Monday, September 10, 2012

Assessing Incremental Risk of Online Fraud – A case study



Business Scenario / Pain point:

Online applications for consumer banking (for example deposit accounts such as checking or IRA accounts, and credit lines such as credit cards, student loans or home loans) are usually long, and the customer needs to have several data points at hand before being able to fill out the application completely. At the same time he/she also needs to make certain decisions as part of the process. If the customer is not able to finish the application in one attempt, the following business problems arise.



  • Customer dropout
  • Inability to leverage the partially completed process in the future.
  • Increased follow-up calls from the Sales Team
  • Increased traffic to customer care from the customers.
  • Bad consumer experience
  • Increased cost on other channels to support spillover from the online channel.

High Level Business Solution:

Develop online applications that can be saved by the user and later reviewed (resumed) for completion. On saving an application, the consumer must be made aware of the steps for a successful review.

Why is there a possibility of more risk of fraud?

Online applications usually tend to capture sensitive customer banking data and customer identity information, to enable a shorter process and easier follow-ups during underwriting decisions. Sensitive banking information may involve financial details such as banking partners, account numbers and account balances, while identity-related information includes name, date of birth, contact information etc. The application may also contain other sensitive information about joint applicants, beneficiaries, employer details etc.

These information elements have been used for various crimes such as impersonation, identity theft and fraudulent transactions, both where the bank is directly liable for the losses and where the user loses money via bogus or unintended transactions.

Based on the above, the business solution is incomplete, and a more holistic fraud review is required to assess whether the proposed solution poses any additional (incremental) risk to the bank and its users.

Different organizations can have different checklist items to arrive at Fraud Mitigation Objectives. These checklist items may be based on the following parameters:

  • Complexity of the solution
  • Risk management practices of the organization
  • Volumes & Frequencies of fraud using online channel
  • Sensitivity of the collected information in the application
  • Propensity of the collected information in the application to be misused, etc.

However, for our case we will assume some basic and common review items to elaborate the concept and process.

Fraud Mitigation Components / Objectives to the Business Solution

  • To ensure that a user (potentially a fraudster) has to provide identity information in order to review a saved application.
  • The process should identify, log and track the user or source at application submission.
  • To ensure that the process does not divulge sensitive information in an insecure manner
  • Limit the number of opportunities for the fraudster
    • In terms of unsuccessful attempts
    • In terms of duration after which the saved application expires (deleted)

Incremental fraud Assessment

Let us also understand the possible ways or avenues that are now open to a fraudster to commit online fraud.

  • Account Credentials Take Over

    Fraud Enrollment:

    The fraudster can identify themselves as an existing customer, access a saved application via one of the available interfaces, and submit the application; this would be a case of fraud enrollment.

    Phishing:

    Alternatively, the fraudster can gain access to an existing user's credentials via phishing or similar means and try to complete a saved application by logging on to secure banking.

  • Email Take Over

    Email Hack:

    The fraudster gains access to the user's mailbox, and hence to the email that is generated after the application is saved.

Please note that Account Credentials Take Over is an existing avenue for online fraud and is independent of the save solution; hence it does not pose an incremental risk.

Fraud Mitigation Steps

To Address Fraud Objective 1:

Include multiple information points, some of which must be hard to obtain, as part of both avenues. The Social Security Number is one example; full name, date of birth and phone numbers can be other such information points.

To address Fraud Objective 2:

On application submission, record the IP address of the submitting system. Track IP address, customer name etc. across multiple application submissions and trigger internal flags.

To address Fraud Objective 3:

Specifically in the case of email, no information related to identity should be shared. The email could also carry 2 or 3 random word phrases that act as additional one-time identifiers.
In the case of direct access to the online application, if the user is providing the banking credentials, the SSN, date of birth and actual email on record can be hidden (masked), so that a fraudulent user never gets to see this information.

To address Fraud Objective 4:

Automatic lock-out of credentials or deletion of the saved application after a certain number of tries, and deletion of un-reviewed applications after a stipulated period of time, are some of the additional features of the solution.

Low Level Solution

Save Process:

When the user saves an application, determine whether they have provided a minimum set of data that can be used to identify the applicant. Make sure this minimum data is a mix of easy, moderate and hard pieces of information, so that only the right person has easy access to all of them. Save the application for a stipulated period of time. Make sure the email does not contain application data. Add additional code phrases (preferably more than one) to act as a second level of authentication apart from the minimum data.

Review save Process: 

Request all of the minimum data and the additional codes from the email. Allow a restricted number of incorrect tries and delete the application if the limit is breached. Flag the user for sales follow-up and notify the user on their preferred communication channel. Capture the IP address and report the issue to the internal fraud team for further investigation in the case of incorrect tries.
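As an added example (not code from the original post), the save and review-save process above, covering Fraud Objectives 1 to 4, implemented as a small Python store: identity answers and code phrases are kept only as hashes, the email carries no application data, incorrect tries are counted and reported with the caller's IP, and the saved application is deleted on lock-out or expiry. The field names, word list, limits and the fraud-event feed are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

# Constructed policy values for the example; a real deployment takes these from its fraud policy.
MAX_TRIES = 3                      # incorrect resume attempts before the saved app is deleted
TTL_SECONDS = 14 * 24 * 3600       # saved apps expire (are deleted) after 14 days
IDENTITY_FIELDS = ("full_name", "date_of_birth", "phone", "ssn_last4")   # easy -> hard to obtain
WORDS = ["maple", "river", "copper", "falcon", "tundra", "quartz", "harbor", "lantern"]

def _digest(*parts):
    """Hash identity answers / code phrases (normalised) so the store never holds them in clear."""
    return hashlib.sha256("|".join(p.strip().lower() for p in parts).encode()).hexdigest()

class SavedAppStore:
    def __init__(self):
        self.apps = {}            # app_id -> {identity_hash, code_hash, form, saved_at, tries}
        self.fraud_events = []    # stand-in for the feed to the internal fraud team

    def save(self, form, ip, now=None):
        now = time.time() if now is None else now
        identity = [form.get(f, "") for f in IDENTITY_FIELDS]
        if not all(identity):
            raise ValueError("minimum identity data missing; application cannot be saved")
        codes = " ".join(secrets.choice(WORDS) for _ in range(3))   # one-time code phrases
        app_id = secrets.token_urlsafe(16)
        self.apps[app_id] = {"identity_hash": _digest(*identity), "code_hash": _digest(codes),
                             "form": form, "saved_at": now, "tries": 0}
        self.fraud_events.append({"event": "save", "app_id": app_id, "ip": ip, "at": now})
        # The email carries only the resume link and the code phrases, never application data.
        return app_id, {"to": form["email"], "body": f"Resume: /resume/{app_id}\nCodes: {codes}"}

    def resume(self, app_id, answers, codes, ip, now=None):
        now = time.time() if now is None else now
        app = self.apps.get(app_id)
        if app is None:
            return None, "not_found"
        if now - app["saved_at"] > TTL_SECONDS:
            del self.apps[app_id]
            return None, "expired"
        given = _digest(*(answers.get(f, "") for f in IDENTITY_FIELDS))
        if (hmac.compare_digest(app["identity_hash"], given)
                and hmac.compare_digest(app["code_hash"], _digest(codes))):
            return self.apps.pop(app_id)["form"], "ok"
        app["tries"] += 1
        self.fraud_events.append({"event": "bad_resume", "app_id": app_id, "ip": ip, "at": now})
        if app["tries"] >= MAX_TRIES:       # limit the fraudster's opportunities
            del self.apps[app_id]
            return None, "locked"
        return None, "denied"
```

The fraud_events list is what an internal team would query to spot one IP address hitting many saved applications (Fraud Objective 2).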
