Part 1: Figuring out where Knowledge-based Authentication (KBA) fits in mobile account acquisition
“You don’t want to open the door to fraud, but sometimes the fraud losses may be the least of your worries.”
As the financial industry continues its push into mobile channels, many banks are exploring how and where familiar online tools such as knowledge-based authentication (KBA) fit into a mobile account origination process. In this two-part series, Rich Huffman, Senior Director of Identity and Fraud Solutions Product Management at Equifax Inc., discusses the mechanics of KBA by sharing his candid thoughts and expertise on how it has changed, where it fits in mobile, how it can benefit financial institutions and much more.
Can you share how knowledge-based authentication (KBA) has changed in recent years, how well it transfers to mobile banking processes, and how you’re seeing it help financial institutions as they push into the mobile space?
In the past, using information from our private and proprietary databases to ask the individual a series of personal questions about things that only they should know the answers to has worked fairly well to authenticate unknown individuals in remote, web and/or call-center use cases. As we all know, professional fraudsters evolve over time and adjust their tactics to thwart systems and methods such as this. Fraudsters are increasingly finding ways to get access to some of this information. To help mitigate this risk, we now tap into data that doesn’t sit still or isn’t static over long periods of time. We refer to this type of fact-base as “perishable”. For example, your past address is static, and it doesn’t change. Whereas, a place you may have traveled to yesterday or last week, or a large dollar item that you recently purchased is ever changing and moving. Since the data is continuously changing, fraudsters have a difficult time getting to that level of detail in a timely manner, and they can’t re-use it over and over again. So, the investment of effort on their part goes up exponentially and makes their return on investment less attractive. Using recent, topical facts is also highly effective because the consumer can more easily recall the information.
As for using KBA in the mobile space, while it is not ideal, primarily because it poses user experience challenges, sometimes it is the only option. As you can imagine, presenting a series of multiple choice questions to the consumer in a mobile interaction is a bit tricky. As a result, we are seeing clients try a variety of alternative authentication methods in order to help minimize the number of KBA questions asked or avoid KBA altogether.
For example, with all of the information we can bring to bear today, we are now able to better determine if our myriad of insights available to us behind the scene—things we tend to refer to as “passive” checks—can help give you a good read on the person holding the device. For example, are the person and the mobile device in a setting that makes sense? Is this device known to belong to this person? Has this device ever been reported or flagged as having been used to commit fraud before? Do we see any abnormal behaviors or velocities associated with this identity or parts of this identity across the multitude of insights we are plugged into at Equifax? Some of these insights provide enough confidence for a financial institution or other customer to say, ‘Yes, I can trust the identity is who they say they are, so I don’t have to put them through a KBA exercise.’ That approach is starting to become a more common practice in the mobile commerce space.
That said, it is important to realize that whatever approach is taken, it needs to be strong enough to assure that the person you are dealing with is indeed the person they say they are, and as a result, there are times when you simply have no other option than to use KBA. In those cases, it is important the user experience is made as simple as possible. The screen must not have cluttered screens that are difficult to read and navigate. Each screen must be simplified, easy to read and easy for users to select their answer(s). Additionally, the number of questions asked should be kept to a minimum but adequate to provide the appropriate level of assurance. For example, this is not the time to force the customer into the arduous process of answering six multiple choice questions. Ideally, you would want to ask no more than two questions that are easy for the consumer to recall while nearly impossible for fraudsters to compromise.
In terms of compliance, banks are required to know their customers, and KBA certainly can help play an important role in the process when the authenticity of an identity is in doubt. It will help ensure the person holding the mobile device is indeed who they say they are. As a result, KBA is still a critical asset to be leveraged in the mobile account opening use case, but it needs to be used intelligently and strategically. A key objective is to have a seamless customer experience which maximizes your odds the customer will actually complete the account opening process while also doing a thorough job of authenticating the person.
How many institutions are using KBA today in their mobile account opening process?
It’s hard to quantify exactly how many banks are using KBA in their mobile channel, but Equifax provides services to over 40 percent of the banks in this country in some shape, form or fashion. This doesn’t mean they are all using Equifax for KBA, but we do know that the vast majority are using some form of KBA as part of their account opening processes today. As a result, financial institutions typically have it available to use as an option within their mobile account opening process today.
So, it’s one of several layers of ID verification in a mobile account opening process, but where does KBA fit in the process?
It really varies based on the financial institution, but we’re seeing a couple of places where KBA is inserted. There is a strong preference to perform all passive, non-FCRA identity checks upfront; so typically, KBA occurs at this point of the account opening process. So, before the bank goes through any other business risk assessments, they want to perform their due diligence on the “know your customer” and authentication fronts first.