Financial Services

The Communications Fraud Control Association’s annual meeting and educational event was held last week (June 14 – 16) at the Allerton hotel in Chicago, IL.   The Communications Fraud Control Association is made up of communications and security professionals, fraud investigators, analysts, and managers, law enforcement, those in risk management, and many others.   As an organization, they started out as a small group of communications professionals from the major long distance carriers who were looking for a better and more collaborative way to address communications fraud. Now, almost 30 years later, they’ve got over 60 members – a great representation of the industry yet still a nimble size. From what I hear, this makes for a specialized but quite effective “working” conference. Unfortunately I was not able to attend the conference but my colleague, Kennis Wong, attended and presented on the topic of Account Takeover and existing account fraud. It’s an area of fraud and compliance that Experian has spent some R&D on recently, with some interesting findings. In the past, we’ve been more focused on helping clients prevent new account and application fraud. It might seem like an interesting time to expand into this area, with some studies citing large drops in existing account fraud (2011 Identity Fraud Survey Report by Javelin).  BUT...consumer costs in this area are way UP, not to mention the headline-grabbing news stories about small business account takeover.  Which means it’s still a large pain point for financial institutions.   Experian’s research and development in existing account fraud, combined with our expertise in fraud scores and identity theft detection, has resulted in a new product which is launching at the end of this month: Precise ID for Customer Management. Stay tuned for more exciting details.

Whether you call it small business, commercial, or corporate account takeover, this form of existing account fraud has been in the headlines lately and seems to be on the rise. While account takeover happens to individual consumers quite frequently, it’s the sensational loss amounts and the legal battles between companies and their banks that are causing this form of commercial fraud to make the news. A recent BankInfoSecurity.com article, Fraud Verdict: Opinions Vary, is about a court opinion on a high profile ACH fraud case - Experi-Metal Inc. vs. Comerica Bank – that cites a number of examples of corporate account takeover cases with substantial losses: ·         Village View Escrow of Redondo Beach, Calif.:  lost $465,000 to an online hack ·         Hillary Machinery: settled with its bank for undisclosed terms in 2010. ·         The Catholic Diocese of Des Moines, Iowa:  lost $600,000 in fraudulent ACH transactions. I was curious what information was out there and publicly available to help businesses protect themselves and minimize fraud losses / risk. NACHA, the electronics payment association, had some of the best resources on their website.  Labeled the  “Corporate Account Takeover Resource Center”, it has a wide variety of briefs, papers, and recommendations documents including prevention practices for companies, financial institutions, and third-party service providers. There’s even a podcast on how to fight ACH fraud!  One thing was interesting to note, though. NACHA makes a point to distinguish between ACH fraud and corporate account takeover in this statement at the top of the web page: Corporate Account Takeover is a form of corporate identity theft where a business’ online credentials are stolen by malware. Criminal entities can then initiate fraudulent banking activity. Corporate Account Takeover involves compromised identity credentials and is not about compromises to the wire system or ACH Network. ACH fraud and wire fraud, terms mistakenly used to describe this type of criminal activity, are a misnomer. The ACH Network is safe and secure. Mostly I agree –the ACH Network is safe and secure. But from an F.I.'s or company’s perspective, corporate account takeover and ACH Fraud often go hand in hand.

For communications companies, acquiring new accounts is an ongoing challenge. However, it is critical to remember that managing new and existing accounts – and their respective risks – is of tremendous importance. A holistic view of the entire customer lifecycle is something every communications organization can benefit from. The following article was originally posted by Mike Myers on the Experian Business Credit blog. Most of us are pretty familiar with credit reports and scores, but how many of you are aware of the additional tools available to help you manage the entire credit risk lifecycle? I talk to credit managers everyday and as we’re all trying to do more with less, it’s easy to forget that opening accounts is just the first step. Managing risk on these accounts is as critical, if not more so, than opening them. While others may choose to “ship and chase”, you don’t need to. Proactive alert/monitoring services, regular portfolio scoring and segmentation are key components that a successful credit department needs to employ in the constant battle against “bad” accounts. Use these tools to proactively adjust credit terms and limits, both positively and negatively. Inevitably some accounts will go bad, but using collection research tools for skip tracing and targeting services for debt collection will put you first in line for collections. A journey of 1,000 miles begins with a single step; we have tools that can help you with that journey and all can be accessed online.

At Experian’s recent client conference, Vision 2011, there was a refreshing amount of positive discussion and outlook on origination rates and acquisition strategies for growth. This was coming not only from industry analysts participating in the conference but from clients as well. As a consumer, I’d sensed the ‘cautious optimism’ that we keep hearing about because my mailbox(the ‘original’ one, not email) has slowly been getting more and more credit card offer letters over the last 6 months.   Does this mean a return to prospecting and ultimately growth for financial institutions and lenders? It’s a glimmer of hope, for sure, although most agree that we’re a long way from being out of the woods, particularly with unemployment rates still high and the housing market in dire shape. Soooo…..you may be wondering where I’m going with this…. Since my job is to support banks, lenders, utilities and numerous other businesses’ in their fraud prevention and compliance efforts, where my mind goes is: how does a return to growth – even slight – impact fraud trends and our clients’ risk management policies? While many factors remain to be seen, here are a few early observations: ·         Account takeover, bust out fraud, and other types of existing account fraud had been on the rise while application fraud had declined or stayed the same (relative to the decrease in new originations); with prospecting and acquisition activity starting to increase, we will likely see a resurgence in new account fraud attempts and methods. ·         Financial institutions and consumers are under increasing risk of malware attacks; with more sophisticated malware technology popping up every day, this will likely be a prime means for fraudsters to commit identity theft and exploit potentially easier new account opening policies. ·         With fraud loss numbers flat or down, the contracted fraud budgets and delayed technology investments by companies over the last few years are a point of vulnerability, especially if the acquisition growth rate jumps substantially.  

By: Kennis Wong  Data is the very core of fraud detection. We are constantly seeking new and mining existing data sources that give us more insights into consumers’ fraud and identity theft risk. Here is a way to categorize the various data sources. Account level - When organizations detect fraud, naturally they leverage the data in-house. This type of data is usually from the individual account activities such as transactions, payments, locations or types of purchases, etc. For example, if there’s a purchase $5000 at a dry cleaner, the transaction itself is suspicious enough to raise a red flag. Customer level - Most of the times we want to see a bigger picture than only at the account level. If the customer also has other accounts with the organization, we want to see the status of those accounts as well. It’s not only important from a fraud detection perspective, but it’s also important from a customer relationship management perspective. Consumer level - As Experian Decision Analytics’ clients can attest, sometimes it’s not sufficient to look only at the data within an organization but also to look at all the financial relationships of the consumer. For example, in the situation of bust out fraud or first-party fraud, if you only look at the individual account, it wouldn’t be clear whether a consumer has truly committed the fraud. But when you look at the behavior of all the financial relationships, then the picture becomes clear. Identity level - Fraud detection can go into the identity level. What I mean is that we can tie a consumer’s individual identity elements with those of other consumers to discover hidden inconsistencies and relationships. For example, we can observe the use of the same SSN across different applications and see if the phones or addresses are the same. In the account management environment, when detecting existing account fraud or account takeover, this level of linkage is very useful as more data becomes available after the account is open. Loading...

It’s that time of year again – when people all over the U.S. take time away from life’s daily chores and embark upon that much-needed refresh: vacation! But just as fraud activity spikes during the holidays, there are also fraud trends suggesting spikes in fraudster activity during the summer. With consumers on vacation, identity theft becomes easier. Consumers are most likely to break their normal spending trends and break patterns established by fraud analytics; and consumers are less likely to be as attentive to elements that can help minimize fraud while out of town. There has been plenty of research to demonstrate that fraudsters perpetrate account takeover by changing the pin, address, or email address of an account. Now, fraudsters are more likely to add themselves as an authorized user to the account, which may not be considered a high-risk flag in transactional decisioning strategies. By identifying risky behaviors or patterns outside of a consumer’s normal behavior and an engaging in a knowledge based authentication session with the consumer, it is possible to help minimize the risk of fraud. Knowledge based authentication provides strong authentication and can be part of a risk-based approach to on-going account management, protecting both businesses and consumers from being burned, at least by fraudsters, while on vacation.

By: Kari Michel On March 18th 2011 the Federal Reserve Board approved a rule amending Regulation Z (Truth in Lending) to clarify portions of the final rules implementing the Credit CARD Act of 2009. Specific to ability to pay requirements, the new rule states that credit card applications generally cannot request a consumer's "household income" because that term is too vague to allow issuers to properly evaluate the consumer's ability to pay. Instead, issuers must consider the consumer's individual income or salary. The new ruling will be effective October 2011. Given the new direction outlined in the latest rules, we've been hard at work on developing 2 income models to support these regulatory obligations and enhance the underwriting and risk assessment process - Income InsightSM and Income Insight W2SM.  Both income models estimate an individual’s income based on an individual credit report and can be used in acquisition strategies, account management review and collection processes.  Why two models? Income InsightSM estimates the consumer’s total income, including wages, investments, rentals and other income. Income Insight W2SM estimates wages only.  Check them out - and let us know what you think! We want to hear from you.

By: Kennis Wong When we think about fraud prevention, naturally we think about mininizing fraud at application. We want to ensure that the identities used in the application truly belong to the person who applies for credit, and not identity theft. But the reality is that some fraudsters do successfully get through the defense at application. In fact, according to Javelin’s 2011 Identity Fraud Survey Report, 2.5 million accounts were opened fraudulently using stolen identities in 2010, costing lenders and consumers $17 billion. And these numbers do not even include other existing account fraud like account takeover and impersonation (limited misusing of account like credit/debit card and balance transfer, etc.). This type of existing account fraud affected 5.5 million accounts in 2010, costing another $20 billion. So although it may seem like a no brainer, it’s worth emphasizing that we need to have fraud account management system and continue to detect fraud for new and established accounts. Existing account fraud is unlikely to go away any time soon.  Lending activities have changed significantly in the last couple of years. Origination rate in 2010 is still less than half of the volume in 2008, and booked accounts become riskier. In this type of environment, when regular consumers are having hard time getting new credits, fraudsters are also having hard time getting credit. So they will switch their focus to something more profitable like account takeover. In addition to application fraud, does your organization have appropriate tools and decisioning strategy to minimize fraud loss from existing account fraud?  

The next time a consumer asks about his or her credit score, consider it an opportunity. Recent changes to the Risk-Based Pricing (RBP) rule may provide new opportunities to strengthen relationships by educating consumers about what their credit scores mean, how they’re used, and how they can be improved. For many lenders and other businesses, this could be the first time they’ve had a chance to speak directly and openly with customers about their credit scores. The RBP rule is intended to improve financial literacy As we’ve discussed, the Risk-Based Pricing Rule was instituted in response to policymaker concerns that consumers were not being sufficiently informed of the impact that credit reports can have on their annual percentage rate (APR). Now, when a lender makes a credit decision based on a consumer credit report and does not offer the best possible rate, or denies credit, the RBP Rule requires lenders to notify the customer about the decision – through either an explanation of the rate offered or disclosing a credit score. New requirements take effect on July 21 RBP compliance is changing following recent passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Companies will now be required to provide all customers with a credit score within a Risk Based Pricing Notice, along with educational material. The new requirement is effective July 21, 2011. This is also the date when the new Bureau of Consumer Financial Protection (CFPB) is set to be fully operational. How to prepare for consumer questions about credit scores Experian offers a number of resources to help lenders answer consumer questions. Online resources, including the Ask Experian column and our extensive Credit Education section, provide fundamental information to help consumers better understand credit scores and credit reports. The Experian Credit Score Basics booklet, plus more than 20 other educational documents, are available electronically and formatted for easy printing and distribution. All documents, PowerPoint presentations, virtual seminars and education videos are available on a free mini-disk. Customized training and education is available The Experian Public Education team can also provide customized, live Internet-based training and education for our clients’ employees to help them effectively answer customer questions about credit reports and credit scores. For a free mini-disk or more information about training events, please contact Rod Griffin, Experian’s Director of Public Education, at 1 (972) 390-3528, or email clientcorner@experian.com. Take a moment to check out our Risk-Based Pricing microsite, too. Note: While Experian is happy to provide our observations related to the new Risk-Based Pricing Rule, please work with your own legal counsel to ensure that you comply with your obligations under the rule.

By: Kristan Frend Small business owners appear to be lucrative targets for identity fraud perpetrators, alarming banking institutions, payment processors, and B2B service providers. According to Javelin’s 2011 Small Business Owners (SMBO) Identity Fraud report, the cost of fraud and identity theft “hit SMBO constituents particularly hard. Javelin research uncovered what was previously an undocumented cost to the industry of $5 billion as a direct result of this fraud. In addition, financial institutions (FIs) lost over $590 million in clients and revenue opportunities over a five‐year period.” Additionally, the report indicated that small business owners mean fraud amount is about 5% higher than that for all consumers ($4,851 vs. $4,607). Even more alarming was the fact that the SMBO’s mean victim cost is 150% higher than consumer costs ($1,574 vs. $631). So what does all of this mean? If you’re a small business lender or service provider, having a robust multi-layered SMBO fraud prevention program in place is essential for client retention and avoiding reputational risk.   You can take control of the situation with more proactive fraud prevention strategies which will improve your relationships with SMBO customers and save them (and you) money in the long run.

By: Staci Baker It seems like every time I turn on the TV there is another natural disaster. Tsunami in Japan, tornadoes and flooding in the Mid-West United States, earthquakes and forest fires – everywhere; and these disasters are happening worldwide. They are not confined to one location. If a disaster were to happen near any of your offices, would you be prepared? Living in Southern California, this is something I think of often. Especially, since we are supposed to have had “the big one” for the past several years now. When developing a preparedness plan for a company, there are several things to take into consideration. Some are obvious, such as how to keep employees safe, developing steps for IT  to take to ensure data is protected , including an identity theft prevention program, and establishing contingency business plans in case a disaster directly hits your business and doors need to remain closed for several days, weeks, or …. But, what about the non-obvious items that should be included in a disaster preparedness plan? When a natural disaster hits, there is an increase in fraud. So much so, that after Hurricane Katrina battered the Gulf, the Hurricane Katrina Fraud Task Force, now known as the National Center for Disaster Fraud, was created. In addition to the items listed above, I recommend including the following. Create a plan that will put fraud alerts in place to minimize fraud.  Fraud alerts are not just to notify your clients when there is fraudulent activity on their accounts. Alerts should also be put in place to let you know when there is fraudulent activity within your own business as well. Depending on the type of disaster, delinquency rates may increase, since borrower funds may be diverted to other needs. Implement a disaster collections strategy, which may include modifying credit terms, managing credit risk, and loan loss provisioning. Although these are only a few things to be considered when developing a disaster preparedness plan, I hope it gets you thinking about what your company needs to do to be prepared. What are some things you have already done, or that are on your to do list to prepare your company for the next big event that may affect you?

Last week I attended the Merchant Risk Council’s 2011 MRC Annual e-Commerce Payments & Risk Conference.  I presented a session titled “Efficiency and Empowerment in Risk-based Authentication” with a client who has been able to use knowledge based authentication as a sales enabler - Home Shopping Network.  You might be wondering what I mean by this.  It is actually pretty simple:  Home Shopping Network already has a fraud prevention program in place and utilizes risk based authentication to send a percentage of orders to an outsort queue.  By using knowledge based authentication to further verify the true consumer, Home Shopping Network has been able to release an increased portion of those orders for shipping, increasing both revenue and the customer experience.  The paradigm shift was thinking of knowledge based authentication as a sale enabler, rather than just a fraud tool.  It was a great experience, to help share the story of this client’s success.   If you are interested in the Merchant Risk Council:  The Merchant Risk Council (MRC) is a merchant-led trade association focused on electronic commerce risk and payments.  They lead industry networking, education, benchmarking and advocacy programs to make electronic commerce more efficient, safe and profitable. For more information on the Home Shopping Network, visit: http://www.hsn.com

By: Kristan Frend I was recently pleased to see that the state I reside in, Minnesota finished in the bottom third of a state ranking.  Luckily the rankings weren’t about overall health (#6), high school graduation (#3), or SAT scores (#2); instead it was the Federal Trade Commission’s state identity theft complaint ranks.  Minnesota has just 49.2 complaints per 100,000 population, whereas the highest ranked state, Florida, as 114.8 complaints per 100,000 population.   The top three states leading identity theft consumer complaints (per 100,000 population) included Florida, Arizona, and California.   Besides warm sunshine and top-tier golf courses, what do these three states have in common?  According to the February 2011 RealtyTrac U.S. Foreclosure Market Report™, all three rank in the top 5 states for foreclosure, and two of the three (Florida and California) rank #49 and #50 in unemployment rates, according to a March 2011 report released by the Bureau of Labor Statistics.    On a national level unemployment rates and identity fraud incidence rates both improved from 2009 to 2010.  From 2009 to 2010, unemployment rates went from 10.0% to 9.4% while according to Javelin’s 2010 Annual Identity Fraud Survey Report, identity fraud incidence rates fell from 4.8% to 3.5%.    While it may be inaccurate to state that economic distress causes higher rates of identity fraud, there does seem to be a natural correlation between economic downswings and fraudulent activity.   As we move further into 2011, it will be interesting to see if identity fraud incidence rates will continue to decrease as unemployment and economic outlook is on the upward swing. 

Well, actually, it isn’t. The better question to ask is when to use knowledge based authentication (KBA). I know I have written before about using it as part of a risk based authentication approach to fraud account management, but I am often asked what I mean by that statement. So, I thought it might be a good idea to provide a few more details and give some examples. Basically, what I mean is this: risk segmentation based on binary verification is unwise. Binary verification can occur based on identity elements, or it can occur based on pass/fail performance from out of wallet questions, but the fact remains that the primary decisioning strategy is relying on a condition with two outcomes – verified or not verified, pass or fail – and that is unwise. When we recommend a risk based authentication approach, the view is more broadly based. We advocate using analytics and weighting many factors, including those identity elements and knowledge based authentication performance as part of an overall decision, rather than an as end-all decision. If you take this kind of approach, when might you want to use this kind of approach? The answer to that is just about any time a transaction contains a level of risk, understanding that each organization will have a unique definition and tolerance for “risk”. It could be an origination or account opening scenario, when you do not yet have a relationship with a consumer. It could be in an account management setting, when you have a relationship with the consumer and know their expected behavior (and therefore anything outside of expected behavior is risk). It could be in transactional settings where there is an exchange of money or information belonging to the consumer. All of these are appropriate uses for KBA as part of a risk based approach.

Application risk management processes for deposits has remained relatively unchanged for decades. Typically, it involves credit bureau data and a secondary check of “debit bureau” data. A “debit bureau” typically gathers information regarding known fraud and compiles a fraud database of perpetrators. Every applicant who passes the credit risk strategies is checked against this database. The challenge is that this process can be very expensive. Among a new class of fraud best practices is the idea of applying fraud models/fraud analytics as a filter upstream from the debit bureau’s fraud database. This practice enables deposit institutions to still identify known fraud and minimize fraud losses on those applicants that carry the highest risk. At the same time, costs are reduced by removing low risk accounts from the debit bureau check.    In addition to reducing costs, these revised acquisition strategies help reduce fraud referral rates while ensuring that application fraud does not increase. As deposit institutions look for ways to significantly reduce costs without suffering additional application fraud, look for the continued emergence of fraud analytics among 2011’s fraud best practices.