Surety Bonds as Consumer Protection

Many people associate the phrase “licensed and bonded” with business transactions involving service industries like janitorial services, contractors, house cleaners, and car dealerships. However, surety bonds are incredibly prevalent in all spheres of business in the United States today and some of the most critical bonds from a consumer protection standpoint are found in industries like mortgage and insurance brokerage, surplus lines, and other more ‘white collar’ areas of the business sector.

Surety bonds are in place primarily to protect consumers against fraud during business dealings of many different types. Generally, a business becomes bonded because state, local, or federal regulations require it to hold a surety bond of a certain amount (which varies by industry). The bond acts as an added protection for whoever does business with the bonded company, ensuring that the company will act in a lawful and ethical way in all business dealings. If there is a claim filed against the bond, the bonded company is responsible for paying damages or making restitution to the wronged party, up to the full face value of the bond. For example, in the case of a Michigan surety bond, a mortgage broker must be bonded up to $25,000, which means that if the broker acts unethically or engages in fraudulent lending activity, he or she may have to pay up to $25,000 to the consumer who was damaged by the illegal actions.

As the economy began to decline several years ago, many mortgage brokers were making increasingly risky loans to borrowers and engaging in fraudulent lending practices simply to get an edge on the incredibly competitive home loan market. Their actions resulted in a whole subset of borrowers who couldn’t make the payments on their loans because their finances were not sufficient, or borrowers that eventually defaulted on their loans due in part to poor credit history or lack of financial readiness. While surety bonds can’t completely eliminate this type of predatory lending activity, they can drastically reduce it by holding lenders accountable for their actions and providing a financial disincentive to conduct lending without appropriate financial documentation from buyers. In all cases of predatory lending with a bonded lender, borrowers have the opportunity to file a complaint and have their case heard, as well as potentially being compensated for their losses resulting from the activity.

The act of becoming bonded represents, for the bonded company, an agreement to conduct its business within the legal confines of its locality, state, and country. I cannot overstate the importance of making sure that any business that you do with companies eligible for bonding is done with companies that are actually licensed and bonded. The financial implications of doing otherwise are just too great.

Data Mining & Analysis vs. Predictive Modeling

Complementary but Different Facets of Risk Management
Fraud prevention and risk management professionals are familiar with both data mining/analysis and predictive modeling as tools of the trade, and the two are often discussed in conjunction with each other. In practice, although one (data analysis) is often part of the other (predictive modeling), the two represent different facets of risk management.

Data Mining and Analysis
Data mining and analysis has been used as a fraud detection technique for decades. The general concept is that historical data is gathered and analyzed in an effort to further understand it. Several methodologies have proven effective with data analysis, especially in the field of forensic accounting. Some of the more common techniques include the use of filters, expressions/equations, gap detection, statistical analysis, duplicate detection, sorting/indexing, summarization, stratification, cross tabulation/pivot tables, aging, joining/relating, trend analysis, regression analysis, parallel simulation, Benford’s Law, digital analysis, sampling, or the combination of one or more of these techniques.

The general idea is that when performing one or more of the above, suspicious or outlier data is discovered that may indicate the presence of fraudulent or abusive behavior. Alternatively, data that is already known to be fraudulent may be analyzed in an attempt to determine similarities or profiles that seem to be tied to fraud. Numerous software applications have been created to assist with the data analysis work. CaseWare International’s IDEA and ACL Services’ ACL Desktop Edition are two examples. Many data analysis efforts defer to the “poor man’s data analysis tool”, otherwise known as Microsoft Excel. Those who have used Excel extensively will testify that it can be a very effective data analysis tool. It just might take a bit more manual intervention than some of the “prepared” data analysis programs mentioned earlier.
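Three of the techniques listed above (Benford's Law, duplicate detection, and gap detection) applied to a small ledger, as an added example that is not part of the original article. All amounts, vendor names, and invoice numbers are constructed, and the 5,000 approval limit is an assumption made for the illustration.

```python
import math
from collections import Counter

CHI2_CRIT_8DOF_05 = 15.507  # chi-square critical value, 8 d.o.f., p = 0.05

def leading_digit(amount):
    """First significant digit (1-9) of a non-zero amount."""
    return int(f"{abs(amount):.15e}"[0])

def benford_chi_square(amounts):
    """Chi-square distance between observed leading digits and Benford's Law."""
    observed = Counter(leading_digit(a) for a in amounts if a)
    n = sum(observed.values())
    stat = 0.0
    for d in range(1, 10):
        expected = n * math.log10(1 + 1 / d)  # Benford share of digit d
        stat += (observed.get(d, 0) - expected) ** 2 / expected
    return stat

def find_duplicates(records):
    """Duplicate detection: (vendor, amount) pairs billed more than once."""
    counts = Counter((r["vendor"], r["amount"]) for r in records)
    return sorted(key for key, c in counts.items() if c > 1)

def find_gaps(records):
    """Gap detection: invoice numbers missing from the observed range."""
    nums = {r["invoice"] for r in records}
    return sorted(set(range(min(nums), max(nums) + 1)) - nums)

# Constructed sample data (not from the article).
ORGANIC = [round(10 * 1.07 ** k, 2) for k in range(200)]  # spans ~6 orders of magnitude
CLUSTERED = [4000 + 7 * k for k in range(120)]            # all just under an assumed 5,000 limit
RECORDS = [
    {"invoice": 1001, "vendor": "Acme", "amount": 1250.00},
    {"invoice": 1002, "vendor": "Birch", "amount": 310.40},
    {"invoice": 1003, "vendor": "Acme", "amount": 1250.00},
    {"invoice": 1005, "vendor": "Cobalt", "amount": 87.15},
    {"invoice": 1008, "vendor": "Birch", "amount": 310.45},
]

if __name__ == "__main__":
    for name, data in (("organic", ORGANIC), ("clustered", CLUSTERED)):
        stat = benford_chi_square(data)
        print(f"{name}: chi2={stat:.1f} suspicious={stat > CHI2_CRIT_8DOF_05}")
    print("duplicates:", find_duplicates(RECORDS))
    print("gaps:", find_gaps(RECORDS))
```

A statistic above the critical value only marks the set as an outlier worth review; it does not by itself establish fraud.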

Predictive Modeling
Over the years, many modeling methodologies have been developed in the finance sector in an effort to put data mining to use by predicting and preventing the occurrence of fraud. Industry-specific SaaS and enterprise offerings have been created to address particular pain points. In the Card Not Present realm, CyberSource’s Decision Manager, 41st Parameter’s FraudNet, and Accertify’s Interceptas are a few among many offerings focused on fraud prevention.

Reactive vs. Proactive
The conceptual differences between data mining and analysis vs. predictive modeling could be illustrated as follows:

Proactive              Reactive
Predictive Modeling    Data Mining & Analysis
Fraud Prevention       Fraud Detection

If my main concern is the detection of existing or historical fraud, I will be most interested in data mining and analysis. On the other hand, if I am focused on preventing fraud before (or while) it occurs, I will spend most of my efforts on predictive modeling. And of course, if my risk management agenda encompasses both concerns then I will create policies that include both reactive and proactive activities.

Although predictive modeling is a separate activity, it is not divorced from the data. In fact, for predictive models to be effective they must be based on assumptions made from analyzing available data. The difference is that on one hand you are mining and analyzing data and on the other hand you are creating a model or function that determines what occurs if particular types of data are encountered. Think of predictive modeling as the “next step” after data mining and analysis has occurred. Now that you know what the fraud looks like, you are trying to predict and prevent it from happening again.

Is CDI Finding its Way Into the Norm?

How many people remember the Big Brother scare surrounding the Processor Serial Number (PSN) embedded in Pentium 3’s (and some Pentium 2’s) back in 1999-2000? Despite some of the technical community stating that the PSN was not a solid identifier, as it could be easily masked (or, conversely, “forced” to reveal itself), Intel created quite the scare among large groups of people. Eventually, in April of 2000, the company announced that they would not include the PSN in the forthcoming 1.5GHz Willamette chip. An anonymous Intel engineer was quoted telling Wired magazine, “The gains that it could give us for the proposed line of security features were not sufficient to overcome the bad rep it would give us.”

Jumping ahead 9 years, in mid-September of 2009 I noticed an announcement by ThreatMetrix, touting an opposite reaction to the idea of tracking a device. Evidently, a study done by Ponemon Institute found positive consumer reaction to the concept of CDI (Client Device Identification – sometimes called device ID or device fingerprinting) as part of a fraud prevention/consumer protection strategy. The article states that a significant percentage of surveyed individuals is more amenable to having their computer profiled/identified than to having to remember a password or submit to other typical security standards.

If the attitude expressed by the respondents in the Ponemon study is representative at all of the populace as a whole, could it mean the idea of device identification is no longer a scare to consumers?

The key may rest upon the question of whether or not Personally Identifiable Information (PII) is associated with the device IDs being created. The Ponemon study reveals that consumers are comfortable with a device ID concept as long as personal information is not tied to it.

This is pretty much what today’s device identification vendors are marketing. The technology is intended to create a unique identifier surrounding a device without the need to collect any PII. Some of the device ID elements may be used to tell the technology vendors specific information that is critical to judge the threat level of a transaction (for example, IP geo-location information, time differentiation, browser language, etc.). This information can be scored in some way or forwarded directly to a client company to assist them with filtering suspicious transactions. Since the client company often has individual account information for its visitors, it may combine device ID information with its own customer data to provide an even deeper profile (for example, account-to-device relationships).

Critics of device ID complain that a unique fingerprint is not always attainable, and that savvy users can spoof, change, or substitute a device ID. In response to the first concern, how many fraud prevention technologies are 100% accurate? And wouldn’t the absence of a device ID be cause for concern by itself, depending on the application? As far as the second concern goes, which fraud prevention technologies are immune to user tampering of any kind? Add to this the fact that most CDI vendors have the ability to tell when a device ID has been tampered with in some way, and the confidence level is not degraded significantly (would a device ID that had been tampered with, or that came back differently than expected, not be cause for suspicion?).
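A sketch of the ideas in the last two paragraphs, as an added example that is not from the original article or any vendor's product: a device ID derived only from non-PII attributes, with a missing ID, a changed ID, and a clock/IP mismatch each treated as a signal to score. The attribute names, weights, account limit, and sample events are hypothetical.

```python
import hashlib

# Hypothetical attribute names: device/browser traits only, no PII.
FIELDS = ("user_agent", "screen", "timezone_offset", "language", "fonts_hash")
# Hypothetical weights and limit, chosen only for this illustration.
WEIGHTS = {"device_id_missing": 40, "new_device_for_account": 25,
           "many_accounts_on_device": 30, "timezone_ip_mismatch": 20}
MAX_ACCOUNTS_PER_DEVICE = 3

def device_id(attrs):
    """Hash the non-PII attributes into a device ID; None if any is absent."""
    if any(attrs.get(f) in (None, "") for f in FIELDS):
        return None
    canonical = "|".join(f"{f}={attrs[f]}" for f in FIELDS)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def risk_signals(event, known_devices, device_accounts):
    """Signals for one event. known_devices maps account -> device IDs seen;
    device_accounts maps device ID -> accounts seen (the client's own data)."""
    signals, attrs, acct = [], event["attrs"], event["account"]
    dev = device_id(attrs)
    if dev is None:
        signals.append("device_id_missing")           # absence is itself a signal
    else:
        seen = known_devices.get(acct)
        if seen and dev not in seen:
            signals.append("new_device_for_account")  # ID came back different
        if len(device_accounts.get(dev, set()) | {acct}) > MAX_ACCOUNTS_PER_DEVICE:
            signals.append("many_accounts_on_device")  # account-to-device relationship
    tz = attrs.get("timezone_offset")
    if tz is not None and tz != event["ip_geo_utc_offset"]:
        signals.append("timezone_ip_mismatch")        # device clock vs. IP geo-location
    return signals

def score(signals):
    """Sum the weights of the raised signals."""
    return sum(WEIGHTS[s] for s in signals)

# Constructed sample data; offsets are minutes from UTC.
BASE = {"user_agent": "ExampleBrowser/1.0", "screen": "1920x1080",
        "timezone_offset": -300, "language": "en-US", "fonts_hash": "a1b2"}
KNOWN = {"acct-1": {device_id(BASE)}}
ON_DEVICE = {device_id(BASE): {"acct-1"}}
USUAL = {"account": "acct-1", "attrs": BASE, "ip_geo_utc_offset": -300}
BLANKED = {**USUAL, "attrs": {**BASE, "fonts_hash": ""}}
CHANGED = {**USUAL, "attrs": {**BASE, "screen": "800x600", "timezone_offset": 480}}
```

Note that no name, e-mail address, or account detail enters the hash; the account-to-device mapping stays with the client company that already holds that data.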

As is frequently stated by fraud prevention professionals, “there is no silver bullet”. The same holds true for CDI. As always, the winning solution is the combination of various technologies in a layering effect. Despite the fact that CDI has inherent weaknesses, as do all of the prior fraud prevention technologies, it is providing tremendous benefit to many companies, ranging from credit and loan issuers to social networking sites to online retailers. This is especially true when layering it with other effective technologies.

As online business continues to expand, it is pleasing to see consumer fear of new technologies, including device fingerprinting, beginning to diminish. I believe that CDI, and other related technologies that tie into the actual devices being used, will become one of the most effective, powerful tools in preventing online fraud and abuse. As long as CDI is used responsibly, including maintaining concern for where and how PII elements fit into the picture, consumers and businesses alike will see significant benefits from this technology.