Identity fraud is one of consumers' most feared crimes, and at banks those schemes translate into application fraud. FICO's Adam Davies discusses today's common application fraud scams and how to stop them.
The first step in detection and prevention is to recognize the different types of application fraud schemes, says Davies, a senior director with the Fair Isaac Advisors fraud practice.
"There are different types of application fraud; [it] isn't just about people's identities being stolen," Davies says. "There are commonly two types - first- and third-party fraud - and the main difference between those is whether someone's identity has been compromised in order to commit the fraud."
In an interview about the nuances of application fraud, Davies discusses:
- Why ID theft is one of the most feared crimes;
- The latest application fraud trends;
- How organizations can improve fraud prevention without hurting the customer experience.
Davies is currently the Head of the Fair Isaac Advisors Fraud, Waste and Abuse at FICO. He is an established Enterprise Fraud, Security and Financial Crime expert, with over 15 years of fraud consulting expertise and additional expertise in application fraud, internal fraud and operational risk. He has undertaken fraud consulting engagements with companies in multiple industries and in over 80 countries, providing them with best practice approaches to minimizing exposure, centralizing fraud intelligence and creating fraud centers of excellence, while ensuring a balance with customer centricity.
Fair Isaac Advisors
TOM FIELD: In a recent survey, it was shown that identity theft is more feared than terrorism. Why is that?ADAM DAVIES: It is interesting, but it doesn't surprise me. Our identity is more available than it has ever been, so it is no longer just your name, passport and address. It's really everything about you. It's your passwords, usernames, PIN numbers, devices, channels, the relationships you have with people. All those different data points represent your digital identity in this day and age. They are all components that can be used to pretend to be an individual that can be abused to commit fraud. So it doesn't surprise me, especially as consumers are going online. At the speed of which we're seeing the change in e-commerce, that is getting the attention of organized crime. There is not a day that goes by that we don't hear about some kind of hack or something like a Target breach. These people are heavily out there on the internet looking at ways to get ahold of people's identities.
Mitigating Application Fraud
FIELD: What strategies are your clients implementing to help mitigate application fraud?
DAVIES: One of the key things is making sure that we understand there are different types of application fraud. Application fraud isn't just about people's identities being stolen. There are commonly two main types: first- and third-party fraud. The main difference between those is whether or not somebody's identity has been compromised in order to commit fraud. Both of those are, in some respects, a financial crime. One of them is more about identity risk, and the other one is really around collectability risk; whether that person is pretending to be something that they are not. Some characteristics of that might include skip tracing, straight rollers and people that dispute transactions on a credit card. All of those can be some form of first- and third-party fraud, and the biggest increase we've seen over the last five to 10 years is that of first-party fraud.
Different Types of Fraud
FIELD: What are the trends that you're seeing around application fraud, both in terms of first- and third-parties?
DAVIES: When we look at the statistics in terms of the increases that we're seeing around the world, it's quite interesting to see the different markets. For example, in North America, a Javelin report that came out shows that fraud happens every three seconds in the United States. If you look in Europe, sometimes victims of identity fraud can take an average of eight to 10 months before they realize that their identity has been used in some kind of scale. The first thing is to make sure that we take ownership. There has to be some changeability alignment. So often, third-party fraud may be managed by a fraud department, but first-party fraud is commonly managed as bad debt or delinquency. Taking a step to centralize accountability for managing that fraud in one place is [what a lot of banks are doing]. They are looking to define first-party fraud to make sure that they've understood how first-party fraud is more prevalent across products where people take out multitudes of different financial products and then bust that over a number of years.
A lot of people have recognized that both first- and third-party fraud varies in type, and so once the sum of it is opportunist in nature, there's also some heavily organized first- and third-party fraud where you need to use technology. You really do need to use analytics and social entity analysis to try and identify these. There's been a lot of change in terms of regulation, and increasing in pockets around the world, like the Red Flags Rule out there helping banks understand what they need to do. Both to protect themselves and the customer, but also to make sure that victims are given the right level of support through the process. It stems from trying to manage the risk more centrally in a common framework.
FIELD: In organizations you deal with, how do you see them balance fraud prevention with delivering that exceptional customer experience?
DAVIES: It's an important factor in today's fraud management. It's not just about being aggressive in catching or preventing fraud. It's about making sure there is the balance, especially as we're coming out of the recession. A lot of banks around the world are starting to put their foot on the gas a little bit more in terms of onboarding new customers, originating new clients. We're seeing a lot of product bundling and cross-selling activities from the people within marketing.
So it's important the fraud department really understands where that application is coming from. If the applicant is known to us and known to another part of the bank, would he even have known of Target? Did we actually reach out and offer him that? It's making sure the fraud department has great access to the data within their organization to understand the applicant risk and the source. Did the request come into us or was the request outbound? Was it through some telemarketing? Using the same framework, try to understand the level of product risk. Each product itself has a different level of risk.
After that, understanding whether we're really trying to identify this application from a third-party standpoint or a first-party standpoint, or both. Sometimes if we already have a customer onboard, we shouldn't be inundating them with the same level of potential controls as a new person who is unknown to us, asking for risky products. It's about using the data more wisely and holistically to understand the source, applicant and application risk, and the channel that is involved with the request from the customer.
Social Network Analysis
FIELD: Talk about social network analysis and how that is used to mitigate application fraud?
DAVIES: Our identity is online. It becomes more available to hackers and exploiters of this information and people that publish this type of information on websites. More of that data is out there, but what that also means is it leaves you more breadcrumbs in the trail to follow. Because the data is more connected than it's ever been, and we're capturing more of that data then we've ever been able to before. Social network analysis allows us to identify common entities or data points between people. The relationships between people...understanding where people have lived or the phone numbers or email addresses they've used.
When we're trying to identify financial crime that is of the organized side, social network analysis allows us to take a multi-pronged approach. It allows us to search, access and bring together group data sources to try and identify financial crime linkages. It allows us to try and match those entities together so that the components connect you.
It could be a device. It could be a date of birth. It could be a street name. It could be part of your number. It allows us to link those together to show the patterns and organization. It's much easier when it's visually presented to you, rather than trying to read through tables and tables of data, like the matrix, to find patterns. Then, it allows us to analyze the complexity.
We need to then think about, when we have these linkages, what's the rank order? Which of the networks that are connected are most likely to be fraudulent and connected to each other? It allows us to enforce that within our fraud management lifecycle, whether it's in the prevention, detection or investigation process to be able to draw together that intelligence. Social network analysis is a big data play for fraud departments. It just allows them to get access to more intelligence and make smarter fraud decisions.