FB pixel

Sharing data would stop more ID fraudsters

Sharing data would stop more ID fraudsters
 

By Liudas Kanapienis, CEO and co-founder of Ondato

Understanding Fraudsters is a 2023 report by Ondato based on an analysis of millions of ID verifications carried out for our customers in 2022. It contains an intriguing observation that could potentially transform the prevention of ID scams by known fraudsters.

Currently, according to the report, 3% of detected fraud attempts are rejected because they come from known bad actors. However, this number could be much higher with a different approach to data sharing.

From the perspective of an ID verification (IDV) service provider, we can easily catch them if they attempt to scam two or more of our clients, as they will appear in our database as likely fraudsters. But IDV companies seldom share this information with each other. This means that if someone attempts to attack our client and a client of a competitor, neither of us will be aware. Surely that’s to no one’s benefit, other than the fraudsters?

An untenable situation

The current state of affairs is certainly expensive for commercial organisations. In financial services, for example, the Revised Payment Services Directive (PSD2) Directive adopted by the EU in 2015, as a general rule, requires banks, Payment Service Providers (PSPs) and Electronic Money Institutions (EMIs) to refund fraudulently authorised payments to the person who was scammed “without delay”. In a single country, such unauthorised financial fraud losses across payment cards, remote banking and cheques totalled £726.9 million according to the 2023 UK Finance report.

The impact on payment providers is obviously huge. But covering these costs eventually filters through to the providers’ customers – that’s all of us – as banks have to cover these costs to remain in business.

Difficult but not impossible

Nobody is suggesting this is an easy nut to crack. The scope for data sharing between ID verification providers depends on the context and the regulations of different countries and sectors. In general, data sharing can help improve the efficiency and accuracy of identity verification services, as well as enhance the user experience and trust.

But it’s complicated. Data privacy legislation is complex and has the potential to discourage IDV providers from sharing, even when that is to the clear advantage of everyone.

However, let’s not make the mistake of blaming GDPR for inactivity. It does not necessarily prevent the sharing of data about known fraudsters, but it does impose conditions and safeguards to ensure that such sharing is lawful, fair and transparent.

Nor is it a new challenge. The insurance industry has shared data about potentially fraudulent claims for years and found ways to adapt to the post-GDPR environment after its introduction in 2018. Given the success of insurers in this regard, what would it take for IDV providers to create similar models?

What would be needed?

To comply with GDPR, it’s essential to respect core data protection principles, such as data minimisation, accuracy, storage limitation, integrity and confidentiality. In addition there, of course, has to be a lawful basis for sharing personal data about fraudsters. Lawful basis can include legal obligation, vital interests, public interest or legitimate interests, so it seems that there is good scope for progress.

It would also be necessary to document and communicate this lawful basis to the “data subjects and data recipients”, providing them with the rights of access, objection, rectification, erasure, and the rights to restrict processing and not to be subject to automated decision-making. Methods of dispute resolution would also need to be in place. Again, all of this is quite reasonable and achievable. GDPR would require IDVs to inform the data subjects about the data sharing and how they can exercise their rights, but only if that would not prejudice the purpose of preventing or detecting fraud.

Compliance should get easier

Governments recognise the issue and are seeking to make it easier to share data to prevent fraud. For example, in the Netherlands more than 160 banks and insurers have been granted a licence to exchange details of individuals’ fraudulent behaviour by the Autoriteit Persoonsgegevens (AP), the country’s data protection agency. The permission requires compliance with a strict protocol based on decentralised data exchange with relevant controls.

Another approach is to make it simpler for genuine applicants to prove their ID online, forcing fraudsters into more onerous ID processes. Taking this path, the EU is developing a European Digital Identity framework that will enable people and businesses to prove their identity and share electronic documents across the EU. The framework will rely on a common toolbox of technical standards and specifications, as well as a governance model that ensures interoperability and trust among member states.

Time for change

There are security and interoperability challenges to resolve soo, but with the right will, those can be accomplished.
The prize is worth the effort. Data sharing for the prevention of fraud is a vital tool in the fight against fraudsters, who do not confine their activities to just one type of fraud or just one sector. However, it has to be done in a way that respects the rights and interests of the data subjects and complies with the applicable data protection laws. White difficult, this is not impossible and the leading IDVs need to drive this agenda forward as their contribution to minimising the challenge of digital fraud.

About the author

Liudas Kanapienis is CEO and co-founder of Ondato.

DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are that of the author, and don’t necessarily reflect the views of Biometric Update.

Article Topics

 |   |   |   |   |   | 

Latest Biometrics News

 

ZeroBiometrics passes pioneering BixeLab biometric template protect test

ZeroBiometrics’ face biometrics software meets the specifications for template protection set out in the ISO/IEC 30136, according to a pioneering…

 

Apple patent filing aims for reuse of digital ID without sacrificing privacy

A patent filing from Apple for ensuring a presented reusable digital ID belongs to the person holding it via selfie…

 

Publication of ISO standard sets up biometric bias tests and measurement

The international standard for measuring biometric bias, or demographic differentials, is now available for purchase and preview from the International…

 

EU’s EES delayed again, border crossings still lack equipment

The European Union has confirmed that its upcoming biometric travel scheme will be delayed following warnings from several member states…

 

Age estimation leaders emerge in NIST evaluation

The National Institute for Standards and Technology (NIST) has released its latest Face Analysis Technology Evaluation for Age Estimation &…

 

US Army awards $249 million to Leidos for global biometric facility access

The US Army awarded a six-year, $249 million Indefinite Delivery/Indefinite Quantity (IDIQ) contract to Reston, Virginia-based Leidos for the next…

Comments

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Most Read This Week

Featured Company

Biometrics Insight, Opinion

Digital ID In-Depth

Biometrics White Papers

Biometrics Events