--by Keir Breitenfeld
 
Many compliance regulations, such as the Red Flags Rule, USA Patriot Act, and ESIGN, require specific identity elements to be verified and specific high risk conditions to be detected. However, there is still much variance in how individual institutions reconcile referrals generated from the detection of high risk conditions and/or the absence of identity element verification. With this in mind, risk-based authentication (defined in this context as the “holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time”) offers institutions a viable strategy for balancing the following competing forces and pressures:

• Compliance – the need to ensure each transaction is approved only when compliance requirements are met;
• Approval rates – the need to meet business goals in the booking of new accounts and the facilitation of existing account transactions;
• Risk mitigation – the need to minimize fraud exposure at the account and transaction level.

A flexibly-designed risk-based authentication strategy incorporates a robust breadth of data assets, detailed results, granular information, targeted analytics and automated decisioning. This allows an institution to strike a harmonious balance (or at least something close to that) between the needs to remain compliant, while approving the vast majority of applications or customer transactions and, oh yeah, minimizing fraud and credit risk exposure and credit risk modeling.

 Sole reliance on binary assessment of the presence or absence of high risk conditions and identity element verifications will, more often than not, create an operational process that is overburdened by manual referral queues. There is also an unnecessary proportion of viable consumers unable to be serviced by your business. Use of analytically sound risk assessments and objective and consistent decisioning strategies will provide opportunities to calibrate your process to meet today’s pressures and adjust to tomorrow’s as well.
 
 
 

 


-- by Keir Breitenfeld

The term “risk-based authentication” means many things to many institutions.  Some use the term to refer to their processes; others, to their various service providers.  I’d like to establish the working definition of risk-based authentication for this discussion, calling it:  “Holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time.”

Now, that “holistic assessment” thing is certainly where the rubber meets the road, right? 

One can arguably approach risk-based authentication from two directions.  First, a risk assessment can be based upon the type of products or services potentially being accessed and/or utilized (example: line of credit) by a customer.  Second, a risk assessment can be based upon the authentication profile of the customer (example: ability to verify identifying information).  I would argue that both approaches have merit, and that a best practice is to merge both into a process that looks at each customer and transaction as unique and therefore worthy of  distinctively defined treatment.

In this posting, and in speaking as a provider of consumer and commercial authentication products and services, I want to first define four key elements of a well-balanced risk based authentication tool: data, detailed and granular results, analytics, and decisioning.

1.  Data: Broad-reaching and accurately reported data assets that span multiple sources providing far reaching and comprehensive opportunities to positively verify consumer identities and identity elements.

2.  Detailed and granular results: Authentication summary and detailed-level outcomes that portray the amount of verification achieved across identity elements (such as name, address, Social Security number, date of birth, and phone) deliver a breadth of information and allow positive reconciliation of high-risk fraud and/or compliance conditions.  Specific results can be used in manual or automated decisioning policies as well as scoring models.

3.  Analytics:  Scoring models designed to consistently reflect overall confidence in consumer authentication as well as fraud-risk associated with identity theft, synthetic identities, and first party fraud.  This allows institutions to establish consistent and objective score-driven policies to authenticate consumers and reconcile high-risk conditions.  Use of scores also reduces false positive ratios associated with single or grouped binary rules.  Additionally, scores provide internal and external examiners with a measurable tool for incorporation into both written and operational fraud and compliance programs.

4.  Decisioning: Flexibly defined data and operationally-driven decisioning strategies that can be applied to the gathering, authentication, and level of acceptance or denial of consumer identity information.  This affords institutions an opportunity to employ consistent policies for detecting high-risk conditions, reconcile those terms that can be changed, and ultimately determine the response to consumer authentication results – whether it be acceptance, denial of business or somewhere in between (e.g., further authentication treatments).
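The difference between binary rules and score-driven decisioning can be made concrete with a small sketch. This is an added example, not code from the author or any vendor product: the element names follow the list above, while the required elements, hard-stop condition, score cut-offs, product names and sample applicants are all constructed assumptions.

```python
from dataclasses import dataclass, field

ELEMENTS = ("name", "address", "ssn", "dob", "phone")
REQUIRED = ("name", "dob")               # assumed compliance-mandated elements
HARD_STOPS = {"ssn_reported_deceased"}   # assumed conditions a score may not override
# Assumed score cut-offs per product; higher-risk products demand more confidence.
POLICY = {
    "deposit_account": {"accept": 600, "step_up": 450},
    "line_of_credit": {"accept": 700, "step_up": 550},
}

@dataclass
class AuthResult:
    verified: dict                       # element name -> True/False
    score: int                           # authentication confidence, higher is better
    high_risk: set = field(default_factory=set)

def binary_decision(r):
    """Baseline: any unverified element or high-risk condition goes to manual review."""
    if r.high_risk or not all(r.verified.get(e, False) for e in ELEMENTS):
        return "refer"
    return "accept"

def risk_based_decision(r, product):
    """Score-driven treatment, with compliance gates applied before the score."""
    cut = POLICY[product]
    if r.high_risk & HARD_STOPS:
        return "refer"                   # must be reconciled by a person
    if not all(r.verified.get(e, False) for e in REQUIRED):
        return "step_up"                 # further authentication treatment
    if r.score >= cut["accept"]:
        return "accept"
    if r.score >= cut["step_up"]:
        return "step_up"
    return "deny"

def all_verified(**overrides):
    return {**dict.fromkeys(ELEMENTS, True), **overrides}

# Constructed sample applicants
APPLICANTS = {
    "A": AuthResult(all_verified(), 780),
    "B": AuthResult(all_verified(phone=False), 720),
    "C": AuthResult(all_verified(address=False), 610, {"address_mismatch"}),
    "D": AuthResult(all_verified(), 400, {"ssn_reported_deceased"}),
    "E": AuthResult(all_verified(ssn=False), 300),
}

def referral_counts(product):
    """Return (binary referrals, risk-based referrals) for the sample set."""
    b = sum(binary_decision(r) == "refer" for r in APPLICANTS.values())
    rb = sum(risk_based_decision(r, product) == "refer" for r in APPLICANTS.values())
    return b, rb
```

On the constructed sample, the binary rule sends four of five applicants to manual review, while the score-driven policy refers only the hard-stop case and gives applicant C a different treatment depending on the product being opened.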

In my next posting, I’ll talk more specifically about the value propositions of risk-based authentication, and identify some best practices to keep in mind.

 

 


 


2007 and 2008 saw a rapid change of consumer behaviors and it is no surprise to most collections professionals that the existing collections scoring models and strategies are not working as well as they used to. These tools and collections workflow practices were mostly built from historical behavioral and credit data and assume that consumers will continue to behave as they had in the past. We all know that this is not the case, with an example being prioritization of debt and repayment patterns.

It's been assumed and validated for decades that consumers will let their credit card lines go before an auto loan and that the mortgage obligations would be the last trade to remain standing before bankruptcy. Today, that is certainly not the case and there are other significant behavior shifts that are contributing to today's weak business models.

 

There are at least three compelling reasons to believe now is the right time for updates:

  • It appears that most of the consumer behavioral shift is over for collections. While economic recovery will take many years, more radical changes in the economy are unlikely. Most experts are calling for a housing bottom sometime in 2009 and there are already signs of hope on Wall Street.
     
  • What is built now shouldn't be obsolete next year. A slow economic recovery probably means that the life of new models will be fairly long and most consumers won't be able to improve their credit and collections scores anytime soon. Even after financial recovery (which at this point is not likely over the short term for many that are already in trouble), it can take two to seven years of responsible payment history before a risk assessment is improved.
     
  • We now have the data with which to make the updates. It takes six to 12 months of stability to accumulate sufficient data for proper analysis and so far 2009 hasn't seen much behavioral volatility. Whether you build or buy, the process takes a while, so if you still need a few more months of history it will be in hand when needed if the projects are kicked off soon.

When you begin thinking about financial risk management, you must begin with a vision for your loan portfolio and the similarity of a loan portfolio to that of an investment portfolio.  Now that you have that vision in place, we can focus on the overall strategy to achieve that vision. 

A valuable first step in loan portfolio monitoring is to establish a targeted value by a certain time (say, our targeted retirement age).  Similarly, it’s important that we establish our vision for the loan portfolio regarding overall diversification, return and the management of risk levels.

The next step is to create a strategy to achieve the targeted state.  By focusing on the gaps between our current state and the vision state we have created, we can develop an action plan for achieving the future/vision state.  I am going to introduce some rather unique ideas here. 

Consider which of your portfolio segments are overweight?  One that comes to mind would be the commercial real estate portfolio.  The binge that has taken place over the past five plus years has resulted in an unhealthy concentration of loans in the commercial real estate segment.  In this one area alone, we will face the greatest challenge of right-sizing our portfolio mix and achieving the appropriate risk model per our vision. 

We have to assess our overall credit risk in the portfolios next.  For small business and consumer portfolios, this is relatively easy using the various credit scores that are available to assess the current risk.  For the larger commercial and industrial portfolios and the commercial real estate portfolios, we must employ some more manual processes to assess risk.  Unfortunately, we have to perform appropriate risk assessments (current up-to-date risk assessments) in order to move on to the next stage of this overall process (which is to execute on the strategy).

Once we have the dollar amounts of either growth or divestiture in various portfolio segments, we can employ the risk assessment to determine the appropriate execution of either growth or divestiture.

At which stage of the application process does the Red Flags Rule apply?

The Red Flags Rule would apply whenever you detect a Red Flag in connection with an application. This could occur as soon as you receive an application, for example:

  • if the application appears to have been altered or forged; or
  • the consumer’s identification appears to be forged or is inconsistent with the information on the application.

Is the social security number (SSN) check a requirement?

No, but an invalid SSN may be a Red Flag – i.e., an indicator of possible identity theft – and obtaining and verifying an SSN may be a reasonable means of application risk management to detect this Red Flag when opening accounts. You may be able to utilize your existing procedures under your Customer Identification Program under the USA PATRIOT Act.
 


“Unprecedented times,” “financial crisis,” “credit crisis” and many other terms continue to be buzzwords that we hear every day.  We are almost becoming desensitized to the terms, yet we feel the impact on a daily basis.  Everyone is waiting for some positive news in the financial services industry and more bad news keeps coming.

Each quarter we continue to read about financial institutions claiming that the worst is over. They have recognized the risk in their portfolios through risk assessment, set aside adequate reserves or loan loss allowances and are now ready to turn the corner.  Yet we continue to read about these same institutions coming back with more bad news, more credit losses and a restatement of the assurance that the problems have been recognized. As a result, this financial risk management has brought to light all of the high-risk accounts and the trend will begin to change.

Why does this story keep repeating itself? 

Reason one 
Management assesses to what extent the market (both stock market and the client base) will tolerate the level or degree of bad news, recognizes losses to that extent and then works hard to try to correct any known issues before we actually have to report the next quarter.  Unfortunately, this approach simply delays the inevitable and brings into question the risk management practices of the particular institution.  Like the boy who cried wolf, the more times you make a statement and it proves to be false, the less likely you will be believed the next time.

Reason two
The financial institutions are actually surprised each quarter with a new batch of credit losses.  The institution, its credit management team and workout areas are diligently trying to address the current problem. But, just when they start to see the light at the end of the tunnel, a new batch of credit problems arises.  For the most part, the credit issues still persist in the high-volume, low-dollar credits such as residential mortgages, home equity loans, automobiles, credit cards and small business loans.  Due to the sheer volume of clients/loans, it becomes more difficult to assess what issues may be brewing in the portfolio.  For the large volume, small dollar portfolios, the notion of a pending credit issue comes when the delinquency starts to rise to a delinquency of 60 or 90 days. The real issue is identifying those accounts that are likely to go 60 or 90 days past due and then assessing the likelihood that they will go into charge-off.

Regardless of the reason, we have a “credibility” problem in addition to a “credit” problem.
 


In my last blog, I talked about the overall need for a vision for your loan portfolio and the similarity of a loan portfolio to that of an investment portfolio.  Now that we have that vision in place, we can focus on the overall strategy to achieve that vision. 

A valuable first step in managing an investment portfolio is to establish a targeted value by a certain time (say, our targeted retirement age).  Similarly, it’s important that we establish our vision for the loan portfolio regarding overall diversification, return and risk levels.


Stick with me on this topic because in my next blog we will discuss appropriate risk assessment methodologies and determine appropriate portfolio distributions/segmentations.

 
