Assessing Digital Identity — You Need to Ask “Who?” AND “Why?”

As customer interactions go completely online, digital identity verification and authentication help — but sophisticated authentication can’t stop all types of fraud

Most financial institutions have experienced a fast and very thorough transition to digital customer interactions. That seismic change continues to create inherent risks that banks must address in complex and creative ways. But as a fraud fighter, two related risks stand out from the pack immediately for me.

  1. Is this customer who they say they are, and how can we verify that identity in the new digital world?
  2. Why is this customer performing a specific action or task? This is a much more contextual and complicated thing to unravel.

The risks of answering either question wrong should encourage financial institutions to rethink a few things, including:

  • How and when they authenticate customers
  • How they determine whether a customer’s behavior signals potential for fraud or whether the customer is the potential victim of a scam
  • What actions to take in response

Adam Davies on digital identity verification

 

Weight Behavior Over Identity

Digital identity authentication has become crucial when designing frictionless experiences for anything from real-time payments to simple account access. More than ever, verification throughout the customer lifecycle is necessary not only for fraud management and regulatory compliance, but also to stop legitimate customers from participating in fraud — whether intentional or not.

Authenticating a customer with credentials or even biometrics at the point of entry is great, if the risk we are protecting against is Account Takeover fraud (ATO). However, if the customer themselves is being scammed, we can’t rely on that alone.

Reconfirming an identity to authorize a transaction, like a large outgoing transfer, doesn’t really prevent fraud when the individual thinks they are doing something legitimate. If FIs are to protect themselves from the fallout of scams, they need to establish baselines for normal behavior: what the customer archetype is, and what the expected behavior is versus the behavior being observed.

Financial institutions can then compare live behavior data against those baselines and detect anomalies. Anomalies can be examined and categorized according to established models, like the U.S. Federal Reserve Fraud Classifier, to determine quickly whether there is fraud and which type.  

Ultimately, deciding whether the exposure is authorized or unauthorized isn’t a single decision. It requires making a combination of decisions across the customer journey. Reviewing a “snapshot” moment doesn’t work as well as understanding the decisions made at each point in the journey, and driving the next set of decisions based on prior outcomes.

We’ve Been Playing the Game “Guess Who?”

As digital transformation took hold, fraudsters embraced technology to scale their attacks. To mitigate identity and ATO fraud, banks have deployed many identity management capabilities like authentication, biometrics, behavioral profiling, decisioning and declines/holds.

This allowed us to start playing a game of “Guess Who?” with questions like: is the customer the one initiating these events or is it someone/something pretending to be them? A lot of effort has gone to solving these issues, with layers focused on authentication through various tests to prove that the real person matches their digital identity. Fraudsters have made an industry out of trying to defeat these tests – and while there’s always room to improve, we’ve gotten pretty good at it as an industry. 

Integrate Decisioning to Answer “Guess Why?”

A crucial part of the shift in thinking comes from having an additional mindset. Beyond “Guess Who?” the focus has to equally emphasize “Guess Why?” This means banks need to look at a customer’s action in context to determine whether it signals a scam.

All the identity checks and controls will quickly confirm the answer to the “Guess Who?” question. But since credential and identity checks may prove insufficient on their own, FIs can turn to integrated decisioning across the customer journey to ascertain what a digital identity is doing.

They need capabilities to profile individual behaviors, the ability to pull in applicable third-party data to support decisions, and a system to review all events in 100% real time. With this framework, FIs can effectively take false positives and assess for authorized fraud/scam exposure. The bank’s line of thinking should be something like:

“I know it’s my customer, but WHY are they behaving like this? WHY are they behaving differently from other customers in their archetype? WHY are they doing it at this moment? WHY are they sending money to this beneficiary?”

Here are some examples of the types of questions we should be asking of the data, and solving for through decision strategies:

  • Why is this customer logging in now, when they normally access their account at different times?
  • Why are they on web when they normally use mobile?
  • Why did they go to a branch to withdraw cash, when they normally use ATMs?
  • Why are they taking more (or less) time to do something than normal?
  • Why do they want to send money to this new beneficiary?
  • Why do they want to send this amount of money?
  • Why do they want to move this money now?

FIs can see this and ask whether this odd behavior is authentic, or is indicative of authorized or unauthorized fraud.

Add Third-Party Data for Context

Data does not magically appear when and where it’s needed. FIs need to combine their customer data with both live customer behavior data and third-party data for a richer set of contextual variables to answer the questions “Guess Who?” and “Guess Why?”

For example, third-party data might show if there are established relationships between a customer and their payees. Or it might provide insight that a user downloaded an app that has been red-flagged for scams, like TeamViewer, or that someone has been on the phone for 45 minutes while connected to the online session for the last 10 minutes.

This additional web and app behavior provides the digital breadcrumbs FIs need to detect fraud in the moment – and contact the customer to stop it.

When banks detect behavior that suggests fraud, classifying it properly leads to appropriate follow-ups. These might include extra authentications, live information checks and tests, and even interviews with fraud analysts before a customer can proceed to the next step in their journey.
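As an added example (not FICO’s code or model), the sketch below turns the “Guess Why?” questions and the third-party signals described above into checks against a per-customer baseline, then maps the result to one of the follow-ups named in the text. The field names, sample values and the rule for classifying authorized-scam risk are assumptions made for illustration.

```python
from dataclasses import dataclass

@dataclass
class Baseline:                      # per-customer profile built from history
    login_hours: range
    channel: str
    beneficiaries: frozenset
    typical_max_amount: float

@dataclass
class Event:                         # one live payment attempt
    authenticated: bool              # the "Guess Who?" answer
    hour: int
    channel: str
    beneficiary: str
    amount: float
    remote_access_app: bool = False  # third-party/device signal (assumed feed)
    on_phone_call: bool = False      # third-party/device signal (assumed feed)

def why_flags(b: Baseline, e: Event) -> list:
    """Return the 'Guess Why?' questions this event raises against the baseline."""
    checks = [
        ("unusual_time", e.hour not in b.login_hours),
        ("unusual_channel", e.channel != b.channel),
        ("new_beneficiary", e.beneficiary not in b.beneficiaries),
        ("unusual_amount", e.amount > b.typical_max_amount),
        ("remote_access_app", e.remote_access_app),
        ("active_phone_call", e.on_phone_call),
    ]
    return [name for name, hit in checks if hit]

def decide(b: Baseline, e: Event) -> tuple:
    """Classify the exposure and pick a treatment. Thresholds are illustrative."""
    flags = why_flags(b, e)
    if not e.authenticated:          # identity in doubt: unauthorized (ATO) path
        return "unauthorized_risk", "step_up_authentication", flags
    coached = {"remote_access_app", "active_phone_call"} & set(flags)
    if "new_beneficiary" in flags and (coached or len(flags) >= 3):
        return "authorized_scam_risk", "hold_and_analyst_interview", flags
    if flags:
        return "review", "live_information_check", flags
    return "normal", "allow", flags

# Constructed sample data, not real customer records.
BASELINE = Baseline(range(18, 23), "mobile", frozenset({"landlord", "utility"}), 1500.0)
ROUTINE = Event(True, 19, "mobile", "landlord", 900.0)
SCAM = Event(True, 11, "web", "new-payee-001", 9500.0, True, True)
TAKEOVER = Event(False, 3, "web", "new-payee-002", 4000.0)
```

The SCAM event passes authentication and is still stopped: the decision comes from the behavior and context signals, not from the identity check.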

Better Transaction Security Through Decisioning

Because digital transactions have become so prevalent, FIs will always need to know going forward whether any customer’s behavior deviates from their norm. If it does, FIs will need to determine whether there’s fraud and what sort of fraud it is.

To effectively authenticate and authorize a customer for any activities, FIs should:

  • Deploy decisioning models that include customer behavior, but are tailored specifically for each exposure type. For example, standard fraud models will typically not perform well at detecting scams.
  • Identify which customers have the most potential to be victims of varieties of fraud/scams, segment those customers into different archetypes, and tailor controls & treatments specifically to those segments.
  • Determine what type of authentication or authorization methods will most benefit and protect those customers when unauthorized fraud is in play.
  • Educate customers to make them more aware of how to protect and verify their identities, and add sensible friction back into authentication activities, especially related to payments.
  • Educate customers on the risks of scams and tailor the message specific to the type of scams they might face.
  • Have more ways to engage with the customer across each customer journey and understand how to tailor the treatment depending on whether the risk is authorized or not.

By pulling in the right third-party data; using distinct modelling approaches for authorized and unauthorized exposure; and leveraging flexible orchestration, profiling and decisioning; FIs can sequence very specific controls across the customer journey. They can also deliver positive customer experiences that ensure the customers feel protected and give the bank the best way to minimize losses.
