Resource Center

Adam Elliott, President and Co-founder of ID Insight, explains how account takeover has evolved in the digital age and what credit unions can do to protect themselves. Read the full Credit Union Times article.

Much has evolved since the enactment of the Bank Secrecy Act, and the majority of financial institutions have a relatively simple process when it comes to ID verification. While this process is straightforward and meets compliance requirements, it is by no means optimal.

Let’s take a look at the two huge problems with today’s ID verification solutions: 1) believing matching is a silver bullet, and 2) not effectively resolving verification failures due to the mailing address.

Matching is NOT a Silver Bullet

Matching identity credentials to external databases reduces fraud and identity theft risk, but by no means eliminates it by itself. With massive data breaches, consumer identity data is available in bulk on the black market, exposing more and more customers to new account fraud. According to the Identity Theft Resource Center, there were 781 reported data breaches that left more than 169 million identities vulnerable in 2015 alone.

With more compromised identities in the marketplace, the criminals are able to purchase the actual “match key” to evade ID verification systems that rely on matching only. As you can imagine, it’s pretty easy for the identity thief to fill out a new account application that matches together the name, address, and Social Security Number (SSN).

The implications for a match-only ID verification process are most troubling when a physical card is not required to access the funds (e.g., online ACH products). When the criminal does need the card, then the mailing address comes into the picture.

Address Verification Failures

Traditional ID verification systems typically do a great job of taking the name, SSN and date-of-birth (DOB) that is provided on the application and matching them to verification sources such as credit bureau headers, phone directories, utilities databases and other public sources. Most ID verification vendors utilize similar data sources and therefore deliver similar match rates. Because SSN and DOB don’t change and names change infrequently, verifying names to SSNs is really not that difficult—the static nature of the data leads to match rates that often exceed 90 percent if matching is good.

Mailing addresses are a different animal. Because of the 15-20 percent of Americans who move each year, verifying a name to an address is much trickier. When legitimate consumers move, banks who are bureau focused are much less likely to find them in any external database with the new address. This can result in 10 to 40 percent of all credit-approved applications failing on the mailing address component of ID verification—credit issuers and regulators refer to this problem as “address discrepancies.”

These address discrepancies are a major problem for financial institutions. Before the Fair and Accurate Credit Transactions Act (FACTA) was put in place in 2008, many credit issuers played the odds and approved accounts even if the application address did not match the address on the credit bureau report. FACTA no longer allows this “fraud toleration approach” in order to protect consumers from identity theft–so even if an issuer felt like they could tolerate the losses based on a low fraud rate, it’s no longer an option.

To comply with FACTA, most issuers simply deploy a standard ID verification system to form a reasonable proof of identity. While this process solves for compliance, it is not even close to being optimal from a business perspective. When consumers legitimately move and an address discrepancy occurs, standard ID verification tools only resolve about half of the cases.

What happens to those applications where the standard tools can’t resolve the discrepancy? Some issuers do little or nothing with the unverified discrepancies. That is, if they can’t verify the consumer, they simply decline the applicant, resulting in the loss of many new customers. More commonly, issuers have implemented processes such as running address discrepancy applications through “out-of-wallet” solutions, conducting manual reviews and even reaching out to the customers directly. These approaches are very costly and result in too many legitimate customers either abandoning the process or being tagged as “unverified” and not booked.

Besides compliance rules, let’s not lose sight of the fact that address discrepancies are indicative of fraud—that’s why the regulations were written in the first place. The criminals still need an alternate address to complete the new account fraud scheme, so they can receive the credit card or debit card instead of the victim. Preventing these fraud losses using traditional ID verification processes is difficult to manage profitably: high intervention costs combined with low fraud incident rates can easily put issuers upside-down.

In our final post of this three-part series, we’ll tell you how to overcome the problems and close the gaps associated with current ID verification solutions.