Sharing data would stop more ID fraudsters
By Liudas Kanapienis, CEO and co-founder of Ondato
Understanding Fraudsters is a 2023 report by Ondato based on an analysis of millions of ID verifications carried out for our customers in 2022. It contains an intriguing observation that could potentially transform the prevention of ID scams by known fraudsters.
Currently, according to the report, 3% of detected fraud attempts are rejected because they come from known bad actors. However, this number could be much higher with a different approach to data sharing.
From the perspective of an ID verification (IDV) service provider, we can easily catch them if they attempt to scam two or more of our clients, as they will appear in our database as likely fraudsters. But IDV companies seldom share this information with each other. This means that if someone attempts to attack our client and a client of a competitor, neither of us will be aware. Surely that’s to no one’s benefit, other than the fraudsters?
An untenable situation
The current state of affairs is certainly expensive for commercial organisations. In financial services, for example, the Revised Payment Services Directive (PSD2) adopted by the EU in 2015, as a general rule, requires banks, Payment Service Providers (PSPs) and Electronic Money Institutions (EMIs) to refund fraudulently authorised payments to the person who was scammed “without delay”. In a single country, such unauthorised financial fraud losses across payment cards, remote banking and cheques totalled £726.9 million according to the 2023 UK Finance report.
The impact on payment providers is obviously huge. But covering these costs eventually filters through to the providers’ customers – that’s all of us – as banks have to cover these costs to remain in business.
Difficult but not impossible
Nobody is suggesting this is an easy nut to crack. The scope for data sharing between ID verification providers depends on the context and the regulations of different countries and sectors. In general, data sharing can help improve the efficiency and accuracy of identity verification services, as well as enhance the user experience and trust.
But it’s complicated. Data privacy legislation is complex and has the potential to discourage IDV providers from sharing, even when that is to the clear advantage of everyone.
However, let’s not make the mistake of blaming GDPR for inactivity. It does not necessarily prevent the sharing of data about known fraudsters, but it does impose conditions and safeguards to ensure that such sharing is lawful, fair and transparent.
Nor is it a new challenge. The insurance industry has shared data about potentially fraudulent claims for years and found ways to adapt to the post-GDPR environment after its introduction in 2018. Given the success of insurers in this regard, what would it take for IDV providers to create similar models?
What would be needed?
To comply with GDPR, it’s essential to respect core data protection principles, such as data minimisation, accuracy, storage limitation, integrity and confidentiality. In addition, there of course has to be a lawful basis for sharing personal data about fraudsters. Lawful basis can include legal obligation, vital interests, public interest or legitimate interests, so it seems that there is good scope for progress.
It would also be necessary to document and communicate this lawful basis to the “data subjects and data recipients”, providing them with the rights of access, objection, rectification, erasure, and the rights to restrict processing and not to be subject to automated decision-making. Methods of dispute resolution would also need to be in place. Again, all of this is quite reasonable and achievable. GDPR would require IDVs to inform the data subjects about the data sharing and how they can exercise their rights, but only if that would not prejudice the purpose of preventing or detecting fraud.
Compliance should get easier
Governments recognise the issue and are seeking to make it easier to share data to prevent fraud. For example, in the Netherlands more than 160 banks and insurers have been granted a licence to exchange details of individuals’ fraudulent behaviour by the Autoriteit Persoonsgegevens (AP), the country’s data protection agency. The permission requires compliance with a strict protocol based on decentralised data exchange with relevant controls.
Another approach is to make it simpler for genuine applicants to prove their ID online, forcing fraudsters into more onerous ID processes. Taking this path, the EU is developing a European Digital Identity framework that will enable people and businesses to prove their identity and share electronic documents across the EU. The framework will rely on a common toolbox of technical standards and specifications, as well as a governance model that ensures interoperability and trust among member states.
Time for change
There are security and interoperability challenges to resolve too, but with the right will, those can be accomplished.
The prize is worth the effort. Data sharing for the prevention of fraud is a vital tool in the fight against fraudsters, who do not confine their activities to just one type of fraud or just one sector. However, it has to be done in a way that respects the rights and interests of the data subjects and complies with the applicable data protection laws. While difficult, this is not impossible and the leading IDVs need to drive this agenda forward as their contribution to minimising the challenge of digital fraud.
DISCLAIMER: Biometric Update’s Industry Insights are submitted content. The views expressed in this post are those of the author, and don’t necessarily reflect the views of Biometric Update.