revisions to Customer Due Diligence that require compliance by May 2018.

Under the updated requirements for Customer Due Diligence, covered financial institutions must expand programs, including Customer Identification Programs (CIP), to include Beneficial Owners of Legal Entity customers. Under the new rule, financial institutions must collect and verify identity information (name, address, date of birth, Social Security number or passport number for foreign individuals):

- For each Natural Person with at least 25% ownership in the Legal entity and
- For an individual with significant responsibility for managing or controlling the business — for example, a chief executive officer, a chief financial officer, a chief operating officer, a managing member, a general partner, a president, a vice president or a treasurer

The U.S. Treasury estimates that illicit proceeds generated in the United States alone total $400 billion annually. These requirements are intended to prevent anonymous access to financial systems through shielded or minority ownership.

While the effort to stem the tide of illicit proceeds is laudable, the impact to business may be significant. Most organizations will need to audit their data collection practices, and many will need to make changes to either data collection or workflow processes to ensure compliance. While quite simple and straightforward on paper, the standardization of additional CIP policies and procedures tends to create substantive impact to the customer experience as well as operational resource allocations and utilization.
Covered financial institutions should already be in discussions with their current or prospective fraud risk and identity management vendors to ensure that:

- There is a clear path to altering both data collection and verification of these additional identity elements.
- Clear and accurate benchmarking around expected verification rates is available ahead of the compliance date to allow for operational workflow design to accommodate both ‘verifications’ and ‘referrals stemming from lack of full verification.’
- Service providers are granting access to best-in-class data assets and search & match logic related to identity element verification and risk assessment, along with multi-layered options to reconcile those initial verification ‘fails.’
- Full business reviews and strategy design sessions are underway or being scheduled to align and document overall objectives of the program, benchmarking of leading industry practices, current and future state gaps, near- and long-term initiatives and a prioritized roadmap, a viable business case toward additional investment in services and resources, and a plan of execution.

Will this impact your business? Will you need to make any changes?

Click here to read part two - FinCEN and email-compromise fraud.
We all know that first-party fraud is a problem. No one can seem to agree on the definitions of first-party fraud and who is on the hook to find it, absorb the losses and mitigate the risk going forward. More often than not, first-party fraud cases and associated losses are simply combined with the relatively big “bucket” of credit losses. More importantly, the means of quickly detecting potential first-party fraud, properly segmenting it (as either true credit risk or malicious behavior) and mitigating losses associated with it usually lies within more general credit policies instead of with unique, targeted strategies designed to combat this type of fraud.

In order to create a frame of reference, it’s helpful to have some quick — and yes, arguable — definitions:

- Synthetic identity: the fabrication of an identity with the intention of perpetrating fraudulent applications for, and access to, credit or other financial services
- Bust-out: the substantive building of positive credit history, followed by the intentional, high-velocity opening of several new accounts with subsequent line utilization and “never payment”
- Default payment: intentionally allowing credit lines to default to avoid payments
- Straight-roller: an account opened with immediate utilization followed by default without any attempt to make a payment
- Never pay: a form of straight-roller that becomes delinquent within the first few months of opening the account

So what’s a risk manager to do? In my opinion, the best methods to consider in the fight against first-party fraud include analytical solutions that take multiple data points into consideration and focus on a risk-based approach.
For my money, the four most important are:

- Models and scores developed with the proper set of identity and credit risk attributes derived from current and historic identity and account usage patterns (in other words, ANALYTICS) — Used at both the account opening and account management phases of the Customer Life Cycle, such analytics can be customized for each addressable market and specific first-party fraud threat
- The monitoring of individual identity elements at a portfolio level and beyond — This type of monitoring and LINK ANALYSIS allows organizations to detect the creation of synthetic identities
- Reasonable (e.g., one-to-one) identity and device associations over time versus a cluster of devices or coordinated attacks stemming from a single device — Knowing a customer’s device profile and behavioral usage with DEVICE INTELLIGENCE provides assurance that applications and account access are conducted legitimately
- Leveraging industry experts who have worked with other institutions to design and implement effective first-party fraud detection and loss-mitigation strategies — This kind of OPERATIONAL CONSULTING can save time and money in the long run and afford an opportunity to avoid mistakes

By active use of these methods, you are applying a risk-based approach that will allow you to realize substantial savings in the forms of loss reduction and operational efficiencies associated with non-acquisition of high-risk first-party fraud applications, more effective credit line management of potentially high-risk accounts, better segmentation of treatment strategies and associated spend against high-risk identities, and removal of first-party fraud accounts from traditional collections processes that will prove futile.
Download our recent White Paper, Data confidence realized: Leveraging customer intelligence in the age of mass data compromise, to understand how data and technology are needed to strengthen fraud risk strategies through comprehensive customer intelligence.
What the EMV Shift means for you

I recently facilitated a Webinar looking at myths and truths in the market regarding the EMV liability shift and what it means for both merchants and issuers. I found it to be a very beneficial discussion and wanted to take some time to share some highlights from our panel with all of you. Of course, if you prefer to hear it firsthand, you can download the archive recording here.

Myth #1: Oct. 1 will change everything

Similar to the hype we heard prior to Y2K, Oct. 1, 2015, came and went without too much fanfare. The date was only the first step in our long and gradual path to EMV adoption. This complex, fragmented U.S. migration includes:

- More than 1 billion payment cards
- More than 12 million POS terminals
- Four credit card networks
- Eighteen debit networks
- More than 12,000 financial institutions

Unlike the shift in the United Kingdom, the U.S. migration does not have government backing and support. This causes additional fragmentation and complexity that we, as the payments industry, are forced to navigate ourselves. Aite Group predicts that by the end of 2015, 70 percent of U.S. credit cards will have EMV capabilities and 40 percent of debit cards will be upgraded. So while Oct. 1 may not have changed everything, it was the start of a long and gradual migration.

Myth #2: Subscription revenues will plummet due to reissuances

According to Aite, EMV reissuance is less impactful to merchant revenues than database breaches, since many EMV cards are being reissued with the same PAN. The impact of EMV on reoccurring transactions is exaggerated in the market, especially when you look at the Update Issuer provided by the transaction networks. There still will be an impact on merchants, coming right at the start of the holiday shopping season. The need for consumer education will fall primarily on merchants, given longer lines at checkout and unfamiliar processes for consumers.
Merchants should be prepared for charge-back amounts on their statements, which they aren’t used to seeing. Lastly, with a disparate credit and debit user experience, training is needed not just for consumers, but also for frontline cashiers. We do expect to see some merchants decide to wait until after the first of the year to avoid impacting the customer experience during the critical holiday shopping season, preferring to absorb the fraud in the interest of maximizing consumer throughput.

Myth #3: Card fraud will decline dramatically

We can look to countries that already have migrated to see that card fraud will not, as a whole, decline dramatically. While EMV is very effective at bringing down counterfeit card fraud, organized crime rings will not sit idly by while their $3 billion business disappears. With the Canadian shift, we saw a decrease in counterfeit card loss but a substantial increase in Card Not Present (CNP) fraud. In Canada and Australia, we also saw a dramatic, threefold increase in fraudulent applications. When criminals can no longer get counterfeit cards, they use synthetic and stolen identities to gain access to new, legitimate cards.

In the United States, we should plan for increased account-takeover attacks, i.e., criminals using compromised credentials for fraudulent CNP purchases. For merchants that don’t require CVV2, compromised data from recent breaches can be used easily in an online environment. According to Aite, issuers already are reporting an increase in CNP fraud. Fraudsters did not wait until the Oct. 1 shift to adjust their practices.

Myth #4: All liability moves to the issuer

EMV won’t help online merchants at all. Fraud will shift to the CNP channel, and merchants will be completely responsible for the fraud that occurs there. We put together a matrix to illustrate where actual liability shifts and where it does not.
[Figure: Payments liability matrix]

Note: Because of the cost and complexity of replacing POS machines, gas stations are not liable until October 2017.

For more information, or if you’d like to hear the full discussion, click here to view the archive recording, which includes a great panel question-and-answer session.
What will the EMV shift really mean for consumers and businesses here in the U.S.?

Businesses and consumers across the U.S. are still adjusting to their new EMV credit cards. The new credit cards are outfitted with computer chips in addition to the magnetic stripes to help prevent point-of-sale (POS) fraud. The new system, called EMV (which stands for Europay, MasterCard and Visa), requires signatures for all transactions. EMV is a global standard for credit cards. In the wake of the rising flood of large-scale data breaches at major retailers – and higher rates of counterfeit credit card fraud – chip-and-signature, as it is also called, is designed to better authenticate credit card transactions.

Chip-and-signature itself is not new. It has been protecting consumers and businesses in Europe for several years, and now the U.S. is finally catching up. But what will the EMV system really mean for consumers and businesses here in the U.S.? There is the potential for businesses that sell both offline and online to see an increase in the fraud that takes place online, called Card Not Present (CNP) fraud.

Will credit card fraud ever really be wiped out? Can we all stop worrying that large-scale point-of-sale breaches will happen again? Will the EMV shift affect holiday shopping and should retailers be concerned? Join us as we explore these questions and more on an upcoming Webinar, Chipping Away at EMV Myths.

Our panel of experts includes:

David Britton, Vice President, Industry Solutions, Experian
Julie Conroy, Research Director, Aite Group
Mike Klumpp, Director of Fraud Prevention, Citibank

Moderated by: Keir Breitenfeld, Vice President, Product Management, Experian
Protecting your customer

The impact of fraud on the customer relationship

Sadly, fraudsters seem to always be one step ahead of fraud-prevention strategies, causing organizations to play catch-up to the criminals. And as information security tightens and technologies evolve, so does the industrious nature of organized identity and online fraud. It should be no surprise then that fraud risk mitigation and management will continue to be an ongoing issue for organizations.

But what continues to drive investment in identity management and online risk tools is the arms race across organizations to deliver superior customer experience and functionality. While the monetary cost of fraud losses can be high and rather detrimental, the impact of lost customers and overall reputational decline due to poor customer experiences can be higher. The key is finding the right balance between identifying and segmenting likely fraudulent customers across the vast majority of legitimate customers and transactions.

I want to share a recent interactive eBook we launched which outlines the authentication and identity management balance with a focus on the consumer. We highlight current trends and what organizations should be thinking about and doing to protect their business, institution, or agency and customers. I hope you enjoy this look at the impact of fraud on the customer relationship.
Recently, I sat down to answer three questions for “The Year of Payments - 2015: One Quarter in” for PYMNTS.com on the topic of mobile payments:

How is Q1 2015 different from Q1 2014?
What’s the most significant development so far this year?
If “Payments 2015” were a brand and had a tagline, what would it be and why?

A significant factor in shaping the next frontier in fraud management is the continued rapid growth in online and mobile payments as the preferred methods of doing business for many consumers. With more than a third of customers interacting with a single business in five or more channels and more than 85 percent of consumers using online or mobile to conduct business, omnichannel fraud prevention becomes a requirement.

These trends make mobile-device intelligence as important to the authentication process as traditional personally identifiable information. As a result, the need to integrate device intelligence into the authentication process to associate a consumer to a known device is critical. Companies already are beginning to incorporate device intelligence into their authentication strategies. The ability to verify a customer through his or her device is a huge benefit to the overall customer experience and not only makes it easier for the customer to do business with you, but also adds an additional layer of validation.

The challenge with any new emerging business or new technology is maintaining a frictionless customer experience foremost because fraudsters are always the early adopters. Make sure to read our perspective paper to see why emerging channels call for advanced fraud identification techniques and what I and other industry leaders had to say on the topic of mobile payments.
Not long ago, I spoke at the eSign Records conference in NYC. During Q&A, someone asked a question that comes up often: What is the future of knowledge-based authentication (KBA)? It is no secret that there are people in the industry who believe the usefulness of KBA has run its course; however, I have to respectfully disagree.

Industry guidance such as the FFIEC guidance on Authentication in an Internet Banking Environment is a solid foundational direction that calls out the need for institutions to move beyond simple device to more complex device intelligence and more complex out-of-wallet identity verification procedures. Institutions across all markets, in both the private and public sectors, should be exploring all available services and technologies in an effort to reduce reliance on one or only a few methods of authentication and identity management. This holds particularly when the one method an institution may rely on could be greatly weakened or rendered valueless by a mass compromise.

KBA continues to be a valuable component in a layered authentication strategy, as it effectively reduces both false positives and false negatives in the vast majority of authentication processes, leaving improved customer experience and better use of limited resources to treat true fraud risk.

Experian has been hosting the Future of Fraud and Identity events discussing current fraud and authentication trends aimed at helping the industry. Make sure to download our fraud prevention protect whitepaper to gain more insight on regulations affecting financial institutions and how you can prepare your business.