A coalition of 31 U.S. attorneys general has requested that the FTC modify its Identity Theft Rules (aka Red Flags Rule) to ensure their continued relevance.
In a letter to Donald S. Clark, Secretary of the Commission, the AGs wrote that one important modification to 16 C.F.R. §681.2 would “account for changes in email addresses, cell phone numbers or other means of communication” with the goal of detecting, preventing, and deterring identity-related fraud.
Data breaches are fueling fraud. Through no fault of individual consumers, the AGs warn, profile and personal identifying information are stolen and available for purchase on the dark web.
Account takeover tripled during 2017, according to Javelin Research, hitting a four-year high. Part of the cause is that institutions don’t have a consistent, thorough process for vetting phone number and email changes or additions to confirm they are legitimate rather than a setup for account takeover.
Financial institutions and creditors are in a unique position to curb fraud and protect consumers. Whether or not the FTC amends the Identity Theft Rules, it is prudent to establish automated controls to evaluate profile-change requests that affect customer communications channels: mailing addresses, phone numbers, and email addresses. Keeping these channels secure will help prevent fraud losses, preserve customer relationships, and protect your institution’s reputation.
Find risky behavior right away
Without an automated system that screens every request as it comes in, you may not be able to tell risky from safe – until it’s too late. The behaviors of fraudsters and the legitimate activities of your customers can look the same. Consider the following:
- A customer adds an email address to an existing account and immediately tokenizes their card in a mobile wallet app.
- A customer adds an authorized user and wants the user’s debit card shipped to a new address.
- A customer adds a new cell phone number and wants all future communication to come via SMS.
An automated system allows you to make decisions based on data, not guesswork.
Interface with the CIF
Operationally speaking, deploying an automated screening system is easier than you might think. The system of record for identity and profile information is most commonly the Customer Information File (CIF) on the institution’s account-processing platform. As such, the ideal solution for identity maintenance interfaces directly with the CIF, monitoring for potentially high-risk changes to your customers’ identity or contact information.
What you should expect
Ultimately, your screening process should be score-based, using sophisticated matching algorithms and profile-proving methodology to determine whether a change to the customer’s address, phone number, or email is valid, accurate and safe – or whether it looks like a setup for account takeover.
Additionally, it should be able to:
- Screen across channels – so you can detect cross-channel attacks
- Screen across products – so you can detect fraud regardless of silos
- Reduce customer friction – by proving legitimate behaviors
- Reduce investigation burden – by identifying the riskiest profile changes for follow up
As banking continues to shift from branches to digital channels, the use of phones and emails will increase. Screening phone number and email changes is the right thing to do from a business standpoint – and soon the FTC’s Identity Theft Rules may require it.
About the Author
Jack Sundstrom is ID Insight’s Chief Product and Marketing Officer. For the past 25 years he has built advanced analytic solutions on behalf of Fortune 500 clients across a variety of industries including financial services, retail, telecommunications, consumer packaged goods and automotive. Contact him at firstname.lastname@example.org.