Identity fraud

High-tech assault on fraud

November 2006

Executive summary

o Information-sharing is one of the most powerful weapons against fraudsters. An FSA initiative, Fighting Fraud in Partnership, allows information to be shared among the industry, regulators, government, police and customers.

o As the government is one of the largest victims of financial fraud, the Home Office has initiated a project to link public and private data on individuals related to fraud.

o The FSA says firms need to collect more detailed and accurate data and invest in systems and controls to detect fraud threats at an early stage.

o Despite rises in ID fraud, CIFAS claims its shared data scheme is working. In the first half of 2006 its 250 members detected 85,128 frauds, an increase of 12.5 per cent on the same period in 2005, preventing frauds worth £360 million or £1,400 every minute.

o It's easier for crooks to get hold of victims' recent details, but lenders should check older data, in particular employment records, as it is more difficult for criminals to get this information.

Hardly a week goes by without identity fraud hitting the headlines, and not just in the personal finance pages - often it is front-page news, reflecting how serious a problem it has become. Tales of how consumer IDs are sold for a £1 on Russian websites and how we all have a 1 in 1,000 chance of being a victim of ID fraud are sending shivers down the spine of the financial services industry.

Crooks are raiding bins, 'phishing' online, breaking into homes, skimming credit cards, getting mail diverted, stealing passports and even impersonating the deceased to get their hands on valuable personal information to take over someone's identity or to impersonate them. It is known as 'the silent crime', as victims only become aware that something is amiss when they receive bills for credit card transactions they have not made, loans they have not applied for, or goods they have not bought.

The facts make chilling reading. CIFAS, the UK's fraud-prevention service, said that in the first six months of 2006, ID theft soared by 22 per cent with 32,000 people affected. It expects there to be 65,000 cases of ID fraud this year, up from 55,000 in 2005. More than half of this involves criminals using false identities to open store-cards, credit-card and mobile phone accounts. The increase in ID fraud goes hand in hand with a rise in the number of passports stolen each year, which has doubled to around a quarter a million a year from 2000. Almost 12,000 passport applications each year are thought to be fraudulent. And the fraudulent use of the identity of a deceased person is one of the fastest growing areas of crime, increasing annually by around 60 per cent and currently standing at 80,000 thefts a year.

The Home Office estimates that identity fraud costs the UK economy around £1.7 billion a year or £35 per person. However, many experts believe that this is a gross underestimate, as some businesses write ID-fraud losses off as bad debt. City consultancy Euristix estimates that £1.3 billion of total ‘bad debt’ in the UK retail lending sector is actually fraud.

[SUBHEAD]

Plastic cards

ID fraud has risen as the Chip-and-PIN (personal identity number) security system for plastic cards, introduced in 2004, achieved success and criminals moved to the next soft spot. Card fraud fell by £65 million to £439.4 million in 2005, according to figures from APACs.

Following rises in previous years, in 2005 card ID theft also fell because cards were fairly useless to fraudsters without a PIN. Fraud caused by either account takeover or fraudulent applications fell by 17 per cent to £30.5 million from £36.9 million in 2004. Card ID theft is now a small proportion of overall card fraud at just under 7 per cent.

The only type of card fraud that was still rising was card-not-present fraud, where someone pretends to be someone else, which rose by 21 per cent to £181.2 million in 2005.

[SUBHEAD]

Cheques

Fraudulent use of cheques had also been causing concern, and action has now been taken to get it under control. Banks and building societies have now introduced a new arrangement whereby consumers are required to add details such as the name and account number on the beneficiary area of a cheque rather than just the name of the institution. This follows cases in which cheques written to an institution were used fraudulently, often being intercepted in the mail and then cashed by opening an account using a false identity.

[SUBHEAD]

Linking information

As it became clear that ID fraud was a growing problem, in 2004 the Financial Services Authority (FSA) introduced a new initiative, Fighting Fraud in Partnership, which aimed to get the industry, regulators, government, police and customers sharing information and pushing in the same direction. At the time, the FSA said that collaboration was the key to fighting fraudulent crime including ID fraud and that information-sharing is one of the most powerful weapons of all against fraudsters.

As the government is one of the largest victims of financial fraud, the Home Office has initiated a project to link public and private data on individuals related to fraud. As federated online services are expected to be introduced next year by organisations partnering, there is even more of a need for the public and private sector, to combat fraud. Federated online services will enable consumers to enter their security details once to access their account details from a number of organisations including financial services and government services.

Following a fraud review, the police too are to give ID fraud more of a priority across the police network, whereas at the moment it is mainly dealt with by the Serious Fraud Office.

[SUBHEAD]

Fraud management

Meanwhile, mounting fraud losses have meant that financial service companies have strengthened their fraud-management capabilities, but firms could still do more to protect themselves and their customers, according to a recent FSA report, Fraud Governance. It found several areas where firms need to work harder. In particular, it said they need to collect more detailed and accurate data and to invest in systems and controls to detect threats of fraud at an early stage. The FSA stated that some firms are not able to assess where and why they are at risk from fraud and need to manage their responses in order to avoid being targeted as the weakest link. Surprise, surprise, the study found that firms that underinvested in anti-fraud measures tended to suffer high levels of losses.

The report also found evidence of competing priorities between fraud mitigation and customer experience. Firms were naturally wary of putting clients through more rigorous identity verification procedures when only around 1 per cent are likely to be fraudsters.

Despite rises in ID fraud, CIFAS claims that its 250 member organisations, which include banks, credit card issuers and insurers, have been more successful at detecting frauds through its shared data scheme. Between January and June 2006 its members detected 85,128 frauds, an increase of 12.5 per cent on the same period in 2005. It said that its members had been able to prevent financial frauds worth £360 million or £1,400 every minute.

CIFAS now believes that identity fraud will give criminals a short-lived career once all the new initiatives involving the Home Office, the industry and the police get underway.

Much of the focus of campaigns run by lenders and credit reference agencies has involved making the public more aware of how to protect themselves. Last month (October 2006) the National Identity Fraud Prevention Week was held, aiming to raise awareness among the public and businesses and to show people how to protect themselves. Organised by CIFAS, the Metropolitan Police, Crimestoppers, Fellowes, Equifax and Experian, it involved a marketing campaign to direct people to a new information website, www.stop-idfraud.co.uk, and a new freephone number 00800 1810 1810.

Financial crime specialist MHA Consulting believes that, despite all the initiatives, more could still be done, such as corroborating information presented by an individual against information held by government departments and extending the breadth of data supplied to credit reference agencies to include savings, investment, insurance and pension data to form a more complete picture of account holdings. It also believes that extending the depth of data to go further back in time would help lenders verify information more accurately.

Sue Thornhill, director of MHA, explained that it is often easy for crooks to get hold of their victims' recent information, but that if lenders checked older data and, in particular, employment records, this would make life harder for criminals because it is so much more difficult for them to get old addresses and employment records.

She added that much had been done to raise awareness among the public but that consumers still need to be encouraged to check their credit history regularly.

In conjunction with the British Bankers' Association (BBA), MHA recently brought out the Fraud Manager's Reference Guide, which can be ordered from the BBA on 020 7216 8890.

[SUBHEAD]

ID verification

Credit reference agencies and ID verification software firms are confident that electronic ID verification will not only help lenders beat the crooks but cut costs and improve the customer experience.

Electronic verification of ID was made valid by the FSA in 2005 and complies with revised guidelines recently introduced by the Treasury's Joint Money Laundering Steering Group. This requires firms to have a fully documented and auditable ID verification system in place for both electronic and paper verifications.

Neil Lewis, head of fraud and ID products at credit reference agency Equifax, believes that the only way to reduce ID fraud is for lenders to share data in a flexible and efficient way. He welcomes the move by the Home Office to share fraud information between the public and private sector, but adds that this will take time and will not be easy to achieve.

“The momentum is going in the right direction, the profile of ID fraud is being raised and lenders are upgrading their defences. ID fraud is a moving target and lenders cannot afford to drop their guard for a moment and must constantly review their defences. The problem lenders have is keeping the balance between catching the 1 per cent of suspects without offending 99 per cent of their client base,” he said.

While preventing identities being stolen cannot be made watertight until a universal identity system such as an identity card or biometrics is introduced, Lewis believes that, in the meantime, lenders can take steps to cut crooks off from their living.

[SUBHEAD]

Siran

Equifax is about to launch an online shared database, called Siran, which it believes will cut ID fraud losses for lenders. It is a closed user group and members can only access the database if they also contribute data. As the database builds up, Lewis said it will produce more and more valuable information. The database has been designed to flag up fraud rings where multiple applications for credit, perhaps up to 30, share one piece of information which links them all together.

[SUBHEAD]

'Deceased' database

Karen Webster, product director for the Halo database at marketing specialist Millennium, believes that ID fraud could be reduced if the checking of information on the deceased was made compulsory by businesses. She added that under the third Anti-Money Laundering Directive, to be implemented by December 2007, there is an obligation at the lender's discretion to look at negative as well as positive customer data.

The Halo database of the deceased is used by many financial organisations in-house and by several of the main credit reference agencies including Callcredit. The database goes back to 1989 and contains information on around 45,000 of the 50,000 people who die each month. Rather than being an extra layer of security adding costs to a lender's processing bill, Webster claims that “new electronic systems such as Halo will have a big impact on cutting ID fraud and on cutting costs for lenders”.

[SUBHEAD]

URU

GB Group, which produces the URU ID verification tool, also claims that electronic identity checking can save lenders time and money and increase customer conversion rates. It claims that URU can carry out multiple checks simultaneously and deliver results in less than a second. URU cross-references all customers' data online - including address, date of birth, passport and driver's licence - across a number of independent data sources to verify their identity.

GB Group says that an electronic ID verification system removes the paper-chase and actually cuts the time it takes to open a new account, thereby maximising revenue quickly. It claims that URU can produce cost savings of 70 per cent against manual checks.

Newcastle Building Society supports this, saying that since it has been using URU, it has been able to save 15 per cent of the time it normally takes to open a customer account and that faster processing has helped it increase its customer conversion rate by almost half. The society adds that URU has matched between 86 and 91 per cent of clients. The society introduced URU around two years ago, after first testing it in six branches. It now uses URU for ID verification across all its product areas throughout the organisation in branches, for online business and for third-party processing of accounts on behalf of clients.

[SUBHEAD]

Help for victims

While the industry feels that it is making headway in the battle against ID fraudsters, one organisation that is not happy about the way ID fraud is being tackled is the National Consumer Council (NCC). It feels that consumers who become victims of ID fraud are not given enough support, partly because the police consider the victim to be the company that bears the loss rather than the individual who has had their ID stolen.

NCC recently called for businesses, including banks and financial companies, to fund the setting up of a national ID theft support centre available by phone and online to help victims prove their identity, learn about credit reports and fraud and take steps to prevent further fraud. NCC said that a similar service has been successfully set up in the US so the UK should follow.