April 2013
THE IMPACT OF ADDRESS CHANGES Most people don t sit around all day thinking about address changes, but at ID Insight Inc. we do. OK, maybe we aren t sitting around all day, but we definitely think about address changes a lot. It is the very reason why ID Insight was founded. Back in 2003 identity theft was increasing at double-digit rates, and the leading indicator was you guessed it a change of address. Since that time, however, we have realized that the address change event is not only an indicator of possible identity theft, but so much more. Why focus on address changes? Address changes are a major life-stage event with many inherent risks and rewards that amount to billions of dollars in impact to financial services companies. While an address change is simple in nature, it impacts financial services companies in many ways. Think about your own address change experiences. Maybe you just got married and moved into that new home or - you may have taken a new job across the country or - the kids have moved off into the world and you are now down-sizing. From a financial services perspective, you can quickly see that how someone moves can have a significant bearing on their financial needs. And it is not just related to addressing a customer s financial needs. Address changes create many operational impacts as well. If you are a financial services company and you begin to take a deep-dive look at address changes, you quickly realize that there are both good and bad outcomes that can happen when your customers change their address, including: Fraud Losses Compliance Requirements Operational Impacts Retention Issues Cross-Selling When we focus on the operational cost of an address change alone, we estimate the average cost to be in excess of $6.00 per change. When we look at retention and cross-selling, we observe that there are hundreds, if not thousands of dollars at stake. This White Paper outlines the various impacts of an address change and a best practices approach to minimize the risk and operational costs while optimizing the opportunity.
FRAUD AND COMPLIANCE The Problem The major fraud type associated with address changes is account takeover. In fact, the main focus of the Fair and Accurate Transaction Act (FACT Act) was address changes. The reason for regulation around address changes was due to this being the control point that is most commonly and easily compromised in a true identity theft situation. When you look at identity theft cases, a typical victim story you will hear is: Someone changed my address and then had a replacement card sent to them. They emptied my account in a couple of days. Since late 2008, financial services companies have been required to take action and screen address changes for the likelihood of account takeover. Since this requirement has been in place, we have observed that, overall, the initial strategies have done little to deter account takeover. According to the Javelin 2013 Identity Theft Report, account takeover fraud is up by 69% when compared to 2011. While fraud types can ebb and flow, it is becoming quite apparent that account takeover continues to become a larger problem whether you consider consumers or corporate accounts. Any way you cut it, account takeover remains a significant problem for the financial services industry. Through our work with banks of all sizes, we have observed that the average fraud loss associated with a single address change is over $4.00 on consumer accounts. FS-ISAC recently reported the average fraud loss per commercial account was over $26. Approaches When FACT Act Section 114(B) went into effect in November of 2008, this required financial institutions to screen address changes for the likelihood of account takeover identity fraud. Most institutions took the path of least resistance of mailing letters, implemented their plan, and have not significantly altered their procedures since. This is now beginning to change, especially as we understand that the initial procedures have done little to deter account takeover. If we look back in the rear-view mirror for a minute, here is a review of what was required for the FACT Act address change requirements:
FACT Act Section 114B: If the address associated with an account is changed, and within at least 30 days there is a request for a card on that same account, the card issuer must take one of the following actions before issuing the card: 1) Notify the cardholder of the request at the former address and provide a means of promptly reporting an incorrect address change, or; 2) Notify the cardholder of the request through other means of communication previously agreed to by the card issuer and cardholder, or; 3) Use some other means of assessing the validity of that address change, in accordance with responsible policies and procedures. The vast majority of financial services opted for Option #1 above. In speaking with hundreds of institutions, the most widely adopted approach to screening address changes for fraud is to send a first class piece of postal mail to either the former address, or both the former and new address. This security letter indicates that an address change was requested, giving the receiver of that mailing an opportunity to stop the fraud in process by notifying the institution. It is understandable why banks and credit unions would choose Option #1. It is both simple and easy. Banks and credit unions send letters every day, so sending a security letter is a fairly simple procedure to deploy on customers requesting an address change. However, as we saw earlier, it has had very little impact on reducing account takeover losses. There are many reasons why this approach is marginal in stopping account takeover: The account is wiped clean before the security letter ever arrives. The letter ends up in the junk mail pile, and never opened. The fraudsters will actually pick up the mail from the victim s box or select consumers who they know are not periodically monitoring their mail. The majority of financial institutions adopted this approach to meet the FACTA compliance requirements and most continue to do so today. While financial institutions are compliant, they have done so at a large cost adding to their expense line while not producing the intended results.
Best Practices Approach Increasingly, financial services companies are abandoning their initial Mail Strategy approach and adopting a reasonable / risk-based approach or option #3 under the FACT Act. This is resulting in detecting more fraud, faster, at a fraction of the cost. ID Insight was founded in 2003 with the idea that by looking at the data and information related to the address change itself, you could identify account takeover fraud. After nearly 10 years of developing our address change technology we know this to be true. And it makes sense. After researching thousands of true account takeover situations, there is one commonality: fraudsters don t typically perform their fraud at addresses similar to their victims. They tend to frequent very nomadic, anonymous address points to facilitate their crime. When we look at it from a data and analytics perspective, we will see things like: Why is John Smith moving from a 3,500 square foot, half-a-million-dollar owned home in suburban Milwaukee to a vacant industrial park address in the highest white-collar crime part of New York City, 1,000 miles away? The fundamental question becomes: Would you rather send John the snail mail asking him to call you or would you rather obtain this information the moment that the crook tried to fraudulently change the address? Thus far, over 700 banks and credit unions have adopted a risk-based approach to screening address changes. In short, using data and analytics to screen address changes. These institutions are able to immediately pass low risk address changes and review high risk address changes. In doing so, they are realizing the following benefits: They are significantly reducing fraud due to account takeover. We have observed the average savings to exceed $2.00 per address change. They are catching the fraud much faster. The address change is many times one clue amongst many that an account takeover is in process. By understanding the dynamics of the address change as it is happening, institutions are taking action much earlier and reducing their exposure. Because it is automated, institutions are able to have a clear and conspicuous audit trail to demonstrate that they screened every address change.
OPERATIONAL IMPACTS The Problem On the surface, address changes are relatively straightforward. However, when you get into the back office, you realize that one simple address change has many touch-points across the enterprise. The address change can come in through any number of channels such as phone centers, online or mail. Some of these channels are authenticated, while some are not. If a consumer has multiple accounts within an institution, this can result in many duplicate address changes. In addition to address changes coming from multiple systems and touch-points, address data tends to be ugly, with invalid addresses, addresses entered incorrectly, etc. This in turn leads to many operational problems such as returned mail, increased postage, destruction of cards and checks and other outcomes. Approaches As described above, the primary approach to deal with address changes is by mailing letters to the old and/or new address. While it is simple and allows an institution to comply with the FACT Act, it is most problematic from an operational perspective. Postage In addition to the low deterrence effect, sending mail is expensive and difficult to track effectively from an audit/compliance perspective. Financial services companies are the single largest mailer of statements and notices in the nation mailing over half of all mailed statements and notices. Overall, they spend over $7 billion per year to send these notices. When we look at an address change, we observe the average postage and fulfillment cost of an address change to be $2.00. Return Mail Address changes are also the major contributor to return mail. According to the United States Postal Service, approximately 75% of all returned mail is caused by a change of address. This is due to a variety of reasons including address information being entered incorrectly or the consumer never notifying the institution of their new address.
When you consider what a consumer does when they change their address with their financial institution, they do one of three things: 1) They notify their institution of the address change. 2) They do not notify their institution, but instead fill out the National Change of Address (NCOA) card at their local post-office. 3) They do not notify their institution nor fill out the NCOA card. We observe that approximately 67% of consumers will notify their financial institution of a change of address. We see that another 20% only fill out the NCOA card and the remaining 13% do not notify the institution or the Post Office. Notifies Institution Does not notify / Fills Out NCOA with the USPS Does not notify institution or USPS 20% 13% 67% How the consumer changed their address can have different consequences for the institution. If the consumer notifies the institution and the new address information is entered incorrectly, this will result in return mail. If they only notify the Post Office, the institution will receive a postcard indicating a change of address with the yellow sticker showing the new address. The institution then needs to resolve. The consumer notifies no one and the mail is sent back RETURN TO SENDER. These costs begin to add up fast. When we consider the overall return mail cost, we observe the average cost to be $1.90 per address change.
Interchange Impacts For those institutions mailing out letters, the FACT Act requires institutions to allow a reasonable period of time (typically 30-60 days) to elapse after the mailing before they can send replacement or emergency cards to the customer. We have observed that approximately 7-10% of customers changing their address will order a replacement card in the first 60 days post-move. This is very disruptive as it comes at a time when the consumer is spending a lot of money. According to the latest survey results, the average new mover spends between $7,000 and $10,000 in the first 120 days post move. When institutions put a hold on card replacement it leads immediately to a loss in interchange revenue. Because the spend factor is so high, the average loss in interchange per address change can be nearly $4.00. Best Practices Approach Increasingly, financial institutions understand the very tangible costs of taking a manual approach towards address changes. Everyone is looking for cost takeout and address change processing is a good place to start. As we saw with fraud and compliance, institutions are moving away from manual methods toward an automated risk-based approach. Not only does this provide significant fraud savings, but also results in significant operational savings. Many of our clients that have moved to automated risk-based solutions have abandoned sending letters all together. This is now becoming the norm as institutions realize that maintaining the mailing of letters becomes unnecessary expense with little or no additional benefit. Others continue to mail letters as more of a belt and suspenders strategy. When it comes to return mail, there are additional savings that can be realized. Because every address change transaction is processed and run through address standardization routines, they are able to identify undeliverable mail before it goes out the door. According to Pitney Bowes, high-rise addresses with the apartment number missing results in a 31% return mail rate. Similarly, vacant lots have a 99% return mail rate. By screening these new addresses through various databases, clients are able to reduce the cost of return mail due to erroneous entry.
When consumers only fill out the NCOA card and the bank is notified of the address change by postcard, banks are able to instantly screen the address change and allow them to update or populate the new address into their Customer Information File. For the consumers that do not notify the institution or the post office, these customers end up in the lost category. In these cases, institutions can automate their return mail processing systems to send customer information to third party providers to find the customer at the new address. Moving from a mail-strategy to an automated risk-based system When it comes to loss of interchange revenue and decreased customer satisfaction due to placing a hold on replacement or emergency cards, we again see the ability to significantly and positively impact the customer experience and the bottom line. By moving to a risk-based real-time solution, resolution is immediate. As such, cards no longer need to be placed on hold as is required if you are sending letters. The institution is able to take action immediately on high risk cases and allow normal account maintenance activities to be performed. The result is no loss in interchange revenue as well as increased customer satisfaction. Impacts Mail Strategy Risk-Based Approach Fraud Losses $ 4.30 $ 2.15 Postage Costs $ 2.00 $ - Return Mail Costs $ 1.90 $ 0.63 Interchange $ 3.80 $ - TOTAL $ 12.00 $ 2.78 When you add it all up, the impacts of moving to a risk-based approach are substantial. From above, we see the opportunity to reduce the average cost of an address change from $12.00 to less than $3.00. For a bank with 100,000 customers and a 10% annual address change rate, this can result in an annual savings of over $90,000.
CONCLUSIONS When you look under the hood at the anatomy of a typical address change, there are many touch-points within the institution producing many outcomes some good and some bad. Many times these impacts are not fully realized. For those institutions maintaining a manual process to screen address changes, they continue to spend more than they should, see more fraud than they should and lose more customers than they should. For those that are now moving to an automated risk-based approach, they are able to significantly reduce the costs, catch more fraud and realize more opportunity. For more information, please visit us at www.idinsight.com, or give us a call at 1.877.749.8731.