Matt Ehrlich is a product manager for Experian Decision Analytics’ Fraud and Identity Solutions. His current responsibilities include managing the National Fraud Database and Precise ID. He brings extensive analyst and project management experience to the development and management of these core fraud management products. With a background that includes telecommunications and retail loss prevention, Matt brings extensive analyst and product management experience to the development of Experian's Fraud and Identity products.

-- Matt Ehrlich

All posts by Matt Ehrlich


I don’t know about your neighborhood this past Fourth of July, but mine contained an interesting mix of different types of fireworks. From our front porch, we watched a variety of displays simultaneously: an organized professional fireworks show several miles away, our next-door neighbor setting off the “Safe and Sane” variety and the guy at the end of the street with clearly illegal ones. This made me think about how our local police approach this night. There’s no way they can investigate every report or observance of illegal fireworks as well as all of the other increased activity that occurs on a holiday. So it must come down to prioritization, resources and risk assessment. When it comes to fraud prevention, compliance and risk, businesses — much the same as the police — have a lot of ground to cover and limited resources. Consider the bureau alerts (aka high-risk conditions) on a credit report. They’re an easy, quick tool that can help mitigate risk and save money cost-effectively. When considering bureau alerts, clients commonly ask the following questions: How do I investigate all of the alerts with the limited resources I have? How should I prioritize the ones I am able to review? I usually recommend that, if possible, they incorporate a fraud risk score into their evaluation process. The job of the fraud risk score is to take a very large amount of data and put it into an easy-to-understand and actionable form. It is built to evaluate negative or risky information (at Experian, this includes bureau alerts and many other items) as well as positive or low-risk information (analysis of address, Social Security number, date of birth, and other current and historical personal information). The result is a holistic assessment rather than a binary flag, which can be tuned to resource levels, risk tolerance or other drivers. That’s always where I start. 
If a fraud score is not an option, then I suggest prioritizing the alerts by the most risk and the frequency of occurrence. With some light analysis, you’ll typically see that the frequency of the most risky alerts is often low, so you can be sure to review each one — or as many as possible. As the frequency of occurrence increases, you then can make decisions about which ones to review or how many of them you can handle. For example, I worked with a client recently to prioritize high-risk but low-frequency alerts. Almost all involved the Social Security number (SSN):

- The inquiry SSN was recorded as deceased
- The report contained a security statement
- There was a high probability that the SSN belongs to another person
- The best on-file SSN was recorded as deceased

I would expect other organizations to have a similar prioritized risk-to-frequency ratio. However, it’s always good (and pretty easy) to make sure your data backs this up. That way, you’re making the most of your limited resources and your tools.

Published: July 16, 2013 by Matt Ehrlich

Last week, a group of us came together for a formal internal forum where we had the opportunity to compare notes with colleagues, hear updates on the challenges clients are facing and brainstorm solutions to client business problems across the discipline areas of analytics, fraud and software. As usual, fraud prevention and fraud analytics were key areas of discussion, but what was also notable was how big a role compliance is playing as a business driver. First party fraud and identity theft detection are important components, sure, but as the Consumer Financial Protection Bureau (CFPB) gains momentum and more teeth, the demand for compliance accommodation and consistency grows critical as well. The role of good fraud management is to help accomplish regulatory compliance by providing more than just fraud risk scores. It can help to:

- Know Your Customer (KYC) or Customer Information Program (CIP) details such as the match results and level of matching across name, address, SSN, date of birth, phone, and driver’s license.
- Understand the results of checks for high risk identity conditions such as deceased SSN, SSN more frequently used by another, address mismatches, and more.
- Perform a check against the Office of Foreign Assets Control’s SDN list and the details of any matches.

And while some fraud solutions out there make use of these types of comparisons when generating a score or decision, they may not pass these along to their customers. And just think how valuable these details can be for both consistent compliance decisions and creating an audit trail for any possible audits.

Published: August 7, 2012 by Matt Ehrlich

The Communications Fraud Control Association’s annual meeting and educational event was held last week (June 14 – 16) at the Allerton hotel in Chicago, IL.   The Communications Fraud Control Association is made up of communications and security professionals, fraud investigators, analysts, and managers, law enforcement, those in risk management, and many others.   As an organization, they started out as a small group of communications professionals from the major long distance carriers who were looking for a better and more collaborative way to address communications fraud. Now, almost 30 years later, they’ve got over 60 members – a great representation of the industry yet still a nimble size. From what I hear, this makes for a specialized but quite effective “working” conference. Unfortunately I was not able to attend the conference but my colleague, Kennis Wong, attended and presented on the topic of Account Takeover and existing account fraud. It’s an area of fraud and compliance that Experian has spent some R&D on recently, with some interesting findings. In the past, we’ve been more focused on helping clients prevent new account and application fraud. It might seem like an interesting time to expand into this area, with some studies citing large drops in existing account fraud (2011 Identity Fraud Survey Report by Javelin).  BUT...consumer costs in this area are way UP, not to mention the headline-grabbing news stories about small business account takeover.  Which means it’s still a large pain point for financial institutions.   Experian’s research and development in existing account fraud, combined with our expertise in fraud scores and identity theft detection, has resulted in a new product which is launching at the end of this month: Precise ID for Customer Management. Stay tuned for more exciting details.

Published: June 22, 2011 by Matt Ehrlich

Whether you call it small business, commercial, or corporate account takeover, this form of existing account fraud has been in the headlines lately and seems to be on the rise. While account takeover happens to individual consumers quite frequently, it’s the sensational loss amounts and the legal battles between companies and their banks that are causing this form of commercial fraud to make the news. A recent BankInfoSecurity.com article, Fraud Verdict: Opinions Vary, is about a court opinion on a high profile ACH fraud case - Experi-Metal Inc. vs. Comerica Bank – that cites a number of examples of corporate account takeover cases with substantial losses:

· Village View Escrow of Redondo Beach, Calif.: lost $465,000 to an online hack
· Hillary Machinery: settled with its bank for undisclosed terms in 2010.
· The Catholic Diocese of Des Moines, Iowa: lost $600,000 in fraudulent ACH transactions.

I was curious what information was out there and publicly available to help businesses protect themselves and minimize fraud losses / risk. NACHA, the electronics payment association, had some of the best resources on their website. Labeled the “Corporate Account Takeover Resource Center”, it has a wide variety of briefs, papers, and recommendations documents including prevention practices for companies, financial institutions, and third-party service providers. There’s even a podcast on how to fight ACH fraud! One thing was interesting to note, though. NACHA makes a point to distinguish between ACH fraud and corporate account takeover in this statement at the top of the web page:

“Corporate Account Takeover is a form of corporate identity theft where a business’ online credentials are stolen by malware. Criminal entities can then initiate fraudulent banking activity. Corporate Account Takeover involves compromised identity credentials and is not about compromises to the wire system or ACH Network. ACH fraud and wire fraud, terms mistakenly used to describe this type of criminal activity, are a misnomer. The ACH Network is safe and secure.”

Mostly I agree – the ACH Network is safe and secure. But from an F.I.'s or company’s perspective, corporate account takeover and ACH Fraud often go hand in hand.

Published: June 21, 2011 by Matt Ehrlich

At Experian’s recent client conference, Vision 2011, there was a refreshing amount of positive discussion and outlook on origination rates and acquisition strategies for growth. This was coming not only from industry analysts participating in the conference but from clients as well. As a consumer, I’d sensed the ‘cautious optimism’ that we keep hearing about because my mailbox (the ‘original’ one, not email) has slowly been getting more and more credit card offer letters over the last 6 months. Does this mean a return to prospecting and ultimately growth for financial institutions and lenders? It’s a glimmer of hope, for sure, although most agree that we’re a long way from being out of the woods, particularly with unemployment rates still high and the housing market in dire shape. Soooo…..you may be wondering where I’m going with this…. Since my job is to support banks, lenders, utilities and numerous other businesses in their fraud prevention and compliance efforts, where my mind goes is: how does a return to growth – even slight – impact fraud trends and our clients’ risk management policies? While many factors remain to be seen, here are a few early observations:

· Account takeover, bust out fraud, and other types of existing account fraud had been on the rise while application fraud had declined or stayed the same (relative to the decrease in new originations); with prospecting and acquisition activity starting to increase, we will likely see a resurgence in new account fraud attempts and methods.
· Financial institutions and consumers are under increasing risk of malware attacks; with more sophisticated malware technology popping up every day, this will likely be a prime means for fraudsters to commit identity theft and exploit potentially easier new account opening policies.
· With fraud loss numbers flat or down, the contracted fraud budgets and delayed technology investments by companies over the last few years are a point of vulnerability, especially if the acquisition growth rate jumps substantially.

Published: June 13, 2011 by Matt Ehrlich

When we think about fraud prevention, naturally we think about minimizing fraud at application. We want to ensure that the identities used in the application truly belong to the person who applies for credit and are not stolen. But the reality is that some fraudsters do successfully get through the defense at application. In fact, according to Javelin’s 2011 Identity Fraud Survey Report, 2.5 million accounts were opened fraudulently using stolen identities in 2010, costing lenders and consumers $17 billion. And these numbers do not even include other existing account fraud like account takeover and impersonation (limited misuse of an account, such as credit/debit card and balance transfer, etc.). This type of existing account fraud affected 5.5 million accounts in 2010, costing another $20 billion. So although it may seem like a no-brainer, it’s worth emphasizing that we need to continue to detect fraud for new and established accounts. Existing account fraud is unlikely to go away any time soon. Lending activities have changed significantly in the last couple of years. The origination rate in 2010 is still less than half of the volume in 2008, and booked accounts have become riskier. In this type of environment, when regular consumers are having a hard time getting new credit, fraudsters are also having a hard time getting credit. So naturally they will switch their focus to something more profitable like account takeover. Does your organization have appropriate tools and decisioning strategy to fight against existing account fraud?

Published: January 10, 2011 by Matt Ehrlich

In my last entry I mentioned how we’re working with more and more clients that are ramping up their fraud and compliance processes to ensure Red Flag compliance. But it’s not just the FACT Act Identity Theft Program requirements that are garnering all the attention.  As every financial institution is painfully aware, numerous compliance requirements exist around the USA PATRIOT Act and Know Your Customer, Anti-Money Laundering, e-Signature and more. Legislation for banks, lenders, and other financial services organizations are only likely to increase with President Obama’s appointment of Elizabeth Warren to the new Bureau of Consumer Financial Protection. Typically FI’s must perform due diligence across more than one of these requirements, all the while balancing the competing pressures of revenue growth, customer experience, fraud referral rates, and risk management. Here’s a case where we were able to offer a solution to one client’s complex needs.  Recently, we were approached by a bank’s sales channel that needed to automate their Customer Information Program (CIP). The bank’s risk and compliance department had provided guidelines based on their interpretation of due diligence appropriate for CIP and now the Sales group had to find a tool that could facilitate these guidelines and decision appropriately. The challenge was doing so without a costly custom solution, not sacrificing their current customer service SLA’s, and being able to define the criteria in the CIP decisioning rather than a stock interpretation. The solution was to invest in a customer authentication product that offered flexible, adaptable “off the shelf” decisioning along with knowledge based authentication, aka out of wallet questions. The fact that the logic was hosted reduced costly and time consuming software and hardware implementations while at the same time allowing easy modification should their CIP criteria change or pass and review rates need to be tweaked. The net result? 
Consistent customer treatment and objective application of the CIP guidelines, more cross selling confidence, and the ability to refer only those applicants with fraud alerts or who did not meet the name, address, SSN, and DOB check for further authentication.

Published: September 24, 2010 by Matt Ehrlich

Another consumer protection article in the news recently highlighted some fraud best practices for social networking sites. Click here to read the article. When I say fraud best practices, I mean best practices to minimize fraud and identity theft risk…not best practices for fraudsters. Although I wonder if by advising consumers about new fraud trends and methods, some fraudsters are picking up new tips and tricks? Anyway, many of the suggestions in the article are common sense items that have been making the rounds for some time now: don’t post vacation plans, things that might provide clues to your passwords or secret questions, etc. What I found surprising was that this list of “6 Things You Should Never Reveal on Facebook” still included birth date and place and home address. Are people overly trusting or just simply unaware of the risk of providing personal identifying information out in cyber space, unsecured? The US government has gone to a lot of trouble to protect consumers from identity theft through its issuance of the Red Flags rule and Red Flags guidelines for financial institutions of all types. I work with many clients that are going to large efforts to meet these important goals for fraud and compliance. Not just because the legislation requires it but because they know it is in the best interest of fostering long term and trust-based relationships with their customers. But just as much responsibility lies on us as consumers to protect ourselves. Each individual or family should have their own little identity theft prevention program that includes: guidelines for sharing information on social networking sites, shredding of paper documents with personal data, safe storage of passwords (i.e. not written down by your computer!), and up to date virus and malware protection on their computer.

Published: September 20, 2010 by Matt Ehrlich

Quite a scary new (although in some ways old) form of identity theft in the headlines recently. Here’s a link to the article, which talks about how children’s dormant Social Security numbers are being found and sold by companies online under the guise of CPN’s – aka credit profile numbers or credit protection numbers.  Using deceased, “found”, or otherwise illicitly obtained Social Security numbers is not something new.  Experian’s and any good identity verification tool is going to check against the Social Security Administration’s list of numbers listed as deceased as well as check to ensure the submitted number is in an SSA valid issue range.  But the two things I find most troubling here are: One, the sellers have found a way around the law by not calling them Social Security numbers and calling them CPN’s instead.  That seems ludicrous!  But, in fact, the article goes on to state that “Because the numbers exist in a legal gray area, federal investigators have not figured out a way to prosecute the people involved”. Two, because of the anonymity and the ability to quickly set up and abandon “shop”, the online marketplace is the perfect venue for both buyer and seller to connect with minimal risk of being caught. What can we as consumers and businesses take away from this?  As consumers, we’re reminded to be ever vigilant about the disclosure of not only OUR Social Security number but that of our family members as well.  For businesses, it’s a reminder to take advantage of additional identity verification and fraud prediction tools, such as Experian’s Precise ID, Knowledge IQ, and BizID, when making credit decisions or opening accounts rather than relying solely on consumer credit scores.

Published: September 10, 2010 by Matt Ehrlich

Quite a scary new (although in some ways old) form of identity theft in the headlines recently. Here’s a link to the article, which talks about how children’s dormant Social Security numbers are being found and sold by companies online under the guise of CPN’s – aka credit profile numbers or credit protection numbers. Using deceased, “found”, or otherwise illicitly obtained Social Security numbers is not something new. Most identity theft prevention programs consider deceased and non-issued ranges as identity theft red flags under the FACTA Red Flag guidelines. In fact, Experian’s and any good identity verification tool is going to check against the Social Security Administration’s list of numbers listed as deceased as well as ensure the submitted number is in an SSA valid issue range – providing fraud alerts if not. A child’s valid but dormant Social Security number, however, would not flag as either. The two things I find most troubling here are: One, the sellers have found a way around the law by not calling them Social Security numbers and calling them CPN’s instead. That seems ludicrous! But, in fact, the article goes on to state that “Because the numbers exist in a legal gray area, federal investigators have not figured out a way to prosecute the people involved”. Two, because of the anonymity and the ability to quickly set up and abandon “shop”, the online marketplace is the perfect venue for both buyer and seller to connect with minimal risk of being caught. What can we as consumers and businesses take away from this? As consumers, we’re reminded to be ever vigilant about the disclosure of not only OUR Social Security number but that of our family members as well. For businesses, it’s a reminder to take advantage of additional identity verification and fraud prediction tools, such as Experian’s Precise ID, Knowledge IQ, and BizID, when making credit decisions or opening accounts rather than relying solely on consumer credit scores. 
Knowledge IQ’s knowledge based authentication offers out of wallet questions that may help ensure you’re dealing with the true consumer.

Published: September 10, 2010 by Matt Ehrlich

Ah…the summer vacation. I’ve just returned from mine and it got me wondering, “Do fraudsters take a vacation?” You know they must. Probably somewhere nice courtesy of their illicit activities. On our summer vacation, we stayed in rental homes rather than in hotels because of the convenience of having a kitchen, more space to move around, etc. There are many websites that provide vacation home rentals, either offered by an agency or directly by the owners themselves. It would be interesting to know how many (any?) of these sites have Identity Theft Prevention Programs in place for their clients and prospective renters. Although Red Flags rules do not apply to this industry, certainly some fraud best practices and a proactive risk management approach is good for business. In the case of the homeowners dealing directly with prospective renters, what struck me is that there is quite a bit of trust involved in these arrangements. It’s safe to say that most transactions, like ours, are conducted over email and/or the phone. Payment is collected in advance by check or credit card but in our case, and in many if not most others, there is no deposit. Since I work daily around commercial and consumer fraud, I couldn’t help but wonder what the exposure is for fraud risk and identity theft – both to the home owner as well as to the person renting the home. Just look at the information exchanged… The renter provides: name, address, phone number, email address, check (which would include account and routing number) OR credit card number and expiration date. The owner provides: name, phone number, email address, and a home or office address (to which the renter mails the payment). Additionally, the renter knows of a second address associated with the owner – the rental property itself! With account takeover fraud still quite prevalent, that’s quite a bit of personal information that both parties know about each other. 
Now, the fact that these types of rental transactions occur often and without many (at least publicized) known fraud and identity theft incidents seems to indicate that people on both sides are trustworthy. Still…it does make you think of the exposure if one of the parties is less than honest….say a fraudster on their summer vacation?

Published: September 8, 2010 by Matt Ehrlich

With the upcoming changes to overdraft fee policies coming to the banking industry July 1st, courtesy of the Federal Reserve, banks and credit unions are re-examining the revenue growth opportunities through their new account opening process. We frequently hear from our fraud risk and operations client partners that when there is a push for revenue growth, fraud detection gets de-prioritized as a trade off to bringing in more new customers. A DDA-friendly risk based authentication approach may offer some compromise to this seemingly “one for one” exchange. Here are some quick revenue-friendly, risk-averse practices being seen in the branches, call centers, and online channels of Experian clients:

• Drive referrals to knowledge based authentication (KBA), negative record checks (account abuse, fraud records) or both off of an upfront fraud score, such as the Precise ID(SM) for Account Opening score. Segmenting based on risk is cost efficient and promotes an improved customer experience.
• Bolster the fraud defenses of your online channel by raising the “pass” or “accept” threshold. The lower acquisition costs for this online account opening are tempting but this is also the venue most exploited by fraudsters. Some incremental manual reviews should work out as a small price to pay to catch the higher prevalence of fraud.
• Cross sell and up sell with confidence based on more comprehensive authentication. By applying appropriate risk based authentication strategies, more products can be offered and exposure is reduced because you know you are dealing with the true consumer.

Published: June 16, 2010 by Matt Ehrlich

My last entry covered the benefits of consortium databases and industry collaboration in general as a proven and technologically feasible method for combating fraud across industries. They help minimize fraud losses. So – with some notable exceptions – why are so few industries and companies using fraud consortiums and known fraud databases? In my experience, the reasons typically boil down to two things: reluctance to share data and perception of ROI. I say "perception of ROI" because I firmly believe the ROI is there – in fact it grows with the number of consortium participants. First, reluctance to share data seems to stem from a few areas. One is concern for how that data will be used by other consortium members. This is usually addressed through compelling reciprocation of data contribution by all members (the give to get model) as well as strict guidelines for acceptable use. In today’s climate of hypersensitivity, another concern – rightly so – is the stewardship of Personally Identifiable Information (PII). Given the potentially damaging effects of data breaches to consumers and businesses, smart companies are extremely cautious and careful when making decisions about safeguarding consumer information. So how does a data consortium deal with this? Firewalls, access control lists, encryption, and other modern security technologies provide the defenses necessary to facilitate protection of information contributed to the consortium. So, let’s assume we’ve overcome the obstacles to sharing one’s data. The other big hurdle to participation that I come across regularly is the old “what’s in it for me” question. Contributors want to be sure that they get out of it what they put into it. Nobody wants to be the only one, or the largest one, contributing records. In fact, this issue extends to intracompany consortiums as well.
No line of business wants to be the sole sponsor just to have other business units come late to the party and reap all the benefits on their dime.  Whether within companies or across an industry, it’s obvious that mutual funding, support, equitable operating rules, and clear communication of benefits – to those contributors both big and small – is necessary for fraud consortiums to succeed. To get there, it’s going to take a lot more interest and participation from industry leaders.  What would this look like? I think we’d see a large shift in companies’ fraud columns: from “Discovered” to “Attempted”.  This shift would save time and money that could be passed back to the legitimate customers.  More participation would also enable consortiums to stay on top of changing technology and evolving consumer communication styles, such as email, text, mobile banking, and voice biometrics to name a few.  

Published: February 8, 2010 by Matt Ehrlich

There was a recent discussion among members of the Anti Fraud experts group on LinkedIn regarding collaboration among financial institutions to combat fraud. Most posters agreed on the benefits of such collaboration but were cynical when it came to anything of substance, such as a shared data network, getting off the ground. I happen to agree with some of the opinions on the primary challenges faced in getting cross industry (or even single industry!) cooperation to prevent both consumer and commercial fraud. Those being: 1) sharing data and 2) return on investment. Despite the challenges, there are some fraud prevention and “negative” file consortium databases available in the market as fraud prevention tools. They’re often used in conjunction with authentication products in an overall risk based authentication / fraud deterrence strategy. Some are focused on the Demand Deposit Account (DDA) market, such as Fidelity’s DebitBureau, while others, like Experian’s own National Fraud Database, address a variety of markets. Early Warning Services has a database of both “account abuse” – aka DDA financial mismanagement – and fraud records. Still others like Ethoca and the UK’s 192.com seem focused on merchant data and online retailers. Regardless of the consortium, they share some common traits. Most:

- fall under Fair Credit Reporting Act regulation
- are used in the acquisition phase as part of the new account decision
- require contribution of data to access the shared data network

Given the seemingly general reluctance to participate in fraud consortiums, as evidenced by the group described above, how do we assess value in these consortium databases? Well, for one, most U.S. banks and credit unions participate in and contribute customer behavior data to a consortium.
Safe to say, then, that the banking industry has recognized the value of collaboration and sharing data with each other – if not exclusively to minimize fraud losses but at least to manage potential risk at acquisition.  I’m speaking here of the DDA financial mismanagement data used under the guiding principle of “past performance predicts future results”. Consortium data that includes confirmed fraud records make the value of collaboration even more clear: a match to one of these records compels further investigation and a more cautious review of the transaction or decision.  With this much to gain, why aren’t more companies and industries rushing to join or form a consortium? In my next post, I’ll explore the common objections to joining consortiums and what the future may look like.  

Published: February 5, 2010 by Matt Ehrlich

On Friday, October 30th, the FTC again delayed enforcement of the “Red Flags” Rule – this time until June 1, 2010 – for financial institutions and creditors subject to the FTC’s enforcement. Here’s the official release: http://www.ftc.gov/opa/2009/10/redflags.shtm. But this doesn’t mean, until then, businesses get a free pass. The extension doesn’t apply to other federal agencies that have enforcement responsibilities for institutions under their jurisdiction. And the extension also doesn’t alleviate an institution’s need to detect and respond to address discrepancies on credit reports.

Red Flag compliance

Implementing best practices to address identity theft under the Red Flags Rule is not just the law, it’s good business. The damage to reputations and consumer confidence from a problem gone unchecked or worse yet – unidentified – can be catastrophic. I encourage all businesses – if they haven’t already done so – to use this extension as an opportunity to proactively secure a Red Flags Rule to ensure Red Flag compliance. It’s an investment in protecting their most important asset – the customer.

Published: November 6, 2009 by Matt Ehrlich
