A Finextra member 12 October, 2008, 01:49 0 likes

I believe that Marcus Agius (Barclays) and Andy Hornby (HBOS) went through some such 'procedure' prior to either of them being appointed heads of their respective institutions.

It didn't stop them being defrauded.

I note the similarity in the business models employed by credit refererence agencies charging consumers for 'ID protection' and that of the Russian mafia protection rackets.

It is another example of the general lack of ethics and moral fibre across the financial industry which got us into the present mess.

Credit references are certainly worthless at the institutional level and no doubt will be equally worthless at the consumer level if the current industry stance is maintained.

How about a little leadership?

The share price of google is seriously undermined, not only by the crisis, but by their lack of ethics towards customer privacy, something shared by the behavioural marketing outfits who are now going out of business on a daily basis due to consumer revolt and the attention of legislators.

I predict a similar future for others of the same ilk. Perhaps Experian could show a little leadership?

Of course legislation could provide the answer - I did hear a whisper...

A Finextra member 13 October, 2008, 09:25 0 likes

Actually, I think the core of the problem of identity fraud is that the subject (you and me) is not seen as the 'owner' of that data.  Credit reference agencies should have a duty of care to ensure that the data they hold is correct, by checking with the subject first.  Equally, any activity that requires them to give a reference should only be done when they have received separate sanction to do so by the subject, i.e., it is not good enough for them to rely on a signatuire on a form, obtained by a bank or other institution - they should have to independently verify with the registered owner of the record (which should be me and you) that the request is valid and a response can be given.

This would stop identity fraud in its tracks.  Oh, and reference agencies should not be able to charge you and me for access to the data they hold, as it should be our data, not theirs.

A Finextra member 15 October, 2008, 09:18 0 likes

I've always wondered how DD fraud works.  The DD guarentee requires my bank to give me the money back, before it heads off and does the investigation (which is not the same as with standing orders).  If the DD is fraudulent, the responsibility rests with the originating bank.  It is their responsibility because they have failed to confirm the status and identity of THEIR customer. 

Is there really such a thing as DD fraud, and if there is, who is the victim?  If the victim is the originating bank, they should be more careful!

It seems to me that fraud loopholes are created by corner-cutting beaurocrats and shoestring implementors.  They are not inherent in the technology.

A Finextra member 20 October, 2008, 12:34 0 likes

Direct Debit fraud is, in our experience, like an iceberg in that only 10% of what actually goes on is visible - to banks, scheme managers and the industry in general. According to a survey we ran earlier this year with corporates, payment fraud is generally treated as if it were simple theft.

The principle of Direct Debit fraud is that I use someone else’s account to pay my bills. So typically, I would sign up for an account, say a consumer credit or a mobile telecom account and give identity information and to pay the recurring bills, give the details to a second identity’s a bank account. I then disappear with the funds or phone and in an optimistic case, the account is closed or doesn’t exist; in a pessimistic case, the real owner of the account does not notice for several months, perhaps incurring bank charges or lost interest and then claiming against the Direct Debit Guarantee. In both cases the company who supplied the service is out of pocket at the end of the transaction, leading to higher consumer prices as it makes up the loss out of its profits. Jeremy Clarkson was a famous victim of such a fraud when his bank details were used to set up a Direct Debit to make contributions to a charity.

There are many examples in the UK media but it’s not just a UK issue: At International Payments 2004 TheClearinghouse.com reported that some of its large billers had fallen victim to such schemes. Typically these frauds go unreported by the companies and the financial impact is treated as an operational loss.  But the fact remains that the real victims are the companies who rely on the Direct Debit scheme to collect from their customers.

I agree that the technology is not at fault, but additional techniques can help to manage the problem – that of ensuring that the individual is who they claim to be an that they are related to the account they propose to use.

You say that responsibility rests with the originating bank – I disagree. How can the originating bank verify that the individual with whom they have no contact is related to an account at yet another bank about which they can, for competitive and data protection reasons, know nothing? Ultimately, the liability sits with the company who signs up the consumer and it is their  customer acquisition processes which are placed under test by this fraud.

Until last year, there was nothing much the acquiring business could do about it. Many businesses came to us to ask us what they could do to prove the link between a customer’s presented ID and the bank account they were intending to use to make their payments. Experian has information to help establish this link and has been working with banks to obtain permission to use this data to reduce the fraud for their retail customers.

Finally, the Payment Services Directive will cause Direct Debit Guarantee periods for EU member states to be reviewed and must be at least 8 weeks – how many of us review our banks statements that frequently for fraudulent transactions, and if we do not today, should we start doing so?