I’ve talked (sorry, blogged) previously about taking a risk-based approach to reconciling initial Red Flag Rule conditions in your applications, transactions, or accounts.  In short, that risk-based approach incorporates a more holistic view of a consumer in determining overall risk associated with that identity.  This risk can be assessed via an authentication score, alternate data sources and/or verification results.  I also want to point out the potential value of knowledge-based authentication (a.k.a. out-of-wallet questions) in providing an extra level of confidence in progressing a consumer transaction or application in light of an initially detected Red Flag condition.

In Experian’s Fraud and Identity Solutions business, we have some clients who are effectively embedding the use of knowledge-based authentication into their overall Red Flags Identity Theft Prevention Program.  In doing so, they are able to identify the majority of higher risk conditions and transactions and positively authenticate those initiating consumers via a series of interactive questions designed to be more easily answered by a legitimate individual -- and more difficult for a fraudster.  Using knowledge-based authentication can provide the following values to your overall process:

1. Consistency: Utilizing a hosted and standard process can reduce potential subjectivity in decisioning.  Subjectivity is not a friend to examiners or to your bottom line.

2. Measurability: Question performance and reporting allows for ongoing monitoring and optimization of decisioning strategies.  Plus, examiners will appreciate the metrics.

3. Customer Experience: This is a buzzword these days for sure.  Better to place a customer through a handful of interactive questions, than to ask them to fax in documentation --or to take part in a face-to-face authentication.

4. Cost: See the three values above. Plus, a typical knowledge-based authentication session may well be more cost effective from an FTE/manual review perspective.

Now, keep in mind that the use of knowledge-based authentication is certainly a process that should be approved by your internal compliance and legal teams for use in your Red Flags Identity Theft Prevention Program.  That said, with sound decisioning strategies based on authentication question performance in combination with overall authentication results and scores, you can be well-positioned to positively progress the vast majority of consumers into profitable accounts and transactions without incurring undue costs.


Hello Red Flaggers!  I’m still getting some questions from our clients these days around the FTC enforcement extension.  My concern is that there seems to be a perception that May 1, 2009 is the enforcement date for all of the guidelines in the Red Flags Rule.  In reading through the recently released FTC Enforcement Policy (Identity Theft Red Flags Rule, 16 CFR, 681.2), it clearly states the following:

This delay in enforcement is limited to the Identity Theft Red Flags Rule (16 CFR 681.2), and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 CFR 681.1), or to the rule regarding changes of address applicable to card issuers (16 CFR 681.3).

So, while you may be breathing a sigh of relief as far as the implementation of your overall Identity Theft Prevention Program is concerned, be advised that the May 1, 2009 extension does not cover the need to detect and/or respond to address discrepancies on consumer reports or during address changes on card accounts.

As previously mentioned in an earlier blog of mine (see Nov. 13 blog), responding to address discrepancies on consumer reports may be the biggest challenge for many of our clients, as (depending on market served) the percentage of consumer reports with an address discrepancy can number over 20 percent.  This can create an operational burden from the perspective of cost, customer experience, and the ability to quickly book legitimate and profitable customers.  Have a look at my previous blog on a risk based approach to address discrepancies for a refresher on this subject.  Good luck!!


We get the following question quite a bit:

Would the regulators expect to see a log of detected activity and resulting mitigation?

Short answer:

The Red Flags Rule does not specifically require you to maintain a log, nor do the guidelines suggest that a log should be maintained. However, covered institutions are required to prepare regular reports around the effectiveness of their program.  Additionally, there exists the requirement to incorporate an institution’s own experiences with identity theft when reviewing and updating their program.

Long answer:

Think now about the value of incorporating robust (and, optimally, transaction level) reporting into your program for a few key reasons:

1. Reporting allows you to more easily and comprehensively create and disseminate board-level reports related to program effectiveness.  These aren’t a bad thing to show a regulator either.

2. Detailed reporting provides you an opportunity to more accurately monitor your program’s performance with respect to decisioning strategies, false positives, false negatives, fraud detection and prevention rates, resultant losses and legitimate costs.

3. The more historic detail you have compiled, the easier it will be to make educated, analytically based, and quantifiable updates to your program over time.  Without this, you may be living and dying with anecdotal decision making, which is never good.

4. Finally, maintaining program performance data will afford you the ability to work with other service providers in validating their capabilities against known transactional or account level outcomes.  We, at Experian, certainly find this useful in working with our clients to deliver optimal strategies.

Thanks as always.


The Federal Trade Commission (FTC) suspended enforcement of the new Red Flag Rule until May 1, 2009.  According to the FTC’s Enforcement Policy, “…during the course of the Commission’s education and outreach efforts following publication of the rule, the Commission has learned that some industries and entities within the FTC’s jurisdiction have expressed confusion and uncertainty about their coverage under the rule.  These entities indicated that they were not aware that they were undertaking activities that would cause them to fall within FACTA Sections 114 and 315 definitions of ‘creditor’ or ‘financial institution’.”

So, depending upon which enforcement entity (or entities) will be knocking on your door in the coming months, you may (and I emphasize “may”) have some extra time to get your house in order.   While many of you are likely confident that you have a compliant written and operational Identity Theft Prevention Program, this break in the action can be a great time to take care of setting up some ongoing procedures for keeping your program up to date.  Here are some ideas to keep in mind along the way:

1. Make sure you have clear responsibilities and accountabilities identified and assigned to appropriate persons.  Lack thereof may lead to everyone thinking someone else is keeping tabs.

2. Start setting the stage for a process to update your program based on:

a. Your new experiences with identity theft;
b. Changes in methods of identity theft;
c. Changes in methods to detect, prevent, and mitigate identity theft;
d. Changes in the types of accounts you offer or maintain; and
e. Changes in your business arrangements, including mergers, acquisitions, alliances, joint ventures and service provider arrangements.

3. Set up a process for program review at the board level.  Remember that your program does not have to be approved by your board of directors annually, but the board (or a committee of the board) or senior management must review reports regarding your program each year.  They must approve any material changes to your program should they occur.

4. Prepare now for follow up actions associated with your first Red Flag Rule examination(s).  There will surely be suggestions or mandates stemming from that exercise, and now is a good time to start securing appropriate resources and time.

My key message here is that, while there may be a lull in the world of Red Flags activity, this is a great time to keep momentum in your program development and upkeep by planning for the next wave of updates and your impending examinations.  Best of luck.


I’m working with many of our clients in reviewing their existing or evolving Red Flags Identity Theft Prevention Programs.  While the majority of them appear to be buttoned up from the perspective of identifying covered accounts and applicable Red Flag conditions, as well as establishing detection methodologies, I often still see too much subjectivity in their response and reconciliation procedures.

Here are a few reasons why the “response” portion of a strong Red Flags Identity Theft Prevention program needs to employ consistent and objective process, decisioning, and actions:

1. Inconsistent or subjectively varied responses and actions greatly reduce the ability to measure process effectiveness over time.  It becomes increasingly difficult for retro-analysis to identify which processes and specific steps in those processes were successful in either positively or negatively reconciling potential fraudulent activity.  Subsequently, it clouds any ability to make effective or necessary changes to specific activities that may not be working well.

2. Examiners may focus heavily on the response portion of your program.  During operational side-by-sides, or even written program reviews, the less ambiguity and inconsistency identified or perceived, the better.  A quick rule of thumb for any examination: preempt any questions with exhaustive information and clarity.  Examiners that don’t need to ask many, or any, questions are happy examiners.

3. Objective and consistent process allows for more manageable staff training.  It is much easier to educate your staff around a justified and effective uniform process than around intuitive and haphazard procedures and consumer interactions.  It is tough to set expectations with your staff if there are gaping holes in the activities they are expected to execute.

4. Customer experience will certainly be more positive, and less of a worry for managers, as inequity of treatment is removed from the equation.  It is better to have each customer progress through similar steps toward authentication than varied ones from the perspective of time, perception, effectiveness, and convenience.   Now, certainly, a risk-based approach allows for varied treatment based on that risk.  The point here is more toward the need to apply those varied techniques consistently.

5. Social engineering.  Fraudsters are pretty good at figuring out if an operational process is open to interpretation and manipulation.  They’ll continue to engage in a process with the goal of landing with the right associate who may be following a more easily penetrable fraud detection method.  Bottom line: keep the walls around your business the same height throughout.

Until next time, best of luck as you continue to develop and improve your Red Flags programs.


One of the handful of mandatory elements in the Red Flag guidelines, which focus on FACTA Sections 114 and 315, is the implementation of Section 315.  Section 315 provides guidance regarding reasonable policies and procedures that a user of consumer reports must employ when a consumer reporting agency sends the user a notice of address discrepancy. 

A couple of common questions and answers to get us started:

1.  How do the credit reporting agencies display an address discrepancy?

Each credit reporting agency displays an “address discrepancy indicator,” which typically is simply a code in a specified field. Each credit reporting agency uses a different indicator. Experian, for example, supplies an indicator for each displayable address that denotes a match or mismatch to the address supplied upon inquiry.

2.  How do I “form a reasonable belief” that a credit report relates to the consumer for whom it was requested?

Following procedures that you have implemented as a part of your Customer Identification Program (CIP) under the USA PATRIOT Act can and should satisfy this requirement. You also may compare the credit report with information in your own records or information from a third-party source, or you may verify information in the credit report with the consumer directly.

In my last posting, I discussed the value of a risk-based approach to Red Flag compliance.  Foundational to that value is the ability to efficiently and effectively reconcile Red Flag conditions, including address discrepancies on a consumer credit report.

Arguably, the biggest Red Flag problem we solve for our clients these days is in responding to identified and detected Red Flag conditions as part of their Identity Theft Prevention Program.  There are many tools available that can detect Red Flag conditions.  The best-in-class solutions, however, are those that not only detect these conditions, but allow for cost-effective and accurate reconciliation of high risk conditions.  Remember, a Red Flag compliant program is one that identifies and detects high risk conditions, responds to the presence of those conditions, and is updated over time as risk and business processes change.

A recent Experian analysis of records containing an address discrepancy on the credit profile showed that the vast majority of these could be positively reconciled (a.k.a. authenticated) via the use of alternate data sources and scores.  Layer on top of a solid decisioning strategy using these elements, the use of consumer-facing knowledge-based authentication questions, and nearly all of that potential referral volume can be passed through automated checks without ever landing in a manual referral queue or call center.  Now that address discrepancies can no longer be ignored, this approach can save your operations team from having to add headcount to respond to this initially detected condition.
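To make the decisioning strategy above concrete, here is an added worked example (mine for this post, not an Experian product API or any client's actual program).  It ties together three threads from these entries: the layered reconciliation of an address discrepancy (alternate data and an authentication score first, then knowledge-based authentication, and only then a manual referral), the objective and repeatable response process argued for in the "subjectivity" post, and the transaction-level decision log and program metrics (referral rate, false positives, false negatives, detection rate) from the "log" question.  The score range, thresholds, field names and sample applications are all constructed assumptions for illustration.

```python
"""Risk-based reconciliation of an address-discrepancy Red Flag condition,
with a transaction-level decision log and program-effectiveness metrics.
All thresholds, field names and sample records are constructed for this
example; they are not Experian's product API or published figures."""

from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Decision(str, Enum):
    APPROVE = "approve"   # progress the application automatically
    KBA = "kba"           # present knowledge-based authentication questions
    MANUAL = "manual"     # refer to the manual review queue


@dataclass(frozen=True)
class Policy:
    """Assumed thresholds; a real program would set these from question and score performance."""
    auto_approve_score: int = 700   # at/above this, an alternate-data match clears the condition
    kba_floor_score: int = 500      # below this, KBA is not offered; refer to manual review
    kba_pass_min_correct: int = 3   # correct answers needed to pass a four-question session


@dataclass
class Application:
    app_id: str
    address_discrepancy: bool               # consumer-report discrepancy indicator raised
    auth_score: int                         # hypothetical 0-999 authentication score
    alt_data_match: bool                    # an alternate data source confirms the address
    kba_correct: Optional[int] = None       # answers correct in the KBA session, None if no session yet
    confirmed_fraud: Optional[bool] = None  # outcome learned later, None if still unknown


def reconcile(app: Application, policy: Policy = Policy()) -> Decision:
    """Objective, repeatable response to the address-discrepancy condition.
    The same inputs always produce the same decision, regardless of which
    associate handles the application."""
    if not app.address_discrepancy:
        return Decision.APPROVE
    if app.auth_score >= policy.auto_approve_score and app.alt_data_match:
        return Decision.APPROVE
    if app.auth_score < policy.kba_floor_score:
        return Decision.MANUAL
    if app.kba_correct is None:
        return Decision.KBA
    if app.kba_correct >= policy.kba_pass_min_correct:
        return Decision.APPROVE
    return Decision.MANUAL


def decision_log(apps, policy: Policy = Policy()):
    """Transaction-level record: every input the decision depended on, plus the outcome."""
    return [{"app_id": a.app_id, "discrepancy": a.address_discrepancy,
             "score": a.auth_score, "alt_match": a.alt_data_match,
             "kba_correct": a.kba_correct, "decision": reconcile(a, policy).value,
             "confirmed_fraud": a.confirmed_fraud} for a in apps]


def program_metrics(log):
    """Board-level numbers derived from the log, restricted to flagged records."""
    flagged = [r for r in log if r["discrepancy"]]
    known = [r for r in flagged if r["confirmed_fraud"] is not None]
    fraud = [r for r in known if r["confirmed_fraud"]]
    legit = [r for r in known if not r["confirmed_fraud"]]
    n = len(flagged)
    return {
        "flagged": n,
        "manual_referral_rate": round(sum(r["decision"] == "manual" for r in flagged) / n, 3) if n else 0.0,
        "auto_clear_rate": round(sum(r["decision"] == "approve" for r in flagged) / n, 3) if n else 0.0,
        "false_positives": sum(r["decision"] == "manual" for r in legit),   # legitimate customers referred
        "false_negatives": sum(r["decision"] == "approve" for r in fraud),  # fraud that cleared automatically
        "fraud_detection_rate": round(sum(r["decision"] != "approve" for r in fraud) / len(fraud), 3) if fraud else 0.0,
    }


def replay_matches(log, policy: Policy = Policy()) -> bool:
    """Consistency audit: every logged decision must be reproducible from its logged inputs."""
    for r in log:
        app = Application(r["app_id"], r["discrepancy"], r["score"], r["alt_match"], r["kba_correct"])
        if reconcile(app, policy).value != r["decision"]:
            return False
    return True


# Constructed sample applications (not real consumer data).
SAMPLE_APPLICATIONS = [
    Application("A1", False, 620, False, None, False),  # no discrepancy: nothing to reconcile
    Application("A2", True, 760, True, None, False),    # strong score + alternate data match
    Application("A3", True, 640, False, 4, False),      # passed KBA
    Application("A4", True, 560, True, 1, True),        # failed KBA, later confirmed fraud
    Application("A5", True, 410, False, None, True),    # score too low for KBA
    Application("A6", True, 590, False, None, None),    # awaiting a KBA session
    Application("A7", True, 720, False, 3, True),       # passed KBA but later confirmed fraud
]

if __name__ == "__main__":
    log = decision_log(SAMPLE_APPLICATIONS)
    for r in log:
        print(r["app_id"], r["decision"])
    print(program_metrics(log), "consistent:", replay_matches(log))
```

The point of `replay_matches` is the examiner's question in disguise: if a decision cannot be reproduced from the inputs you logged, either the log is incomplete or someone exercised judgment outside the written procedure, and both are findings you would rather discover yourself.  Tune the thresholds in `Policy` from the metrics, not from anecdote.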


For those of us that have been following the Red Flag Rules adoption for more than a year now, the recent arrival and passing of the November 1 compliance deadline allows us to pause to assess where we are -- and where we are heading.  One question seems to surface regularly these days:

How ready or compliant is the market today?

Well, I think it’s safe to say that the market is certainly not 100% home when it comes to compliance readiness. 

Experian surveys registrants on our Red Flags online resource site.  As of October 31 -- a.k.a. ‘Compliance Eve’ -- nearly half of the registrants (48%) fell into the category of ‘just starting to review the rules and determine a compliance plan’.  Other industry surveys, interviews, and analyst reports suggest an even lower rate of compliance (closer to only one-third of covered institutions) in the market. 

The Federal Trade Commission seemed to sense this market condition, and granted a six-month reprieve from Red Flags compliance enforcement – to May 1, 2009.  While this extension is welcome news for those institutions falling under the FTC’s jurisdictional umbrella, other institutions are arguably out of compliance today, and face pending examinations in the coming months. 

So, is the market ready today?  The broad answer is a resounding ‘no.’ 

Much of the market’s effort has gone into the creation of written Identity Theft Prevention Programs as part of the Red Flag Rule requirements.  How well will these written procedures be received by the examining agencies?  How will these written programs translate into effective and (as importantly) manageable operational processes?  The first wave of examinations will help answer some of these questions and concerns, and ongoing cost analysis (associated with: referral volumes; application acceptance rates; manual or automated processes; and, of course, fraud losses) will help paint a clearer picture in the months to come.
