In February, 31 state Attorneys General signed a letter endorsing the Identity Theft Rules and acknowledging the need for more secure authentication practices. OneSpan’s Michael Magrath discusses.
It is not every day that 62 percent of the state Attorneys General collaborate and present a unified response to the federal government. On February 11, 2019, 31 AGs signed a letter to Donald Clark, Secretary of the Federal Trade Commission (FTC), in response to the FTC’s December 4 request for comment on the Identity Theft Rules, 16 C.F.R. Part 681, Project No. 188402.
The Identity Theft Rules (“the Rules”), known as the “Red Flags Rule” and the “Card Issuers Rule,” “require financial institutions and some creditors to implement a written identity theft prevention program designed to detect the “red flags” of identity theft in their day-to-day operations, take steps to prevent it and mitigate its damage.” Only these entities have the ability to stop a fraudulent account from being opened at their own place of business or to notify a consumer of a change of address in conjunction with a request for an additional or replacement card, which is a strong indicator that the account may have been taken over by an identity thief.
The AGs note that “the Rules complement the laws of states that have enacted laws requiring entities to develop, implement and maintain reasonable safeguards to protect the security, confidentiality and integrity of personal information.”
The Aging Practice of Knowledge-Based Authentication
It is refreshing to read that AGs know there are more secure ways to protect consumer identities. After numerous complaints filed by citizens, the AGs are well aware of the common practice of knowledge-based authentication (KBA) – answering a series of questions based on information contained in one’s credit report.
KBA used to be an effective method of verifying the identity of individuals online. In order to pass, an individual must correctly answer the questions presented, and must answer within a given amount of time so that a fraudster cannot pause to research the answers online – one’s pet’s name, for example.
With so many large-scale breaches spanning multiple vertical markets, millions of consumers have been victimized in at least one of them, leaving the personally identifiable information that KBA questions rely on exposed and for sale on the dark web.
Shifting to More Secure Practices
As banks, financial services and health care organizations and other entities move to streamline and secure the customer onboarding experience, many have dropped KBA altogether and have migrated to the latest digital onboarding technologies. Last May, the president signed the Economic Growth, Regulatory Relief, and Consumer Protection Act into law. The law removes some of the regulatory red tape that financial institutions must navigate to ensure compliance. Key language in the act concerns the use of a driver’s license or personal identification card. As the law states, “when an individual initiates a request through an online service to open an account with a financial institution or obtain a financial product or service from a financial institution, the financial institution may record personal information from a scan of the driver’s license or personal identification card of the individual, or make a copy or receive an image of the driver’s license or personal identification card of the individual, and store or retain such information in any electronic format.”
By leveraging the numerous capabilities built into the latest smartphones, individuals can open a bank account via an app that captures their driver’s license, validates its authenticity and pairs it with a “selfie” to begin the process. Using facial recognition to confirm that the photo on the driver’s license matches the selfie, the bank gains high confidence that the individual is the person he or she claims to be.
This approach addresses several of the items listed in the “Suspicious Documents” section of the current Rules including:
- Documents provided for identification appear to have been altered or forged.
- The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
- Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
- Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
The AGs also note that “with information gleaned from data breaches or publicly available on social media sites, identity thieves can be better than consumers at answering knowledge-based authentication questions because they have the data in front of them, whereas consumers need to try to recollect events that happened years prior. Thus, even if a person can provide some authenticating information, identity thieves may not be sufficiently screened from opening or accessing an account. Therefore, we would delete example number #18 [see below] and instead encourage more modern forms of authentication, such as multi-factor authentication.”
Example #18
For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.
Multi-Factor Authentication
To clarify, multi-factor authentication (MFA) will certainly be effective in preventing account takeover, but for MFA to be effective it must be bound to a verified identity, thus creating a “trusted user”; and for the security of the transaction, the authentication event needs to be performed on a trusted device. Many, but not all, organizations have deployed MFA to replace passwords for authenticating users. MFA comes in many forms, each offering a different balance of friction and security.
Complementing identity verification and MFA is real-time risk analysis, which delivers dynamic protection against fraudulent activities across multiple channels – identifying risk at critical steps, predicting risk levels and taking quick action when fraud patterns are identified. The risk analysis works silently in the background to collect and score activities and operations based on intelligent analysis of behavioral, contextual, qualitative and quantitative data, as well as by challenging unusual patterns and stepping up security where required.
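The risk analysis described above, sketched as an added Python example. This is not OneSpan’s product code or anything from the AGs’ letter or the FTC rules; the signals, weights, thresholds and sample events are constructed assumptions chosen to show the shape of the logic. It also encodes the point from the previous paragraph that MFA must be bound to a verified identity on a trusted device: an unverified profile is routed to identity verification rather than to an MFA challenge, and an unregistered device raises the score so that MFA is stepped up only when the context warrants it.

```python
"""Risk-based step-up authentication for a login or transaction event.

Added illustration with constructed weights, thresholds and sample data;
not vendor code.  Signals scored: device trust, geographic velocity between
consecutive events, transaction amount versus the user's norm, and a simple
behavioural signal (typing rhythm).  Score bands decide ALLOW / STEP_UP / DENY.
"""
from dataclasses import dataclass
from datetime import datetime
from math import radians, sin, cos, asin, sqrt
from typing import Optional


@dataclass
class Event:
    user: str
    device_id: str
    timestamp: datetime
    lat: float
    lon: float
    amount: float = 0.0               # transaction amount; 0 for a plain login
    typing_ms: Optional[int] = None   # avg keystroke interval observed this session


@dataclass
class UserProfile:
    user: str
    trusted_devices: set               # devices bound during verified onboarding
    identity_verified: bool            # document scan + selfie match passed
    last_event: Optional[Event] = None
    typical_typing_ms: Optional[int] = None
    typical_amount: float = 0.0


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two lat/lon points in kilometres."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


def score_event(profile: UserProfile, event: Event):
    """Return (score, reasons) from contextual and behavioural signals.
    Weights are illustrative assumptions, not calibrated values."""
    score, reasons = 0, []
    if event.device_id not in profile.trusted_devices:
        score += 40
        reasons.append("unregistered device")
    prev = profile.last_event
    if prev is not None:
        hours = (event.timestamp - prev.timestamp).total_seconds() / 3600
        km = haversine_km(prev.lat, prev.lon, event.lat, event.lon)
        if hours > 0 and km / hours > 900:      # faster than an airliner
            score += 50
            reasons.append(f"impossible travel: {km:.0f} km in {hours:.1f} h")
    if profile.typical_amount and event.amount > 5 * profile.typical_amount:
        score += 20
        reasons.append("amount far above user's typical value")
    if event.typing_ms and profile.typical_typing_ms:
        deviation = abs(event.typing_ms - profile.typical_typing_ms) / profile.typical_typing_ms
        if deviation > 0.5:
            score += 15
            reasons.append("typing rhythm deviates from baseline")
    return score, reasons


def decide(profile: UserProfile, event: Event):
    """Map the risk score to an action.  MFA is only meaningful once the
    identity behind the account has been verified, so an unverified profile
    is sent to identity verification rather than to an MFA challenge."""
    if not profile.identity_verified:
        return "VERIFY_IDENTITY", 0, ["MFA not yet bound to a verified identity"]
    score, reasons = score_event(profile, event)
    if score >= 70:
        return "DENY", score, reasons
    if score >= 30:
        return "STEP_UP_MFA", score, reasons
    return "ALLOW", score, reasons


# Constructed sample data: Alice onboarded with a verified document, bound one
# phone, and was last seen in New York at 09:00.
T0 = datetime(2019, 3, 1, 9, 0)
T1 = datetime(2019, 3, 1, 10, 0)
ALICE = UserProfile("alice", {"phone-1"}, True,
                    last_event=Event("alice", "phone-1", T0, 40.71, -74.01),
                    typical_typing_ms=120, typical_amount=200.0)
UNVERIFIED_BOB = UserProfile("bob", set(), False)

SAMPLE_EVENTS = {
    "same_phone_same_city": Event("alice", "phone-1", T1, 40.71, -74.01, 150.0, 125),
    "new_laptop_same_city": Event("alice", "laptop-9", T1, 40.71, -74.01, 150.0, 125),
    "new_laptop_london_big_txn": Event("alice", "laptop-9", T1, 51.51, -0.13, 1500.0, 300),
}


def demo():
    """Run every sample event through the engine; returns {name: action}."""
    results = {name: decide(ALICE, ev)[0] for name, ev in SAMPLE_EVENTS.items()}
    results["unverified_user"] = decide(UNVERIFIED_BOB, SAMPLE_EVENTS["same_phone_same_city"])[0]
    return results


if __name__ == "__main__":
    for name, ev in SAMPLE_EVENTS.items():
        print(name, decide(ALICE, ev))
    print("unverified_user", decide(UNVERIFIED_BOB, SAMPLE_EVENTS["same_phone_same_city"]))
```

The design point is that the engine runs silently on every event and only adds friction (a step-up challenge) when the score crosses a band; a routine login from a bound device scores zero and passes without any challenge, while an unregistered device in a city the user could not have reached since the last event, paying far above the norm, is refused outright rather than merely challenged.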
All too often, federal agencies do not share information, or they try to reinvent the wheel. As the FTC updates the Red Flags Rule, it should ideally include the provisions of the Economic Growth, Regulatory Relief, and Consumer Protection Act so that organizations can digitally onboard consumers via a scan of a driver’s license. As a consumer, I certainly hope the FTC embraces the comments provided by 62 percent of the state Attorneys General, which include multi-factor authentication.