Fraud & Identity Management
It’s that time of year again – when people all over the U.S. take time away from life’s daily chores and embark upon that much-needed refresh: vacation! But just as fraud activity spikes during the holidays, there are also fraud trends suggesting spikes in fraudster activity during the summer. With consumers on vacation, identity theft becomes easier. Consumers are most likely to break their normal spending trends and break patterns established by fraud analytics; and consumers are less likely to be as attentive to elements that can help minimize fraud while out of town. There has been plenty of research to demonstrate that fraudsters perpetrate account takeover by changing the pin, address, or email address of an account. Now, fraudsters are more likely to add themselves as an authorized user to the account, which may not be considered a high-risk flag in transactional decisioning strategies. By identifying risky behaviors or patterns outside of a consumer’s normal behavior and an engaging in a knowledge based authentication session with the consumer, it is possible to help minimize the risk of fraud. Knowledge based authentication provides strong authentication and can be part of a risk-based approach to on-going account management, protecting both businesses and consumers from being burned, at least by fraudsters, while on vacation.
By: Kennis Wong When we think about fraud prevention, naturally we think about mininizing fraud at application. We want to ensure that the identities used in the application truly belong to the person who applies for credit, and not identity theft. But the reality is that some fraudsters do successfully get through the defense at application. In fact, according to Javelin’s 2011 Identity Fraud Survey Report, 2.5 million accounts were opened fraudulently using stolen identities in 2010, costing lenders and consumers $17 billion. And these numbers do not even include other existing account fraud like account takeover and impersonation (limited misusing of account like credit/debit card and balance transfer, etc.). This type of existing account fraud affected 5.5 million accounts in 2010, costing another $20 billion. So although it may seem like a no brainer, it’s worth emphasizing that we need to have fraud account management system and continue to detect fraud for new and established accounts. Existing account fraud is unlikely to go away any time soon. Lending activities have changed significantly in the last couple of years. Origination rate in 2010 is still less than half of the volume in 2008, and booked accounts become riskier. In this type of environment, when regular consumers are having hard time getting new credits, fraudsters are also having hard time getting credit. So they will switch their focus to something more profitable like account takeover. In addition to application fraud, does your organization have appropriate tools and decisioning strategy to minimize fraud loss from existing account fraud?
By: Kristan Frend Small business owners appear to be lucrative targets for identity fraud perpetrators, alarming banking institutions, payment processors, and B2B service providers. According to Javelin’s 2011 Small Business Owners (SMBO) Identity Fraud report, the cost of fraud and identity theft “hit SMBO constituents particularly hard. Javelin research uncovered what was previously an undocumented cost to the industry of $5 billion as a direct result of this fraud. In addition, financial institutions (FIs) lost over $590 million in clients and revenue opportunities over a five‐year period.” Additionally, the report indicated that small business owners mean fraud amount is about 5% higher than that for all consumers ($4,851 vs. $4,607). Even more alarming was the fact that the SMBO’s mean victim cost is 150% higher than consumer costs ($1,574 vs. $631). So what does all of this mean? If you’re a small business lender or service provider, having a robust multi-layered SMBO fraud prevention program in place is essential for client retention and avoiding reputational risk. You can take control of the situation with more proactive fraud prevention strategies which will improve your relationships with SMBO customers and save them (and you) money in the long run.
By: Staci Baker It seems like every time I turn on the TV there is another natural disaster. Tsunami in Japan, tornadoes and flooding in the Mid-West United States, earthquakes and forest fires – everywhere; and these disasters are happening worldwide. They are not confined to one location. If a disaster were to happen near any of your offices, would you be prepared? Living in Southern California, this is something I think of often. Especially, since we are supposed to have had “the big one” for the past several years now. When developing a preparedness plan for a company, there are several things to take into consideration. Some are obvious, such as how to keep employees safe, developing steps for IT to take to ensure data is protected , including an identity theft prevention program, and establishing contingency business plans in case a disaster directly hits your business and doors need to remain closed for several days, weeks, or …. But, what about the non-obvious items that should be included in a disaster preparedness plan? When a natural disaster hits, there is an increase in fraud. So much so, that after Hurricane Katrina battered the Gulf, the Hurricane Katrina Fraud Task Force, now known as the National Center for Disaster Fraud, was created. In addition to the items listed above, I recommend including the following. Create a plan that will put fraud alerts in place to minimize fraud. Fraud alerts are not just to notify your clients when there is fraudulent activity on their accounts. Alerts should also be put in place to let you know when there is fraudulent activity within your own business as well. Depending on the type of disaster, delinquency rates may increase, since borrower funds may be diverted to other needs. Implement a disaster collections strategy, which may include modifying credit terms, managing credit risk, and loan loss provisioning. Although these are only a few things to be considered when developing a disaster preparedness plan, I hope it gets you thinking about what your company needs to do to be prepared. What are some things you have already done, or that are on your to do list to prepare your company for the next big event that may affect you?
Last week I attended the Merchant Risk Council’s 2011 MRC Annual e-Commerce Payments & Risk Conference. I presented a session titled “Efficiency and Empowerment in Risk-based Authentication” with a client who has been able to use knowledge based authentication as a sales enabler - Home Shopping Network. You might be wondering what I mean by this. It is actually pretty simple: Home Shopping Network already has a fraud prevention program in place and utilizes risk based authentication to send a percentage of orders to an outsort queue. By using knowledge based authentication to further verify the true consumer, Home Shopping Network has been able to release an increased portion of those orders for shipping, increasing both revenue and the customer experience. The paradigm shift was thinking of knowledge based authentication as a sale enabler, rather than just a fraud tool. It was a great experience, to help share the story of this client’s success. If you are interested in the Merchant Risk Council: The Merchant Risk Council (MRC) is a merchant-led trade association focused on electronic commerce risk and payments. They lead industry networking, education, benchmarking and advocacy programs to make electronic commerce more efficient, safe and profitable. For more information on the Home Shopping Network, visit: http://www.hsn.com
Normal 0 false false false EN-US X-NONE X-NONE MicrosoftInternetExplorer4 /* Style Definitions */ table.MsoNormalTable {mso-style-name:\"Table Normal\"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:\"\"; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin-top:0in; mso-para-margin-right:0in; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:\"Calibri\",\"sans-serif\"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:\"Times New Roman\"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;} Normal 0 false false false EN-US X-NONE X-NONE MicrosoftInternetExplorer4 /* Style Definitions */ table.MsoNormalTable {mso-style-name:\"Table Normal\"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:\"\"; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin-top:0in; mso-para-margin-right:0in; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:\"Calibri\",\"sans-serif\"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:\"Times New Roman\"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;} By: Kristan Frend I was recently pleased to see that the state I reside in, Minnesota finished in the bottom third of a state ranking. Luckily the rankings weren’t about overall health (#6), high school graduation (#3), or SAT scores (#2); instead it was the Federal Trade Commission’s state identity theft complaint ranks. Minnesota has just 49.2 complaints per 100,000 population, whereas the highest ranked state, Florida, as 114.8 complaints per 100,000 population. The top three states leading identity theft consumer complaints (per 100,000 population) included Florida, Arizona, and California. Besides warm sunshine and top-tier golf courses, what do these three states have in common? According to the February 2011 RealtyTrac U.S. Foreclosure Market Report™, all three rank in the top 5 states for foreclosure, and two of the three (Florida and California) rank #49 and #50 in unemployment rates, according to a March 2011 report released by the Bureau of Labor Statistics. On a national level unemployment rates and identity fraud incidence rates both improved from 2009 to 2010. From 2009 to 2010, unemployment rates went from 10.0% to 9.4% while according to Javelin’s 2010 Annual Identity Fraud Survey Report, identity fraud incidence rates fell from 4.8% to 3.5%. While it may be inaccurate to state that economic distress causes higher rates of identity fraud, there does seem to be a natural correlation between economic downswings and fraudulent activity. As we move further into 2011, it will be interesting to see if identity fraud incidence rates will continue to decrease as unemployment and economic outlook is on the upward swing. Normal 0 false false false EN-US X-NONE X-NONE /* Style Definitions */ table.MsoNormalTable {mso-style-name:\"Table Normal\"; mso-tstyle-rowband-size:0; mso-tstyle-colband-size:0; mso-style-noshow:yes; mso-style-priority:99; mso-style-qformat:yes; mso-style-parent:\"\"; mso-padding-alt:0in 5.4pt 0in 5.4pt; mso-para-margin-top:0in; mso-para-margin-right:0in; mso-para-margin-bottom:10.0pt; mso-para-margin-left:0in; line-height:115%; mso-pagination:widow-orphan; font-size:11.0pt; font-family:\"Calibri\",\"sans-serif\"; mso-ascii-font-family:Calibri; mso-ascii-theme-font:minor-latin; mso-fareast-font-family:\"Times New Roman\"; mso-fareast-theme-font:minor-fareast; mso-hansi-font-family:Calibri; mso-hansi-theme-font:minor-latin;}
Well, actually, it isn’t. The better question to ask is when to use knowledge based authentication (KBA). I know I have written before about using it as part of a risk based authentication approach to fraud account management, but I am often asked what I mean by that statement. So, I thought it might be a good idea to provide a few more details and give some examples. Basically, what I mean is this: risk segmentation based on binary verification is unwise. Binary verification can occur based on identity elements, or it can occur based on pass/fail performance from out of wallet questions, but the fact remains that the primary decisioning strategy is relying on a condition with two outcomes – verified or not verified, pass or fail – and that is unwise. When we recommend a risk based authentication approach, the view is more broadly based. We advocate using analytics and weighting many factors, including those identity elements and knowledge based authentication performance as part of an overall decision, rather than an as end-all decision. If you take this kind of approach, when might you want to use this kind of approach? The answer to that is just about any time a transaction contains a level of risk, understanding that each organization will have a unique definition and tolerance for “risk”. It could be an origination or account opening scenario, when you do not yet have a relationship with a consumer. It could be in an account management setting, when you have a relationship with the consumer and know their expected behavior (and therefore anything outside of expected behavior is risk). It could be in transactional settings where there is an exchange of money or information belonging to the consumer. All of these are appropriate uses for KBA as part of a risk based approach.
Application risk management processes for deposits has remained relatively unchanged for decades. Typically, it involves credit bureau data and a secondary check of “debit bureau” data. A “debit bureau” typically gathers information regarding known fraud and compiles a fraud database of perpetrators. Every applicant who passes the credit risk strategies is checked against this database. The challenge is that this process can be very expensive. Among a new class of fraud best practices is the idea of applying fraud models/fraud analytics as a filter upstream from the debit bureau’s fraud database. This practice enables deposit institutions to still identify known fraud and minimize fraud losses on those applicants that carry the highest risk. At the same time, costs are reduced by removing low risk accounts from the debit bureau check. In addition to reducing costs, these revised acquisition strategies help reduce fraud referral rates while ensuring that application fraud does not increase. As deposit institutions look for ways to significantly reduce costs without suffering additional application fraud, look for the continued emergence of fraud analytics among 2011’s fraud best practices.
Exciting research leveraging Experian’s fraud analytics and credit risk modeling are now enabling deposit institutions to understand the impacts of first party fraud and identity theft on their portfolios. Historically, deposit institutions have not considered application fraud to be a major concern and legislation regarding overdraft fees and the opt-in provision for overdraft services will reduce a deposit customer’s ability to spend the bank’s money; however, a determined thief can still: kite checks to commit first party fraud perpetrate an account takeover/identity theft The result is that deposit institutions will continue to face losses that can be prevented using fraud best practices. The challenge for the institution is knowing whether it is facing first party fraud or identity theft. Increasingly, deposit institutions are turning to Experian to analyze customers that create losses early in the account life cycle in order to make the right modifications to their acquisitions strategies. Using a combination of fraud analytics built to target specific types of fraud trends, deposit institutions can get a clear picture of the type of behavior that is generating their losses. This type of analysis is quickly climbing the list of fraud best-practices. Armed with the right diagnosis, deposit institutions can respond by prioritizing the right set of fraud alerts.
By: Kristan Frend Imagine you’re on the #1 ranked relay swim team at the World Championships and you’re leading off. You finish your leg of the race with the team in first place. As your third teammate approaches the wall, your team is in first by a full body length. You’re on pace to set a new world record. Yet the anchor of your team is nowhere to be found, ultimately resulting in your team being disqualified. If only your fourth teammate would have made it to the blocks in time…. When you take a step back and look at your fraud risk management solutions, do you ever feel like you have all of the tools and processes available yet feel like the anchor is missing? Perhaps it’s time to reexamine your internal resources. You may have an assembly of sophisticated and robust online fraud detection tools from vendors, but you may be missing a critical piece if you’re not also effectively leveraging internal data. Through our work with clients, we’re found that it is not uncommon for organizations to manage the customer relationship through different departments or silos within the organization. All too often there is less than optimal coordination between these functional areas in taking advantage of their own internal negative data to combat application fraud. Additionally some organizations may have negative internal data but do not incorporate the check within their verification or risk based authentication tool, creating multiple steps and operational inefficiencies. One of the ways to overcome some of these issues is by incorporating internal negative data within an automated front-end check. Once loss data is loaded into a historical database, the next time that name, phone, address, driver’s license or SSN reappears on a new application, the data element is immediately identified as one associated with a previous loss. The negative data is securely stored for only your organization’s use and is not shared with users outside of your organization.
Let’s face it – not all knowledge based authentication (KBA) is created equal. I, too, have read horror stories of consumers forced to answer questions about a deceased relative or ex-spouse, or KBA sessions that went on far too long for anyone’s benefit. I have to attribute this to vendor inexperience and a lack of consulting with clients. An experienced vendor will use a fraud best practice such as a fraud analytics model to determine that some consumers do not even need questions and then a “Progressive Question” feature, which uses consumer performance on an initial question set to determine if it is necessary for the consumer to answer additional questions. This way, the true consumer completes the process quickly, improving the customer experience. The product of choice should also use a question mix that balances three factors: · how easily the true consumer can answer the question; · the fraud separation of the question (effectively the measured delta over time between how well true consumers answer the question vs. how well fraudsters do); · how many consumers overall the question can be generated. A list of hundreds of possible questions doesn’t mean much if the questions can only be generated for one quarter of one percent of the population, as is the case for something like airplane ownership or pilot’s license. Ultimately, out of wallet questions should be generated for a large part of the population, easily answered by the true consumer but difficult for a fraudster; and not offensive or what a consumer would consider “creepy” (such as their child’s birthday or name). Well designed questions will be personal but not intrusive and mindful of personal relationships that may have changed. The purpose of a knowledge based authentication session is risk management and/or consumer authentication for fraud prevention and compliance purposes – not to cause the loss of business because the fraud tool crossed the line in the mind of your customer.
Experian Decision Analytics has recorded increased demand from the marketplace for service integrations with interactive voice response (IVR), a phone technology that allows for automated detection of both voice and touch–tones. In the past quarter, there has been a more than 70 percent increase in IVR interest and it continues to grow. Why is there a demand for knowledge based authentication through IVR? Besides consumer acceptance of out of wallet questions, there is a dramatic increase in the need for remote authentication and fraud analytics that are accurate, not a burden to the consumer, cost–effective for organizations and part of an overall risk based authentication approach. Consumers stay connected in a number of ways — phone, online, mobile and short message service (SMS) — and are demanding the means to remain safe without compromising convenience. Knowledge based authentication through IVR provides this safety. Organizations must consider all the tools at their disposal to keep consumer data protected while preserving and promoting a positive customer experience. Given the interactive nature of knowledge based authentication, it is quite adaptable to various customer access channels, such as IVR, and it enables full automation of both inbound and outbound authentication calls. We know from both our own experience and from working with clients that consumers are more connected, more mobile and more networked than ever before - and fraud trends demonstrate this increases risk. As consumers continue to expand online profiles and fraud artists continue to seek out victims, successful fraud prevention will become paramount to financial survival. Leveraging products already in use by combining the technology capitalizes on an existing investment and is good business.
Many compliance regulations such the Red Flags Rule, USA Patriot Act, and ESIGN require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication, (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time\") offers institutions a viable strategy for balancing the following competing forces and pressures: Compliance – the need to ensure each transaction is approved only when compliance requirements are met; Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions; Risk mitigation – the need to minimize fraud exposure at the account and transaction level. A flexibly-designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to that) between the needs to remain compliant, while approving the vast majority of applications or customer transactions and, oh yeah, minimizing fraud and credit risk exposure and credit risk modeling. Sole reliance on binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues. There is also an unnecessary proportion of viable consumers unable to be serviced by your business. Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.
Experian’s Fraud and Identity Solutions team recently conducted a webinar entitled: “A risk-based approach to finding opportunity in today’s market: New approaches to fraud, compliance, and operational efficiency in an evolving economy.” I specifically discussed the current business drivers and fraud trends we, as a consumer and commercial authentication services provider, hear most often from our existing and potential clients. I was encouraged to have the following forces validated by our audience, and I thought they’d be worth sharing with you via this forum. In what I believe to be rank order with most influencing first: Customer experience is king. The addressable market for most of our clients is effectively an ever more limited pool of viable consumers. From the consumer’s perspective it’s a ‘buyer’s market’. ‘Good’ consumers know they are ‘good’ and those 750 scorers don’t tolerate poor customer service. Risk seeking credit policies may be making a comeback. Many of our clients are starting to heal from the past few years, and are ready to get back on the bike. However, this does open the door more widely for application fraud activity and risk. New products and associated solicitations and access channels translate to higher risk as fraud prevention and fraud detection processes may be less robust in the early launch stages and certainly less time-tested. Human & IT resources are still in short supply. As these new channels open and fraud risk increases, necessary fraud prevention and authentication oriented resources are still overly constrained and often significantly lagging in proportionality behind the recovery-minded marketing minds. Regulatory pressures continue to equate to higher operational costs, in the form of fraud referral rates, in process engineering and human intervention and activities, not to mention the opportunity costs associated with denial of service to those ‘good’ consumers I just mentioned. So, hosted services and solutions are where it’s at these days. Our clients want their vendors, including us at Experian, to save their IT resources, deliver quicker to market services, such as fraud models, knowledge based authentication, and other authentication tools, and provide collective capabilities that would otherwise be years away if left to the mercy of their internal development queues. All products and processes are under review, as you might imagine. Cost control is no longer a back-burner policy and focus. ROI is the key metric these days, and likely above any other. Our clients demand flexible tools that can be deployed in multiple process points and across multiple business units. Blanket policies (including fraud prevention and authentication) are no longer good enough. Our clients’ tailored products, access channels, and market segmentations require the same level of unique design in the products we deliver.
Many compliance regulations such the Red Flags Rule, USA Patriot Act, and ESIGN require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication, (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time\") offers institutions a viable strategy for balancing the following competing forces and pressures: Compliance – the need to ensure each transaction is approved only when compliance requirements are met; Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions; Risk mitigation – the need to minimize fraud exposure at the account and transaction level. A flexibly-designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to that) between the needs to remain compliant, while approving the vast majority of applications or customer transactions and, oh yeah, minimizing fraud and credit risk exposure and credit risk modeling. Sole reliance on binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues. There is also an unnecessary proportion of viable consumers unable to be serviced by your business. Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.
Learn More Image
