Fraud & Identity Management

There was a recent discussion among members of the Anti Fraud experts group on LinkedIn regarding collaboration among financial institutions to combat fraud.  Most posters agreed on the benefits of such collaboration but were cynical when it came to anything of substance, such as a shared data network, getting off the ground.  I happen to agree with some of the opinions on the primary challenges faced in getting cross industry (or even single industry!) cooperation to prevent both consumer and commercial fraud.  Those being: 1) sharing data and 2) return on investment. Despite the challenges, there are some fraud prevention and “negative” file consortium databases available in the market as fraud prevention tools.  They’re often used in conjunction with authentication products in an overall risk based authentication / fraud deterrence strategy. Some are focused on the Demand Deposit Account (DDA) market, such as Fidelity’s DebitBureau, while others, like Experian’s own National Fraud Database, address a variety of markets.  Early Warning Services has a database of both “account abuse” – aka DDA financial mismanagement – and fraud records.  Still others like Ethoca and the UK’s 192.com seem focused on merchant data and online retailers. Regardless of the consortium, they share some common traits.  Most: - fall under Fair Credit Reporting Act regulation - are used in the acquisition phase as part of the new account decision - require contribution of data to access the shared data network Given the seemingly general reluctance to participate in fraud consortiums, as evidenced by the group described above, how do we assess value in these consortium databases?  Well, for one, most U.S. banks and credit unions participate in and contribute customer behavior data to a consortium.  Safe to say, then, that the banking industry has recognized the value of collaboration and sharing data with each other – if not exclusively to minimize fraud losses but at least to manage potential risk at acquisition.  I’m speaking here of the DDA financial mismanagement data used under the guiding principle of “past performance predicts future results”. Consortium data that includes confirmed fraud records make the value of collaboration even more clear: a match to one of these records compels further investigation and a more cautious review of the transaction or decision.  With this much to gain, why aren’t more companies and industries rushing to join or form a consortium? In my next post, I’ll explore the common objections to joining consortiums and what the future may look like.  

By: Ken Pruett I thought it might be helpful to give an example of a recent performance monitoring engagement to show just how the performance monitoring process can help.  The organization to which I'm referring has been using Knowledge Based Authentication for several years. They are issuing retail credit cards for their online channel. This is an area that usually experiences a higher rate of fraud.  The Knowledge Based Authentication product is used prior to credit being issued. The performance monitoring process involved the organization providing us with a sample of approximately 120,000 records of which some were good and some were bad.  Analysis showed that they had a 25 percent referral rate -- but they were concerned about the number of frauds they were catching.  They felt that too many frauds were getting through; they believed the fraud process was probably too lenient. Based on their input, we started a detailed analytic exercise with the intention, of course, to minimize fraud losses.  Our study found that, by changing several criteria items with the set-up, the organization was able to get the tool to be more in-line with expectations.  So, by lowering the pass rate by only 9 percent they increased their fraud find rate by 27 percent.  This was much more in-line with their goals for this process. In this situation, a score was being used, in combination with the organization's customer's ability to answer questions, to determine the overall accept or refer decision.  The change to the current set-up involved requiring customers to answer at least one more question in combination with certain scores.  Although the change was minor in nature, it yielded fairly significant results. Our next step in the engagement involved looking at the questions. Analysis showed that some questions should be eliminated due to poor performance.  They were not really separating fraud; so, removing them would be beneficial to the overall process.  We also determined that some questions performed very well.  We recommended that these questions should carry a higher weight in the overall decision process.  An example would be that a customer be required to answer only two questions correct for the higher weighted questions versus three of the lesser performing questions.  The key here is to help keep pass rates up while still preventing fraud.  Striking this delicate balance is the key objective. As you can see from this example, this is an ongoing process, but the value in that process is definitely worth the time and effort.

Meat and potatoes Data are the meat and potatoes of fraud detection.  You can have the brightest and most capable statistical modeling team in the world.  But if they have crappy data, they will build crappy models.  Fraud prevention models, predictive scores, and decisioning strategies in general are only as good as the data upon which they are built. How do you measure data performance? If a key part of my fraud risk strategy deals with the ability to match a name with an address, for example, then I am going to be interested in overall coverage and match rate statistics.  I will want to know basic metrics like how many records I have in my database with name and address populated.  And how many addresses do I typically have for consumers?  Just one, or many?  I will want to know how often, on average, we are able to match a name with an address.  It doesn’t do much good to tell you your name and address don’t match when, in reality, they do. With any fraud product, I will definitely want to know how often we can locate the consumer in the first place.  If you send me a name, address, and social security number, what is the likelihood that I will be able to find that particular consumer in my database?  This process of finding a consumer based on certain input data (such as name and address) is called pinning.  If you have incomplete or stale data, your pin rate will undoubtedly suffer.  And my fraud tool isn’t much good if I don’t recognize many of the people you are sending me. Data need to be fresh.  Old and out-of-date information will hurt your strategies, often punishing good consumers.  Let’s say I moved one year ago, but your address data are two-years old, what are the chances that you are going to be able to match my name and address?  Stale data are yucky. Quality Data = WIN It is all too easy to focus on the more sexy aspects of fraud detection (such as predictive scoring, out of wallet questions, red flag rules, etc.) while ignoring the foundation upon which all of these strategies are built.  

By: Ken Pruett The use of Knowledge Based Authentication (KBA) or out of wallet questions continues to grow. For many companies, this solution is used as one of its primary means for fraud prevention.  The selection of the proper tool often involves a fairly significant due diligence process to evaluate various offerings before choosing the right partner and solution.  They just want to make sure they make the right choice. I am often surprised that a large percentage of customers just turn these tools on and never evaluate or even validate ongoing performance.  The use of performance monitoring is a way to make sure you are getting the most out of the product you are using for fraud prevention.  This exercise is really designed to take an analytical look at what you are doing today when it comes to Knowledge Based Authentication. There are a variety of benefits that most customers experience after undergoing this fraud analytics exercise.  The first is just to validate that the tool is working properly.  Some questions to ponder include: Are enough frauds being identified? Is the manual review rate in-line with what was expected?  In almost every case I have worked on as it relates to these engagements, there were areas that were not in-line with what the customer was hoping to achieve.  Many had no idea that they were not getting the expected results. Taking this one step further, changes can also be made to improve upon what is already in place.  For example, you can evaluate how well each question is performing.  The analysis can show you which questions are doing the best job at predicting fraud.  The use of better performing questions can allow you the ability to find more fraud while referring fewer applications for manual review.  This is a great way to optimize how you use the tool. In most organizations there is increased pressure to make sure that every dollar spent is bringing value to the organization.  Performance monitoring is a great way to show the value that your KBA tool is bringing to the organization.  The exercise can also be used to show how you are proactively managing your fraud prevention process.   You accomplish this by showing how well you are optimizing how you use the tool today while addressing emerging fraud trends. The key message is to continuously measure the performance of the KBA tool you are using.  An exercise like performance monitoring could provide you with great insight on a quarterly basis.  This will allow you to get the most out of your product and help you keep up with a variety of emerging fraud trends. Doing nothing is really not an option in today’s even changing environment.  

Conducting a validation on historical data is a good way to evaluate fraud models; however, fraud best practices dictate that a proper validation uses properly defined fraud tags. Before you can determine if a fraud model or fraud analytics tool would have helped minimize fraud losses, you need to know what you are looking for in this category.  Many organizations have difficulty differentiating credit losses from fraud losses.  Usually, fraud losses end up lumped-in with credit losses. When this happens, the analysis either has too few “known frauds” to create a business case for change, or the analysis includes a large target population of credit losses that result in poor results. By planning carefully, you can avoid this pitfall and ensure that your validation gives you the best chance to improve your business and minimize fraud losses. As a fraud best practice for validations, consider using a target population that errs on the side of including credit losses; however, be sure to include additional variables in your sample that will allow you and your fraud analytics provider to apply various segmentations to the results.  Suggested elements to include in your sample are; delinquency status, first delinquency date, date of last valid payment, date of last bad  payment and indicator of whether the account was reviewed for fraud prior to booking. Starting with a larger population, and giving yourself the flexibility to narrow the target later will help you see the full value of the solutions you evaluate and reduce the likelihood of having to do an analysis over again.  

In a previous blog, we shared ideas for expanding the “gain” to create a successful ROI to adopt new fraud best practices  to improve.  In this post, we’ll look more closely at the “cost” side of the ROI equation. The cost of the investment- The costs of fraud analytics and tools that support fraud best practices go beyond the fees charged by the solution provider.  While the marketplace is aware of these costs, they often aren’t considered by the solution providers.  Achieving consensus on an ROI to move forward with new technology requires both parties to account for these costs.  A more robust ROI should these areas: • Labor costs- If a tool increases fraud referral rates, those costs must be taken into account. • Integration costs- Many organizations have strict requirements for recovering integration costs.  This can place an additional burden on a successful ROI. • Contractual obligations- As customers look to reduce the cost of other tools, they must be mindful of any obligations to use those tools. • Opportunity costs- Organizations do need to account for the potential impact of their fraud best practices on good customers.  Barring a true champion/challenger evaluation, a good way to do this is to remain as neutral as possible with respect to the total number of fraud alerts that are generated using new fraud tools compared to the legacy process As you can see, the challenge of creating a compelling ROI can be much more complicated than the basic equation suggests.  It is critical in many industries to begin exploring ways to augment the ROI equation.  This will ensure that our industries evolve and thrive without becoming complacent or unable to stay on top of dynamic fraud trends.  

By definition, “Return on Investment” is simple: (The gain from an investment - The cost of the investment) _______________________________________________ The cost of the investment With such a simple definition, why do companies that develop fraud analytics and their customers have difficulty agreeing to move forward with new fraud models and tools?   I believe the answer lies in the definition of the factors that make up the ROI equation: “The gain from an investment”- When it comes to fraud, most vendors and customers want to focus on minimizing fraud losses.  But what happens when fraud losses are not large enough to drive change? To adopt new technology it’s necessary for the industry to expand its view of the “gain.”  One way to expand the “gain” is to identify other types of savings and opportunities that aren’t currently measured as fraud losses.  These include: Cost of other tools - Data returned by fraud tools can be used to resolve Red Flag compliance discrepancies and help fraud analysts manage high-risk accounts.  By making better use of this information, downstream costs can be avoided. Other types of “bad” organizations are beginning to look at the similarities among fraud and credit losses.  Rather than identifying a fraud trend and searching for a tool to address it, some industry leaders are taking a different approach -- let the fraud tool identify the high-risk accounts, and then see what types of behavior exist in that population.  This approach helps organizations create the business case for constant improvement and also helps them validate the way in which they currently categorize losses. To increase cross sell opportunities - Focus on the “good” populations.  False positives aren’t just filtered out of the fraud review work flow, they are routed into other work flows where relationships can be expanded.    

By: Heather Grover In my previous entry, I covered how fraud prevention affected the operational side of new DDA account opening. To give a complete picture, we need to consider fraud best practices and their impact on the customer experience. As earlier mentioned, the branch continues to be a highly utilized channel and is the place for “customized service.” In addition, for retail banks that continue to be the consumer's first point of contact, fraud detection is paramount IF we should initiate a relationship with the consumer. Traditional thinking has been that DDA accounts are secured by deposits, so little risk management policy is applied. The reality is that the DDA account can be a fraud portal into the organization’s many products. Bank consolidations and lower application volumes are driving increased competition at the branch – increased demand exists to cross-sell consumers at the point of new account opening. As a result, banks are moving many fraud checks to the front end of the process: know your customer and Red Flag guideline checks are done sooner in the process in a consolidated and streamlined fashion. This is to minimize fraud losses and meet compliance in a single step, so that the process for new account holders are processed as quickly through the system as possible. Another recent trend is the streamlining of a two day batch fraud check process to provide account holders with an immediate and final decision. The casualty of a longer process could be a consumer who walks out of your branch with a checkbook in hand – only to be contacted the next day to tell that his/her account has been shut down. By addressing this process, not only will the customer experience be improved with  increased retention, but operational costs will also be reduced. Finally, relying on documentary evidence for ID verification can be viewed by some consumers as being onerous and lengthy. Use of knowledge based authentication can provide more robust authentication while giving assurance of the consumer’s identity. The key is to use a solution that can authenticate “thin file” consumers opening DDA accounts. This means your out of wallet questions need to rely on multiple data sources – not just credit. Interactive questions can give your account holders peace of mind that you are doing everything possible to protect their identity – which builds the customer relationship…and your brand.  

By: Heather Grover In past client and industry talks, I’ve discussed the increasing importance of retail branches to the growth strategy of the bank. Branches are the most utilized channel of the bank and they tend to be the primary tool for relationship expansion. Given the face-to-face nature, the branch historically has been viewed to be a relatively low-risk channel needing little (if any) identity verification – there are less uses of robust risk-based authentication or out of wallet questions. However, a now well-established fraud best practice is the process of doing proper identity verification and fraud prevention at the point of DDA account opening. In the current environment of declining credit application volumes and approval across the enterprise, there is an increased focus on organic growth through deposits.  Doing proper vetting during DDA account openings helps bring your retail process closer in line with the rest of your organization’s identity theft prevention program. It also provides assurance and confidence that the customer can now be cross-sold and up-sold to other products. A key industry challenge is that many of the current tools used in DDA are less mature than in other areas of the organization. We see few clients in retail that are using advanced fraud analytics or fraud models to minimize fraud – and even fewer clients are using them to automate manual processes - even though more than 90 percent of DDA accounts are opened manually. A relatively simple way to improve your branch operations is to streamline your existing ID verification and fraud prevention tool set: 1. Are you using separate tools to verify identity and minimize fraud? Many providers offer solutions that can do both, which can help minimize the number of steps required to process a new account; 2. Is the solution realtime? To the extent that you can provide your new account holders with an immediate and final decision, the less time and effort you’ll spend after they leave the branch finalizing the decision; 3. Does the solution provide detail data for manual review? This can help save valuable analyst time and provider costs by limiting the need to do additional searches. In my next post, we’ll discuss how fraud prevention in DDA impacts the customer experience.

The definition of account management authentication is:  Keep your customers happy, but don’t lose sight of fraud risks and effective tools to combat those risks. In my previous posting, I discussed some unique fraud risks facing institutions during the account management phase of their customer lifecycles.  As a follow up, I want to review a couple of effective tools that allow you to efficiently minimize fraud losses during post-application: Knowledge Based Authentication (KBA) — this process involves the use of challenge/response questions beyond "secret" or "traditional" internally derived questions (such as mother's maiden name or last transaction amount). This tool allows for measurably effective use of questions based on more broad-reaching data (credit and noncredit) and consistent delivery of those questions without subjective question creation and grading by call center agents. KBA questions sourced from information not easily accessible by call center agents or fraudsters provide an additional layer of security that is more impenetrable by social engineering. From a process efficiency standpoint, the use of automated KBA also can reduce online sessions for consumers, and call times as agents spend less time self-selecting questions, self-grading responses and subjectively determining next steps. Delivery of KBA questions via consumer-facing online platforms or via interactive voice response (IVR) systems can further reduce operational costs since the entire KBA process can be accommodated without call center agent involvement. Negative file and fraud database – performing checks against known fraudulent and abuse records affords institutions an opportunity to, in batch or real time, check elements such as address, phone, and SSN for prior fraudulent use or victimization.  These checks are a critical element in supplementing traditional consumer authentication processes, particularly in an account management procedure in which consumer and/or account information may have been compromised.  Transaction requests such as address or phone changes to an account are particularly low-hanging fruit as far as running negative file checks are concerned.    

--by Andrew Gulledge Intelligent use of features Question ordering: You want some degree of randomization in the questions that are included for each session. If a fraudster (posing as you) comes through Knowledge Based Authentication, for two or three sessions, wouldn’t you want them to answer new questions each time? At the same time, you want to try to use those questions that perform better more often. One way to achieve both is to group the questions into categories, and use a fixed category ordering (with the better-performing categories being higher up in the batting line up)—then, within each category, the question selection is randomized. This way, you can generally use the better questions more, but at the same time, make it difficult to come through Knowledge Based Authentication twice and get the same questions presented back to you. (You can also force all new questions in subsequent sessions, with a question exclusion strategy, but this can be restrictive and make the “failure to generate questions” rate spike.) Question weighting: Since we know some questions outperform others, both in terms of percentage correct and in terms of fraud separation, it is generally a good idea to weight the questions with points based on these performance metrics. Weighting can help to squeeze out some additional fraud detection from your Knowledge Based Authentication tool.  It also provides considerable flexibility in your decisioning (since it is no longer just “how many questions were answered correctly” but it is “what percentage of points were obtained”). Usage Limits: You should only allow a consumer to come through the Knowledge Based Authentication process a certain number of times before getting an auto-fail decision. This can take the form of x number of uses allowable within y number of hours/days/etc. Time out Limit: You should not allow fraudsters to research the questions in the middle of a Knowledge Based Authentication session. The real consumer should know the answers off the top of their heads. In a web environment, five minutes should be plenty of time to answer three to five questions. A call center environment should allow for more time since some people can be a bit chatty on the phone.  

Account management fraud risks: I “think” I know who I’m dealing with… Risk of fraudulent account activity does not cease once an application has been processed with even the most robust authentication products and tools available.  These are a few market dynamics are contributing to increased fraud risk to existing accounts: -          The credit crunch is impacting bad guys too! Think it’s hard to get approved for a credit account these days? The same tightened lending practices good consumers now face are also keeping fraudsters out of the “application approval” process too. While that may be a good thing in general, it has caused a migratory focus from application fraud to account takeover fraud.  -          Existing and viable accounts are now much more appealing to fraudsters given a shortage of application fraud opportunities, as financial institutions have reduced solicitation volume. A few other interesting challenges face organizations with regards to an institution’s ability to minimize fraud losses related to existing accounts: -  Social engineering — the "human element" is inherent in a call center environment and critical from a customer experience perspective. This factor offers the opportunity for fraudsters to manipulate representatives to either gain unauthorized access to accounts or, at the very least, collect consumer and account information that may help them perpetrate fraud later. - Automatic Number Identification (ANI) spoofing — this technology allows a caller to alter the true displayable number from which he or she is calling to a falsely portrayed number. It's difficult, if not impossible, to find a legitimate use for this technology. However, fraudsters find this capability quite useful as they try to circumvent what was once a very effective method of positively authenticating a consumer based on a "good" or known incoming phone number. With ANI spoofing in play, many call centers are now unable to confidently rely on this once cost-effective and impactful method of authenticating consumers.    

--by Andrew Gulledge General configuration issues Question selection- In addition to choosing questions that generally have a high percentage correct and fraud separation, consider any questions that would clearly not be a fit to your consumer population. Don’t get too trigger-happy, however, or you’ll have a spike in your “failure to generate questions” rate. Number of questions- Many people use three or four out-of-wallet questions in a Knowledge Based Authentication session, but some use more or less than that, based on their business needs. In general, more questions will provide a stricter authentication session, but might detract from the customer experience. They may also create longer handling times in a call center environment. Furthermore, it is harder to generate a lot of questions for some consumers, including thin-file types. Fewer Knowledge Based Authentication questions can be less invasive for the consumer, but limits the fraud detection value of the KBA process. Multiple choice- One advantage of this answer format is that it relies on recognition memory rather than recall memory, which is easier for the consumer. Another advantage is that it generally prevents complications associated with minor numerical errors, typos, date formatting errors and text scrubbing requirements. A disadvantage of multiple-choice, however, is that it can make educated guessing (and potentially gaming) easier for fraudsters. Fill in the blank- This is a good fit for some KBA questions, but less so with others. A simple numeric answer works well with fill in the blank (some small variance can be allowed where appropriate), but longer text strings can present complications. While undoubtedly difficult for a fraudster to guess, for example, most consumers would not know the full, official and (correct spelling) of the name to which they pay their monthly auto payment. Numeric fill in the blank questions are also good candidates for KBA in an IVR environment, where consumers can use their phone’s keypad to enter the answers.  

--by Andrew Gulledge Where does Knowledge Based Authentication fit into my decisioning strategy? Knowledge Based Authentication can fit into various parts of your authentication process. Some folks choose to put every consumer through KBA, while others only send their riskier transactions through the out-of-wallet questions. Some people use Knowledge Based Authentication to feed a manual review process, while others use a KBA failure as a hard-decline. Uses for KBA are as sundry and varied as the questions themselves. Decision Matrix- As discussed by prior bloggers, a well-engineered fraud score can provide considerable lift to any fraud risk strategy. When possible, it is a good idea to combine both score and questions into the decisioning process. This can be done with a matrixed approach—where you are more lenient on the questions if the applicant has a good fraud score, and more lenient on the score if the applicant did well on the questions. In a decision matrix, a set decision code is placed within various cells, based on fraud risk. Decision Overrides- These provide a nice complement to your standard fraud decisioning strategy. Different fraud solution vendors provide different indicators or flags with which decisioning rules can be created. For example, you might decide to fail a consumer who provides a social security number that is recorded as deceased. These rules can help to provide additional lift to the standard decisioning strategy, whether it is in addition to Knowledge Based Authentication questions alone, questions and score, etc. The overrides can be along the lines of both auto-pass and auto-fail.  

In my last post I discussed the problem with confusing what I would call “real” Knowledge Based Authentication (KBA) with secret questions.   However, I don’t think that’s where the market focus should be.  Instead of looking at Knowledge Based Authentication (KBA) today, we should be looking toward the future, and the future starts with risk-based authentication. If you’re like most people, right about now you are wondering exactly what I mean by risk-based authentication.  How does it differ from Knowledge Based Authentication, and how we got from point A to point B? It is actually pretty simple.  Knowledge Based Authentication is one factor of a risk-based authentication fraud prevention strategy.  A risk- based authentication approach doesn’t rely on question/answers alone, but instead utilizes fraud models that include Knowledge Based Authentication performance as part of the fraud analytics to improve fraud detection performance.  With a risk-based authentication approach, decisioning strategies are more robust and should include many factors, including the results from scoring models. That isn’t to say that Knowledge Based Authentication isn’t an important part of a risk-based approach.  It is.  Knowledge Based Authentication is a necessity because it has gained consumer acceptance. Without some form of Knowledge Based Authentication, consumers question an organization’s commitment to security and data protection. Most importantly, consumers now view Knowledge Based Authentication as a tool for their protection; it has become a bellwether to consumers. As the bellwether, Knowledge Based Authentication has been the perfect vehicle to introduce new and more complex authentication methods to consumers, without them even knowing it.  KBA has allowed us to familiarize consumers with out-of-band authentication and IVR, and I have little doubt that it will be one of the tools to play a part in the introduction of voice biometrics to help prevent consumer fraud. Is it always appropriate to present questions to every consumer?  No, but that’s where a true risk-based approach comes into play.  Is Knowledge Based Authentication always a valuable component of a risk based authentication tool to minimize fraud losses as part of an overall approach to fraud best practices?  Absolutely; always. DING!