Roughly 35 million Americans move each year, so evaluating address-change requests can be a challenge for financial institutions. While the majority of change requests are legitimate, the number of fraudulent requests is rising as criminals focus their attention on account takeover (ATO). The problem is getting costly for banks and credit unions.
In a recent Aite Group survey, 43 percent of respondents reported that ATO fraud attempts for demand deposit accounts (DDAs) were up over the past year, and 41 percent said they experienced higher losses in DDAs because of ATO. According to the 2018 Identity Fraud Study by Javelin Strategy & Research, ATO losses have reached $5.1 billion, a 120-percent increase from 2016.
How do you distinguish legitimate address changes from fraudulent ones without causing undue customer friction?
What you DON’T do: Rely on change notification letters
The practice of sending change notification letters to comply with Section 114b of the FACT Act Red Flags Rule does almost nothing to proactively prevent fraud. That’s because, while first class mail is fast, fraudsters are faster. They can liquidate an account in a matter of hours. Additionally, letters often get lost in the clutter. Although they are from the customer’s bank, they are often mistaken for direct mail offers and end up in the trash.
The notification letter process can also create a financial burden for institutions. Postage is costly in itself, but there are additional costs associated with producing letters, handling returned undeliverable mail, losing interchange revenue due to card “holds,” incurring losses and damages associated with fraud, and suffering the reputational loss that comes from needlessly inconveniencing an honest customer.
What you SHOULD do: Identify and pursue the most suspicious changes
Financial institutions concerned about balancing fraud risk and customer friction are using automated approaches to handling address changes.
An automated solution runs behind the scenes, using massive databases and context-aware scoring to assess the riskiness of the address-change request. To significantly reduce operational and investigative expenses, this method uses data-driven intelligence to answer the fundamental question: “Based on all of the information available, does this address change make sense?” If the address change is below a certain risk threshold, then the institution can accept the change without any manual intervention—and satisfy compliance requirements.
In cases where the solution identifies the address change as suspicious, the institution has the information needed to act. Sample alert messages might include: Address is a temporary address; Artificially manufactured address; Address is not currently receiving delivery; Known fraud address; Address recently associated with several different last names; and more.
This automated approach is more efficient, cost effective, and better at reducing fraud losses. In addition, it satisfies compliance obligations and results in less customer friction.
While you’re at it, monitor email and phone changes, too.
While there are clear compliance requirements for address changes, the guidance is less clear regarding phone number and email changes. Now that customers (and criminals) use online and mobile banking, fraud has evolved to the point where a cash-out doesn’t necessarily require a physical address change. That’s why banks should apply the same rigor to screening phone and email changes as they do to scrutinizing address changes. Doing so will go a long way in protecting the bottom line and customer relationships.