Part 2: Figuring out where KBA fits in mobile account acquisition
As part of a two-part series about mobile account acquisition with Rich Huffman, Senior Director of Identity and Fraud Solutions Product Management at Equifax Inc., we had a candid discussion about the mechanics of KBA, how it has changed, where KBA fits into mobile and how it assists financial institutions. Our first posting introduced KBA concepts for mobile account opening.
What types of questions, and how many, are recommended to include in the authentication, and can you give some examples? Does the depth or complexity of the questions change based on red flags raised earlier in the process?
It is important to ask personally unique questions which are easy to recall. So you could ask them something about a store where they’ve purchased something over a certain amount of money that’s significant, say over $200. I think everybody would say that if you purchased an item for over $200 at a store you’d probably remember it today even if it was just a week ago.
Also, there are a couple of ways to ask questions of consumers. One is to ask questions with multiple choice answers, and that’s the traditional KBA method. But, you can also ask consumers to provide you with some information as an input field. For example, ask them to provide the last four digits of their Social Security Number. From that information, you get one more piece of the “what do you know” puzzle from the customer which you can then verify.
As for the number of questions to ask, asking more than two in a mobile situation may start to degrade the user experience. Always keep in mind, the consumer is probably on their phone and on the go and is most likely not in a frame of mind to address several multiple choice questions. Keep questions topical, fast and easy, while still providing an adequate level of authentication as determined by the financial institution or customer.
In terms of the complexity of the questions, it should vary based on the risk level detected. To determine the risk level, you can take things from behind the scenes, and look to see if the identity exhibits any worrisome behavioral anomalies. Look beyond just your particular interaction with the person and device to avoid blind spots. You do this by leveraging sources that provide insights across thousands of other commercial entities who are also interacting with consumers just like you are. All of these networked and pooled, passive insights are invaluable to help detect risks and threats.
If the risk level is elevated, consider asking a two-part (compound) question, where they have to know two facts instead of just one in order to get it right. Or, maybe it’s not a very high threshold risk, but you need a little more assurance, because you can’t get a solid read on the identity-device linkage and riskiness, so you ask a fairly straightforward question.
Given the highly specific nature of today’s KBA questions, what types of data resources are often integrated to complete the authentication?
The available resources are evolving as more and more people are monetizing big data. We have traditionally looked inside a credit file and activity on the credit file, but it has gone way beyond that at this point. We’re able to tap into unique data assets confidentially, to help assure that this person is the right person. Data like credit card activity or bank account activity is information only the customer would know. We have also looked into other public information, but it tends to be of questionable efficacy because of its availability in the public domain where fraudsters can access it.
Apart from improved fraud mitigation, what other benefits are financial institutions realizing from strategically positioned KBA within a mobile account acquisition process?
By being smart with how to use KBA, organizations can offer a quality customer experience so that prospective customers don’t abandon the process, while adhering to required due diligence from a compliance perspective.
So, there’s the compliance component that’s being met, but it’s being met in a way that makes it easier for the consumer to do business with you. If you misapply KBA in the mobile channel and make it hard for the consumer, they will abandon your process altogether. That lost opportunity cost most likely is higher than the fraud losses you might encounter, so it is critical to strike the right balance between customer convenience and identity examination while still meeting applicable regulatory requirements.