Well, here we are nearly at the beginning of November. The Red Flags Rule has been with us for nearly two years, and the FTC’s November 1, 2009 enforcement date is upon us as well (I know I’ve said that before). There is little value in me chatting about the core requirements of the Red Flags Rule at this point. Instead, I’d like to shed some light on what we are seeing and hearing these days from our clients and industry experts related to this initiative.

Red Flags Rule responses from clients

1. Most clients have a solid written and operational Identity Theft Prevention Program in place that arguably meets their interpretation of the Red Flags Rule requirements.
2. Most clients have a solid written and operational Identity Theft Prevention Program in place that creates a boat-load of referrals, due to the address mismatches generated in their process(es) and the requirement to do something with them.
3. Most clients are now focusing on ways to reduce the number of referrals generated, and on procedures to clear the remaining referrals in a cost-effective and automated manner…of course, while preventing fraud and staying compliant with the Red Flags Rule.

In 2008, a key focus at Experian was to help educate the market around the Red Flags Rule concepts and requirements. The concentration in 2009 has nearly fully shifted to assisting the market in creating risk-based authentication programs that leverage holistic views of a consumer, with flexible tools applied to a consumer based on that person’s authentication and risk profile, and an overall decisioning strategy that balances risk, compliance, and resource constraints.

Spirit of the Red Flags Rule

The spirit of the Red Flags Rule is intended to ensure that all covered institutions are employing basic identity theft prevention procedures (a pretty good idea).
I believe most of these institutions (even those that had very robust programs in place years before the rule was introduced) can appreciate this requirement that brings all institutions up to speed. It is now, however, a matter of managing process within the realities of, and costs associated with, manpower, IT resources, and customer experience sensitivities.
As I wrote in my previous posting, a key Red Flags Rule challenge facing many institutions is managing the number of referrals generated from the detection of Red Flags conditions. The big-ticket item in referral generation is the address mismatch condition.

Identity Theft Prevention Program

I’ve blogged previously on the subject of risk-based authentication and risk-based pricing, so I won’t rehash that information. What I will suggest, however, is that those institutions that now have an operational Identity Theft Prevention Program (if you don’t, I’d hurry up) should continue to explore the use of alternate data sources, analytics and additional authentication tools (such as knowledge-based authentication) as a way to detect Red Flags conditions and reconcile them within the same real-time transaction.

Referral rates

Referral rates stemming from address mismatches (a key component of the Red Flags Rule high-risk conditions) can approach or even surpass 30 percent. That is a lot. The good news is that there are tools which employ additional data sources beyond a credit profile to “find” that positive address match. The use of alternate data sources can often clear the majority of these initial mismatches, leaving the remaining transactions for treatment with analytics and knowledge-based authentication within the Identity Theft Prevention Program. Whatever “referral management” process you have in place today, I’d suggest exploring risk-based authentication tools that allow you to keep the vast majority of those referrals out of the hands of live agents, and away from the need to put your customers through the authentication wringer. In the current marketplace, there are many services that allow you to avoid high referral costs and risks to customer experience. Of course, we think ours are pretty good.
In my previous three postings, I’ve covered basic principles that can define a risk-based authentication process, associated value propositions, and some best practices to consider. Finally, I’d like to briefly discuss some emerging informational elements and processes that enhance (or have already enhanced) the notion of risk-based authentication in the coming year. For simplicity, I’m boiling these down to three categories:

1. Enterprise Risk Management – As you’d imagine, this concept involves the creation of a real-time, cross-channel, enterprise-wide (cross business unit) view of a consumer and/or transaction. That sounds pretty good, right? Well, the challenge has been, and still remains, the cost of developing and implementing a data sharing and aggregation process that can accomplish this task. There is little doubt that operating in a more siloed environment limits the amount of available high-risk and/or positive authentication data associated with a consumer…and therefore limits the predictive value of tools that utilize such data. It is only a matter of time before we see more widespread implementation of systems designed to look at a single transaction, an initial application profile, previous authentication results, or other relationships a consumer may have within the same organization -- and across all of this information in tandem. It’s simply a matter of the business case to do so, and the resources to carry it out.

2. Additional Intelligence – Beyond some of the data mentioned above, some additional informational elements emerging as useful in isolation (or, even better, as a factor among others in a holistic assessment of a consumer’s identity and risk profile) include: IP address vs. physical address comparisons; device ID or fingerprinting; and biometrics (such as voice verification). While these tools are being used and tested in many organizations and markets, there is still work to be done to strike the right balance as they are incorporated into an overall risk-based authentication process. False positives, cost and implementation challenges still keep widespread use of these tools from being a reality. That should change over time, and quickly, to help with the cost of credit risk.

3. Emerging Verification Techniques – Out-of-band authentication is defined as the use of two separate channels, used simultaneously, to authenticate a customer. For example: using a phone to verify the identity of a person while that person performs a Web transaction. Similarly, many institutions are finding success in initiating SMS texts as a means of customer notification and/or verification of monetary or non-monetary transactions. The ability to reach out to a consumer in a channel other than their transaction channel is a customer-friendly and cost-effective way to perform additional due diligence.
In my previous two blog postings, I’ve tried to briefly articulate some key elements of, and value propositions associated with, risk-based authentication. In this entry, I’d like to suggest some best practices to consider as you incorporate and maintain a risk-based authentication program.

1. Analytics – Since an authentication score is likely the primary decisioning element in any risk-based authentication strategy, it is critical that a best-in-class scoring model is chosen and validated to establish performance expectations. This initial analysis will allow decisioning thresholds to be established. It will also allow accept and referral volumes to be planned for operationally. Furthermore, it will permit benchmarks to be established against which follow-on performance monitoring can be compared.

2. Targeted decisioning strategies – Applying unique and tailored decisioning strategies (incorporating scores and other high-risk or positive authentication results) to the various access channels to your business simply makes sense. Each access channel (call center, Web, face-to-face, etc.) comes with unique risks, available data, and varied opportunity to apply an authentication strategy that balances these areas: risk management, operational effectiveness, efficiency and cost, improved collections and customer experience. Champion/challenger strategies may also be a great way to test newly devised strategies within a single channel without putting an entire addressable market, and your business as a whole, at risk.

3. Performance Monitoring – It is critical that key metrics are established early in the risk-based authentication implementation process. Key metrics may include, but should not be limited to, these areas:
• actual vs. expected score distributions;
• actual vs. expected characteristic distributions;
• actual vs. expected question performance;
• volumes, exclusions;
• repeats and mean scores;
• actual vs. expected pass rates;
• accept vs. referral score distribution;
• trends in decision code distributions; and
• trends in decision matrix distributions.
Performance monitoring provides an opportunity to manage referral volumes, decision threshold changes, strategy configuration changes, auto-decisioning criteria and pricing for risk-based authentication.

4. Reporting – It likely goes without saying, but in order to apply the three best practices above, accurate, timely, and detailed reporting must be established around your authentication tools and results. Regardless of frequency, you should work with internal resources and your third-party service provider(s) early in your implementation process to ensure relevant reports are established and delivered.

In my next posting, I will be discussing some thoughts about the future state of risk-based authentication.
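As an added illustration of the performance-monitoring practice above (not code from the original post), this Python block compares actual vs. expected score-band distributions and pass rates for one reporting period and raises an alert when either drifts. The score bands, benchmark figures, accept threshold and production scores are all constructed, and the Population Stability Index (PSI) is my choice of drift statistic.

```python
"""Performance monitoring for a risk-based authentication score (added example)."""
import math
from typing import Dict, List, Tuple

# Bands of a constructed 0-999 authentication score, upper bound inclusive.
BANDS: List[Tuple[int, int]] = [(0, 299), (300, 449), (450, 699), (700, 999)]
ACCEPT_THRESHOLD = 700   # the same threshold the decisioning strategy applies


def band_of(score: int) -> int:
    """Index of the band containing `score`."""
    for i, (lo, hi) in enumerate(BANDS):
        if lo <= score <= hi:
            return i
    raise ValueError(f"score out of range: {score}")


def distribution(scores: List[int]) -> List[float]:
    """Share of scores in each band; sums to 1.0."""
    counts = [0] * len(BANDS)
    for s in scores:
        counts[band_of(s)] += 1
    return [c / len(scores) for c in counts]


def psi(expected: List[float], actual: List[float], eps: float = 1e-4) -> float:
    """Population Stability Index between two band distributions.

    Common rule of thumb: below 0.1 stable, 0.1-0.25 watch, above 0.25 investigate.
    """
    total = 0.0
    for e, a in zip(expected, actual):
        e, a = max(e, eps), max(a, eps)          # guard log(0) on empty bands
        total += (a - e) * math.log(a / e)
    return total


def pass_rate(scores: List[int], threshold: int = ACCEPT_THRESHOLD) -> float:
    """Share of scores at or above the accept threshold."""
    return sum(s >= threshold for s in scores) / len(scores)


def monitor(expected_dist: List[float], expected_pass: float, scores: List[int],
            psi_alert_at: float = 0.25, pass_tolerance: float = 0.05) -> Dict[str, object]:
    """Compare one reporting period against the validation benchmarks."""
    actual_dist = distribution(scores)
    actual_pass = pass_rate(scores)
    drift = psi(expected_dist, actual_dist)
    return {
        "actual_distribution": actual_dist,
        "psi": drift,
        "psi_alert": drift > psi_alert_at,
        "actual_pass_rate": actual_pass,
        "pass_rate_alert": abs(actual_pass - expected_pass) > pass_tolerance,
    }


def synth_scores(counts_per_band: List[int]) -> List[int]:
    """Constructed production log: counts_per_band[i] scores at the midpoint of band i."""
    return [(lo + hi) // 2 for (lo, hi), n in zip(BANDS, counts_per_band) for _ in range(n)]


# Benchmarks from the (constructed) validation exercise.
EXPECTED_DIST = [0.05, 0.10, 0.25, 0.60]
EXPECTED_PASS = 0.60

if __name__ == "__main__":
    stable_month = synth_scores([1, 2, 5, 12])   # matches the benchmark exactly
    shifted_month = synth_scores([6, 6, 4, 4])   # population has shifted toward low scores
    for label, scores in (("stable", stable_month), ("shifted", shifted_month)):
        print(label, monitor(EXPECTED_DIST, EXPECTED_PASS, scores))
```

A shift like the second period is exactly the situation the posts warn about: more applicants fall into the referral bands, so the referral queue grows and the decision thresholds need revisiting before the operations team feels it.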
In my last blog posting, I presented the foundational elements that enable risk-based authentication: data, detailed and granular results, analytics and decisioning. The inherent value of risk-based authentication can be summarized as delivering a holistic assessment of a consumer and/or transaction with the end goal of applying the right authentication and decisioning treatment at the right time. The opportunity, especially, to minimize fraud losses by using fraud analytics as part of your assessment is significant. What are some residual values of risk-based authentication?

1. Minimized fraud losses. This involves the use of fraud analytics, and a more comprehensive view of a consumer identity (the good and the bad), in combination with consistent decisioning over time. This analysis will outperform simple binary rules and more subjective decisioning.

2. Improved consumer experience. By applying the right authentication and treatment at the right time, consumers are subjected to processes that are proportional to the risk associated with their identity profile. This means that lower-risk consumers are less likely to be put through more arduous courses of action, preserving a streamlined and often purely “behind the scenes” authentication process for the majority of consumers and potential consumers. In other words, you are saving the pain for the bad guys -- and that can be a good thing.

3. Operational efficiencies. These can be achieved with the implementation of a well-designed program. Much of the decisioning can be done without human intervention and subjective contemplation. Use of score-driven policies affords businesses the opportunity to use automated authentication processes for the majority of their applicants or account management cases. Fewer human resources will be required, which usually means lower costs. Or, it can mean the human resources you possess are more appropriately focused on the applications or transactions that warrant such attention.

4. Measurable performance. This is critical because understanding the past and current performance of risk-based authentication policies allows for the adjustment of such policies over time. These adjustments can be made based on evolving fraud risks, resource constraints, approval rate pressures, and compliance requirements, just to name a few. Given its importance, Experian recommends performance monitoring for our clients using our authentication products.

In my next posting, I’ll discuss some best practices associated with implementing and managing a risk-based authentication program.
The term “risk-based authentication” means many things to many institutions. Some use the term to refer to their processes; others, to their various service providers. I’d like to establish the working definition of risk-based authentication for this discussion as: “Holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time.” Now, that “holistic assessment” thing is certainly where the rubber meets the road, right? One can arguably approach risk-based authentication from two directions. First, a risk assessment can be based upon the type of products or services potentially being accessed and/or utilized (example: line of credit) by a customer. Second, a risk assessment can be based upon the authentication profile of the customer (example: ability to verify identifying information). I would argue that both approaches have merit, and that a best practice is to merge both into a process that looks at each customer and transaction as unique and therefore worthy of distinctively defined treatment.

In this posting, speaking as a provider of consumer and commercial authentication products and services, I want to first define four key elements of a well-balanced risk-based authentication tool: data, detailed and granular results, analytics, and decisioning.

1. Data: Broad-reaching and accurately reported data assets that span multiple sources, providing far-reaching and comprehensive opportunities to positively verify consumer identities and identity elements.

2. Detailed and granular results: Authentication summary and detailed-level outcomes that portray the amount of verification achieved across identity elements (such as name, address, Social Security number, date of birth, and phone) deliver a breadth of information and allow positive reconciliation of high-risk fraud and/or compliance conditions. Specific results can be used in manual or automated decisioning policies as well as scoring models.

3. Analytics: Scoring models designed to consistently reflect overall confidence in consumer authentication as well as the fraud risk associated with identity theft, synthetic identities, and first-party fraud. This allows institutions to establish consistent and objective score-driven policies to authenticate consumers and reconcile high-risk conditions. Use of scores also reduces the false positive ratios associated with single or grouped binary rules. Additionally, scores provide internal and external examiners with a measurable tool for incorporation into both written and operational fraud and compliance programs.

4. Decisioning: Flexibly defined, data- and operationally-driven decisioning strategies that can be applied to the gathering, authentication, and level of acceptance or denial of consumer identity information. This affords institutions an opportunity to employ consistent policies for detecting high-risk conditions, reconciling those conditions that can be reconciled, and ultimately determining the response to consumer authentication results – whether it be acceptance, denial of business or somewhere in between (e.g., further authentication treatments).

In my next posting, I’ll talk more specifically about the value propositions of risk-based authentication, and identify some best practices to keep in mind.
There were always questions around the likelihood that the August 1, 2009 deadline would stick. Well, the FTC has pushed out the Red Flag Rules compliance deadline to November 1, 2009 (from the previously extended August 1, 2009 deadline). This extension is in response to pressures from Congress – and, likely, "lower risk" businesses questioning their being covered under the Red Flag Rule to begin with (businesses such as those related to healthcare, retailers, small businesses, etc.). Keep in mind that the FTC extension on enforcement of the Red Flag Guidelines does not apply to address discrepancies on credit profiles, and that those discrepancies are expected to be worked TODAY. Risk management strategies are key to your success. To view the entire press release, visit: http://www.ftc.gov/opa/2009/07/redflag.shtm
As I've suggested in previous postings, we've certainly expected more clarifying language from the Red Flags Rule drafting agencies. Well, here is some pretty good information in the form of another FAQ document created by the Board of Governors of the Federal Reserve System (FRB), Federal Deposit Insurance Corporation (FDIC), National Credit Union Administration (NCUA), Office of the Comptroller of the Currency (OCC), Office of Thrift Supervision (OTS), and Federal Trade Commission (FTC). This is a great step forward in responding to many of the same Red Flag guidelines questions that we get from our clients, and I hope it's not the last one we see. You can access the document via any of the agency websites, but for quick reference, here is the FDIC version: http://www.fdic.gov/news/news/press/2009/pr09088.html
We at Experian have been conducting a survey of visitors to our Red Flag guidelines microsite (www.experian.com/redflags). Some initial findings show that approximately 40 percent of those surveyed were "ready" by the original November 1, 2008 deadline. However, nearly 50 percent of the respondents found the Identity Theft Red Flag deadline extension(s) helpful. For those of you that have not taken the survey, please do so. We welcome your feedback.
As most industry folks are aware, the FTC recently pushed out their Red Flags Rule enforcement deadline to August 1, 2009. It is important to note, however, that this extension does not apply to the specific requirement that institutions with covered accounts detect and respond to address discrepancies related to consumer credit profiles. The original November 1, 2008 deadline is, and has been, the line in the sand for this requirement. I recommend that those institutions still working toward a compliant written and operational Identity Theft Prevention Program ensure that they have in place today a process to detect and respond to address discrepancies noted on credit profiles.
One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315. Section 315 provides guidance regarding the reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. A couple of common questions and answers to get us started:

1. How do the credit reporting agencies display an address discrepancy? Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied upon inquiry.

2. How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested? Following procedures that you have implemented as part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You also may compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly.

In my last posting, I discussed the value of a risk-based approach to Red Flag compliance. Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions…including address discrepancies on a consumer credit report. Arguably, the biggest Red Flag problem we solve for our clients these days is responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program. There are many tools available that can detect Red Flag conditions. The best-in-class solutions, however, are those that not only detect these conditions, but also allow for cost-effective and accurate reconciliation of high-risk conditions.
Remember, a Red Flag compliant program is one that identifies and detects high-risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change. A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority of these could be positively reconciled (a.k.a. authenticated) through the use of alternate data sources and scores. Layer consumer-facing knowledge-based authentication questions on top of a solid decisioning strategy built on these elements, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center. Now that address discrepancies can no longer be ignored, this approach can save your operations team from having to add headcount to respond to this initially detected condition.
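The reconciliation sequence described in this post and in the earlier “Referral rates” post (a credit-profile address mismatch raises the referral; alternate data sources are tried for a positive match; what remains is scored and, in the mid band, stepped up to knowledge-based authentication; only the residue reaches a manual queue), as an added Python example that is not Experian’s code. The applicants, alternate sources, 0-999 score and 700/450 thresholds are all constructed.

```python
"""Referral-management waterfall for address-discrepancy Red Flags (added example)."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Outcome(str, Enum):
    ACCEPT = "accept"            # authenticated with no human involvement
    KBA = "kba_pending"          # stepped up to knowledge-based authentication
    MANUAL = "manual_referral"   # lands in the agent queue


@dataclass
class Applicant:
    app_id: str
    input_address: str                   # address supplied on the inquiry
    credit_file_addresses: List[str]     # addresses displayed on the credit profile
    alt_sources: Dict[str, str]          # alternate data source -> address on file
    auth_score: int                      # constructed 0-999 authentication confidence score
    kba_result: Optional[bool] = None    # None = KBA not (yet) completed


def normalize(addr: str) -> str:
    """Case/punctuation-insensitive comparison key for addresses."""
    return " ".join(addr.upper().replace(".", "").replace(",", "").split())


def address_discrepancy(app: Applicant) -> bool:
    """True when the inquiry address matches none of the credit-file addresses."""
    key = normalize(app.input_address)
    return all(normalize(a) != key for a in app.credit_file_addresses)


def alternate_source_match(app: Applicant) -> Optional[str]:
    """Name of the first alternate source that positively matches the inquiry address."""
    key = normalize(app.input_address)
    return next((s for s, a in app.alt_sources.items() if normalize(a) == key), None)


def decide(app: Applicant, accept_at: int = 700, kba_at: int = 450) -> Tuple[Outcome, str]:
    """Route one applicant through the waterfall; returns (outcome, reason code)."""
    if not address_discrepancy(app):
        return Outcome.ACCEPT, "credit_file_address_match"
    source = alternate_source_match(app)
    if source:                                 # cleared without touching an agent
        return Outcome.ACCEPT, f"alt_source_match:{source}"
    if app.auth_score >= accept_at:            # score alone is strong enough
        return Outcome.ACCEPT, "score_accept"
    if app.auth_score >= kba_at:               # mid band: consumer-facing step-up
        if app.kba_result is None:
            return Outcome.KBA, "kba_required"
        return (Outcome.ACCEPT, "kba_pass") if app.kba_result else (Outcome.MANUAL, "kba_fail")
    return Outcome.MANUAL, "score_below_kba_floor"


def run_batch(apps: List[Applicant]) -> Dict[str, float]:
    """Referral rate before the waterfall (raw discrepancies) and after (manual queue)."""
    n = len(apps)
    raw = sum(address_discrepancy(a) for a in apps)
    manual = sum(decide(a)[0] is Outcome.MANUAL for a in apps)
    return {"raw_referral_rate": raw / n, "manual_referral_rate": manual / n}


# Constructed sample batch: 10 applicants, 3 of them (30%) with a credit-file mismatch.
HOME = "12 Oak Ave, Springfield"
SAMPLE = [Applicant(f"clean-{i}", HOME, [HOME], {}, 800) for i in range(7)] + [
    Applicant("moved", "9 Elm St, Springfield", [HOME], {"utility": "9 ELM ST SPRINGFIELD"}, 650),
    Applicant("mid-band", "9 Elm St, Springfield", [HOME], {"utility": HOME}, 600, kba_result=True),
    Applicant("low-score", "9 Elm St, Springfield", [HOME], {}, 300),
]

if __name__ == "__main__":
    for a in SAMPLE[7:]:
        print(a.app_id, *decide(a))
    print(run_batch(SAMPLE))
```

The reason codes are what the monitoring and reporting practices in the later posts consume: a rising share of `score_below_kba_floor` or `kba_fail` is the signal that the thresholds or the data sources need attention.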
What are your thoughts on the third extension to the Identity Theft Red Flags Rule deadline? Was your institution ready to meet Red Flag guidelines?
Does the rule list the Red Flags? The Identity Theft Red Flags Rule provides several examples of Red Flags in four separate categories:
1. alerts and notifications received from credit reporting agencies and third-party service providers;
2. the presentation of suspicious documents or suspicious identifying information;
3. unusual or suspicious account usage patterns; and
4. notices from a customer, identity theft victim or law enforcement.
The Federal Trade Commission announced on April 30, one day before the intended May 1 Red Flags Rule enforcement deadline, a third extension of that deadline to August 1, 2009. It's like showing up to class without your homework and the teacher is out sick that day….kind of. The first extension, from November 1, 2008 to May 1, 2009, seems to center on the general confusion among many market sectors around their level of coverage under the Identity Theft Red Flags Rule. This latest delay seems to be a result of pushback from businesses with a lower risk of identity theft occurrences and a more "known" consumer base.

So, it looks like we have at least three more months of preparation time. This can be a good thing for all institutions regardless of their current Red Flag guidelines readiness status. Those who scrambled to get a program in place now have time to fine-tune it. Those that were hoping for another extension have it. Those who still question what their program should look like, or whether they are even covered, can look forward to some more clarifying information out soon.

Some key takeaways from the announcement:
• The FTC announcement does not impact other federal agency enforcement deadlines dating back to November 1, 2008.
• Specific to institutions that may have a perceived lower risk of identity theft, or businesses that generally know their customers personally, the Commission will be publishing more clarifying language and a sample process (in the form of a template) to help those types of businesses comply with the Rule.
• Finally, this quote from the announcement sums it up: “Given the ongoing debate about whether Congress wrote this provision too broadly, delaying enforcement of the Red Flags Rule will allow industries and associations to share guidance with their members, provide low-risk entities an opportunity to use the template in developing their programs, and give Congress time to consider the issue further,” FTC Chairman Jon Leibowitz said.
I was recently asked in a comment, "What do we have to do to become compliant?" Great question. There is not a single path to compliance when it comes to Red Flags compliance. Effectively, an institution that has covered accounts under the Rule must implement both a written and an operational Identity Theft Prevention Program. The Red Flags Rule requires financial institutions and creditors to establish and maintain a written Program designed to detect, prevent and mitigate identity theft in connection with their covered accounts. The Program is a self-prescribed system of checks and balances that each financial institution and creditor implements to reach compliance with the Red Flags Rule. The goal of the provisions is to drive organizations to put into place a system that identifies patterns, practices and forms of activities that indicate the possible existence of identity theft. The provisions are not designed to steer the market to a “one size fits all” compliance platform. In essence, how businesses choose to meet the requirements will depend on the business size, operational complexity, customer transaction processes and risks associated with each of these characteristics.

A compliant Program must contain reasonable policies and procedures to address four mandatory elements:
1. Identifying Red Flags applicable to covered accounts and incorporating them into the Program;
2. Detecting and evaluating the Red Flags included in the Program;
3. Responding to the Red Flags detected in a manner that is appropriate to the degree of risk they pose; and
4. Updating the Program to address changes in the risks to customers, and to the financial institution’s or creditor’s safety and soundness, from identity theft.

The Red Flags Rule includes 26 illustrative examples of possible Red Flags financial institutions and creditors should consider when implementing a written Program. While implementation of any predetermined number of the 26 Red Flag examples is not mandatory, financial institutions and creditors should consider those that are applicable to their business processes, consumer relationships and levels of risk. The Red Flags Rule requires financial institutions and creditors to focus on identifying Red Flags applicable to their account opening activities, existing account maintenance, and new activity on an account that has been inactive for two years or more.

Some mandatory requirements include:
• Keeping a current, written Identity Theft Prevention Program that contains reasonable policies and procedures to identify, detect and respond to Red Flags, and keeping the Program updated;
• Confirming that the consumer reports requested from consumer reporting agencies are related to the consumer with whom the financial institution or creditor is doing business; and
• Reviewing address discrepancies.