Stop guessing: Identity Theft Prevention Programs Require Consistency

Published: November 20, 2008 by Keir Breitenfeld

I’m working with many of our clients in reviewing their existing or evolving Red Flags Identity Theft Prevention Programs. While the majority of them appear to be buttoned up from the perspective of identifying covered accounts and applicable Red Flag conditions, as well as establishing detection methodologies, I often still see too much subjectivity in their response and reconciliation procedures.

Here are a few reasons why the “response” portion of a strong Red Flags Identity Theft Prevention program needs to employ consistent and objective process, decisioning, and actions:

1.Inconsistent or subjectively varied responses and actions greatly reduce the ability to measure process effectiveness over time. It becomes increasingly difficult for retro-analysis to identify which processes and specific steps in those processes were successful in either positively or negatively reconciling potential fraudulent activity. Subsequently, it clouds any ability to make effective or necessary changes to specific activities that may not be working well.

2.Examiners may focus heavily on the response portion of your program. During operational side by sides, or even written program reviews, the less ambiguity and inconsistency identified or perceived, the better. A quick rule of thumb for any examination: preempt any questions with exhaustive information and clarity. Examiners that don’t need to ask many, or any, questions are happy examiners.

3.Objective and consistent process allows for more manageable staff training. It is much easier to educate your staff around a justified and effective uniform process than around intuitive and haphazard procedures and consumer interactions. It is tough to set expectations with your staff if there are gaping holes in the activities they are expected to execute.

4.Customer experience will certainly be more positive, and less of a worry for managers, as inequity of treatment is removed from the equation. It is better to have each customer progress through similar steps toward authentication than varied ones from the perspective of time, perception, effectiveness, and convenience. Now, certainly, a risk-based approach allows for varied treatment based on that risk. The point here is more toward the need to apply those varied techniques consistently.

5.Social engineering. Fraudsters are pretty good at figuring out if an operational process is open to interpretation and manipulation. They’ll continue to engage in a process with the goal of landing with the right associate who may be following a more easily penetrable fraud detection method. Bottom line: keep the walls around your business the same height throughout.

Until next time, best of luck as you continue to develop and improve your Red Flags programs.