I’m working with many of our clients in reviewing their existing or evolving Red Flags Identity Theft Prevention Programs. While the majority of them appear to be buttoned up from the perspective of identifying covered accounts and applicable Red Flag conditions, as well as establishing detection methodologies, I often still see too much subjectivity in their response and reconciliation procedures. Here are a few reasons why the “response” portion of a strong Red Flags Identity Theft Prevention program needs to employ consistent and objective process, decisioning, and actions:

1. Inconsistent or subjectively varied responses and actions greatly reduce the ability to measure process effectiveness over time. It becomes increasingly difficult for retro-analysis to identify which processes and specific steps in those processes were successful in either positively or negatively reconciling potential fraudulent activity. Consequently, it clouds any ability to make effective or necessary changes to specific activities that may not be working well.

2. Examiners may focus heavily on the response portion of your program. During operational side-by-sides, or even written program reviews, the less ambiguity and inconsistency identified or perceived, the better. A quick rule of thumb for any examination: preempt any questions with exhaustive information and clarity. Examiners that don’t need to ask many, or any, questions are happy examiners.

3. Objective and consistent process allows for more manageable staff training. It is much easier to educate your staff around a justified and effective uniform process than around intuitive and haphazard procedures and consumer interactions. It is tough to set expectations with your staff if there are gaping holes in the activities they are expected to execute.

4. Customer experience will certainly be more positive, and less of a worry for managers, as inequity of treatment is removed from the equation. It is better to have each customer progress through similar steps toward authentication than varied ones from the perspective of time, perception, effectiveness, and convenience. Now, certainly, a risk-based approach allows for varied treatment based on that risk. The point here is more toward the need to apply those varied techniques consistently.

5. Social engineering. Fraudsters are pretty good at figuring out if an operational process is open to interpretation and manipulation. They’ll continue to engage in a process with the goal of landing with the right associate who may be following a more easily penetrable fraud detection method.

Bottom line: keep the walls around your business the same height throughout.

Until next time, best of luck as you continue to develop and improve your Red Flags programs.
As someone heavily engaged with the market and our clients discussing Red Flag Rule compliance, Red Flag guidelines, etc., this question has come up over and over again. You’d think by now I’d have a simple, clever, and strategically created product name to throw out there. Well, I don’t, and here’s why: we had Red Flag relevant products before Red Flags were in vogue. So, why didn’t we just rename them under the Red Flag brand? Because honestly, that would border on irresponsibility. Let me explain briefly.

If you recall, the Red Flags Rule requires that covered institutions employ a written and operational Program that addresses the four mandatory elements of:

• Identifying Red Flags applicable to covered accounts and incorporating them into the Program;
• Detecting and evaluating the Red Flags included in the Program;
• Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose; and
• Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft.

You read in these requirements words like “applicable” and “appropriate” and “degree of risk.” You don’t read words like “use this tool” or “detect this specific set of conditions.” My point here is that, over the past year, we’ve been working with our clients to map in the “appropriate” and “applicable” set of products and services to allow them to become Red Flag compliant. These products and services range in data leverage and provision, predictive power, decisioning, and of course, cost. That is a good thing, as our clients require individualized tool sets and processes based on their serviced market, gathered information, consumer relationships, products offered, and risk associated with all of those factors.
We don’t offer an unlimited or overwhelming number of Red Flag relevant products, but we do offer a diverse enough set that has afforded our clients an opportunity to select the best fit. Whether you choose to adopt Experian as your Red Flag partner or another service provider, keep in mind that one size does not fit all, and be wary of those claiming to be just that. As Red Flag examinations start rolling out in the coming months, there will be a focus on ensuring that your programs are comprehensive and effective. Examiners will be looking at your programs, not your service provider. Be sure to collaborate with your partners to meticulously apply the best solution. At Experian, we’ve taken this collaborative approach with each of our clients, and have employed products ranging from our robust Precise ID SM consumer authentication platform to our Fraud Shield SM risk warning product. Time spent up front in identifying your Red Flag requirements and working with your service provider to determine the best course of action will pay dividends down the road, and ensure you implement a compliant process once, not twice.
One of the more significant operational concerns around Red Flags compliance centers on the management of resultant referral volumes, i.e., the potential that the account origination or maintenance process will get bogged down due to a significant number of red flags detected. These concerns are not without merit, and are arguably the most frequently discussed Red Flag issue with our client base. Organizations may be able to control referral volumes through the use of automated tools that evaluate the level of identity theft risk in a given transaction. For example, customers with a low-risk authentication score can be moved quickly through the account origination process absent any additional red flags detected in the ordinary course of the application or transaction. In fact, using such tools may allow organizations to speed up the origination process for these customers and identify and focus resources on those transactions that pose the greatest potential for identity theft. A risk-based approach to Red Flags compliance affords an institution the ability to reconcile the majority of detected Red Flag conditions efficiently, consistently and with minimal consumer impact. Detection of Red Flag conditions is literally only half the battle. In fact, responding to those Red Flag conditions is a substantial problem to solve for most institutions. A response policy that incorporates scoring, alternate data sources and flexible decisioning can reduce the vast majority of referrals to real-time approvals without staff intervention or customer hardship. Rather than implementing a “rules-based” program (one in which particular Red Flags are identified, detected and used in isolation or near isolation in decisioning), many institutions are opting to approach Red Flag compliance from a “risk-based” perspective. 
This “risk-based” approach assumes that no single Red Flag Rule or even set of rules provides a comprehensive view of a consumer’s identity and associated fraud risk. Instead, a “risk-based” systematic approach to consumer authentication employs a process by which an appropriately comprehensive set of consumer data sources can provide the foundation for highly effective fraud prediction models in combination with detailed consumer authentication conditions (such as address mismatches or Social Security number inconsistencies). A risk-based fraud detection system allows institutions to make consumer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a consumer’s identity and predicted likelihood of associated identity theft. Many, if not all, of the suggested Rules in the published guidelines are not “silver bullets” that ensure the presence or absence of identity theft. A substantial ratio of false positives will comprise the set of consumers and accounts being reviewed as having met one or more of the suggested Red Flag rule conditions. These rules and guidelines are intended neither to prevent legitimate consumers from establishing relationships with institutions nor create a burdensome and prohibitive volume of consumer “referrals.” While those rules incorporated into an institution’s Program must be addressed when detected, a risk-based system allows for an operationally efficient method of reconciliation in tandem with identity theft mitigation.
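To make the rules-based versus risk-based contrast concrete, here is an added illustration (my own sketch, not an Experian product or the scoring logic of any real tool) that runs both response policies over a handful of constructed applications and compares their referral rates; the 0-100 score scale, the per-condition weights and the thresholds are all assumed.

```python
from dataclasses import dataclass

# Constructed sample applications (not real data). Each carries an
# authentication risk score (assumed scale: 0 = lowest risk, 100 = highest)
# plus the Red Flag conditions detected on it, such as the address mismatch
# and SSN inconsistency conditions discussed above.
@dataclass
class Application:
    app_id: str
    auth_score: int
    flags: tuple = ()

SAMPLE = [
    Application("A1", 12),
    Application("A2", 18, ("address_mismatch",)),
    Application("A3", 35, ("ssn_inconsistent",)),
    Application("A4", 72, ("address_mismatch", "ssn_inconsistent")),
    Application("A5", 90),                      # high score, no flag detected
    Application("A6", 22, ("address_mismatch",)),
]

# Assumed weights per condition and assumed decision thresholds.
FLAG_WEIGHTS = {"address_mismatch": 10, "ssn_inconsistent": 25}
REFER_AT, DECLINE_AT = 40, 80

def rules_based(app):
    """Rules-based: any detected Red Flag, taken in isolation, forces a manual referral."""
    return "refer" if app.flags else "approve"

def risk_based(app):
    """Risk-based: fold the score and the weighted conditions into one holistic decision."""
    risk = app.auth_score + sum(FLAG_WEIGHTS.get(f, 15) for f in app.flags)
    if risk >= DECLINE_AT:
        return "decline"
    if risk >= REFER_AT:
        return "refer"
    return "approve"

def referral_rate(policy, apps):
    """Share of applications the policy sends to staff for manual reconciliation."""
    return sum(1 for a in apps if policy(a) == "refer") / len(apps)

if __name__ == "__main__":
    for policy in (rules_based, risk_based):
        print(policy.__name__, {a.app_id: policy(a) for a in SAMPLE},
              f"referral rate {referral_rate(policy, SAMPLE):.0%}")
```

Note that the rules-based policy refers four of the six applications, including low-scoring ones with a single mismatch, while it waves through A5, which carries no flag but the highest score; the risk-based policy refers only A3 and escalates A4 and A5 instead.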
For those of us that have been following the Red Flag Rules adoption for more than a year now, the recent arrival and passing of the November 1 compliance deadline allows us to pause to assess where we are -- and where we are heading. One question seems to surface regularly these days: How ready or compliant is the market today? Well, I think it’s safe to say that the market is certainly not 100% home when it comes to compliance readiness. Experian surveys registrants on our Red Flags online resource site. As of October 31 -- a.k.a. ‘Compliance Eve’ -- nearly half of the registrants (48%) fell into the category of ‘just starting to review the rules and determine a compliance plan’. Other industry surveys, interviews, and analyst reports suggest an even lower rate of compliance (closer to only one-third of covered institutions) in the market. The Federal Trade Commission seemed to sense this market condition, and granted a six-month reprieve from Red Flags compliance enforcement -- to May 1, 2009. While this extension is welcome news for those institutions falling under the FTC’s jurisdictional umbrella, other institutions are arguably out of compliance today, and face pending examinations in the coming months. So, is the market ready today? The broad answer is a resounding ‘no.’ Much of the market’s effort has gone into the creation of written Identity Theft Prevention Programs as part of the Red Flag Rule requirements. How well will these written procedures be received by the examining agencies? How will these written programs translate into effective and (as importantly) manageable operational processes? The first wave of examinations will help answer some of these questions and concerns, and ongoing cost analysis (associated with referral volumes, application acceptance rates, manual or automated processes and, of course, fraud losses) will help paint a clearer picture in the months to come.