Integrated IDV Webinar: Mitigate Fraud and Consumer Friction
Outdated IDV is Impacting Consumer Experiences
Financial institutions face a delicate balancing act that pits the requirements of fraud mitigation against concerns that requisite authentication processes may frustrate legitimate consumers and drive operational costs higher. If a business doesn't invest in fraud prevention, it opens itself up to financial losses and reputational damages. But if a business places too much friction on the consumer experience, consumer satisfaction will drop significantly, leading to lost consumers.
Neustar wanted to hear directly from industry leaders regarding their current state of fraud prevention, challenges, and the effectiveness of various account takeover fraud mitigation techniques. Neustar commissioned Forrester Consulting to conduct a survey of 204 decision-makers in fraud management, authentication, and customer experience to explore fraud mitigation and consumer friction with integrated identity verification.
Watch this webinar for a review of the survey results.
Good afternoon. My name is Lou Carlozo, and I'm the managing editor of BAI and host of the BAI Banking Strategies podcast.
It's our goal at BAI to provide you with actionable insights that can help you make smart business decisions every day. We do this by providing financial services leaders with powerful tools, meaningful connections, and relevant content, including the insights that will be shared on today's webinar, Mitigate Fraud and Consumer Friction with Integrated Identity Verification.
Now, before I introduce today's speaker, I'd like to review a few housekeeping items. First, a recording of this webinar will be available after today's session. Each person who is registered for this webinar will receive an email within 24 hours from BAI that contains a link to the recording.
Second, we'll conclude this webinar with a question and answer period. At any time during the presentation, please type your question in the Q&A box on your screen and we'll address your questions at the end of the presentation.
Finally, at the end of today's webinar, you'll see an online evaluation on your screen. Your feedback is important to BAI, as we strive to address the key issues impacting the industry in a way that helps you plan for tomorrow while performing better today. Please, take a few minutes to complete the survey.
Now on today's webinar, you'll hear from an industry expert who will share insights into key findings from a Forrester fraud survey commissioned by Neustar. It's my pleasure to introduce our speaker, Bob McKay.
Bob McKay serves as the Vice President and General Manager of Neustar's Risk Solutions Division, with responsibility for leading a cross-functional team of product technology, marketing, sales, and business development team members, developing a differentiated product strategy with defined product growth and business plans, as well as a clearly articulated unique selling proposition, as we drive the plan to execution. Wow, that is a terrific list of qualifications. Bob, take it away.
Thanks, Lou. And just a word of introduction about who Neustar is, for those that perhaps are less familiar with the organization. Neustar is a data-driven technology firm that specializes in gathering and supplying detailed information about phones, mobile devices, IP networks, combining that all within easy to conceive technologies that help address fundamental problems, specifically in the areas to mitigate fraud.
In today's session, we're going to go through a few different things. Spend a brief moment or two discussing the work that we had commissioned with Forrester. It was a survey that we did in the marketplace to really just understand the drivers of an integrated identity verification platform, what did that look like, and all of those shaping going forward, and then delve more deeply into the outputs from this survey. And I think what we hope to do along the way is highlight some of the fundamental flaws within an identity verification program and what we see as some best practices from the organizations that really are doing it right. And doing it right really is a combination of helping to mitigate fraud, or reduce it to the absolute most tolerable level, while at the same time getting the amount of customer friction at the lowest possible levels at the same time.
So Forrester is a well-known industry analyst in the space, and they have a specific practice that focuses on identity and identity verification businesses. We worked very closely with them to conduct a survey to really get as far reaching a pull of the identity verification strategies being employed in as many marketplaces as possible.
We were really pleased with the results, because the participants that responded spanned a few different areas. First of all, size. As you would imagine, we had high levels of participation from the largest organizations, large being defined as total revenue. But we also had really healthy participation from small to medium-sized enterprises.
What our takeaway from that is this is a top of mind kind of problem for all sorts of organizations, whether it's compelled specifically by a set of regulations, or these firms just recognize it's in the best interests of their firm, and more specifically, the best interests of their customers, to have fundamental processes in place that try to manage these fraud risks.
The other takeaway was how widespread across the relevant verticals. We had good, almost even participation, as you can see in that pie chart, across financial services, those firms that participate in retail and e-commerce, insurance, and third party call centers that support a lot of those functional areas, as well. So it gave us a wide swath of inputs I think are really representative. And hopefully, there are some takeaways that can help your organizations as you consider your way forward.
The good news is, if I take the headlines from the survey itself, is that 91% of the firms have employed some degree of integrated identity verification, or IDV, as a way of mitigating the fraud. Now, we set a pretty low bar. Our question was really have you employed at least one of the techniques defined in offline, online, and device-based identification, at least one? It is a fairly low threshold for many organizations to say they do.
Forms of Identity Verification
Now, just a word of clarification. What do we mean by offline, online, and device-based intelligence? Offline is perhaps less well known. These are the types of document-based identification that are gathered often at the time an account is opened. So a driver's license is typically the form of ID that's captured and verified. Perhaps even information is added into a CRM or similar customer database.
Online identity data could include aspects that are verified through social identities, but also may include other aspects of online. So many firms employ an IP or DNS blacklist, just to ascertain where, if this is a digital experience, where the customer is coming in from and whether that is from a site that is scary, for example.
And then finally, what do we mean by device-based identity? It is perhaps the quickest growing space, and it generally includes ways of identifying the mobile device or the device being used to access the web platforms, and connecting that to an identity.
Now when we dig a little bit deeper, while 91% of the firms have implemented some sort of combination of offline, online, and device-based capabilities, only about half are actually expanding these current capabilities in all three categories. Now, we found that the significant maturity in both customer-centricity and fraud strategy and the overall effectiveness of the strategy really do dictate whether or not they're finding these programs successful.
Recent credit bureau breaches and data privacy scandals have left many savvy customers and consumers worried about their own privacy and the firms that they interact with, their ability to protect them from fraudsters. And these customers and businesses really have a reason to be concerned.
Identity Theft and Fraud Are on the Rise
The survey confirmed that identity theft and fraud are on the rise. 61% of the surveyed firms report that they've witnessed an increase in fraud or fraud attempts over the last 12 months. Moreover, 23% saw that the incident rate had increased by more than 5%, quite a dramatic rise.
Now, fraud causes customers to lose trust, and it hurts the bottom line. Now, that can be manifest in a reduction in the share of wallet, so that while they still may be your customer, you just may not be getting as much of their business that they could be offering. Or in extreme examples, you could see a complete abandonment or switching of their account activity to one of your competitors.
More commonly, the cited impact is the loss of fraud. But equally, customers cite a drop in customer confidence, an increase in the number of complaints that they have to address through customer service representatives, and an overall damage to their brand.
On average, three different sources of customer data are typically involved in these incidents. And what Forrester found in the survey is there's too heavy a reliance on PII-driven or knowledge-based authentication.
Limitations of Knowledge-based Authentication
KBA, or knowledge-based authentication, is expanding in use in 59% of the firms, and validation against data bureau data is expanding in 43% of the firms. Now, this is especially concerning, given that the prominent credit bureau data breaches of the past few years have basically made this personally identifiable information readily available in the dark web. So it does raise a question of how much firms place of reliance upon knowledge-based authentication. Where Forrester's found it, it makes these firms more susceptible to fraud and more vulnerable, and it does result in a bad experience rate, or worsened customer satisfaction scores.
Well, we look at the top three data elements used in knowledge-based authentication. It's interesting to note these, like date of birth, the questions that are often left to the customer itself to define, or the current addresses, are easily available from data breaches, from social engineering, or just poor privacy controls on social media. Who hasn't seen a celebrated birth date on Facebook, or even LinkedIn, for example? And how many use date of birth as a specific data point in a knowledge-based authentication program?
Financial institutions, particularly, are looking to prevent fraud, but they often have to come at the sacrifice of customer experience. As more and more customer experiences shift to virtual experiences, so customer interactions that happen through the phone center, contact centers, through IVR, through web portals or mobile applications, a balance must be struck between mitigating these frauds and reducing friction.
Let's pause now and have our first polling question.
So at an interactive session, I invite each of you to participate in taking a poll. I'll try to explain some of the questions here.
What is the greatest issue facing you? Account takeover incidents? Friction negatively affecting the customer experience? They are equal weight, or neither is an issue?
Account Takeover Fraud
Now, a word on account takeover frauds. When an account is taken over by a fraudster, sometimes the chromatin is not felt by the institution itself, or perhaps it's felt by the institution but not in the same channel in which the breach has occurred, but rather in another channel. It's really hard to find.
OK, if you want to broadcast those results. Interesting.
So most of the people participating today have weighted account takeover threats, or ATO, as the leading concern in the programs that they're facing to mitigate fraud. That's consistent with what we saw with the Forrester, as well. But equally, I think there's a sensitivity to customer friction, as well. Well, let's continue on with our presentation.
Reducing or preventing fraud has become a top priority for nearly 70% of the firms. I think that's consistent with the polling we just performed. However, customers also have high expectations for fast and efficient services that sometimes go at odds with fraud prevention.
If consumers can't easily engage digitally, they will take their business elsewhere. The firms that we have surveyed have taken note. There's a need that needs to be struck for speedy, seamless digital interactions, and how that gets highly influenced with fraud detection. When considering the fraud detection tools, if there are misplaced settings that place legitimate customers in a false rejection or a false positive detection rate for a fraud, that also needs to be weighed. These false reject rates may not only deteriorate the customer experience, but may also realize higher operational costs and lower customer satisfaction scores.
Many decision makers we surveyed are measured on increasing customer satisfaction-- 53% of those people said as such-- as well as reducing false reject rates, 49%.
So let's pause. What are some of the things we've heard from the survey in the first part? Well, overall, there has been a movement to have an integrated identity-based program in place, because I think everyone recognizes the susceptibility of identity-based fraud growth rates impact on the businesses. Unfortunately, though, too many firms have relied on outdated fraud strategies, and 52% of the firms have low customer satisfaction scores if they have an overly exhaustive, prescription-filled experience to reduce those fraud rates.
So what's the answer, then? How do we improve upon the experience of getting the balance between an integrated identity verification program? Let's talk about some of the best practices that were witnessed by Forrester in the survey.
Benefits of Integrated IDV
As we've talked about in the past, an integrated identity verification program really is the one that advances and integrates all three facets of offline, online, and device-based IDV. But more so, it's perhaps a shift, a fundamental shift from too heavy a reliance on the offline knowledge-based data and more increasing prominence of online and device-based data. Combining all of these three into a way of better identifying a consumer is where the first takeaway is important. And more so, the firms that really are doing it well particularly have near real time access to information for the online and device-based data.
The firms that are really doing it well also have a remarkable difference in the way they have improved operations. For example, the firms that have already expanded or continuing to expand integrated IDV programs have greater transparency in the way they go about making broad decisions, long decisions, in a way that's explainable not only to their senior management, but also to their customers. And as an internal metric, their overall cost of operations is much, much lower.
Those also expanding integrated IDV are less reliant on date of birth and are more likely to ask for one time passcodes or a physical ID than those that are still kind of antiquated.
So let's go to our next polling question. So I'll read this out.
Based on the survey definitions we just reviewed for an integrated identity verification, is your institution investing in a combination of offline, online, and device-based capabilities for its fraud prevention? So there's just three options, yes, no, or uncertain.
OK, let's broadcast those results.
OK, so I think some encouraging results. I think people are starting to recognize that there is a need for the combination of offline, online, and device-based identity verification into a holistic program. More so, they're actively investing in those, so that's a very good and encouraging result. So let's continue on.
So when looking at deploying an integrated identity verification program, the methods that are employed need to strike a balance between reducing the fraud as well as reducing the friction, because ultimately what we want is a speedy and seamless digital transaction. So Conclusions, Part 2.
When done correctly, the individual capabilities of reducing identity theft and reduction of fraud needs to strike a balance between the amount of friction that gets introduced. And what Forrester found from the survey is those firms that have an active integration of all three, offline, online, and digital, and more so those that have access to real time information and a mental shift that deprioritizes knowledge-based information towards online and digital-based information that can be accessed in near real time have much more improved customer satisfaction scores, lower customer friction, and reduction in fraud.
Forward Thinking Fraud Prevention
So key takeaways. Characteristics of forward thinking fraud prevention. Really someone who's doing it right, as we've talked about already. It has an emphasis on an integrated strategy, not one that's merely placed on just one or two of those.
More so, they treat the initial identity verification and authentication as the same kind of thing. Gone are the days where it was sufficient to gather information at an account opening, add that to a CRM or customer database, and never revisit that. Rather, every time there's an interaction with that customer, that customer's data and the customer itself needs to be authenticated in real time, with the most current information that encompasses the data and intelligence that can be gathered from online and digital platforms, as well.
When looking at some of the verbatims that came from our customer center, the ones that really had achieved some of the best results in this said many interesting things. I'll call out just two.
If we first focus on let's say the 2 o'clock here, 2 o'clock position, a CTO for a financial services firm, I'll read this off to it.
"We are expanding into additional markets, and we need to add a layer of protection." So this firm recognized that it wasn't efficient not only to protect their existing customers database. An integrated IDV strategy really was a way of facilitating penetration into new markets and driving new revenue growth.
Another quote that I thought was perhaps really striking was let's say at the 9 o'clock position here, from an IT director of an insurance. This person said, their integrated IDV strategy really was organized around enhancing the customer service, improving fraud management system, and increasing the overall business performance. It was interesting to note that this firm placed equal weighting on metrics around customer satisfaction scores with the ability to reduce fraud and have an overall operational efficiency. So really kind of getting buy in from a number of stakeholders across the organization, and their support was used in rallying the overall approach to the integrated identity verification program that they employed.
Fraud Mitigation Q&A
So we're going to move to a Q&A. Some have already started to trickle in. I invite others, as well, to type in questions into the Q&A box. While that's happening, I'll go into some that are early. Here's one.
Are you saying that KBA, or knowledge-based authentication, should never be used?
No, let me be very clear. It's not prudent to entirely abandon KBA, or knowledge-based authentication. What we are saying is it probably should be lowered in its priority, or its reliance on it in almost exclusivity. Because the amount that is available makes a lot of the information that has been captured at account opening, and is using some of these KBA policies, readily available. You cannot rely upon it too much. So instead what we're suggesting is supplementing KBA with online and digital-based identity, and over time perhaps shifting the prioritization and weight to those channels and integrating those holistically.
Let's see, what else did we say here?
Can a firm go about building this integrated identity verification through their own means, or should they go through a provider? And if they go through a provider, what are the characteristics they are looking for?
OK. Yeah, I think certainly, many firms of scale probably could pull together the information needed to have an integrated-- certainly, they have direct access to the consumers to get a lot of the documentary-based information. What perhaps is the most tricky and where most firms kind of rely on third party vendors is for getting the device-based information and the online information. More so, you're not looking for raw supplies of information. The ones that really do it well and really help advance fraud reduction are those that have ability to link those specific nodes of information to an individual. So what does Bob McKay and his devices that he uses and the websites that he visits and the other characteristics of his behaviors across those devices and those IPs mean holistically, to gain some trust about this?
So here's one. How does synthetic fraud play into this? Well, synthetic fraud is really quite a growing and prominent problem. Let me try to at least put a definition so we have a normal conversation here. Bob A adds an account holder to a bank, and all the information that I have in the account itself that the bank knows about me. Certainly, the bank needs to go through all of the various kind of-- any interaction that I have with the bank to validate and authenticate I am who I say I am, and have a trustworthy experience, whether it's through a digital platform or an IVR platform.
When we're talking synthetic identity, it's fraudsters stealing and creating identities unrelated to myself. They may have stolen a specific PII and created a new account at a new institution unrelated to the one that I have, and opening up lines of credit and other types of instruments. And the validation that happened by the institution with that synthetic identity might pass a lot of the number of tests, particularly the knowledge-based ones, where PII was used to open an account. And that's particularly why this is not if you rely solely on KBA, it is not sufficient. You need to kind of have more of a holistic one.
Potential of Voice Recognition
Here's another question. What are our thoughts on voice recognition technology?
Voice recognition technology is very good and can be very useful in helping authenticate a customer, particularly through call centers and IVRs. One of their biggest hurdles, however, is participation rates. Fundamentally, for voice biorecognition condition to work, the consumer, well, fundamentally, number 1, has to call. A number of customers may never actually ever call. So when considering the totality of a customer base, inviting all of those customers to have a reason to call in to a call center in which a voice recording capture could happen may be daunting or expensive for an institution to undertake. Doing it reactively is fine. A lot of organizations do it that way.
So if and when a consumer has a need to call into a call center, capturing that voice, either passively just through the interactions that they have, or actively with direct knowledge participation of a customer vary state by state or vertical by vertical. Some organizations must abide by regulations where that is not an implicit but rather explicit participation.
And there lies the problem. Do you have enough captured in your database, your voice bio database, enough imprints to have a meaningful way of mitigating fraud? When they are there, it is a powerful example. It's really about. It's about that critical mass built up. Let me try to see some more.
Complexity of IDV
The biggest issues seem to be around silos. How can financial institutions get around it with an integrated IDV? All right, so I'm going to try to interpret the question specifically around the word silo used there. So while, for example, there might be some identity verification techniques and processes and systems in place, let's say, for example, at the IVR, within a call center, does that same set of technology or the same set of processes and data get deployed against their web platforms or their native mobile application platforms?
The actual answer is, in today's world, not enough, is a simple answer. More and more organizations are looking to deploy those systems horizontally across all of those channels. Some of them I'd often characterize that as omnichannel. So the same set of practices and policies and systems and tools used to validate and authenticate their customers, whether it's through a call center, through an IVR, through a web portal, through a native application and in the mobile device. All relied upon the same set of data, and in fact helped feed the same kind of modeling, that helps become more deterministic, and the frauds are where we see more and more institutions moving, too.
Passcode Verification Scenario
Here's a new question. What are your thoughts on a code going to a customer's device that is on a file? How much can those be relied upon?
I'm trying to interpret that in real time. So what are your thoughts on a code, like a passcode, I'm interpreting, being sent to a device, particularly on file?
So one time passcodes are certainly used frequently, and can be pretty powerful. But there also is another susceptibility, let's say a customer calling into a call center, or an IVR, has a specific question and their own account, and the amount of validation or authentication that was required for the specific work activity that this consumer was acting for did not meet a sufficient level of validation, and a one time passcode is being sent. Maybe the customer needed to access something highly confidential, or is asking-- they've lost their password to their web platform, where they're asking for a one time passcode be sent to their mobile device. That happens all the time.
What organizations need to do is to ensure that when they do issue that one time passcode that the device it's being sent to in fact belongs to the consumer and has not been diverted in any way. Diverted can happen in lots of different ways. SIM swapping or porting are the most common examples of that.
So in real time, an institution must have an ability to understand not only the name of the consumer, the phone number, perhaps, of the mobile device, but some of the specific information sets about the device itself, what is the NZ or EEOMNI identifiers of the actual device? What other type of characteristics about the seven, has there been any porting recently or call forwarding that might suggest that the device itself has been compromised and moved to somebody else who is not in control-- or the person who is controlling it isn't the consumer. Those are definitely what we see as techniques when done well.
OK, well, thank you for the time. I think there's been some questions whether the presentation was going to be recorded. It in fact was. I think there'll be a determination about whether that call, the recording of this presentation will be shared. I'm sure that'll be sorted, as well. For those that were shy, they perhaps had questions but did not want them openly asked, we're always open to fielding questions. So you can contact Neustar, and I'm happy to address any questions that you want to point my way.
Lou, the Neustar team is complete. I don't know if you have to do any wrap up.
Great. I think Lou is offline now.
So we're going to conclude the session today, as is shown there. If you want a copy for today's presentation, contact Lucas King at the email address shown on the slide today. Thank you.
Yeah, Bob, it looks like our line is back on. We got dropped. Are you still there? Is everybody still there? Bob is still here.
OK, great. Yeah, if it's OK with you, a bunch of questions came in on this end, and we would like to ask those. And my apologies to everybody in the webinar audience. We just happened to drop out. We are back online. Here's one.
The survey today indicated that account takeover is the biggest problem facing financial institutions. How might this compare to the state of things, say, five years ago, and what explains the proliferation of account takeovers?
Yeah, I'm confused by your statement, because I answered a bunch of questions. I'm not sure who heard what. So are you saying nobody heard? Because I answered a bunch of questions that were submitted in.
Rise in Account Takeovers
Well, this would be another question that came in. We had a few more come in. So I don't know if that question sounds familiar to you, or if it's something that you can address. In a nutshell, it was just what explains this proliferation of account takeover?
Well, a lot of it can be attributed to a few different things. First, data breaches make all of that data available. And so the availability to fraudsters to usurp systems is much cheaper, to be real honest.
The other byproduct is chip and pin has made fraud in card present transactions almost too difficult, so the fraudsters are finding the least paths of resistance. So they're moving away from card-based transaction fraud to card present fraud to account takeover. If I can take over an account and do more than just transactions, I can create a fake identity. I can move money in and out of their accounts. I can do a whole bunch of things. All of those have kind of conspired together.
Great. Thank you so much, Bob. There have been a number of really crucial topics brought up today, and I hope after the presentation you see the value of integrated identity verification. And at this point, I'd like to encourage you to take a few moments to fill out the survey that should be going live on your screen momentarily. There we go.
And once again, Bob, thank you so much for sharing your expertise and insights today. As a follow up to today's session, you'll receive an email within 24 hours from BAI that will include a link to a recording of today's webinar. I encourage you to share the link with your team or other peers who might benefit from the insights shared today.
You can learn more about BAI and other thought leadership opportunities on our website, bai.org. We also encourage you to check out the BAI Banking Strategies podcast, with new episodes weekly and an archive of engaging shows hosted by yours truly. Be sure to check out the podcast at bai.org.
This concludes our session. I'm Lou Carlozo, the managing editor at BAI. Thanks again for joining us. Enjoy the rest of your day.