5 Best Practices for Digital Identity Verification

Attacks on the financial sector have increased steadily for two decades, and the volume of reported attempts surged in just the last few years.

In fact, 68% of financial services providers reported an increase in fraud attempts compared to the prior year. Fraud in the account opening processes is endemic; in response, institutions are using multi-layered verification to locate, approve and onboard legitimate customers with low friction while deterring fraud and maintaining compliance. A robust identity verification program allows platforms to capitalize on digital adoption while delivering a seamless customer experience. Fifty-three percent of Americans report that being prompted to take extra steps to verify their identity makes them trust that company more. And those who report being less trusting are less likely to engage in desirable downstream business practices.

A lack of trust creates a drag on profits while compromising the end-user experience. But institutions can use several best practices to locate and approve new legitimate customers, significantly lessening friction or fraud and streamlining the customer journey.

1. Analyze Multiple Layers of Data
Forty-five percent of organizations say they perceive multiple layers of identity attributes as a best practice. As fraudsters increasingly add sophistication to their schemes, additional layers, or “blankets,” of attributes that work together are the key to a seamless customer experience and fraud mitigation. Solutions that orchestrate multiple dynamic data sets not only detect and deter fraud — especially synthetic identity fraud — but don’t add friction because the solution is predicated on data collection practices that are easy to explain and defend.

Placing multiple layers at the heart of the identity verification process identifies legitimate customers more quickly and accurately, and uses additional verification methods only when absolutely necessary.

2. Layer Machine Learning with Human Fraud Expertise
Financial service providers can balance user experience with identity verification standards by combining increasingly adopted technologies with human fraud expertise. Financial institutions have the power to analyze massive amounts of digital transaction data by applying supervised machine learning (ML) to the identity verification process, creating efficiencies by recognizing patterns that can improve decision-making.

Coupling this with human expertise and intuition gives institutions the best of both worlds: enhanced anti-fraud protocols and new, more usable data sets that improve identity verification efforts going forward. Machines are great at detecting trends that have already been identified as suspicious, but have a blind spot when it comes to detecting novel forms of fraud. It’s critical that providers layer human fraud expertise on top of machine learning.

3. Embrace Data and Decision Transparency
Many ML-based solutions provide a pass or fail score that is as opaque as it is simple. Without visibility into decisioning data, institutions are left to depend on restrictive and hazy score-based identity proofing models. These “black box” solutions don’t offer data intelligence visibility; instead, they apply common engine logic across multiple customers and industries.

An effective identity verification solution should provide a continuous data feedback loop so institutions can understand and explain to regulators and consumers why they made certain decisions. This allows financial institutions to better assess their risk and fine-tune the identity verification processes to best fit their needs. This is nearly impossible to do with a system that relies on “black box” algorithms and little governance of modifications from one company to another.

4. Implement Customized Identity Verification Workflows
The ability to customize identity verification settings to meet specific customer needs is quickly becoming mission-critical. Every organization is different; every financial institution has different verification protocols that reflect these unique needs. This includes the ability to tweak and tune identity verification settings in real time, without the help of IT. Every institution needs the ability to act quickly as they anticipate attacks, adapt to changes in human behavior and respond to the emergence of new customer segments, profiles and needs.

At the same time, institutions need to empower decision-makers to collect less sensitive information or enact pre-qualification formats for certain applications, streamlining customer onboarding without compromising identity verification standards.

5. Cross-Industry Fraud Intelligence
It’s common for fraudsters to jump from industry to industry as they carry out their plans, which means that effectively fighting fraud is a group effort. With the right identity verification solution in place, financial institutions will have visibility into serial, multi-industry fraud schemes and trends and data across industries and channels.

As the financial sector moves towards a post-pandemic reality, fraud attempts are likely to grow alongside customer expectations. Identity verification will be an operational necessity and a moral imperative, keeping financial institutions and consumers safe in a challenging digital environment.

The Threat of Email Compromise

While ransomware attacks grab most of the headlines — for instance, the Colonial Pipeline in Spring 2021 — business email compromise/email account compromise (BEC/EAC) was the top crime in terms of direct loss reported to the FBI.

Business email compromise attacks have evolved over the decade, and are now also referred to as email account compromise, acknowledging that personal email accounts are also targets. According to the FBI’s Internet Crime Complaint Center’s Internet Crime Report for 2020, more than $1.8 billion was lost in 2020 to BEC/EAC attacks. That is more than 50 times the money lost in direct payments to ransomware attacks. BEC/EAC attacks are also much more common, with nearly eight times as many complaints to the FBI compared to ransomware: 19,369 email complaints, compared to 2,474 ransomware complaints in 2020.

Ransomware is still a serious threat, including the threat of business interruption, but you are more likely to be targeted in a BEC/EAC attack than a ransomware attack. A BEC/EAC attack in 2021 usually starts with one of the following:

  • A successful phishing attack against an individual. A fraudulent email is sent to an individual, usually as a part of a large campaign, and that email tricks the user into entering their credentials into a fake login form, which then passes those credentials to the attacker.
  • A successful social engineering attack. Social engineering attacks are most often carried out over the phone, but can also be accomplished via email or instant messaging, or even in person. The attacker will contact the victim and convince them to provide information or inappropriate access to the attacker. In a BEC/EAC attack, the victim’s email login credentials are most valuable.
  • A successful computer intrusion. Computer intrusion in this context is a catch-all for malware and active intrusion of computer systems, resulting in credential compromise.

After gaining access to the victim’s email account, the attacker may lie in wait until a valuable transaction is sent over email. If the account compromised isn’t a valuable enough target, the attacker may use the victim’s account to launch more attacks against the victim’s contacts.

BEC/EAC losses impact organizations in all industries; the common thread is business conducted via wire transfer. The attacker waits until an email with wire instructions is received or is expected, and replaces legitimate instructions with fraudulent ones. Once the wire is sent to the wrong bank, the funds are transferred quickly to other banks, often overseas. In many of these cases, the victim did not recognize the wire was missing for a month or longer — well past the window to recover those funds.

Protecting Yourself and Your Bank

The good news is that you can protect yourself and your organization from these attacks, but it requires vigilance and some inconvenience. Below is a summary of steps to protect personal and company email accounts:

  • Train employees to recognize phishing emails. Common themes in phishing emails are poor grammar and spelling, a sense of urgency, or a link to log in and fix a problem or verify information.
  • Do not click links in emails, instant messages or text messages.
  • Enable multi-factor authentication on all accounts that support it. Enabling multi-factor authentication means that even if your credentials are compromised, an attacker will not be able to access your account.
  • Insist that payments be sent by physical check, not a wire transfer, whenever possible.
  • If a wire must be sent, call a known number on file to verify the wiring instructions when sending a wire to a company for the first time and any time the wire instructions change. If you don’t know the sender’s phone number, call the company’s main number. Do not rely on information in the email, including the phone number. If you do call that number, you may be calling the attacker.
  • Regularly update your computer, cell phone and any other device you use to access email with all security patches.
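The wire-verification step above can be enforced as a release check in a payments workflow. The sketch below is an added example, not part of the original article; the vendor file, payee names, account numbers and phone numbers are all constructed, and the function names are hypothetical.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed vendor master file: details confirmed out of band at onboarding.
VENDORS_ON_FILE = {
    "Acme Supply": {"routing": "000000001", "account": "11112222", "phone": "+1 555 0100"},
}


@dataclass(frozen=True)
class WireRequest:
    payee: str
    routing: str
    account: str
    phone_in_email: Optional[str] = None  # attacker-controllable, never trusted


def digits(phone):
    """Reduce a phone number to its digits so formatting differences are ignored."""
    return re.sub(r"\D", "", phone or "")


def review_wire(request, vendors=VENDORS_ON_FILE):
    """Return (decision, reasons, callback_number) for an emailed wire request."""
    record = vendors.get(request.payee)
    reasons = []
    if record is None:
        reasons.append("first wire to this payee")
        # No number on file: staff must look up the company's main number themselves.
        return "HOLD_FOR_CALLBACK", reasons, None
    if (request.routing, request.account) != (record["routing"], record["account"]):
        reasons.append("wire instructions differ from those on file")
    decision = "HOLD_FOR_CALLBACK" if reasons else "RELEASE"
    # The callback number always comes from the file, never from the email.
    return decision, reasons, record["phone"]


def callback_is_valid(request, number_dialed, vendors=VENDORS_ON_FILE):
    """Accept a callback only if it did not rely on contact details from the email."""
    dialed = digits(number_dialed)
    if not dialed:
        return False
    record = vendors.get(request.payee)
    if record is not None:
        return dialed == digits(record["phone"])
    # First-time payee: code can only rule out the number supplied in the email.
    return dialed != digits(request.phone_in_email)


# Constructed requests: unchanged details, changed details, and a new payee.
ROUTINE = WireRequest("Acme Supply", "000000001", "11112222")
CHANGED = WireRequest("Acme Supply", "000000002", "99998888", phone_in_email="555-0199")
NEW_PAYEE = WireRequest("Globex Ltd", "000000003", "33334444", phone_in_email="555-0177")

if __name__ == "__main__":
    for req in (ROUTINE, CHANGED, NEW_PAYEE):
        print(req.payee, review_wire(req))
```

A held wire is released only after `callback_is_valid` returns true for the number staff actually dialed, which keeps the phone number printed in the email from ever serving as the verification channel.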

How One Bank Flattened Fraud

Protecting the bank and its customers — through cybersecurity measures, identity verification, fraud detection and the like — is vital in ensuring a financial institution’s safety and soundness, as well as its reputation in the marketplace. These investments typically represent significant cost centers, but fraud prevention tools can be an exception to the rule if they’re able to pay for themselves by preventing losses.

“The idea is, when you put in a fraud system — and this is where some folks lose it — you want to make sure to catch more fraud than the system costs,” says Ronald Zimmerman, vice president in the operations department at $32.2 billion IBERIABANK Corp., based in Lafayette, Louisiana. “You always have to make sure that the cost doesn’t supersede your savings.”

Zimmerman implemented ARGO OASIS about a year ago. OASIS, which stands for Optimized Assessment of Suspicious Items, uses neural networks and image analytics to detect and prevent fraud. Modeled after the human brain, neural networks are a form of artificial intelligence designed to recognize patterns, making them well suited to identify check alterations, forgeries and other forms of transaction fraud. The solution then provides bank employees with detailed information to enable them to further investigate the activity.

Bank Director’s 2020 Risk Survey found that just 8% of executives and directors report that their bank uses AI technology to improve compliance. One-third are exploring these types of solutions.

IBERIA brought in OASIS to identify fraud in its “two-signature accounts” — customer accounts that require two signatures on a high-dollar check. “We have a queue set up in OASIS to monitor these checks as they come in through clearing. If a signature is missing or is in question, OASIS flags it for review,” Zimmerman says.

One thing about the technology that sets it apart is its check stock validation tool. “You have an overlay button where you can place a questioned check on top of a good check, and you have a little slide bar [so you] can see the small differences,” he says.

That tool alone has helped the bank stop roughly $300,000 in check fraud over the first eight months of use — meaning ARGO has already paid for itself. “We’ve caught a ton of fraud through this product,” says Zimmerman.

And $300,000 is a conservative estimate of the bank’s savings, Zimmerman says, because fraudsters have learned not to target his bank. “Check fraud flattened out, because the fraudsters have probably moved on, knowing that we’ve covered up a hole that was there before.”

ARGO OASIS was recognized as the Best Solution for Protecting the Bank at the 2020 Best of FinXTech Awards in May. ALTR, a blockchain-based security solution, and IDology, which uses big data for identity verification and fraud detection, were also finalists in the category.

Importantly, ARGO helps IBERIA stop fraud efficiently. A task that used to occupy three full-time employees’ time now takes two employees just a couple of hours.

IBERIA will soon merge with Memphis, Tennessee-based First Horizon National Corp. to form a $75 billion company. The deal was driven in part by the pursuit of scale.

Generating efficiencies is essential to better compete with big banks, said First Horizon CEO Bryan Jordan in a 2017 presentation. “We’ve got to be invested in technologies in such a way that we’re at or above table stakes,” he said. “The trick for us will be to … create efficiency in other parts of the business to create money that we can invest in leading-edge technologies and processes that really allow us to be competitive.”

Leveraging AI to reduce compliance busywork is a great place to start.

Filling Fraud Detection Gaps

Investment in fraud detection can be a competitive advantage, especially as real-time payments initiatives create new opportunities—and threats—for financial institutions. Luis Rojas of Bottomline Technologies explains where and how to address gaps in fraud detection, and how bank boards should examine the true costs of fraud.

Outlooks for Payments Fraud

  • How Banks Should Address Fraud Gaps
  • Dealing with Legacy Systems
  • What Boards Need to Understand

Winning the War on Cybercrime: The Four Keys to Holistic Fraud Prevention

Cybercriminals are stepping up their attacks on financial institutions by gaining control of customer devices with sophisticated malicious software installed on a computer or mobile device to secretly read online credentials. The criminals then conduct real-time credential theft and take over accounts. Current technologies are simply not capable of identifying and preventing these attacks and are overloading bank fraud prevention operation teams with unnecessary false positive alerts. In the latest real-time account takeover scheme, cybercriminals use malware to steal user credentials at login, block users from logging into online banking, use the credentials in real time to log into victims’ accounts, and also steal any secondary authentication requests the bank receives from the user to bypass the bank’s security and gain full access to accounts.

The main reason cybercriminals continue to succeed is that they are using highly evasive advanced financial malware for a wide variety of attacks that are very difficult to detect. Cybercriminals are acutely aware of the technologies deployed by most financial institutions and simply design attacks to circumvent these controls. Bypassing them remains relatively straightforward because the controls are isolated rather than integrated with each other.

The Four Keys to Holistic Fraud Prevention

A holistic platform to prevent fraud must be built on four key elements that ensure sustainable prevention of cybercrime in light of the rapidly evolving threat environment.

Comprehensive Coverage
A comprehensive fraud prevention platform is required to protect an organization from fraud attempts across all possible access devices and all attack methods.

Real-Time Intelligence
An intelligent fraud prevention platform correlates data from multiple sources including malware infection, phishing incidents, and device identification, to conclusively detect and prevent attacks.

Adaptable Controls
A fraud prevention platform should adapt to changes in fraud attacks by rapidly deploying countermeasures without overloading your internal resources.

Transparent Protection
A transparent fraud prevention platform does not burden customers with complex authentication protocols or long delays in processing while transaction alerts are sorted out.

Financial institutions that adopt such a holistic solution acquire highly accurate fraud detection that entails negligible customer involvement. When it does involve customers, it is only because the bank has conclusively determined there was attempted fraud, malware or phishing. Additionally, the bank’s fraud prevention capabilities should meet the critical regulatory requirements delineated in the Federal Financial Institutions Examination Council Authentication Guidance Supplement.

Fighting the war on cybercrime will not get easier for financial institutions. Cybercriminals use a divide-and-conquer approach by relying on poor communication about fraudulent activity between financial institutions as well as poor communication between fraud prevention systems that exist in silos. Traditional fraud prevention technologies help reduce fraud but are easily defeated by advanced cyber fraud techniques. To date, advanced financial malware has bypassed virtually every authentication method. Malware also has bypassed risk engines that detect anomalies by learning behaviors and transaction patterns to conduct fraud within tolerable statistical limits.

To win the war on cybercrime, institutions must wage their battles on the front lines—at the customer endpoint. This is where malware and phishing initiate the chain of events that eventually leads to fraud. Breaking the first link of the chain keeps fraud from ever entering the system where it can be overlooked by risk engine analytics or bypass authentication methods. Focusing fraud prevention efforts on the customer endpoint affords the highest likelihood of preventing cyber fraud. This protection, however, cannot be accomplished by simple customer education. The attack sophistication requires that banks deploy equally advanced protection technologies, including customer endpoint malware detection.

A holistic fraud prevention platform focuses on preventing fraud at the customer endpoint. Just as important, it incorporates the four key elements that ensure maximum effectiveness with minimal disruption, today and into the future. As cybercrime threats evolve, so does the fraud prevention platform, quickly and seamlessly.

The Bank’s Liability for Cyber Theft on Commercial Accounts

The amount of financial loss that cybercrime inflicts on banks and their customers is staggering.  In the case of Patco Construction Company v. People’s United Bank (formerly Ocean Bank), fraudsters correctly supplied Patco’s answers to security questions and made six fraudulent withdrawals that totaled about $588,000.  When the U.S. Court of Appeals in Boston last year found the bank’s security procedures didn’t meet the standard for commercially reasonable, the bank was forced to reimburse the company’s losses from the theft.

The takeaway from this and other similar rulings is that bank security procedures matter — to customers, to the brand and to the bottom line.  Banks can take steps to dramatically reduce the amount of financial loss to customer accounts and avoid or mitigate the risk of footing the bill for commercial account takeovers.

Here are five steps that banks can take to avoid having commercial account takeovers damage their bottom line:

Implement Commercially Reasonable Security Procedures

The Uniform Commercial Code (UCC) requires that banks have “commercially reasonable security procedures” to protect commercial customer accounts. Without these procedures, banks could most certainly be left holding the bag in the event of an account takeover.

To qualify as “commercially reasonable,” the bank’s security procedures should fall in line with procedures used by similar customers and banks, adhere to customer instructions, and take into account the circumstances and banking patterns of each commercial customer.

When a financial loss leads to litigation, the court will ultimately decide whether a bank’s security procedures are commercially reasonable.  Banks that can respond with current and ironclad procedures will be in the best position to protect against liability.

Train Employees to Follow Security Procedures

In the case of Patco Construction Company, the court faulted the bank because it did not follow its own security procedures.  The bank’s security system had flagged six transactions as unusually high-risk, but the bank failed to monitor the transactions or notify the customers before completing the transactions.  Unattended procedures, no matter how “reasonable,” do little good.

Train your employees on the bank’s procedures and demand strict adherence.  Employees on the front line of transactions are in the best position to impact this potential liability.

Perform Annual Review of Customer Agreements

A key pivot point on the question of liability is the content and nature of the bank’s customer agreements.

Customer agreements are often used as evidence of the security procedures agreed to by banks and their commercial account holders, and the agreements can be helpful to prove that the bank kept its side of the bargain. In certain circumstances, banks may shift the risk of loss for unauthorized payment orders to commercial customers if there was an agreement that payment orders would be verified using a particular security procedure.  This increased protection is available if the bank proves that it accepted the payment order in good faith and in compliance with the specified security procedure.

Schedule an annual review of your customer agreements and update them before you offer a new service or change your security procedures.  While not always protecting you against liability, customer agreements play a key role.

Develop and Test an Incident Response Plan

Without a plan, a bank’s chances of capping the loss and favorably positioning itself are slim.  An incident response plan equips employees with knowledge of whom to call and what to do when they suspect fraud.

The contents of an incident response plan should be tailored to the individual bank.  The format must be user-friendly, so that employees can easily follow the instructions in a stressful situation. The plan should include steps such as notification of the bank’s fraud department, designated management, and the customer, shutting down an online session, reversing payment orders, and invalidating online credentials that have become jeopardized.

Just as fire drills are practiced, so, too, should a bank exercise its employees’ understanding of the response plan. Time is of the essence in limiting loss and the bank’s reaction to the occurrence will be replayed in great detail. 

Promptly Conduct an Investigation of the Fraud

A prompt investigation is necessary to determine the cause of the security breach.  An investigation should include a customer interview by a trained bank employee and, to the extent it is accessible and permitted, a forensic examination of the customer’s computer.  The bank should contact its security provider to find out if the system was functioning properly at the time of loss.  Obtain documents from your security provider that show the customer’s online account activity, the IP address that initiated the fraudulent transfer, and whether the perpetrator used the customer’s credentials.

Prepare, plan, practice and perform.  Your bottom line is at stake.