Working with clients in the financial sector means keeping an eye toward compliance and regulations like the Gramm-Leach-Bliley Act (GLB), the Fair Credit Reporting Act (FCRA) or the Fair and Accurate Credit Transactions Act (FACTA). It doesn’t really matter what kind of product it is: if a client is a financial institution (FI) of some kind, one of these three pieces of legislation is probably going to apply. The good part is, these clients know it and typically have staff dedicated to these functions. In my experience, where most clients need help is in understanding which regulations apply or what might be allowed under each. The truth is, a product designed to minimize fraud, like knowledge based authentication, will function the same whether it uses FCRA-regulated or non-FCRA-regulated data. The differences will be in the fraud models used with the product, the decisioning strategies set up, the questions asked and the data sources of those questions. Under GLB it is acceptable to use fraud analytics for detection purposes, as fraud detection is an approved GLB exception. Under FCRA rules, however, fraud detection is not a recognized permissible purpose for accessing a consumer’s data. Instead, the written instructions of the consumer may serve as the permissible purpose, or another permissible purpose recognized under FCRA, such as a legitimate business need due to risk of financial loss. Fraud best practices dictate engaging with clients, and their compliance teams, to ensure the correct product has been selected based on client fraud trends and client needs. A risk based authentication approach, using all available data and decisioning appropriately on that data, whether or not it includes out of wallet questions, provides the most efficient management of risk for clients and the best experience for consumers.
Ah…the summer vacation. I’ve just returned from mine and it got me wondering, “Do fraudsters take a vacation?” You know they must. Probably somewhere nice, courtesy of their illicit activities. On our summer vacation, we stayed in rental homes rather than in hotels because of the convenience of having a kitchen, more space to move around, etc. There are many websites that provide vacation home rentals, either offered by an agency or directly by the owners themselves. It would be interesting to know how many (any?) of these sites have Identity Theft Prevention Programs in place for their clients and prospective renters. Although the Red Flags rules do not apply to this industry, certainly some fraud best practices and a proactive risk management approach are good for business. In the case of homeowners dealing directly with prospective renters, what struck me is that there is quite a bit of trust involved in these arrangements. It’s safe to say that most transactions, like ours, are conducted over email and/or the phone. Payment is collected in advance by check or credit card, but in our case, and in many if not most others, there is no deposit. Since I work daily around commercial and consumer fraud, I couldn’t help but wonder what the exposure is for fraud risk and identity theft – both to the home owner as well as to the person renting the home. Just look at the information exchanged… The renter provides: name, address, phone number, email address, check (which would include account and routing number) OR credit card number and expiration date. The owner provides: name, phone number, email address, and a home or office address (to which the renter mails the payment). Additionally, the renter knows of a second address associated with the owner – the rental property itself! With account takeover fraud still quite prevalent, that’s quite a bit of personal information that both parties know about each other.
Now, the fact that these types of rental transactions occur often and without many (at least publicized) known fraud and identity theft incidents seems to indicate that people on both sides are trustworthy. Still…it does make you think of the exposure if one of the parties is less than honest….say a fraudster on their summer vacation?
By: Kristan Frend It seems as though desperate times call for desperate measures: with revenues down and business loans tougher than ever to get, “shelf” and “shell” companies appear to be on the rise. First let’s look at the difference between the two. Shelf companies are defined as corporations formed in a low-tax, low-regulation state in order to be sold off for their excellent credit rating. According to the Better Business Bureau, off-the-shelf structures were historically used to streamline a start-up, but selling them as a way to get around credit guidelines is new, making them unethical and possibly illegal. Shell companies are characterized as fictitious entities created for the sole purpose of committing fraud. They often provide a convenient method for money laundering because they are easy and inexpensive to form and operate. These companies typically do not have a physical presence, although some may set up a storefront. According to the U.S. Department of the Treasury’s Financial Crimes Enforcement Network, shell companies may even purchase corporate office “service packages” in order to appear to have established a more significant local presence. These packages often include a state business license, a local street address, an office that is staffed during business hours, a local telephone listing with a receptionist and 24-hour personalized voice mail. In one recent bust-out fraud scenario, a shell company operated out of an office building and signed up for service with a voice over Internet protocol (VoIP) provider. While the VoIP provider typically conducts on-site visits to all new accounts, this step was skipped because the account was acquired through a channel partner. During months one and two, the account maintained normal usage patterns and invoices were paid promptly. In month three, the account’s international toll activity spiked, causing the provider to question the unusual account activity.
The customer responded with a seemingly legitimate business explanation of the activity and offered additional documentation. However, the following month the account contact and business disappeared, leaving the VoIP provider with a substantial five-figure loss. A follow-up visit to the business showed a vacant office suite. While it’s unrealistic to think all shelf and shell companies can be identified, there are some tools that can help you verify businesses, identify repeat offenders, and minimize fraud losses. In the example mentioned above, a post-loss account review through Experian’s BizID identified an obvious address discrepancy: 12 businesses all listed at the same address, suggesting that the perpetrator set up numerous businesses and victimized multiple organizations. The moral of the story? Avoid being the next victim and refine and revisit your fraud best practices today.
The overarching ‘business driver’ in adopting a risk-based authentication strategy, particularly one that is founded in analytics and proven scores, is the predictive ‘lift’ associated with using scoring in place of a more binary rule set. While basic identity element verification checks, such as name, address, Social Security number, date of birth, and phone number, are important identity proofing treatments, when viewed in isolation they are not nearly as effective in predicting actual fraud risk. In other words, the presence of positive verification across multiple identity elements does not, alone, provide sufficient predictive value in determining fraud risk. Positive verification of identity elements may be achieved in customer access requests that are, in fact, fraudulent. Conversely, negative identity element verification results may be associated with ‘true’ or ‘good’ customers as well as fraudulent ones. These false positive and false negative conditions lead to a lack of predictive value and confidence, as well as inefficient and unnecessary referral and out-sort volumes. The most predictive authentication and fraud models are those that incorporate multiple data assets spanning traditionally used customer information categories such as public records and demographic data, but also utilize, when possible, credit history attributes and historic application and inquiry records. A risk-based fraud detection system allows institutions to make customer relationship and transactional decisions based not on a handful of rules or conditions in isolation, but on a holistic view of a customer’s identity and the predicted likelihood of associated identity theft, application fraud, or other fraud risk.
To implement efficient and appropriate risk-based authentication procedures, comprehensive and broadly categorized data assets must be combined with targeted analytics and consistent decisioning policies to achieve a measurably effective balance between fraud detection and positive identity proofing results. The inherent value of a risk-based approach to authentication lies in the ability to strike such a balance not only in the current environment, but also as that environment and its underlying forces shift.
By: Kristan Frend As if business owners need one more thing to worry about: according to Javelin Strategy & Research’s 2010 Identity Fraud Survey Report, respondents who defined themselves as “self-employed” or “small business owners” were one-and-a-half times more likely to be victims of identity theft. Intuitively this makes sense; business owners’ exposure would be higher than the average consumer’s, as their information is viewed more often due to the broad array of business service needs. Also consider the fact that until recently, multiple states had public records containing proprietors’ Social Security numbers, used as tax identification numbers, readily accessible online. What a perfect storm this has all created! Javelin’s report also explained that while the average fraud incidence for business owners was lower than the average consumer’s, small business owners’ consumer costs were higher. In other words, the small business owner suffered more out-of-pocket costs for identity theft losses than the average consumer. Experts believe this is because commercial accounts often do not receive the same fraud guarantee protections that consumer accounts are afforded. While compliance regulations such as the Red Flags Rules will enhance consumer safety, institutions must develop their prevention and protection methods beyond what is legally required to sufficiently protect their small business customers from future fraud attacks. Small business owner fraud, and the challenges organizations face in identifying and mitigating these losses, are frequently overlooked and overshadowed by consumer fraud. Simply put, fraud is prevented because fraud is detected: verifying that business owners are who they say they are, using multiple data sources, is critical to identifying applicant irregularities and protecting small business owners.
A well-executed fraud strategy is more than just good business – it helps reduce small business customer acquisition costs and ultimately allows you to make better business decisions, creating a mutually beneficial relationship between your organization and the small business owner.
There are a number of people within the industry heralding the death of knowledge based authentication. To those people I would say, “In my humble opinion you are as wrong as those recent tweets proclaiming the death of Bill Cosby.” Before anyone’s head spins around, let me explain. When I talk about knowledge based authentication and out of wallet questions, I mean it in the truest sense, a la dynamic questions presented as a pop quiz, and not the secret questions you answered when you set up an account. Dynamic knowledge based authentication presents questions that are generated from information known about the consumer, concerning things the true consumer would know and a fraudster wouldn’t. The key to success, and the key to good questions, is the data, which I have said many, many times before. The truth is every tool will let some fraud through; otherwise, you’re keeping too many good customers away. But if knowledge based authentication truly fails, there are two places to look: Data: There are knowledge based authentication providers who rely solely on public record data for their KBA solutions. In my opinion, that data is a higher-risk segment for compromise. Experian’s knowledge based authentication practice is disciplined and includes a mix of data. Our research has shown us that a question set should, ideally, include questions that are proprietary, non-credit, credit and innovative. Yes, it may make sense to include some public record data in a question set, but should it be the basis for the entire question set?
Providers who can rely on their own data, or a strategic combination of data sources, rather than purchasing it from one of the large data aggregators are, in my opinion, at an advantage because fraudsters would need to compromise multiple sources in order to “game the system.” Actual KBA use: Knowledge based authentication works best as part of a risk management strategy where risk based authentication is a component within the framework and not the single determining factor for passing a consumer. Our research has shown that clients who combine fraud analytics and a score with knowledge based authentication can increase authentication performance by 20% to 30% or more, depending on the portfolio and type of fraud (ID fraud vs. first-party, etc.). Adding a score has the obvious benefit of increasing fraud detection, but it also allows organizations to prioritize review rates efficiently while protecting the consumer experience. So before we write the obituary of KBA, let’s challenge those who tinker with out of wallet products, building lists of meaningless questions that a 5th grader could answer. Embrace optimized decisions with risk based authentication and employ fraud best practices in your use of KBA.
A few days ago I saw an article about hackers working from Russia while committing check fraud in the United States. In what investigators are calling a brilliant operation, the fraudsters compromised companies that archive and store records of check images, or the checks themselves. They then downloaded those check images and all available information. By printing new checks and using an old Internet “money mule” scheme, the fraudsters were able to send the bogus checks to “the mule,” often as a payment, have the check cashed at the mule’s bank, and get the balance of the funds wired to an off-shore bank account. That article made me think about new breakthroughs in technology. What if those fraudsters had been a little savvier? What if they had the most recent smart phone application installed and didn’t need a mule to wire the money? They could have simply written checks and uploaded them for deposit to an account to which they had gained access, using the hottest application du jour: deposit via a photo image uploaded from a smart phone. That application would have allowed the fraudsters to cash the bogus check, gain access to the funds and move them to the next account at will. Or would it? Given the move toward mobile banking, it isn’t really a stretch to see this kind of thing happening. Probably not, though, if the organizations offering this kind of service use a risk based authentication approach: they are then more likely to use fraud models and decisioning strategies to minimize fraud and protect consumers while pushing out the latest technology. For those reasons, risk management solutions and enterprise fraud vendors need to not only keep pace with technology but also stay ahead of the curve in order to provide optimized decisions and the most relevant fraud analytics.
Considering recent fraud trends and my love affair with mobile everything, I know I want the organizations I do business with to do everything they can to prevent fraud…and I’m positive I want my smart phone to be as smart as possible.
I often provide fraud analyses to clients, whereby they identify fraudsters that have somehow gotten through the system. We then go in and see what kinds of conditions exist in the fraudulent population that exist to a much lesser degree in the overall population. We typically do this with indicators, flags, match codes, and other conditions that we have available on the Experian end of things. But that is not to say there aren’t things on your side of the fence that could be effective indicators of fraud risk as well! One simple example could be geography. If 50% of your known frauds are coming from a state that only sees 5% of your overall population, then that state sounds like a great indicator of fraud risk! What action you take based on this knowledge is up to you (and, I suppose, government regulation). One option would be to route the risky customers through a more onerous authentication procedure. For example, they might have to come into a branch in person to validate their identity. Geography is certainly not the only potential indicator of fraud risk. Be creative! There might be previously untapped indicators of fraud risk lurking in your customer databases. Do not limit yourself to intuition either. Oftentimes the best indicators of fraud risk that I find are counterintuitive. Just compare the percentage of the time a condition occurs in your fraud population to the percentage of the time it occurs in the overall population. It might be that you have a fraud ring that is leaving some telltale fingerprint on their behavior, one that is actionable in ways that will jumpstart your fraud prevention practices and minimize fraud losses!
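The comparison described above, the share of your known frauds showing a condition against the share of your whole population showing it, is simple enough to script against your own customer database. The following is an added example written for this page; it is not Experian's tooling or the author's own analysis. The application records are constructed so that one state (NV) holds 5% of all records but 50% of the confirmed frauds, matching the geography illustration; the other two conditions, the "all elements verified" flag and the "new e-mail domain" flag, are assumed attributes drawn at random, with the verified flag deliberately more common among frauds to show the counterintuitive case the post mentions.

```python
"""Ranking candidate fraud indicators by lift against the overall population.

Added example: not Experian's tooling or the author's analysis, only an
implementation of the comparison the post describes.  All records below are
constructed; the attribute names and rates are assumptions.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class Application:
    state: str
    all_elements_verified: bool  # name, address, SSN, DOB and phone all matched
    new_email_domain: bool       # e-mail domain registered recently (assumed flag)
    is_fraud: bool               # confirmed by the client's post-loss review


OTHER_STATES = ["CA", "TX", "NY", "FL", "OH", "IL"]


def build_sample(seed: int = 7) -> list:
    """Constructed population: 1,000 applications, 40 of them confirmed frauds."""
    rng = random.Random(seed)
    apps = []
    for i in range(1000):
        fraud = i < 40
        # 20 of the 40 frauds and 30 of the 960 goods come from NV:
        # 50 NV records (5% of the book) carrying 50% of the frauds.
        state = "NV" if (i < 20 or 40 <= i < 70) else rng.choice(OTHER_STATES)
        # Deliberately counterintuitive: frauds built on complete stolen
        # identities verify *more* cleanly than the good population does.
        verified = rng.random() < (0.8 if fraud else 0.5)
        new_domain = rng.random() < (0.3 if fraud else 0.1)
        apps.append(Application(state, verified, new_domain, fraud))
    return apps


CONDITIONS = {
    "state_NV": lambda a: a.state == "NV",
    "all_elements_verified": lambda a: a.all_elements_verified,
    "new_email_domain": lambda a: a.new_email_domain,
}


def indicator_lift(apps, conditions, min_fraud_count=5):
    """Return [(name, share_of_frauds, share_of_population, lift)] sorted by lift.

    lift = P(condition | fraud) / P(condition).  A lift of 10 means the
    condition is ten times as common among frauds as in the book overall.
    Conditions seen on fewer than min_fraud_count frauds are dropped: a
    huge lift on two cases is noise, not a strategy.
    """
    frauds = [a for a in apps if a.is_fraud]
    rows = []
    for name, cond in conditions.items():
        hits_all = sum(1 for a in apps if cond(a))
        hits_fraud = sum(1 for a in frauds if cond(a))
        if hits_fraud < min_fraud_count or hits_all == 0:
            continue
        share_pop = hits_all / len(apps)
        share_fraud = hits_fraud / len(frauds)
        rows.append((name, share_fraud, share_pop, share_fraud / share_pop))
    return sorted(rows, key=lambda r: r[3], reverse=True)


if __name__ == "__main__":
    for name, f, p, lift in indicator_lift(build_sample(), CONDITIONS):
        print(f"{name:24s} frauds={f:5.1%} population={p:5.1%} lift={lift:5.2f}")
```

Run against real data, the conditions dictionary is where your own flags go (channel, time of day, device, branch, anything already in the customer record). The minimum support threshold matters: with a few hundred frauds, rare conditions will produce spectacular lifts that do not survive the next month.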
I have already commented on “secret questions” as the root of all evil when considering tools to reduce identity theft and minimize fraud losses. No, I’m not quite ready to jump off that soapbox…not just yet, not when we’re deep into the season of holiday deals, steals and fraud. The answers to secret questions are easily guessed, easily researched, or easily forgotten. Is this the kind of security you want standing between your account and a fraudster during the busiest shopping time of the year? There is plenty of research demonstrating that fraud rates spike during the holiday season. There is also plenty of research demonstrating that fraudsters perpetrate account takeover by changing the PIN, address, or e-mail address of an account – activities that could be treated as risky behavior in decisioning strategies. So, what is the best approach to identity theft red flags and fraud account management? A risk based authentication approach, of course! Knowledge Based Authentication (KBA) provides strong authentication and can be part of a multifactor authentication environment without a negative impact on the consumer experience, if the purpose is explained to the consumer. Let’s say a fraudster is trying to change the PIN or e-mail address of an account. When one of these risky behaviors is initiated, a Knowledge Based Authentication session begins. To help minimize fraud, the action is prevented if the KBA session is failed. Using this same logic, it is possible to apply a risk based authentication approach to overall account management at many points of the lifecycle:
• Account funding
• Account information change (PIN, e-mail, address, etc.)
• Transfers or wires
• Requests for line/limit increase
• Payments
• Unusual account activity
• Authentication before engaging with a fraud alert representative
Depending on the risk management strategy, additional methods may be combined with KBA, such as IVR or out-of-band authentication, and follow-up contact via e-mail, telephone or postal mail. Of course, all of this ties in with what we would consider to be a comprehensive Red Flag Rules program. Risk based authentication, as part of a fraud account management strategy, is one of the best ways we know to ensure that customers aren’t left singing, “On the first day of Christmas, the fraudster stole from me…”
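To make the account-management pattern concrete, here is an added example of an event-driven step-up policy. It is not Experian's product logic or the author's code. It follows the post's sequence: a risky event starts a KBA session, the action is prevented when the session fails, and repeated failures route the account to a fraud alert representative. The event weights, the score bands, the 24-hour velocity window and the generic 0-999 fraud score are all assumptions to be tuned per portfolio.

```python
"""Event-driven step-up authentication for account management.

Added example, not Experian's decisioning or the author's code.  Weights,
score bands and the velocity window are assumptions.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from enum import Enum
from typing import Optional


class Treatment(Enum):
    ALLOW = "allow"
    KBA = "kba"                      # dynamic out-of-wallet questions
    KBA_AND_OOB = "kba+out_of_band"  # KBA plus callback/OTP to a contact already on file
    BLOCK = "block"                  # refuse; hand off to a fraud alert representative


# Assumed base risk of each event (0 = routine, 4 = money leaves the account now).
EVENT_WEIGHT = {
    "balance_inquiry": 0,
    "payment": 1,
    "account_funding": 2,
    "limit_increase": 2,
    "transfer": 3,
    "info_change": 3,   # PIN, e-mail, address, phone
    "wire": 4,
}

T0 = datetime(2010, 12, 20, 9, 0)   # constructed timestamp for the walkthrough
HOUR = timedelta(hours=1)


@dataclass
class AccountState:
    fraud_score: int                 # assumed generic score, 0-999, higher is riskier
    known_device: bool
    change_attempts: list = field(default_factory=list)  # timestamps of info_change attempts
    kba_failures: int = 0


def decide(state: AccountState, event: str, when: datetime) -> Treatment:
    """Pick the authentication treatment for one event from a holistic risk view."""
    if state.kba_failures >= 2:
        return Treatment.BLOCK
    risk = EVENT_WEIGHT[event]
    if not state.known_device:
        risk += 2
    if state.fraud_score >= 700:
        risk += 2
    elif state.fraud_score >= 400:
        risk += 1
    # Velocity: a second contact-detail change inside 24h is the classic
    # takeover pattern (change the e-mail, then the PIN, then move money).
    if event == "info_change" and any(when - t <= 24 * HOUR for t in state.change_attempts):
        risk += 2
    if risk <= 1:
        return Treatment.ALLOW
    if risk <= 4:
        return Treatment.KBA
    return Treatment.KBA_AND_OOB


def apply_event(state: AccountState, event: str, when: datetime,
                kba_passed: Optional[bool] = None):
    """Run the policy for one event and return (treatment, permitted).

    kba_passed is the outcome of the KBA session when one was required;
    None means no session was run, which only permits the action under ALLOW.
    """
    treatment = decide(state, event, when)
    if event == "info_change":
        state.change_attempts.append(when)   # count attempts, not just successes
    if treatment is Treatment.BLOCK:
        return treatment, False
    if treatment is Treatment.ALLOW:
        return treatment, True
    if kba_passed:
        return treatment, True
    state.kba_failures += 1                  # failed or skipped session: action prevented
    return treatment, False


def takeover_attempt():
    """Constructed walkthrough: high-score account, unknown device, e-mail then PIN change."""
    acct = AccountState(fraud_score=750, known_device=False)
    log = [apply_event(acct, "info_change", T0, kba_passed=False)]            # e-mail change
    log.append(apply_event(acct, "info_change", T0 + HOUR, kba_passed=False))  # PIN change
    log.append(apply_event(acct, "wire", T0 + 2 * HOUR, kba_passed=True))      # now locked out
    return log


if __name__ == "__main__":
    for treatment, permitted in takeover_attempt():
        print(treatment.value, "permitted" if permitted else "prevented")
```

Two design points worth keeping when adapting this: count attempted changes, not only successful ones, so a fraudster who fails KBA on the e-mail change still raises the risk of the PIN change that follows; and make the lockout send the account to a fraud alert representative rather than simply returning an error, since that is the point at which the true customer, if it is the true customer, needs help.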
Many compliance regulations, such as the Red Flags Rule, the USA PATRIOT Act, and ESIGN, require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time”) offers institutions a viable strategy for balancing the following competing forces and pressures:
• Compliance – the need to ensure each transaction is approved only when compliance requirements are met;
• Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions;
• Risk mitigation – the need to minimize fraud exposure at the account and transaction level.
A flexibly designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to it) between the need to remain compliant, the need to approve the vast majority of applications or customer transactions and, oh yeah, the need to minimize fraud and credit risk exposure. Sole reliance on a binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues, and leave an unnecessary proportion of viable consumers unable to be serviced by your business.
Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.
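The referral-queue argument made here, and in the earlier post on predictive lift, can be checked on a constructed population. The following is an added example for this page, not Experian's decisioning engine or the authors' code. It builds a book of applications in which each record carries the outcome of five identity element checks and a generic fraud score, then compares the binary rule "refer whenever any element fails to verify" with a score cutoff. The population size, the 2% fraud rate, the per-element failure probabilities and the score generator are all assumptions chosen to illustrate the point, not measured values.

```python
"""Binary referral rules versus a score cutoff on the same population.

Added example; not Experian's code.  Population, failure rates and the score
generator are assumptions used to illustrate the referral-volume argument.
"""
import random
from dataclasses import dataclass

ELEMENTS = ("name", "address", "ssn", "dob", "phone")


@dataclass(frozen=True)
class Applicant:
    verified: dict    # element -> True if it verified cleanly
    score: int        # 0-999, higher = riskier (assumed generic fraud score)
    is_fraud: bool


def build_population(seed=11, n=20000, fraud_rate=0.02):
    """Constructed book: goods often fail one element (moves, typos, thin
    files); frauds built on stolen identities often verify cleanly."""
    rng = random.Random(seed)
    pop = []
    for _ in range(n):
        fraud = rng.random() < fraud_rate
        p_fail = 0.12 if fraud else 0.08              # assumed per-element failure rate
        verified = {e: rng.random() >= p_fail for e in ELEMENTS}
        mean = 650 if fraud else 350                  # assumed score separation, with overlap
        score = min(999, max(0, round(rng.gauss(mean, 130))))
        pop.append(Applicant(verified, score, fraud))
    return pop


def binary_policy(a):
    """Refer if any identity element failed to verify."""
    return not all(a.verified.values())


def score_cutoff_for_rate(pop, rate):
    """Highest score cutoff that refers at least `rate` of the population."""
    ranked = sorted((a.score for a in pop), reverse=True)
    k = max(1, round(rate * len(ranked)))
    return ranked[k - 1]


def evaluate(pop, refer):
    """Referral rate, share of frauds caught, and frauds per 100 referrals."""
    referred = [a for a in pop if refer(a)]
    frauds = [a for a in pop if a.is_fraud]
    caught = sum(1 for a in referred if a.is_fraud)
    return {
        "referral_rate": len(referred) / len(pop),
        "fraud_capture": caught / len(frauds),
        "frauds_per_100_referrals": 100 * caught / max(1, len(referred)),
    }


def compare(seed=11):
    pop = build_population(seed)
    binary = evaluate(pop, binary_policy)
    # Give the score the same review budget the binary rule consumes...
    cutoff_same = score_cutoff_for_rate(pop, binary["referral_rate"])
    same_budget = evaluate(pop, lambda a: a.score >= cutoff_same)
    # ...and then a much smaller one.
    cutoff_5 = score_cutoff_for_rate(pop, 0.05)
    five_pct = evaluate(pop, lambda a: a.score >= cutoff_5)
    return {"binary": binary, "score_same_budget": same_budget, "score_5pct": five_pct}


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:18s}", {k: round(v, 3) for k, v in result.items()})
```

The shape of the result is what the post predicts: the binary rule sends roughly a third of the book to manual review and still misses about half of the frauds, because stolen identities verify cleanly; the score catches more frauds at the same review budget and, at a 5% referral rate, still beats the binary rule on capture while cutting the queue several-fold. Real separation will be smaller than the assumed one, which is exactly why the next post's validation questions matter.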
On Friday, October 30th, the FTC again delayed enforcement of the “Red Flags” Rule – this time until June 1, 2010 – for financial institutions and creditors subject to the FTC’s enforcement. Here’s the official release: http://www.ftc.gov/opa/2009/10/redflags.shtm. But this doesn’t mean businesses get a free pass until then. The extension doesn’t apply to other federal agencies that have enforcement responsibilities for institutions under their jurisdiction. And the extension also doesn’t alleviate an institution’s need to detect and respond to address discrepancies on credit reports. Implementing best practices to address identity theft under the Red Flags Rule is not just the law, it’s good business. The damage to reputation and consumer confidence from a problem gone unchecked, or worse yet unidentified, can be catastrophic. I encourage all businesses – if they haven’t already done so – to use this extension as an opportunity to proactively put a Red Flags Rule program in place and ensure compliance. It’s an investment in protecting their most important asset – the customer.
By: Kennis Wong In Part 1 of Generic fraud score, we emphasized the importance of a risk-based approach when it comes to fraud detection. Here are some further questions you may want to consider. What is the performance window? When a model is built, it has a defined performance window. That means the score is predicting a certain outcome within that time period. For example, a traditional risk score may be predicting accounts that deteriorate within twenty-four months. That score may not perform well if your population typically worsens in two months. This question is particularly important when it relates to scoring your population. For example, if a bust-out score has a performance window of three months, and you score your accounts at the time of acquisition, it would only catch accounts that are busting out within the next three months. As a result, you should score your accounts during periodic account reviews in addition to the time of acquisition to ensure you catch all bust-outs. Which accounts should I score? While it’s typical for creditors to use a fraud score on every applicant at the time of acquisition, they may not score all their accounts during review. For example, they may exclude inactive accounts or older accounts, assuming that a long history means less likelihood of fraud. This mistake may be expensive. For instance, the typical bust-out behavior is for fraudsters to apply for cards well before they intend to bust out. This may be forty-eight months or more. So when you think they are good and profitable customers, they can strike and leave you with serious injury. The recommended approach, therefore, is to score your entire portfolio during account review, and to make sure the fraud database used to tag outcomes is updated and accurate. How often do I validate the score? The answer is very often -- this may be monthly or quarterly.
You want to understand whether the score is working for you – do your actual results match the volume and risk projections? Shifts of your score distribution will almost certainly occur over time. To meet your objectives over the long run, continue to monitor and adjust cutoffs. Keep your fraud database updated at all times.
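The monitoring the post asks for, checking whether the score distribution has shifted and whether the cutoff still produces the planned referral volume, is a short script. What follows is an added example written for this page; it is not Experian's validation procedure or the author's code. It measures the shift with the population stability index (PSI) over fixed score bands, reports the referral rate the development-time cutoff now produces, and finds the cutoff that restores the planned rate. Both score samples are constructed; the band edges and the assumed upward drift of 60 points are illustrative, and the PSI thresholds quoted in the comments are the usual rule of thumb rather than a standard.

```python
"""Validating a deployed fraud score: distribution shift and cutoff drift.

Added example, not Experian's validation procedure.  Score samples are
constructed; band edges and the +60 point drift are assumptions.
"""
import math
import random
from bisect import bisect_right

BANDS = [200, 300, 400, 500, 600, 700]   # assumed score cutpoints: 7 bands


def band_shares(scores, cutpoints=BANDS):
    """Share of scores falling in each band defined by the cutpoints."""
    counts = [0] * (len(cutpoints) + 1)
    for s in scores:
        counts[bisect_right(cutpoints, s)] += 1
    return [c / len(scores) for c in counts]


def psi(expected, actual, eps=1e-6):
    """Population Stability Index between two band-share vectors.

    PSI = sum((actual - expected) * ln(actual / expected)).  Usual rule of
    thumb: below 0.10 stable, 0.10-0.25 watch, above 0.25 the population
    has moved enough that cutoffs and volume projections need revisiting.
    """
    total = 0.0
    for e, a in zip(expected, actual):
        e, a = max(e, eps), max(a, eps)        # guard empty bands
        total += (a - e) * math.log(a / e)
    return total


def referral_rate(scores, cutoff):
    """Fraction of the population at or above the cutoff (sent to review)."""
    return sum(1 for s in scores if s >= cutoff) / len(scores)


def cutoff_for_target_rate(scores, target_rate):
    """Highest cutoff that still refers at least target_rate of the population."""
    ranked = sorted(scores, reverse=True)
    k = max(1, math.ceil(target_rate * len(ranked)))
    return ranked[k - 1]


def build_samples(seed=3, n=5000, drift=60):
    """Constructed scores: development sample vs. a later month drifted upward."""
    rng = random.Random(seed)
    dev = [min(999, max(0, round(rng.gauss(400, 120)))) for _ in range(n)]
    cur = [min(999, max(0, round(rng.gauss(400 + drift, 120)))) for _ in range(n)]
    return dev, cur


def run_monitoring(target_referral_rate=0.05):
    """One month's check: stability, actual vs. planned volume, recalibrated cutoff."""
    dev, cur = build_samples()
    cutoff = cutoff_for_target_rate(dev, target_referral_rate)   # set at development
    return {
        "psi": psi(band_shares(dev), band_shares(cur)),
        "planned_cutoff": cutoff,
        "planned_referral_rate": referral_rate(dev, cutoff),
        "current_referral_rate": referral_rate(cur, cutoff),
        "recalibrated_cutoff": cutoff_for_target_rate(cur, target_referral_rate),
    }


if __name__ == "__main__":
    for key, value in run_monitoring().items():
        print(f"{key:24s} {value:.3f}" if isinstance(value, float) else f"{key:24s} {value}")
```

A rising referral rate at a fixed cutoff is the symptom; PSI tells you whether the cause is the population moving under the score. Moving the cutoff restores the volume, but if the shift is large the outcome rates per band also need re-checking against the tagged fraud file before trusting the recalibrated cutoff.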
By: Kennis Wong In this blog, we have repeatedly emphasized the importance of a risk-based approach when it comes to fraud detection. Scoring and analytics are essentially the heart of this approach. However, unlike the rule-based approach, where users can easily understand the results (i.e. was the S.S.N. reported deceased? Yes/No; is the application address the same as the best address on the credit bureau? Yes/No), scores are generated in a black box where the reason for the eventual score is not always apparent. Hence more homework needs to be done when selecting and using a generic fraud score to make sure it satisfies your needs. Here are some basic questions you may want to ask yourself: What do I want the score to predict? This may seem like a very basic question, but it does warrant your consideration. Are you trying to detect first-party fraud, third-party fraud, bust-out fraud, first payment default, never pay, or a combination of these? These questions are particularly important when you are validating a fraud model. For example, if you only have third-party fraud tagged in your test file, a bust-out fraud model would not perform well, and the validation would just be a waste of your time. What data was used for model development? Was the score built on sub-prime credit card data, auto loan data, retail card data or something else? It’s not a definite deal breaker if the score was built with credit card data and you have a retail card portfolio; it may still perform well for you. If the populations are too far apart, though, you may not get good results. Moreover, you also want to understand the number of different portfolios used for model development. For example, if only one creditor’s data was used, the score may not have general applicability to other portfolios.
By: Kristan Keelan What do you think of when you hear the word “fraud”? Someone stealing your personal identity? Perhaps the recent news story of the five individuals indicted for gaining more than $4 million from 95,000 stolen credit card numbers? It’s unlikely that small business fraud was at the top of your mind. Yet, just like consumers, businesses face a broad range of first- and third-party fraud behaviors, varying significantly in frequency, severity and complexity. Business-related fraud trends call for new fraud best practices to minimize fraud. First let’s look at first-party fraud. A first-party, or “victimless,” fraud profile is characterized by some form of material misrepresentation (for example, misstating revenue figures on the application) by the business owner, without that owner’s intent or immediate capacity to pay the loan item. Historically, during periods of economic downturn or misfortune, this type of fraud is more common. This intuitively makes sense: individuals under extreme financial pressure are more likely to resort to desperate measures, such as misstating financial information on an application to obtain credit. Third-party commercial fraud occurs when a third party steals the identification details of a known business or business owner in order to open credit in the business victim’s name. With creditors becoming more stringent with credit-granting policies on new accounts, we’re seeing seasoned fraudsters shift their focus to taking over existing business or business owner identities. Overall, fraudsters seem to be migrating from consumer to commercial fraud. I think one of the most common reasons for this is that commercial fraud doesn’t receive the same amount of attention as consumer fraud. Thus, it’s become easier for fraudsters to slip under the radar by perpetrating their crimes through the commercial channel. Also, keep in mind that businesses are often not seen as victims in the same way that consumers are.
For example, victimized businesses aren’t afforded the protections that consumers receive under identity theft laws, such as access to credit information. These factors, coupled with the fact that business-to-business fraud is approximately three-to-ten times more “profitable” per occurrence than consumer fraud, play a role in leading fraudsters increasingly toward commercial fraud.
By: Kennis Wong As I said in my last post, when consumers and the media talk about fraud and fraud risk, they are usually referring to third-party fraud. When financial institutions or other organizations talk about fraud and fraud best practices, they usually refer to both first- and third-party fraud. The lesser-known fraud cousin, first-party fraud, does not involve stolen identities. As a result, first-party fraud is sometimes called victimless fraud. However, “victimless” couldn’t be further from the truth. The true victims of these frauds are the financial institutions that lose millions of dollars to people who intentionally defraud the system. First-party fraud happens when someone uses his or her own identity, or a fictitious identity, to apply for credit without the intention of fulfilling the payment obligation. As you can imagine, detection of this type of fraud is very difficult. Since the fraudsters are mostly who they say they are, you can’t check for inconsistencies in the identities on their applications; third-party fraud models and authentication tools will have no effect on first-party fraud. Moreover, the line between first-party fraud and regular credit risk is very fuzzy. According to Wikipedia, credit risk is the risk of loss due to a debtor’s non-payment of a loan or other line of credit. Doesn’t that definition sound similar to first-party fraud? In practice, the distinction is even blurrier. That’s why many financial institutions put first-party fraud in the credit risk bucket. But there is one subtle difference: the intent of the debtor. Were the applicants planning not to pay when they applied for or used the credit? If so, that’s first-party fraud. To effectively detect fraud of this type, fraud models need to look into the intention of the applicants.