From FinXTech:
Identity management and online fraud detection systems were never designed for modern account takeover and account opening fraud. Fraudsters have evolved to access the personally identifiable information (PII) and credentials used for these systems. There needs to be a better way to establish trust that the digital user is the physical user for whom you expect to open or update the account. Research has shown that 1 in 140 authentication attempts are account takeover attempts and that 4.3% of new account openings are fraudulent and use stolen synthetic identity information, according to the Federal Trade Commission.
So, what can your institution do to stop it? Verify, verify, verify. Establish digital trust between the organization and its customers during account opening, authentication and any consequential transaction. Put the appropriate friction in place to deter fraudsters without alienating customers. It’s a fine balance, but if your institution has trust and confidence that the digital user is the physical user you are expecting, it can reduce fraud and give customers confidence in your brand.
How Do You Establish Trust?
Secure all channels, because fraudsters will find the weak link. Ensure that the contact center can ascertain if an account is under attack on the website and vice versa. Put the same rigorous process in place for account openings and password resets, protect the account during credential issuance and step up authentication for consequential transactions.
Verify identities during account registration, regardless of what channel a prospective customer selects. Even if an individual impersonates someone else and knows that person’s information, they will not be able to pass challenges that check for government IDs, biometrics, phone ownership and possession or dynamic knowledge-based authentication (KBA) questions. Additionally, device and behavioral analysis can indicate elevated risk that requires stronger verification methods. When the institution creates the account, the user will have to pass these challenges whether they are opening the account from the contact center, the website or a mobile app.
Risk-based authentication and secure multifactor authentication (MFA) are essential to protect the user’s account once opened. With these methods, a financial institution can perform checks to establish ongoing trust with the user. If a customer is accessing the account from the same device and has no other risk signals, then the institution can feel more confident in its maintained trust with the customer. If anything is off, then the institution should prompt the customer for MFA to a device that has established, verified trust.
Use the same level of scrutiny for password reset requests that the institution uses at initial account opening. Put an identity verification workflow in front of the customer before allowing a password change. This is a hurdle that a fraudster is unlikely to overcome if they have to pass not only “what you know”, but also “what you are” and “what you have” authentication challenges.
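The decisions described in this section can be written as a single step-up policy shared by every channel. The sketch below is an added example, not code from FinXTech or any vendor; the action names, the failure threshold and the `Account`/`Request` fields are assumptions chosen for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

# Actions that get account-opening-level scrutiny (per the article).
FULL_VERIFICATION = {"account_opening", "password_reset"}
# Assumed examples of "consequential transactions" that always step up.
CONSEQUENTIAL = {"wire_transfer", "change_contact_details"}
ATTACK_THRESHOLD = 3  # assumed: failed challenges before flagging the account

@dataclass
class Account:
    trusted_devices: set = field(default_factory=set)  # devices with verified trust
    failed_challenges: int = 0   # counted across ALL channels, not per channel
    under_attack: bool = False   # visible to web, mobile and contact center alike

@dataclass
class Request:
    channel: str                 # "web", "mobile" or "contact_center"
    action: str
    device_id: Optional[str]     # None when the channel cannot identify a device
    risk_signals: tuple = ()     # e.g. ("new_geo",) from device/behavioral analysis

def record_failed_challenge(account: Account) -> None:
    """A failure on any channel raises the risk seen by every other channel."""
    account.failed_challenges += 1
    if account.failed_challenges >= ATTACK_THRESHOLD:
        account.under_attack = True

def required_challenge(account: Account, req: Request):
    """Return (challenge, mfa_targets) for a request on any channel."""
    if req.action in FULL_VERIFICATION:
        # Password reset is treated exactly like account opening.
        return "identity_verification", []
    known_device = req.device_id in account.trusted_devices
    risky = account.under_attack or bool(req.risk_signals) or not known_device
    if not risky and req.action not in CONSEQUENTIAL:
        return "none", []        # same device, no signals: trust is maintained
    # MFA goes only to devices with established trust, never to an
    # unrecognized requesting device.
    targets = sorted(account.trusted_devices)
    if not targets:
        # Nothing trusted to prompt: fall back to full identity verification.
        return "identity_verification", []
    return "mfa", targets
```

Because the attack flag lives on the account rather than on a channel, three failed challenges on the website force MFA on the next mobile or contact center request even when it comes from a trusted device.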
The Glue for Stopping Account Fraud
The information needed for rigorous account fraud prevention does not sit in one place. It is on the customer’s mobile device and their government-issued ID, in credit bureau, telecom and government databases, and in a variety of fraud prevention databases.
It is important to establish digital trust with your customers to prevent account takeover and account opening fraud. Low friction and high security may seem to be at odds, but the goal is to prevent fraud. With the appropriate level of security at each step, financial institutions can ensure that their customers’ money is protected. Digital trust from a technical standpoint leads to greater brand trust with customers.