Mitigating Account Takeover Fraud
Five years ago, if you were talking about fraud in the life insurance industry, you’d be talking about things like false or exaggerated claims, application fraud or possibly even internal employee fraud. While these fraud risks remain, the increase in third-party actors regularly attempting to access customer data and cash value inside certain insurance, annuity and retirement products by impersonating customers and taking over their accounts, known as account takeover fraud (ATO), has shifted the landscape. Companies across the industry have regularly reported issues with ATO being perpetrated across call centers, websites, mobile apps and even via paper forms.
Despite our collective efforts, ATO remains a prominent issue for our industry, an industry based on a foundation of trust and security; a promise to be there in our customers’ time of need. As we all work to shift away from the paper-based forms of the past for servicing to the digital channels of the future, so too must our ability to authenticate our legitimate customers and identify the bad actors evolve. If done well, we can increase the security of our customers’ data and assets while reducing friction, resulting in a positive customer experience.
To achieve this objective, below are some key areas that companies should consider integrating into their business and fraud prevention strategies. Given the rapid changes in the digital, cyber and fraud space, companies should also recognize that trying to simply keep up will most likely mean falling behind.
1. Customer Profile
Develop an approach to collect data and identity proof starting at the point of new customer acquisition (including often overlooked details like beneficiary information) and store this information as an enterprise data asset. Capturing and validating information such as device, voice, government ID and customer preference, and creating a profile of your customer that starts at acquisition, will help ensure you understand – and can authenticate – your customer from day one.
2. Identity Proofing and Authentication
Identity proofing – the verification of an identity prior to the issuance of accounts and/or credentials – requires you to collect enough information at the time of new business acquisition or first interaction to validate the customer, often when you have little or no previous information collected. Once successfully identity proofed, it becomes significantly easier to authenticate the legitimate customer on subsequent interactions, although authentication is not without its own challenges.
Using a multi-factor authentication approach (the ability to use multiple factors from something you know, have and are) is a reasonable step forward. While this remains a standard for authentication, it often relies too heavily on third-party data that can be expensive to obtain, challenging for customers to use and risks being compromised as fraudsters find weak points. It also has an inherent weakness in that it treats authentication as a one-time event. For companies looking to take authentication a step further, a continuous behavior-based authentication approach should be considered.
Companies should also consider moving away from passwords as the key to accessing customer accounts. Given the volume of privacy breaches, customer passwords are frequently compromised and, all too often, the same passwords are used in multiple places.
3. Cross-Channel Visibility/Orchestration
As companies convert many customer interactions to digital channels and allow real-time self-servicing for customers, having an ecosystem that can manage a complex set of identity proofing, authentication and threat detection capabilities is essential to security and customer satisfaction. Orchestration can enable this.
So, what is orchestration?
Orchestration is a platform that integrates, consolidates, and manages user identities, authentication, fraud detection, and access controls. User attributes and threat detection signals are combined to authenticate legitimate customers in a low friction manner while simultaneously detecting suspicious activity in real-time and applying additional friction or terminating the session to mitigate the risk of fraud. Orchestration offers many other benefits, including cross-channel visibility of customer interactions, customizable customer experience based on user preferences, simplified architecture and streamlined integration process for new authentication capabilities, and reduced IT development and maintenance costs.
4. Fraud/Behavioral Analytics
Many fraud prevention programs take a linear, rules-based approach to preventing fraud (for example, A + B = Fraud). Instead, companies should consider investing in analytical capabilities that enable them to take a risk-based approach, leveraging and weighting multiple corroboration and dissonance signals to inform real-time decisions based on the risk present during any given interaction. This can lead to an increase in fraud identification, a reduction in false positive fraud alerts, and, ultimately, an improved customer experience.
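The contrast between an "A + B = Fraud" rule and a weighted, risk-based decision can be shown in a few lines of Python. This is an added illustration, not part of the original article; every signal name, weight and threshold below is a hypothetical value chosen for the example.

```python
# Added example: signal names, weights and thresholds are hypothetical.
# Positive weights are dissonance signals (raise risk); negative weights
# are corroboration signals (lower risk).
WEIGHTS = {
    "new_device": 25,
    "contact_info_changed_recently": 30,
    "beneficiary_change_requested": 20,
    "withdrawal_requested": 25,
    "ip_geo_mismatch": 20,
    "voice_match": -35,
    "known_device": -30,
    "typical_behavior": -20,
}
STEP_UP_AT = 30    # apply additional friction at or above this score
TERMINATE_AT = 70  # terminate the session at or above this score

def linear_rule(signals):
    """Rules-based check: flags fraud only when A and B are both present."""
    return {"new_device", "contact_info_changed_recently"} <= set(signals)

def risk_score(signals):
    """Sum the weights of all observed signals, clamped to 0..100."""
    unknown = set(signals) - set(WEIGHTS)
    if unknown:
        raise ValueError(f"unweighted signals: {sorted(unknown)}")
    return max(0, min(100, sum(WEIGHTS[s] for s in set(signals))))

def decide(signals):
    """Map the score to the three outcomes: allow, step_up, terminate."""
    score = risk_score(signals)
    if score >= TERMINATE_AT:
        return "terminate"
    if score >= STEP_UP_AT:
        return "step_up"
    return "allow"

# Constructed interactions (sample data for this example only).
LEGIT_NEW_PHONE = {"new_device", "contact_info_changed_recently",
                   "voice_match", "typical_behavior"}
TAKEOVER = {"new_device", "ip_geo_mismatch",
            "beneficiary_change_requested", "withdrawal_requested"}
UNCERTAIN = {"new_device", "withdrawal_requested", "typical_behavior"}

if __name__ == "__main__":
    for name, sig in [("legit", LEGIT_NEW_PHONE), ("takeover", TAKEOVER),
                      ("uncertain", UNCERTAIN)]:
        print(name, linear_rule(sig), risk_score(sig), decide(sig))
```

The rule flags the legitimate customer on a new phone (a false positive) and misses the takeover that avoids the A + B pair, while the weighted score allows the first, terminates the second and steps up the uncertain case.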
There are many other ways in which analytics can be used to enhance a company’s fraud prevention program that should be considered as well, such as analyzing the efficiency and efficacy of various vendor solutions (either as stand-alone or in concert with other solutions) and using predictive analytics to predict the likelihood that individual transactions might be fraudulent.
Unlike the fraud of the past, ATO fraud has the potential to do significant and rapid damage to customer experience, brand reputation and, ultimately, to the bottom line. The ability to build and maintain trust with customers, to be there for them in their time of need, is central to the insurance industry. It is imperative that each company develop a fraud prevention strategy and implement a suite of solutions that are designed to deliver on that promise.
So, what are the right solutions for you?
Unfortunately, there is no one answer to that question. It will vary company by company.
Fraud leaders should assess their company’s long-term servicing strategy as well as understand their fraud risks and their fraud risk tolerance to determine the approach that is right for them.
But one thing is clear. Doing nothing is not an option.