ID Insight

Beware the "Black Box"

2009-12-18T15:36:00.002-06:00

Throughout the course of my career I have developed hundreds of analytical models that have been or are being used by many of the banks, credit issuers and direct marketing companies in the country. Statistical modeling is not a topic that I typically bring up at cocktail parties or in general conversation - as it it is the equivalent of administering a few doses of vicodin mixed witha shot of bourbon....zzzzzzzzzzzzzzzzz.

However - there is one topic of modeling that has interested me for many years and should be of interest to the general model consuming public. That topic is that of the "Black Box" approach to selling model based solutions.

Back in the 90's when modeling solutions were coming out of the woodwork, a variety of companies begin marketing their models and scores as their differentiator. The typical tagline was that their solutions were superior because their analytics and analytic teams were "better".

A prime example of this was the Falcon product from HNC which today still is the modeling platform for the majority of all card transactions world-wide. HNC brought neural networks to the industry and they positioned their solution as superior because of those deep analytics. And guess what - it worked! The positioning catapulted their solution to the top and they never looked back. However - if you ever asked HNC what was behind the modeling, they would tell you it was a "Black Box". That is, it was the secret sauce and could not be divulged.

A couple years later, I was presented with a similar situation. I was jointly developing a model with the old Fair Isaac (now FICO). While it was supposed to be a joint effort, when I asked to review the models and codes, their lead analyst informed me that he could not divulge. I asked why not, and he told me that it was a "Black Box", could not be divulged and I probably could not understand anyway. As a trained statistician, all I heard was - "We're smart and you are stupid".

That is when I began to become fixated on the implications of the "Black Box" approach to marketing scoring based solutions. At the time, FICO positioned themselves as the "Gold Standard" in modeling. However, their prospects, clients and competition were referring to them as the "Four Letter F Word". I do think that over time, this has led to their market erosion and loss of credibility.

Most of the people I have ever met from HNC or FICO are, indeed, very smart people. However, when you take the "Black Box" approach to positioning scoring solutions - I think you are jeopardizing your brand and doing a disfavor to your people. After repeatedly hearing "We're smart - you're stupid", eventually people grow tired of it. After all - I don't think anyone likes to be told that they're stupid or incapable of understanding. Especially when it is not true. There are tens of thousands of modelers out there who know exactly what I am talking about.

I have always been a firm believer in transparency in the modeling and scoring process. As solutions providers, we exist to solve problems and provide value. When we throw up the "Black box" it undercuts our value proposition and opportunity to be collaborators. That is why we always work closely with our clients and give them deep understanding of what it is that drives those models. This does not mean that I have to pull out the source code or hand over the actual model on a silver platter. We all need to protect our Intellectual Property. However, this transparency secures a position of collaborator and partner. It also leads to deeper understanding from our clients about what is driving their business.

Transparency in modeling and scoring is becoming more routine over time, as model developers and users understand that it is one piece of the solution. However, it still amazes me that there are some select companies today that are positioning the "Black Box". I welcome that competition. I have to say that I don't mind my competitors positioning themselves as "We're smart - you're stupid".

A.E>>>

When Will the Madness End?

2009-11-02T09:58:00.003-06:00

For a fourth time, the FTC postponed the Red Flag compliance deadline for non banking regulated companies. The original deadline was to be November 1st, 2008. It was set to go live on November 1st, 2009 and now they have pushed it back to June, 2010.

http://www.networkworld.com/news/2009/110209-layer8-ftc-red-flags.html

This new compliance requires non banking institutions that could be exposed to identity theft to put in new procedures to detect and mitigate identity theft. For example, health care. Medical identity theft is growing as people are using stolen identities to receive medical services in a victim's name. You can see that it might be a good idea to have health care providers to makes sure that doesn't happen.

Dear Mr. Elliott, we see that you owe us $25,000 for a liposcution treatment that you received in Los Angeles". Huh?

According to the press release, the 4th delay was caused by members of congress saying that the new compliance is not well understood and we should not punish companies. Huh?

Since when did making sure that companies that receive confidential identity data use it wisely become unfair. In the credit card world, for anyone receiving credit card information - they must be PCI compliant. They must have standards in place to make sure that do everything possible to minimize credit card numbers from being compromised.

However, when it comes to a persons identity, we once more say that this isn't as important. Ironic. If your credit card is compromised, the consumer has a $50 liability and that's the extent of the damage. If your identity is stolen, you may have years and thousands of dollars expended before you can clean it up, if ever.

Priorities? In the meantime, identity theft rose again in 2008 and all expectations are that they will rise again in 2009.

A.E>>>

Fox Guarding the Hen House?

2009-11-02T09:31:00.002-06:00

This is the last topic I thought I would be writing about, but in the past few weeks it has caught my interest in a big way.

A few weeks ago, a colleague of mine that works for a regional high speed internet provider called me to ask if ID Insight maintained information about which households in the country have high speed internet access? When I asked why, I didn't realize how this would lead me on an odyssey canvassing the government, the Obama Stimulus package and a lot of bickering.

The Broadband Stimulus Package is a $7.2 Billion grant program that is part of the American Recovery and Reinvestment Act. Remember: Cash for Clunkers? Ya - that one. Anyway - the Broadband stimulus is intended to bring high speed internet to the hinterlands of rural America.

The way the grant works is generally as follows. If you apply and receive a grant, the government will subsdize 80% of the costs to bring high speed to a particular area. So, if you are a regional operator and it would normally cost you $5 million to lay down the fiber, cable, etc... now it will only cost $1 million. Obviously, this can be very lucrative for the carriers and enable high speed to areas where it may have previously not been possible.

Here's the kicker. To receive a grant, the applicant must demonstrate that an area is under-served. Here's the second kicker. The data does not exist. So how do you get the data? Enter Connected Nation. This non-profit was formed to obtain the data and information needed. They do this by working directly with the carriers to obtain their subscriber lists and develop these broadband maps.

Sounds logical on the surface - right? However, when you do a deeper dive, you find the following. Connected Nation was formed and is managed by the biggest telcos in the world. You know 'em - AT&T, Comcast, Verizon, etc....

So here's the rub. Many smaller and regional telco's are vying for the grant monies, but they don't have all the data. When they apply, the big telco's are now protesting those grants saying that the area is "served". They then hold up Connected Nation as their proof. The regional carriers are left to try to disprove. Their motive is to not allow competition where they don't want it.

The regional carriers and municipalities are furious. And they should be. Why should the major carriers be able to control who goes where and stifle competition? Connected Nation lobbied for this data requirement, and then turned around and lobbied for a separate grant of $350 million to collect the data themselves. Wow!

This saga will continue to play out in the weeks and months to come. Attached is a recent report issued on Connected Nation.

http://www.ntia.doc.gov/broadbandgrants/comments/61BC.pdf

Also - we have a little secret. We have already compiled the data, and it was not collected through the major carriers. It cost us just a trifle less than the $350 million that the government just set aside. Shhhhh. Don't tell anyone.

Why I Depise PowerPoint

2009-09-16T16:53:00.006-05:00

It seems like we live in a PowerPoint world these days. As a provider of financial services solutions, my day is filled with meeting after meeting and presentation after presentation. The vast majority of these meetings are over the phone - especially for those 'first' appointments.

And of course, the medium of choice is our old friend PPT. Couple that with WebEx - and you've got yourself a meeting! It is from there that it is all downhill. After spending hours and sometimes days crafting this masterpiece - the meeting kicks off and jumps right to the AGENDA. From there, you jump into the next slide, the next and so on.

All the while, your audience is on the other end and you have no earthly idea what is happening. Are they sleeping, are they listening or are they busy catching up on their last week of emails. I don't know. I do try to periodically check in and ask if there are any questions. Sometimes that gives you a clue, when there is about a 10 second pause, and then: "Sorry - I had you on mute." Or even better yet, when they put you on hold and they have some lovely music playing in the background.

When they are engaged and asking questions, it is more often than not that these questions lead me to jump past slides or abandon the carefully crafted deck all together.

Because of this - I avoid PPT at all costs. Sometimes it is the necessary evil - especially when you have a large audience and you have information that needs to be on the printed page. However, more often that not, the carefully crafted deck is useless and a complete waste of time.

Especially when you are on a first appointment and your job is not to present your latest gadget, but to listen and discover. I can't solve a problem if I don't know what the problem is or they do not understand yet what their problem might be.

To me, PPT has become a crutch for verbal vomiting and self adulation and comes at the expense of valuable dialogue. I will be speaking at a conference in October, and of course the first thing they did was send me instructions about when and how to upload my PPT. I wonder what they are going to think when I say "I don't have one".

Here's a recent blog on the best and worst of PowerPoint.

http://news.bbc.co.uk/2/hi/uk_news/magazine/8213901.stm

Latest Threat

2009-09-08T14:47:00.003-05:00

Last week we came across another fraud activity that I thought I would share. I was speaking at a conference last week and there was some discussion about one of the latest threats related to altering of a person's credit report. Not exactly new, but renewed.

The scam is as follows. The credit bureaus, by law, have to remove delinquent information from a consumer's credit report within 4 days of receipt of a valid affidavit of identity theft from law enforcement. Once the bureau has the form and the accounts that should be 'sanitized', they then have 4 days to remove.

Makes sense if, indeed, there was identity theft present. However, this is not always the case. The bureaus are finding that many of these affidavits are counterfeit or fictitious. In fact, they went on to describe that they are getting hit particularly hard in the Southern California area and that many suspected reports tend to all have Armenian surnames.

They then went on to describe how there are a bunch of credit repair companies charging hundreds and thousands of dollars to clear a consumer credit report. This is how they are clearing.

Flash forward 24 hours. As I boarded my plane back to Minnesota - I brought up a data study for a prospect - hoping to see if we could help them identify a particular fraud ring they were seeing. At first - the frauds that we analyzed did not seem to out of the ordinary. However, at second glance, we realized that they were all Armenina surnames out of..... you guessed it - Souther California.

This one is pretty scary. Scary - because they all tended to be verified, have good credit, no real fraud characteristics, etc.... Once that credit report has been 'sanitized', they are free to resume roaming and take everyone to the cleaners.

I am sure that once they steal their next batch of money, they just return to their 'buddy', re-sanitize and do it again.

Are our credit granting systems under attack? Is this a pre-cursor of things to come?

A.E>>>

Broadband Stimulus Data

2009-08-26T12:07:00.003-05:00

Over the past few weeks, we have been bombarded with requests for broadband connectivity and internet usage data. Turns out that as part of the Obama Administration's American Recovery and Reinvestment Act that $7.2 billion in Federal grant monies have been set aside to help bring high speed internet to communities without access.

For those that receive a grant, these companies and communities receive $0.80 on the dollar for all expense to provide the access. Pretty good incentive if you asked me.

However, for companies and communities to apply for the grant, they must have data and maps that shows the current connectivity and usage. That's the dilemma. That data does not exist. Why? Because only the carriers have this data and they treat as highly confidential. However - a requirement it remains.

As such, many communities and carriers have not been able to apply for these substantial grants. That is until now. We recently announced the development of the first national database of internet connectivity and usage down to the Census level geography needed.

By accessing our proprietary databases of internet users, we were able to combine with our analytics to produce the data and maps needed.

Pretty exciting stuff. Who would have thunk that a company focused on ID Theft and fraud would be creating a database to enable a computer in every home and classroom. Should be interesting watching this all play out.

A.E>>>

Data Breach Blahhhh!

2009-08-24T14:37:00.004-05:00

I just got done reading my latest article regarding data breaches.

http://www.smartmoney.com/spending/budgeting/dingbat-data-leaks/

In this article, like many others, the author discusses how data is lost, that most breaches are accidental in nature, and the fact that 50% of laptops that are misplaced have personal identifying data.

This focus on data breaches and better protections is doing little or nothing to reduce the rapid increase in identity theft. In fact - it is diverting our focus from what is the much more important issue "What can I do with the data".

If we add up all the breaches and data losses, I would imagine each of our individual ID's are out there in cyber land many times over. That is not the issue - the issue is what can I do with the data.

For example - If I simply need to present that data to open a new credit card account and they open - then this is the problem. If I can use the data to create a fictitous Driver's License which then is used in a routine traffic stop, then this is the problem. If I can use someone's data to receive medical service in the victim's name, then this is the problem.

The point is - the data is out there. While it is good practice to do all we can to secure data, it is not going to address the problem. We need to be spending our time, energies and monies on developing secure systems that do not allow someone with a print out of your personal data to take you to the cleaners.

A.E>>>

The Next Criminal Hero

2009-08-20T16:10:00.002-05:00

For years, Americans have held a deep fixation with criminals, many times transforming them into heros. Every generation seems to have their criminal heros. We can go back to the 20's and 30's with Bonnie & Clyde, Baby Face Nelson, Al Capone, etc... Then the 60's brought us our first white collar crime hero - Frank Abignail, who was the subject of the movie "Catch Me if you can".

Of course, the 70's brought us the trio of The Godfather movies, and made the Corleone's America's favorite crime family. This was followed up with copy cat John Gotti.

Then in the 80's and 90's, Kevin Mitnick (The original computer hacker)was convicted and became the posterchild for young hackers everywhere. Much like Abignail, Mitnick turned his criminal activity into a gold mine by going on the road and telling everyone how he did it.

Now - we have our next posterchild - Albert Gonzalez who was recently arrested for the Heartland Data Systems breach. What makes this even more entertaining is that he was also arrested in the TJX data breach a few years earlier in 2003. Rather than throw him in the slammer, he instead became an informant for the Secret Service. A few short years later, he has achieved his goal of international fame and worship.

For those not in the banking industry, his compromise of Heartland created major havoc for banks everywhere. If you received a new credit or debit card in the past few months, it is likely due to the breach at Heartland. Banks were forced to investigate which cards were compromised and had to re-issue millions of cards. Thus far, this has cost Heartland over $32 MM in fines and losses.

So the next time, you get a fee increase from your bank, you might want to thank Albert. This may alter our collective opinion regarding his hero status.

In the meantime, Albert will go spend a few years behind bars thinking about his crime. More likely, he will be writing his business plan for becoming the next in a line of criminals who turned their misfortunate into a gold mine.

A.E>>>

Back to the Basics

2009-08-17T11:20:00.002-05:00

Well..... now that Tiger crumbled over the weekend, it is back to the grindstone.

The past few months have been nothing short of phenomonal. The economic challenges within the banking industry have resulted in a period of time that will be well remembered for years to come. Much like the dot com era or 9/11, this period will be one in which we will reflect on.

Thankfully - things seem to be on the upward trend, but who knows. However, as I reflect on the past few months and quarters, I have realized some very important lessons with respect to business.

1.) Be wary of the teflon mentality. When this crisis first emerged, the initial reaction was "it hasn't really effected us". A few short weeks and months later - we realized it had - in ways that we hadn't imagined.

2.) Don't get diverted. When a core market segment is impacted, the natural inclination is to see if you shouldn't be pointing your guns elsewhere. I am glad we did not, as sales activity is beginning to return to levels of past.

3.) Have faith. It's difficult to remain focused when you think you have the right message, yet things get more difficult. Does the message need to change? What am I missing? What we found was that the message was right and by focusing on it made all the difference.

4.) Maximize your resources. More than ever, the latest environment forced us to understand to a greater degree what resources were absolutely critical to success and those that were not. By removing un-needed expense and resource, we were able to streamline our operations while minimize our expense.

All in all, I will be happy if the climate over the past few months never returns. At the same time, it has been a great learning experience and we are coming out on the back-end of this more operationally sound than before. The next few months should be entertaining.

Good Hunting out there,

A.E>>>

Why I Hope Tiger Wins

2009-08-12T09:12:00.003-05:00

Being a Minnesotan, I spent Monday afternoon over at Hazeltine National as PGA Championship week kicked off. While it was only a practice round on Monday, everyone was asking of there were any Tiger sightings. Tiger was there bright and early, but we got there late and missed him.

Of course, Tiger is once again favored as he has won an astounding 30% of tournaments he has entered. What perplexes me is that each and every week, I find myself rooting for Tiger to win, even though he has more money than god and may be considered the greatest golfer if he does nothing else.

Why it is perplexing is that like many, I am always for the underdog. Whether it is a football, tennis, baseball or hockey contest - I almost always root for the underdog. I think it is built into our DNA.

However, when it comes to Tiger - I am always hoping that he wins. Why? In analyzing my brain, I think it is simply because I love the way he prepares himself and am absolutely astounded by his mental preparation. In short, he can almost will himself to win. As a colleague told me this morning - he just gives his opponents the Jedi glance, and they crumble. The only other parallel I can draw is to Lance Armstrong.

I think that these two human beings are case studies for mental fortitude. in many ways, they are heros of mine, as they always seem to rise to the occasion. When I wake up in the morning and begin thinking about ID Insight - I remind myself of what it takes to be a Tiger.

He is an inspiration to me and many others, and I hope that he is able to will himself to his 15th major this week.

A.E>>>

Can we make the RFP R.I.P.?

2009-07-30T14:30:00.003-05:00

I was recently reading "Exceptional Selling" by Jeff Thull. The subtitle is "How the Best Connect and Win in High Stakes Sales". Thull offers a bevy of great advice about how the old way of selling is out the door - especially when it comes to complex sales that involve many pieces.

As I was reading - I came across a chapter where he talked about why Requests for proposals (RFP's) result in bad sales. He mentions how winning an RFP is akin to winning the lottery. He goes on to talk about how the process outlines a client's wish list and a defined decision making process that dissuades creativity and finding the optimal solution. In a complex sale - the RFP process does everything to attempt to reduce solution providers to a commodity.

I couldn't agree more. I can see where an RFP might make sense if you are buying toilet paper and there are 5 brands with similar features and it all comes down to price. However - when you are selling complex solutions to sophisticated buyers, the way you get to the optimal solution is to foster creativity and "out-of-the-box" thinking. When you get stuck into the RFP fifedom - usually with procurement - you end up with an invisible wall in front of you that does not allow for the interactivity that is so important to the process.

Thull goes so far to suggest that at times you need to walk away from RFP's. He discusses the opportunity loss that needs to be considered amongst other things. Even when I have been on the winning side of the RFP - the next steps are much more cumbersome. Why? Because you really need to back up and get into creativity side of things. Many times - both parties find out a lot about what should have been knowon up front. I have seen many a partnerships go bad because of this.

At the end of the day, people buy from people and fostering deep understanding results in a better outcome for all sides. I am not sure the RFP is going to be laid to rest anytime soon, but it wouldn't bother me.

A.E>>>

What Sucks with Social Networking

2009-07-01T12:24:00.002-05:00

I am doing my best to get my GenX brain around this whole social networking thing. I also have to explain that I am a borderline GenX'er and was extremely close to being a 'Boomer.

That being said, I have done everything I know how to do with LinkedIn and Twitter. I guess at this point - I have about 317 connections on LinkedIn and belong to 19 groups. On Twitter - I am following 12 people and have 9 people following me.

I obviously find some value or at least potential value by using these tools - but that's no fun to write about, so I thought I would instead right about what sucks.

- I am sick of these groups on LinkedIn. I am bombarded with group discussion boards, when more than half are commercials in disguise or just blatant job postings. LinkedIn needs a better way for Group Leaders to police this. I admit that in the early days - I was trying to promote - until I realized how much it bugged me. So - yes - I was an ass and I apologize to anyone I offended.

- You can't sync accounts. If you by chance set up 2 separate accounts on LinkedIn and are trying to merge - don't bother. When you look it up in the FAQs - it says "Don't bother".

- Why do I have strippers following me on Twitter? I am a neophyte on Twitter, but this week I got notice that some lovely looking woman was now following me. When I looked at her BIO - I realized she was a stripper. Not that I am against strippers, but I was trying to envision myself at my Twitter home page with my wife seeing this seductive stipper sending me comments about what she was doing at the moment.

- Why is it so hard to find people on Twitter? I look up Bill Gates, and it tells me I can follow "NotBillGates". However - I did find and begin following Barack Obama. Mostly - because I am most curious on the subjects that our leader Tweets on. We'll see how that goes, but for now - it is boring.

- How to Tweet your horn. Now that I have 9 people following me - all but one that are not strippers - I feel compelled to tweet. However - I am striking out on what to say. "Hey - just got done eating a burger and it was yummy", or "just mowed the lawn - man its hot".

Anyway - thanks for letting me rant.

Peace Out

BFF Adam

Medical ID Theft: The Next Wave

2009-06-15T09:59:00.003-05:00

With all the attention over the past few years on Identity Theft in general, there is a new trend that is continuing to gain momentum. While identity theft in general has leveled off a bit, the category of Medical Identity Theft is continuing to be more of an issue.

Medical Identity Theft can take many guises, but can be thought of generally as someone using your identifying credentials to receive medical services. This could be anything from an emergency room visit to reconstructive surgery. With the costs of health care continuing to sky-rocket, this should come as no surprise. In fact, when compared to financial service where the average 'loss' is around $10,000 - this can be quickly dwarfed when it comes to health care.

The latest crime stats from 2007 suggest that over 250,000 consumers were the victims of Medical Identity Theft. Much like financial services, the typical fraud can involve either someone using an existing Insurance ID and policy information to utilize an existing account, or alternatively, apply for new services in the victim's name using the stolen ID information such as SSN and DOB.

Historically - health care providers have not deployed the scrutiny in the new account opening process as banks. However - this is beginning to change. Partly due to the increase in related fraud, but also due to the FACT Act provisions which will require health care providers to screen for Medical Identity Theft. While health care providers have not fallen under the regulatory banking agencies, they will now be regulated with respect to Identity Theft practices by the FTC - As of August 1st, 2009.

With the new mandate to electronify all medical records - we expect to see a lot of activity here over the next few years.

Supreme Court Makes Decision on Identity Theft

2009-06-11T13:01:00.002-05:00

A unanimous Supreme Court said in May that illegal workers who use falsified IDs can't be considered identity thieves without proof that they knew they were stealing real people's Social Security and other numbers!

How ridiculous is this?

The court, in an opinion by Justice Stephen Breyer, rejected the government's argument that prosecutors need only show that the identification numbers belong to someone else, regardless of whether the defendant knew it.

So - here we all are trying to deter identity theft, and our Supreme Court says it can only be prosecuted when someone "knows" that the ID was real. This is rarely the case. When people buy and steal IDs, they rarely ever know if they are indeed real.

This case was brought forth due to immigrants who were accessing various IDs to gain employment. However - this ruling I am sure will now make its way into the financial services sector.

Can we turn our brains back on...... please!

Here's a link to one version of the truth.

http://www.brownsvilleherald.com/news/identity-98001-theft-used.html

Examinations In Process

2009-06-02T11:29:00.005-05:00

We are finally beginning to get some good information regarding how banks and credit unions are doing coming out of their initial FACT Act Red Flag audits. The great news is that our clients are being given a passing grade by the auditors for using our Safe2Change solution to meet the address change provisions of FACT Act. Great news, because they deloyed Safe2Change as a much more cost-effective solution to complying versus sending out letter confirmations. At a time when costs are more critical than ever, saving some dollars here is very important, and our customers are able to realize these savings.

More interestingly, we are seeing a couple of general trends emerging from these audits that are worth thinking about.

Looks like the auditors are being somewhat lenient in this first pass. Clearly there are the handful that completely ignored the regulation and are getting it with both barrels. However - in the first round we are hearing that they are generally not having many issues.

The one gap that we are hearing now repeatedly is that the examiners are beginning to scrutinize compliance strategies where financial institutions are mailing letters to the customer's old and new address to achieve compliance. The issue is sufacing not because of the letter mailing strategy, but because FACTA requires that the institution not fulfill subsequent requests credit cards, debit cards, checks, etc. until the consumer has had enough time to receive and respond to the letter. This makes sense. If the institution sends out a letter and then sends the requested card to the new address (where the fraudster is waiting) - then this strategy will still still result in identity theft.

We are finding that most institutions have deployed the letter mailing strategy. However - we are also finding that these same institutions are not putting a "hold" on the account to block the request for cards and checks. This is not allowed per the FACT Act, which states that you can send letters, but not fulfill these additional requests until enough time has passed.

In these early examinations, we are hearing this issue being brought up repeatedly. While the examiners are being a bit lenient in round 1, we see this as being an issue that will be scrutinized much more and that financial institutions will need to plug this hole.

A.E>>>

Subscription Pricing?

2009-05-14T11:05:00.002-05:00

For years, the largest banks have deployed fraud tool after fraud tool. In doing so, the typical end result is a combination of many tools that overlap in form and function.

This makes it difficult for institutions to bring in additional tools or functionality to improve their fraud detection capabilities. One of the major barriers is price. As more and more tools are deployed - the incremental benefit is reduced - yet it is rare for the fraud solutions provider to alter their price based on this.

One of these new tools is what can be referred to as "Velocity" or Link Analysis". Most institutions know that an important piece of their overall strategy is to monitor repeat activity at the same address, phone number or Social Security Number. Eg. why have 5 unique people all applied at 123 Main ST in the last week? However - most insitutions have either not deployed that or are doing it in a rudimentary way.

We have developed a new technology that takes velocity and link analysis to a new level allowing our clients to expose fraud rings that they have not been able to see before.

However - while the value can be realized - we run into this dilemma described above. Because of this - we are beginning to think about a subscription based pricing model that incentivizes more volume not less. End result - better detection - less cost.

What's in an Address Change?

2009-04-20T15:02:00.003-05:00

We've been spending the past few years understanding everything there is to know about the 'risk' of an address change for financial services companies. We know that this is the leading indicator of account takeover and a major reason for the new Red Flag Guidelines.

Over the past few weeks, however, we have begun to look at the business problem a bit differently. While the address change event is associated with risk, this risk is relatively low. However, we are finding that the address change event is the single largest reason for a customer leaving the bank!

We have found that approximately 70% of all consumers that move consdider changing their primary banking relationship and that nearly 25% of consumers do end up changing their primary bank account within 120 days of moving.

When you think about it, it make sense. When you move, many times you move away from the bank branch where you conducted your banking. In doing so, it is somewhat likely that you change your bank account to be closer to the branch. Couple this with the fact that banks routinley are targeting new customers with Free $50 offers, and you can see how 25% of movers change banks.

When you consider that 15% of a typical banks customers move every year, this equates to 3.75% of their deposits walking out the door. When we ask banks what they are doing to retain these customers, the answere is almost always "nothing".

We believe there is a major opportunity to stop a significant percentage of these customers from attriting by communcating more effectively. For example, telling them about your remote banking options, or offering up a home equity line to someone that moved into an owned home.

We are beginning to look more holistically at the Address Change Event as being one of the most important in the customer's lifecycle. An event that includes bothe risk AND opportunity.

Too Busy To Save Money

2009-03-10T16:34:00.003-05:00

This economic crisis becomes more of a circus each and every day. It wasn't too many days ago that Wells Fargo, Chase, and US Bank were being lauded for avoiding the crash that had hit others such as Countrywide, WAMU, etc...

Flash forward a few short months, and they are now in similar spots, cutting dividends and reporting record losses. It tends to make you wonder what other rocks that have yet to be turned over. It is getting downright scary.

Given that ID insight sells primarily to financial services companies, I am routinely asked how this recession is impacting us. Until very shortly - my response was pretty similar. What we offer is a way for banks to save money - so we hadn't seen much of a negtive impact.

However - as of late we have seen that begin to change. Normally - when you walk in the door and tell someone that they can save them significant amounts of money - they are interested - as they should be. Increasingly - however, we are hearing more banks explain that even though they are interested that they cannot afford the time to save money. We are finding many (more every day) banks that simply are looking to keep the doors open.

When we stop making sound, rational business decisions - that's when you realize that this is some really scary stuff.

A.E>>>

Here We Go Again

2009-01-26T09:58:00.002-06:00

Now we have the Heartland Breach burning up the airwaves. Unless you were stuck in a cabin in the remote wilderness for the past few days, you heard about the most recent data breach of Heartland Payment Systems that resulted in approximately 100 million cards being compromised. Supposedly - bigger than TJX.

Reporters came out of the woodwork with headline stories discussing the latest Identity Theft story. Unfortunately, this is not an identity theft story. It is a story on stolen card information. This lack of understanding and mis-information does nothing to help us in the fight against identity theft.

Identity theft is when someone gains access to a person's identifying credentials and uses this to either take over an existing account or open up a new account in the victim's name. This leads to a serious burden on the victim who then has to fight for months and years to clean up their credit histories, their name and yes, their personal identity.

In the Heartland case, credit card numbers were compromised. Yes - this is serious, but from a consumer stand-point, it nowhere resembles identity theft. If someone gains access to your credit card number, what can they do with it? Virtually nothing. If you want to order merchandise online - you not only need the credit card number, but the Billing Name, Address and security code. Heartland maintains that this information was not part of the breach.

Even if it were compromised, this is not overly impactful to the consumer. Even if the card were used fraudulently, it would be the merchant or issuer that would bear the brunt of the damage. For the consumer, when they saw the fraudulent transaction - they would call their issuer and would not be liable for anything beyond $50 (which is never collected anyway). At that point, the issuer would issue a new card and numbers and the consumer would go on their merry way.

I think we need some more consumer education, so we can better focus on controls. I think a good first step would be to begin clarifying two types of breaches: an Identity Theft Breach and a Credit Card Number Breach. If I had heard that 100 million identities had been breached - I would probably have put an immediate fraud block at the bureau. The Heartland breach is meaningless to me...... other than watching the News, or should I say Wrong News.

A.E>>>

Score Based Compliance Solutions the New Standard?

2009-01-15T11:23:00.003-06:00

Over the past few weeks and months, I have been hearing more and more about our clients and prospects asking for score-based compliance solutions. While this may seem logical, it has not and is not the norm.

Historically speaking - the lion's share of financial services companies have deployed your traditional ID Verification solutions to meet BSA and CIP compliance requirements. What I mean is that they have deployed solutions to essentially "match" the identifying elements for a new customer application. Eg. "Did the social match?", "Did the address match?", etc.... In addition - these solutions also look for additional things like "Are they on the OFAC list". Based on these matches and data - this then allows the institution to take action per their compliance program.

While I think most would agree that these steps and measures will most likely get companies in compliance - you can quickly see how it is not fool-proof from preventing identity theft and fraud. Eg. a fraudster that establishes a completely new identity. A fraudster that first opens up a phone number at a new address in the victims name - where upon they will then be "matched at address". Or, the fraudster that fraudulently changes the address at the post-office. In these cases, the transactions will "pass", as we have verified the information.

Similarly - the majority of "non-matches" are not fraud - but good legitimate consumers. Together - we can see the dilemma - verified customera are fraud and unverified customers are good.

That is why scoring makes so much sense. Why? Because all of the information used in the decision is just that - information. It is not the truth - merely a measure of the truth. By scoring, we are able to look at all of the information and create the most optimal measure of the truth. This will lead to smarter decisions, lower amounts of fraud, and the most reasonable compliance program available.

I suspect that this drumbeat around scoring based compliance solutions will only get louder.

A.E>>>

The Inside Threat

2008-12-10T11:37:00.002-06:00

It seems that almost every time we talk to a bank that is dealing with a substantial account takeover issue - it usually comes back to an internal compromise. This is typically some fraudulent employee who has access to account level information.

When you think about this - it makes perfect sense. To successfully takeover an account is not trivial. Not only do you need customer information and account numbers - but also things like Pins and security codes. You typically don't find this out in cyberworld. To get at this - requires internal access.

Of course, once the information is compromised, the typical next step if to change the address on the consumer account and then requests the checks and cards to complete the crime.

With the economic meltdown in full swing, we are estimating that we are going to see a substantial increase in account takeover fraud in 2009. People with access to internal information that normally wouldn't have thought about committing fraud - are much more susceptible to committing fraud as their financial situation rapidly deteriorates.

I hope I'm wrong.

Compliance Humor

2008-12-05T13:00:00.003-06:00

The following was written by Anita Garrett, CRCM of Jefferson Wells International and printed in the Bankers Online Guru newsletter. Enjoy!

"The Creation"

In the beginning

Was the proposed rule

And then came the assumptions

And the assumptions were without form

And the proposed rule was completely without substance

And the darkness was upon the face of the bankers

And they spaketh amongst themselves, saying

"It is a crock of crap and it stinketh."

And the bankers went unto their Associations and sayeth,

"It is a pail of dung, and none may abide the odor thereof."

And the Associations went unto the Sub-Committees

And sayeth unto them,

"It is a container of excrement, and it is very strong

Such that none here may abide by it."

And the Sub-Committees went unto their Congressmen & Senators and sayeth,

"It is a vessel of fertilizer, and none may abide its strength."

And the Congressmen & Senators spoke amongst themselves, saying one to another.

"It contains that which aids plant growth,

And it is very strong."

"It promotes growth and is very powerful."

And the Congressmen & Senators went unto the President and sayeth unto him,

"This new rule will actively promote the growth

And efficiency of all banks, and these areas in particular,

And will serve as a comfort and protection for our constituents."

And the President looked upon the rule and saw that is was good

And the rule became

Regulation X.

What is the Real FACT Act Opportunity?

2008-12-01T15:37:00.005-06:00

Dear Readers,

Well - here we are - now one month after the FACT Act compliance deadline. For those of you that expected fireworks and smoking computers - I am sorry to disappoint. While we definitely saw many banks scrambling at the last minute to get their plans in place - November 1st was, in many ways, a non-event. I guess in hindsight, this should not be overly surprising. We saw similar activity back when the USA Patriot Act went live. It was months and years before many banks got fully into compliance.

However - we have learned a few things since November 1st that are coming to fruition that I thought I would share.

First of all, most banking institutions took the easy route and deployed existing solutions in the new account environment to screen address discrepancies.

In doing so - these banking insitutions are now seeing their fraud queues nearly quadrupling. This is already ending up in double digits reductions in account approval rates. While many banks are now seeing this, most are looking at it as the cost of compliance and doing business.

On the address change front, most banks opted for sending letters to the old and new address to become compliant. These institutions are now realizing the overall cost and impact - and are now expressing a desire to tighten up these processes in early 2009.

We have been sharing this reality for the past 12 months about this impending 'pain' and that pain is now being realized. In a time when banks are closing the doors, cutting expensese at every turn and looking for ways to increase revenues - you sure would think they would be interested in ways to minimize the pain and grow the top line.

It will be interesting to see what happens when the first few banks go through their first post FACTA audit in the coming weeks and months.

More to come,

A.E>>>

Verified?

2008-11-19T21:03:00.003-06:00

Today, we just got done analyzing the confirmed fraud addresses from the United States Postal Inspection Service, which is the law enforcement agency of the Post Office. We went back and looked at all the confirmed fraud addresses over the past 12 months. In doing so, we categorized all of the records into the category of fraud.

What we found was that 48% of the confirmed frauds were due to re-shipping schemes and that 41% of the confirmed frauds were due to a fraudulent change of address. Together - they represent 89% of all confirmed frauds.

What is interesting is that for both of these cases, any ID Verification service would have very likely indicated that the Name Matched the Address! For fraudulent address changes - the fraud artist changed the address from the victim's address to an alternate address. This would then be picked up by the third party verification providers as a confirmed address change. In the second situation - unsuspecting "mules" would receive merchandise that was being shipped to the actual person listed at the address.

Point is - in both cases, any traditional ID Verification service would confirm that the name and address matched! Over the past few years - a culture has developed that when we "match" the name to address that it must be "good". This matching would be considered sufficient or "reasonable" to any examiner as meeting USA Patriot Act, Bank Secrecy Act or Fact Act guidelines. As we can see above - it isn't that simple. Makes you wonder?

Where Do You Go Fishing?

2008-11-18T20:10:00.003-06:00

Today, I spent spent an hour with a prospect discussing the merits of utilizing a score to help them prioritize their online orders that they were reviewing. In preparation - we showed how by using a score - we could identify the 10% of riskiest orders that had a 38% fraud rate and the least risky 10% of orders only had a 2% fraud rate. They mentioned that the score wouldn't help, as they would still have to review all orders.

I asked if knowing that 38% of the orders were fraud in one segment and only 2% in the least risky segment would allow their fraud investigators to be more efficient in their investigation. The answer was a resounding "No".

Unfortunately - this is not a too uncommon response. In the financial services industry, most have become accustomed to scoring to make decisions. However - in other verticals such as e-commerce, the notion of scoring is an all too unfamiliar thought. When pressed on why this knowledge wouldn't help, the response was that it was because their fraud teams had better intuition and "gut" feel.

After the call, I couldn;t help come up with an analogy - related to fishing. I asked a colleague the simple question: "If you were out fishing for walleyes (I'm from Minnesota) and had to decide which spot to go fishing. The first spot was 15 feet deep and the fish finder indicated it was loaded with big fish. The second spot was 80 feet deep and the fish finder indicated there were no walleyes present (every good Minnesotan knows that walleyes aren't in 80 feet of water).

So which spot would you choose? Of course - I think most, and certainly most Minnesotans would quickly ascertain that the first spot would be much more likely to be successful.

This is same thing as scoring. It's all about finding the best fishing spots and avoiding those where success is minimal at best. In doing so, you can have a much more enjoyable day at the lake. Had to throw in that last one, as the snow is starting to fly and I am still holding on to my summer memories.