One CU takes a three-tiered approach to identity verification in the call center.
This is bonus coverage from “Who’s There” in the September issue of Credit Union Management magazine.
To keep up with its growth from $400 million to $1.5 billion in just five years, Connexus Credit Union, based in Wausau, Wis., took “a deep dive into member identity verification and took a fresh look at our practices,” reports Marita Hattem, who served as the CU’s chief experience officer after being a health care executive and a member of the CU’s board. She’s now president of MidMichigan Health Medical Centers. “We wanted to be sure we maintained adequate security without interfering with a great member experience.”
The critical interface, the CU found, was the customer service or call center, where Connexus CU employs 23 staffers. “That’s where the phone calls and online chat sessions occur,” Hattem notes. “It’s where it’s easiest for a fraudster to impersonate a member because we can’t see a face or look at a driver’s license. We were using identifiers readily available on Facebook—birth date, address, etc. That was inadequate, so that’s where we focused our attention.”
The answer is a three-tiered approach. For the least risky inquiries (a loan payment due date, a branch location, branch hours, when paperwork was mailed), Connexus CU pretty much uses the same tests it had been using, but also confirms that the phone number of an incoming call matches the phone number on file for that member.
If it doesn’t match, or for transactions with more risk (registration for online banking, money transfers, withdrawals within a certain range), the CU can send a one-time password to a registered device other than the one being used to contact the CU, in addition to the level one steps. To be authenticated, the member then has to enter that password.
For transactions that require the greatest security (international wires, password resets, large withdrawals), Connexus CU uses all of the above plus challenge questions drawn from the huge Lexis/Nexis database. These are knowledge-based questions that presumably only the real member would know how to answer, Hattem explains. Knowledge-based questions use data collected by credit bureaus or other third-party data aggregators that can draw on a lot of detailed personal data about the member. Those are usually presented as a series of multiple-choice questions, such as “Which of the following is not an address where you once lived?” or “Which of the following publications have you ever subscribed to?”
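The three tiers above can be expressed as a step-up policy. The sketch below is an added example, not Connexus CU's system: the request identifiers, the 10-digit phone comparison, the top-tier default for unknown requests and the supervisor fallback when no other registered device exists are all assumptions.

```python
import re
from dataclasses import dataclass

# Request categories come from the article; the identifier strings are assumed.
TIER = {
    "loan_due_date": 1, "branch_location": 1, "branch_hours": 1, "paperwork_mailed": 1,
    "online_banking_registration": 2, "money_transfer": 2, "withdrawal_in_range": 2,
    "international_wire": 3, "password_reset": 3, "large_withdrawal": 3,
}

@dataclass
class Contact:
    request: str
    contact_number: str        # number the member is calling from
    number_on_file: str
    registered_devices: tuple  # numbers enrolled to receive one-time passwords

def digits(number: str) -> str:
    """Compare numbers on their last 10 digits (assumes US formatting)."""
    return re.sub(r"\D", "", number)[-10:]

def verification_plan(c: Contact) -> dict:
    tier = TIER.get(c.request, 3)   # assumption: unknown requests get the top tier
    caller = digits(c.contact_number)
    matched = bool(caller) and caller == digits(c.number_on_file)
    if not matched:
        tier = max(tier, 2)         # a mismatch escalates; a match never lowers the tier
    checks = ["basic_identifiers", "caller_number_match"]
    otp_device, supervisor = None, False
    if tier >= 2:
        checks.append("one_time_password")
        # The password must go to a registered device other than the one in use.
        others = [d for d in c.registered_devices if digits(d) != caller]
        if others:
            otp_device = others[0]
        else:
            supervisor = True       # assumption: no eligible device goes to a supervisor
    if tier == 3:
        checks.append("knowledge_based_questions")
    return {"tier": tier, "caller_number_matched": matched, "checks": checks,
            "otp_device": otp_device, "supervisor_review": supervisor}

# Constructed sample contacts (555-01xx numbers are fictional).
ON_FILE, SECOND = "(715) 555-0134", "715-555-0177"
samples = [
    Contact("branch_hours", "+1 715 555 0134", ON_FILE, (ON_FILE, SECOND)),
    Contact("branch_hours", "608-555-0190", ON_FILE, (ON_FILE, SECOND)),
    Contact("international_wire", "7155550134", ON_FILE, (ON_FILE,)),
]
if __name__ == "__main__":
    for s in samples:
        print(s.request, verification_plan(s))
```

The second sample shows a low-risk inquiry stepping up to a one-time password because the incoming number does not match; the third shows a top-tier request where the only registered device is the one in use.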
“CUs have a lot of flexibility,” notes Pem Guerry, executive vice president of Chattanooga, Tenn.-based SIGNiX. “They can ask one question or several. They can let an applicant skip a question. They can have follow-up questions in case an applicant gets one wrong. There’s a lot of room for a CU to customize the process.”
Even when it takes a few minutes to authenticate a member, “they never complain as long as we explain what we are doing and why,” Hattem reports. They do complain sometimes if they have to show a driver’s license at a branch, she notes. She tracks the complaints.
“I read the logs of the concerns we hear, and most of the complaints are from people other than the member who think they should be able to act on behalf of the member—a spouse, parent, sibling, child or close friend. The connections could be legitimate; we don’t know. But they can get pretty petulant when we won’t let them transact.” Notably, if a contact passes all the tests, but the rep still isn’t satisfied, he or she can kick it up to a supervisor.
Biometrics aren’t very helpful, Hattem says, because “most of our contacts are virtual so there’s not a body present to match against a marker on file.” Voice recognition is under review, but “we don’t have enough recorded speech on most of our members to establish a voice pattern to match against,” she explains.
Richard H. Gamble is a freelance writer based in Colorado.