Printer Friendly

High-flying fraud.


FEW CRIMES AGAINST corporate assets are as easy to commit as credit card fraud. Within that broad category, losses resulting from fraudulent applications have the potential of becoming a much more serious problem than they are and therefore should be a matter of increased concern within the industry.

Although this type of loss is relatively small -- 2.4 percent of the total, according to 1987 Master-Card statistics -- it is among the most preventable. Issuers should refine their application review procedures to stop these frauds before they occur. While this article will focus on bankcards, the concepts discussed apply equally to any credit card issuer.

Exposure to losses may not be limited to the actual dollars charged off on an individual account opened as the result of a fraudulent application. Significant civil liabilities may add to the potential loss for any credit card issuer who fails to exercise due diligence when opening new accounts. This liability may also apply to existing credit card account relationships.

Also, because credit card issuers tend to view fraud as just another cost of doing business rather than a criminal activity and because this attitude is ultimately reflected in the effectiveness of their security operations, law enforcement authorities are reluctant to prosecute criminal fraud cases that are clearly the result of poor procedures or carelessness on the part of the issuer.

Although reported losses due to fraudulent applications may appear relatively low, investigators have found that such losses may have been mistakenly classified as collection or bankruptcy problems. These mistakes are caused either because of procedural errors or simply for lack of recognition of the act as a fraud. Equally important, nonbank credit card issuers may not report their credit card losses in a consistent manner as is required for banks under federal regulation and VISA and MasterCard operating regulations. Thus, the real scope of the problem cannot be measured with any degree of certainty.

Finally, investigating fraud cases that could have been avoided relatively easily in the first place sacrifices time that could have been spent on problems that were not preventable. In today's unrelenting fraud environment, this boils down to intelligent management and an elementary economic principle--the efficient allocation of limited resources.

All credit card issuers should establish a proactive posture with regard to the problem of fraudulent applications rather than the traditional reactive response that may not result in either monetary recovery or criminal prosecution. A definitive credit review program that incorporates security considerations focused on prevention is even more appropriate since a single approved fraud application can enhance the opportunity to perpetrate additional frauds on other creditors. Such an assertive posture would result in a positive payback from both the security and overall business perspectives.

Application Process

In the mid-1960s, Bank of America and Interbank began licensing their credit cards--BankAmericard (later VISA) and Mastercharge (later MasterCard) -- to other banks to gain a competitive edge over the cards already being issued by major department stores. One of the hurdles was to get enough merchants to accept the cards, and that could not be accomplished until enough customers had them.

To solve this problem, banks mailed millions of unsolicited credit cards to households everywhere. Later, following a significant pattern of losses and legislation that banned the mailing of unsolicited credit cards, more traditional credit application methods were used.

In recent years, however, preapproved and prescreened applications requiring only a signature--anyone's signature--and telemarketing applications requiring no signature represent the latest marketing techniques for survival in a highly competitive environment. Relying heavily on credit bureau files and other sources, such solicitation methods are designed to maximize market penetration, but they afford little consideration to the increased criminal opportunities established in the process.

Consumers are also inundated with instant credit plans at major department stores and discount retailers. Appliances, building supplies, electronics, furniture, apparel--just about every consumer good or service is available on a credit plan that can be obtained just by showing a major credit card or applying for the private label card offered by the retailer.

To accommodate this process and the huge volume of new business that it generates, productivity issues have taken on new importance, and application verification procedures have undergone significant changes. Current technology implements a quick review of credit card applications. From a business perspective, the decision-making process associated with these later methods--mass solicitations, instant credit, and telemarketing--is intended to obtain new customers at lower cost.

As is true in so many businesses, controls take time and cost money. So, credit scoring and on-line new-account review procedures are employed to speed the credit review process, book the account, and get the card into the customer's hands. Fewer people, perhaps with less training and experience, handle more applications, and each application passes through the review process more rapidly.

Such methods often sacrifice thoroughness and allow greater opportunities for fraud, but from a business perspective, these methods make sense because more good accounts than bad are opened. In turn, any losses from the relatively few bad accounts will be absorbed by the profits earned from the majority of good ones, and the system is, therefore, economically justified. What this line of thought does not consider, however, are the secondary costs associated with the opening of even a single fraudulent account.

Typical Fraud Application

Among the most typical of credit card fraud applications are those generally referred to as true name frauds. Here, the perpetrator uses the name and some other personal information of a real person to obtain credit cards, which he or she orders to be sent to his or her own address. Pure fraud applications are fictitious from beginning to end--false name, false employment, and false or nonexistent Social Security number--but use some valid mailing address where the card can be received. In between are variations and combinations of both types, including the addition of a fraudulent name to an existing, legitimate account. Applications that are successful in gaining approval usually have the following factors in common:

* They take advantage of credit review systems in which productivity and speed are attained at the expense of true accuracy.

* They incorporate enough information to appear legitimate under existing criteria but vary enough from factual data to create a distinct, new credit bureau file on which future creditors might rely in extending credit.

In the first case, good examples are those verifications that can be accomplished by mail only. In reviewing a credit card application, the issuer may call the employer identified on the application to verify whether the credit card applicant really works there and in the position and at the salary indicated. The employer may respond that such information is verified only on receipt of a written inquiry. As a matter of productivity, such a written verification is seldom performed since it is perceived by the credit issuer as too time-consuming.

In the second case, the identifying data on the application may match the data in the credit bureau file of a real person with the exception of the address. In a highly mobile society, address changes are not unusual, so such an item may be overlooked if the rest of the application appears to be in order. In turn, the new account may be opened and a card mailed to an address which, perhaps months later, is found to be hundreds or thousands of miles from where the individual named on the account actually resides.

When fraudulent applications are erroneously approved, the credit bureau inquiry made by the card issuer or other creditor during the review process often creates a new credit bureau file. Such files rely on the information supplied by creditors. These files, after all, are essentially a record of trade activity reported by creditors. Thus the primary responsibility of accurately reporting trade information lies with the creditor and the consumer, not the credit bureau.

Once a bogus file is created, it will appear to be as legitimate as any real credit bureau file until someone discovers it and corrects the problem. Unfortunately, this may occur only after tens of thousands of dollars in fraud losses have been incurred.

Discovery of Fraudulent Accounts

The discovery that a particular account has been fraudulently applied for or opened may occur at any point from initial receipt of the application to several months later, after the account has been charged over its limit or become delinquent. In some instances, discovery may not be made until the account has been charged off as a bad debt perhaps a year or more after it was opened.

Several different groups of people may contribute to the discovery of a bad account, including law enforcement officials, other creditors, the person whose name was fraudulently used to open the account, or employers. Regardless of who discovers the fraud, the account should immediately be blocked and referred for investigation.

At this point, the secondary costs begin to accrue. Investigative and recovery costs (if recovery is possible), the problems incurred within an already overcrowded criminal justice system (assuming a suspect can be identified and brought to trial), along with the potential for liability costs where civil claims may be brought against the bank or other card issuer can add substantially to the loss on the account.

Civil Liability

The charge-off loss and other internal processing costs associated with a fraudulently opened account may not represent the only exposure to loss for the issuer. In the case of a true name fraud application that is approved and used, the existence of the account may bring personal damage to the innocent person whose name was used in opening the fraudulent account.

Suppose, for example, that X's name and other personal information are fraudulently used by Y to open a VISA or MasterCard account. X may not become aware of the new account in his name until he discovers derogatory credit information in his otherwise flawless credit bureau file.

Suppose further that the matter came to his attention during the course of applying for a mortgage, and that correction of the problem delayed approval on the loan until the lower mortgage interest rate he had anticipated was no longer available. The new, higher rate could translate to a higher payment for which he cannot now qualify. With his loan not approved at the initial and lower rate, he then may have a claim against the bank that wrongfully opened the account because the bank failed to exercise due diligence in opening the new account and thereby in preventing the subsequent credit problem.

Whether X suffers a monetary loss, damage to his reputation, or other personal injury, the productivity issues designed to streamline the credit review process may have just backfired. Even if the bank takes steps to correct the erroneously reported information, it could be liable. This liability could easily cost much more than could ever be justified by the few moments saved by not verifying the authenticity of the original application. In a society so easily moved to litigation, this potential loss situation by itself should serve as adequate incentive for any credit department to make every effort to ensure the accuracy of its work.

Investigative Resources

The efficient allocation of limited resources is a basic economic principle of a free enterprise economy. The same principle should also always apply to security investigations.

The nature of criminal investigations is to discover unknown facts, a process that can be extremely time-consuming. Security departments, particularly those that deal with credit card investigations, increasingly find that cases must be well documented, painstakingly prepared, and airtight if they are to meet the rigid standards of prosecutors.

In order to accomplish this, the investigator must allocate his or her time to the cases that best meet the investigative objectives of the organization. These cases are not necessarily the easiest ones to solve or the ones most likely to result in restitution but the ones that are likely to cause the most damage if left unattended. Within this context, fraud application cases may not always be viewed as priority matters because investigative resources are limited and the fraud was easily preventable and, therefore, less prosecutable.

From a security perspective, it is extremely difficult to justify applying the same amount of investigative effort to avoidable cases as to unavoidable cases. Such situations place the security investigator in the position of cleaning up the mess--a task for which valuable training and experience are virtually wasted.

The Law Enforcement View

Corporate policy usually requires an investigator to investigate a credit card fraud case, but a law enforcement officer may choose not to do so, regardless of how well the case is documented or how compelling the evidence is. From their perspective, law enforcement officers and prosecutors are faced with a perplexing myriad of choices with regard to criminal investigations and prosecutions. The simple fact is that credit card investigations of almost any kind pale in light of more serious crimes. This is not to say that credit card frauds are ignored; they are not. But, in reality, credit card fraud application cases are often seen by the authorities as indefensible errors made repeatedly in the pursuit of profits and without regard to basic security considerations.

Some of the problems that could get an issuer into trouble civilly also relate to the kinds of questions a prosecutor will ask when considering the merits of the cases. For example, "Did the suspect ever make a payment?" If yes, it further establishes the appearance of legitimacy. The question of intent--a necessary element in any fraud case--is seriously diminished. "Are there any witnesses?" This may be unlikely especially if all of the transactions were cash withdrawals at an ATM not equipped with a camera. "Was the handwriting verified?" The application may have been taken by phone. "Did the issuer make a reasonable effort to verify the information on the application or the credit bureau report?" In most cases, the answer is no. If the issuer's position is construed as careless, prosecutors will be reluctant to pursue such a case. From the prosecutor's perspective, the issuer had every opportunity to verify the information on an application at the time it was received. If such verification was totally inadequate, then investigation and prosecution of the resulting fraud may be unjustified and impractical.

Most credit departments have some form of security screening incorporated into their review process, and credit bureau reporting agencies have incorporated alert systems in their files that also aid in detecting possible frauds.

VISA and MasterCard have jointly introduced the Issuers Clearinghouse Service (ICS), a system intended to help bankcard issuers reduce losses from fraudulent applications. Yet, even as the service becomes operational, large credit card fraud application schemes are currently under investigation that may not have been detected by ICS even if it had been available when the applications were approved. The improved technology will help, but the ultimate decision of whether an application should be approved will be made by an employee in a credit office. Therefore, whatever security measures should be included in the credit review process must become a matter of training.

The issue of negligence with respect to opening new accounts may well focus on whether a financial institution can show it took reasonable care in developing and implementing security measures to preclude a foreseeable act from occurring, such as issuing a credit card based on fraudulent application. A bank or other issuer that relied principally on credit scoring techniques to open accounts and failed to verify questionable information may be unable to defend against civil liability or prosecute the perpetrator of the fraud.

To ignore certain verifications as a matter of stated policy may constitute habitual failure to meet requirements. Similarly, the lack of a written policy may demonstrate the same degree of negligence. Thus, the application screening process must include specific procedures and employee training that address these potential negligence issues.

What steps can banks and other credit card issuers take to improve the credit review process and steer clear of negligence? Basic security principles that apply to the corporation as a whole should be reflected in the credit card operation. Managers of credit card operations should not operate under the misguided perception that their function is so unique that it requires special consideration. The cost of avoiding losses is far less than investigating them. Once the card is issued, control of losses is drastically reduced.

Avoiding losses can be accomplished with existing technology and staffing, but additional training of personnel and exception handling of some applications may be necessary. If additional phone calls, letters, or other verification steps are called for, or if extra on-the-job training is required for less experienced employees, the costs incurred will probably be a fraction of the losses that could accrue without such improvements.

Finally, credit card issuers must realize that law enforcement officers cannot begin to cope with every credit card loss, much less the ones that were clearly avoidable. As is true in so many other loss-exposure self-reliance, careful planning, and effective procedures that are consistently implemented reduce losses far more effectively than anything else.

About the Author...Dennis Harper is an investigator for Commerce Bank of Kansas City in Kansas City, MO. He is a member of the International Association of Credit Card Investigators.
COPYRIGHT 1989 American Society for Industrial Security
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 1989 Gale, Cengage Learning. All rights reserved.

Article Details
Printer friendly Cite/link Email Feedback
Title Annotation:credit cards
Author:Harper, Dennis
Publication:Security Management
Date:Mar 1, 1989
Previous Article:Prosecuting shoplifters: stealing the show.
Next Article:Vandalism: a European view.

Related Articles
Leading the charge against credit card crime.
RECORD money: Chip and pin fails to stop card fraud hitting record high.
UK card fraud hits record pounds 535m.
Credit card fraud cost reaches record pounds 1m; Major rise in crime in town.
Credit cards with pin codes will help fight fraud, police say.

Terms of use | Copyright © 2016 Farlex, Inc. | Feedback | For webmasters