I was looking at Geezeo's new Facebook app this morning (more on that later), and I noticed one of the best credit report monitoring ads I'd ever seen. 

Instead of focusing on the negative aspects of your credit history, the banner ad features "testimonials" of the significant savings available with good credit (the banner above claims a $310 savings in her house payment). The stories are provided under the header, "Credit Diagnosis." And, I was initially impressed after clicking through the ad to find a good, landing page with more of the same.

However, the mostly-anonymous company behind the banner, FreeCreditReportsInstantly.com uses a $1, 7-day trial come-on for its $29.95/mo credit report monitoring service. I have no problem with the company charging what the market will bear. And to its credit, FreeCreditReportsInstantly (FCRI) does disclose the go-to fee on the first page of the application. But I think the typical young Facebook user is not going to be happy seeing $29.95 monthly fees on the credit or debit card.   

Why would anyone pay $360/yr for credit monitoring?
The Internet was supposed to make it hard for companies to charge 2x to 3x the going rate when dozens of competitors were just a few clicks away. But here we have a company doing just that and evidently bringing in enough revenue to afford a Facebook ad buy, not to mention holding down the number 3 ad slot on Google searches for "free credit reports" (note 1)?

The answer is complex. It has to do with consumer confusion over the whole business of credit scores, ID theft, and the government-mandated free reports which is what most Googlers are looking for when they type "free credit report." And consumers must share part of the blame too. In a rush to get "something for nothing" they blindly fill out "free trial" forms without reading the fine print or taking time to investigate alternatives.

Taking the high road
But the dizzying array of credit monitoring options provides an opportunity for banks and credit unions to do the public a great service, and turn a nice profit, by educating their customers and offering value-priced alternatives: 

1. Credit scores/monitoring: Instead of pushing credit monitoring services that are too confusing and too expensive for the mass market, provide customers with their credit score each month, and if it takes a dive, alert the customer and provide the tools to access their credit report to investigate any potential problems (see our post yesterday and note 2).
2. Identity fraud support: Citibank's Identity Theft Solutions advertising blitz was a nice humorous break from most bank advertising. However, I think it did a disservice by making full-blown identity fraud seem more commonplace than it really is. Consumers needn't be frightened, they need to be careful, they need to understand what to look for, and they need to know where to turn in the event of suspected fraud.

And since most banks and credit unions don't have the resources to provide full-service fraud assistance, turnkey solutions providers have stepped up to fill the need. We are lucky to feature one such company at our Finovate conference next Tuesday in NYC.

Full-service education and victim response from Identity Theft 911
Five years ago, I met the entire Identity Theft 911 team when they were in Seattle making sales calls. It was refreshing to see someone in the identity fraud space taking a genuine interest in helping the end-user out of a jam, rather than simply trying to get them on the hook for a $150+/yr monitoring service. And over the years, I've kept in touch with the company chairman, Adam Levin, as he's worked the trade shows to garner support for Identity Theft 911 and his other company, Credit.com. Adam will take the stage Tuesday morning in NYC to demonstrate the full range of his company's resources to help banks and credit unions make their customers feel MORE secure, rather than more afraid (see screenshot below of AFL-CIO Employees Federal Credit Union's Identity Theft 911-powered services, link here).  

Note:
1. Search performed from Seattle IP address mid-morning on 26 Sep 2007.   

2. For more information on credit monitoring, see the latest Online Banking Report here.

Intersections, with 4.7 million subscribers (as of March 30, 2007), is a leader in the U.S. credit monitoring business. Its private-label programs are offered by Bank of America, Capital One, Discover, Citibank and many more leading financial institutions. I have personally used the Intersections service for nearly a decade through its distribution agreement with American Express, a partnership which ended last year.

Last year, Intersections redesigned its core consumer-direct website, Identity Guard, to feature four levels of protection (see screenshot below):

1. Good Start (single-bureau monitoring only): Free for six months, then $4.99/mo
2. Watchful Eye (above plus Internet fraud database scanning and quarterly credit report and score): $7.99/mo or $69/yr
3. Extra Caution (same as above, but expanded to all three credit bureaus plus $20,000 id theft insurance): $12.99/mo or $119/yr
4. Total Protection (above plus constant scanning of public record databases): $17.99/mo or $159/yr

Analysis
The free six-months of service is a great way to get customers accustomed to using a daily monitoring service. However, the company does themselves a disservice by completely ignoring the obvious customer question: What happens after six months? As far as I could tell there is no way to get an answer to that question without calling or emailing prior to starting the application (see note 1). That's unacceptable for any eCommerce application, but especially in credit monitoring, which has had its share of questionable marketing practices.

We'll look at the Identity Guard application process and products in detail in our upcoming new report, Online Banking Report: The Market for Fraud Protection, Identity Theft, and Credit Monitoring Services (available at the end of July here).

Identity Guard homepage showing four product choices

Note:

1. My first email about the potential fee has not been answered or confirmed 48 hours later. But my call to customer service this morning was answered promptly, I was speaking with someone in about 50 seconds from dialing. He was a little unsure of the fee, saying "I believe it's $5.95/mo" and he "thought" that yes, you would be charged automatically to a card entered at signup. But overall, he did a decent job answering my question and surprisingly did not try to get me to signup even though I was obviously hesitant.  

I never understood the fight against Wal-Mart's limited-purpose banking charter. I say let it "enjoy" all the benefits of being a bank: CRA statements, regulatory audits, compliance committees, and endless questions about trigger terms and the alphabet soup of regulations. Maybe a banking charter would have distracted it from going ahead and providing pretty much the same thing, but as a non-regulated retail partner instead of a bank.   

Take Kroger for example. They are entering the financial services arena through their retail grocery stores with a menu of financial products outsourced from other companies (link here; also see note 1 and screenshot below).

According to a story Monday in the Lexington (KY) Herald-Leader (here), the grocer began quietly rolling out the services to its 2400 stores in February. Most of the  services are sourced through various Royal Bank of Scotland units.

Other than deposits, it's a full-service offering including:

• Credit card issued by RBS National Bank (a unit of Royal Bank)
• Mortgages through a joint venture with CCO Mortgage (a unit of Royal Bank)
• Home equity loans through Charter Bank (a unit of Royal Bank)
• Gift cards issued by Charter Bank
• Pet insurance through PetFirst Healthcare
• Identity theft services through Trilegiant's PrivacyGuard

Analysis
Kroger's product offering seems reasonable and no doubt will have good visibility in the company's stores. But few of these items are impulse buys and much of the success will hinge on whether the Royal Bank phone sales agents can close the deals. The item that has the best chance of earning its keep: pet insurance, a surprisingly popular search term (see Online Banking Report, #95) and one that can be cross-sold effectively with other pet items. 

Will Kroger Personal Finance be be a success? With low fixed costs, it might turn a nice profit, but probably not nearly as much as the rent that bank clients pay for in-store branches (a core Wal-Mart strategy). But will it impact the industry? Highly unlikely.

I'm sure Wal-Mart will be following this rollout closely. If they find it's working at Kroger, you can bet they'll be doing the same thing within a few years, and probably at much lower prices. So, if you think you've dodged the Wal-Mart Bank bullet, think again. 

Note:

1. The homepage of Kroger's personal finance site <krogerpersonalfinance.com>, is dominated by a pitch for its MasterCard rewards card. The only link so far to the broader offering is the "new products" link hidden on the right leading to the following page <krogerpersonalfinance.com/Max/KPFhome.htm>.

A group of private equity investors led by former Apple CEO John Sculley bought Indentrus last fall and have expanded its business goals. If they’re successful, the order-to-pay business, also called financial logistics, could get a needed shot in the arm.

Identrus—now called Identrust—had been a so-called root certificate authority, selling digital certificates to financial services companies. Under its new ownership, Indentrust will also be selling a managed, turnkey certificate capability to order-to-pay companies and their customers.

Digital certificates are the standard means of securely identifying online parties to each other, and if they’re widely adopted by the order-to-pay community—a group now confined to large corporations like General Electric—they could greatly expand that community by ensuring that the counterparties are who they say they are and minimizing the prospects of fraudulent transactions.

That would conceivably encourage more companies to use the concept, and if order-to-pay does finally get a significant foothold in the treasury-management operations of many corporations, it could transform the payments industry by automating a large fraction of the payments that shuttle back and forth between those firms.

Since most of those payments are expected to be sent via the automated clearinghouse, widespread adoption of order-to-pay would squeeze many business checks out of the payments system.

It would also accelerate the velocity of payments, since order-to-pay systems—there are at least ten of them, including products from US Bank, Bottomline Technologies, Harbor Payments and Xign—pay invoices when presented, instead of within as many as 90 days, as the game is currently paid.

That, in turn, would take the broader economy in unknown directions, since it would increase the liquidity and transparency of the users’ balance sheets, and make more money available to those companies for business purposes. That phenomenon is a good example of how technology not only improves business operations, but also changes both the nature and effects of that business.

The key to broadening order-to-pay has always been the authorization issue; it’s simply too easy to send the wrong person millions of dollars. Digital certificates are the standard solution to that issue, but the technical and administrative challenges they present to users have put a crimp in certificates’ widespread adoption outside of the financial services arena.

Resolving those technical and administrative problems is how Identrust plans to make its living, says Andrea Klein, the company’s chief marketing officer.

“The company has been re-focused on the corporate market,” she says. “Companies can put in a system themselves, but so far, we’ve seen that they want us to run it for them.” Identrust will use its large data center to administer those certificate operations for its customers, she adds.

Indentrust was created in 1999 as the Global Trust Organization by a group of large banks, including CitiGroup and ABN AMRO, to be their root certificate authority, or basic issuing organization. In 2002, it bought the Digital Certificate Trust Company from Zions BanCorporation and the American Banker’s Association. Fifty-five financial institutions use Indentrust digital certificates.

The company was supposed to have been profitable, but never really got there, despite its long reach into the financial services community and the company’s later expansion into issuing certificates to the U.S. government. “They just couldn’t figure out how to be profitable,” says Klein. “Their expertise is in how to do the business of banking, not in launching entrepreneurial companies.”

The new ownership—all entrepreneurial business people—may change that. Last summer, an investor group including Rho Capital Partners—where Sculley is a venture partner—and Enterprise Partners bought the company for $20 million from the original owners. Sculley is chairman, and Karen Wendel, Identrust’s long-time CEO, kept her office. Enterprise is represented by managing director Carl Eibl. Jean Levine, an independent investor, is also involved, and Zions retains a stake in the firm.

One indication Identrust now has a good shot at profitability: TWIST (the Transaction Workflow Innovation Standards Team) has incorporated Identrust’s digital certificates into their supply chain standards. TWIST is a nonprofit group that sets global, XML-based standards for wholesale financial transactions, commercial payments and collections, and cash-management processes.

The combination of the new ownership, its expansion into order-to-pay, and Identrust’s willingness to administer certificates for their customers may turn the company around, says Penny Gillespie, president of Gillespie International.

“If the market isn’t ready (to widely adopt certificate authentication), it should be, but two things have had to come into alignment for that to happen,” she says. “The market has had to realize it has a need, and the product has to be easy to use. It just can’t be as cumbersome as it has been in the past. If (administration) is outsourced, and not cumbersome to the user, it could be a very good idea.” (Contact: Identrust, Andrea Klein, 415-848-2527; Gillespie International, Penny Gillespie, 703-815-0706)

It’s a long time since the public considered the phrase “computer security” to be an achievable state instead of the game it is: Forty announced data breaches since January 1, affecting banks, brokerages, schools, government offices and other institutions have taken care of that.

And some of these breaches are dangerous to consumers and the payments industry, however the companies involved might try to spin the news, or keep it quiet. Consider, for instance, the March 8 event in which 17.8 million files supposedly stolen from Deerfield Beach, Fla.-based iBill Inc. were posted online. The files included names, phone numbers, addresses, e-mail addresses, Internet IP addresses, logins and passwords, credit card types and purchase amounts. iBill mainly handles payments for adult sites.

The company says the stolen data wasn’t theirs, and, aside from a few blog entries, the incident pretty much escaped media notice. But the data, which was posted on sites used by phishers, came from someplace, and whether this particular hack ever makes it into the major media or not, the point is that it’s just another example of how dangerous the current security environment is for the people on whom the industry depends for its existence.

After all, March was also the month when an international debit card breach splashed all over the media, several laptops carrying hundreds of thousands of customer files were lost, news surfaced that the spoils from a recent phishing attack were routed to the Bank of China, and the long-awaited data security bill was reported out of Congressional committee.

Since accepting payments online depends on the willingness of consumers to make them in the first place, the unending stream of announcements is more than a form of water torture for the payments industry. It’s more like a death from a thousand cuts: Every announcement is another reason for people to use websites to shop online, but not buy.

That latent danger would eviscerate altogether the case for online commerce. And the industry can forget about significantly watering down the data security bill in an election year—if the reader will forgive us for repeating ourselves, supporting it is a natural posture for grandstanding politicians.

As a result, it’s not good enough anymore for the world of e-commerce to get by with catchy ad campaigns about how the industry is looking out for its customers; it’s going to have to prove that sending money online is safe, and give customers useful tools to avoid problems in the first place—not just fix things after the fact—or risk undermining the enterprise.

That last would be a shame, not to mention a self-inflicted wound. The market for online commerce is already proven, and growing at a respectable rate. According to the U.S. Census Bureau, it grew in the last quarter of 2005 by 23 percent over the fourth quarter of 2004, compared with overall retail sales growth of 6 percent in the same period. And while e-commerce sales are nothing compared with overall retail receipts—2.4 percent of the fourth quarter’s adjusted $960 billion—it’s clear that e-commerce is a fixture of modern life, and online sales are a healthy growth area for card payments of all stripes.

To its credit, not every financial institution has its head in the sand. Bank of America has been proactive in this arena, as have E*Trade and MasterCard. But too many institutions seem to be clinging to the idea that they don’t have to do much to plug the holes in their online security walls, as long as new accounts outnumber lost accounts, and that saying they’re looking out for their customers is as good as actually looking out for their customers. In an era of eroding faith in institutions of all sorts, the credibility gap between ad campaigns and common sense in this particular arena has to be zero, or that’s where customer confidence will go.

This approach isn’t just shortsighted bean-counting; it’s the equivalent of avoiding a visit to the doctor because it might uncover an expensive disease. In the long run, lack of preventive maintenance could prove equally fatal to these institutions’ bottom lines. After all, the main argument for committing to online commerce is that it’s a cheap replacement for tellers, sales clerks, and real estate.

If people stop using the online channel, those financial firms that refuse to take their metaphorical castor oil will find themselves saddled with higher transaction costs, lower profits, and, eventually, lower share prices. Looked at that way, investing in serious computer security for customers is a wise outlay, and not an opportunity for hair-splitting arguments about saving on overhead: That last strikes us like arguing that you don’t need a roof, because you live in the desert.

One thing that can be done: The industry can adopt one of the existing systems that match customer buying profiles with individual transactions, so that possible fraud can be stopped at the point of sale, instead of letting the transaction go through, protecting the consumer later, and making the merchant eat the loss. Cheap? No. But a powerful tool against crime.

Another? Segue in the United States from the ubiquitous mag stripe to chip cards. Upgrading all those ATMs and point-of-sale terminals would certainly be pricey, but it would also reinforce customer confidence that sooner or later has to totter. Let’s just hope the average consumer never finds out that a mag stripe card can be created with a card blank, a piece of magnetic tape, and an iron.

The same week that Pay By Touch settled outstanding government claims against CardSystems, news of a new computer breach that could be at least as damaging emerged from California, while keylogging made the front page of the New York Times.

Continue reading "News from the Online Fraud Cyberwar" »

Judging by media reports, almost everyone in the civilized world has lost their identity to cyber-criminals. But while there has been an unending torrent of news about data breaches and related identity thefts, the damage has been much less drastic than that, says a study from Javelin Strategy & Research.

“The impression in the general public is that identity fraud is spiraling out of control, but what we came away with is the contrary; the growth [in the phenomenon] has been contained,” says Rubina Johannes, the Javelin research analyst who wrote the report.

Continue reading "The Truth about ID Theft from Javelin Strategy" »

Building on last year's FTC study, Javelin Strategy & Research and the Better Business Bureau, released the latest study of financial fraud and identity theft in the United States. A similar level of fraud was found in the late-2004 polling compared to the FTC survey fielded in mid-2003.

Both studies found that just under 5% of U.S. adults, around 10 million, had been victimized in the prior 12 months, with total losses, primarily to financial institutions, of about $50 billion.

One of the major conclusions is that consumers are more likely to be victimized through offline methods compared to online methods, leading Javelin to conclude in their press release:

Internet-related fraud problems are actually less severe, less costly and not as widespread as previously thought.

However, this conclusion that is disputed in Bob Sullivan's MSNBC article by both Gartner's Avivah Litan and FTC attorney, Lois Greisman.

Here are the key findings:

How was your personal information obtained (i.e. stolen)?
     6%  via online methods
     36% via offline methods
     58% don't know

There are two ways to look at those numbers.

The Javelin take: Of those that know how it happened, offline identity theft outnumbers online identity theft 6-to-1, so let's not overstate the online threat.

The Gartner take: In consumer research, much of the online fraud will be self-reported in the "do not know" category, so the data is inconclusive. Avivah Litan says in the MSNBC article:

The general population doesn't really know how the information is stolen especially, with credit card fraud. If you do have a good guess, it usually is because you are in a fight with family member or neighbor. The study is biased towards people who know how it happened.

Our Take
Anytime you have a survey where the majority of participants select, "don't know," it is difficult to draw precise conclusions.

We think these results are promising for the fraud-fighting potential of the online channel, but they don't vindicate it either.

If you assume that the same 6-to-1 offline/online ratio applies to the "don't know" category, that means about 10% of last year's identity theft occurred via online methods, or 1 million cases costing $5 billion dollars.

Regardless of what the analysts say, that's a problem that needs fixing.

-- JB

Resources:

• Javelin's 2005 Identity Fraud Complimentary Report Summary
• Javelin's press release
• Better Business Bureau Press Release
• 2003 FTC study

• MSNBC - Study: 9.3 million ID theft victims last year

Resolution from Identity Theft 911

What if there was a way to reduce fraud losses, reassure wary users, and help fraud victims get their financial life back in order, all at little or no out-of-pocket cost? It does sound too good to be true, but look what San Francisco-startup Identity Theft 911, LLC offers:

• ·      Up-to-date, professionally written articles on various fraud fighting topics
• ·      Fraud preventions tools such as credit report monitoring, locking mailboxes, and virus protection software
• ·      Victim assistance center staffed by former bank fraud service reps
• ·      Modern security “look and feel”

The Company

We’ve been talking with the principals at Identity Theft 911, LLC for the past few months. The 10-person company founded just six months ago (May 2003), is in high growth mode. It currently has six associates dealing with customers, and plans to triple the staff by January. The Bay-area company taps a deep pool of experienced bank fraud specialists, many of whom have been displaced as major San Francisco financial institutions have moved fraud service centers to lower cost areas.

With so many shady firms pitching questionable credit repair services over the Web, we feel fortunate to have come across a company truly trying to make a difference in fighting this crime. Through their close relationship with TransUnion and TU’s credit monitoring subsidiary TrueCredit, ID Theft 911, has developed tools and services to help victims repair damage from an identity takeover. The company is also involved in user education and service offerings to help users protect themselves from the crime.

Currently, its services are delivered primarily through large employee-assistance programs (EAP) at major U.S. corporations. Typically, large companies contract with an EAP provider to handle employee identity theft questions and resolution for a fixed per-incident fee. Identity Theft 911 recently won a contract to handle victim resolution for AIG’s new Identity Theft Insurance plan. The company also markets directly to consumers through its website, and through co-founder Adam Levin’s other company, www.credit.com  , offering a variety of prevention services and products, along with its core victim-resolution service priced at $300 to $500 depending on the complexity.

Table 2

Consumer products and services

Source: Company, 12/5/03

Table 3

Management

Source: Company, 12/5/03

Financial Institution Opportunities

The company, looking to expand its reach and impact, is willing to partner with financial institutions to develop a wide range of fraud protection and resolution services. Potential offerings range from educational articles running on the bank website to full-scale, fee-based resolution services that could be private-branded for the bank. Wholesale pricing is less than $0.50/mo per customer across your entire base, $2 more if credit monitoring is offered. The company will also work with financial institutions on a revenue-sharing basis.

Financial institutions could potentially outsource their entire identity theft educational content and services to the company. A private or co-branded ID Theft Center could run on the bank’s server, with the content updated periodically by Identity Theft 911.

Another option is to provide ID Theft insurance as a promotional giveaway. www.Credit.com  just launched a promotion that provides one year of free ID theft protection (insurance through AIG, resolution services through Identity Theft 911) as a premium for signing up for credit report monitoring delivered through TrueCredit’s FreeCreditProfile service (see below).

Why work with Identity Theft 911?

Pros

• ·      Better customer satisfaction
• ·      Improved customer retention
• ·      Differentiation in the marketplace
• ·      Reduced fraud losses
• ·      Improved employee satisfaction knowing that professionals can handle tricky victim resolution and police reporting
• ·      Fee income/profits from preventions products and services
• ·      Makes entire website more credible and trustworthy

Cons

• ·      One more service provider to manage and run due diligence on
• ·      Less control over dialogue with the customer
• ·      Out-of-pocket costs

Contact

Steven Christenson, CEO

Identity Theft 911, LLC

550 15th Street, Suite 28

San Francisco, California 94103

(415) 321-1940

scc@idtheft911.com                                                    

http://www.credit.com/  is using identity theft insurance (from AIG, with resolution services from Identity Theft 911) as a free premium to entice users to signup for an $80/yr credit monitoring plan from TrueCredit.