The Modern Hyper-Connected World Requires You To Establish Identity Quickly and Accurately
In today’s highly competitive market, financial institutions and businesses must walk a fine line between streamlining customer experiences and preventing fraud. Customers expect interactions to be fast and easy on every device. Slow them down and they’ll go elsewhere. But fail to properly authenticate them, and fraudulent activity skyrockets.
In the following Aite Group Report you will gain an understanding of the impact years of data breaches and the subsequent release of a tremendous volume of Personally Identifiable Information (PII) is having on identity theft. Fraudulent use of this available PII is projected to double fraud related losses in the financial services market over the next five years. This report also highlights the importance of going beyond verifying identities, the importance of connecting users to the digital devices and how critical customer experience is when implementing solutions to minimize fraud.
Neustar Identification and Fraud Prevention solutions enable you to know exactly who you are doing business with across mobile and online channels so that you can create trusted interactions. Neustar solutions authoritatively and transparently identify customers in real-time allowing our clients to answer three essential questions when allowing customer interactions:
- Can the customer’s identity be verified?
- Can the device being used for access be verified?
- What level of trust can be assigned to the identity and device combination?
Utilizing the industry’s most extensive offline customer data to verify offline identities then linking those identities to verified digital identities enhanced with phone and mobile number operator data—Neustar can provide financial institutions and businesses the intelligence required to make high-value decisions regarding who’s at the end of every transaction.
New-account acquisition is an increasingly challenging proposition for FIs of all sizes. Consumers are transitioning their commerce to the online and mobile channels, particularly the digital native millennials. Dodd-Frank dramatically changed the economics of retail banking in the United States, while the Consumer Financial Protection Bureau (CFPB) is intensely scrutinizing new-account risk assessment practices, pushing FIs toward greater financial inclusion.
At the same time, identity fraud is on the rise, fueled by reams of personal data compromised in data breaches. The U.S. migration to EMV also promises further application fraud increases, as criminals shift their tactics from counterfeit to other forms of fraud. This Impact Report examines how U.S. FIs assess new-account risk for demand deposit accounts (DDAs) and credit cards, and how these practices will evolve over the next couple years.
In November and December 2015 Aite Group surveyed 88 executives from 83 U.S. FIs to understand the trends in new-account risk assessment and also interviewed leading vendors in the space. The data from the total sample has a 10.5-point margin of error at the 95% level of confidence. Statistical tests of significance were conducted at the 90% level of confidence.
The idea that PII is personal or private anymore is an illusion. More than 477 million records were compromised in data breaches in 2015 alone, many of which included PII. Criminals are quick to monetize breaches by selling the data on the underweb.
These breaches have provided criminals with an ample inventory of PII, which they are using to escalate their identity fraud activity. Criminals employ a variety of application fraud tactics, as described in Table A.
Table A: Types of Identity Fraud
| Fraud type | Definition |
|---|---|
| Identity theft | The theft and fraudulent use of another individual’s PII. This is also known as third-party identity fraud, since there is a fraud victim. |
| Identity manipulation | Identity manipulation entails slight changes to the identity data, often enabling the fraudster to pass application fraud procedures without triggering manual review flags. |
| True name fraud | The fraudster uses his or her own identity to perpetrate the scam. A portion of this fraud is opportunistic, committed by people who are driven to fraud by dire straits. The more severe impact of true name fraud is driven by organized crime rings that induce people to open accounts by posting ads on college campuses or online. The crime rings behind this fraudulent activity also assume the identities of the deceased, buy identities from foreigners who are leaving the country, or bring people from other countries for the express purpose of using their identities for these scams. |
| Synthetic identity fraud | Synthetic identity fraud occurs when the fraudster creates a whole new identity using false information. This phenomenon is by no means limited to consumer accounts— this type of fraud is problematic among business accounts as well. In the United States, credit bureaus do not use an individual’s Social Security number as a primary key, so queries using synthetic identities can result in the creation of a new consumer record, which then adds legitimacy to the fake identity. |
| Springboarding | Springboarding takes place when an individual with the intent to defraud is added as an additional signatory to an already established account. |
First-party fraud categories, including true name fraud, springboarding, synthetic fraud, and identity manipulation are particularly pernicious for credit card issuers, since often the fraud winds up written off as a credit loss. Not only does this make it difficult for issuers to grasp the full scope of their application fraud problem but the cases often wind up being actively worked in collections queues—a complete waste of resources, since the customer initiated the relationship for the sole purpose of defrauding the FI.
EMV: ADDING FUEL TO THE FIRE
History shows that as the U.S. migration to EMV proceeds, criminals will shift from counterfeit cards to other forms of fraud.2 Canada’s experience is a prime example. Once the March 2011 Visa and MasterCard liability shift made it difficult for criminals to buy stolen card data in the underweb and use it to make counterfeit cards, they switched instead to application fraud to get cards of their own using stolen and synthetic identities. While Canadian counterfeit card fraud sharply declined, FIs’ application fraud losses increased nearly 500% in the wake of its EMV migration.
The U.S. migration to EMV brings together a perfect storm: Criminals will be searching for other ways to perform fraud, while there is a robust stock of compromised PII available on the black market. More than half of executives surveyed at the large FIs believe that application fraud in the United States will rise in the wake of the U.S. migration to EMV. Interestingly, the expectations differ between the large and small institutions, as the majority of small FIs do not anticipate EMV to have an impact on application fraud.
The criminals did not wait for the U.S. October 1, 2015 liability shift date; the majority of FIs surveyed (excluding those who responded “don’t know” or “not applicable”) say that application fraud has increased in the online, mobile, and call center channels over the past two years. One large FI said that it believes that the industry is poised to return to a state in which “identity theft is one of the most pressing problems for the industry.” Another said that 2015 marked an all-time high for application fraud losses, with the attack rate rising every month. For a number of the FIs interviewed, the majority of the fraud is third-party, although synthetic fraud and true name fraud are also on the rise. The branch fraud rate has stayed flat for the majority of respondents, reflective of the fact that fraud is much easier to perpetrate in a faceless environment.
This trend will continue, as PII continues to be readily accessible for organized crime as well as willing participants in first-party fraud schemes. U.S. DDA application fraud losses due to first- and third-party fraud will total US$466 million in 2016 and will grow to US$694 million by 2020.
Credit card application fraud losses will also experience a significant increase, from US$1.2 billion in 2016 to US$2.1 billion in 2020. As the profitability of DDA accounts has been gutted in the wake of Dodd-Frank for FIs above US$10 billion in assets, many regional banks are trying to expand their credit card business by marketing to non-DDA customers. This represents a significant change in onboarding risk, and a number of the FIs interviewed are retooling their credit card risk assessment processes accordingly. While the official application fraud numbers that issuers report to the payment networks amount to around 2% of total credit card fraud, the problem is substantially bigger than that, since first-party fraud is often misclassified as a credit loss.
Fraud prevention is not the only driver of new-account risk assessment spending; compliance with the identity verification requirements of the USA PATRIOT Act also drives FI spend. FIs’ spending on new-account fraud solutions for both DDAs and credit cards will continue to rise through 2020. Solutions that focus on digital channel risk assessment will be a primary beneficiary of the increase in spend, as FIs seek to bolster their digital identity assessment capabilities. The credit card spending numbers do not include the credit score; while this has fraud mitigation implications, it is a required element of credit risk assessment as well, and therefore out of scope for this analysis.
NEW-ACCOUNT RISK ASSESSMENT TECHNOLOGIES
When it comes to boarding new DDA customers, FIs have three basic risk appetites:
- Open door: Some FIs take a very liberal approach, in the words of one executive interviewed, boarding “anyone with a pulse.” While that’s a bit of an exaggeration, many FIs prefer to let borderline risks in the door, then manage the risk on the back end.
- Guarded fort: At the other end of the spectrum are those FIs whose onboarding process is much more conservative. These FIs are much more risk-averse and decline a much higher percentage of new accounts.
- Optimization: A number of FIs are increasingly looking to better utilize data and analytics to help find that “just right” point where they can optimize the balance between risk and growth.
There is no shortage of vendors to help financial institutions assess new-account risk. Historically, new-account risk assessment practices were developed in silos, with the credit card business using an entirely separate process from the DDA side of the bank. While these processes continue to be segregated in some FIs (particularly the largest), a handful of the banks interviewed have worked to create a more consistent onboarding routine across products. The goal here is to improve the user experience while reducing the data silos in the hopes of increasing cross-sale opportunities. The online and mobile channels will continue to require additional vendors and risk checks, however, due to the added risk inherent in the faceless environment. The ensuing sections describe the categories of technology solutions FIs use to assess the risk of new accounts.
IDENTITY VERIFICATION
Identity verification solutions compare the data provided by the applicant to databases of identity records for fraud prevention purposes as well as Know Your Customer (KYC) compliance. These databases can be compiled from public record data, credit bureau data, and/or proprietary data sources. The solutions not only perform data matching but also look for a number of suspicious indicators such as data inconsistencies, an address that is a mail drop, or a high velocity of applications for a certain identity across multiple businesses. These will either trigger rules, augment scoring routines, or a combination of both.
A challenge with identity verification routines is the multiple variations of the database records and the data inputs, which can cause false positives at the time of screening. These variations are compounded by the transitory nature of identity data over time as people change residences, phone numbers, and even last names as they change marital status. A further complication is the fact that younger consumers, immigrants, and the underbanked are often not yet present in these databases. All this results in applications that require manual review, in which the FI staff will use investigative databases to further analyze the data and may request verifying documentation, such as a copy of a driver’s license or utility bill, in order to open the account. Manual review processes are not only costly for the FI but can result in considerable attrition, because consumers decide to skip the hassle and open an account elsewhere.
KNOWLEDGE -BASED AUTHENTICATION
Knowledge-based authentication (KBA) questions provide an additional layer of identity verification by establishing that the end user knows the answer to one or more personal questions. KBA questions were one of the early authentication technologies designed to protect remote-channel transactions and are in widespread use today in financial services.
For new-account opening, many FIs use dynamic KBA, which generates multiple-choice questions on the fly using data gleaned from repositories of personal data about the consumer, such as credit files, demographic databases, or internal data sources. The goal of KBA is to provide questions that are difficult enough that a fraudster cannot answer them but not so difficult that the genuine consumer will fail the authentication. This is much easier said than done, especially because the voluntary sharing of personal data via social media and involuntary data sharing via data breaches put the answers to many KBA questions in the hands of fraudsters. Table B provides a list of the leading identity verification providers in the U.S. market, their identity verification solutions, and whether they have a KBA offering.
Table B: Identity Verification Vendor Solutions
| Vendor | Solution(s) | KBA offering? |
|---|---|---|
| Acxiom | Acxiom Verification and Authentication | Yes |
| Deluxe | Deluxe Detect | No |
| Dragnet Solutions | Accelerated Insight | No |
| Early Warning | Identity Chek (Real-time and Batch) ID Confidence Score |
No |
| Equifax | eID ID Reveal ID Scan |
Yes |
| Experian | Fraud Shield Identity Element Network KnowledgeIQ Precise ID |
Yes |
| FIS | ID Authentication ID Verification |
Yes |
| Fiserv | Onboard Advisor | Yes |
| ID Analytics | ID Score Verify 360 |
Yes |
| IDology | Expect ID ExpectID IQ |
Yes |
| LexisNexis Risk Solutions | FlexID FraudPoint InstantID InstantID Q&A Instant Verify |
Yes |
| Neustar | Trusted ID | No |
| TransUnion | ID Manager | Yes |
| WhitePages Pro | Identity Check | No |
CONSORTIUM DATA
Consortium databases leverage data from a number of different participants to help assess the applicant’s risk. This data often consists of negative data, such as the fact that a customer has previously perpetrated fraud at another institution or committed account abuse, i.e., he or she has abandoned an account after racking up a bunch of fees. Consortium data can also be used to positively verify the consumer; for example, a long-standing positive history with members of a consortium can result in a higher score at the time of new-account risk assessment.
Consortium data can be quite valuable for FIs—fraudsters rarely limit their attacks to one FI, and knowledge that an applicant has either previously caused losses at another FI or has a strong, positive history can be very helpful in the risk assessment process. A number of the banks interviewed for this report spoke very highly of the performance of Early Warning’s Shared Fraud database; one depository FI said that it consistently provides a 4.5 to 1 false positive rate and helps the FI prevent “several hundred thousand dollars in losses each month.” Similarly, one of the credit card issuers interviewed was very pleased with its use of ID Analytics’ consortium-based score for its Day 1 risk screening.
FIs must consider a number of factors as they evaluate their use of consortium data:
- Regulatory pressure: U.S. regulators are closely scrutinizing the use of consortium data for new-account opening. Amid pressure from the New York Attorney General in 2014 and 2015, Capital One, Citibank, and Santander all publicly agreed to change the way in which they use ChexSystems account abuse and fraud data to decision new-account applications. The CFPB has also been focusing on this arena, with a number of public statements and bulletins. In February 2016, the agency sent letters to the top 25 banks in the U.S. market, encouraging them to develop entry-level products that would promote financial inclusion. At the same time, it issued a bulletin reminding institutions of their Regulation V obligation to provide accurate data to consumer-reporting agencies, signaling a continued focus on this area, and if history is any indication, potential enforcement actions to come.
- Data integrity and governance: With this level of regulatory attention, data integrity and sound governance is more important than ever. Regulators’ concern is that consumers are being unjustly excluded from the financial system. Therefore, when using consortium data, it is important that the vendor has rules that govern the accuracy of contributed data, that the vendor enforces these rules, and the solution provides a Fair Credit Report Act (FCRA)-compliant dispute process to consumers. A sound set of operating rules that clearly defines the type of loss and when it was incurred is also important (e.g., was this a deliberate attempt to defraud, such as kiting, or was the write-off a result of fees due to account mismanagement?).
- Model risk management: To the extent that scoring models are being used, FIs need to have a clear understanding of how they work and be prepared to explain them to regulators.
Table C provides a list of leading account abuse and/or fraud consumer consortium solutions in use by U.S. FIs. While many digital identity solutions also include a consortium data component, those solutions are generally deemed outside FCRA and discussed separately in the next section.
Table C: Account Abuse and/or Fraud Consumer Data Consortium Solutions
| Vendor | Solution(s) | Description |
|---|---|---|
| Deluxe | Deluxe Detect | Deluxe has white-labeled Early Warning’s Identity Chek, Account Abuse, and Shared Fraud solutions, providing turnkey connectivity via its Deluxe One platform. |
| Early Warning | Account Abuse Account Default Score First-party Fraud Score Shared Fraud |
Early Warning’s Account Abuse and Shared Fraud data are contributed by U.S. FIs to its National Shared Database. Account Default and First-party Fraud behavioral scores apply predictive analytics to deposit account information. At new-account opening, these scores use deposit performance information to predict the likelihood that a consumer will default due to account mismanagement or first-party fraud within nine months. |
| Experian | National Fraud Database | The National Fraud Database includes fraudsters’ identifying data; contributors include banks, card issuers, and retailers. |
| FIS | Qualifile | FIS’ contributory solutions combine closed-for-cause and fraud data from FIs with bounced check data from retailers. |
| ID Analytics | ID Score Verify 360 |
ID Analytics’ score incorporates unique, proprietary data from a wide range of industries, including more than 3.3 million client-reported frauds. |
| LexisNexis Risk Solutions | Fraud Defense Network | Fraud intelligence based on suspicious activity LexisNexis detects in its data repository, leveraging data from banking, retailers, insurance, health care, communications, law enforcement, collections, and government sources. |
DIGITAL IDENTITY ASSESSMENT
FIs are increasingly focusing on digital account acquisitions as they look to expand their reach, reduce operating expense, and increase their relevance with digital natives. As shown in Figure 10 and Figure 11, account originations are steadily shifting from the branch to digital channels. Larger FIs are very much leading the way on this front; in fact, a number of the smaller regional and community FIs interviewed for this report lamented their relatively flat growth in DDA accounts, particularly among the millennial population, and blamed that stagnation on their digital channel capabilities (or lack thereof, as the case may be).
While FIs are trying to shift applications to digital channels to both expand their footprint and reduce operational expenses, there is certainly a price to be paid in the form of higher risk. On average, respondents report a fraud rate eight times higher in the online channel compared to the branch. As a result of the elevated risk, FIs also decline a far higher proportion of accounts in the digital channels. One large regional bank is declining just over 50% of all of its online applications, with 83% of those declines attributable to ChexSystems. Another large regional bank stated that after its Day 1 and Day 2 screenings are complete, only 8% of the applications it receives online result in an opened account.
A variety of technologies can help pierce the digital veil and assist FIs to assess the risk associated with digital account originations, as described below.
- Mobile operator data: A handful of vendors provide device authentication services in the North American market through direct, real-time interfaces with mobile operators. These vendors use the same device hardware-based network authentication as mobile operators to secure their own services (e.g., SIM card) to provide positive verification that the device belongs to the person authorized on the mobile account as well as to provide notification if the device is lost or stolen. A couple of the large FIs interviewed for this report are building a mobile carrier query into their initial onboarding risk assessment.
- Behavioral biometric: Behavioral biometrics, also known as cognitive analytics, evaluate the manner in which a person is interacting with his or her device (PC, tablet, or smartphone) to determine whether it is indicative of bot activity or a fraudster. Fraudsters input data differently than genuine consumers—they don’t have the same level of familiarity with the data, so are more likely to have to repeatedly erase to fix typos. Criminals are more likely to copy and paste data (pulling it from a data dump purchased off the underweb), and they will have more familiarity with the application layout given their frequent use, which manifests in a much different rate and pattern of interaction than a genuine consumer. Biocatch has developed scoring algorithms to detect these new-account fraud “tells.”
- Device/digital identity: Digital identity technology examines a combination of identifiable hardware and software attributes associated with a computer or mobile device. The resulting unique fingerprint can be used to provide recognition of devices associated with fraudulent activity as well as ongoing recognition of devices with trusted reputations. The mobile browser environment can be challenging to fingerprint, since there are fewer parameters to track than in the online browser environment. Mobile apps are just the opposite—digital identity vendors provide SDKs to dive deep into the device and create a footprint around parameters such as the number of contacts, number of songs in playlists, etc., as well as create behavioral analytics around the ways in which those parameters change. The device reputation providers that have deep consortiums are also valuable in proactive detection of repeat offenders. The ability to track personas created by combining multiple device fingerprints with other data elements such as email address are increasingly important to a number of executives interviewed for this report. One of the banks that is using ThreatMetrix for its new-account risk assessment was very pleased with its performance, saying it is “a really powerful tool” for new-account risk assessment.
- Behavioral analytics: Behavioral analytics detect fraud by monitoring the user session to detect suspicious activities or patterns. These manifest in a couple ways:
- Transactional anomalies: The user is performing transactions that are out-of-pattern compared with normal behavior.
- Navigational anomalies: The manner in which the user is navigating the website is inconsistent with his or her own usual pattern, the pattern of his or her peer group, or is indicative of the navigational pattern of a bot.
- Social media: Social media analytics combine public and private data sources with the consumer’s social media presence to help verify consumers. A number of FIs interviewed for this report expressed interest in incorporating this type of data feed, particularly given the extent to which PII has been compromised and is thus less reliable. This type of analysis is also helpful for thin file consumers that can’t be readily verified by traditional data sources.
FUNDING
Funding the new account represents another risk assessment challenge for FIs, particularly in the remote channel environment. A Q2 2015 survey of consumers found that the majority of funding activities take place via cash. This stands to reason, since the vast majority (73%) of account openings still take place in the branch. That said, the other 52% of funding activities represent risk exposure for the FI. One of the most common mechanisms for funding in remote channels is an ACH transfer from another account. Fiserv’s CashEdge is the most common provider of deposit verification in this environment among the interviewees.
A fair amount of friction comes with the online verification of a funding account—the most common mechanism is the challenge deposit, where the vendor will place two small deposits in the funding account and the applicant must subsequently verify the amount of those challenge deposits. While quite effective at verifying account ownership, the friction associated with the process results in attrition. The service is also fairly expensive; FIs report the all-in expense for the funding service as well as the associated fraud evaluation (identity verification, KBA) costs between US$5 and US$7 per transaction.
Vendors such as Early Warning and FIS offer services that can verify account ownership based on their account data on file. Early Warning’s data is directly contributed by the FIs participating in its consortium solutions, while FIS’ data comes from a variety of FI and retail sources. These services promise both a lower price tag and less friction than challenge deposits, but the coverage of their respective databases is not universal across the U.S. consumer population.
Some FIs are also enabling account funding via debit or credit card. While this certainly provides a more user-friendly solution, it also entails a high degree of risk, thanks to all those data breaches; a significant number of the records compromised include payment card numbers, and digital account funding represents a great way for criminals to monetize that data.
MANAGING RISK POST-BOARDING
Some FIs choose to let borderline DDA applicants in the door and manage the risk on the back end once the client account is boarded. One way to mitigate this risk is via early life models that monitor the activity on the account post-onboarding (usually for the first 30 to 120 days). Twenty-two percent of respondents use these today (the vast majority of these are FIs with more than US$20 billion in assets), while another 27% plan to use these within the next one to two years.
Another way to mitigate post-onboarding risk is through product restrictions. The CFPB is pressuring large FIs to increase financial inclusion and create entry-level products that can mitigate risk while enabling financial inclusion. A number of banks have answered the call, including Bank of America with its Safe Balance account and Fifth Third Bank with its February 2016 launch of its Express Banking product.
Not all FIs implement product restrictions via specially branded entry products; many do so with risk controls on their mass-market offering. Seventy-one percent of FIs restrict use of mobile remote deposit capture (mRDC) during the first 30 to 90 days of the account’s life; just 11% of respondents offer unrestricted use from day one. In contrast, only 16% of respondents restrict debit card use during the account’s early life.
Social network analytics provide FIs with another way to manage risk post-onboarding. These provide the ability to sift through the data repositories and discover connections between customers and accounts. Some connections are innocuous, others highly suspicious (e.g., individuals within the network have already perpetrated fraud against the FI, or multiple individuals have the same Social Security number). Effective social network analytics can differentiate between these, prioritizing the suspicious networks and providing users with a visualization tool that helps them understand and investigate the linkages.
This technology is very effective at detecting bust-out activity. Table E lists leading vendors offering social network analytics.
Table E: Social Network Analysis Solutions
| Vendor | |
|---|---|
| BAE Systems | ID Analytics |
| FICO | Nice Actimize |
| IBM | SAS |
| Intellinx | |
DECISIONING AND INVESTIGATIONS
This plethora of new-account risk assessment solutions provides FIs with a variety of exceptions and alerts that they must manage as part of the onboarding process. Many FIs use either a homegrown or vendor-supplied decisioning engine to status the alerts. Equifax, Zoot Enterprises, and Experian were mentioned by interviewees who use their engines to status the alerts. Figure 15 depicts the variety of processes in place among FIs as they manage the output from their onboarding risk processes.
A handful of large FIs and vendors are moving beyond the waterfall process and are instead using big-data techniques to analyze and score multiple inputs simultaneously. This not only has the potential to improve false positive and false negative rates but helps to convert many historical Day 2 processes into real-time risk assessment. Aite Group sees this trend picking up pace, as analytically derived scores increasingly supplant rules, with the credit card business line leading the way on investment. In the words of one interviewee, “the days are over of single-source modeling.” FIs and vendors employing these techniques will need to provide clear documentation to regulators to meet their model risk management requirements.
MANUAL REVIEW
While many applications are automatically evaluated, a fair number of exceptions require manual review. Often this consists of using tools that can help the fraud investigator take a deep dive into public data to determine whether the customer’s identity is legitimate, such as LexisNexis’ Accurint or TransUnion’s TLOxp, as well as free services such as Google Maps.
Manual review rates can vary widely from solution to solution. Figure 16 shows respondents’ current and target manual review rates across the breadth of their application risk assessment solutions. Thirty percent of FIs’ review rates are between 5 to 1 and 10 to 1, which means one true fraud hit for every five to 10 false positives.
For many regional banks and smaller FIs, a DDA relationship is required to obtain a credit card, so these banks rely heavily on the risk assessment process used by the DDA side of the business. For this reason, it’s even more important that these banks identify high-risk applicants early on, since they can springboard that relationship over to credit card and loan activity and magnify the loss potential. Figure 18 shows the vendors in use by respondents for DDA risk assessment. A handful of the banks interviewed rely heavily on documentary verification of the driver’s license or equivalent identity credential in branch, then bolster that with a Day 2 risk screening. The sheer number of solutions in use by respondents is reflective of the fact that many FIs have multiple solutions in place, providing identity verification, consortium-based intelligence, and digital identity risk assessment.
In a cautionary tale for vendors about the potential for regulators to drive market swings, many of the large FIs interviewed reported a significant shift in their onboarding risk assessment routines over the past few years. While the use of the ChexSystems database is still widespread among small FIs, only six of the 14 large FIs surveyed still rely on ChexSystems for their onboarding process. Some specifically cited the regulatory interest as a key driver of the change. Others discontinued use prior to the regulatory scrutiny, stating that given the constrained economics of the DDA product in the wake of Dodd-Frank, it is more cost-effective to manage risk post-onboarding.
FINANCIAL INSTITUTIONS’ EVOLVING USE OF TECHNOLOGY
Half of large FIs plan to add or change DDA risk assessment vendors over the next couple years, while just one in five FIs with less than US$1 billion in assets plan to do so (Figure 19). This increased appetite for change among large FIs is likely attributable to a couple factors. First, larger FIs show greater awareness of the imminent impact of the U.S. migration to EMV and the escalating application fraud risk environment. Larger FIs also board a larger proportion of their accounts in a remote channel environment; therefore, they experience higher fraud rates than do their smaller brethren. When asked about the specifics of their vendor changes, many FIs say their plans center on digital channel risk evaluation. Digital identity risk assessment solutions are highlighted by many of the FI respondents as being on their one-to-two-year roadmap for new account onboarding.
The bulk of the credit card respondents are from large banks, which stands to reason, because big banks own a large share of the credit card-issuing market. Nine of the large banks plan to add or change credit card risk assessment vendors (Figure 20). Some changes are as straightforward as a vendor swap or incremental vendors to bolster digital channel protections. One large issuer is working on a big-data effort that will use Hadoop and Spark technology to leverage its vast internal dataset, and based on the risk assessment of that internal data, will call out to one or multiple external providers. For example, if the internal data shows no history associated with an applicant, then a data provider such as Socure that provides analysis of social media presence will be included; that may be omitted for individuals who are less likely to be thin file.
MOBILE ONBOARDING: OPPORTUNITY AWAITS?
Mobile is increasingly the device of choice for consumers. Sixty-eight percent of the U.S. consumer population now owns a smartphone, and the 2015 holiday season substantiated the migration to mobile devices.7 2015 holiday e-commerce sales were up 20% over 2014 in the United States; 30% of those sales originated from the mobile channel, versus 25% in 2014.8, 9 U.S. mobile banking logins hit the tipping point in 2013, when mobile banking logins exceeded online banking logins for the first time. That doesn’t mean there are more mobile bankers (yet), but rather that mobile bankers are more engaged, logging in 15 to 20 times per month versus the three to five times that online bankers average.
Maximizing the mobile channel isn’t as easy as porting an online website over to a mobile device. The screen and keyboard are much smaller, which complicates the process of creating an elegant user experience. This challenge is compounded by the fact that innovation is rife in the mobile channel, and consumers’ (particularly millennials’) expectations for a user-friendly mobile commerce experience are shaped by brands such as Apple, Amazon, and Uber.
In spite of the momentum toward mobile, applications originating from the mobile channel have been lagging thus far. A Q1 2015 Aite Group survey of consumers showed that fewer than 5% of consumers actually complete an application for a checking account via a mobile device—many who start there give up and wind up in a branch (or at a competitor). One of the inherent challenges to mobile account acquisition is smaller real estate, both in terms of screen size and keyboard.
Mobile data capture and verification solutions can be a very effective solution to this problem. These solutions use the camera on the mobile device to capture a picture of an identity credential (e.g., a driver’s license), verify the credential, and parse the data into the onboarding system, eliminating the need for consumers to go through the data entry process.
Aite Group asked FIs about their plans with regard to implementing mobile data capture and verification solutions (Figure 21). The percentage of FIs with solutions either in place or in the implementation process are fairly equally split among large, midsize, and small FIs, at 13%, 20%, and 19%, respectively. Thirty-eight percent of large FIs, 63% of midsize FIs, and 37% of small FIs have mobile data capture on their one-to-two-year roadmap.
Mobile data capture and verification can automate the data capture, vastly improving the customer experience, eliminating keystroke errors, and enabling mobile as a bona fide acquisition channel. It can verify the credential and automate the verification of the data, helping with fraud reduction. Finally, mobile data verification can automate the process of collecting and validating additional documents during the manual review process, lowering back office costs. Survey respondents highlight all of these points as key drivers of FIs’ new-account risk assessment investments.
For FIs that either have implemented mobile data capture or are in the process of doing so, customer experience and operational efficiency were highlighted in interviews as dual and equal drivers. Many FIs have ambitious goals for increasing originations via the mobile channel, and this will only be possible by making the process more user friendly. Reducing operational expense is another key goal. One large FI that is in the process of implementing a mobile data verification solution currently has 350 full-time employees dedicated to reviewing the exceptions from its application fraud review process. A big portion of this workload entails reviewing the copies of driver’s licenses, utility bills, etc., that consumers send in to validate their identities. This FI estimates that automating this via mobile data capture will enable it to cut that workforce in half.
CONCLUSION
FIs are facing a dual challenge of rapidly rising fraud and fierce competition in acquiring new customers. Here are a few recommendations for FI executives responsible for new-account acquisitions:
- Prepare for an increase in application fraud. As the U.S. migration to EMV progresses, fraudsters will increasingly look for new ways to perpetrate fraud. Based on the early experience of large FIs as well as data from countries whose EMV upgrades preceded that of the United States, application fraud will increase significantly.
- Build your fraud-mitigation strategy with the assumption that the data has been compromised. The days when personal data was actually private and confidential are long gone, thanks to the rampant trend of data breaches. This means FIs must use new means of verifying the data presented during the application process. As digital channel account acquisitions increase, the assessment of applicants’ digital identity is particularly important.
- Create a delightful customer experience for your new applicants. FIs are no longer just competing with each other, they’re also competing with technology firms that have made digital transactions as easy and intuitive as possible for consumers. The consumer-expectation bar for digital banking has risen substantially as a result.
- Add mobile data capture and verification to your near-term roadmap. Mobile data capture and verification can help with the challenge of risk assessment while improving the customer experience. Consumers are saved the need to type lots of data into a tiny little keyboard, and FIs can automate much of the back-end verification process.