The term “risk-based authentication” means many things to many institutions. Some use the term to review to their processes; others, to their various service providers. I’d like to establish the working definition of risk-based authentication for this discussion calling it: “Holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time.”
Now, that “holistic assessment” thing is certainly where the rubber meets the road, right?
One can arguably approach risk-based authentication from two directions. First, a risk assessment can be based upon the type of products or services potentially being accessed and/or utilized (example: line of credit) by a customer. Second, a risk assessment can be based upon the authentication profile of the customer (example: ability to verify identifying information). I would argue that both approaches have merit, and that a best practice is to merge both into a process that looks at each customer and transaction as unique and therefore worthy of distinctively defined treatment.
In this posting, and in speaking as a provider of consumer and commercial authentication products and services, I want to first define four key elements of a well-balanced risk based authentication tool: data, detailed and granular results, analytics, and decisioning.
1. Data: Broad-reaching and accurately reported data assets that span multiple sources providing far reaching and comprehensive opportunities to positively verify consumer identities and identity elements.
2. Detailed and granular results: Authentication summary and detailed-level outcomes that portray the amount of verification achieved across identity elements (such as name, address, Social Security number, date of birth, and phone) deliver a breadth of information and allow positive reconciliation of high-risk fraud and/or compliance conditions. Specific results can be used in manual or automated decisioning policies as well as scoring models,
3. Analytics: Scoring models designed to consistently reflect overall confidence in consumer authentication as well as fraud-risk associated with identity theft, synthetic identities, and first party fraud. This allows institutions to establish consistent and objective score-driven policies to authenticate consumers and reconcile high-risk conditions. Use of scores also reduces false positive ratios associated with single or grouped binary rules. Additionally, scores provide internal and external examiners with a measurable tool for incorporation into both written and operational fraud and compliance programs,
4. Decisioning: Flexibly defined data and operationally-driven decisioning strategies that can be applied to the gathering, authentication, and level of acceptance or denial of consumer identity information. This affords institutions an opportunity to employ consistent policies for detecting high-risk conditions, reconcile those terms that can be changed, and ultimately determine the response to consumer authentication results – whether it be acceptance, denial of business or somewhere in between (e.g., further authentication treatments).
In my next posting, I’ll talk more specifically about the value propositions of risk-based authentication, and identify some best practices to keep in mind.