Address Fraud: Institutions Waste $300 Million Annually
New Study Says Confirmation Letters Too Costly, Ineffective Financial institutions waste an estimated $300 million each year on change of address confirmation letters. This is one of the key findings of a new study from the Fraud Management Institute (FMI), which surveyed more than 300 banks, telecommunications and ecommerce businesses in late 2008.During the current financial crisis, it is critical for institutions to streamline and reduce costs and boost fraud prevention efforts, yet the survey shows that many are still doing address confirmation manually and spending much more time on ID Theft Red Flags Rule compliance that originally predicted by regulators.
The Beaverton, OR-based research organization polled fraud management professionals to gauge the effectiveness of fraud management practices. According to the report, the true costs associated with managing address-related fraud risk may still not be fully known. "Especially now with the FACT Act Red Flag requirements, a lot of new attention is being put on addresses," says Mike Freiling, FMI's Director of Professional Services.
"The industry as a whole has become increasingly aware of address fraud as a key component of many fraud and identity theft schemes, and we wanted to assess fraud management perceptions, as well as strategies that are helping prevent, detect and mitigate the fraud associated with address misuse," he says.
Among the key findings of the survey:
Mailing confirmation letters costs the industry $300 million a year, Freiling says "Mailing confirmation letters has been a commonly accepted practice, even though the process is slow, expensive, and has little impact as a fraud-control measure," he says. Depending on the size of an institution and its number of customers, adoption of an automated risk-based approach solution can cut costs and significantly reduce manual review time and expense.
Other Findings
FMI's survey and analysis report was released four months after most banks and financial institutions were required by the Fair and Accurate Transactions (FACT) Act's ID Theft Red Flags Rule to begin scrutinizing address changes on existing customers, as well as new account applications where the application address differs from the information maintained by the credit bureaus. State credit unions overseen by the Federal Trade Commission have until May 1 to comply with the guidelines.
Freiling says clearly there is an awareness of the connection between account address change fraud and the risk that account takeover (identity theft) poses to financial institutions and any other company that holds personally identifiable information on its customers. Among the findings:
Respondents are underestimating the cost drivers to deal with address change fraud, and it has some bearing on the types of solutions they choose. "Many prefer documentary methods, such as photo IDs, but this method is limited to face to face channel, as opposed to channels like the web or telephone," Freiling says. "Larger banks show preferences of risk scoring solutions, rather than documentary methods. This is related to the cost drivers, if they are modest costs involved, and there is a break-even point where banks have to move to it."
Address Fraud Techniques
Freiling explains there are three general categories of address fraud techniques, depending on the way the account containing the fraudulent address is established:
Whatever type of fraud scheme is employed, Freiling says the new address established for the account can be one of three types of address:
The type of address used depends on the exact details of the fraud technique, Freiling notes. Requests for checks and debit cards, for instance, are typically used in conjunction with a controlled address. Merchandise theft from an eCommerce firm may use a controlled address as the "ship to" address, while using a victim address as the billing address.
"Fictitious addresses, clearly, cannot be used for receiving goods or payment vehicles, but they can be used to block information from being delivered to consumer victims and in cases where theft is executed electronically, such as with theft via electronic payment," Freiling says.