Financial Services
Quite a scary new (although in some ways old) form of identity theft in the headlines recently. Here’s a link to the article, which talks about how children’s dormant Social Security numbers are being found and sold by companies online under the guise of CPN’s – aka credit profile numbers or credit protection numbers. Using deceased, “found”, or otherwise illicitly obtained Social Security numbers is not something new. Experian’s and any good identity verification tool is going to check against the Social Security Administration’s list of numbers listed as deceased as well as check to ensure the submitted number is in an SSA valid issue range. But the two things I find most troubling here are: One, the sellers have found a way around the law by not calling them Social Security numbers and calling them CPN’s instead. That seems ludicrous! But, in fact, the article goes on to state that “Because the numbers exist in a legal gray area, federal investigators have not figured out a way to prosecute the people involved”. Two, because of the anonymity and the ability to quickly set up and abandon “shop”, the online marketplace is the perfect venue for both buyer and seller to connect with minimal risk of being caught. What can we as consumers and businesses take away from this? As consumers, we’re reminded to be ever vigilant about the disclosure of not only OUR Social Security number but that of our family members as well. For businesses, it’s a reminder to take advantage of additional identity verification and fraud prediction tools, such as Experian’s Precise ID, Knowledge IQ, and BizID, when making credit decisions or opening accounts rather than relying solely on consumer credit scores.
Working with clients in the financial sector means keeping an eye toward compliance and regulations like the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or Fair and Accurate Credit Transactions Act (FACTA). It doesn’t really matter what kind of product it is, if a client is a financial institution (FI) of some kind, one of these three pieces of legislation is probably going to apply. The good part is, these clients know it and typically have staff dedicated to these functions. In my experience, where most clients need help is in understanding which regulations apply or what might be allowed under each. The truth is, a product designed to minimize fraud, like knowledge based authentication, will function the same whether using FCRA regulated or non-FCRA regulated data. The differences will be in the fraud models used with the product, the decisioning strategies set-up, the questions asked and the data sources of those questions. Under GLB it is acceptable to use fraud analytics for detection purposes, as fraud detection is an approved GLB exception. However, under FCRA rules, fraud detection is not a recognized permissible purpose (for accessing a consumer’s data). Instead, written instructions (of the consumer) may be used as the permissible purpose, or another permissible purpose permitted under FCRA; such as legitimate business need due to risk of financial loss. Fraud best practices dictate engaging with clients, and their compliance teams, to ensure the correct product has been selected based on client fraud trends and client needs. A risk based authentication approach, using all available data and appropriately decisioning on that data, whether or not it includes out of wallet questions, provides the most efficient management of risk for clients and best experience for consumers.
Quite a scary new (although in some ways old) form of identity theft in the headlines recently. Here’s a link to the article, which talks about how children’s dormant Social Security numbers are being found and sold by companies online under the guise of CPN’s – aka credit profile numbers or credit protection numbers. Using deceased, “found”, or otherwise illicitly obtained Social Security numbers is not something new. Most identity theft prevention programs consider deceased and non-issued ranges as identity theft red flags under the FACTA Red Flag guidelines. In fact, Experian’s and any good identity verification tool is going to check against the Social Security Administration’s list of numbers listed as deceased as well as ensure the submitted number is in an SSA valid issue range – providing fraud alerts if not. A child’s valid but dormant Social Security number, however, would not flag as either. The two things I find most troubling here are: One, the sellers have found a way around the law by not calling them Social Security numbers and calling them CPN’s instead. That seems ludicrous! But, in fact, the article goes on to state that “Because the numbers exist in a legal gray area, federal investigators have not figured out a way to prosecute the people involved”. Two, because of the anonymity and the ability to quickly set up and abandon “shop”, the online marketplace is the perfect venue for both buyer and seller to connect with minimal risk of being caught. What can we as consumers and businesses take away from this? As consumers, we’re reminded to be ever vigilant about the disclosure of not only OUR Social Security number but that of our family members as well. For businesses, it’s a reminder to take advantage of additional identity verification and fraud prediction tools, such as Experian’s Precise ID, Knowledge IQ, and BizID, when making credit decisions or opening accounts rather than relying solely on consumer credit scores. Knowledge IQ’s knowledge based authentication offers out of wallet questions that may help ensure you’re dealing with the true consumer.
Ah…the summer vacation. I’ve just returned from mine and it got me wondering, “Do fraudsters take a vacation?” You know they must. Probably somewhere nice courtesy of their illicit activities. On our summer vacation, we stayed in rental homes rather than in hotels because of the convenience of having a kitchen, more space to move around, etc. There are many websites that provide vacation home rentals, either offered by an agency or directly by the owners themselves. It would be interesting to know how many (any?) of these sites have Identity Theft Prevention Programs in place for their clients and prospective renters. Although Red Flags rules do not apply to this industry, certainly some fraud best practices and a proactive risk management approach is good for business. In the case of the homeowners dealing directly with prospective renters, what struck me is that there is quite a bit of trust involved in these arrangements. It’s safe to say that most transactions, like ours, are conducted over email and/or the phone. Payment is collected in advance by check or credit card but in our case, and in many if not most others, there is no deposit. Since I work daily around commercial and consumer fraud, I couldn’t help but wonder what the exposure is for fraud risk and identity theft – both to the home owner as well as to the person renting the home. Just look at the information exchanged… The renter provides: name, address, phone number, email address, check (which would include account and routing number) OR credit card number and expiration date. The owner provides: name, phone number, email address, and a home or office address (to which the renter mails the payment). Additionally, the renter knows of a second address associated with the owner – the rental property itself! With account takeover fraud still quite prevalent, that’s quite a bit of personal information that both parties know about each other. Now, the fact that these types of rental transactions occur often and without many (at least publicized) known fraud and identity theft incidents seems to indicate that people on both sides are trustworthy. Still…it does make you think of the exposure if one of the parties is less than honest….say a fraudster on their summer vacation?
By: Kennis Wong In the last post, I emphasized the importance of fraud detection even after an account has been approved. If information gathered later indicates an application was fraudulent, credit issuers can still take action on the account to minimize fraud losses. Monitoring your internal systems to find suspicious activities is one way to do it. If the account holder has unusual purchase patterns, such as spending $2000 at a dry cleaner, you may want to stop and have a closer look. But more revealing would be the bigger picture – Is the account holder developing other financial relationships? Do these other applications indicate high identity theft risk? Are there any unusual patterns across the multiple financial relationships? The tricky part is finding the related applications. If you are looking for applications that use the same SSN, name, DOB, address and phone number, you may be missing information that helps detect fraud. Fraudsters often mutate elements of the PIIs when they use stolen identities to hide their fraudulent activity. If you link related applications together, you can then look for unusual patterns collectively. Find that the same social security number was used 10 times, with different addresses, all in the same week? Bad sign. Individual signs may help very little. False-positives and fraud referral rates may be too high if your action is based on just one or two signs. That’s why Experian recommends using a risk-based method for minimizing fraud instead of a rule-based method. You need fraud analytics to put all signs together in a way that is predictive of identity theft. Timeliness is the key to successful fraud account management. If the identity fraudster has already used all available credit on a credit line, then it is too late to minimize fraud and action on the account. The only benefit at that point -- saving time by telling your collection department not to waste effort attempting to collect on the account.
By: Kennis Wong Most lenders authenticate applicants before they extend credit. With identity theft so prevalent today, not ensuring you are dealing with the real consumer before starting a customer relationship is like playing Russian roulette. Especially for installment loans, when the goods are out, the chance of recouping the money in the case of identity theft is slim. Even for secured loans like car loans, fraudsters can always cash out the car in Mexico, and you will never see the shadow of it again. No wonder lenders place a lot of emphasis on checking people’s identities at application. For many cases, this is really the key point where identity fraud can be stopped. But it is not necessarily true for all type of lenders. For revolving loans, lenders could still minimize fraud losses after credit application is approved, as long as available credit still exists. You can imagine that once a fraudster gets hold of someone’s identity, s/he is likely to maximize its value by using it again and again. Therefore, there should be more credit activities, hence more evidence of misuse, by Day 7 than on Day 1. In the unfortunate event that a fraudster passes authentication on Day 1, it is still possible that you discover the fraud on Day 7 if you have new information. If you are a credit card issuer, it means you can still stop the action before the credit card gets to the fraudster’s hand and gets activated. Unfortunately for a lot of smaller lenders, the due diligence stops at the point of application. Even larger lenders only start their “account management” fraud detection at the point of high-risk transaction or payment. By not watching the new customer relationship closer and studying fraud trends, they are missing out fraud loss reduction opportunity.
By: Kristan Frend It seems as though desperate times call for desperate measures- with revenues down and business loans tougher than ever to get, “shelf” and “shell” companies appear to be on the rise. First let’s look at the difference between the two: Shelf companies are defined as corporations formed in a low-tax, low-regulation state in order to be sold off for its excellent credit rating. According to the Better Business Bureau, off-the-shelf structures were historically used to streamline a start-up, but selling them as a way to get around credit guidelines is new, making them unethical and possibly illegal. Shell companies are characterized as fictitious entities created for the sole purpose of committing fraud. They often provide a convenient method for money laundering because they are easy and inexpensive to form and operate. These companies typically do not have a physical presence, although some may set up a storefront. According to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network, shell companies may even purchase corporate office “service packages” in order to appear to have established a more significant local presence. These packages often include a state business license, a local street address, an office that is staffed during business hours, a local telephone listing with a receptionist and 24-hour personalized voice mail. In one recent bust out fraud scenario, a shell company operated out of an office building and signed up for service with a voice over Internet protocol (VoIP) provider. While the VoIP provider typically conducts on-site visits to all new accounts, this step was skipped because the account was acquired through a channel partner. During months one and two, the account maintained normal usage patterns and invoices were paid promptly. In month three, the account’s international toll activity spiked, causing the provider to question the unusual account activity. The customer responded with a seemingly legitimate business explanation of activity and offered additional documentation. However, the following month the account contact and business disappeared, leaving the VoIP provider with a substantial five figure loss. A follow-up visit to the business showed a vacant office suite. While it’s unrealistic to think all shelf and shell companies can be identified, there are some tools that can help you verify businesses, identify repeat offenders, and minimize fraud losses. In the example mention above, post-loss account review through Experian’s BizID identified an obvious address discrepancy - 12 businesses all listed at the same address, suggesting that the perpetrator set up numerous businesses and victimized multiple organizations. The moral of the story? Avoid being the next victim and refine and revisit your fraud best practices today. Click here for more information on Experian\'s BizID
The overarching ‘business driver’ in adopting a risk-based authentication strategy, particularly one that is founded in analytics and proven scores, is the predictive ‘lift’ associated with using scoring in place of a more binary rule set. While basic identity element verification checks, such as name, address, Social Security number, date-of-birth, and phone number are important identity proofing treatments, when viewed in isolation, they are not nearly as effective in predicting actual fraud risk. In other words, the presence of positive verification across multiple identity elements does not, alone, provide sufficient predictive value in determining fraud risk. Positive verification of identity elements may be achieved in customer access requests that are, in fact, fraudulent. Conversely, negative identity element verification results may be associated with both ‘true’ or ‘good’ customers as well as fraudulent ones. In other words, these false positive and false negative conditions lead to a lack of predictive value and confidence as well as inefficient and unnecessary referral and out-sort volumes. The most predictive authentication and fraud models are those that incorporate multiple data assets spanning traditionally used customer information categories such as public records and demographic data, but also utilize, when possible, credit history attributes, and historic application and inquiry records. A risk-based fraud detection system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and predicted likelihood of associated identity theft, application fraud, or other fraud risk. To implement efficient and appropriate risk-based authentication procedures, the incorporation of comprehensive and broadly categorized data assets must be combined with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance not only in a current environment, but as that environment shifts as do its underlying forces.
By: Kristan Frend As if business owners need one more thing to worry about — according to the Javelin Strategy & Research’s 2010 Identity Fraud Survey Report, respondents who defined themselves as “self-employed” or “small business owners” were one-and-a-half times more likely to be victims of identity theft. Intuitively this makes sense- business owners exposure would be higher than the average consumer as their information is viewed more often due to the broad array of business service needs. Also consider the fact that until recently, multiple states had public records containing proprietors social security numbers as tax identification numbers readily accessible on-line. What a perfect storm this has all created! Javelin’s report also explained that while the average fraud incidence for business owners was lower than the average consumers, small business owner’s consumer costs were higher. In other words the small business owner suffered more out of pocket costs for identity theft losses than the average consumer. Experts believe this is due to the fact that commercial accounts often do not receive the same fraud guarantee protections that consumer accounts are afforded. While compliance regulations such as Red Flags Rules will enhance consumer safety, institutions must further develop their prevention and protection methods beyond what is legally required to sufficiently protect their small business customers from future fraud attacks. Small business owner fraud and the challenges organizations face in identifying and mitigating these losses are frequently overlooked and overshadowed by consumer fraud. Simply put, fraud is prevented because fraud is detected- verifying that the business owners is who they say they are using multiple data sources is critical to identifying applicant irregularities and protecting small business owners. A well-executed fraud strategy is more than just good business – it helps reduce small business customer acquisition costs and ultimately allows you to make better business decisions, creating a mutually beneficial relationship between your organization and the small business owner.
With the news from the Federal Reserve that joblessness is not declining, and in fact is growing, a number of consumers are going to face newly difficult times and be further challenged to meet their credit obligations. Thinking about how this might impact the already struggling mortgage market, I’ve been considering what the impact of joblessness is on the incidence of strategic default and the resulting risk management issues for lenders. Using the definitions from our previous studies on strategic default, I think it’s quite clear that increased joblessness will definitely increase the number of ‘cash-flow managers’ and ‘distressed borrowers’, as newly jobless consumers face reduced income and struggle to pay their bills. But, will a loss of income also mean that people become more likely to strategically default? By definition, the answer is no – a strategic defaulter has the capacity to pay, but chooses not to, mostly due to their equity position in the home. But, I can’t help but consider a consumer who is 20% underwater, but making payments when employed, deciding that the same 20% that used to be acceptable to bear, is now illogical and will simply choose to stop payment? Although only a short-term fix, since they can use far less of their savings by simply ceasing to pay their mortgage, this would free up significant cash (or savings) for paying car loans, credit cards, college loans, etc; and yet, this practice would maintain the profile of a strategic defaulter. While it’s impossible to predict the true impact of joblessness, I would submit that beyond assessing credit risk, lenders need to consider that the definition of strategic default may contain a number of unique, and certainly evolving consumer risk segments. __________________________ http://money.cnn.com/2010/08/19/news/economy/initial_claims/index.htm
With the recent release of first-time unemployment applications by the Labor Department showing weaker than expected results, it comes as no surprise that July foreclosure rates also reflect the on-going stress being experienced by consumers across the nation. When considering credit score trends and delinquency measures across credit products, it’s interesting to see how these trends appear to be playing out in terms of their impact on consumer score migration patterns. Over the past year or so, it appears that the impact of a struggling economy is the creation of a two-tier consumer credit system. On one hand, for consumers with stronger credit risk scores who are able to successfully manage their financial obligations, we see stability in the composition of the prime and super-prime population. On the other hand, as other consumers face challenging times, especially through joblessness and reductions in real-estate equity, there are consumers who experience significant credit management issues and subsequently, their risk scores decline. The interesting phenomenon is that there seems to be fewer and fewer consumers who remain in between these two segments. Credit score migration patterns suggest the evolution of two distinct consumer populations: a relatively stable, lower-risk segment, and a somewhat bottom-heavy higher-risk population, comprised of consumers with long-term repayment challenges, recent foreclosures, repossessions and higher delinquency rates. Clearly, this type of change in score distribution directly impacts lenders and their acquisition and account management strategies. With few signs of a pending economic recovery, it will be interesting to watch this pattern develop in the long-term to see if the chasm between these groups becomes wider and more measurable, or whether other economic influences will further transform the consumer credit landscape.
Recently, a number of media articles have discussed the task facing financial institutions today – find opportunities growth in a challenging and flat economy. The majority of perspectives discuss the fact that lenders will soon have no choice but to look to the ‘fringe’, by lowering score cut-offs, adjusting acquisition strategies and introducing greater risk into their portfolios in order to grow. Risk and marketing departments are sure to be creating and analyzing credit risk models and assessing credit risk in new, untapped markets in order to achieve these objectives. While it may appear to be oversimplifying the task, many lenders have the opportunity to grow simply by understanding more about two groups of consumers that are already sitting in their offices (or application queues) today: applicants who are approved, but book elsewhere, and applicants that are declined. There are a number of analytic techniques that can be utilized to understand these populations further. Lenders can study the characteristics of other loans originated by these lost consumers, and can also perform analyses of how these consumers performed after booking competitive offers. By understanding the credit characteristics and account delinquency trends of its current applicants, lenders can uncover a wealth of information and insight about the growth opportunities sitting right before them.
There are a number of people within the industry heralding the death of knowledge based authentication. To those people I would say, “In my humble opinion you are as wrong as those recent tweets proclaiming the death of Bill Cosby.” Before anyone’s head spins around, let me explain. When I talk about knowledge based authentication and out of wallet questions, I mean it in the truest sense, a la dynamic questions presented as a pop quiz and not the secret questions you answered when you set-up an account. Dynamic knowledge based authentication presents questions are generated from information known about the consumer, concerning things the true consumer would know and a fraudster wouldn’t. The key to success, and the key to good questions, is the data, which I have said many, many times before. The truth is every tool will let some fraud through; otherwise, you’re keeping too many good customers away. But if knowledge based authentication truly fails, there are two places to look: Data: There are knowledge based authentication providers who rely solely on public record data for their KBA solutions. In my opinion, that data is a higher data risk segment for compromise. Experian’s knowledge based authentication practice is disciplined and includes a mix of data. Our research has shown us that a question set should, ideally, include questions that are proprietary, non-credit, credit and innovative. Yes, it may make sense to include some public record data in a question set, but should it be the basis for the entire question set? Providers who can rely on their own data, or a strategic combination of data sources, rather than purchasing it from one of the large data aggregators are, in my opinion, at an advantage because fraudsters would need to compromise multiple sources in order to “game the system.” Actual KBA use: Knowledge based authentication works best as part of a risk management strategy where risk based authentication is a component within the framework and not the single, determining factor for passing a consumer. Our research has shown that clients who combine fraud analytics and a score with knowledge based authentication can increase authentication performance from 20% - 30% or more, depending on the portfolio and type of fraud (ID Fraud vs. First Party, etc.)… and adding a score has the obvious benefit of increasing fraud detection, but it also allows organizations to prioritize review rates efficiently while protecting the consumer experience. So before we write the obituary of KBA, let’s challenge those who tinker with out of wallet products, building lists of meaningless questions that a 5th grader could answer. Embrace optimized decisions with risk based authentication and employ fraud best practices in your use of KBA.
A few days ago I saw an article about hackers working from Russia, while committing check fraud in the United States. In what those investigating are calling a brilliant operation, the fraudsters compromised companies that archive and store records of check images or checks themselves. They then downloaded those check images and all available information. By printing new checks and using an old Internet “money mule” scheme, the fraudsters were able to send the bogus checks to ”the mule”, often as a payment, and have the check cashed at the mule’s bank to get the balance of the funds wired to an off-shore bank account. That article made me think about new breakthroughs in technology. What if those fraudsters had been a little savvier? What if they had the most recent smart phone application installed and didn’t need a mule to wire the money? They could have simply written checks and uploaded them for deposit to an account to which they had gained access with the hottest application du jour – deposit via photo image uploaded from a smart phone. That application would have allowed the fraudsters to cash the bogus check, gain access to the funds and move them to the next account at will. Or would it? Given the move toward mobile banking, it isn’t really a stretch to see this kind of thing happening. Probably not, but if organizations offering this kind of service use a risk based authentication approach it is more likely they use fraud models and decisioning strategies to minimize fraud and protect consumers while pushing out the latest technology. For those reasons, risk management solutions and enterprise fraud vendors need to not only keep pace with technology but also stay ahead of the curve in order to provide optimized decisions and the most relevant fraud analytics. Considering recent fraud trends and my love affair with mobile everything, I know I want the organizations I do business with to do everything they can to prevent fraud…and I’m positive I want my smart phone to be as smart as possible.
By: Kari Michel What are your acquisition strategies to increase consumer lending and gain market share? This blog will discuss new approaches to create segment-based targeting campaigns and the ability to precisely time the offer delivery with consumer needs. The most aggressive and successful banks are using need and attitudinal segmentation, coupled with models that identify consumers in the market for loan products. The return on marketing investment from these refined marketing efforts often exceed 350%, measured on a net of control basis, after all marketing costs. Here is a case study, using Experian tools, showing how one marketer used segment-based targeting, tailoring and timing to increase their response rate 145% over a competitor’s product. In the highly competitive credit card arena, a new business model is emerging that is dependent on acquiring new accounts from consumers that are grouped into specific behavior segments (Credit Hungry Card Switchers and Case Oriented Skeptics) and looking at consumers that were in the market, as well as had the highest likelihood of opening a bankcard account within the next 1 – 4 months. Test Results Total Competitor Experian Experian lift Quantity 624,000 623,953 Response Rate % 2.09% 3.03% 145% Actual Responses 13,035 18,902 Booked Rate % 1.64% 2.24% 137% Actual Booked 10,208 13,989 Approval Rate % 78.30% 74.01% 95% In addition to a 145% lift in response rate, over 3,700 more accounts were booked over the competition. These same tools, “In The Market Models” (developed using credit bureau data) and “Financial Personalities®”, can help your organization have a greater return on your direct marketing investment by increasing acquisition rates.
Learn More Image
