Much has evolved since the enactment of the Bank Secrecy Act, and the majority of financial institutions have a relatively simple process when it comes to ID verification. While this process is straightforward and meets compliance requirements, it is by no means optimal.
Let’s take a look at the two huge problems with today’s ID verification solutions: 1) believing matching is a silver bullet, and 2) not effectively resolving verification failures due to the mailing address.
Matching is NOT a Silver Bullet
Matching identity credentials to external databases reduces fraud and identity theft risk, but by no means eliminates it by itself. With massive data breaches, consumer identity data is available in bulk on the black market, exposing more and more customers to new account fraud. According to the Identity Theft Resource Center, there were 781 reported data breaches that left more than 169 million identities vulnerable in 2015 alone.
With more compromised identities in the marketplace, the criminals are able to purchase the actual “match key” to evade ID verification systems that rely on matching only. As you can imagine, it’s pretty easy for the identity thief to fill out a new account application that matches together the name, address, and Social Security Number (SSN).
The implications for a match-only ID verification process are most troubling when a physical card is not required to access the funds (e.g., online ACH products). When the criminal does need the card, then the mailing address comes into the picture.
Address Verification Failures
Traditional ID verification systems typically do a great job of taking the name, SSN and date of birth (DOB) provided on the application and matching them to verification sources such as credit bureau headers, phone directories, utilities databases and other public sources. Most ID verification vendors utilize similar data sources and therefore deliver similar match rates. Because SSN and DOB don’t change and names change infrequently, verifying names to SSNs is really not that difficult—the static nature of the data leads to match rates that often exceed 90 percent if matching is good.
Mailing addresses are a different animal. Because 15-20 percent of Americans move each year, verifying a name to an address is much trickier. When legitimate consumers move, banks that are bureau-focused are much less likely to find them in any external database with the new address. This can result in 10 to 40 percent of all credit-approved applications failing on the mailing address component of ID verification—credit issuers and regulators refer to this problem as “address discrepancies.”
These address discrepancies are a major problem for financial institutions. Before the Fair and Accurate Credit Transactions Act (FACTA) was put in place in 2008, many credit issuers played the odds and approved accounts even if the application address did not match the address on the credit bureau report. FACTA no longer allows this “fraud toleration approach” in order to protect consumers from identity theft–so even if an issuer felt like they could tolerate the losses based on a low fraud rate, it’s no longer an option.
To comply with FACTA, most issuers simply deploy a standard ID verification system to form a reasonable proof of identity. While this process solves for compliance, it is not even close to being optimal from a business perspective. When consumers legitimately move and an address discrepancy occurs, standard ID verification tools only resolve about half of the cases.
What happens to those applications where the standard tools can’t resolve the discrepancy? Some issuers do little or nothing with the unverified discrepancies. That is, if they can’t verify the consumer, they simply decline the applicant, resulting in the loss of many new customers. More commonly, issuers have implemented processes such as running address discrepancy applications through “out-of-wallet” solutions, conducting manual reviews and even reaching out to the customers directly. These approaches are very costly and result in too many legitimate customers either abandoning the process or being tagged as “unverified” and not booked.
Besides compliance rules, let’s not lose sight of the fact that address discrepancies are indicative of fraud—that’s why the regulations were written in the first place. The criminals still need an alternate address to complete the new account fraud scheme, so they can receive the credit card or debit card instead of the victim. Preventing these fraud losses using traditional ID verification processes is difficult to manage profitably: high intervention costs combined with low fraud incident rates can easily put issuers upside-down.
In our final post of this three-part series, we’ll tell you how to overcome the problems and close the gaps associated with current ID verification solutions.
Not long ago, verifying the true identity of customers meant that financial institutions ran an off-the-shelf ID verification (IDV) solution and simply confirmed that all the identity credentials presented had been seen before. If the information checked out, then it was business as usual.
For more than three decades, legislation of the financial services sector designed to combat criminal money laundering, terrorism and, more recently, to address identity theft, has required financial providers to implement procedures to track customer information. While the financial services industry has grown much more sophisticated in developing systems and solutions to minimize fraud and criminal activity, fraudsters have also been able to morph and adapt their tactics to defeat these systems.
Fortunately, new tactics and procedures are now being developed to address the changing fraud landscape. But in order to understand where ID verification is going, it is important to begin with its history.
The Simple Beginnings
In 1970, the Foreign Transactions Reporting Act, known as the Bank Secrecy Act (BSA), provided the first regulation of bank practices aimed at curbing money-laundering activities. The BSA established record-keeping and reporting requirements for individuals, banks and other financial institutions and required that banks have a Customer Identification Program (CIP) that is appropriate for their size and type of business. As part of the CIP, banks were required to use documentary or non-documentary methods of identification to form a reasonable belief that they knew the true identity of each customer. For most banking institutions, this meant that when a prospective customer came into the branch to open a new account, the account opening representative simply got a copy of a driver’s license and dropped it into a file. It wasn’t a sophisticated solution, but it was effective enough at the time.
The Internet and being “Not Present”
The next evolution in the ID verification market came in the mid to late 1990s with the advent of the Internet and the subsequent dot-com explosion. The banking industry realized that there would now be millions of “Not Present” transactions, as the customer would no longer be present at the bank branch; they would now be sitting at the other end of a computer connection. As an industry, banks realized they would still need to “know the customer” even though the customer was not physically present.
This need gave way to new forms of electronic IDV. Instead of comparing identity credentials to a physical document (such as the driver’s license), IDV solutions emerged to compare identity credentials with a separate known repository of those same identity credentials. Typically, this meant electronically verifying that the identity credentials matched these same credentials at a credit bureau. If the name, social security number and date of birth all matched, presumably that was the correct individual and financial services companies would be in compliance with BSA and the CIP requirements.
Then, just as the Internet had done in the 1990s, the September 11 attacks changed everything again in the 2000s.
9/11 Ups the Ante
Up to this point, IDV systems and solutions focused on combatting fraud and organized crime. With 9/11, however, the world of IDV changed once again. Suddenly it became about protecting ourselves from terrorism. In the days after the attack, Congress enacted the USA PATRIOT Act, placing even more scrutiny on the individuals and organizations banks were doing business with. This was based on the realization that many of the 19 hijackers had successfully opened and maintained banking accounts at some of the largest banking institutions in the country. The fact that the terrorists had opened those accounts using false and fictitious information was difficult for banks to swallow. IDV solutions were no longer about saving a few bucks, but protecting the home front.
Identity Theft Epidemic
Then, starting in 2003, identity theft became front-page news, rising at a rate of 30 to 40 percent annually with one in 20 consumers being impacted. While this was alarming to the average consumer and certainly newsworthy, it really didn’t register for financial institutions as a major problem, as identity theft still represented a relatively small financial liability.
In talking to victims of identity theft, a common theme began to emerge. Repeatedly, victims described how identity thieves had used their identifying information to open up new accounts in their names. They would apply for credit instruments using the victim’s correct name, social security number and date of birth. However, the thieves would then alter the physical address on the application. Why? Because when it was approved, the corresponding credit cards, debit cards, and statements would be delivered to the thief and not the real person.
This increase in identity theft led to the Fair and Accurate Credit Transactions Act (FACT Act) of 2003, which added several new sections and amended the Fair Credit Reporting Act of 1970. With regard to the address loophole that the criminals exposed, Section 315 of the FACT Act now required that financial institutions resolve these address discrepancies.
In our next post in this three-part series, we’ll examine the current state of ID verification and assess the challenges and gaps most frequently encountered with existing ID verification solutions.
Opening up a new checking or savings account at a bank or credit union has been and remains a common and fairly simple process. Typically, the consumer fills out an application and provides identification such as a driver’s license. Then the bank does a bit of research to make sure the consumer isn’t a fraudster and hasn’t abused checking or savings accounts elsewhere.
This process is not treated with the same scrutiny as opening a new credit card account or a loan, nor should it be. The risk and potential loss are much lower on average. When assessing the process, it can be broken into three components: risk, fraud and compliance. Financial institutions need to understand the risk associated with the account, manage the potential fraud and also make sure they are compliant with all necessary regulations.
On the risk side, the information solutions are very mature. Virtually all banks and credit unions use ChexSystems, Early Warning (EWS) or credit bureau solutions to understand the risk associated with a customer. In addition to managing risk, financial service companies have deployed solutions to meet their fraud detection and compliance needs. When talking to bankers about the new accounts desk these days, it can be a pretty sleepy subject. The typical banker does not want to think about the new accounts desk, make changes to the new account desk platform or think about bringing a new vendor into the picture.
However, this is beginning to change dramatically. There are a variety of market forces driving this change and the industry is going to see some massive shifts in new account decisioning. While it can be a sleepy subject, checking and savings accounts are still the anchor accounts used to build deeper and more lucrative customer relationships.
CFPB Having Impact on Risk
The Consumer Financial Protection Bureau (CFPB) has been very active recently, strongly suggesting that banks provide banking options for everyone. In addition, they are warning banks to be wary of using what they call “negative lists” such as ChexSystems and EWS to open accounts, claiming the data is not always correct. The CFPB is making these recommendations and the banks are following suit. Some banks have gone so far as to shut off all access to negative databases. Additionally, banks have already started to create new low-risk products that will allow anyone to open an account.
This is changing the paradigm of the risk component. Whereas the negative databases and bureau information have historically been used to accept or decline accounts, they are increasingly going to be used to assign the right product. The value of the data itself has shifted, from a negative impediment to new account decisioning to a positive source of marketing intelligence. Financial institutions that are able to manage the early lifecycle of the account stand to win.
Despite the CFPB’s initiatives to increase access to financial services for all, financial institutions are not obligated to do business with fraudsters. Fraud continues to be a top-of-mind issue and will receive even more focus, especially as the ability to use risk data (non-fraud) for straight-up declines goes away. There is an emerging need for much more sophisticated fraud solutions given the abundance of consumer identity data on the black market and the increased sophistication and complexity of these fraud schemes.
Like fraud, compliance is not going away and will continue to be a primary focus. Meeting and exceeding all compliance needs is mandatory. Appropriately screening against terrorist and other watch lists, running Identity Verification, and complying with FACTA Red Flag rules are paramount.
Online Account Opening
More and more banks are allowing and encouraging consumers to open up new accounts over the internet. To do so requires more security and fraud solutions than in the branch. As such, banks are typically investing more in the digital channel than in their legacy branch systems, including the new account opening process. It stands to reason that at some point, these new, security-rich online new account platforms and legacy branch platforms will eventually merge, with the online platforms being the winner. This is already happening. For some mega banks, when a customer walks into the branch, instead of collecting the application and the identification, the banker directs them to an iPad where they capture an image of the driver’s license, populate the application electronically and then submit it through the bank’s online account opening system.
The Vendor Landscape
A continued focus on security, regulations and data breaches is going to place an increased burden on banks with respect to vendors of these solutions. Five years ago, getting a new vendor through the process was relatively easy. These days, that is not the case. Getting a new vendor set up and approved can be a very lengthy and difficult process. This will put additional pressure on the vendor landscape. Expect to see more mergers and acquisitions to leverage existing vendor relationships. This will drive even more business to a bank’s core processor. Accordingly, companies like Fiserv and FIS can expect to continue to grow their businesses by solving their customers’ ongoing problems.
The new account desk of the future may look substantially different when compared to its current incarnation. Online and branch platforms will continue to consolidate, with the more secure online platforms being the winner. Nearly every new account will be opened but with a special emphasis on “putting consumers into the right product” from day one. Fraud and compliance solution needs will continue to expand and evolve, and regional and community banks will continue to look to their core processors for these solutions.
Despite everything that’s changing at the new accounts desk (or the virtual desk), the principles and objectives stay the same – make smart, information-driven decisions to manage risk and cover compliance while pursuing financial success and customer satisfaction. Easier said than done!