Managing Fraud Risk in Online Lending

Transcription

Managing Fraud Risk in Online Lending
Managing Fraud Risk in Online Lending
A Mercator Advisory Group Executive Brief Sponsored by iovation
M A N AG I N G F R AU D R I S K
ONLINE LENDING
IN
A Mercator Advisory Group Executive Brief Sponsored by iovation
8 Clock Tower Place, Suite 420 | Maynard, MA 01754
phone: 1(781) 419--1700 | e-mail:
mail: info@mercatoradvisorygroup.com
www.mercatoradvisorygroup.com
November 2012
1
© 2012 Mercator Advisory Group, Inc.
Managing Fraud Risk in Online Lending
A Mercator Advisory Group Executive Brief Sponsored by iovation
© 2012 Mercator Advisory Group, Inc.
2
Managing Fraud Risk in Online Lending
A Mercator Advisory Group Executive Brief Sponsored by iovation
Table of Contents
Risk Management in a Risky Business ................................................................
.............................................................................................
............................................................. 4
Fraud Schemes Evolving ................................................................
................................................................................................
..................................................................................
.................. 5
Device Identification as an Effective Fraud Deterrent ................................................................
......................................................................
................................
5
Case Study ................................................................
................................................................................................
................................................................................................
................................
......................................
7
Fraud Challenges ................................................................
................................................................................................
................................................................... 7
................................................................
Solution Requirements ................................................................
................................................................................................
..........................................................................................
.......................... 7
Results Using Device Reputation ................................................................
................................................................................................
................................
...........................................
7
Conclusion ................................................................
................................................................................................
................................................................................................
................................
......................................
7
© 2012 Mercator Advisory Group, Inc.
3
Managing Fraud Risk in Online Lending
A Mercator Advisory Group Executive Brief Sponsored by iovation
Risk Management in a Risky Business
“It’s just about the riskiest type of loan you can make.” Such were the words of the Vice President of Risk
Strategies at one well-known
well known online lending
lending business.
The short-term
short term lending space, which in the last five years has expanded rapidly online, beyond the model of brickbrick
and mortar check cashing and payday lending locations, is indeed exposed to a great deal of risk. As the online
and-mortar
short
short-term
lending
ding industry has grown (Figure 1), so has its exposure to fraud.
fraud
Figure 1: Online Short-Term
Term Lending Volume 2007–2011
2007 2011 (E)
Online Short-Term
Short Term Loan Volume
$13.0
Billions USD
$10.8
$8.2
$6.7
$7.1
2007
2008
$5.7
2006
2009
2010
2011 (E)
Sources: Stephens Inc., Mercator Advisory Group,
Group, 2012
While credit risk – the risk that a borrower will default on a loan – is remarkably high in this industry,
industry, fraud risk
exposure for short-term
short term lenders has been a growing concern since the business has moved online. Due to the
anonymity involved, identity
identity thieves and first-party
first party fraudsters have been targeting
targeting online short-term
short term lenders since
the industry’s adoption of the internet as a major customer acquisition channel. Roughly
oughly one quarter of payday
and other shortshort-term
term loan volume originated online in 2010,
2010, and the market share shift away from brick-andbrick
mortar locations to the internet will continue for the foreseeable future.
mortar
© 2012 Mercator Advisory Group, Inc.
4
Managing Fraud Risk in Online Lending
A Mercator Advisory Group Executive Brief Sponsored by iovation
Online lenders’ products are typically secured by the borrower’s future paychecks and the promise that funds will
be available in their checking accounts on a specific date. The lender
lender also screens applicants using credit bureau
reports and bank account validation services from so-called
so called “debit bureaus” such as Early Warning Services or FIS,
but there are still those that try to game the system. Once the applicant has been approved
approved for a loan and the
funds have been disbursed, the lender waits until the agreed upon date and debits the borrower’s bank account
via the Automated Clearing House to retrieve funds equal to the original loan amount plus interest. In order to
comply with privacy laws, the debit bureaus are prevented from validating either the name associated with a
demand deposit account,
account and/or
and/or whether or not funds are available in it. Since these services only confirm the
account number and whether the account is open, the lender is essentially taking the word of the borrower that
funds will be accessible on the agreed upon date.
Fraud Schemes Evolving
It is during that period of time between disbursement and collection that a lender’s risk, if it wasn’t managed
adequately prior to loan origination, can quickly become realized as a fraud loss. Fraudsters whose applications
adequately
successfully pass the underwriting test will simply take the money and run. By then, the lender has little choice but
to absorb the loss. To exploit this weakness, fraud against short-term
short term lenders has become organized. Fraud rings
can routinely include whole teams of participants in multiple locations with multiple devices submitting loan
applications to a lender’s website,
website and then coordinating efforts
efforts once vulnerabilities have been determined.
determined
The manner of attacks aimed at lenders of all sorts (in credit card, HELOC, and others,, not only short-term)
short
has
achieved new levels of ingenuity,
ingenuity, too, as customer acquisition has moved to the Web. Just as lenders
lenders have been
able to leverage internet technology to automate a portion of the application process, so have fraudsters. Once
vulnerabilities have been identified, computing
computing scripts that enable automated application submission on lenders’
websites have been exploited by organized criminals with reams of stolen
stolen or synthetic identities. Such exploits
create the
the potential for extremely high-velocity
high velocity attacks that seek to overwhelm underwriters with sheer volume in
hopes that some fraudulent loan applications
applications get approved.
Mobile devices have further complicated the issue, since many online lenders’ counter-fraud
counter fraud tactics have hinged
upon the geolocation of an applicant’s Internet Protocol (IP) address to stop submissions from risky locales. While
this may work
work when tracking PCs, tablets
tablets and smartphones can help fraudsters to effectively hide their locations.
Schemes that involve several malevolent actors can introduce additional complexity as more devices enter the
equation.
Device Identification as an Effective Fraud Deterrent
To augment the declining effectiveness of common tools in anti-fraud
anti fraud solutions, such as IP geolocation,
geolocation lenders
have begun to implement functionality that reaches beyond the location of the user’s internet server.
server As an
ex
example,
the
he use of proxy servers to mask a fraudster’s true location was the inspiration for the deployment of
© 2012 Mercator Advisory Group, Inc.
5
Managing Fraud Risk in Online Lending
A Mercator Advisory Group Executive Brief Sponsored by iovation
proxy piercing services such as iovation’s Real IP service. New generation device identification solutions take fraud
detection a step further by both understanding the globally unique identity of a device and by looking at the entire
device’s interaction with the lenders’ site. This process includes analysis of attributes such as the device’s
device’s
operating system, IP address, default language, web browser,
browser, and the time differential between the device and the
internet server.
Device identity and reputation is useful for fraud prevention in multiple ways. By understanding the unique
identity of the device that is involved in an online interaction, and
an also understanding commonalities between the
interactions themselves, a matrix of associations can be revealed that would otherwise remain hidden to analysis.
Then, if the device (or any device that it is related to in the association matrix) has a previous
Then,
previous history of
involvement in fraud or abusive behaviors,
behaviors the lender can make immediate decisions on that information.
information
iovation
ovation,, for example, maintains a unique shared database that is at the core of its service and is accessible to
customers of the vendor’s
vendor’s device reputation services. The database exposes fraud and abuse that is shared
between customers across a wide range of industries using a secure online forum and social platform.
platform
In another example of how device identity and reputation can be valuable
valuable to the online fraud prevention process,
process,
a lender may track the velocity of web interactions on its site coming from unique and related devices and decline
loan applications from potential borrowers using multiple identities. iovation’s tools,, as an example, allow lenders
to modify business rules to adapt to fraud schemes as they evolve.
evolve
Other members of the online lending ecosystem have also found success in combating fraud by using device
identification technology, such as marketing partners that filter
filter leads for lenders. Online marketing firms that
partner with short-term
short term lenders,
lenders, credit card issuers, and other types of firms have become active users of device
identification as contractual obligations have arisen to allow lenders to share fraud losses
los with thee originator of an
account that has gone bad. Ensuring that leads represent solid, low-risk
low risk prospects, marketing firms can both
protect against lost revenue resulting from fraud as well as present more value to lending partners.
© 2012 Mercator Advisory Group, Inc.
6
Managing Fraud Risk in Online Lending
A Mercator Advisory Group Executive Brief Sponsored by iovation
Case Study
A leading developer of next generation financial solutions prevents sophisticated loan fraud by utilizing iovation’s
device reputation technology, saving
s ing the firm $5M annually
annually.
Fraud Challenges
Fraud rings targeted the lender, daily creating hundreds of new accounts with stolen or synthetic identities.
identities
Internal fraud tools were unable to stop sophisticated fraud initiated by various devices,
devices including smart phones
and tablets.
tablets The inability to identify, investigate,
investigate and stop fraud activities in real-time
real time resulted
resulted in extremely large
review queues for fraud analysts on a daily basis, which negatively impacted the lender’s risk management
processes
processes.
Solution Requirements
The lender needed real-time
r
time fraud detection that could handle information from multiple brands,
brands, websites and
loan products, and that reduced
reduce manual review queues.
queues Analysts needed to be able to perform
perform forensic analysis
by drilling down into fraud ring activity details,
details and to set
et up and adjust business rules on the fly to react to new
threats
threats.
Results Using Device Reputation
Wit
Within
twenty minutes of implementing iovation’s ReputationManager 360,
360 the lender stopped a fraud ring that
was presently active on its website.
web
The firm is now
now saving $5 million in annual losses with early fraud detection
using comprehensive device reputation tools.
tools Real-time
time monitoring allows the firm’s fraud analysts to focus on
other more pressing priorities.
priorities
Conclusion
Online lenders are in need of robust and cost-effective
cost effective risk mitigation and fraud prevention solutions, and those
that have not already implemented them will likely experience greater losses as fraudsters migrate to the path of
least resistance. Mercator Advisory Group recommends a layered approach to fraud risk management in online
short
short-term
lending
nding businesses, and in any instance when the Web is used as a customer acquisition channel for a
credit product. Given the recent successes that device identification and reputation solutions have attained,
lenders should strongly consider incorporating this functionality into existing fraud prevention processes.
© 2012 Mercator Advisory Group, Inc.
7
Managing Fraud Risk in Online Lending
A Mercator Advisory Group Executive Brief Sponsored by iovation
Copyright Notice
External publication terms for Mercator Advisory Group information and data: Any Mercator Advisory Group
information that is to be used in advertising, press releases, or promotional
promotional materials requires prior written
approval from the appropriate Mercator Advisory Group research director. A draft of the proposed document
should accompany any such request. Mercator Advisory Group reserves the right to deny approval of external
usage for any reason.
Copyright 2012,
201 , Mercator Advisory Group, Inc. Reproduction without written permission is completely forbidden.
© 2012 Mercator Advisory Group, Inc.
8