Managing Fraud Risk in Online Lending
Transcription
Managing Fraud Risk in Online Lending
Managing Fraud Risk in Online Lending A Mercator Advisory Group Executive Brief Sponsored by iovation M A N AG I N G F R AU D R I S K ONLINE LENDING IN A Mercator Advisory Group Executive Brief Sponsored by iovation 8 Clock Tower Place, Suite 420 | Maynard, MA 01754 phone: 1(781) 419--1700 | e-mail: mail: [email protected] www.mercatoradvisorygroup.com November 2012 1 © 2012 Mercator Advisory Group, Inc. Managing Fraud Risk in Online Lending A Mercator Advisory Group Executive Brief Sponsored by iovation © 2012 Mercator Advisory Group, Inc. 2 Managing Fraud Risk in Online Lending A Mercator Advisory Group Executive Brief Sponsored by iovation Table of Contents Risk Management in a Risky Business ................................................................ ............................................................................................. ............................................................. 4 Fraud Schemes Evolving ................................................................ ................................................................................................ .................................................................................. .................. 5 Device Identification as an Effective Fraud Deterrent ................................................................ ...................................................................... ................................ 5 Case Study ................................................................ ................................................................................................ ................................................................................................ ................................ ...................................... 7 Fraud Challenges ................................................................ ................................................................................................ ................................................................... 7 ................................................................ Solution Requirements ................................................................ ................................................................................................ .......................................................................................... .......................... 7 Results Using Device Reputation ................................................................ ................................................................................................ ................................ ........................................... 7 Conclusion ................................................................ ................................................................................................ ................................................................................................ ................................ ...................................... 7 © 2012 Mercator Advisory Group, Inc. 3 Managing Fraud Risk in Online Lending A Mercator Advisory Group Executive Brief Sponsored by iovation Risk Management in a Risky Business “It’s just about the riskiest type of loan you can make.” Such were the words of the Vice President of Risk Strategies at one well-known well known online lending lending business. The short-term short term lending space, which in the last five years has expanded rapidly online, beyond the model of brickbrick and mortar check cashing and payday lending locations, is indeed exposed to a great deal of risk. As the online and-mortar short short-term lending ding industry has grown (Figure 1), so has its exposure to fraud. fraud Figure 1: Online Short-Term Term Lending Volume 2007–2011 2007 2011 (E) Online Short-Term Short Term Loan Volume $13.0 Billions USD $10.8 $8.2 $6.7 $7.1 2007 2008 $5.7 2006 2009 2010 2011 (E) Sources: Stephens Inc., Mercator Advisory Group, Group, 2012 While credit risk – the risk that a borrower will default on a loan – is remarkably high in this industry, industry, fraud risk exposure for short-term short term lenders has been a growing concern since the business has moved online. Due to the anonymity involved, identity identity thieves and first-party first party fraudsters have been targeting targeting online short-term short term lenders since the industry’s adoption of the internet as a major customer acquisition channel. Roughly oughly one quarter of payday and other shortshort-term term loan volume originated online in 2010, 2010, and the market share shift away from brick-andbrick mortar locations to the internet will continue for the foreseeable future. mortar © 2012 Mercator Advisory Group, Inc. 4 Managing Fraud Risk in Online Lending A Mercator Advisory Group Executive Brief Sponsored by iovation Online lenders’ products are typically secured by the borrower’s future paychecks and the promise that funds will be available in their checking accounts on a specific date. The lender lender also screens applicants using credit bureau reports and bank account validation services from so-called so called “debit bureaus” such as Early Warning Services or FIS, but there are still those that try to game the system. Once the applicant has been approved approved for a loan and the funds have been disbursed, the lender waits until the agreed upon date and debits the borrower’s bank account via the Automated Clearing House to retrieve funds equal to the original loan amount plus interest. In order to comply with privacy laws, the debit bureaus are prevented from validating either the name associated with a demand deposit account, account and/or and/or whether or not funds are available in it. Since these services only confirm the account number and whether the account is open, the lender is essentially taking the word of the borrower that funds will be accessible on the agreed upon date. Fraud Schemes Evolving It is during that period of time between disbursement and collection that a lender’s risk, if it wasn’t managed adequately prior to loan origination, can quickly become realized as a fraud loss. Fraudsters whose applications adequately successfully pass the underwriting test will simply take the money and run. By then, the lender has little choice but to absorb the loss. To exploit this weakness, fraud against short-term short term lenders has become organized. Fraud rings can routinely include whole teams of participants in multiple locations with multiple devices submitting loan applications to a lender’s website, website and then coordinating efforts efforts once vulnerabilities have been determined. determined The manner of attacks aimed at lenders of all sorts (in credit card, HELOC, and others,, not only short-term) short has achieved new levels of ingenuity, ingenuity, too, as customer acquisition has moved to the Web. Just as lenders lenders have been able to leverage internet technology to automate a portion of the application process, so have fraudsters. Once vulnerabilities have been identified, computing computing scripts that enable automated application submission on lenders’ websites have been exploited by organized criminals with reams of stolen stolen or synthetic identities. Such exploits create the the potential for extremely high-velocity high velocity attacks that seek to overwhelm underwriters with sheer volume in hopes that some fraudulent loan applications applications get approved. Mobile devices have further complicated the issue, since many online lenders’ counter-fraud counter fraud tactics have hinged upon the geolocation of an applicant’s Internet Protocol (IP) address to stop submissions from risky locales. While this may work work when tracking PCs, tablets tablets and smartphones can help fraudsters to effectively hide their locations. Schemes that involve several malevolent actors can introduce additional complexity as more devices enter the equation. Device Identification as an Effective Fraud Deterrent To augment the declining effectiveness of common tools in anti-fraud anti fraud solutions, such as IP geolocation, geolocation lenders have begun to implement functionality that reaches beyond the location of the user’s internet server. server As an ex example, the he use of proxy servers to mask a fraudster’s true location was the inspiration for the deployment of © 2012 Mercator Advisory Group, Inc. 5 Managing Fraud Risk in Online Lending A Mercator Advisory Group Executive Brief Sponsored by iovation proxy piercing services such as iovation’s Real IP service. New generation device identification solutions take fraud detection a step further by both understanding the globally unique identity of a device and by looking at the entire device’s interaction with the lenders’ site. This process includes analysis of attributes such as the device’s device’s operating system, IP address, default language, web browser, browser, and the time differential between the device and the internet server. Device identity and reputation is useful for fraud prevention in multiple ways. By understanding the unique identity of the device that is involved in an online interaction, and an also understanding commonalities between the interactions themselves, a matrix of associations can be revealed that would otherwise remain hidden to analysis. Then, if the device (or any device that it is related to in the association matrix) has a previous Then, previous history of involvement in fraud or abusive behaviors, behaviors the lender can make immediate decisions on that information. information iovation ovation,, for example, maintains a unique shared database that is at the core of its service and is accessible to customers of the vendor’s vendor’s device reputation services. The database exposes fraud and abuse that is shared between customers across a wide range of industries using a secure online forum and social platform. platform In another example of how device identity and reputation can be valuable valuable to the online fraud prevention process, process, a lender may track the velocity of web interactions on its site coming from unique and related devices and decline loan applications from potential borrowers using multiple identities. iovation’s tools,, as an example, allow lenders to modify business rules to adapt to fraud schemes as they evolve. evolve Other members of the online lending ecosystem have also found success in combating fraud by using device identification technology, such as marketing partners that filter filter leads for lenders. Online marketing firms that partner with short-term short term lenders, lenders, credit card issuers, and other types of firms have become active users of device identification as contractual obligations have arisen to allow lenders to share fraud losses los with thee originator of an account that has gone bad. Ensuring that leads represent solid, low-risk low risk prospects, marketing firms can both protect against lost revenue resulting from fraud as well as present more value to lending partners. © 2012 Mercator Advisory Group, Inc. 6 Managing Fraud Risk in Online Lending A Mercator Advisory Group Executive Brief Sponsored by iovation Case Study A leading developer of next generation financial solutions prevents sophisticated loan fraud by utilizing iovation’s device reputation technology, saving s ing the firm $5M annually annually. Fraud Challenges Fraud rings targeted the lender, daily creating hundreds of new accounts with stolen or synthetic identities. identities Internal fraud tools were unable to stop sophisticated fraud initiated by various devices, devices including smart phones and tablets. tablets The inability to identify, investigate, investigate and stop fraud activities in real-time real time resulted resulted in extremely large review queues for fraud analysts on a daily basis, which negatively impacted the lender’s risk management processes processes. Solution Requirements The lender needed real-time r time fraud detection that could handle information from multiple brands, brands, websites and loan products, and that reduced reduce manual review queues. queues Analysts needed to be able to perform perform forensic analysis by drilling down into fraud ring activity details, details and to set et up and adjust business rules on the fly to react to new threats threats. Results Using Device Reputation Wit Within twenty minutes of implementing iovation’s ReputationManager 360, 360 the lender stopped a fraud ring that was presently active on its website. web The firm is now now saving $5 million in annual losses with early fraud detection using comprehensive device reputation tools. tools Real-time time monitoring allows the firm’s fraud analysts to focus on other more pressing priorities. priorities Conclusion Online lenders are in need of robust and cost-effective cost effective risk mitigation and fraud prevention solutions, and those that have not already implemented them will likely experience greater losses as fraudsters migrate to the path of least resistance. Mercator Advisory Group recommends a layered approach to fraud risk management in online short short-term lending nding businesses, and in any instance when the Web is used as a customer acquisition channel for a credit product. Given the recent successes that device identification and reputation solutions have attained, lenders should strongly consider incorporating this functionality into existing fraud prevention processes. © 2012 Mercator Advisory Group, Inc. 7 Managing Fraud Risk in Online Lending A Mercator Advisory Group Executive Brief Sponsored by iovation Copyright Notice External publication terms for Mercator Advisory Group information and data: Any Mercator Advisory Group information that is to be used in advertising, press releases, or promotional promotional materials requires prior written approval from the appropriate Mercator Advisory Group research director. A draft of the proposed document should accompany any such request. Mercator Advisory Group reserves the right to deny approval of external usage for any reason. Copyright 2012, 201 , Mercator Advisory Group, Inc. Reproduction without written permission is completely forbidden. © 2012 Mercator Advisory Group, Inc. 8