Consumers are concerned about cybertheft and identity fraud—and with good reason. Huge security breaches such as Equifax and Yahoo! have made front page news, raising consumer awareness of the dangers lurking online.
In 2017, 143 million U.S. consumers—more than half of the U.S. adult online population—were victims of cybercrime. The criminals got away with $19.4 billion.1
Even if a consumer has not been directly impacted by fraud, chances are good that they know someone who has.
And even though companies, including banks and credit unions, have implemented security measures to protect consumers, consumers are still wary. The majority of U.S. adults—8 in 10—are concerned about the ability of businesses to safeguard their financial and personal information, and nearly half (48%) think that it’s at least somewhat likely that identity theft will cause them financial loss within the next year.2
Regulatory agencies, such as the Consumer Financial Protection Board, the New York State’s Division of Consumer Protection, and the Office of the Comptroller of the Currency, have stepped up their oversight and enacted legislation designed to detect, identify, and prevent financial crimes and fraud. But cybercriminals are increasingly sophisticated, making it difficult for the regulators to keep up.
Rather than issue specific guidance that could become quickly outdated, the agencies instead provide guidelines for banks and credit unions to follow, giving them latitude in how they protect consumers’ identities.
For example, in the quickly changing digital space, identity challenges are even more pronounced. If a consumer contacts your institution via a mobile device, how do you tie the device to the individual? While technology is emerging that can link the consumer to the device, it raises privacy concerns and banks and credit unions need to get consumer consent before using the technology.
If your bank or credit union has been relying on the same regulatory guidance surrounding legislation, including Know Your Customer (KYC) or the Red Flags rule, for several years, there’s a good chance that your identity authentication processes are not protecting consumers. For instance, the KYC guidance relies on name, address, social security number, and date of birth for authentication, but using only this data is no longer enough.
Bottom line is that there’s no hard and fast rules defining how to be compliant with identity regulations. The regulatory agencies have not caught up to the digital environment and have not yet issued legislation that outlines how financial institutions can use digital devices to authenticate consumers. Banks and credit unions must determine how to verify consumer identity based on their own risk assessment.
But here’s the challenge: a financial institution can implement incredibly robust identity verification and make consumers go through multiple steps to verify that they are who they say they are. However, consumers will become annoyed and frustrated with a lengthy verification process. If they are applying for a loan, they’ll abandon the application. If they are calling into the call center and are asked too many verification questions, they may become so dissatisfied that they switch financial institutions.
Here are three ways financial institutions can address regulatory guidelines for protecting consumers yet provide a frictionless consumer experience.
Consumers have heard time and again that they should protect their social security number and are nervous about providing that information to any organization—including their bank or credit union. At the same time, consumers demand a higher level of protection, and they expect that their financial institution is using other tools to authenticate them, such as the fingerprint scan on their mobile device, often believing this is enough to keep them safe.
It’s an invalid expectation, but it puts banks and credit unions in a precarious position, making it tricky to ask consumers for additional verifying information without frustrating them and delivering a subpar consumer experience.
The good news is that banks and credit unions have adapted to changes in the amount and type of information that consumers are willing to give. Financial institutions used to ask for name, address, and social security number. According to Forrester’s Top Trends Shaping Identity Verification (IDV) in 2018, the top data elements organizations ask for are email (60%), name (54%), and phone number (49%).3
Not using the right data for authentication also wastes resources. Banks and credit unions have used address verification for years to identify fraud, but name, address, and even social security number matching are no longer reliable indicators that a consumer is who they say they are in today’s environment.
Consumers want a frictionless experience, and asking them for unnecessary information, such as their address, when that data isn’t useful just makes consumers jump through hoops they don’t need to. Consider removing address as a fraud trigger and replace it with a different data attribute, such as email, that still provides some value for fraud prevention.
Consumers, especially younger consumers, prefer that their financial institution contact them via email or text message, so it makes sense to collect these pieces of personal information anyway. Again, the regulatory agencies do not dictate which information should be used, so banks and credit unions can make their own determinations.
For Red Flag Compliance, the guidelines do not legislate the specific data attributes banks and credit unions must use for identity verification. However, the regulatory agencies favor traditional data sources, such as credit bureaus, data brokers, and the Social Security Administration. These agencies do recognize that, as technology evolves and cybercriminals become more sophisticated, banks and credit unions will need to look to other sources of data to verify consumer identities. For example, the agencies are open to banks and credit unions using data from authoritative sources, such as direct billing relationships from utility, phone, and cable companies, for verification purposes.
Relying only on easily steal-able offline and online data may pass regulatory muster, but it won’t fully protect consumers from fraud. Cybercriminals can even exploit mobile devices, so sending a SMS text message to a mobile phone is no longer secure without verifying phone ownership. Instead, online and offline verification data must be linked to device-specific data attributes, such as phone type, activity, and Mobile Network Operator (MNO) data, to add another level of protection. Since the verification is done in the background, the consumer experience is not impacted.
Regulatory agencies may not directly ask for your bank or credit union’s risk assessment around fraud and identity theft, but they want to ensure that you have implemented a program that is doing what it was designed to do. If your stated goal is stopping bad guys from opening accounts using other peoples’ identities, do your rules and strategies support that goal? What fraud rate are you comfortable with? Do your processes and rules work? Are you following through and updating the program as fraud evolves? Simply defining rules and processes that don’t directly support your goal likely means that your identity program is too lax. From a regulatory perspective, you won’t be in compliance.
It is possible to improve the consumer experience while stopping identity theft and meeting regulatory guidelines. The key is to combine unique, unsteal-able device-specific attributes to standard online and offline data attributes. The regulatory agencies want to make sure your bank or credit union is doing everything it can to keep ahead of—and outwit—cybercriminals.