To mitigate risk associated with online financial services, credit union policies and systemic controls should create an environment in which fraud can be prevented, detected, monitored, and benchmarked against industry standards.
According to 'Fraud Prevention Strategies for Internet Banking,' published by the BITS Internet Fraud Working Group, Washington, D.C., risk mitigation policies and controls should:
- Require 'reasonable efforts' to be made to ascertain the true identity of individual members and/or the stated business purpose of each commercial enterprise with which the institution conducts business.
- Have a 'know your member' policy that includes the following requirements for personal account opening: proper identification; validation of the member's residence or place of business; consideration of the source of funds used to open an account; and checking with a service bureau for undesirable behavior such as insufficient funds or check kiting.
- Have adequate ongoing monitoring systems in place to identify suspicious transactions. These include monitoring transactions coming in and going out of deposit accounts using reports that identify a certain threshold history of the activity over a specific time frame; creating reports that monitor large dollar deposits; and tracking automated teller machine activity based on dollar thresholds over a certain time frame.
- Establish policies and train call center representatives to recognize member impersonation or 'pretext' calls. 'Pretext callers' are individuals who call a financial institution's call center posing as a member/customer or someone authorized to have member/customer information to obtain confidential data. When these types of calls are identified, the representative should deny the caller access to the information and report the incident.
For additional guidance, consult NCUA's Letter to Credit Unions No. 01-CU-09 regarding identity theft and pretext calling.
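The monitoring reports described above (in/out activity over a time frame, large-dollar deposits, and ATM activity against a dollar threshold over a window) can be expressed as a small batch job over a transaction feed. The following is an added illustration, not code from BITS, NCUA, or the cited paper. The transaction records, the field layout (account, ISO timestamp, channel, signed amount), and the threshold and window values are all constructed assumptions; a credit union would set its own thresholds and read the feed from its core system.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample feed (not real data). Positive amount = credit to the
# deposit account, negative = debit. Channel names are assumptions.
SAMPLE_TXNS = [
    ("A1", "2024-03-01T09:00:00", "ach", 1500.00),
    ("A1", "2024-03-01T10:00:00", "atm", -500.00),
    ("A1", "2024-03-01T11:30:00", "atm", -500.00),
    ("A1", "2024-03-01T14:00:00", "atm", -500.00),
    ("A2", "2024-03-02T09:00:00", "check", 12000.00),
    ("A2", "2024-03-05T09:00:00", "wire", -11800.00),
    ("A3", "2024-03-03T09:00:00", "ach", 200.00),
]


def parse(txns):
    """Turn the raw feed into (account, datetime, channel, amount) tuples."""
    return [(acct, datetime.fromisoformat(ts), ch, amt) for acct, ts, ch, amt in txns]


def large_deposits(txns, threshold=10000.0):
    """Large-dollar deposit report: every credit at or above the threshold."""
    return [(acct, ts, amt) for acct, ts, ch, amt in txns if amt >= threshold]


def atm_activity_over_window(txns, window=timedelta(hours=24), threshold=1000.0):
    """ATM report: flag an account the first time its ATM debits inside any
    sliding window of `window` length reach `threshold`."""
    by_acct = defaultdict(list)
    for acct, ts, ch, amt in txns:
        if ch == "atm" and amt < 0:
            by_acct[acct].append((ts, -amt))
    flags = []
    for acct, events in by_acct.items():
        events.sort()
        start, total = 0, 0.0
        for ts, amt in events:
            total += amt
            # Drop events that have slid out of the window.
            while ts - events[start][0] > window:
                total -= events[start][1]
                start += 1
            if total >= threshold:
                flags.append((acct, events[start][0], ts, round(total, 2)))
                break
    return flags


def in_out_activity(txns, window=timedelta(days=7), threshold=10000.0):
    """In/out report: accounts where both credits and debits within some
    `window` starting at a credit reach `threshold` (funds passing through)."""
    by_acct = defaultdict(list)
    for acct, ts, ch, amt in txns:
        by_acct[acct].append((ts, amt))
    report = {}
    for acct, events in by_acct.items():
        events.sort()
        for ts_i, amt_i in events:
            if amt_i <= 0:
                continue
            in_window = [a for t, a in events if ts_i <= t <= ts_i + window]
            inflow = sum(a for a in in_window if a > 0)
            outflow = sum(-a for a in in_window if a < 0)
            if inflow >= threshold and outflow >= threshold:
                report[acct] = (round(inflow, 2), round(outflow, 2))
                break
    return report


def run_reports(raw=SAMPLE_TXNS):
    """Run all three monitoring reports and return them keyed by name."""
    txns = parse(raw)
    return {
        "large_deposits": large_deposits(txns),
        "atm": atm_activity_over_window(txns),
        "in_out": in_out_activity(txns),
    }


if __name__ == "__main__":
    for name, rows in run_reports().items():
        print(name, rows)
```

Each report is independent so analysts can tune one threshold without affecting the others; the sliding window in the ATM report is the part most often done wrong in practice (a fixed calendar day misses three withdrawals spanning midnight).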
BITS recommends using the following new account opening strategies to deter online identity theft:
- Limit timeframes during which applications must be completed to deter fraud operators from keeping an application open while researching member data;
- Provide a secure channel for receipt of the member's data to prevent interception;
- Create an audit trail to assist in authenticating the customer at a later date;
- Use a real-time process to determine whether the member is accurately representing his/her identity;
- Ask 'in-wallet' questions (i.e., request information from identification typically found in a wallet, such as credit cards) to verify that data is correct and that the identity exists by comparing various data sources. (Used alone, in-wallet questions can't verify that the individual applying for a new online account is actually who he/she purports to be.);
- Ask 'out-of-wallet' questions, which are generated from information in an individual's credit bureau report;
- Use 'out-of-credit' questions that ask for information that can't be found on a credit report, such as what high school the individual attended;
- Provide standard field validations to ensure the member entered all of the information on the application in the correct format;
- Verify application data by providing checks against Social Security number and date of birth, comparing and verifying that the area code belongs with the state of residence, checking the driver's license format, and confirming that both the former and current address fields are valid and match U.S. Postal Service mailing addresses;
- Partner with third-party suppliers of application pattern recognition services (i.e., Web system environment tracking, false address tracking, and so on); and
- Integrate all 'know your customer' procedures into your online account opening process to ensure that your online and offline account opening processes are consistent for auditing purposes.
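The time-limited application window, the standard field validations, and the application data checks (Social Security number and date of birth plausibility, area code against state of residence, driver's license format, and current/former address matched against a mailing-address source) can be combined into one screening function that returns every failed check rather than stopping at the first. The block below is an added example, not BITS or NCUA code. The area-code table, the per-state license patterns, the set of known deliverable addresses, and the 30-minute limit are constructed stand-ins; in production these would come from a telephony reference feed, state DMV format data, a USPS address validation service, and the institution's own policy.

```python
import re
from datetime import date, datetime, timedelta

# Constructed, partial reference tables (assumptions for illustration only).
AREA_CODE_STATE = {"212": "NY", "718": "NY", "312": "IL", "415": "CA", "703": "VA"}
DL_FORMAT = {  # hypothetical per-state driver's license patterns
    "NY": re.compile(r"^\d{9}$"),
    "IL": re.compile(r"^[A-Z]\d{11}$"),
    "CA": re.compile(r"^[A-Z]\d{7}$"),
    "VA": re.compile(r"^[A-Z]\d{8}$"),
}
# Stand-in for a postal address lookup: normalised tuples that are deliverable.
KNOWN_ADDRESSES = {
    ("100 MAIN ST", "ALBANY", "NY", "12207"),
    ("55 LAKE SHORE DR", "CHICAGO", "IL", "60611"),
}
APPLICATION_TIME_LIMIT = timedelta(minutes=30)  # assumed policy value


def ssn_plausible(ssn):
    """Structural SSN check: nine digits, area not 000/666/900-999,
    group not 00, serial not 0000 (ranges the SSA never issues)."""
    m = re.fullmatch(r"(\d{3})-?(\d{2})-?(\d{4})", ssn)
    if not m:
        return False
    area, group, serial = m.groups()
    return (area not in ("000", "666") and not area.startswith("9")
            and group != "00" and serial != "0000")


def dob_plausible(dob, today, min_age=18, max_age=120):
    """ISO date that yields an age between min_age and max_age on `today`."""
    try:
        d = date.fromisoformat(dob)
    except ValueError:
        return False
    age = today.year - d.year - ((today.month, today.day) < (d.month, d.day))
    return min_age <= age <= max_age


def normalise_address(addr):
    """Upper-case, collapse whitespace, keep 5-digit ZIP so lookups are stable."""
    return (re.sub(r"\s+", " ", addr["line1"].strip().upper()),
            addr["city"].strip().upper(),
            addr["state"].strip().upper(),
            addr["zip"].strip()[:5])


def validate_application(app, now):
    """Return the list of failed checks; an empty list means the application
    passed field validation and can move on to identity questions."""
    problems = []
    if now - datetime.fromisoformat(app["started_at"]) > APPLICATION_TIME_LIMIT:
        problems.append("application window expired")
    if not ssn_plausible(app["ssn"]):
        problems.append("ssn format")
    if not dob_plausible(app["dob"], now.date()):
        problems.append("dob")
    state = app["current_address"]["state"].strip().upper()
    phone = re.sub(r"\D", "", app["phone"])
    if len(phone) != 10:
        problems.append("phone format")
    elif AREA_CODE_STATE.get(phone[:3]) != state:
        problems.append("area code does not match state")
    pattern = DL_FORMAT.get(state)
    if pattern is None or not pattern.match(app["drivers_license"]):
        problems.append("driver's license format")
    for label in ("current_address", "former_address"):
        if normalise_address(app[label]) not in KNOWN_ADDRESSES:
            problems.append(f"{label} not a known mailing address")
    return problems


# Constructed sample applications (fictional data).
NOW = datetime(2024, 3, 1, 12, 0)
GOOD_APP = {
    "started_at": "2024-03-01T11:45:00", "ssn": "123-45-6789", "dob": "1985-06-15",
    "phone": "(212) 555-0100", "drivers_license": "123456789",
    "current_address": {"line1": "100 Main St", "city": "Albany", "state": "NY", "zip": "12207"},
    "former_address": {"line1": "55 Lake Shore Dr", "city": "Chicago", "state": "IL", "zip": "60611"},
}
BAD_APP = {
    "started_at": "2024-03-01T10:00:00", "ssn": "666-12-3456", "dob": "2010-01-01",
    "phone": "415-555-0100", "drivers_license": "ABC",
    "current_address": {"line1": "1 Nowhere Rd", "city": "Albany", "state": "NY", "zip": "12207"},
    "former_address": {"line1": "55 Lake Shore Dr", "city": "Chicago", "state": "IL", "zip": "60611"},
}

if __name__ == "__main__":
    print("good:", validate_application(GOOD_APP, NOW))
    print("bad:", validate_application(BAD_APP, NOW))
```

Returning every failed check at once matters for the audit trail the list calls for: the record of which checks an applicant failed is itself evidence when the same data resurfaces in a later application.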
After applicant approval
- Wait for funding prior to opening an account;
- Require that a signed application be on file;
- Require member authentication to be completed in the branch or by contacting a call center;
- Implement manual fraud screening on initial deposits, which can be done with images captured by check processing equipment; and
- Mail account verification only to the address supplied in the online application.