ID Verification: The Current and Flawed State

Much has evolved since the enactment of the Bank Secrecy Act, and the majority of financial institutions have a relatively simple process when it comes to ID verification. While this process is straightforward and meets compliance requirements, it is by no means optimal.

Let’s take a look at the two huge problems with today’s ID verification solutions: 1) believing matching is a silver bullet, and 2) not effectively resolving verification failures due to the mailing address.

Matching is NOT a Silver Bullet

Matching identity credentials to external databases reduces fraud and identity theft risk, but by no means eliminates it on its own. With massive data breaches, consumer identity data is available in bulk on the black market, exposing more and more customers to new account fraud. According to the Identity Theft Resource Center, there were 781 reported data breaches that left more than 169 million identities vulnerable in 2015 alone.

With more compromised identities in the marketplace, the criminals are able to purchase the actual “match key” to evade ID verification systems that rely on matching only. As you can imagine, it’s pretty easy for the identity thief to fill out a new account application that matches together the name, address, and Social Security Number (SSN).

The implications for a match-only ID verification process are most troubling when a physical card is not required to access the funds (e.g., online ACH products). When the criminal does need the card, then the mailing address comes into the picture.

Address Verification Failures

Traditional ID verification systems typically do a great job of taking the name, SSN and date-of-birth (DOB) that is provided on the application and matching them to verification sources such as credit bureau headers, phone directories, utilities databases and other public sources. Most ID verification vendors utilize similar data sources and therefore deliver similar match rates. Because SSN and DOB don’t change and names change infrequently, verifying names to SSNs is really not that difficult—the static nature of the data leads to match rates that often exceed 90 percent if matching is good.

Mailing addresses are a different animal. Because 15-20 percent of Americans move each year, verifying a name to an address is much trickier. When legitimate consumers move, banks that are bureau-focused are much less likely to find them in any external database with the new address. This can result in 10 to 40 percent of all credit-approved applications failing on the mailing address component of ID verification—credit issuers and regulators refer to this problem as “address discrepancies.”

These address discrepancies are a major problem for financial institutions. Before the Fair and Accurate Credit Transactions Act (FACTA) was put in place in 2008, many credit issuers played the odds and approved accounts even if the application address did not match the address on the credit bureau report. FACTA no longer allows this “fraud toleration approach” in order to protect consumers from identity theft, so even if an issuer felt like they could tolerate the losses based on a low fraud rate, it’s no longer an option.

To comply with FACTA, most issuers simply deploy a standard ID verification system to form a reasonable proof of identity. While this process solves for compliance, it is not even close to being optimal from a business perspective. When consumers legitimately move and an address discrepancy occurs, standard ID verification tools only resolve about half of the cases.

What happens to those applications where the standard tools can’t resolve the discrepancy? Some issuers do little or nothing with the unverified discrepancies. That is, if they can’t verify the consumer, they simply decline the applicant, resulting in the loss of many new customers. More commonly, issuers have implemented processes such as running address discrepancy applications through “out-of-wallet” solutions, conducting manual reviews and even reaching out to the customers directly. These approaches are very costly and result in too many legitimate customers either abandoning the process or being tagged as “unverified” and not booked.

Besides compliance rules, let’s not lose sight of the fact that address discrepancies are indicative of fraud—that’s why the regulations were written in the first place. The criminals still need an alternate address to complete the new account fraud scheme, so they can receive the credit card or debit card instead of the victim. Preventing these fraud losses using traditional ID verification processes is difficult to manage profitably: high intervention costs combined with low fraud incident rates can easily put issuers upside-down.

In our final post of this three-part series, we’ll tell you how to overcome the problems and close the gaps associated with current ID verification solutions.

ID Verification: The History of “Knowing Your Customer”

Not long ago, verifying the true identity of customers meant that financial institutions ran an off-the-shelf ID verification (IDV) solution and simply confirmed that all the identity credentials presented had been seen before. If the information checked out, then it was business as usual.

For more than three decades, legislation of the financial services sector designed to combat criminal money laundering, terrorism and, more recently, to address identity theft, has required financial providers to implement procedures to track customer information. While the financial services industry has grown much more sophisticated in developing systems and solutions to minimize fraud and criminal activity, fraudsters have also been able to morph and adapt their tactics to defeat these systems.

Fortunately, new tactics and procedures are now being developed to address the changing fraud landscape. But in order to understand where ID verification is going, it is important to begin with its history.

The Simple Beginnings

In 1970, the Foreign Transactions Reporting Act, known as the Bank Secrecy Act (BSA), provided the first regulation of bank practices aimed at curbing money-laundering activities. The BSA established record-keeping and reporting requirements for individuals, banks and other financial institutions and required that banks have a Customer Identification Program (CIP) that is appropriate for their size and type of business. As part of the CIP, banks were required to use documentary or non-documentary methods of identification to form a reasonable belief that they knew the true identity of each customer. For most banking institutions, this meant that when a prospective customer came into the branch to open a new account, the account opening representative simply got a copy of a driver’s license and dropped it into a file. It wasn’t a sophisticated solution, but it was effective enough at the time.

The Internet and being “Not Present”

The next evolution in the ID verification market came in the mid to late 1990s with the advent of the Internet and the subsequent dot-com explosion. The banking industry realized that there would now be millions of “Not Present” transactions, as the customer would no longer be present at the bank branch; they would now be sitting at the other end of a computer connection. As an industry, banks realized they would still need to “know the customer” even though the customer was not physically present.

This need gave rise to new forms of electronic IDV. Instead of comparing identity credentials to a physical document (such as the driver’s license), IDV solutions emerged to compare identity credentials with a separate known repository of those same identity credentials. Typically, this meant electronically verifying that the identity credentials matched these same credentials at a credit bureau. If the name, social security number and date of birth all matched, presumably that was the correct individual and financial services companies would be in compliance with BSA and the CIP requirements.

Then, just as the Internet had done in the 1990s, the September 11 attacks changed everything again in the 2000s.

9/11 Ups the Ante

Up to this point, IDV systems and solutions focused on combatting fraud and organized crime. With 9/11, however, the world of IDV changed once again. Suddenly it became about protecting ourselves from terrorism. In the days after the attack, Congress enacted the USA PATRIOT Act, placing even more scrutiny on the individuals and organizations banks were doing business with. This was based on the realization that many of the 19 hijackers had successfully opened and maintained banking accounts at some of the largest banking institutions in the country. The fact that the terrorists had opened those accounts using false and fictitious information was difficult for banks to swallow. IDV solutions were no longer about saving a few bucks, but protecting the home front.

Identity Theft Epidemic

Then, starting in 2003, identity theft became front-page news, rising at a rate of 30 to 40 percent annually with one in 20 consumers being impacted. While this was alarming to the average consumer and certainly newsworthy, it really didn’t register for financial institutions as a major problem, as identity theft still represented a relatively small financial liability.

In talking to victims of identity theft, a common theme began to emerge. Repeatedly, victims described how identity thieves had used their identifying information to open up new accounts in their names. They would apply for credit instruments using the victim’s correct name, social security number and date of birth. However, the thieves would then alter the physical address on the application. Why? Because when it was approved, the corresponding credit cards, debit cards, and statements would be delivered to the thief and not the real person.

This rise in identity theft led to the Fair and Accurate Credit Transactions Act (FACT Act) of 2003, which added several new sections and amended the Fair Credit Reporting Act of 1970. With regard to the address loophole that the criminals exposed, Section 315 of the FACT Act now required that financial institutions resolve these address discrepancies.

In our next post in this three-part series, we’ll examine the current state of ID verification and assess the challenges and gaps most frequently encountered with existing ID verification solutions.