Fraud & Identity Management

Each year, more than $1 billion is stolen from accounts at small and mid-sized banks across the U.S. and Europe. Unless the nature of the threat is recognized and addressed, this amount will only continue to grow. This week, we released of our latest webinar, Fraud Moving Downstream: Navigating Through the Rough Waters Ahead. Julie Conroy, research director at Aite Group and I team together to address this growing risk for regional and mid-sized banks, providing an overview of the current threat landscape and explain how the existing conditions are creating the perfect storm for fraudsters. Key topics discussed in this webinar include: How Regional Banks are Enhancing Online Offerings: Regional banks are responding to customer demand for more offerings, especially mobile banking options, which exposes them to new threats. The Rise in Sophisticated Fraud Attacks: Fraud rings and other new attack types (malware, man-in-the-middle, man-in-the-browser, etc.) are occurring at a higher rate than ever and pose serious threats to regional banks that lack strong, multi-layered defenses. Regional Banks’ Lack of Resources: Second and third tier banks have less manpower and less sophisticated solutions in place, which makes reviewing transactions and identifying repeat and cross-channel attacks incredibly difficult. You can access the on-demand webinar here. Also be sure to check out our infographic that illustrates this growing threat of fraud for small and mid-size banks, found here.

First, it aims to drastically reduce payment acceptance costs through any and all means and Secondly – keep merchant data firmly within their purview. MCX – MerChants reduX: The post that follows is a collection of thoughts around MCX, why it deserves respect, and yet how it is indeed mortal and bleeds like all others. For those who are not familiar with MCX – it’s a consortium of over 30 leading national retailers with a singular purpose – that is, to create a seamlessly integrated mobile commerce platform. The website for MCX is http://www.mcx.com. The consortium is led by merchants like Walmart, Target, CVS, BestBuy, Gap, Sears etc. By 2012, the mobile payments space was fragmented as it is, which itself may have precipitated the launch of MCX. And to a number of solutions looking for traction, things ground to a halt when MCX conceptualized to the merchants a solution that needed no costly upgrades and a promise to route the transaction over low cost routing options. My friends on the issuer side privately confide that MCX has infact succeeded in throwing a monkey wrench in their mobile payment plans – and merchant acceptance looks to be ambiguous around incumbent initiatives such as Isis and GoogleWallet, as well as for alternative payment initiatives. It had been easy to call it mere posturing and ignore it in the early days, but of late there is a lot of hand wringing behind the scenes and too many furrowed brows, as if the realization finally struck that merchants were indeed once again crucial to mobile payment adoption. MCX – It’s raison d’etre Meanwhile, the stakeholders behind MCX have been religious in their affirmation that MCX lives by two core tenets: First, it aims to drastically reduce payment acceptance costs through any and all means and Secondly – keep merchant data firmly within their purview. I can’t seem to think that the latter was any more than an after thought, because merchants individually can choose to decide if they wish to share customer preferences or Level III data with third parties, but they need all the collective clout they can muster to push networks and issuers to agree to reduce card acceptance costs. So if one distils MCX down to its raison d’etre, then it looks that it is aimed squarely at No.1. Which is fair when you consider that the merchants believe card fees are one of their biggest operating expenses. In 2007, 146,000 convenience stores and gas stations nationwide made a total of $3.4B in profits, yet they paid out $7.6B in card acceptance costs(Link). And MCX is smart to talk about the value of merchant data, the need to control it, yada yada yada. But if that were indeed more important, Isis could have been the partner of choice – someone who would treat customer and transaction data as sacrosanct and leave it behind for the merchants to fiddle with(vs. GoogleWallet’s mine..mine..mine.. strategy). But the same way HomeDepot was disappointed when they first saw GoogleWallet – no interchange relief, incremental benefits at the point-of-sale, and swoops all their data in return, Isis also offers little relief to MCX or its merchants, even without requiring any transaction or SKU level data in return. Does it mean that Carriers have no meaningful role to play in commerce? Au contraire. They do. But its around fraud and authentication. Its around Identity. And creating a platform for merchants to deliver coupons, alerts to opted-in customers. But they seem to be stuck imitating Google in figuring out a play at the front end of the purchase funnel, to become a consumer brand. The last thing they want to do is leave it to Apple to figure out the “Identity management” question, which the latter seems best equipped to answer by way of scale, the control it exerts in the ecosystem, its vertical integration strategy that allows it to fold in biometrics meaningfully in to its lineup, and to start with its own services to offer customer value. Did we say Apple? Its a bit early to play fast and loose with Apple predictions, but its Authentec acquisition should rear its head sometime in the near future (2013 – considering Apple’s manufacturing lead times), that a biometric solution packaged neatly with an NFC chip and secure element could address three factors that has held back customer adoption of biometrics: Ubiquity of readers, Issues around secure local storage and retrieval of biometric data, Standardization in accessing and communicating said data. An on-chip secure solution to store biometric data – in the phone’s secure element can address qualms around a central database of biometric data open to all sorts of malicious attacks. Standard methods to store and retrieve credentials stored in the SE will apply here as well. Why NFC? If NFC was originally meant to seamlessly and securely share content, what better way to sign that content, to have it be attributable to its original author, or to enforce one’s rights to said content – than to sign it with one’s digital signature. Identity is key, not just when enforcing digital rights management on shared content, but also to secure commerce and address payment/fraud risk. Back to MCX.  The more I read the more it seems MCX is trying to imitate Isis in competing for the customer mindshare, in attempting to become a consumer brand – than simply trying to be a cheaper platform for payment transactions. As commerce evolved beyond being able to be cleanly classified under “Card Present” and “Card Not Present” – as transactions originate online but get fulfilled in stores, merchants expect rules to evolve alongside reality. For example, when customers are able to order online, but pick up in-store after showing a picture ID, why would merchants have to pay “Card not Present” rates when risk is what we attribute higher CNP rates to, and why is there an expectation of the same amount of risk even in this changed scenario? And beyond, as technology innovation blurs the lines that neatly categorized commerce, where we replace “Card Present” with “Mobile Present”, and mobile carry a significant amount of additional context that could be scored to address or quantify risk, why shouldn’t it be?. It’s a given that networks will have to accommodate for reduced risk in transactions where mobile plays a role, where the merchant or the platform enabling the transaction can meaningfully use that context to validate customer presence at the point-of-sale – and that they will expect appropriate interchange reduction in those scenarios. MCX – A brand like Isis or a platform? But when reading portions of the linked NRF blog, and elsewhere – it reflects a misplaced desire on MCX’s part to become a consumer facing solution – an app that all MCX partners will embrace for payment. This is so much like the Isis solution of today – that I have written about – and why it flies in the face of reason. Isis – the nexus between Carriers and FI’s – is a powerful notion, if one considers the role it could play in enabling an open platform – around provisioning, authentication and marketing. But for that future to materialize, Isis has to stop competing with Google, and must accept that it has little role to play by itself at the front end of the funnel, and must recede to its role of an enabler – one that puts its partner FI brands front and center, allows Chase’s customers to pay using Chase’s mobile app instead of Isis, and drives down the fraud risk at the point of sale by meaningfully authenticating the customer via his location and mobile assets Carriers control, and further – the historical data they have on the customer. It’s those three points of data and the scale Isis can bring, that puts them credibly in the payments value chain – not the evaporating control around the Secure Element. In the same vein, the value MCX brings to merchants – is the collective negotiating power of over 30 national merchants. But is it a new consumer brand, or is it a platform focused on routing the transaction over the least cost routing option. If its the latter, then it has a strong parallel in Paypal. And as we may see Paypal pop-up as legal tender in many a retailer’s mobile apps and checkout aisles going forward, MCX is likely to succeed by emulating that retailer aligned strategy than follow a brand of its own. Further, If MCX wants customers to pay using less costly means – whether they be private label, prepaid or ACH – then it and its partners must do everything they can to shift the customer focus away from preferred payment methods and focus on the customer experience and resulting value around loyalty. MCX must build its value proposition elsewhere, and make their preferred payment methods the bridge to get the customer there. Another example where the retailer focused too much on the payment, and less so on the customer experience is the Safeway Fast Forward program. The value proposition is clear for the customer – Pay using your Safeway Fast Forward card number and a self assigned PIN for simpler checkout. However to set up your account, the customer must provide a State issued ID (Drivers License) and on top of it – his Social Security Number(Safeway Fast Forward Requirements Here). What customer would, for the incremental convenience of paying via his Fast Forward Card and PIN, be willing to entrust Safeway with his Social Security Number? Clearly Safeway’s Risk team had a say in this and instead of coming up with better ways to answer questions around Risk and Fraud, they introduced a non-starter, which killed any opportunity for meaningful adoption. MCX & adoption So where does that leave MCX? Why will I use it? How will it address questions around adoption? It’s a given that it will have to answer the same questions around fraud and authentication during customer on-boarding or at a transactional level. Further, its not enough these days to simply answer questions pertaining to the customer. Further, one must address questions relating to the integrity and reputation of the device the customer use – whether that be a mobile device or a Laptop PC. But beyond fraud and auth, there are difficult questions around what would compel a techno-luddite who has historically paid using a credit instrument to opt for an ACH driven(i am guessing) MCX payment scheme. Well, for one: MCX and its retail partners can control the purchasing power parity of MCX credits. If they so wish, and after aggregating customer profiles across retailers, MCX determines that the Addams family spends a collective $400 on average per month between all the MCX retailers. MCX could propose that if instead, the Addams family were to commit to buy $450 in MCX credits each month, they could increase their purchasing power an additional $45 credits that could be used on specific retail categories (or flat out across all merchandise)? Would Morticia be interested? If she did, what does that mean to MCX? It eliminated having to pay interchange on approx $500, and further it enabled its partners to capture an incremental spend of 10% that did not exist before. Only merchants will be able to pull this off – by leveraging past trends, close relationships with CPG manufacturers and giving Morticia new reasons to spend in the manner they want her to. But then again, where does MCX stop in providing a level playing field for its partners, and step back – so that merchants can start to compete for their customers and their spend? And finally, can it survive the natural conflicts that will arise, and limit its scope to areas that all can agree – for long enough for it to take root? Should MCX become the next Isis or the next Paypal? Which makes most sense? What do you think? Please leave your opinions below... (This blog post is an adaptation of its original post found - http://www.droplabs.co/?p=662)  

By: Maria Moynihan Fact:  In fiscal year 2011, the federal government allocated ~$608M to investigate and prosecute cases of alleged fraud in health care programs Fact:  Medicare and Medicaid related scams cost taxpayers more than $60B a year These statistics are profound, especially when so many truly need–and rightfully deserve–access to health benefits.  To make the facts a bit more tangible, how would you feel if you heard that neighbors of yours were submitting claims to Medicare for treatments that were never provided? In essence, you’ve got thieves for neighbors, don’t you? Thankfully, government agencies are responding. Even while being challenged with reduced budgets and limited resources; they are investing in efficient processes, advanced data, analytics and decisioning tools to improve their visibility into individuals at the point of application. By simply making adjustments to one or all of these areas, agencies can pinpoint whether or not individuals are who they say they are. Only with precision, relevancy, and efficiency of information, can fraud and abuse be curtailed. Below are a few examples of how to improve your eligibility systems or processes today. Or, simply download the Issue Brief, Beyond Traditional Eligibility Verification, for more detail. Use scores, models, and screening questions to assess a beneficiary’s true identity or level of identity fraud risk. Use income and asset estimation models to compare to stated income as a validation step in determination of benefits eligibility. Create a single system for automatic identification and verification of beneficiaries and businesses applying for service. Tighten controls around business identity to weed out fraud rings, syndicates and other forms of business fraud. The Bottom Line: Only with process, information, or system improvements, can government agencies move the needle on the growing and pressing issue of fraud and abuse.

By: Maria Moynihan Cyber Monday recently passed and I'm curious to know if you were one of the many who contributed to the $1.465 billion spend online that day?  ‘Tis the season - not only for increased online shopping, but for increased ID theft or risk of fraudulent activity. With a quick online search, you can find some good tips on how to protect your information.  Here’s a great read on password protection. Other sources offer added tips, like the below, when submitting information online: 1)  Ensure sensitive information is secure before submitting 2) Only access websites you know you can trust 3)  Be sure you are comfortable with the information your mobile device is asking you to provide in specific apps Beyond the holidays and even beyond the type of organization you are interacting with, these online tips apply. Government agencies for instance, encourage similar cautionary behavior when interacting with them. In fact, several have even implemented tools and processes to ensure the proper level of information security, authentication, and checking occur. Take the Social Security Administration for example. Here is an agency that implemented a secure process for individuals to access their benefits online. By incorporating a step to quickly and efficiently cross check an individual’s identity, the agency was able to validate information, ensuring people seeking access to their information are truly who they say they are. Watch a video to see how the Social Security Administration offers secure real-time access to individuals’ benefits. And, most importantly, keep these important information safety tips in mind every day and enjoy a stress-free and peaceful holiday!  

Six states are the top producers of turkeys: Minnesota at 46 million, North Carolina at 36 million, Arkansas at 29 million, Missouri at 17.5 million, Virginia at 17 million and Indiana at 16.5 million. This accounts for nearly two-thirds of turkeys produced in the United States as of September 2012. The average wholesale price for frozen whole turkey during fourth-quarter 2012 is projected to range from $1.10 to $1.14 per pound -- similar to the 2011 fourth-quarter average price of $1.11 per pound. The average retail price for whole frozen turkeys in September 2012 was $1.62, about 6 cents lower than the average retail price for whole frozen turkeys in September 2011. Source: National Agricultural Statistics Service (NASS), Agricultural Statistics Board and United States Department of Agriculture (USDA).

According to a recent Ponemon Institute study, 44 percent of consumers who were notified about a data breach believed the breached company was hiding something. When data breaches occur, it is extremely important to be there for customers and to address their concerns. When companies hide a data breach, impacted consumers begin to suspect the breach is actually much worse than the company claims, and trust in the organization begins to wane. Find out more by downloading the data breach case study of lessons learned from the field.

I'm here in Vegas at the Mobile2020 conference and I am fascinated by my room key. This is not the usual “insert in to the slot, wait for it turn green or hear it chime” key cards, these are “tap and hold to a door scanner till the door opens” RFID key card. It is befitting the event I am about to attend – Money2020 – the largest of its kind bringing together over 2000 mobile money aficionados, strategists and technologists from world over for a couple of days to talk about how payment modalities are shifting and the impact of these shifts to existing and emerging players. Away from all the excitement of product launches, I hope some will be talking about one of the major barriers for consumer adoption towards alternate payment modalities such as mobile – security and fraud.  I was in Costa Mesa last week and in the process of buying something for my wife with my credit card, triggered the card fraud alert. My card was declined and I had to use a different card to complete my transaction. As I was walking out, my smartphone registers a text alert from the card issuer – asking me to confirm that it was actually I who attempted the transaction. And If so, Respond by texting 1 – if Yes Or 2 – if No. All good and proper up till this point. If someone had stolen my card or my identity, this would have been enough to stop fraud from re-occurring. In this scenario the payment instrument and the communication device were separate – my plastic credit card and my Verizon smartphone. In the next couple of years, these two will converge, as my payment instrument and my smartphone will become one. At that point, will the card issuer continue to send me text alerts asking for confirmation? If instead of my wallet, my phone was stolen – what good will a text alert to that phone be of any use to prevent the re-occurrence of fraud? Further if one card was shut down, the thief could move to other cards with in the wallet – if, just as today, there are no frameworks for fraud warnings to permeate across other cards with in the wallet. Further, fraud liability is about to shift to the merchant with the 2013 EMV Mandate. In the recent years, there has been significant innovation in payments – to the extent that we have a number of OTT (Over the Top) players, unencumbered by regulation, who has been able to sidestep existing players – issuers and card networks, in positioning mobile as the next stage in the evolution of payments. Google, PayPal, Square, Isis (a Carrier consortium formed by Verizon, T-Mobile and AT&T), and a number of others have competing solutions vying for customer mind share in this emerging space. But when it comes to security, they all revert to a 4 digit PIN – what I call as the proverbial fig leaf in security. Here we have a device that offers a real-time context – whether it be temporal, social or geo-spatial – all inherently valuable in determining customer intent and fraud, and yet we feel its adequate to stay with the PIN, a relic as old as the payment rails these newer solutions are attempting to displace. Imagine what could have been – in the previous scenario where instead of reaching for my card, I reach for my mobile wallet. Upon launching it, the wallet, leveraging the device context, determines that it is thousands of miles away from the customer’s home and should score the fraud risk and appropriately ask the customer to answer one or more “out-of-wallet” questions that must be correctly answered. If the customer fails, or prefers not to, the wallet can suggest alternate ways to authenticate – including IVR. Based on the likelihood of fraud, the challenge/response scenario could include questions about open trade lines or simply the color of her car. Will the customer appreciate this level of pro-activeness on the issuer’s part to verify the legality of the transaction? Absolutely. Merchants, who so far has been on the sidelines of the mobile payment euphoria, but for whom fraud is a real issue affecting their bottom-line, will also see the value. The race to mobile payments has been all about quickly shifting spend from plastic to mobile, and incenting that by enabling smartphones to store and deliver loyalty cards and coupons. The focus need to shift, or to include, how smartphones can be leveraged to address and reduce fraud at the point-of-sale – by bringing together context of the device and a real-time channel for multi-factor authentication. It’s relevant to talk about Google Wallet (in its revised form) and Fraud in this context. Issuers have been up in arms privately and publicly, in how Google displaces the issuer from the transaction by inserting itself in the middle and settles with the merchant prior to firing off an authorization request to the issuer on the merchant’s behalf. Issuers are worried that this could wreak havoc with their inbuilt fraud measures as the authorization request will be masked by Google and could potentially result in issuer failing to catch fraudulent transactions. Google has been assuaging issuer’s fears on this front, but has yet to offer something substantial – as it clearly does not intent to revert to where it was prior – having no visibility in to the payment transaction (read my post here). This is clearly shaping up to be an interesting showdown – would issuers start declining transactions where Google is the merchant of record? And how much more risk is Google willing to take, to become the entity in the middle? This content is a re-post from Cherian's personal blog: http://www.droplabs.co/?p=625

By: Ken Pruett The great thing about being in front of customers is that you learn something from every meeting.  Over the years I have figured out that there is typically no “right” or “wrong” way to do something.  Even in the world of fraud and compliance I find that each client's approach varies greatly.  It typically comes down to what the business need is in combination with meeting some sort of compliance obligation like the Red Flag Rules or the Patriot Act.  For example, the trend we see in the prepaid space is that basic verification of common identity elements is really the only need.   The one exception might be the use of a few key fraud indicators like a deceased SSN.  The thought process here is that the fraud risk is relatively low vs. someone opening up a credit card account.  So in this space, pass rates drive the business objective of getting customers through the application process as quickly and easily as possible….while meeting basic compliance obligations. In the world of credit, fraud prevention is front and center and plays a key role in the application process.  Our most conservative customers often use the traditional bureau alerts to drive fraud prevention.  This typically creates high manual review rates but they feel that they want to be very customer focused. Therefore, they are willing to take on the costs of these reviews to maintain that focus.  The feedback we often get is that these alerts often lead to a high number of false positives. Examples of messages they may key off of are things like the SSN not being issued or the On-File Inquiry address not matching.  The trend is this space is typically focused on fraud scoring. Review rates are what drive score cut-offs leading to review rates that are typically 5% or less.  Compliance issues are often resolved by using some combination of the score and data matching. For example, if there is a name and address mismatch that does not necessarily mean the application will kick out for review.  If the Name, SSN, and DOB match…and the score shows very little chance of fraud, the application can be passed through in an automated fashion.  This risk based approach is typically what we feel is a best practice.  This moves them away from looking at the binary results from individual messages like the SSN alerts mentioned above. The bottom line is that everyone seems to do things differently, but the key is that each company takes compliance and fraud prevention seriously.  That is why meeting with our customers is such an enjoyable part of my job.

Last week, a group of us came together for a formal internal forum where we had the opportunity to compare notes with colleagues, hear updates on the challenges clients are facing and brainstorm solutions to client business problems across the discipline areas of analytics, fraud and software.   As usual, fraud prevention and fraud analytics were key areas of discussion but what was also notable was how big a role compliance is playing as a business driver.  First party fraud and identity theft detection are important components, sure, but as the Consumer Financial Protection Bureau (CFPB) gains momentum and more teeth, the demand for compliance accommodation and consistency grows critical as well.  The role of good fraud management is to help accomplish regulatory compliance by providing more than just fraud risk scores, it can help to: Know Your Customer (KYC) or Customer Information Program (CIP) details such as the match results and level of matching across name, address, SSN, date of birth, phone, and Driver’s License. Understand the results of checks for high risk identity conditions such as deceased SSN, SSN more frequently used by another, address mismatches, and more. Perform a check against the Office of Foreign Asset Control’s SDN list and the details of any matches. And while some fraud solutions out there make use of these types of comparisons when generating a score or decision, they may not pass these along to their customers.  And just think how valuable these details can be for both consistent compliance decisions and creating an audit trail for any possible audits.  

Consumers want to hear about data breaches - Eighty five percent of respondents in a recent study say learning about the loss of their data is pertinent to them. However, when they do, 72 percent indicated that they are dissatisfied with the notification letters they receive. Companies need to take note of these findings because more than one-third of consumers who receive a notification letter contemplate ending their relationship with the company. Providing affected individuals with a membership in an identity protection product is extremely important since 58 percent of consumers consider identity protection to be favorable compensation after a breach. Learn five pitfalls to avoid in your notification letters and how Experian Data Breach Resolution can help. Source: Download the complete 2012 consumer study on data breach notification.

2011 was the 12th consecutive year that identity theft topped the list of FTC consumer complaints. Florida had the highest rate of complaints, followed by Georgia and California. Rank State Complaints per 100,000 population 1 Florida 179 2 Georgia 120 3 California 104 Learn how to detect and manage fraud activity while meeting regulatory requirements. Source: Consumer info.com infographic and FTC's Consumer Sentinel Network Data Book for January-December 2011.

The Consumer Financial Protection Bureau (CFPB) now has the ability to write and enforce 18 consumer protection laws that guide financial products and services. The new regulator has signaled the following issues as priorities: Clarity on how credit scores affect lender decisions: Beginning July 21, 2011, lenders were required to disclose the credit score that they used in all risk-based pricing notices and adverse action notices Shorter and simpler consumer disclosure forms: One of the first priorities is to make the terms and conditions associated with purchasing a mortgage or applying for a credit card shorter and clearer Enforcing the Fair Debt Collection Practices Act: The CFPB will enforce the Fair Debt Collection Practices Act and review current debt collector practices Learn more about the CFPB  

This is last question in our five-part series on the FFIEC guidance on what it means to Internet banking, what you need to know and how to prepare for the January 2012 deadline.   Q: How are organizations responding? Experian estimates that less than half of the institutions impacted by this guidance are prepared for the examinations.   Many of the fraud tools in the marketplace, particularly those that are used to authenticate individuals were deployed as point-solutions.  Few support the need for a feedback loop to identify vulnerabilities, or the ability to employ a risk-based, “layered” approach that the guidance is seeking. _____________ This is the last of our five-part series but we're happy to answer more questions as we know you need to know how to prepare for the January 2012 deadline.    

This is fourth question in our five-part series on the FFIEC guidance and what it means Internet banking. Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline.  If you missed parts 1-3, there's no time to waste, check them out here: Go to question one: What does “multi-factor” authentication actually mean? Go to question two: Who does this guidance affect?  And does it affect each type  of credit grantor/ lender differently? Go to question three: What does “layered security” actually mean? Today's Q&A: What will the regulation do to help mitigate fraud risk in the near-term, and long-term? The FFIEC’s guidance will encourage financial institutions to re-examine their processes. The guidance is an important reinforcement of several critical ideas: Fraud losses undermine faith in our financial system by exposing vulnerabilities in the way we exchange goods, services and currencies. It is important that members of the financial services community understand their role in protecting our economy from fraud. Fraud is not the result of a static set of tactics employed by criminals. Fraud tactics evolve constantly and the tools that combat them have to evolve as well.   Considering the impact that technology is having on commerce, it is more important than ever to review the processes that we once thought made our businesses “safe.” The architecture and flexibility of fraud prevention “capabilities” is a weapon unto itself. The guidance provides a perspective on why it is important to be able to understand the risk and to respond accordingly. At the end of the day, the guidance is less about a need to take a specific action---and more about the “capability” to recognize when those actions are needed, and how they should be structured so that high-risk actions are met with strong and sophisticated defenses. _____________ Look for part five, the final in our series tomorrow. 

  This is third question in our five-part series on the FFIEC guidance and what it means Internet banking.  If you missed the firstand second question, you can still view - our answer isn't going anywhere.  Check back each day this week for more Q&A on what you need to know and how to prepare for the January 2012 deadline. Question: Who does this guidance affect? And does it affect each type of credit grantor/ lender differently? The guidance pertains to all financial institutions in the US that fall under the FFIEC’s influence. While the guidance specifically mentions authenticating in an on-line environment, it’s clear that the overall approach advocated by the FFIEC applies to authentication in any environment. As fraud professionals know, strengthening the defenses in the on-line environment will drive the same fraud tactics to other channels. The best way to apply this guidance is to understand its intent and apply it across call centers and in-person interactions as well. _____________ Look for part four of our five-part series tomorrow.  If you have a related question that needs an answer, submit in the comments field below and we'll answer those questions too.  Chances are if you are questioning something, others are too - so let's cover it here!  Or, if you would prefer to speak with one of our Fraud Business Consultants directly, complete a contact form and we'll follow up promptly.