Fraud & Identity Management
In “An ounce of prevention is worth a pound of cure” Kristan Frend touched on the vulnerabilities faced by members of our Armed Services. That post made me think about recent fraud trends. Over the course of this spring and summer, I attended a few conferences and at one of these events something a bit disturbing occurred – a staff member for one of the exhibitors was victimized during the event. The individual’s wallet, containing cash and credit cards, was stolen along with the person’s passport and the victim didn’t realize it until they received their wake-up call the next morning. The few people who heard about it wondered “How could this happen at an event of industry professionals?” The answer is simple. Even industry professionals are every-day consumers, vulnerable to attack. As part of our Knowledge Based Authentication practice, Experian engages in blind focus group interviews with “every-day consumers” facilitated by an independent consulting group on Experian’s behalf. What we learn during those sessions informs our best practices for many of the fraud products and guides our process for new question generation in Knowledge Based Authentication. It is also an eye-opening experience. Through our research we have learned that participant consumers are now more aware and accepting of Knowledge Based Authentication than in past years. Knowledge Based Authentication has become a bellwether, consumers expect it. They also expect organizations they deal with to have an Identity Theft Prevention Program – and the ability to recognize when something “just isn’t right” about a situation. However, few participants cited a comprehensive strategy to protect themselves against identity theft, and even fewer actually demonstrated a commitment to follow a strategy, even when they had one. During open and honest conversation in a relaxed setting, participants revealed their true behavior. Many admitted they still use the same password for all their accounts, write their passwords down, and keep copies of their passwords in easily accessible places, such as a purse or a wallet, a desk drawer or an online application. The bottom line is this: Most people will attempt to do what they think they should to protect themselves from identity theft, including shredding or tearing up mail offers, selectively using credit cards and/or monitoring their garbage. However, if the process is too cumbersome or if it requires that they remember too much, they will default to old habits. As Kristan pointed out, thieves may increasingly rely on computer attacks to gather data, but many still resort to low-tech methods like dumpster diving, mail tampering, and purse and wallet theft to obtain privacy sensitive information. When that purse or wallet contains not only personally identifiable information, but also account passwords, the risk levels are significantly higher. Cyber attacks are a threat, but a consumer’s own behavior may be just as risky. As for the victim in this story… a very sharp desk clerk at a neighboring hotel thought it strange that someone was checking-in for a number of days without a reservation at full rate and without luggage, which started the ball rolling and led to the perpetrator being caught and the victim getting everything back except for some cash that had been spent at a coffee merchant. Clearly, this close call didn’t turn-out as badly as it could have.
By: Kristan Frend Last week I came across a news article that said the NYPD arrested 26 people who allegedly took at least $5 million from stealing identities. What I found most disturbing was that criminals allegedly affected more than 200 soldiers, including many of whom were unaware of what was happening, since they were serving overseas. To help reduce the risk of identity theft and minimize fraud losses, all three major credit bureaus provide Active- Duty Alerts, which allow deployed soldiers to have their credit frozen while they are overseas. While these fraud alerts, coupled with financial institutions implementing identity theft programs, can help prevent identity theft losses, what is being done to reduce the risk of military personnel data being exposed and stolen? As social security numbers play a key role in identity theft, I was surprised and disturbed to learn that government issued military ID cards include the card holder’s social security number in full on the front. This creates an obvious security vulnerability to the card holder. Especially considering that the military ID card must be shown in a number of situations, such as getting on and off base, medical care, picking up prescriptions, entering a base shopping exchange, mess hall, etc. There are many situations where the service member encounters people in positions that were once filled by military personnel but are now filled by civilians, who may not have the same code of honor toward others in the military community. While it’s true that thieves are increasingly using computer hacking, phishing, malware, spyware and key stroke loggers to gather SSNs, thieves still resort to low-tech methods like dumpster diving, mail tampering, and purse and wallet theft to obtain privacy sensitive information. The need to show ID so often and the fact that it contains all of their pertinent data, puts service members at particular risk when they may be in harm’s way, focused more on missions than money missing from their bank account. The good news is that the Department of Defense launched a Social Security Number reduction initiative consisting of a phased removal of SSNs. Phase one, removal of dependent SSNs from ID cards is underway. Phase two, removal of printed SSNs from all cards has been placed on hold indefinitely, and phase three, removal of SSNs embedded in barcodes will begin in 2012. My point is not to be critical of the use of SSNs; I think we all can agree that the use of SSNs have become an integral part of our culture. However, we should look to see that organizations carefully balance the value of how SSNs are used with the vulnerabilities that its use creates. The old adage “an ounce of prevention is worth a pound of cure” could never be truer than with identity theft. The easiest way to minimize fraud is to avoid it by not giving criminals the opportunity to perpetrate identity theft against individuals.
By: Kennis Wong Several weeks ago, I attended and presented at Experian’s sold-out annual conference, Vision, in Phoenix, Arizona. One of the guest speakers was Malcolm Gladwell, best-selling author of The Tipping Point, Blink, Outliers and What the Dog Saw: And Other Adventures. Since I've read three of his four books, I could be considered a fan. And yes, his hair did look as wild in person as it appears in the pictures on the insides of his book covers. But that was not why I was so impressed by his speech. The real reason was that his topic was so relevant to how Experian Decision Analytics delivers value to our clients. Gladwell spent the whole hour addressing the difference between “puzzle” and “mystery”, providing abundant examples for both. The puzzle-versus-mystery topic was from one of his articles in The New Yorker. To solve a puzzle, one or more pieces of information are needed. The source of the problem is that insufficient data is available to have a conclusive answer to the question. An example would be finding Osama Bin Laden’s whereabouts. We simply do not have enough information to locate him, and we need more intelligence. On the other hand, a mystery is not solved by simply gathering more information. It is a matter of making sense out of a massive amount of data available, using analysis and judgment. Enron’s creative accounting was an example of a mystery. All the information was out in the open. Pages and pages of SEC filings and annual reports were there for anyone who was willing and able to analyze them. All that was needed to solve the mystery was to make sense out of the data. In the Fraud and Identity Solutions team, we satisfy clients’ needs by providing solutions for both puzzles and mysteries to fend off fraudsters. Besides the core credit bureau data, we have demographic data, fraud consortium data, past application data, automotive data and much more. We also have strategic partnerships to deliver demand deposit account, cell phone, and device data. All these data sources ensure that our clients get the data they need to piece the puzzle together. Our consulting and analytics, on the other hand, help clients to solve mysteries. Looking at individual pieces of disparate data is inefficient and provides little or no value. That’s why our numerous scoring solutions combine the available data in a way that is most predictive of various fraud outcomes. For example, our Precise ID Score and Fraud Shield Score Plus predict first- and third-party fraud; our BustOut Score predicts the likelihood of bust outs; our Never Pay score predicts the likelihood of a consumer never making a payment. As more data are available, we incorporate them into existing or new models if it increases the effectiveness of the models. So we have both the puzzle and mystery grounds covered. A note to Malcolm Gladwell: Great job at Vision! If you write a book about this topic, I’ll definitely buy it.
With the upcoming changes to overdraft fee policies coming to the banking industry July 1st, courtesy of the Federal Reserve, banks and credit unions are re-examining the revenue growth opportunities through their new account opening process. We frequently hear from our fraud risk and operations client partners that when there is a push for revenue growth, fraud detection gets de-prioritized as a trade off to bringing in more new customers. A DDA-friendly risk based authentication approach may offer some compromise to this seemingly “one for one” exchange. Here are some quick revenue-friendly, risk-averse practices being seen in the branches, call centers, and online channels of Experian clients: • Drive referrals to knowledge based authentication (KBA), negative record checks (account abuse, fraud records) or both off of an upfront fraud score, such as the Precise ID(SM) for Account Opening score. Segmenting based on risk is cost efficient and promotes an improved customer experience. • Bolster the fraud defenses of your online channel by raising the “pass” or “accept” threshold. The lower acquisition costs for this online account opening are tempting but this is also the venue most exploited by fraudsters. Some incremental manual reviews should work out as a small price to pay to catch the higher prevalence of fraud. • Cross sell and up sell with confidence based on more comprehensive authentication. By applying appropriate risk based authentication strategies, more products can be offered and exposure is reduced because you know you are dealing with the true consumer.
I often provide fraud analyses to clients, whereby they identify fraudsters that have somehow gotten through the system. We then go in and see what kinds of conditions exist in the fraudulent population that exist to a much lesser degree in the overall population. We typically do this with indicators, flags, match codes, and other conditions that we have available on the Experian end of things. But that is not to say there aren't things on your side of the fence that could be effective indicators of fraud risk as well! One simple example could be geography. If 50% of your known frauds are coming from a state that only sees 5% of your overall population, then that state sounds like a great indicator of fraud risk! What action you take based on this knowledge is up to you (and, I suppose, government regulation). One option would be to route the risky customers through a more onerous authentication procedure. For example, they might have to come into a branch in person to validate their identity. Geography is certainly not the only potential indicator of fraud risk. Be creative! There might be previously untapped indicators of fraud risk lurking in your customer databases. Do not limit yourself to intuition either. Oftentimes the best indicators of fraud risk that I find are counterintuitive. Just compare the percentage of time a condition occurs in your fraud population to the percentage of time it occurs in the overall population. It might be that you have a fraud ring that is leaving some telltale fingerprint on their behavior--one that is actionable in ways that will jumpstart your fraud prevention practices and minimize fraud losses!
In case you’ve never heard of it, a Babel fish is a small translator; that allows a carrier to understand anything said in any form of language. Alta Vista popularized the name but I believe Douglas Adams, author of The Hitchhiker’s Guide to the Galaxy, should be given credit for coining the term. So, what does a Babel fish have to do with Knowledge Based Authentication? Knowledge Based Authentication is always about the data – I have said this before. There is one universal truth: data doesn’t lie. However, that doesn’t mean it is easy to understand what the data is saying. It is a bit like a foreign language. You may have taken classes, and you can read the language or carry on a passable conversation, but that doesn’t mean it’s a good idea to enter into a contract – at least, not without an attorney who speaks the language, or your very own Babel fish. Setting up the best Knowledge Based Authentication configuration for risk management of your line of business can sometimes seem like that contract in a foreign language. There are many decisions to be made and the number of questions to present and which questions to ask is often the easy part. To truly get the most out of fraud models, it is necessary to consider where the score cuts that will be used with your Knowledge Based Authentication session will be set and what methodology will be used to invoke the Knowledge Based Authentication session: objective score performance, manual review and decision, etc. It is also important to consider the “kind of fraud” you might be seeing. This is where it is helpful to have your very own Babel fish – one designed specifically for fraud trends, fraud data, fraud models and Knowledge Based Authentication. If your vendor doesn’t offer you a Babel fish, ask for one. Yours could have one of many titles, but you will know this person when you speak with them, for their level of understanding of not only your business but, more importantly, your data and what it means. Sometimes the Babel fish will work in Consulting, sometimes in Product Management, sometimes in Analytics – the important thing is that there are fraud-specific experts available to you. Think about that for a minute. Business today is a delicate balance between customer experience/relationship management and risk management. If your vendor can’t offer you a Babel fish, tell them you have fish to fry – elsewhere.
We've blogged about fraud alerts, fraud analytics, fraud models and fraud best practices. Sometimes, though, we delude ourselves into thinking that fraud prevention strategies we put into place today will be equally effective over time. Unfortunately, when a rat finds a dead-end in a previously-learned maze, it just keeps hunting for an exit. Fraudsters are no different. Ideally we want to seal off all the exits, and teach the rats to go and do something productive with their lives, but sadly that is not always the case. We also don't want to let too many good consumers get stuck either, so we cannot get too trigger-happy with our fraud best practices. Fraud behavior is dynamic, not static. Fraudsters learn and adapt to the feedback they receive through trial and error. That means when you plug a hole in your system today, there will be an increased push to seek out other holes tomorrow. This underscores the importance of keeping a close eye on your fraudsters' behavior trends. But there must be some theoretical breaking point where the fraudsters simply give up trying--at least with your company. This behavioral extinction may be idealistic in the general sense, but is nonetheless a worthy goal as related to your business. One of the best things you can do to prevent fraud is to gain a reputation amongst the fraudsters of, "Don't even try, it's not even worth it." And even if you don't succeed in getting them to stop trying altogether, it's still satisfying to know you are lowering their ROI while improving yours
Well, in my last blog, I was half right and half wrong. I said that individual trade associations and advocacy groups would continue to seek relief from Red Flag Rules ‘coverage’ and resultant FTC enforcement. That was right. I also said that I thought the June 1 enforcement date would ‘stick’. That was wrong. Said FTC Chairman Jon Leibowitz, “Congress needs to fix the unintended consequences of the legislation establishing the Red Flag Rule – and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift. As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.” I think the key words here are ‘unintended consequences’. It seems to me that the unintended consequences of the Red Flag Rules reach far beyond just which industries are covered or not covered (healthcare, legal firms, retailers, etc). Certainly, the fight was always going to be brought on by non-financial institutions that generally may not have had a robust identity authentication practice in place as a general baseline practice. What continues to be lost on the FTC is the fact that here we are a few years down the road, and I still hear so much confusion from our clients as to what they have to do when a Red Flag compliance condition is detected. It’s easy to be critical in hindsight, yes, but I must argue that if a bit more collaboration with large institutions and authentication service providers in all markets had occurred, creating a more detailed and unambiguous Rule, we may have seen the original enforcement date (or at least one of the first or second postponement dates) ‘stick’. At the end of the day, the idea of mandating effective and market defined identity theft protection programs makes a lot of sense. A bit more intelligence gathering on the front end of drafting the Rule may, however, have saved time and energy in the long run. Here’s hoping that December 31st ‘sticks’…I’m done predicting.
By: Kristan Frend I recently gave a presentation on small business fraud at the annual National Association of Credit Managers (NACM) Credit Congress. Following the session, several B2B credit professionals shared recent fraud issues The attendees confirmed what we’ve been hearing from our customers: fraudsters are shifting from consumer to business/commercial fraud and they’re stepping up their game. One of the schemes mentioned by an attendee included fraudsters obtaining parcel provider’s tracking numbers to reroute shipments meant for their B2B customer. The perpetrator calls the business’s call center, impersonates the legitimate business customer to place an order, obtains the tracking number, and then calls back with the tracking number to request that the shipment be rerouted. Often the new shipping location is a residential address where an individual has been recruited for a work-at-home employment opportunity. The individual is instructed to sign for deliveries and then reship merchandise to a freight company within the country or directly to destinations outside the United States. The fraud is uncovered once the legitimate B2B customer receives an invoice for goods which they never ordered or received. I encourage you to take a look at your business’s policies and procedures on handling change of address shipment requests. What tools do you employ to verify the individual making the request? Are you verifying who the new address belongs to? You may also want to ask your parcel provider about account setting options available for when your employees submit reroute requests. While a shipping reroute request isn’t always indicative of fraud, I recommend you assess your fraud risk and consider whether your fraud-related business processes need refining. Keep an eye out here for postings on these topics: known fraud, bust out fraud, and how best to minimize fraud loss.
Well, here we are about two weeks from the Federal Trade Commission’s June 1, 2010 Red Flags Rule enforcement date. While this date has been a bit of a moving target for the past year or so, I believe this one will stick. It appears that the new reality is one in which individual trade associations and advocacy groups will, one by one, seek relief from enforcement and related penalties post-June 1. Here’s why I say that: The American Bar Association has already file suit against the FTC, and in October, 2009, The U.S. District Court for the District of Columbia ruled that the Red Flags Rule is not applicable to attorneys engaged in the practice of law. While an appeal of this case is still pending, in mid-March, the U.S. District Court for the District of Columbia issued another order declaring that the FTC should postpone enforcement of the Red Flags Rule “with respect to members of the American Institute of Certified Public Accountants” engaged in practice for 90 days after the U.S. Court of Appeals for the District of Columbia renders an opinion in the American Bar Association’s case against the FTC.” Slippery slope here. Is this what we can expect for the foreseeable future? A rather ambiguous guideline that leaves openings for specific categories of “covered entities” to seek exemption? The seemingly innocuous element to the definition of “creditor” that includes “businesses or organizations that regularly defer payment for goods or services or provide goods or services and bill customers later” is causing havoc among peripheral industries like healthcare and other professional services. Those of you in banking are locked in for sure, but it ought to be an interesting year as the outliers fight to make sense of it all while they figure out what their identity theft prevention programs should or shouldn’t be.
I received a call on my cell phone the other day. It was my bank calling because a transaction outside of my normal behavior pattern tripped a flag in their fraud models. “Hello!" said the friendly, automated voice, “I’m calling from [bank name] and we need to talk to you about some unusual transaction activity on your account, but before we do, I need to make sure Monica Bellflower has answered the phone. We need to ask you a few questions for security reasons to protect your account. Please hold on a moment.” At this point, the IVR (Interactive Voice Response) system invoked a Knowledge Based Authentication session that the IVR controlled. The IVR, not a call center representative, asked me the Knowledge Based Authentication questions and confirmed the answers with me. When the session was completed, I had been authenticated, and the friendly, automated voice thanked me before launching into the list of transactions to be reviewed. Only when I questioned the transaction was I transferred, immediately – with no hold time, to a human fraud account management specialist. The entire process was seamless and as smooth as butter. Using IVR technology is not new, but using IVR to control a Knowledge Based Authentication session is one way of controlling operational expenses. An example of this is reducing the number of humans that are required, while increasing the ROI made in both the Knowledge Based Authentication tool and the IVR solution. From a risk management standpoint, the use of decisioning strategies and fraud models allows for the objective review of a customer’s transactions, while employing fraud best practices. After all, an IVR never hinted at an answer or helped a customer pass Knowledge Based Authentication, and an IVR didn't get hired in a call center for the purpose of committing fraud. These technologies lend themselves well, to fraud alerts and identity theft prevention programs, and also to account management activities. Experian has successfully integrated Knowledge Based Authentication with IVR as part of relationship management and/or risk management solutions. To learn more, visit the Experian website at: https://www.experian.com/decision-analytics/fraud-detection.html?cat1=fraud-management&cat2=detect-and-reduce-fraud). Trust me, Knowledge Based Authentication with IVR is only the beginning. However, the rest will have to wait; right now my high-tech, automated refrigerator is calling to tell me I'm out of butter.
By: Ken Pruett I want to touch a bit on some of the third party fraud scenarios that are often top of mind with our customers: identity theft; synthetic identities; and account takeover. Identity Theft Identity theft usually occurs during the acquisition stage of the customer life cycle. Simply put, identity theft is the use of stolen identity information to fraudulently open up a new account. These accounts do not have to be just credit card related. For example, there are instances of people using others identities to open up wireless phone and utilities accounts Recent fraud trends show this type of fraud is on the rise again after a decrease over the past several years. A recent Experian study found that people who have better credit scores are more likely to have their identity stolen than those with very poor credit scores. It does seem logical that fraudsters would likely opt to steal an identity from someone with higher credit limits and available purchasing power. This type of fraud gets the majority of media attention because it is the consumer who is often the victim (as opposed to a major corporation). Fraud changes over time and recent findings show that looking at data from a historical perspective is a good way to help prevent identity theft. For example, if you see a phone number being used by multiple parties, this could be an indicator of a fraud ring in action. Using these types of data elements can make your fraud models much more predictive and reduce your fraud referral rates. Synthetic Identities Synthetic Identities are another acquisition fraud problem. It is similar to identity theft, but the information used is fictitious in nature. The fraud perpetrator may be taking pieces of information from a variety of parties to create a new identity. Trade lines may be purchased from companies who act as middle men between good consumers with good credit and perpetrators who creating new identities. This strategy allows the fraud perpetrator to quickly create a fictitious identity that looks like a real person with an active and good credit history. Most of the trade lines will be for authorized users only. The perpetrator opens up a variety of accounts in a short period of time using the trade lines. When creditors try to collect, they can’t find the account owners because they never existed. As Heather Grover mentioned in her blog, this fraud has leveled off in some areas and even decreased in others, but is probably still worth keeping an eye on. One concern on which to focus especially is that these identities are sometimes used for bust out fraud. The best approach to predicting this type of fraud is using strong fraud models that incorporate a variety of non-credit and credit variables in the model development process. These models look beyond the basic validation and verification of identity elements (such as name, address, and social security number), by leveraging additional attributes associated with a holistic identity -- such as inconsistent use of those identity elements. Account Takeover Another type of fraud that occurs during the account management period of the customer life cycle is account takeover fraud. This type of fraud occurs when an individual uses a variety of methods to take over an account of another individual. This may be accomplished by changing online passwords, changing an address or even adding themselves as an authorized user to a credit card. Some customers have tools in place to try to prevent this, but social networking sites are making it easier to obtain personal information for many consumers. For example, a person may have been asked to provide the answer to a challenge question such as the name of their high school as a means to properly identify them before gaining access to a banking account. Today, this piece of information is often readily available on social networking sites making it easier for the fraud perpetrators to defeat these types of tools. It may be more useful to use out of wallet, or knowledge-based authentication and challenge tools that dynamically generate questions based on credit or public record data to avoid this type of fraud.
There seems to be two viewpoints in the market today about Knowledge Based Authentication (KBA): one positive, one negative. Depending on the corner you choose, you probably view it as either a tool to help reduce identity theft and minimize fraud losses, or a deficiency in the management of risk and the root of all evil. The opinions on both sides are pretty strong, and biases “for” and “against” run pretty deep. One of the biggest challenges in discussing Knowledge Based Authentication as part of an organization’s identity theft prevention program, is the perpetual confusion between dynamic out-of-wallet questions and static “secret” questions. At this point, most people in the industry agree that static secret questions offer little consumer protection. Answers are easily guessed, or easily researched, and if the questions are preference based (like “what is your favorite book?”) there is a good chance the consumer will fail the authentication session because they forgot the answers or the answers changed over time. Dynamic Knowledge Based Authentication, on the other hand, presents questions that were not selected by the consumer. Questions are generated from information known about the consumer – concerning things the true consumer would know and a fraudster most likely wouldn’t know. The questions posed during Knowledge Based Authentication sessions aren’t designed to “trick” anyone but a fraudster, though a best in class product should offer a number of features and options. These may allow for flexible configuration of the product and deployment at multiple points of the consumer life cycle without impacting the consumer experience. The two are as different as night and day. Do those who consider “secret questions” as Knowledge Based Authentication consider the password portion of the user name and password process as KBA, as well? If you want to hold to strict logic and definition, one could argue that a password meets the definition for Knowledge Based Authentication, but common sense and practical use cause us to differentiate it, which is exactly what we should do with secret questions – differentiate them from true KBA. KBA can provide strong authentication or be a part of a multifactor authentication environment without a negative impact on the consumer experience. So, for the record, when we say KBA we mean dynamic, out of wallet questions, the kind that are generated “on the fly” and delivered to a consumer via “pop quiz” in a real-time environment; and we think this kind of KBA does work. As part of a risk management strategy, KBA has a place within the authentication framework as a component of risk- based authentication… and risk-based authentication is what it is really all about.
When a client is selecting questions to use, Knowledge Based Authentication is always about the underlying data – or at least it should be. The strength of Knowledge Based Authentication questions will depend, in large part, on the strength of the data and how reliable it is. After all, if you are going to depend on Knowledge Based Authentication for part of your risk management and decisioning strategy the data better be accurate. I’ve heard it said within the industry that clients only want a system that works and they have no interest where the data originates. Personally, I think that opinion is wrong. I think it is closer to the truth to say there are those who would prefer if clients didn’t know where the data that supports their fraud models and Knowledge Based Authentication questions originates; and I think those people “encourage” clients not to ask. It isn’t a secret that many within the industry use public record data as the primary source for their Knowledge Based Authentication products, but what’s important to consider is just how accessible that public record information is. Think about that for a minute. If a vendor can build questions on public record data, can a fraudster find the answers in public record data via an online search? Using Knowledge Based Authentication for fraud account management is a delicate balance between customer experience/relationship management and risk management. Because it is so important, we believe in research – reading the research of well-known and respected groups like Pew, Tower, Javelin, etc. and doing our own research. Based on our research, I know consumers prefer questions that are appropriate and relative to their activity. In other words, if the consumer is engaged in a credit-granting activity, it may be less appropriate to ask questions centered on personal associations and relatives. Questions should be difficult for the fraudster, but not difficult or perceived as inappropriate or intrusive by the true consumer. Additionally, I think questions should be applicable to many clients and many consumers. The question set should use a mix of data sources: public, proprietary, non-credit, credit (if permissible purpose exists) and innovative. Is it appropriate to have in-depth data discussions with clients about each data source? Debatable. Is it appropriate to ensure that each client has an understanding of the questions they ask as part of Knowledge Based Authentication and where the data that supports those questions originates? Absolutely.
My last entry covered the benefits of consortium databases and industry collaboration in general as a proven and technologically feasible method for combating fraud across industries. They help minimize fraud losses. So – with some notable exceptions – why are so few industries and companies using fraud consortiums and known fraud databases? In my experience, the reasons typically boil down to two things: reluctance to share data and perception of ROI. I say "perception of ROI" because I firmly believe the ROI is there – in fact it grows with the number of consortium participants. First, reluctance to share data seems to stem from a few areas. One is concern for how that data will be used by other consortium members. This is usually addressed through compelling reciprocation of data contribution by all members (the give to get model) as well as strict guidelines for acceptable use. In today’s climate of hypersensitivity, another concern – rightly so – is the stewardship of Personally Identifiable Information (PII). Given the potentially damaging effects of data breaches to consumers and businesses, smart companies are extremely cautious and careful when making decisions about safeguarding consumer information. So how does a data consortium deal with this? Firewalls, access control lists, encryption, and other modern security technologies provide the defenses necessary to facilitate protection of information contributed to the consortium. So, let’s assume we’ve overcome the obstacles to sharing one’s data. The other big hurdle to participation that I come across regularly is the old “what’s in it for me” question. Contributors want to be sure that they get out of it what they put into it. Nobody wants to be the only one, or the largest one, contributing records. In fact, this issue extends to intracompany consortiums as well. No line of business wants to be the sole sponsor just to have other business units come late to the party and reap all the benefits on their dime. Whether within companies or across an industry, it’s obvious that mutual funding, support, equitable operating rules, and clear communication of benefits – to those contributors both big and small – is necessary for fraud consortiums to succeed. To get there, it’s going to take a lot more interest and participation from industry leaders. What would this look like? I think we’d see a large shift in companies’ fraud columns: from “Discovered” to “Attempted”. This shift would save time and money that could be passed back to the legitimate customers. More participation would also enable consortiums to stay on top of changing technology and evolving consumer communication styles, such as email, text, mobile banking, and voice biometrics to name a few.