On Friday, October 30th, the FTC again delayed enforcement of the “Red Flags” Rule – this time until June 1, 2010 – for financial institutions and creditors subject to the FTC’s enforcement.   Here’s the official release: http://www.ftc.gov/opa/2009/10/redflags.shtm. But this doesn’t mean, until then, businesses get a free pass.  The extension doesn’t apply to other federal agencies that have enforcement responsibilities for institutions under their jurisdiction.  And the extension also doesn’t alleviate an institution’s need to detect and respond to address discrepancies on credit reports. Red Flag compliance Implementing best practices to address the identity theft under the Red Flags Rule is not just the law, it’s good business.  The damage to reputations and consumer confidence from a problem gone unchecked or worse yet – unidentified – can be catastrophic.  I encourage all businesses – if they haven’t already done so – to use this extension as an opportunity to proactively secure a Red Flags Rule to ensure Red Flag compliance.  It’s an investment in protecting their most important asset – the customer.  

By: Kari Michel Most lenders use a credit scoring model in their decision process for opening new accounts; however, between 35 and 50 million adults in the US may be considered unscoreable with traditional credit scoring models. That is equivalent to 18-to-25 percent of the adult population. Due to recent market conditions and shrinking qualified candidates, lenders have placed a renewed interest in assessing the risk of this under served population.  Unscoreable consumers could be a pocket of missed opportunity for many lenders. To assess these consumers, lenders must have the ability to better distinguish between consumers with a clear track record of unfavorable credit behaviors versus those that are just beginning to develop their credit history and credit risk models. Unscoreable consumers can be divided into three populations: • Infrequent credit users:  Consumers who have not been active on their accounts for the past six months, and who prefer to use non-traditional credit tools for their financial needs. • New entrants:  Consumers who do not have at least one account with more than six months of activity; including young adults just entering the workforce, recently divorced or widowed individuals with little or no credit history in their name, newly arrived immigrants, or people who avoid the traditional system by choice. • Thin file consumers:  Consumers who have less than three accounts and rarely utilize traditional credit and likely prefer using alternative credit tools and credit score trends. A study done by VantageScore® Solutions, LLC shows that a large percentage of the unscoreable population can be scored with the VantageScore® credit score* and a portion of these are credit-worthy (defined as the population of consumers who have a cumulative likelihood to become 90 days or more delinquent is less than 5 percent).  The following is a high-level summary of the findings for consumers who had at least one trade: Lenders can review their credit decisioning process to determine if they have the tools in place to assess the risk of those unscoreable consumers.  As with this population there is an opportunity for portfolio expansion as demonstrated by the VantageScore® study. *The VantageScore® credit score model is a generic credit scoring model introduced to meet the market demands for a highly predictive consumer score. Developed as a joint venture among the three major credit reporting companies (CRCs) – Equifax, Experian and TransUnion.    

Well, here we are nearly at the beginning of November and the Red Flags Rule has been with us for nearly two years and the FTC’s November 1, 2009 enforcement date is upon us as well (I know I’ve said that before).  There is little value in me chatting about the core requirements of the Red Flags Rule at this point.  Instead, I’d like to shed some light on what we are seeing and hearing these days from our clients and industry experts related to this initiative: Red Flags Rule responses clients 1. Most clients have a solid written and operational Identity Theft Prevention Program in place that arguably meets their interpretation of the Red Flags Rule requirements. 2. Most clients have a solid written and operational Identity Theft Prevention Program in place that creates a boat-load of referrals due to the address mismatches generated in their process(es) and the requirement to do something with them. 3. Most clients are now focusing on ways in which to reduce the number of referrals generated and procedures to clear the remaining referrals via a cost-effective and automated manner…of course, while preventing fraud and staying compliant to Red Flags Rule. In 2008, a key focus at Experian was to help educate the market around the Red Flags Rule concepts and requirements. The concentration in 2009 has nearly fully shifted to assisting the market in creating risk-based authentication programs that leverage holistic views of a consumer, flexible tools that are pointed to a consumer based on that person’s authentication and risk profile. There is also an overall decisioning strategy that balances risk, compliance, and resource constraints. Spirit of Red Flags Rule The spirit of the Red Flags Rule is intended to ensure all covered institutions are employing basic identity theft prevention procedures (a pretty good idea).  I believe most of these institutions (even those that had very robust programs in place years before the rule was introduced) can appreciate this requirement that brings all institutions up to speed.  It is now, however, a matter of managing process within the realities of, and costs associated with, manpower, IT resources, and customer experience sensitivities.  

Recent findings on vintage analysis Source: Experian-Oliver Wyman Market Intelligence Reports Analyzing recent vintage analysis provides insights gleaned from cursory review Analyzing recent trends from vintages published in the Experian-Oliver Wyman Market Intelligence Reports, there are numerous insights that can be gleaned from just a cursory review of the results. Mortgage vintage analysis trends As noted in an earlier posting, recent mortgage vintage analysis' show a broad range of behaviors between more recent vintages and older, more established vintages that were originated before the significant run-up of housing prices seen in the middle of the decade. The 30+ delinquency levels for mortgage vintages in 2005, 2006, and 2007 approach and in two cases exceed 10 percent of trades in the last 12 months of performance, and have spiked from historical trends, beginning almost immediately after origination. On the other end of the spectrum, the vintages from 2003 and 2002 have barely approached or exceeded 5 percent for the last 6 or 7 years. Bandcard vintage analysis trends As one would expect, the 30+ delinquency trends demonstrated within bankcard vintage analysis are vastly different from the trends of mortgage vintages. Firstly, card delinquencies show a clear seasonal trend, with a more consistent yearly pattern evident in all vintages, resulting from the revolving structure of the product. The most interesting trends within the card vintages do show that the more recent vintages, 2005 to 2008, display higher 30+ delinquency levels, especially the Q2 2007 vintage, which is far and away the underperformer of the group. Within each vintage pool, an analysis can extend into the risk distribution and details of the portfolio and further segment the pool by credit score, specifically the VantageScore® credit score.  In other words, the loans in this pool are only for the most creditworthy customers at the time of origination. The noticeable trend is that while these consumers were largely resistant to deteriorating economic conditions, each vintage segment has seen a spike in the most recent 9-12 months. Given that these consumers tend to have the highest limits and lowest utilization of any VantageScore® credit score band, this trend encourages further account management consideration and raises flags about overall bankcard performance in coming months. Even a basic review of vintage analysis pools and the subsequent analysis opportunities that result from this data can be extremely useful. This vintage analysis can add a new perspective to risk management, supplementing more established analysis techniques, and further enhancing the ability to see the risk within the risk. Purchase a complete picture of consumer credit trends from Experian’s database of over 230 million consumers with the Market Intelligence Brief.

As I wrote in my previous posting, a key Red Flags Rule challenge facing many institutions is one that manages the number of referrals generated from the detection of Red Flags conditions.  The big ticket item in referral generation is the address mismatch condition. Identity Theft Prevention Program I’ve blogged previously on the subject of risk-based authentication and risk-based pricing, so I won’t rehash that information.  What I will suggest, however, is that those institutions who now have an operational Identity Theft Prevention Program (if you don’t, I’d hurry up) should continue to explore the use of alternate data sources, analytics and additional authentication tools (such as knowledge-based authentication) as a way to detect Red Flags conditions and reconcile them all within the same real-time transaction. Referral rates Referral rates stemming from address mismatches (a key component of the Red Flags Rule high risk conditions) can approach or even surpass 30 percent.  That is a lot.  The good news is that there are tools which employ additional data sources beyond a credit profile to “find” that positive address match.  The use of alternate data sources can often clear the majority of these initial mismatches, leaving the remaining transactions for treatment with analytics and knowledge-based authentication and Identity Theft Prevention Program. Whatever “referral management” process you have in place today, I’d suggest exploring risk-based authentication tools that allow you to keep the vast majority of those referrals out of the hands of live agents, and distanced from the need to put your customers through the authentication wringer.  In the current marketplace, there are many services that allow you to avoid high referral costs and risks to customer experience.  Of course, we think ours are pretty good.  

By: Wendy Greenawalt In the last installment of my three part series dispelling credit attribute myths, we’ll discuss the myth that the lift achieved by utilizing new attributes is minimal, so it is not worth the effort of evaluating and/or implementing new credit attributes. First, evaluating accuracy and efficiency of credit attributes is hard to measure. Experian data experts are some of the best in the business and, in this edition, we will discuss some of the methods Experian uses to evaluate attribute performance. When considering any new attributes, the first method we use to validate statistical performance is to complete a statistical head-to-head comparison. This method incorporates the use of KS (Kolmogorov–Smirnov statistic), Gini coefficient, worst-scoring capture rate or odds ratio when comparing two samples. Once completed, we implement an established standard process to measure value from different outcomes in an automated and consistent format. While this process may be time and labor intensive, the reward can be found in the financial savings that can be obtained by identifying the right segments, including: • Risk models that better identify “bad” accounts and minimizing losses • Marketing models that improve targeting while maximizing campaign dollars spent • Collections models that enhance identification of recoverable accounts leading to more recovered dollars with lower fixed costs Credit attributes Recently, Experian conducted a similar exercise and found that an improvement of 2-to-22 percent in risk prediction can be achieved through the implementation of new attributes. When these metrics are applied to a portfolio where several hundred bad accounts are now captured, the resulting savings can add up quickly (500 accounts with average loss rate of $3,000 = $1.5M potential savings). These savings over time more than justify the cost of evaluating and implementing new credit attributes.  

By: Wendy Greenawalt In the second installment of my three part series, dispelling credit attribute myths, we will discuss why attributes with similar descriptions are not always the same. The U.S. credit reporting bureaus are the most comprehensive in the world. Creating meaningful attributes requires extensive knowledge of the three credit bureaus’ data. Ensuring credit attributes are up-to-date and created by informed data experts.  Leveraging complete bureau data is also essential to obtaining long-term strategic success. To illustrate why attributes with similar names may not be the same let’s discuss a basic attribute, such as “number of accounts paid satisfactory.” While the definition, may at first seem straight forward, once the analysis begins there are many variables that must be considered before finalizing the definition, including: Should the credit attributes include trades currently satisfactory or ever satisfactory? Do we include paid charge-offs, paid collections, etc.? Are there any date parameters for credit attributes? Are there any trades that should be excluded? Should accounts that have a final status of "paid” be included? These types of questions and many others must be carefully identified and assessed to ensure the desired behavior is captured when creating credit attributes. Without careful attention to detail, a simple attribute definition could include behavior that was not intended.  This could negatively impact the risk level associated with an organization’s portfolio. Our recommendation is to complete a detailed analysis up-front and always validate the results to ensure the desired outcome is achieved. Incorporating this best practice will guarantee that credit attributes created are capturing the behavior intended.  

By: Wendy Greenawalt This blog kicks off a three part series exploring some common myths regarding credit attributes. Since Experian has relationships with thousands of organizations spanning multiple industries, we often get asked the same types of questions from clients of all sizes and industries. One of the questions we hear frequently from our clients is that they already have credit attributes in place, so there is little to no benefit in implementing a new attribute set. Our response is that while existing credit attributes may continue to be predictive, changes to the type of data available from the credit bureaus can provide benefits when evaluating consumer behavior. To illustrate this point, let’s discuss a common problem that most lenders are facing today-- collections. Delinquency and charge-off continue to increase and many organizations are having difficulty trying to determine the appropriate action to take on an account because consumer behavior has drastically changed regarding credit attributes. New codes and fields are now reported to the credit bureaus and can be effectively used to improve collection-related activities. Specifically, attributes can now be created to help identify consumers who are rebounding from previous account delinquencies. In addition, lenders can evaluate the number and outstanding balances of collection or other types of trades.  This can be achieved while considering the percentage of accounts that are delinquent and the specific type of accounts affected after assessing credit risk. The utilization of this type of data helps an organization to make collection decisions based on very granular account data.  This is done while considering new consumer trends such as strategic defaulters. Understanding all of the consumer variables will enable an organization to decide if the account should be allowed to self-cure.  If so, immediate action should be taken or modification of account terms should be contemplated. Incorporating new data sources and updating attributes on a regular basis allows lenders to react to market trends quickly by proactively managing strategies.  

--by Mike Sutton In today’s collections environment, the challenges of meeting an organization’s financial objectives are more difficult than ever.  Case volumes are higher, accounts are more difficult to collect and changing customer behaviors are rendering existing business models less effective. When responding to recent events, it is not uncommon for organizations to take what may seem to be the easiest path to success — simply hiring more staff. Perhaps in the short-term there may appear to be cash flow improvements, but in most cases, this is not the most effective way to cope with long-term business needs. As incremental staff is added to compensate for additional workloads, there is a point of diminishing return on investment and that can be difficult to define until after the expenditures have been made. Additionally, there are almost always significant operational improvements that can be realized by introducing new technology.  Furthermore, the relevant return on investment models often forecast very accurately. So, where should a collections department consider investing to improve financial results? The best option may not be the obvious choice, and the mere thought can make the most seasoned collections professionals shutter at the thought of replacing the core collections system with modern technology. That said, let’s consider what has changed in recent years and explore why the replacement proposition is not nearly as difficult or costly as in the past. Collection Management Software The collections system software industry is on the brink of a technology evolution to modern and next-generation offerings. Legacy systems are typically inflexible and do not allow for an effective change management program. This handicap leaves collections departments unable to keep up with rapidly changing business objectives that are a critical requirement in surviving these tough economic times. Today’s collections managers need to reduce operational costs while improving these objectives: reducing losses, improving cash flow and promoting customer satisfaction (particularly with those who pose a greater lifetime profit opportunity).  The next generation collections software squarely addresses these business problems and provides significant improvement over legacy systems. Not only is this modern technology now available, but the return on investment models are extremely compelling and have been proven in markets where successful implementations have already occurred. As an example of modern collections technologies that can help streamline operations, check out the overview and brief demonstration that is on this link: www.experian.com/decision-analytics/tallyman-demo.html.  

In my last entry, I talked about the challenges clients face in trying to meet multiple and complex regulatory requirements, such as FACT Act’s Red Flags Rule and the USA Patriot Act.  While these regulations serve both different and shared purposes, there are some common threads between the two: 1. You must consider the type of accounts and methods of account opening: The type of account offered - credit or deposit, consumer or business – as well as the method of opening – phone, online, or face-to-face – has a bearing on the steps you need to take and the process that will be established. 2. Use of consumer name, address, and identification number:The USA Patriot Act requires each of these – plus date of birth – to open a new account.  Red Flags stops short of “requiring” these for new account openings, but it consistently illustrates the use of these Personally Identifiable Information (PII) elements as examples of reasonable procedures to detect red flags. 3. Establishing identity through non-documentary verification:Third party information providers, such as a credit reporting agency or data broker, can be used to confirm identity, particularly in the case where the verification is not done in person. Knowing what’s in common means you can take a look at where to leverage processes or tools to gain operational and cost efficiencies and reduce negative impact on the customer experience.  For example, if you’re using any authentication products today to comply with the USA Patriot Act and/or minimize fraud losses, the information you collect from consumers and authentication steps you are already taking now may suffice for a large portion of your Red Flags Identity Theft Prevention Program. And if you’re considering fraud and compliance products for account opening or account management – it’s clear that you’ll want something flexible that, not only provides identity verification, but scales to the compliance programs you put in place, and those that may be on the horizon.  

--by Mike Sutton I recently interviewed a number of Experian clients to determine how they believe their organizations and industry peers will prioritize collections process improvement over the next 24 months. Additional contributions were collected by written surveys. Here are several interesting observations:   Improve Collections survey results: Financial services professionals, in general, ranked “loss mitigation / risk management improvement” as the most critical area of focus. Credit unions were the financial services group’s exception and placed” customer relationship management / attrition control” at the top of their priority list. Healthcare providers ranked both “general delinquency management” and “improving cash flow / receivables” as their primary area of focus for the foreseeable future. Almost all of the first-party contributors, across all industries polled, ranked “operational expense management / cost reductions” as being very important or at least a high priority. This category was also rated the most critical by utilities. “External partner management (agencies, repo vendors and debt buyers)” also ranked high, but did not stand out on its own, as a top priority for any particular group.     All of the categories mentioned above were considered important by every respondent, but the most urgent priorities were not consistent across industries.        

While the FACT Act’s Red Flags Rule seems to capture all of the headlines these days, it’s just one of a number of compliance challenges that banks, credit unions, and a myriad of other institutions face on a daily basis.  And meeting today’s regulatory requirements is more complicated than ever.  Risk managers and compliance officers are asked to consider many questions, including: 1. Do FACTA Sections 114 and 315 apply to me? 2. What do I have to do to comply? 3. What impact does this have on the customer’s experience? 4. What is this going to cost me in terms of people and process? Interpretation of the law or guideline – including who it applies to and to whom it does not - varies widely.  Which types of businesses are subject to the Red Flags Rule?  What is a “covered account?”  If you’re not sure, you’re not alone - it’s a primary reason why the Federal Trade Commission (FTC) continues to postpone enforcement of the rule, while this healthy debate continues. And by the way, FTC – it’s almost November 1st…aren’t we about due for another delay? But we’re not talking about just protecting consumers from identity theft and reducing fraud and protecting themselves using the Identity Theft Prevention Program. The USA Patriot Act and “Know Your Customer” requirements have been around much longer, but there are current challenges of interpretation and practical application when it comes to identifying customers and performing due diligence to deter fraud and money laundering.  Since Customer Identification Programs require procedures based on the bank’s own “assessment of the relevant risks,” including types of accounts opened, methods of opening, and even the bank’s “size, location, and customer base,” it’s safe to say that each program will differ slightly – or even greatly. So it’s clear there’s a lack of specificity in the regulations of the Red Flags Rule which cause heartburn for those tasked with compliance…but are there some common themes and requirements across the two?  The short answer is Yes.  In my next post, I’ll talk about the elements in common and how authentication products can play a part in addressing both.  

In my previous three postings, I’ve covered basic principles that can define a risk-based authentication process, associated value propositions, and some best-practices to consider. Finally, I’d like to briefly discuss some emerging informational elements and processes that enhance (or have already enhanced) the notion of risk-based authentication in the coming year.  For simplicity, I’m boiling these down to three categories: 1. Enterprise Risk Management – As you’d imagine, this concept involves the creation of a real-time, cross channel, enterprise-wide (cross business unit) view of a consumer and/or transaction.  That sounds pretty good, right?  Well, the challenge has been, and still remains, the cost of developing and implementing a data sharing and aggregation process that can accomplish this task.  There is little doubt that operating in a more silo’d environment limits the amount of available high-risk and/or positive authentication data associated with a consumer…and therefore limits the predictive value of tools that utilize such data.  It is only a matter of time before we see more widespread implementation of systems designed to look at a single transaction, an initial application profile, previous authentication results, or other relationships a consumer may have within the same organization -- and across all of this information in tandem.  It’s simply a matter of the business case to do so, and the resources to carry it out. 2. Additional Intelligence – Beyond some of the data mentioned above, some additional informational elements emerging as useful in isolation (or, even better, as a factor among others in a holistic assessment of a consumer’s identity and risk profile) include these areas:  IP address vs. physical address comparisons; device ID or fingerprinting; and biometrics (such as voice verification).  While these tools are being used and tested in many organizations and markets, there is still work to be done to strike the right balance as they are incorporated into an overall risk-based authentication process.  False positives, cost and implementation challenges still hinder widespread use of these tools from being a reality.  That should change over time, and quickly to help with the cost of credit risk. 3. Emerging Verification Techniques – Out-of-band authentication is defined as the use of two separate channels, used simultaneously, to authenticate a customer.  For example: using a phone to verify the identity of that person while performing a Web transaction.  Similarly, many institutions are finding success in initiating SMS texts as a means of customer notification and/or verification of monetary or non-monetary transactions.  The ability to reach out to a consumer in a channel alternate to their transaction channel is a customer friendly and cost effective way to perform additional due diligence.  

By: Kennis Wong In Part 1 of Generic fraud score, we emphasized the importance of a risk-based approach when it comes to fraud detection. Here are some further questions you may want to consider. What is the performance window? When a model is built, it has a defined performance window. That means the score is predicting a certain outcome within that time period. For example, a traditional risk score may be predicting accounts that are decreasing in twenty-four months. That score may not perform well if your population typically worsens in two months. This question is particularly important when it relates to scoring your population. For example, if a bust-out score has a performance window of three months, and you score your accounts at the time of acquisition, it would only catch accounts that are busting-out within the next three months. As a result, you should score your accounts during periodic account reviews in addition to the time of acquisition to ensure you catch all bust-outs.  Therefore, bust out fraud is an important indicator. Which accounts should I score? While it’s typical for creditors to use a fraud score on every applicant at the time of acquisition, they may not score all their accounts during review. For example, they may exclude inactive accounts or older accounts assuming those with a long history means less likelihood of fraud. This mistake may be expensive. For instance, the typical bust-out behavior is for fraudsters to apply for cards way before they intend to bust out. This may be forty-eight months or more. So when you think they are good and profitable customers, they can strike and leave you with seriously injury. Make sure that your fraud database is updated and accurate.  As a result, the recommended approach is to score your entire portfolio during account review. How often do I validate the score? The answer is very often -- this may be monthly or quarterly. You want to understand whether the score is working for you – do your actual results match the volume and risk projections? Shifts of your score distribution will almost certainly occur over time. To meet your objectives over the long run, continue to monitor and adjust cutoffs.  Keep your fraud database updated at all times.    

When reviewing offers for prospective clients, lenders often deal with a significant amount of missing information in assessing the outcomes of lending decisions, such as: Why did a consumer accept an offer with a competitor? What were the differentiating factors between other offers and my offer, i.e. what were their credit score trends? What happened to consumers that we declined? Do they perform as expected or better than anticipated? What were their credit risk models? While lenders can easily understand the implications of the loans they have offered and booked with consumers, they often have little information about two important groups of consumers: 1. Lost leads: consumers to whom they made an offer but did not book 2. Proxy performance: consumers to whom financing was not offered, but where the consumer found financing elsewhere. Performing a lost lead analysis on the applications approved and declined, can provide considerable insight into the outcomes and credit performance of consumers that were not added to the lender’s portfolio. Lost lead analysis can also help answer key questions for each of these groups: How many of these consumers accepted credit elsewhere? What were their credit attributes? What are the credit characteristics of the consumers we're not booking? Were these loans booked by one of my peers or another type of lender? What were the terms and conditions of these offers? What was the performance of the loans booked elsewhere? Who did they choose for loan origination? Within each of these groups, further analysis can be conducted to provide lenders with actionable feedback on the implications of their lending policies, possibly identifying opportunities for changes to better fulfill lending objectives. Some key questions can be answered with this information: Are competitors offering longer repayment terms? Are peers offering lower interest rates to the same consumers? Are peers accepting lower scoring consumers to increase market share? The results of a lost lead analysis can either confirm that the competitive marketplace is behaving in a manner that matches a lender’s perspective.  It can also shine a light into aspects of the market where policy changes may lead to superior results. In both circumstances, the information provided is invaluable in making the best decision in today’s highly-sensitive lending environment.