How to formulate a suitable identity proofing strategy
In this podcast, Matt Johnson, Product Marketing Manager at TransUnion, talks about identity proofing and navigating identity during changing economic dynamics. By the end of this session, you’ll have an understanding of how to formulate an appropriate identity proofing strategy to meet the needs of your customers and online channels.
Here’s a transcript of the podcast for your convenience.
Hi, I’m Matt Johnson, Product Marketing Manager for Fraud and Identity at TransUnion. In this Help Net Security podcast, I’ll be speaking about identity proofing and navigating identity during changing economic dynamics. By the end of this session, you’ll have an understanding of how to formulate an appropriate identity proofing strategy to meet the needs of your customers and online channels.
What is identity proofing?
At its core, the concept of identity proofing seems simple. Identity proofing is the means of verifying and authenticating the identities of legitimate consumers while preventing fraudsters from curating account credentials, transacting or gaining access to unauthorized accounts. But this is where the simplicity ends and where the balancing act of delivering the modern friction right experience that consumers demand against the risk of fraud begins.
Evolution of attack vectors
As data breaches have grown in size and scope over recent years, the vectors of attack have evolved, as fraudsters obtained large amounts of consumer information. Here’s a few trends that are worth noting. Through Q3 of 2019 there were 7.9 billion exposed consumer PII records, an increase of 33% over the same period in 2018.
Synthetic identity fraud continues to be a threat and is still on the rise, and fraudsters are turning to more sophisticated techniques including device simulators, botnets and anonymization to attack vulnerable organizations. Now, as these threats have increased in size and scope, consumers have also simultaneously been increasing their transaction volumes within digital channels.
The COVID-19 pandemic placed unprecedented demands within online channels, and has caused immediate changes in shopping patterns, along with an unprecedented spike in digital transactions. In fact, according to TransUnion data, there was a 23% increase in e-commerce transactions in just the first week after the declaration of the COVID-19 pandemic on March 11th, 2020, and at the time of this recording, a 14% increase in risky financial services transactions.
The shift to digital transactions has been steady in recent years, but some industries such as insurance and even still many financial institutions, have not kept pace with the desire of their customers to move online. The current world issues are serving as a catalyst, forcing this migration as the shift that digital transactions has now been brought forward and is accelerating, with all indications of this being a permanent change.
The changing face of fraud
Many organizations have found that their infrastructure has not been able to scale to meet the increased demand from their customers, most visibly resulting in online outages for financial institutions. With increased transactions and faceless channels, the opportunity for fraud has also increased.
Fraudsters thrive on the uncertainties of today and the foreseeable future and are leveraging the world events for fresh attacks on organizations that are least prepared. Nearly every company has taken measures to assure some level of certainty of who they are doing business with, driven in part by regulations and rules such as know your customer or KYC, anti-money laundering and OFAC guidelines depending on your industry.
But many organizations have been hesitant to go beyond the minimum compliance requirements. Acquiring a customer is challenging enough, without inserting the additional friction into the fraud prevention process. Some organizations have even been willing to accept some level of fraud, simply writing it off as the cost of doing business.
Combating today’s evolving threats
Fraudsters talk with one another and know who to attack and how to best carry it out. Many companies are not prepared to confront the issues created by the new realities of today. In a normal environment, as new threats have emerged, organizations have typically deployed a myriad of siloed solutions that focus primarily on identity verification to establish identity and knowledge-based authentication to authenticate the individual is who they claim to be.
While it has met the requirements to comply with regulations, this structure has been less than ideal, as fraudsters have increasingly been able to defeat it with breached PII data, necessitating organizations to make that tradeoff between customer experience and locking things down with tighter fraud prevention measures.
Perhaps you’re nodding your head in agreement with this trade off, but it doesn’t have to be this way. Combating today’s evolving threats while being ready for the unexpected is no longer a choice, it’s a necessity.
Protecting your business
Consumers are demanding seamless and safe digital experiences and will seek out organizations that will allow them to do business on their terms and in their preferred channels. You can’t afford to lose business due to outdated or cumbersome fraud controls and not being able to meet your customers where they want to do business. So, this begs the question, how can you protect your business and customers while delivering a friction-right experience, even when the bad actors have perfect information and sophisticated techniques?
Fortunately, it’s possible to deliver that great experience for your customers, without having to make that compromise or tradeoffs. Everything hinges on your identity proofing strategy and more specifically how it is structured along with how you deploy it.
Let’s discuss some best practices to ensure your organization is ready. First, given the rapid shift to online channels, you should consider accelerating any planned investment for your digital channels, as the current world events will bring forward a major shift in how consumers transact, requiring new resilient and innovative business models and workflows. If you don’t have the capacity to serve your customers and they experienced service interruptions, trust can erode from your organization.
As it pertains to identity proofing, as I mentioned, it’s complex. It’s not a good idea to go it alone and attempt to build your own solutions against fraudsters that are experts in finding ways to defeat your countermeasures. In fact, their livelihoods often depend on it. It’s better to partner with a vendor that is dedicated to the cause so that you can focus on your core business.
Identity proofing strategy foundation
The foundation to any good identity proofing strategy is data. You should seek out a partner that has the depth and breadth of diverse public records, consumer credit, personal and digital identity data sources. With this foundation of data, it’s also necessary to possess the expertise, to apply technology to make linkages within the data to enable actionable insights. You can have all the data in the world, but if you can’t take any insights from it, it’s not very useful.
Which solutions do you need?
So, with a strong data foundation, let’s talk about which solutions you need to have. A successful strategy will require multiple solutions, but you don’t want to just add additional point solutions alongside your current mix to solve any challenges you may be having. This can result in suboptimal customer experiences with high false positives and your fraud catch, and increase the latency of transactions.
The best practice is to seek out a holistic solution that can orchestrate all of the necessary solutions for your business together. This approach offers a contextualize and multilayered understanding of a consumer to enable trust and delivery friction-right consumer identity proofing and authentication experience that optimizes convenience and security.
Traditional identity verification and knowledge base authentication solutions are still an important part of the mix, but they are no longer the strategy itself. A modern approach should also include digital attribute risk assessment from the device that is being used, document-centric identity authentication, real-time fraud alerts, behavior analysis, reputation and link analysis, along with dynamic multifactor authentication strategies that are aligned to transaction risk.
You should be able to truly know your customer and quickly approved trusted customers while applying appropriate friction to the higher risk transactions. This results in treating each customer individually rather than everyone in the same manner.
With these solutions in place, let’s discuss the linchpin to enabling everything to work in tandem, providing the strongest decisioning available, and that’s orchestration. Orchestration ties everything together, ensuring low latency times, a precise and accurate picture of a consumer and the risk, and the ability to apply the right level of friction tailored to each individual transaction. The best identity proofing strategy leverages tools that are orchestrated together as a full stack, not simply enabling Bring Your Own Disparate Solutions under a unified orchestration layer, that may only simplify your technical integration.
While account opening is the logical place for identity proofing measures, your business should also shift the proactive continuous risk assessment to monitor account behavior, anomalous consumer behaviors, and flag suspicious transactions in real-time. This will protect against the account takeover, new account fraud, synthetic identity fraud, identify potentially fraudulent transactions or unauthorized account use.
Partner smart to ensure compliance
Finally, it’s essential to work with a partner that has support on the ground in the regions where your business operates, to ensure ongoing regulatory compliance anywhere in the world. With growing privacy awareness by consumers and ever-changing regulatory and compliance regulations, such as GDPR, PSD2, KYC, AML and OFAC, along with others, you can minimize your exposure to running afoul of them by leaving it to a partner that can manage it for you.
Orchestrated identity proofing strategy
The last thing you want to end up with is being in the headlines and enduring reputational damage for violating any of these regulations. So, if you partner with an organization that’s able to deliver an orchestrated identity proofing strategy, here’s what you’ll have to look forward to.
First, you’ll be able to truly identify the identity of new customers creating accounts. You’ll also be able to identify and immediately clear good returning customers. You’ll be able to identify returning customers that may have higher risks, such as coming from new devices or wanting to change account information, and applying appropriate friction via authentication strategies.
You’ll increase your identity proofing match rates through linkages and analytics. You’ll stay ahead of evolving threats with security and solutions that are designed to keep you one step ahead. And most importantly, you’ll increase conversions and revenue from delivering the experiences that consumers expect. You invest heavily in your customer acquisition and retention strategies. Ensure you aren’t driving attrition through antiquated identity proofing strategies.
TransUnion’s uniquely positioned to assist organizations like yours attain these objectives through a modern identity proofing approach. For more information and helpful insights, including webinars and case studies, please visit us at transunion.com.