Fraudsters seek out institutions that have weaknesses in their fraud defenses. Once they find these institutions, they capitalize on their opportunities to launder and steal money until the institutions detect them and reinforce their defenses. This may stop the fraudsters temporarily, but unfortunately, not permanently.
Free money is a powerful motivator, which is why fraudsters refuse to be deterred. Their working philosophy is, “when one door closes, another door opens.” They will search the universe of financial institutions for new weaknesses to exploit. In Kevari’s experience, the most vulnerable financial institutions are those that are:
- Underestimating their fraud risk – Not prioritizing fraud-detection because they may be unaware of the scope of their fraud problem
- Distracted by digital transformation – Unwittingly creating access points for fraudsters as they race through the digital transformation process in an effort to remain competitive and enhance customer experiences
- Not collaborating – Missing obvious fraud by not sharing identity- and fraud-related data, insights, and activities because of siloed organizational structures and disparate fraud solutions
It’s hard to imagine that any institution would still be underestimating their fraud problem – but it does happen. When Kevari provides institutions with retrospective data studies to show the number of account takeover or new-account fraud schemes that could have been thwarted with data, analytics, and collaboration, institutions are often shocked at the incidence rate. They also have to come to terms with the fact that the incidence rate in their digital channels is upward of 10x higher than in the branch.
Consumers want to handle their banking digitally, but the quest to empower consumers has created a whole new set of problems when it comes to proving identity. Fraudsters have found ways to trick many of the traditional identity verification methods because they have access to consumers’ personal identifying information, answers to out-of-wallet questions, secret password hints, and contact information. As we look at our data, we can see that fraudsters are using Social Security numbers, addresses, emails, and phone numbers – repeatedly, and varying combinations – across multiple institutions for both account takeover and new-account fraud.
In short, fraudsters are getting their money’s worth from every identity they steal, manufacture, or buy from the dark web. And it’s only going to get worse.
Record-setting number of data compromises
According to a report by the Identity Theft Resource Center, the number of data compromises in the first half of 2021 made up 76 percent of 2020’s total compromises. The report warns that if the current pace of compromises continues, 2021 will end with a record-setting number of compromises, exceeding the current highwater mark of 1,632 set in 2017.
With more data available with which to commit identity-related fraud schemes, financial institutions must continue to improve the sophistication of their identity verification approaches. Most fraud rings have automated their criminal activity, so when they hit roadblocks, they can quickly evolve their strategies and technologies. To prevent financial write-offs, customer loss, and reputational damage, institutions must go well beyond an identity verification approach that simply satisfies the minimal Know Your Customer requirements.
Coordinated identity management is needed
The best-practices approach to proving identity is an automated, adaptive, identity-management system. These systems are designed to be the centralized information hub for the multiple technologies needed for enterprise-wide, cross-network, cross-channel identity management. Identity-management systems are absolutely necessary – and in fact, easier to implement – now that most banking transactions take place digitally.
But financial institutions still have a long way to go in building such systems. The lack of automation in verifying identity is currently problematic for 53% of U.S. and Canadian banks, according to respondents of FICO’s Banking Survey 2020. To help remedy the problem, a full three-fourths say they are planning to invest in an identity-management platform within the next three years.
The FICO report goes on to say that “the resulting more integrated and strategic approach to identity proofing and identity authentication means banks will be able to meet customer expectations and deliver consistently positive digital banking experiences across online channels.” However, what is not mentioned is that three years is an eternity in “fraud time.” The pace with which fraudsters evolve their tactics is dizzying.
With fraud incidents and losses already soaring, waiting even a year or two is risky. Just recently, Javelin Strategy & Research announced that 2020 combined identity fraud losses for consumers and businesses reached $56 billion. Fraudsters cunningly extracted billions of monetary and non-monetary data attributes from consumers, most of which will now be repeatedly used in fraud schemes for years to come.
Customer relationships are on the line
Much is at stake each time a fraudster or organized fraud ring capitalizes on a weakness in your fraud defenses, including loss of business. A study by Aite Group found that 12% to 13% of consumers are unlikely to do future business with financial institution where a checking account, credit card, or loan was opened in their name – even when the consumer claims to have been satisfied with the assistance provided by the institution.
“However, among those who were dissatisfied with the assistance provided to them, between 42% (credit card) and 56% (consumer loan) of consumers are unlikely to do business with the FI in the future, depending on the type of account involved,” writes Aite researcher Shirley Inscoe in the study report.
Customers will also leave after an account takeover incident, according to the study, especially if it is the customer who discovers the fraud first. They feel a loss of confidence that is difficult to overcome. To help ensure that the institution detects account takeover attempts quickly, Kevari has jointly developed solutions with Fiserv and FIS that assess the likely fraud risk of profile changes (email, address, phone number) in real time.
What to do next
Because of the magnitude of current identity fraud problems, institutions must resist pushing a centralized fraud-detection strategy to the back burner while they focus on putting out today’s fires. Institutions of all sizes must continue their work to:
- Create a multi-layered approach to detecting identity-related fraud attacks and schemes. Fraudsters will continue to adapt their methods and technologies to find new weaknesses in your defenses. If they breach the outer-most perimeter of your defenses, you need to make sure they don’t breach the next one, or the next one.
- Design an automated, enterprise-wide system that hosts multiple solutions and allows sharing of data and insights across channels, products, and departments to thwart fraud holistically.
- Challenge-test your fraud defenses continuously. You should find any weaknesses before the fraudsters do.
- Know the fraud-solution providers in the marketplace and understand what they offer. If you – or fraudsters – identify a gap in your defenses, you’ll need to know who you can call to quickly implement new protections.