Address Fraud: Institutions Waste $300 Million Annually

New Study Says Confirmation Letters Too Costly, Ineffective Linda McGlasson • March 17, 2009 Financial institutions waste an estimated $300 million each year on change of address confirmation letters. This is one of the key findings of a new study from the Fraud Management Institute (FMI), which surveyed more than 300 banks, telecommunications and ecommerce businesses in late 2008.

During the current financial crisis, it is critical for institutions to streamline and reduce costs and boost fraud prevention efforts, yet the survey shows that many are still doing address confirmation manually and spending much more time on ID Theft Red Flags Rule compliance that originally predicted by regulators.

The Beaverton, OR-based research organization polled fraud management professionals to gauge the effectiveness of fraud management practices. According to the report, the true costs associated with managing address-related fraud risk may still not be fully known. "Especially now with the FACT Act Red Flag requirements, a lot of new attention is being put on addresses," says Mike Freiling, FMI's Director of Professional Services.

"The industry as a whole has become increasingly aware of address fraud as a key component of many fraud and identity theft schemes, and we wanted to assess fraud management perceptions, as well as strategies that are helping prevent, detect and mitigate the fraud associated with address misuse," he says.

Among the key findings of the survey:

More than 34 percent of the institutions polled mail confirmation letters to both the old and new addresses in the event of a customer address change;

Another 20 percent mail confirmation letters to the old address only;

4 percent mail letters to the new address.

Mailing confirmation letters costs the industry $300 million a year, Freiling says "Mailing confirmation letters has been a commonly accepted practice, even though the process is slow, expensive, and has little impact as a fraud-control measure," he says. Depending on the size of an institution and its number of customers, adoption of an automated risk-based approach solution can cut costs and significantly reduce manual review time and expense.

Other Findings

FMI's survey and analysis report was released four months after most banks and financial institutions were required by the Fair and Accurate Transactions (FACT) Act's ID Theft Red Flags Rule to begin scrutinizing address changes on existing customers, as well as new account applications where the application address differs from the information maintained by the credit bureaus. State credit unions overseen by the Federal Trade Commission have until May 1 to comply with the guidelines.

Freiling says clearly there is an awareness of the connection between account address change fraud and the risk that account takeover (identity theft) poses to financial institutions and any other company that holds personally identifiable information on its customers. Among the findings:

54% of respondents rate address changes as the transaction posing the greatest risk for account takeover, compared with 34% of respondents who rate requests for credit/debit cards as posing the greatest risk.

Among address fraud patterns, 29% rank new accounts with fictitious addresses as posing the greatest risk of loss, followed closely (27%) by new accounts opened with the name, but not the address, of an identity theft victim.

Telephone transactions are rated a top risk by 52%, where address fraud is perpetrated, followed by web-based transactions at 46%.

Respondents are underestimating the cost drivers to deal with address change fraud, and it has some bearing on the types of solutions they choose. "Many prefer documentary methods, such as photo IDs, but this method is limited to face to face channel, as opposed to channels like the web or telephone," Freiling says. "Larger banks show preferences of risk scoring solutions, rather than documentary methods. This is related to the cost drivers, if they are modest costs involved, and there is a break-even point where banks have to move to it."

Address Fraud Techniques

Freiling explains there are three general categories of address fraud techniques, depending on the way the account containing the fraudulent address is established:

New account fraud occurs when the criminal establishes a new account with the victim's firm and provides the fraudulent address in the course of the new account setup process. New account fraud may involve identity theft, totally fictitious information, or the perpetrator's actual information. In this latter case, it is referred to as "first party fraud."

Account takeover fraud occurs when the criminal gains control of an existing account belonging to someone else and substitutes a fraudulent address for the victim's original address. Account takeover fraud involves identity theft, because the criminal must represent themselves as the victim in order to gain access to the account.

eCommerce fraud occurs when the criminal purchases goods or services over the internet using fraudulent payment and/or address information. eCommerce fraud may involve identity theft if a stolen credit card or bank account number is used for payment.

Whatever type of fraud scheme is employed, Freiling says the new address established for the account can be one of three types of address:

Victim address: The address belongs to another individual or business, and it has been misappropriated.

Controlled address: The address is a true address under the control of the criminal. This does not need to be the criminal's actual address - it can be any address where the criminal can get access to delivered mail.

Fictitious address: The address does not exist, and mail can't be delivered there.

The type of address used depends on the exact details of the fraud technique, Freiling notes. Requests for checks and debit cards, for instance, are typically used in conjunction with a controlled address. Merchandise theft from an eCommerce firm may use a controlled address as the "ship to" address, while using a victim address as the billing address.

"Fictitious addresses, clearly, cannot be used for receiving goods or payment vehicles, but they can be used to block information from being delivered to consumer victims and in cases where theft is executed electronically, such as with theft via electronic payment," Freiling says.