Credit Union Authentication
Cybercriminals’ growing sophistication and catalogue of stolen personally identifiable information challenges many credit unions that seek better, quicker authentication solutions for online lending and call centers without affecting member experience.
“Properly authenticating online loan applicants is becoming a serious issue for many credit unions. On one hand, we as an industry recognize that consumers enjoy the speed and efficiency of internet-based lending. On the other, credit unions still have a fiscal responsibility to their members to mitigate risk and comply with numerous privacy and security mandates,” Terrence Corrigan, loan operations manager for the $240 million, Cleveland-based Firefighters Community Credit Union, said.
Corrigan noted this also places a significant burden on technology vendors, who must work with the credit unions to satisfy the typical dynamics associated with online lending.
The big question for credit unions is how to authenticate folks in a faceless environment.
“Credit unions want to be able to lend money online without calling someone into a branch and have them fill out a paper app,” Barry Kirby II, vice president of the Islandia, N.Y.-based loan origination provider Teledata Communications Inc., which provides FFCCU with a decision-lending platform, said.
“TCI finds itself in the middle of the need for credit unions to make decisions faster but also properly identify the applicant and not risk any fraud,” Kirby emphasized.
TCI's cloud-based DecisionLender process all loans, except mortgages. That includes credit cards and personal, automobile and motorcycle loans. DecisionLender comes into play during the underwriting process. When a member clicks on an apply button it serves up an online application. After the member selects the loan type, the system dynamically changes to capture the appropriate information depending on the loan category. Members receive a decision within five to eight seconds after clicking submit.
TCI provides ID verification through off the shelf authentication interfaces to services such TransUnion's Identity Manager. TCI can provide additional verification before signing the contract through a four-digit PIN via text or robo-call that needs entering by the applicant.
The $284 million Portland (Mich.) Federal Credit Union also uses TCI for indirect car loan applications through dealerships; and online applications for signature loans, credit cards and all secured loans, other than mortgages.
“When an application is submitted to us from a dealership or an online member or non-member they submit everything through the application portal. They go through a security piece on the application side that makes sure they are not a robot,” indirect lending relationships manager for PFCU LeAnne Hixson explained. The member application information travels though TCI to the credit union. “When we receive that application, credit has already been pulled,” she said. However, the credit union does not fund anything until it verifies all submitted information.
Dealers, through a contract with the credit union, are responsible for providing a driver's license on every application, a signed loan application, plus any other required signed documents. If applicants are nonmembers, they also must join PFCU, which the dealer can also have them sign for. The credit union then verifies the applicant's information such as the driver's license and address and that the Social Security number on the credit report matches the application. This all takes place prior to funding the loan.
“We are seeing a lot more members using our online application,” Hixson said. While they do have the ability to provide instant online approval to applicants who meet specific criteria, PFCU is more conservative than some online lenders. Right now, that instant approval ratio is about 4% of applications.
The Michigan credit union, however, also seeks to provide the human touch. Hixson said, “It's more than making sure they are who they say they are, it is also making sure we’re talking with them about their entire financial picture. That's huge for PFCU.”
Another venue subject to authentication issues is the call center where agents aim to provide exceptional experiences by listening carefully and reacting promptly to requests. The system's weakness is it does not always recognize spoofed calls from ever-sophisticated defrauders.
The Atlanta-based voice security/authentication firm Pindrop Labs in its annual Call Center Fraud Report revealed a significant increase in the fraud rate, a jump of 113% year-over-year. Fraud rates in 2016 were one in 937 calls across the board, compared to one in 2,000 calls in 2015, according to Pindrop's 2016 report. For financial institutions, the rates were one in every 895 calls.
Pindrop suggested a big objective of scammers is account takeover. This can involve fraudsters calling in multiple times to touch an account with nonmonetary transactions. They might include seemingly innocuous information such as updates to their phone number, password or PIN. Fraudsters also get into email accounts to change the login/password. In reality, they are setting the stage for a complete takeover of the account.
“The more [credit unions] become more of a traditional financial institution the more risk they are exposing financially to fraudsters,” Pindrop VP of Americas Michael Hughes said.
Hughes added fraudsters have the ability to spoof a call from anywhere in the world, or come in from a regular gateway number. He said it then comes down to what the caller can explain about the account and themselves, such as confirming an account or Social Security number, or answering knowledge based authentication questions. Hughes pointed out all of that information is readily available through social media, data breaches, and genuine and illegitimate services that collect information.
Call center agents are at a disadvantage. “The customer experience demands don't allow for a lengthy authentication process,” Hughes said.
The St. Petersburg, Fla.-based CUSO PSCU, which provides call center services for well over 800 member credit unions, also offers risk and fraud management, including Pindrop's phone printing technology, as part of its layered security.
“We’ve tried to tackle all those areas behind the member experience as it pertains to mobile, card, call center, cyber and rewards, an upcoming fraud trend,” Jack Lynch, chief risk officer at PSCU, stated.
The test becomes how to engage members while combating fraud. “In the past year, we’ve tried to focus on a 360-degree view of the member and how are they going through the authentication process in payments,” Lynch maintained.
Making it even more problematic is how impostors can completely seize personally identifiable information. “We’re seeing the fraudster starting to piece together identities,” Lynch said. “They get a piece from us, a piece from public records, and create that story.”
Fraudsters essentially become the member, which is making the authentication process much more difficult when somebody calls in. “You have to be careful when you’re dealing with member experience because you can't have your reps turn into CSI investigators. They are also not trained to detect fraudsters, they are trained to be helpful,” Lynch said.
That is why PSCU is looking to bring more anti-fraud instruments such as geolocation and biometrics into the equation to help. “So, authentication becomes much more than answering questions. It's how do I get a full story and understanding where the call is coming from, who the member is, and using all these new tools in order to secure the member,” Lynch explained.
A new fraud target is account rewards. “Fraudsters are figuring out this is a rich target environment. It's not like members/consumers are looking at their rewards points very often,” Lynch suggested. So once fraudsters obtain the account piece they can drain the rewards points to order gift cards, merchandise or TVs.
To combat reward point theft PSCU started an outbound program to verify when accountholders use a significant amount of points. “We’ve already been able to save about two million points with these pilots. We feel by the end of 2017 this is going to make a big dent in fraudsters stealing rewards points,” Lynch said. “PSCU felt that fraud was a threat to not only the credit union industry but to our members so we set out to drive down fraud and protect the members.”