Nov 2019 | Fraud Prevention

Identity fraud processes

This is perhaps an unusual blog as it merges two of my interests in education and identity and fraud processes. In education (I am a Chair of Governors at a secondary school) there is a great deal of targets which have been set by the nature of a competitive league-based structure. Underpinning these targets is data and this is collected at various points (ages 6/7, 11 and 16). An example of this is the SAT’s that are taken at the end of primary school, and the progress against this at a GCSE level – called Progress 8.

Some schools have capitalised on this process, which is known as “gaming” by entering cohort-wide students for what are perceived to be easy or low value qualifications. An example is the European Computer Driving Licence which allowed a wide set of students to pass in an extremely short space of time. A further example can be where a student, new to the country at the age of 9 or 10 underperforms in the SAT’s. They then become fluent in English over the secondary phase and perform much better than their original expectations were – producing a boost to school performance.

The point here is that a secondary accountability measure “progress 8” was introduced so that parents and governments could measure accurately the performance of schools. But, the crux is that there have been unintended consequences of this action by introducing negative behaviours and deliberate mechanisms to artificially boost school attainment. It’s worth saying that not all schools take these approaches and the majority are ethical – but in a hyper-competitive environment some of the behaviour is not surprising.

So where does that leave identity and fraud? In the same way that a new performance measure or targets can introduce unwanted behaviours, the same can be true of a new process, product or implementation.

A common example that I come across is one where an organisation allows ‘gateway products’. These are the products which are perceived to be lower risk and have a lighter touch identity and fraud process – but importantly the account holder then is able to access further products more easily than if they were a ‘new to organisation’ customer.

A good example is an instant access savings account which has no credit check, light touch identity verification and simple check on the validity of a linked bank account. A lender’s existing customer process for an additional product or service could assume the product checks have been robust beforehand and so skip some of the ‘new to organisation’ customer journey – or allow certain facilities not available to new customers such as instant funds disbursement.

Another example is where step-up processes are included which are meant to allow a frictionless journey. If those processes are not sufficiently robust or configured appropriately then this could present an increased risk and opportunity for fraudsters to take advantage of. One such example is within an online loan journey where part of the process would validate the card of the applicant by way of CVV as part of an identity check. If the applicant failed, they were then presented with what was perceived to be a more difficult journey – however, this was not the case and the fraudsters exploited a weakness in this part of the process to obtain funds.

A recommendation is that the fraud strategist should always try to think imaginatively about how a fraudster could obtain an advantage. For example, always ensuring that identity and fraud strategies are consistent regardless of whether a customer is new to bank or an existing customer.