In Praise of (Identity) Maintenance
I recently listened to an episode of the Freakonomics Radio podcast titled “In Praise of Maintenance.” This episode explores the tradeoffs between innovation and maintenance, and raises the question of whether this is just a false dilemma. Do we really need to choose between building new things and maintaining the things we already have, or can we have both? This question reminded me of a common challenge faced by financial institutions (FIs) when contemplating their identity fraud protections throughout the customer account lifecycle. While the parallels between fraud prevention strategy and the question of whether to invest in space exploration versus bridge repair are loose at best, they both circle around the same core question… does the choice to actively maintain what is already established necessarily come at the expense of investing in what is new?
When it comes to identity fraud strategy, unfortunately, FIs don’t have any other choice but to walk and chew gum at the same time. When onboarding a brand new customer, it is critical for an FI to thoroughly proof the new customer’s identity and ensure that the person is who they say they are. Failing to verify the identity of a new customer could result in fraud loss, non-compliance, and reputational damage. And for these reasons, most FIs (to varying degrees) do a decent job vetting the identities of their new account applicants. But then what happens once that account is established? The FI has gone through all the paces to establish true belief of identity at the outset of the relationship, so why not maintain the identity – making sure it remains solid and uncompromised throughout the entire account lifecycle?
A growing body of evidence suggests that many FIs are not approaching “identity maintenance” with the appropriate level of rigor. But as identity takeover fraud continues to gain steam, this issue is becoming more and more important. Fraudsters are exploiting this lack of focus on existing account maintenance events (e.g., phone changes, online account changes, address changes, etc.) to fly under the radar and commit account takeover.
So what can you do to actively “maintain” your customer identities? In the simplest terms, when some aspect of your customer’s “identity” changes from what has previously been established… take a closer look and make sure the change can be explained. Here are a few examples:
• When you receive a request to update an existing customer’s account with a new phone number and you send account notifications via SMS, check to make sure that phone change is not subterfuge – a fraudster trying to route account alerts away from your true customer.
• When you receive a request to add an authorized user on an existing account and they ask for a new card shipped to a different address, check it out to make sure it isn’t a ploy by a fraudster to get their hands on a working card.
• When someone adds an email address to an existing account and shortly after tries to tokenize their card in a mobile wallet app, make sure it isn’t a fraudster trying to hide the notification from the true account holder.
While all of these examples seem worthy of a closer review, the truth is that many FIs today are not screening for these kinds of events in an automated, score-based, cross-enterprise way. But there are solutions that can help. Operationally speaking, installing these tools is easier than you might think. The system of record for “identity” is most commonly the Customer Information File (CIF) on the FI’s account processing platform. As such, the ideal solution for “identity maintenance” interfaces directly with the CIF, monitoring for potentially high-risk changes to your customer’s identity or contact information.
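To make the three scenarios above concrete, here is a sketch of score-based screening over a feed of CIF change events, correlated per customer regardless of channel. It is an added example, not code from any vendor product or from the author; the event names, field names, weights, 48-hour window and review threshold are all assumptions, and the events are constructed.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=48)   # assumed correlation window
REVIEW_THRESHOLD = 50          # assumed score at which a change is held for review

# Constructed CIF change feed: (timestamp, customer, channel, event, detail)
EVENTS = [
    ("2024-03-01T09:00", "C100", "call_center", "PHONE_CHANGE", {"sms_alerts": True}),
    ("2024-03-01T10:00", "C200", "online", "EMAIL_ADD", {}),
    ("2024-03-01T10:20", "C200", "mobile", "WALLET_TOKENIZE", {}),
    ("2024-03-02T14:00", "C300", "branch", "AUTH_USER_ADD", {}),
    ("2024-03-02T14:05", "C300", "call_center", "CARD_SHIP",
     {"ship_to": "9 Elm St", "address_on_file": "1 Main St"}),
    ("2024-03-03T08:00", "C400", "online", "PHONE_CHANGE", {"sms_alerts": False}),
    ("2024-03-01T10:00", "C500", "online", "EMAIL_ADD", {}),
    ("2024-03-09T10:00", "C500", "mobile", "WALLET_TOKENIZE", {}),  # outside window
]

def recent(history, event, now):
    """True if the customer had `event` within WINDOW before `now`, on any channel."""
    return any(e == event and now - t <= WINDOW for t, e in history)

def score_changes(events):
    """Return {customer: (score, [reasons])} for every customer in the feed."""
    history, results = {}, {}
    for ts, cust, channel, event, detail in sorted(events, key=lambda e: e[0]):
        now = datetime.fromisoformat(ts)
        seen = history.setdefault(cust, [])
        score, reasons = results.get(cust, (0, []))
        hit = None
        if event == "PHONE_CHANGE" and detail.get("sms_alerts"):
            hit = (50, "phone change on account that sends SMS alerts")
        elif (event == "CARD_SHIP" and recent(seen, "AUTH_USER_ADD", now)
              and detail["ship_to"] != detail["address_on_file"]):
            hit = (60, "new authorized user, card shipped off-file")
        elif event == "WALLET_TOKENIZE" and recent(seen, "EMAIL_ADD", now):
            hit = (60, "wallet tokenization soon after email add")
        if hit:
            score, reasons = score + hit[0], reasons + [f"{hit[1]} via {channel}"]
        seen.append((now, event))   # keep every change so later events can correlate
        results[cust] = (score, reasons)
    return results

def flagged(events):
    """Customers whose accumulated score meets the review threshold."""
    return sorted(c for c, (s, _) in score_changes(events).items() if s >= REVIEW_THRESHOLD)
```

Customer C300 is only caught because the branch event and the call-center event are scored against the same customer record, which is the cross-channel point made above.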
Integrating a score-based solution that detects risky account changes to the CIF can yield the following benefits:
• It ensures that all identity or account changes are properly screened, regardless of channel. This puts you in a better position to detect cross-channel identity fraud attacks.
• It ensures that all identity or account changes are properly screened, regardless of product. This puts you in a better position to see across product siloes and detect instances of full relationship takeover.
• By automating the screening process, it removes the burden of manual review and staff training.
• By automating the screening process, it ensures compliance with Red Flag on every applicable account change (i.e., address changes).
As banking continues to shift away from branches to digital channels, FIs rely increasingly on phone numbers and email addresses as critical contact points for interacting with their customers. Having the right controls deployed in the right systems can ensure that the contact information in the customer profile authentically belongs to the actual customer, thus thwarting identity takeover attacks and maintaining trusted relationships with your customers.
Some things really are worth the maintenance, don’t you think?
Written by Matt Schraan
Vice President, Product Development and Client Solutions
Matt has dedicated his professional life to building products that reduce fraud risk, meet compliance requirements, and maximize value from fraud detection techniques. He has presented at numerous industry conferences on counter-fraud topics such as account takeover, application fraud, identity verification, and compliance strategies.