It seems like there’s a news story almost daily about data breaches involving retailers, credit bureaus, or government entities. While many of the stories focus on the immediate consequences for consumers, the downstream effects of these data breaches can wreak havoc on online lenders and their customers.
The trouble for lenders often starts when fraud teams respond too aggressively to a major data breach. By setting overly conservative identity verification screening rules, for example, lenders can end up rejecting good customers, resulting not just in the loss of immediate business but also the potential for long-term customer revenue. Once they are denied a loan that they probably should have been approved for, customers are unlikely to return and certainly won’t be likely to recommend the lender to others.
While it’s a difficult balance to strike, there are proven methods for lenders to confidently verify a customer’s identity in the era of constant data breaches. Here are three rules of thumb:
#1. Assume every identity has been compromised
In the first half of 2017, the number of data breaches climbed 29 percent. From the Republican National Committee contractor whose breach exposed voting data on nearly 200 million Americans to Verizon’s breach that affected more than 14 million customers, data hacks are increasing in frequency and severity across all industries.
The recent breach of credit reporting giant Equifax is another example. Reported by the Wall Street Journal as the largest social security data breach in history, approximately 143 million U.S. consumers’ confidential data, including social security numbers, names, birth dates, and addresses were compromised. What’s more, the breach exposed the credit card numbers of 200,000 consumers as well as “dispute documents” with personal information of another 180,000.
Because personal data of every kind is readily available to fraudsters, online lenders face significant identity verification challenges. They need smarter systems to allow borrowers to use their own (likely compromised) data while being able to recognize when criminals are using the same data illegally.
#2. Go beyond Social Security Numbers
For many online lenders, the social security number has long been regarded as a key indicator of identity. But if it wasn’t made abundantly clear by the Equifax data breach, social security numbers (SSNs) can no longer be a trusted piece of identity data. In fact, SSNs were never meant to serve this purpose in the first place. They were created solely as a way to keep track of an individual’s earnings for social security and benefits purposes.
So, what do you do if SSNs are a key customer identifier for your business? Start incorporating modern identifiers into your verification process. Those include home address, email, phone, and IP address. Better yet, verify all of these elements and link them back to the customer.
#3. Confirm Whole Identities by Linking Identity Data Attributes Together
While it’s easy to use and piece together stolen identity data, it is impossible to fabricate the linkages that effectively mimic a real person. Legitimate borrowers can be confirmed by verifying many identity data elements and ensuring they all connect to the individual behind the transaction, clearly distinguishing them from bad actors whose data elements won’t correlate properly.
Linkage analysis can include connecting name, address, phone, IP, and other non-personally identifiable information (non-PII) data.
Some positive signals include things like:
- an email address age of more than 720 days
- an IP address within 10 miles of the physical address
- a match between phone and address
- a match between email and name
- a match between phone and name
- a match between address and name
And common risk signals include:
- a mismatch between linked email, phone, or address details
- an email address less than 90 days old
- a non-fixed VoIP or toll free phone number
- a phone country code and physical address mismatch
- invalid phone, email, or address info
- a proxy IP address
Eva Casey Velasquez, President and CEO of the ID Theft Resource Center, which provides non-profit resources and support to victims of identity fraud, has recommended businesses take action with multi-factor authentication processes. “We are encouraging businesses to be fearless in their security,” she said. “At the end of the day, it is your customer base that you are helping.”
The rate of data breaches continues to pick up speed with no end in sight. Lenders that fortify their fraud management strategies with a multi-layer approach will be able to avoid reactive decision-making in the aftermath of a data breach.
Just because the personal data of your borrowers is available on the dark web doesn’t mean that verifying their identity is hard or impossible. It just means that basic identity data attribute verification won’t work and whole identity verification will be required. Your teams will appreciate their newfound ability to excel through the wake of the next data breach and your growing base of happy customers will be more apt to refer your business to a friend.
Tom Donlea leads the global marketing efforts of Whitepages Pro, the worldwide identity verification data provider for risk management in banking and online lending. With over ten years of online payments and risk experience, he previously was the founding executive director of the Merchant Risk Council.