Fraud Alerts

--by Kennis Wong

It's true that intent is difficult to prove. It's also true that financial situations change. That's why financial institutions have not, yet, successfully fought off first-party fraud. However, there are some tell-tale signs of intent when you look at the consumer's behavior as a whole, particularly across all his/her financial relationships.

For example, in a classic bust out case, you would see that the consumer, with pristine credit history, applies for more and more credit cards while maintaining a relatively low balance and utilization across all issuers. If you graph the number of credit cards and number of credit applications over time, you would see two hockey-stick lines. When the accounts go bad, they do so at almost the same time. This pattern is not always apparent at the time of origination, that's why it's important to monitor frequently for account review and fraud database alerts.

On the other hand, consumers with financial difficulties have different patterns. They might have more credit lines over time, but you would see that some credit lines may go delinquent while others don't. You might also see that consumers cure some lines after delinquencies…you can see their struggle of trying to pay.

Of course the intent "pattern" is not always clear. When dealing with fraudsters in fraud account management, even with the help of the fraud database, fraud trends and fraud alert, change their behaviors and use new techniques.

--by Matt Ehrlich

On Friday, October 30th, the FTC again delayed enforcement of the “Red Flags” Rule – this time until June 1, 2010 – for financial institutions and creditors subject to the FTC’s enforcement.   Here’s the official release: http://www.ftc.gov/opa/2009/10/redflags.shtm. 

But this doesn’t mean, until then, businesses get a free pass.  The extension doesn’t apply to other federal agencies that have enforcement responsibilities for institutions under their jurisdiction.  And the extension also doesn’t alleviate an institution’s need to detect and respond to address discrepancies on credit reports.

Red Flag compliance

Implementing best practices to address the identity theft under the Red Flags Rule is not just the law, it’s good business.  The damage to reputations and consumer confidence from a problem gone unchecked or worse yet – unidentified – can be catastrophic.  I encourage all businesses – if they haven’t already done so – to use this extension as an opportunity to proactively secure a Red Flags Rule to ensure Red Flag compliance.  It’s an investment in protecting their most important asset – the customer.

--by Kari Michel

Most lenders use a credit scoring model in their decision process for opening new accounts; however, between 35 and 50 million adults in the US may be considered unscoreable with traditional credit scoring models. That is equivalent to 18-to-25 percent of the adult population. 

Due to recent market conditions and shrinking qualified candidates lenders have placed a renewed interest in assessing the risk of this under served population.  Unscoreable consumers could be a pocket of missed opportunity for many lenders. To assess these consumers, lenders must have the ability to better distinguish between consumers with a clear track record of unfavorable credit behaviors versus those that are just beginning to develop their credit history and credit risk models.

Unscoreable consumers can be split out into three populations:

• Infrequent credit users:  Consumers who have not been active on their accounts for the past six months, and who prefer to use non-traditional credit tools for their financial needs.

• New entrants:  Consumers who do not have at least one account with more than six months of activity; including young adults just entering the workforce,  recently divorced or widowed individuals with little or no credit history in their name, newly arrived immigrants, or people who avoid the traditional system by choice.

• Thin file consumers:  Consumers who have less than three accounts and rarely utilize traditional credit and likely prefer using alternative credit tools and credit score trends.

A study done by VantageScore® Solutions, LLC shows that a large percentage of the
unscoreable population can be scored with VantageScore* and a portion of these are credit-worthy (defined as the population of consumers who have a cumulative likelihood to become 90 days or more delinquent is less than 5 percent).  The following is a high-level summary of the findings for consumers who had at least one trade:

Lenders can review their credit decisioning process to determine if they have the tools in place to assess the risk of those unscoreable consumers.  As with this population there is an opportunity for portfolio expansion as demonstrated by the VantageScore study.

*VantageScore is a generic credit scoring model introduced to meet the market demands for a highly predictive consumer score. Developed as a joint venture among the three major credit reporting companies (CRCs) – Equifax, Experian and TransUnion.

-- by Wendy Greenawalt  

In the second installment of my three part series, dispelling credit attribute myths, we will discuss why attributes with similar descriptions are not always the same. The U.S. credit reporting bureaus are the most comprehensive in the world. Creating meaningful attributes requires extensive knowledge of the three credit bureaus’ data. Ensuring credit attributes are up-to-date and created by informed data experts.  Leveraging complete bureau data is also essential to obtaining long-term strategic success.

To illustrate why attributes with similar names may not be the same let’s discuss a basic attribute, such as “number of accounts paid satisfactory.” While the definition, may at first seem straight forward, once the analysis begins there are many variables that must be considered before finalizing the definition, including:

• Should the credit attributes include trades currently satisfactory or ever satisfactory?
• Do we include paid charge-offs, paid collections, etc.?
• Are there any date parameters for credit attributes?
• Are there any trades that should be excluded?
• Should accounts that have a final status of "paid” be included?

These types of questions and many others must be carefully identified and assessed to ensure the desired behavior is captured when creating credit attributes. Without careful attention to detail, a simple attribute definition could include behavior that was not intended.  This could negatively impact the risk level associated with an organization’s portfolio. Our recommendation is to complete a detailed analysis up-front and always validate the results to ensure the desired outcome is achieved. Incorporating this best practice will guarantee that credit attributes created are capturing the behavior intended.

 

--by Matt Ehrlich

In my last entry, I talked about the challenges clients face in trying to meet multiple and complex regulatory requirements, such as FACT Act’s Red Flags Rule and the USA Patriot Act.  While these regulations serve both different and shared purposes, there are some common threads between the two:

1. You must consider the type of accounts and methods of account opening: The type of account offered - credit or deposit, consumer or business – as well as the method of opening – phone, online, or face-to-face – has a bearing on the steps you need to take and the process that will be established.

2. Use of consumer name, address, and identification number:The USA Patriot Act requires each of these – plus date of birth – to open a new account.  Red Flags stops short of “requiring” these for new account openings, but it consistently illustrates the use of these Personally Identifiable Information (PII) elements as examples of reasonable procedures to detect red flags.

3. Establishing identity through non-documentary verification:Third party information providers, such as a credit reporting agency or data broker, can be used to confirm identity, particularly in the case where the verification is not done in person.

Knowing what’s in common means you can take a look at where to leverage processes or tools to gain operational and cost efficiencies and reduce negative impact on the customer experience.  For example, if you’re using any authentication products today to comply with the USA Patriot Act and/or minimize fraud losses, the information you collect from consumers and authentication steps you are already taking now may suffice for a large portion of your Red Flags Identity Theft Prevention Program. 

And if you’re considering fraud and compliance products for account opening or account management – it’s clear that you’ll want something flexible that, not only provides identity verification, but scales to the compliance programs you put in place, and those that may be on the horizon.

-- By Tracy Bremmer

In our last blog (July 30), we covered the first three stages of model development which are necessary whether developing a custom or generic model.  We will now discuss the next three stages, beginning with the “baking” stage:  scorecard development.
 
Scorecard development begins as segmentation analysis is taking place and any reject inference (if needed) is put into place. Considerations for scorecard development are whether the model will be binned (divides predictive attributes into intervals) or continuous (variable is modeled in its entirety), how to account for missing values (or “false zeros”), how to evaluate the validation sample (hold-out sample vs. an out-of-time sample), avoidance of over-fitting the model, and finally what statistics will be used to measure scorecard performance (KS, Gini coefficient, divergence, etc.).

Many times lenders assume that once the scorecard is developed, the work is done.   However, the remaining two steps are critical to development and application of a predictive model:  implementation/documentation and scorecard monitoring.   Neglecting these two steps is like baking a cake but never taking a bite to make sure it tastes good. 

Implementation and documentation is the last stage in developing a model that can be put to use for enhanced decisioning. Where the model will be implemented will determine the timeliness and complexity for when the models can be put into practice. Models can be developed in an in-house system, a third-party processor, a credit reporting agency, etc. Accurate documentation outlining the specifications of the model will be critical for successful implementation and model audits.

Scorecard monitoring will need to be put into place once the model is developed, implemented and put into use. Scorecard monitoring evaluates population stability, scorecard performance, and decision management to ensure that the model is performing as expected over the course of time. If at any time there are variations based on initial expectations, then scorecard monitoring allows for immediate modifications to strategies.

With all the right ingredients, the right approach, and the checks and balances in place, your model development process has the potential to come out “just right!”

-- By Kari Michel

What is your credit risk score?  Is it 300, 700, 900 or something in between?  In order to understand what it means, you need to know which score you are referencing.  Lenders use many different scoring models to determine who qualifies for a loan and at what interest rate. For example, Experian has developed many scores, such as VantageScore®..  Think of VantageScore® as just one of many credit scores available in the marketplace.

While all credit risk models have the same purpose, to use credit information to assess risk, each credit model is unique in that each one has its own proprietary formula that combines and calculates various credit information from your credit report.  Even if lenders used the same credit risk score, the interpretation of risk depends on the lender, and their lending policies and criteria may vary.

Additionally, each credit risk model has its own score range as well.  While the score range may be relatively similar to another score range, the meaning of the score may not necessarily be the same.   For example, a 640 in one score may not mean the same thing or have the same credit risk as a 640 for another score.  It is also possible for two different scores to represent the same level of risk. If you have a good credit score with one lender, you will likely have a good score with other lenders, even if the number is different.
 

One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315.  Section 315 provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. 

A couple of common questions and answers to get us started:

1.  How do the credit reporting agencies display an address discrepancy?

Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied upon inquiry.

2.  How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested?

Following procedures that you have implemented as a part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You also may compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly.

In my last posting, I discussed the value of a risk-based approach to Red Flag compliance.  Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions…including addressing discrepancies on a consumer credit report.

Arguably, the biggest Red Flag problem we solve for our clients these days is in responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program.  There are many tools available that can detect Red Flag conditions.  The best-in-class solutions, however, are those that not only detect these conditions, but allow for cost-effective and accurate reconciliation of high risk conditions.  Remember, a Red Flag compliant program is one that identifies and detects high risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change.

A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority of these could be positively reconciled (a.k.a. authenticated) via the use of alternate data sources and scores.  Layer on top of a solid decisioning strategy using these elements, the use of consumer-facing knowledge-based authentication questions, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center.  Now that address discrepancies can no longer be ignored, this approach can save your operations team from having to add headcount to respond to this initially detected condition.
 

Here are a few more frequently asked questions.

1. Am I a “creditor” under the rule?
The term “creditor” has the same meaning as under the Equal Credit Opportunity Act (ECOA) and is defined as a person who regularly participates in credit decisions, including, for example, a mortgage broker, a person who arranges credit or a servicer of loans who participates in “workout” decisions. The term “credit” is defined, as in the ECOA, as the right granted by a creditor to defer payment for goods or services. It is important to note that commercial, as well as consumer, credit accounts may be covered by the Rule.

2. We are an insurance company that uses credit reports to underwrite insurance. Does the Red Flags Rule apply to us?
The Red Flag Rule applies to creditors and depository institutions and should not apply to an insurer when engaged in activities related to insurance underwriting. To the extent that you extend credit, however, you may be covered. For example, you may wish to examine whether you permit consumers to finance their premiums; whether you extend credit to vendors, independent agents or other business partners; or whether you extend credit in connection with your investment activities, including real-estate investments.

3. I am an auto dealer. Does the rule apply to me?
If the business extends auto credit to consumers or arranges auto credit for consumers, the Red Flag guidelines may apply.
 

Address discrepancies aren't the end of the road, but they sure can be a bump in it. One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315.  Section 315 provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. 

A couple of common questions and answers to get us started:

1.  How do the credit reporting agencies display an address discrepancy?

Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied upon inquiry.

2.  How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested?

Following procedures that you have implemented as a part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You also may compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly.

In my last posting, I discussed the value of a risk-based approach to Red Flag compliance.  Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions…including addressing discrepancies on a consumer credit report.

Arguably, the biggest Red Flag problem we solve for our clients these days is in responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program.  There are many tools available that can detect Red Flag conditions.  The best-in-class solutions, however, are those that not only detect these conditions, but allow for cost-effective and accurate reconciliation of high risk conditions.  Remember, a Red Flag compliant program is one that identifies and detects high risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change.

A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority of these could be positively reconciled (a.k.a. authenticated) via the use of alternate data sources and scores.  Layer on top of a solid decisioning strategy using these elements, the use of consumer-facing knowledge-based authentication questions, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center.  Now that address discrepancies can no longer be ignored, this approach can save your operations team from having to add headcount to respond to this initially detected condition.
 

One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315.  Section 315 provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. 

A couple of common questions and answers to get us started:

1.  How do the credit reporting agencies display an address discrepancy?

Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied upon inquiry.

2.  How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested?

Following procedures that you have implemented as a part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You also may compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly.

In my last posting, I discussed the value of a risk-based approach to Red Flag compliance.  Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions…including addressing discrepancies on a consumer credit report.

Arguably, the biggest Red Flag problem we solve for our clients these days is in responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program.  There are many tools available that can detect Red Flag conditions.  The best-in-class solutions, however, are those that not only detect these conditions, but allow for cost-effective and accurate reconciliation of high risk conditions.  Remember, a Red Flag compliant program is one that identifies and detects high risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change.

A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority of these could be positively reconciled (a.k.a. authenticated) via the use of alternate data sources and scores.  Layer on top of a solid decisioning strategy using these elements, the use of consumer-facing knowledge-based authentication questions, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center.  Now that address discrepancies can no longer be ignored, this approach can save your operations team from having to add headcount to respond to this initially detected condition.