How Red Flags Rule affects risk managers and compliance officers, Part 2

Thursday, October 15, 2009 by Fraud and Identity Solutions Team

--by Matt Ehrlich

In my last entry, I talked about the challenges clients face in trying to meet multiple and complex regulatory requirements, such as FACT Act’s Red Flags Rule and the USA Patriot Act.  While these regulations serve both different and shared purposes, there are some common threads between the two:

1. You must consider the type of accounts and methods of account opening: The type of account offered - credit or deposit, consumer or business – as well as the method of opening – phone, online, or face-to-face – has a bearing on the steps you need to take and the process that will be established.

2. Use of consumer name, address, and identification number:The USA Patriot Act requires each of these – plus date of birth – to open a new account.  Red Flags stops short of “requiring” these for new account openings, but it consistently illustrates the use of these Personally Identifiable Information (PII) elements as examples of reasonable procedures to detect red flags.

3. Establishing identity through non-documentary verification:Third party information providers, such as a credit reporting agency or data broker, can be used to confirm identity, particularly in the case where the verification is not done in person.

Knowing what’s in common means you can take a look at where to leverage processes or tools to gain operational and cost efficiencies and reduce negative impact on the customer experience.  For example, if you’re using any authentication products today to comply with the USA Patriot Act and/or minimize fraud losses, the information you collect from consumers and authentication steps you are already taking now may suffice for a large portion of your Red Flags Identity Theft Prevention Program. 

And if you’re considering fraud and compliance products for account opening or account management – it’s clear that you’ll want something flexible that, not only provides identity verification, but scales to the compliance programs you put in place, and those that may be on the horizon.



 


0 Comments »

Why risk-based authentication…and what is it, for that matter?

Thursday, September 24, 2009 by Fraud and Identity Solutions Team

-- by Keir Breitenfeld

The term “risk-based authentication” means many things to many institutions.  Some use the term to review to their processes; others, to their various service providers.  I’d like to establish the working definition of risk-based authentication for this discussion calling it:  “Holistic assessment of a consumer and transaction with the end goal of applying the right authentication and decisioning treatment at the right time.” 

Now, that “holistic assessment” thing is certainly where the rubber meets the road, right? 

One can arguably approach risk-based authentication from two directions.  First, a risk assessment can be based upon the type of products or services potentially being accessed and/or utilized (example: line of credit) by a customer.  Second, a risk assessment can be based upon the authentication profile of the customer (example: ability to verify identifying information).  I would argue that both approaches have merit, and that a best practice is to merge both into a process that looks at each customer and transaction as unique and therefore worthy of  distinctively defined treatment.

In this posting, and in speaking as a provider of consumer and commercial authentication products and services, I want to first define four key elements of a well-balanced risk based authentication tool: data, detailed and granular results, analytics, and decisioning.

1.  Data: Broad-reaching and accurately reported data assets that span multiple sources providing far reaching and comprehensive opportunities to positively verify consumer identities and identity elements.

2.  Detailed and granular results: Authentication summary and detailed-level outcomes that portray the amount of verification achieved across identity elements (such as name, address, Social Security number, date of birth, and phone) deliver a breadth of information and allow positive reconciliation of high-risk fraud and/or compliance conditions.  Specific results can be used in manual or automated decisioning policies as well as scoring models,

3.  Analytics:  Scoring models designed to consistently reflect overall confidence in consumer authentication as well as fraud-risk associated with identity theft, synthetic identities, and first party fraud.  This allows institutions to establish consistent and objective score-driven policies to authenticate consumers and reconcile high-risk conditions.  Use of scores also reduces false positive ratios associated with single or grouped binary rules.  Additionally, scores provide internal and external examiners with a measurable tool for incorporation into both written and operational fraud and compliance programs,

4.  Decisioning: Flexibly defined data and operationally-driven decisioning strategies that can be applied to the gathering, authentication, and level of acceptance or denial of consumer identity information.  This affords institutions an opportunity to employ consistent policies for detecting high-risk conditions, reconcile those terms that can be changed, and ultimately determine the response to consumer authentication results – whether it be acceptance, denial of business or somewhere in between (e.g., further authentication treatments).

In my next posting, I’ll talk more specifically about the value propositions of risk-based authentication, and identify some best practices to keep in mind.

 

 


 


0 Comments »