Topics

By: Kennis Wong When we think about fraud prevention, naturally we think about mininizing fraud at application. We want to ensure that the identities used in the application truly belong to the person who applies for credit, and not identity theft. But the reality is that some fraudsters do successfully get through the defense at application. In fact, according to Javelin’s 2011 Identity Fraud Survey Report, 2.5 million accounts were opened fraudulently using stolen identities in 2010, costing lenders and consumers $17 billion. And these numbers do not even include other existing account fraud like account takeover and impersonation (limited misusing of account like credit/debit card and balance transfer, etc.). This type of existing account fraud affected 5.5 million accounts in 2010, costing another $20 billion. So although it may seem like a no brainer, it’s worth emphasizing that we need to have fraud account management system and continue to detect fraud for new and established accounts. Existing account fraud is unlikely to go away any time soon.  Lending activities have changed significantly in the last couple of years. Origination rate in 2010 is still less than half of the volume in 2008, and booked accounts become riskier. In this type of environment, when regular consumers are having hard time getting new credits, fraudsters are also having hard time getting credit. So they will switch their focus to something more profitable like account takeover. In addition to application fraud, does your organization have appropriate tools and decisioning strategy to minimize fraud loss from existing account fraud?  

The next time a consumer asks about his or her credit score, consider it an opportunity. Recent changes to the Risk-Based Pricing (RBP) rule may provide new opportunities to strengthen relationships by educating consumers about what their credit scores mean, how they’re used, and how they can be improved. For many lenders and other businesses, this could be the first time they’ve had a chance to speak directly and openly with customers about their credit scores. The RBP rule is intended to improve financial literacy As we’ve discussed, the Risk-Based Pricing Rule was instituted in response to policymaker concerns that consumers were not being sufficiently informed of the impact that credit reports can have on their annual percentage rate (APR). Now, when a lender makes a credit decision based on a consumer credit report and does not offer the best possible rate, or denies credit, the RBP Rule requires lenders to notify the customer about the decision – through either an explanation of the rate offered or disclosing a credit score. New requirements take effect on July 21 RBP compliance is changing following recent passage of the Dodd-Frank Wall Street Reform and Consumer Protection Act. Companies will now be required to provide all customers with a credit score within a Risk Based Pricing Notice, along with educational material. The new requirement is effective July 21, 2011. This is also the date when the new Bureau of Consumer Financial Protection (CFPB) is set to be fully operational. How to prepare for consumer questions about credit scores Experian offers a number of resources to help lenders answer consumer questions. Online resources, including the Ask Experian column and our extensive Credit Education section, provide fundamental information to help consumers better understand credit scores and credit reports. The Experian Credit Score Basics booklet, plus more than 20 other educational documents, are available electronically and formatted for easy printing and distribution. All documents, PowerPoint presentations, virtual seminars and education videos are available on a free mini-disk. Customized training and education is available The Experian Public Education team can also provide customized, live Internet-based training and education for our clients’ employees to help them effectively answer customer questions about credit reports and credit scores. For a free mini-disk or more information about training events, please contact Rod Griffin, Experian’s Director of Public Education, at 1 (972) 390-3528, or email clientcorner@experian.com. Take a moment to check out our Risk-Based Pricing microsite, too. Note: While Experian is happy to provide our observations related to the new Risk-Based Pricing Rule, please work with your own legal counsel to ensure that you comply with your obligations under the rule.

By: Kristan Frend Small business owners appear to be lucrative targets for identity fraud perpetrators, alarming banking institutions, payment processors, and B2B service providers. According to Javelin’s 2011 Small Business Owners (SMBO) Identity Fraud report, the cost of fraud and identity theft “hit SMBO constituents particularly hard. Javelin research uncovered what was previously an undocumented cost to the industry of $5 billion as a direct result of this fraud. In addition, financial institutions (FIs) lost over $590 million in clients and revenue opportunities over a five‐year period.” Additionally, the report indicated that small business owners mean fraud amount is about 5% higher than that for all consumers ($4,851 vs. $4,607). Even more alarming was the fact that the SMBO’s mean victim cost is 150% higher than consumer costs ($1,574 vs. $631). So what does all of this mean? If you’re a small business lender or service provider, having a robust multi-layered SMBO fraud prevention program in place is essential for client retention and avoiding reputational risk.   You can take control of the situation with more proactive fraud prevention strategies which will improve your relationships with SMBO customers and save them (and you) money in the long run.

By: Staci Baker It seems like every time I turn on the TV there is another natural disaster. Tsunami in Japan, tornadoes and flooding in the Mid-West United States, earthquakes and forest fires – everywhere; and these disasters are happening worldwide. They are not confined to one location. If a disaster were to happen near any of your offices, would you be prepared? Living in Southern California, this is something I think of often. Especially, since we are supposed to have had “the big one” for the past several years now. When developing a preparedness plan for a company, there are several things to take into consideration. Some are obvious, such as how to keep employees safe, developing steps for IT  to take to ensure data is protected , including an identity theft prevention program, and establishing contingency business plans in case a disaster directly hits your business and doors need to remain closed for several days, weeks, or …. But, what about the non-obvious items that should be included in a disaster preparedness plan? When a natural disaster hits, there is an increase in fraud. So much so, that after Hurricane Katrina battered the Gulf, the Hurricane Katrina Fraud Task Force, now known as the National Center for Disaster Fraud, was created. In addition to the items listed above, I recommend including the following. Create a plan that will put fraud alerts in place to minimize fraud.  Fraud alerts are not just to notify your clients when there is fraudulent activity on their accounts. Alerts should also be put in place to let you know when there is fraudulent activity within your own business as well. Depending on the type of disaster, delinquency rates may increase, since borrower funds may be diverted to other needs. Implement a disaster collections strategy, which may include modifying credit terms, managing credit risk, and loan loss provisioning. Although these are only a few things to be considered when developing a disaster preparedness plan, I hope it gets you thinking about what your company needs to do to be prepared. What are some things you have already done, or that are on your to do list to prepare your company for the next big event that may affect you?

It seems as though every day the news headlines trumpet another high-profile data breach.  The most recent marquee breach is courtesy of a Sony PlayStation Network hacker, whose attack on the Sony and Qriocity servers between April 17th and 19th have compromised the personal data and, possibly, stored credit card information of 77 million players.  (Yes, you read that right; 77 million.)  Combine that with other recent cyber-heists affecting millions of unsuspecting consumers or residents, and many organizations have been forced to send out a dizzying array of email notifications to their customer base, many – if not all – of whom are now vulnerable to spear-phishing attacks. With numerous different breaches affecting so many people as of late, millions of consumers are receiving emails from trusted brands noting that customer emails (and perhaps other information) have been compromised, so consumers should be wary of future emails that may appear to be sent from them…like the one they’re reading now. Got that? This begs the question of whether customers are starting to tune out to the onslaught of breach alerts flooding their email in-boxes. Some security gurus believe that notifications aren’t effective and customers become numb to these alerts.  Others are convinced that breach information overload is a good thing, educating people to the dangers lurking in the cybershadows and their vulnerability to identity thieves.  After all, how do you know to watch out for email “bait” if you’re not aware there’s a phishing hook with your name on it? Furthermore, the flip side of over-notification is under-notification.  This is something that Sony is now being accused of in a lawsuit that claims the company waited too long to notify its PlayStation customers of the recent breach, which only exacerbated customer vulnerability to credit card fraud. The irony is that while the dramatic breaches of late have been stealing headlines (as well as data), a 2011 Data Breaches Investigations Report by Verizon indicates that total thefts from data breaches have in fact declined significantly over the past few years.  The total number of records actually compromised from these breaches was a “mere” 4 million in 2010, quite a drop from the 144 million records compromised in 2009, and the 361 million compromised records in 2008.  The bad news?  If you look at actual data breaches versus compromised records, the numbers this year are up; 760 breaches last year, an increase from 141 in 2009. The bottom line: while fraudsters haven’t been able to recently score as much cyber-loot as in times past, this is no time to relax. Just be aware that with the steep increase in breaches comes an equally steep increase in breach notifications, and the associated risk that breach notification fatigue will put your customers to sleep. Learn more about our Data Breach solutions

Unless you’ve been hiding under a rock, you are undoubtedly aware that the 4G ship has sailed into port. The 4G network is a completely different technology as compared to 3G, the network it is replacing. 3G was fast, but 4G will set the world on fire. It’s kind of like the difference between a farm tractor and a Lamborghini. Rather than just being able to check email and (slowly) surf the net (as with 3G), 4G users will be able to watch live television and rip through online content like nobody’s business. So what does this mean for communications companies? Change device, change carrier? The big question for wireless providers is whether or not customers will change carriers as they upgrade to new, 4G-supported devices. The simple answer is, it depends. Customers who are currently under contract will not likely jump ship for the simple fact that it will cost too much. For example, let’s say I want to upgrade five devices. I can probably buy these less expensively by changing carriers (due to attractive introductory offers). However, if I have to cancel three contracts prior to term end to do it, it may cost me upwards of $1,000—probably more than I can save by changing carriers. For customers who are at the end of a contract term, upgrading to 4G presents a golden opportunity to change providers, if that’s something they’ve been considering. Wireless providers will obviously need to contact these customers well before their contracts are up and make them an offer they simply can’t refuse. Other concerns for wireless providers Obviously, key players in the market have invested a significant amount of money to develop the 4G infrastructure, and sooner or later they’re going to want to recoup those costs. Introductory offers will motivate many to upgrade to 4G, but will all these new/upgrade customers be able to pay the higher monthly bills that will likely come with their new 4G devices? While locking in all these new contracts will positively affect sales quotas, it will be more important than ever to assess these customers’ cash flow situations and credit-worthiness, so they don’t end up negatively affecting the bottom line. Concerns for other telecommunications companies One other interesting aspect to consider is this: With a 4G device, consumers can effectively create their own “hot spot.” So the question is, just as many people are dropping their landlines in favor of wireless, will 4G device users decide to drop their Internet providers? How about their cable television service? I intend to revisit this topic in 3-6 months to see whether early 4G adopters are in fact jumping to different carriers and/or dropping other services. What do you think might happen as 4G becomes the new normal? Leave a comment and share your thoughts.

Last week I attended the Merchant Risk Council’s 2011 MRC Annual e-Commerce Payments & Risk Conference.  I presented a session titled “Efficiency and Empowerment in Risk-based Authentication” with a client who has been able to use knowledge based authentication as a sales enabler - Home Shopping Network.  You might be wondering what I mean by this.  It is actually pretty simple:  Home Shopping Network already has a fraud prevention program in place and utilizes risk based authentication to send a percentage of orders to an outsort queue.  By using knowledge based authentication to further verify the true consumer, Home Shopping Network has been able to release an increased portion of those orders for shipping, increasing both revenue and the customer experience.  The paradigm shift was thinking of knowledge based authentication as a sale enabler, rather than just a fraud tool.  It was a great experience, to help share the story of this client’s success.   If you are interested in the Merchant Risk Council:  The Merchant Risk Council (MRC) is a merchant-led trade association focused on electronic commerce risk and payments.  They lead industry networking, education, benchmarking and advocacy programs to make electronic commerce more efficient, safe and profitable. For more information on the Home Shopping Network, visit: http://www.hsn.com

By: Kristan Frend I was recently pleased to see that the state I reside in, Minnesota finished in the bottom third of a state ranking.  Luckily the rankings weren’t about overall health (#6), high school graduation (#3), or SAT scores (#2); instead it was the Federal Trade Commission’s state identity theft complaint ranks.  Minnesota has just 49.2 complaints per 100,000 population, whereas the highest ranked state, Florida, as 114.8 complaints per 100,000 population.   The top three states leading identity theft consumer complaints (per 100,000 population) included Florida, Arizona, and California.   Besides warm sunshine and top-tier golf courses, what do these three states have in common?  According to the February 2011 RealtyTrac U.S. Foreclosure Market Report™, all three rank in the top 5 states for foreclosure, and two of the three (Florida and California) rank #49 and #50 in unemployment rates, according to a March 2011 report released by the Bureau of Labor Statistics.    On a national level unemployment rates and identity fraud incidence rates both improved from 2009 to 2010.  From 2009 to 2010, unemployment rates went from 10.0% to 9.4% while according to Javelin’s 2010 Annual Identity Fraud Survey Report, identity fraud incidence rates fell from 4.8% to 3.5%.    While it may be inaccurate to state that economic distress causes higher rates of identity fraud, there does seem to be a natural correlation between economic downswings and fraudulent activity.   As we move further into 2011, it will be interesting to see if identity fraud incidence rates will continue to decrease as unemployment and economic outlook is on the upward swing. 

Well, actually, it isn’t. The better question to ask is when to use knowledge based authentication (KBA). I know I have written before about using it as part of a risk based authentication approach to fraud account management, but I am often asked what I mean by that statement. So, I thought it might be a good idea to provide a few more details and give some examples. Basically, what I mean is this: risk segmentation based on binary verification is unwise. Binary verification can occur based on identity elements, or it can occur based on pass/fail performance from out of wallet questions, but the fact remains that the primary decisioning strategy is relying on a condition with two outcomes – verified or not verified, pass or fail – and that is unwise. When we recommend a risk based authentication approach, the view is more broadly based. We advocate using analytics and weighting many factors, including those identity elements and knowledge based authentication performance as part of an overall decision, rather than an as end-all decision. If you take this kind of approach, when might you want to use this kind of approach? The answer to that is just about any time a transaction contains a level of risk, understanding that each organization will have a unique definition and tolerance for “risk”. It could be an origination or account opening scenario, when you do not yet have a relationship with a consumer. It could be in an account management setting, when you have a relationship with the consumer and know their expected behavior (and therefore anything outside of expected behavior is risk). It could be in transactional settings where there is an exchange of money or information belonging to the consumer. All of these are appropriate uses for KBA as part of a risk based approach.

This paraphrased lament from Coleridge’s Rime of the Ancient Mariner may loosely reflect the predicament facing many communications companies today: afloat on vast sea of customer information, yet, lacking resources or expertise, unable to draw from it much new or actionable intelligence. Not that data mining is ever a small or insignificant task. It isn’t. Even when resources are plentiful, obstacles can loom large—especially across numerous lines of business, where risk can multiply exponentially. Siloed data, disparate customer records and other challenges also make the work difficult, as do: The dynamic nature of consumer information Inconsistent data quality and match logic throughout the enterprise The inability to reliably link active and inactive accounts failing to identify existing customer relationships at the point of application The missing link Experian has seen many communications companies overcome these issues through database linking—that is, connecting, integrating and packaging customer information from several sources into a more cohesive and accessible structure. Linking reduces risk by identifying overlap of consumers with multiple accounts across several lines of business. It also reveals duplicate records, as well as active accounts that may be current in one line of business, but delinquent or inactive in another. The benefits The broader perspective gained through database linking can drive new efficiencies and profitability in many vital areas of your business, from fraud prevention to skip tracing and collections. Should the need arise, newly linked information can also be used to locate elusive customers or former employees for legal purposes. What you can do right now Even if resources are currently limited you can still begin discovery—the process of identifying precisely what data you have, where it resides within the enterprise, how it’s being used, and by whom. This information, perhaps combined with guidance from an experienced external service, can provide a solid foundation from which to begin leveraging (and if indicated, supplementing) existing customer data. We know communications clients who have identified millions of dollars in uncollected bad debt that was linked directly to current, active customers, using a couple of “next generation” data tools. Like the old Mariner, your in-house data has a big story to tell. Question is, are you equipped to hear it? If you like this topic, click here to read the post entitled “Leveraging Internal Data to Create a Holistic View of Your Customers.

Application risk management processes for deposits has remained relatively unchanged for decades. Typically, it involves credit bureau data and a secondary check of “debit bureau” data. A “debit bureau” typically gathers information regarding known fraud and compiles a fraud database of perpetrators. Every applicant who passes the credit risk strategies is checked against this database. The challenge is that this process can be very expensive. Among a new class of fraud best practices is the idea of applying fraud models/fraud analytics as a filter upstream from the debit bureau’s fraud database. This practice enables deposit institutions to still identify known fraud and minimize fraud losses on those applicants that carry the highest risk. At the same time, costs are reduced by removing low risk accounts from the debit bureau check.    In addition to reducing costs, these revised acquisition strategies help reduce fraud referral rates while ensuring that application fraud does not increase. As deposit institutions look for ways to significantly reduce costs without suffering additional application fraud, look for the continued emergence of fraud analytics among 2011’s fraud best practices.

By: Kari Michel In January, Experian announced the inclusion of positive rental data from its RentBureau division into the traditional credit file. This is great news for an estimated 50 million underbanked consumers - everyone from college students and recent graduates to immigrants - to build credit with continuous on-time rental payments. With approximately 1/3 of Americans renting, lenders who are using VantageScore will benefit from the inclusion of RentBureau data into the score calculation.  VantageScore from Experian is able to both enhance its predictive ability for those that can already be scored as well as provide scores for those that previously could not be scored. With the inclusion of RentBureau data, 34% of thin file consumers increased their score from an ‘F’ (VantageScore 501 – 599) to a ‘D’ (VantageScore 600 – 699). For those consumers that did not have a prior credit history, 70% of them were able to be scored after the inclusion of RentBureau data into the credit repository.  As a result, fewer consumers will get a “no hit” returned to lenders during a credit inquiry. Lenders will now have a comprehensive understanding of a consumer’s total monthly obligations to assist with offering credit to emerging consumers.

I love a good analogy, and living in Southern California, lately I’ve been thinking a lot about earthquakes, and how lenders might want to start thinking like seismologists when considering the risk levels in their portfolios. Currently, scientists that study earthquakes review mountains of data around fault movement, tidal forces, even animal behavior, all in an attempt to find a concrete predictor of ‘the big one’. Small tremors are inputs, but the focus is on predicting and preparing for the large shock and impact of large earthquakes. Credit risk modeling, conversely, seems to focus on predicting the tremors, (risk scores that predict the risk of individual default) and less so the large-shock risk to the portfolio. So what are lenders doing to forecast ‘the big one’?  Lenders are building sophisticated models that contemplate the likelihood of the big event – developing risk models and econometric models that look at loan repayment, house prices, unemployment rates – all in an attempt to be ahead of the credit version of ‘the big one’.  This type of model and perspective is at a nascent stage for many lenders, but like the issues facing the people of Southern California, preparing for the big-one is an essential part of every lender’s planning in today’s economy.

Exciting research leveraging Experian’s fraud analytics and credit risk modeling are now enabling deposit institutions to understand the impacts of first party fraud and identity theft on their portfolios. Historically, deposit institutions have not considered application fraud to be a major concern and legislation regarding overdraft fees and the opt-in provision for overdraft services will reduce a deposit customer’s ability to spend the bank’s money; however, a determined thief can still: kite checks to commit first party fraud perpetrate an account takeover/identity theft   The result is that deposit institutions will continue to face losses that can be prevented using fraud best practices. The challenge for the institution is knowing whether it is facing first party fraud or identity theft. Increasingly, deposit institutions are turning to Experian to analyze customers that create losses early in the account life cycle in order to make the right modifications to their acquisitions strategies.  Using a combination of fraud analytics built to target specific types of fraud trends, deposit institutions can get a clear picture of the type of behavior that is generating their losses. This type of analysis is quickly climbing the list of fraud best-practices. Armed with the right diagnosis, deposit institutions can respond by prioritizing the right set of fraud alerts.    

By: Kristan Frend Imagine you’re on the #1 ranked relay swim team at the World Championships and you’re leading off. You finish your leg of the race with the team in first place. As your third teammate approaches the wall, your team is in first by a full body length. You’re on pace to set a new world record. Yet the anchor of your team is nowhere to be found, ultimately resulting in your team being disqualified.   If only your fourth teammate would have made it to the blocks in time…. When you take a step back and look at your fraud risk management solutions, do you ever feel like you have all of the tools and processes available yet feel like the anchor is missing? Perhaps it’s time to reexamine your internal resources. You may have an assembly of sophisticated and robust online fraud detection tools from vendors, but you may be missing a critical piece if you’re not also effectively leveraging internal data. Through our work with clients, we’re found that it is not uncommon for organizations to manage the customer relationship through different departments or silos within the organization.   All too often there is less than optimal coordination between these functional areas in taking advantage of their own internal negative data to combat application fraud. Additionally some organizations may have negative internal data but do not incorporate the check within their verification or risk based authentication tool, creating multiple steps and operational inefficiencies. One of the ways to overcome some of these issues is by incorporating internal negative data within an automated front-end check.  Once loss data is loaded into a historical database, the next time that name, phone, address, driver’s license or SSN reappears on a new application, the data element is immediately identified as one associated with a previous loss. The negative data is securely stored for only your organization’s use and is not shared with users outside of your organization.