CUNA
  • Advocacy
    • Priorities we’re fighting for
    • Actions you can take
  • News
  • Learn
  • Compliance
  • Shop
  • Topics
    • Compliance
    • Credit Union Hero
    • Credit Union Rock Star
    • Credit Union System
    • Directors
    • Human Resources
    • Leadership
    • Lending
    • Marketing
    • Operations
    • Policy & Issues
    • Sales & Service
    • Technology
  • Credit Union Magazine
    • Buyers' Guide
    • Digital Edition
    • Credit Union Hero
    • Credit Union Rock Star
    • Subscribe
    • Advertise
    • Contact
  • Advertise
  • Awards
    • Nominate Credit Union Hero
    • Nominate Credit Union Rock Star
  • Podcasts
  • Videos
  • Contact
Learn More about Member Value

News

Member Benefits
Learn more
Learn more about the benefits of membership.
Home » Best Practices in Device and Identity Verification
Technology Operations

Best Practices in Device and Identity Verification

New FFIEC guidelines aim to mitigate risk using a variety of processes and technologies.

August 11, 2011
Keir Breitenfeld
No Comments

Boiled down to its essence, the latest guidance issued by the Federal Financial Institutions Examination Council (FFIEC) is rather simple. Essentially it asks U.S. financial institutions to mitigate risk using a variety of processes and technologies employed in a layered approach.

More specifically, it asks financial institutions to move beyond simple device identification—IP address checks, static cookies, and challenge questions derived from customer enrollment information—to more complex device identification and heightened out-of-wallet identity verification procedures.

Of course, leading financial services organizations have employed defense-in-depth strategies for years, both online and offline. No experienced information technology (IT) security professional would put all of an institution’s defensive strategies in a single process. This is hardly news.

In addition, while the specific call for “complex” out-of-wallet questions and device identification is news, top financial institutions have employed these techniques in various applications for quite some time.

The problems IT security leaders wrestle with on a day-to-day basis are more specific to making sure that the use out-of-wallet questions and device identification is done with optimal efficacy and that a balance is achieved with their other processes and the need to minimize friction for the customer.

Out-of-wallet identity verification

The recent FFIEC guidance states, “Challenge questions can be implemented more effectively using sophisticated questions. These are commonly referred to as out-of-wallet questions that do not rely on information that is often publicly available.”

I’d like to offer some suggestions as to what “sophistication” means with regards to out-of-wallet questions.

The use of interactive questions to further verify the legitimacy of an identity certainly remains an important and effective tool across multiple industries and points in the customer life cycle.

However, out-of-wallet questions must be managed and used dynamically. Experian consults with clients to find the optimal process points and question session configuration to strike the right balance among the often-opposing forces of fraud prevention, customer experience, and cost.

At a minimum, any institution should consider the following when evaluating an out-of-wallet question service provider and implementation:

  • Questions founded in as diverse a universe of data categories as possible, including credit and noncredit assets if permissible purpose exists;
  • Consumer question performance as an element among many within an overall risk-based decisioning policy;
  • Robust performance-monitoring via established key performance indicators associated with individual question performance and overall effectiveness of policy; and
  • Established processes to rotate questions and adjust access parameters and velocity limits at both the institution and the consumer level.

Cross-referencing a customer’s question performance with other risk attributes such as authentication scores generally will provide the most useful decisioning criteria.

Question sessions must employ speed and time limits, question rotation and hierarchies, and exclusionary conditions. They also must tailor weighting of one question compared with another based on predictive value in a particular market or process point.

The return on investment associated with out-of-wallet questions is often most compelling when the evaluation includes not only fraud prevention, but also customer experience and cost savings (in lieu of more manual customer management processes). Some of these values may be considered soft costs or less quantifiable, but in reality they’re quite real.

Next: Complex device identification

Previous 1 2 Next
KEYWORDS authentication risk

Post a comment to this article

Report Abusive Comment

Credit Union Magazine - Winter 2019

Winter 2019

Alternative lending, compliance management systems, and ideas for boosting credit card portfolios are among the topics of Credit Union Magazine’s Winter 2019 edition.
App •  Digital Edition •  Subscribe

Trending

  • Compliance: Using alternative data in underwriting

  • Concerns over credit union-bank mergers, CRA ‘inaccurate, misinformed’

  • Senate FCU breaks ground on new HQ named after longtime director

Tweets by CUNA_News

Polls

What's the pace of staff turnover at your CU?

View Results
More

Champion of America’s Credit Unions

Credit Union National Association is the only national association that advocates on behalf of all of America’s credit unions. We work tirelessly to protect your best interests in Washington and all 50 states. We fuel your professional growth at every level and champion the credit union story at every turn.

More CUNA

  • About
  • Careers
  • Contact Us
  • Recommended Websites

Resources for

  • CUNA Board Members
  • Credit Union Advocates
  • Leagues
  • Press
  • Vendors