Tag: risk assessment

This article was updated on February 12, 2024. The Buy Now, Pay Later (BNPL) space has grown massively over the last few years. But with rapid growth comes an increased risk of fraud, making "Buy Now, Pay Never" a crucial fraud threat to watch out for in 2024 and beyond. What is BNPL? BNPL, a type of short-term financing, has been around for decades in different forms. It's attractive to consumers because it offers the option to split up a specific purchase into installments rather than paying the full total upfront. The modern form of BNPL typically offers four installments, with the first payment at the time of purchase, as well as 0% APR and no hidden fees. According to an Experian survey, consumers cited managing spending (34%), convenience (31%), and avoiding interest payments (23%) as main reasons for choosing BNPL. Participating retailers generally offer BNPL at point-of-sale, making it easy for customers to opt-in and get instantly approved. The customer then makes a down payment and pays off the installments from their preferred account. BNPL is on the rise The fintech and online-payment-driven world is seeing a rise in the popularity of BNPL. According to Experian research, 3 in 4 consumers have used BNPL in 2023, with 11% using BNPL weekly to make purchases. The interest in BNPL also spans generations — 36% of Gen Z, 43% of Millennials, 32% of Gen X, and 12% of Baby Boomers have used this payment method. The risks of BNPL While BNPL is a convenient, easy way for consumers to plan for their purchases, experts warn that with lax checkout and identity verification processes it is a target for digital fraud. Experian predicts an uptick in three primary risks for BNPL providers and their customers: identity theft, first-party fraud, and synthetic identity fraud. WATCH: Fraud and Identity Challenges for Fintechs Victims of identity theft can be hit with charges from BNPL providers for products they have never purchased. First-party and synthetic identity risks will emerge as a shopper's buying power grows and the temptation to abandon repayment increases. Fraudsters may use their own or fabricated identities to make purchases with no intent to repay. This leaves the BNPL provider at the risk of unrecoverable monetary losses and can impact the business' risk tolerance, causing them to narrow their lending band and miss out on properly verified consumers. An additional risk lies with fraudsters who may leverage account takeover to gain access to a legitimate user's account and payment information to make unauthorized purchases. READ: Payment Fraud Detection and Prevention: What You Need to Know Mitigating BNPL risks Luckily, there are predictive credit, identity verification, and fraud prevention tools available to help businesses minimize the risks associated with BNPL. Paired with the right data, these tools can give businesses a comprehensive view of consumer payments, including the number of outstanding BNPL loans, total BNPL loan amounts, and BNPL payment status, as well as helping to detect and apply the relevant treatment to different types of fraud. By accurately identifying customers and assessing risk in real-time, businesses can make confident lending and fraud prevention decisions. To learn more about how Experian is enabling the protection of consumer credit scores, better risk assessments, and more inclusive lending, visit us or request a call. And keep an eye out for additional in-depth explorations of our Future of Fraud Forecast. Learn more Future of Fraud Forecast

Previously, we discussed the risks of account takeover and how a Defense in Depth strategy can protect your business. Before implementation it’s important to understand the financial benefits of the strategy. There are a few key steps to assessing and quantifying the value of Defense in Depth. Transaction risk assessment: This requires taking inventory of all possible transactions. Session-level risk analysis: With the transactions categorized by risk level, the next step is to review session history based on the highest risk activity within the session. Quantify the cost of a challenge: There are multiple costs associated with challenging a user using step-up authentication. Consider both direct and indirect costs – failure rate, contact center operational cost, and attrition rate following failed challenges (consider lifetime value of account) Quantify the expected challenge rate: This can be done by comparing the Defense in Depth approach to a traditional approach. Below is a calculator that will help determine the cost of the reduced challenges associated with a Defense in Depth strategy versus a traditional strategy. initIframe('5f039d2e4c508b1b0aafa4bd'); In addition to the quantitative benefits, it is important to consider some of the qualitative benefits of this approach: Challenging at moments that matter: Customers appreciate and expect protection in online banking, especially when moving money externally or updating contact information. This is a great way to achieve both convenience and security. Improved fraud management: By staging the risk decision at the transaction level, the business can balance the type of challenge with the transaction risk. There are incremental cost considerations to include in the business case as well. For instance, there is an increase in transaction calls for a risk assessment at the medium/high risk transactions – about 10% in the example above. Generally, the increased transaction cost is more than offset by the reduction in cost of challenges alone. A Defense in Depth strategy can help businesses manage fraud risk and prevent account takeover in online banking without sacrificing user experience. If you are interested in assistance with building your business case and understanding the strategies to implement a successful Defense in Depth strategy, contact us today. Contact us 1Identity Fraud in the Digital Age, Javelin Strategy & Research, September 2020

Preventing account takeover (ATO) fraud is paramount in today’s increasingly digital world. In this two-part series, we’ll explore the benefits and considerations of a Defense in Depth strategy for stopping ATO. The challenges with preventing account takeover Historically, managing fraud and identity risk in online banking has been a trade-off between customer experience and the effectiveness of fraud controls. The basic control structure relies on a lock on the front door of online banking front door—login—as the primary authentication control to defend against ATO. Within this structure, there are two choices. The first is tightening the lock, which equals a higher rate of step-up authentication challenges and lower fraud losses. The second is loosening the lock, which results in a lower challenge rate and higher fraud loses. Businesses can layer in more controls to reduce the false positives, but that only allows marginal efficiency increases and usually represents a significant expense in both time and budget to add in new controls. Now is the perfect time for businesses reassess their online banking authentication strategy for a multitude of reasons: ATO is on the rise: According to Javelin Strategy & Research, ATO increased 72% in 2019.1 Users’ identities and credentials are at more risk than ever before: Spear phishing and data breaches are now a fact of life leading to reduced effectiveness of traditional authentication controls. Online banking enrollments are on the rise: According to BioCatch, in the months following initial shelter-in-place orders across the country, banks have seen a massive spike in first time online banking access. Users expect security in online banking: Half of consumers continue to cite security as the most important factor in their online experience. Businesses who reassess the control structure for their online banking will increase the effectiveness of their tools and reduce the number of customers challenged at the same time – giving them Defense in Depth. What is Defense in Depth? Defense in Depth refers to a strategy in which a series of defense mechanisms are layered in order to protect data and information. The basic assumptions underlying the value of a Defense in Depth strategy are: Different types of transactions within online banking have different levels of inherent risk (e.g., external money movement is considerably higher risk compared to viewing recent credit card transactions) At login, the overall transaction risk associated with the session risk is unknown The risk associated with online banking is concentrated in relatively small populations – the vast majority of digital transactions are low risk This is the Pareto principle at play – i.e., about 80% of online banking risk is concentrated within about 20% of sessions. Experian research shows that risk is even more concentrated – closer to >90% of the risk is concentrated in <10% of transactions. This is relatively intuitive, as the most common activities within online banking consist of users checking their balance or reviewing recent transactions. It is much less common for customers to engage in higher risk transaction. The challenge is that businesses cannot know the session risk at the time of challenge, thus their efficiency is destined to be sub-optimal. The benefits of Defense in Depth A Defense in Depth strategy can really change the economics of an online banking security program. Adopting a strategy that continuously assesses the overall session risk as a user navigates through their session allows more efficient risk decisions at moments that matter most to the user. With that increased efficiency, businesses are better set up to prevent fraud without frustrating legitimate users. Defense in Depth allows businesses to intelligently layer security protocols to protect against vulnerability – helping to prevent theft and reputational losses and minimize end-user frustration. In addition to these benefits, a continuous risk-based approach can have lower overall operational costs than a traditional security approach. The second part of this series will explore the cost considerations associated with the Defense in Depth strategy explored above. In the meantime, feel free to reach out to discuss options. Contact us 1Identity Fraud in the Digital Age, Javelin Strategy & Research, September 2020

In 2015, U.S. card issuers raced to start issuing EMV (Europay, Mastercard, and Visa) payment cards to take advantage of the new fraud prevention technology. Counterfeit credit card fraud rose by nearly 40% from 2014 to 2016, (Aite Group, 2017) fueled by bad actors trying to maximize their return on compromised payment card data. Today, we anticipate a similar tsunami of fraud ahead of the Social Security Administration (SSA) rollout of electronic Consent Based Social Security Number Verification (eCBSV). Synthetic identities, defined as fictitious identities existing only on paper, have been a continual challenge for financial institutions. These identities slip past traditional account opening identity checks and can sit silently in portfolios performing exceptionally well, maximizing credit exposure over time. As synthetic identities mature, they may be used to farm new synthetics through authorized user additions, increasing the overall exposure and potential for financial gain. This cycle continues until the bad actor decides to cash out, often aggressively using entire credit lines and overdrawing deposit accounts, before disappearing without a trace. The ongoing challenges faced by financial institutions have been recognized and the SSA has created an electronic Consent Based Social Security Number Verification process to protect vulnerable populations. This process allows financial institutions to verify that the Social Security number (SSN) being used by an applicant or customer matches the name. This emerging capability to verify SSN issuance will drastically improve the ability to detect synthetic identities. In response, it is expected that bad actors who have spent months, if not years, creating and maturing synthetic identities will look to monetize these efforts in the upcoming months, before eCBSV is more widely adopted. Compounding the anticipated synthetic identity fraud spike resulting from eCBSV, financial institutions’ consumer-friendly responses to COVID-19 may prove to be a lucrative incentive for bad actors to cash out on their existing synthetic identities. A combination of expanded allowances for exceeding credit limits, more generous overdraft policies, loosened payment strategies, and relaxed collection efforts provide the opportunity for more financial gain. Deteriorating performance may be disguised by the anticipation of increased credit risk, allowing these accounts to remain undetected on their path to bust out. While responding to consumers’ requests for assistance and implementing new, consumer-friendly policies and practices to aid in impacts from COVID-19, financial institutions should not overlook opportunities to layer in fraud risk detection and mitigation efforts. Practicing synthetic identity detection and risk mitigation begins in account opening. But it doesn’t stop there. A strong synthetic identity protection plan continues throughout the account life cycle. Portfolio management efforts that include synthetic identity risk evaluation at key control points are critical for detecting accounts that are on the verge of going bad. Financial institutions can protect themselves by incorporating a balance of detection efforts with appropriate risk actions and authentication measures. Understanding their portfolio is a critical first step, allowing them to find patterns of identity evolution, usage, and connections to other consumers that can indicate potential risk of fraud. Once risk tiers are established within the portfolio, existing controls can help catch bad accounts and minimize the resulting losses. For example, including scores designed to determine the risk of synthetic identity, and bust out scores, can identify seemingly good customers who are beginning to display risky tendencies or attempting to farm new synthetic identities. While we continue to see financial institutions focus on customer experience, especially in times of uncertainty, it is paramount that these efforts are not undermined by bad actors looking to exploit assistance programs. Layering in contextual risk assessments throughout the lifecycle of financial accounts will allow organizations to continue to provide excellent service to good customers while reducing the increasing risk of synthetic identity fraud loss. Prevent SID

This week, Experian released a new version of our CrossCore® digital identity and fraud risk platform, adding new tools and functionality to help businesses quickly respond to today’s emerging fraud threats. The ability to confidently recognize your customers and safeguard their digital transactions is becoming an increasing challenge for businesses. Fraud threats are already rising across the globe as fraudsters take advantage of the global health crisis and rapidly shifting economic conditions. CrossCore combines risk-based authentication, identity proofing and fraud detection into a single cloud platform, which means businesses can more quickly respond to an ever-changing environment. And with flexible decisioning orchestration and advanced analytics, businesses can make real-time risk decisions throughout the customer lifecycle. “Now more than ever, businesses need to lean on capabilities and technology that will allow them to rapidly respond in these challenging times, increase identity confidence in every transaction, and provide a safe and convenient experience for customers,” said E.K. Koh, Experian’s Senior Vice President of Global Identity & Fraud Solutions in a recent press release. “This new CrossCore release enables businesses to easily leverage best-in-class, pre-integrated identity and fraud services through simple self-service.” This new version of CrossCore features a cloud architecture, modern user interface, progressive risk assessments, faster response times, self-service workflow configuration, and a transactional volume reporting dashboard. These enhancements give you a simpler way to manage how backing applications are utilized, allow you to analyze key performance indicators in near real-time, and empower you to catch more fraud faster - without impacting the customer experience. “Recent Aite Group research shows that many banks have seen digital channel usage increase 250% in the wake of the pandemic, so ensuring a seamless and safe customer experience is more important than ever,” said Julie Conroy, Research Director at Aite Group. “Platforms such as CrossCore that can enable businesses to nimbly respond to changing patterns of customer behavior as well as rapidly evolving attack tactics are more important than ever, as financial services firms work to balance fraud mitigation with the customer experience.” CrossCore is the first identity and fraud platform that enables you to connect, access, and orchestrate decisions across multiple solutions. With the newest version, Experian enhances your ability to consolidate numerous fraud risk signals into a single, holistic assessment to improve operational processes, stay ahead of fraudsters, and protect your customers. Read Press Release Learn More About CrossCore