Conventional wisdom: Online fraud is becoming an increasingly serious threat, one that’s likely to get a lot worse before it gets any better.
More than 160,000 cyberattacks were reported last year – more than double the rate recorded in 2016 – making 2017 the worst year on record. Every attack means compromised data, and compromised data means an opportunity for fraudsters to use that information to commit fraud.
As it turns out, these breaches are expensive. According to the most recent Global Fraud Index™, fraud cost eCommerce merchants an astounding $57.8 billion across eight of the largest retail sectors in the second quarter of 2017.
To protect themselves, companies are deploying a variety of authentication solutions to allow the right customers in and to keep the bad guys out. Validating customers’ identities as they initiate onboarding activities — like signing up for banking services — only offers half an impression of who they really are, however. That’s according to Jose Caldera, chief products officer for digital identity compliance solutions provider IdentityMind Global, who says FIs and merchants must also monitor long-term behaviors to build a profile that reflects a user’s trustworthiness.
For the March Digital Identity Tracker feature story, Caldera spoke with PYMNTS about what goes into building a user’s risk profile based on insights gleaned from a variety of digital data points. He also explained why creating such a profile makes more sense than focusing on the conditions of risk offered by traditional know your customer (KYC) solutions.
A Roadmap for Understanding Digital IDs
Fraud is a hot topic that consistently makes headlines. Just last month, special counsel Robert Mueller indicted 13 Russian nationals and companies for their roles in interfering in the 2016 presidential election. Some of those named used stolen data to set up bank accounts and purchase political advertising.
The elaborate nature of that alleged fraud indicates a willingness to get highly creative with bad acts. As fraudsters become more brazen, Caldera believes it will become more important for companies to invest in systems that help them distinguish which digital partners they can trust.
“Fraud won’t go away, no matter how much technology is put in place,” he said. “It’s not going to go away, so [companies] have to build systems that are smarter.”
These smarter systems need to focus more on who the good users are, providing companies with context regarding any risks they could pose. Developing a strong understanding of the parties involved could provide a more accurate understanding of trust in the digital age, Caldera added.
“My hope is that we continue to evolve in our understanding of users based on digital representations,” he said. “Currently, there is a lot of information that can be associated with digital identities, and as technology continues to evolve, that identity definition becomes richer and more accurate.”
Smart Compliance for Stronger Digital Profiles
It’s one thing to confirm that a consumer is who he says he is, but it’s an entirely different matter to ensure that consumer is authorized to use the account, payments credentials or profile data he is presenting — and to verify that usage is in pursuit of a legitimate business purpose.
Companies need smarter compliance solutions to help them address this wide range of identity verification needs, Caldera said.
“It all boils down to the premise that the more [companies] know about the person they are dealing with, the better [they] can adapt those compliance and risk processes,” he said.
Automated solutions can work to verify both company and user identities by running new customers through a layered, real-time KYC check. These security layers are intended to create a more thorough understanding of the customer through a long-term profile.
Building an electronic profile of a customer based on past interactions and experiences can also help relying parties determine customer trustworthiness. Creating what IdentityMind calls an “electronic DNA” (eDNA™) profile can offer insights into his or her long-term behavioral changes, thereby helping FIs and merchants assess associated risks.
“From a compliance perspective, it’s critical to understand how that user evolves and how that user behaves over time,” Caldera explained, adding that knowing the customer only becomes more complicated as business moves across borders.
Rethinking Risk-Based Systems
Traditional KYC and anti-money laundering (AML) protocols typically account for known risks, but they might not offer a complete picture of whether a specific customer or company is trustworthy. Caldera contends that can only be done if a relying party is using a richer profile based on an analysis of a user’s or company’s information — including email addresses, phone numbers, geolocation, financial activity records and others. IdentityMind is working to deliver that by storing its eDNA profiles in a “reputational database,” including digital identities that interact with various clients, individuals or companies.
The eDNA profiles are designed to help clients understand who to trust early in a relationship, enabling companies to understand whether new customers are good or bad actors. A good client’s eDNA evolves gradually over time based on transaction activity, Caldera explained, and a bad client’s eDNA is easy to detect because it “evolves quickly and erratically.”
Older models can present an incomplete picture of circumstance-based risk. This narrow focus has allowed such systems to become outdated, potentially alienating trustworthy companies or individuals based on unique behavior patterns. Through eDNA assessment, companies can update older, risk-based models and better understand the risk presented by a specific entity.
“Many fraud prevention technologies focus on conditions of risk on a given transaction without the context of the user behind that transaction, which leads to too many false positives,” Caldera said. “If I have been a good customer for years, then the risk of the transactions I perform should be inherently less risky. The key is to know that I am really behind those transactions, and not a fraudster pretending to be me.”
Building a database of trustworthy users also adds context to the risk of a transaction.
“That concept shifts how we think about risk and how we think about fraud,” Caldera noted.
While fraud shows no signs of slowing down, the ability to better distinguish trustworthy partners from untrustworthy ones will no doubt be a valuable business tool in the digital era.