“Why are 25 people from all over the country moving to a vacant lot in Brooklyn?”
Adam Elliott not only asks questions like that, his company, ID Insight, was founded on designing algorithms that can help companies like banks ask such questions, in an automated fashion.
Elliott explains that the sheer volume of data breaches in recent years has stocked the shelves of the “dark web” and other sources of illegally obtained consumer data with a massive supply of raw material.
Read Full Article: Banking Exchange: Beware address hijacking.
New enhancements protect phone and digital communications channels
Anti-fraud technology leader ID Insight today announced the most comprehensive update yet to its fraud prevention platform, responding to the industry’s need for a more robust solution for verifying identity profile changes in an increasingly complex, multi-layered fraud environment.
ID Insight’s new solution will help a wide range of financial institutions reduce fraud losses and improve compliance processes while achieving a more than 10-to-1 return-on-investment ratio through more efficient customer profile-change verification processes. The company, which maintains the largest proprietary database of financial service customers’ address changes, is countering a shift in financial fraud that exploits non-monetary setup events – such as phone and email changes – as a precursor for account takeover.
“ID Insight started more than 13 years ago to fill a specific market need: fraud prevention related to address changes,” said Adam Elliott, founder and president of ID Insight. “As the illicit business of financial fraud continues to evolve, so have our solutions.”
The shifting fraud landscape and a specific customer need for better intelligence about phone number changes inspired ID Insight’s latest platform expansion. An ID Insight customer – and one of the country’s largest financial institutions – reported a sharp rise in account takeover cases where fraudsters first changed a customer’s phone number before requesting a large ACH transfer. When the bank called to approve the transfer, the identity thief answered the call, posed as the legitimate customer, and falsely verified the request. In response to this scheme, ID Insight leveraged its extensive profile-change database to tailor a solution that also included phone, email and IP address verification.
“Our customer’s urgent need reflects how account profile information beyond addresses are all emerging as setup events for account takeover,” Elliott said. “Without a solution for fraud identification for all pieces of customer information, financial institutions may be unwittingly sending account verification details and fraud alerts directly to criminals.”
With the rise of mobile banking, online account opening and mobile wallet technologies, mobile phones and computers are vital communications channels for both customers and financial institutions. Having controls in place to ensure that phone numbers, email and IP addresses in the customer profile actually belong to the legitimate customer is critical to reducing fraud risk.
Despite advancements in point-of-sale transaction security, financial institutions are more vulnerable to fraud than ever before. Data breaches have made consumer identity data available in bulk on the black market, exposing more and more customers to account takeover and leaving banks open to fraud losses. ID Insight’s expanded solution helps defend against these attacks by using data and analytics to separate fraudulent profile changes from legitimate customer activity, while significantly improving fraud detection rates.
The updated solution also allows customers to accept data via a flexible API, run the data through a configurable flow based on risk, business process and cost requirement, and return results that the client can act upon for fraud investigation and compliance. ID insight solutions are also easily accessible through many of the nation’s core banking platforms.
Historically, ID verification solutions have been deployed to verify a consumer’s identity. Whether it is a new loan application, credit card application, new checking account or other, the financial institution has relied on ID verification solutions to confirm that the applicant’s identity credentials are correct. Verifying this information stems from a critical need to combat identity fraud, as well as to meet various compliance needs such as Bank Secrecy Act, Patriot Act and the Fair and Accurate Credit Transactions Act (FACTA).
However, over the past few years, it has become much more difficult to do because of the explosion in data breaches. According to the Identity Theft Resource Center (ITRC), there were 781 reported data breaches that left more than 169 million identities vulnerable in 2015 alone. The ITRC also found an additional 489 breaches through June 21, 2016. When an identity has been breached and the fraudster is using the victim’s identity credentials to attempt to open a new account, traditional ID verification solutions are simply confirming that the fraudster has the correct credentials.
Playing the “match game” is not a fraud prevention strategy
When consumers apply for a new loan, deposit account or other financial account, they typically provide their name, address, social security number (SSN) and date of birth (DOB). As part of the financial institution’s fraud and/or compliance strategy, the FI attempts to verify that the information provided is correct. When you look at the individual data elements, the match rates for Name, SSN and DOB are typically very high, sometimes approaching 100 percent. Why? Because the verification solutions compare these credential to what is maintained at the credit bureaus. When you consider that consumer’s name, SSN and DOB rarely change, it makes sense that these credit worthy consumers will “match” to these identifying identity credentials at the credit bureaus.
Also, as we discussed, if the identity has been breached, we would simply be verifying that the fraudster has the correct credentials of the victim.
However, when it comes to address, it is a very different story. Every year 15-20 percent of consumers will change their address. On top of that, the credit bureaus are notoriously slow at updating a consumer address. As such, the address verification rates are typically much lower. Typically, 75-80 percent of new account applications will “match” on address to the credit bureau or other verification sources. This leaves 20-25 percent of all credit worthy applications that need to be resolved.
Address changes are a top set-up event for fraud
From an identity fraud perspective, address is the key. When the fraudster has a compromised identity, they can and do use the correct name, SSN and DOB of the victim. However, when it comes to address, they don’t list the victim’s address. They list the address that they control. Why? Because, when the account is approved, they want to ensure that all credit cards, debit cards, checks, and statements are delivered to that address – not the victim.
To compound this issue, the Fair and Accurate Credit Transactions Act (FACTA) Red Flags now require financial institutions to resolve these address discrepancies before opening the account. This new regulation was put in place exactly for the reason we just covered. Because this is precisely how fraudsters open up new accounts in the victim’s name.
So we have two issues to tackle: identifying whether an address belongs to a legitimate customer, and verifying whether that address matches the rest of the customer information on file. Address discrepancies are the biggest pain point of any ID verification solution as it drives so many mismatches and it is where the identity thieves are hiding.
The standard approach is to take these mismatches and use manual methods to resolve them with other verification sources, for instance, using the white pages and confirming the name to address or other sources. Typically this can resolve up to 50 percent of address mismatches. The end result is very high manual review costs and, more importantly, this still leaves up to 10-13 percent of applications in an unresolved state. Financial institutions understand that the vast majority are good and valuable applications, but are unable to open the accounts due to compliance reasons. Historically, this issue has been perceived as a “cost of doing business.”
However, this does not have to be the case. We understand that doing a much better job at understanding and verifying the address issue is the key to the next generation of ID verification solutions. No longer is it viable to verify the name, SSN and DOB and fail on address. If financial institutions continue to treat this issue as a “cost of doing business,” they will continue to decline good accounts while leaving the door open to identity theft and fraud.
So how can we do it better?
The first thing we need to focus on is having more data related to address. The most important data needed is new mover information. When a consumer moves, if we can identify that move as soon as it occurs, then our address verification rates will go up significantly. Traditional ID verification hits every available public source of new mover data such as utility directories, National Change of Address (NCOA), etc. However, this still leaves a large gap. Why? Because these directories are not always up to date. Also, only about half of consumers actually report an address change through the NCOA process.
So how do we get better new mover information? This is exactly what we have been doing at ID Insight for over 10 years. In addition to hitting all of the standard public sources that all traditional ID verification solutions access, ID Insight maintains a comprehensive, up-to-date database of new mover information. Each day, over 500 financial institutions report new address changes to us simultaneously as customers request address changes. They do this to screen their customer portfolio for potential account takeover.
Because ID Insight sees address changes before other sources, we are able to increase our address verification rates by 15 percent or more compared to traditional ID verification solutions. This results in booking significantly more new accounts while reducing the costs of manual intervention.
In addition to verifying more addresses through superior data, solving the problem also requires scoring. The traditional “match” indicators are important, but there is so much more to understand – especially with respect to address. When you think about a nine-digit SSN and what it tells us, we can only determine if it matches, and we may be able to determine if is associated with a dead person. Similar situation with a name or a date of birth. And as we discussed – if it is the victim, then we are only confirming that the information matches.
But when it comes to address, there is additional context to consider. Beyond verifying, we can understand if it is a business or a residential address, we can determine the value of the property, whether it is an apartment, whether it is a rented mail box and so on. Just as a simple example, we know that rented mailboxes are a favorite address for fraudsters. The typical fraudster loves anonymity. They are committing fraud and because of that, they tend to list various anonymous, nomadic addresses –places where they can set up shop, commit the fraud and vacate as fast as possible. As we like to say, they are answering the door when the Postal Inspector shows up to make the arrest.
Now that we have the best verification data available and have ascertained everything there is to know about the address, we can go beyond all of the raw information and score every transaction for the likelihood of fraud or identity theft. Much like a credit score, we can rank every transaction we see. Banks and credit unions can then use the score as the anchor of their compliance and fraud strategy. By focusing their investigative resources on the highest risk transactions, financial institutions are able to verify many more good accounts while significantly reducing fraud. Our typical customer is able to resolve and approve 90-95 percent of all address discrepancies. The end result is more profit, less fraud and lower costs.
To summarize, closing the gaps of traditional ID verification caused by address discrepancies can be achieved by:
- Accessing relevant, recent and proprietary address change data–better data coverage means better verification rates.
- Scoring new account applications to resolve address discrepancies in an automated way that allows financial institutions to approve more accounts, reduce fraud and comply with FACTA Red Flag rules.
Knowing where people live is the single most difficult part of any ID verification solution, and ID Insight’s proprietary address change database allows us to resolve this problem.