Parliamentary Joint Committee on Law Enforcement
09/09/2014
Financial related crime

NEWTON, Ms Imelda, General Manager, Fraud and Identity Solutions, Veda

STOIANOFF, Ms Tanya Christina, General Manager, External Relations, Veda

STRASSBERG, Mr Matthew, Senior Advisor, External Relations, Veda

[13:45]

CHAIR: Welcome. Thank you all for coming along today and also for your submission to the inquiry. I now invite you to make an opening statement and we will then proceed to questions.

Mr Strassberg : Veda is a data analytics company with specific expertise in identity and fraud solutions. With us is Imelda Newton who has some important insights into identity verification using knowledge based authentication—a technique she will explain later to the committee. Members of the committee, today we seek your support for recommendations that will improve the capacity of identity verification processes and set a framework for greater public-private cooperation to fight identity and fraud crime. While our recommendations will improve the integrity of established identity sources, as Ms Newton will later explain, checks based on just documents or a narrow range of sources are flawed and are not best practice.

Identity verification obligations feature in various Commonwealth and state acts. It can be to open a bank account, sell a house or get a gun licence. However, the resources available to test identity vary. One resource—and you heard about it earlier—is the Document Verification Service. It is managed by the Commonwealth AGD and is answerable, in part, to state agencies. The DVS verifies the authenticity of a government issued identity document without the DVS or the issuing agency disclosing any information, so it is privacy enhancing. However, access to this critical infrastructure is only allowed for businesses with an identity obligation under a Commonwealth act. This restriction on access must end. Also, the cost of access for a business is far too expensive—all up, $5½ thousand per user. The subscription process itself is cumbersome. It is easier for a business to sign up to receive criminal checks on prospective employees than to join the DVS.

Fifteen months after opening, only 200 entities have applied. Consider the real estate agent letting a property or the utility providing energy. As the South Australian police submission points out, organised criminal syndicates are involved in cannabis-growing houses with rentals under false names. We ask that the committee recommend that the DVS should be open to any entity with a reasonable requirement to verify identity and have subscriber requirements similar to those used to subscribe to other government registers, such as ASIC's Personal Property Securities Register. We also note, reflecting the varying unreadiness of state registers, that the DVS cannot verify birth, death and marriage certificates online and in real time. This in the digital age needs remedying.

The electoral roll and information on credit reports are also important identity resources. Veda is one of six organisations nominated in the electoral and referendum regulations giving us permission, via signed agreement with the Australian Electoral Commission, to provide identity verification using the electoral roll. Similarly, use of credit reports for an identity purpose was the subject of amending legislation passed in 2010. In both instances, the manner of use is heavily prescribed, consistent with privacy impact assessments. However, despite this type of framework, using the electoral roll and credit reports can only be for identity verification under the AML/CTF Act—no other. We call for these two sources to be also available in the same manner, to fulfil identity obligations under any Commonwealth or state act.

Members of the committee: our recommendations on DVS, the electoral roll and credit reports add integrity to the first layer of identity checking. However, having established that a document is real, it is critical to then associate it with the person so claiming. Ms Newton will later explain how this is accomplished through knowledge-based authentication. Before that, I will finish with Veda's recommendations on fraud and closing regulatory gaps.

If Australia is serious about tackling fraud, we need better sharing of information between public and private agencies. We ask that the committee recommend the development of a policy framework to ensure that government agencies, including law enforcement agencies, can share suspected fraud data and have confidence in the private entities they share it with. The framework should include guidance on what information is suitable for release and how it should be released and an accreditation scheme for fraud-analytic providers. Ultimately, a MoU should cover both Commonwealth and state agencies.

With regard to regulatory gaps, we are mindful that AUSTRAC will later appear before the committee. We note that there is significant challenge to identifying the ultimate beneficiary in commercial lending. It is important to track how funds are moved and to know who they are ultimately moved to. We understand the United Kingdom has decided in principle to establish a beneficial ownership register. We ask the committee to recommend that Treasury lead a working party of regulators in industry to scope out what a beneficial ownership register would look like and how it could operate in Australia.

Finally, with regard to AML/CTF we note a longstanding unfulfilled obligation with regard to so-called tranche 2 entities—lawyers, real estate agents and jewellers. 'Know your customer' requirements should apply to these entities' transactions. Through these channels, money laundering can be suspected but it is not yet measured. Coverage of them is supported by the ADA, with the start of national electronic conveyancing. It is an ideal time to extend AML/CTF obligations to cover real estate agents. Members of the committee, Ms Newton will explain what is meant by knowledge-based authentication and how it contributes to better checking of identity.

Ms Newton : It may be worth pointing out why identity is such an important issue to us and our customers. Through our fraud business we have seen a huge increase in the use of stolen identities—identity takeovers, as opposed to the use of fictitious identities. It was the increase in that fraud that gave rise to us developing a technique called knowledge-based authentication. Knowledge-based authentication uses a technique to associate a proven identity with the person presenting it or claiming it to be theirs. The technique uses out-of-wallet questions that you ask of the person. By 'out-of-wallet' I mean that the answers to the questions will not be found in your wallet. So it is not a driver's licence number, a Medicare number or a number of someone else who might appear on your Medicare card. We are able to generate those questions based on data that we hold at Veda.

Before I move on to that, it might be worth pointing out that knowledge-based authentication should not be confused with what are commonly known as secret questions. Secret questions are generally set up once you already have a relationship with an organisation. You may have set some up with the banks that hold your personal bank accounts. They are usually things like: what is the name of the school you first went to, what is your cat's name, what is the make of the first car you bought? But you establish those after you have got that relationship. Knowledge-based authentication is designed to be used where you do not have that existing relationship. It works by us, Veda, knowing some historical information about this person. Of course, they know the real, legitimate owner of that identity. Currently, we are able to use two data sources at Veda to ask a total of six questions. Those questions are based around historical addresses, insurance claims and previous employers.

An example would be: which of these four addresses did you live at in October 2008? So the person who just stole my handbag and my identity and all sorts of things will not be able to answer that question about me. Currently, we are not permitted to use some other really valuable data sources that would help with that. Two of those, in particular, that we are able to use for a straight identity verification on the AML/CTF obligations but not for KBA are the current electoral roll and our credit file information. Some examples of what we could generate from those valuable data sources are: which of these historical electorates were you once a member of? Who are the other members of your household? Again that is something you could derive from the old electoral roll. Credit information is a valuable one. Back in 2008 you applied for a personal loan, which of these organisations did you apply to? It is this level of detail we currently are not able to source.

Why would we want to source extra information given we already have six questions? One of the important things is to break predictability for fraudsters. One of the first things fraudsters do when there are new websites available is work the websites and work out what happens. Often these people have intimate knowledge of the credit-decisioning processes at the financial institutions and they will use that information to work their way around the system. So the more questions we have, the more we can start asking questions randomly and break that predictability.

So as part of this one of our recommendations would be to form a joint task force between government and private enterprise where we could take a deeper dive at the other sources of data that we could use to help enhance this technique and fight against identity theft and the use of stolen identities. I am happy to take questions.

CHAIR: I suppose the first and most obvious question that always arises when people talk about having access to multiple datasets for verification—and that brings up the notion of an Australia card or some other repository of information that might be at risk of access by people we do not want accessing it—is: what safeguards are there in the sort of system you propose?

Ms Newton : Veda are a very compliant organisation. We do hold a lot of sensitive data. To that end, all employees go through full employment screening, including CrimTrac checks. Internally, only people who have a need to look at certain data are able to do that. For example, if I want to get my credit file, I am not permitted to go through some internal source at Veda; I must go through the same channel as if you were asking for your credit file. We have regular audits on all that access and permissioning and also all of the staff are subjected to compliance testing regularly each quarter.

Ms Stoianoff : The credit reporting information is data we already have, so we are asking for the capacity to utilise the data already in our possession for an extraordinary purpose in terms of fraud and ID. So in terms of penetrating we already have it.

CHAIR: So your capacity at the moment to use the full range of the data you have is limited by legislation?

Ms Stoianoff : Correct.

Senator O'SULLIVAN: So when you access electoral rolls can you get information that is not otherwise published? For example, some women make application to have their address not published on the electoral roll. So if I were to search for that person I could find their name but I could not find any other information.

Mr Strassberg : My understanding is that we get provided a quarterly version of the electoral roll but it does not have the silent electors on there. I will confirm that, but that is my understanding.

Senator O'SULLIVAN: Thank you.

Ms Newton : While you are on the electoral roll, it is important to point out too that we are only allowed to store one version of the electoral roll, so being able to store historical versions—so you have historical copies at a point in time—would also enhance the capability for asking things like knowledge based authentication and also having a higher level of assurance of an identity. The longer someone has been at a specific address is quite important information when you are working out your level of assurance that you have got the right person.

CHAIR: What do you do in the event that somebody has moved and have not updated the electoral roll so there is a mismatch between the data from the electoral roll and what you may have on your system for an application et cetera, which I have no doubt is a frequent occurrence?

Or it would not be infrequent—let me put it that way.

Ms Newton : That is right. Shall I point out 30-year-old males who might never update the electoral roll? We verify an identity by using multiple data sources. In looking for a person's social footprint, it is important not to just check one data source. For example, you may say, 'Let's just use document verification service,' and use one document. All that is doing is proving that that document was legitimately issued by a particular agency. It does not actually link it back to the individual. So by using multiple sources you can develop a level of confidence that you have the right person. Having a little mismatch in one element may not be enough to say, 'No, this is a complete reject.'

When it comes to helping our customers with fraud detection, we believe there is not one silver bullet. Many customers ask for that. There is not one. Rather, you need to have layers and different levels of protection to help you detect that fraud.

Senator O'SULLIVAN: I have a question on technique. You are saying that with one element you might not get it right, but I imagine there is a hierarchy within that. If I have forgotten my wife's maiden name, that might be one that you would not let me get away with.

Ms Newton : That is right.

Senator O'SULLIVAN: So why would you ask a question which, if the answer was inaccurate, could be dismissed? Why wouldn't the questions only be the ones where you have to get 100 per cent?

Ms Newton : You could definitely set up your rules to say it must be 100 per cent. We leave the definition of those rules to our customers, because they are the ones determining what level of risk we are protecting against. Is it a $100,000 mortgage or is it a $5,000 credit card? What is the difference we are talking about here?

Senator O'SULLIVAN: But, again as a matter of interest, what would persuade them to create a series of questions where they would tolerate inaccuracies? What is in it for them? It does not matter whether they are protecting 10c or $10,000. Why wouldn't they stick to a series of questions that need a 100 per cent response?

Ms Newton : You can certainly do that. To date our customers using this particular component—

Senator O'SULLIVAN: That is not my question. You say some will allow errors. I am asking: why would they have that tolerance? Why would they bother to go for an inferior series of questions when a superior series of questions requiring 100 per cent would give them a 100 per cent result?

Ms Newton : If each of the other levels of protection had been met and the customer had missed one question and they were talking about a low-risk product, the financial institution might say, 'I'm okay with that.'

CHAIR: In terms of the knowledge based assessment, what do you think the optimum number of questions is? Obviously there is a limit.

Ms Newton : Yes. Ideally, you would build it up to 10, 15 or even 20 questions that you could have in your portfolio of possible questions and then you would randomly ask them. So you may only be asking two at a time. On one occasion when a client comes in through an online channel you might ask about a historical address and something about an electorate, and then you mix them up. It is this more random nature that helps break the predictability for the fraudsters.

CHAIR: Mr Strassberg, you made a fairly detailed opening statement. I wonder if that is available? Yes, we have it already. Thank you for your time today. We do not have any more questions at this point, but I am sure if something comes up we will be back in contact. A copy of the Hansard transcript will be made available for you to check, and please come back to us with any corrections. Once again, thanks for your submission and thanks for coming along today.