When a client is selecting questions to use, Knowledge Based Authentication is always about the underlying data – or at least it should be. The strength of Knowledge Based Authentication questions will depend, in large part, on the strength of the data and how reliable it is. After all, if you are going to depend on Knowledge Based Authentication for part of your risk management and decisioning strategy, the data had better be accurate. I’ve heard it said within the industry that clients only want a system that works and that they have no interest in where the data originates. Personally, I think that opinion is wrong.
I think it is closer to the truth to say there are those who would prefer that clients didn’t know where the data that supports their fraud models and Knowledge Based Authentication questions originates, and I think those people “encourage” clients not to ask. It isn’t a secret that many within the industry use public record data as the primary source for their Knowledge Based Authentication products, but what’s important to consider is just how accessible that public record information is. Think about that for a minute. If a vendor can build questions on public record data, can a fraudster find the answers in public record data via an online search?
Using Knowledge Based Authentication for fraud account management is a delicate balance between customer experience/relationship management and risk management. Because it is so important, we believe in research – reading the research of well-known and respected groups like Pew, Tower, Javelin, etc., and doing our own research. Based on our research, I know consumers prefer questions that are appropriate and relevant to their activity. In other words, if the consumer is engaged in a credit-granting activity, it may be less appropriate to ask questions centered on personal associations and relatives. Questions should be difficult for the fraudster, but not difficult or perceived as inappropriate or intrusive by the true consumer. Additionally, I think questions should be applicable to many clients and many consumers. The question set should use a mix of data sources: public, proprietary, non-credit, credit (if permissible purpose exists) and innovative.
Is it appropriate to have in-depth data discussions with clients about each data source? Debatable. Is it appropriate to ensure that each client has an understanding of the questions they ask as part of Knowledge Based Authentication and where the data that supports those questions originates? Absolutely.