How can banks prevent identity fraud?

Tim Bedard, Director, OneSpan, provides his advice on how banks can prevent identity fraud and gain the upper hand during a time of increased cyber attacks

Cyber attacks on banks and financial institutions (FIs) are growing in volume, complexity, and speed. Ongoing threats are costing billions: the Home Office estimates that economic crime within the UK’s financial sector is worth £14.4bn each year, and cybercrime victims lost £34.6 million between April and September in 2018 – an increase of 24% from the previous six month period.

Ever more regular data breaches are leaking personally identifiable information (PII) across the web, and thanks to this, it’s increasingly simple for criminals to open new accounts using stolen information, making identity theft easier to perpetrate than ever.

Considering the velocity, scale, and impact of today’s cyber attacks, let’s look at the current fraud landscape and, most importantly, the technology set to help banks fight back.

Fraud is growing…

Fraud is costing companies billions and the nature and sophistication of attacks are growing. A recent report by the Financial Conduct Authority estimates the UK financial services industry is spending over £650 million annually in dedicated staff time to combat fraud and other financial crimes. Given that this excludes costs such as IT investments in fraud detection and prevention, the real number is likely far higher. What’s more, Forrester forecast that global spending on fraud management solutions is expected to double in the next five years, hitting more than £7.6 billion by 2023.

For FIs, spending on fraud prevention continues to prevent losses from growing at a much faster pace than they otherwise would. Yet, today’s fraudsters are organised, sophisticated, and can quickly pivot to take advantage of new platforms, operating systems, and device weaknesses. Combined with massive data breaches and social engineering, bad actors are more aggressive and quicker to change tactics as directly compared to traditional fraud prevention solutions. As a result, the number of attacks is exponentially growing and outpacing fraud management solution spend.

… as is the risk of identity theft

The likelihood of having your identity stolen is higher than you may think. According to Cifas, 2017 saw record levels of identity theft. Victims of data breaches are even more likely to be affected, which is concerning given their regularity. For example, in the aftermath of the 2018 Ticketmaster breach, customers were warned they could be at risk of identity theft, and hotel chain Marriott offered free identity theft monitoring services to victims of its breach that involved 5.3 million unencrypted passport numbers. It’s clear that the threat is real.

As financial institutions shift to digital channels to better serve customers, this creates challenges in verifying identities effectively. Data breaches are exposing more and more personally identifiable information (PII) across the web, making identity theft easier to perpetrate. The notorious Equifax breach saw fraudsters expose the social security numbers, birth dates, and addresses of more than 140 million people. This is static information traditionally required for identity verification, so breaches like this highlight the weaknesses of relying solely on these kinds of data.

So, what’s the solution?

Data breaches show no signs of stopping any time soon, and the consequences – namely, identity theft exposure – should force banks to take a critical look at legacy processes and solutions. The good news is emerging risk-based technologies and modern identity verification can help banks overcome these.

A risk-based approach is key

It’s increasingly difficult to identify fraud across multiple digital channels, and rule-based fraud detection simply can no longer keep up with the speed and scale of today’s fraud. To stay ahead, organisations need to utilise the likes of AI and machine learning to analyse data with context across devices, applications, and transactions with little manual input. By taking a risk-based analytics approach, organisations can detect complex fraud patterns that are difficult for analysts to manually identify.

Creating context-aware identity verification

Financial institutions have traditionally relied on credit agencies for identity verification. The downside to this approach is the static nature of personal information: if stolen, it’s all too easy for bad actors to open a new fraudulent account. It’s therefore clear that FIs can no longer depend on such an outdated approach to verifying customer identities.

By combining traditional identity verification methods with advanced risk analytics, organisations can achieve context-aware identity verification. This will allow banks and financial institutions to make security decisions in real-time based on the total risk associated with a new customer. This technique leverages a variety of checks, including real-time account checking, ID document capture and biometric verification. Ultimately, this approach enables organisations to review and analyse multiple pieces of information from different sources and across multiple digital channels – whether that’s web, mobile, branch or call centre in order to better manage their risk of fraud.

The rapid growth of digital banking channels, alongside the relentless threats of cyber attacks certainly creates new challenges for banks and financial institutions to effectively verify identities. But put simply, if banks do not address legacy processes and solutions they will continue to fall victim to account takeover and new account fraud for years to come. A risk-based approach to analytics, combined with identity verification, allows organisations to make security decisions in real-time and ultimately, better detect new and emerging fraud.