Innovator Q&A: Fraud management with Chief Risk Officer at BlueVine, Ido Lustig

With the expansion of digital financial services, there is more of a need for a fraud management solution to prevent fraud within a financial institution. Fraud managers are tasked with offering customers protection from potential fraud attacks. Financial crime and fraudulent activity are on the rise now that online banking is a standard for most people. Read how BlueVine is using fraud detection software to manage fraudsters and risk. 

Ido Lustig is Chief Risk Officer at BlueVine, an online lender to small businesses, which has earned a 4.7 out of 5 rating by Trustpilot. Responsible for BlueVine credit, fraud, and regulatory risk management as well as back-office operations, Ido leads international teams of data scientists, data engineers, analysts, and underwriters as well as payments, collections, and administrative specialists. Previously he managed risk-focused groups and solutions at PayPal, where he also researched and implemented fraud prevention and user experience innovations. Ido talked to Mike Sasaki, leader of the Mitek Systems global customer success team, about the importance of identity verification (IDV) in modern B2B lending.

All of a sudden, identity is getting lots of attention in financial services markets. Why is that?
Ido: It’s because of the expansion of digital financial services, with everything going online and mobile. This is a really good thing for small businesses, which we're having trouble getting access to adequate working capital from traditional banks. It’s a great opportunity for fintechs to provide an alternative funding source. BlueVine offers lines of credit or term loans up to $250,000 and invoice factoring credit lines up to $5 million. But it’s also a challenge because lenders can’t be sure who is actually behind that stream of 1s and 0s flowing across the pipe from the online loan applicant to us. Strong IDV enables us to have a higher level of confidence that the people and entities we’re proposing to do business with are actually who they claim to be.

What are the key problems you’re solving for?
Ido: As surprising as it may sound, traditional challenges, like account takeover and stolen company financials, are still problems we constantly defend against. Then there are newer problems, like the growing amount of fraud being perpetrated via synthetic identities. And we need to solve all of them while addressing business and individual concerns about privacy.

I know BlueVine is super-strong in data science and machine learning. How are you using these to mitigate the risks you’ve just mentioned?
Ido: Mitigating risk is all about answering as many questions as possible as accurately as possible to get a clear picture of whether or not the business and individual you’re dealing with are legitimate and creditworthy. And now, with online lending, it’s also about answering these questions as quickly as possible. BlueVine approves loans in as fast as 5 minutes, and small businesses often have the money in their accounts within hours. So our goal with machine learning is to capture in AI as much as we can of the expertise of a seasoned loan officer— making that expertise faster and scalable.

I assume some of these questions and answers are about identity, right?
Ido: Yes, identity is all about cohesiveness. So when we ask all these questions and collect answers in the form of lots of different types of data we want to connect it and analyze it as a whole. If we can connect the data you’re providing as an individual and about the company you’re working at to your online footprint—the trail of data you create using the internet—as well as other behavioral patterns we can see, for instance, in your financials, then we can have a high degree of confidence we know who we’re dealing with. We know you’re a legitimate loan applicant, which mitigates fraud risk.

So from an identity point of view, the more we know about you, the better. But the more we know about you, the more we also need to be concerned about using this information only in appropriate ways and protecting your data and privacy.

Is there a tradeoff between these protections and a frictionless customer experience?
Ido: To some extent, but we’re actually seeing that customers expect a certain amount of friction when doing business with financial services. As long as identity verification measures are relevant and implemented in a way that makes sense—and is even fun—they can increase customer appreciation for the value of the service. We think there’s the beginning of awareness among business owners and consumers of a set of emerging best practices around identity. It is kind of like a standard is developing that people expect you to meet and increasingly judge competitors against.

Does the trend toward self-service affect these dynamics?
Ido: So self-serve is definitely the way a lot of this is going. As a consumer, I enjoy doing most things via my mobile device apps. It’s the easiest, simplest, fastest way to do things. My mobile phone here incorporates a SIM card from my network provider and an app that is linked to me. These are things that the providers I’m working with are able to leverage to verify my identity. They know which number I’m interacting from and which app ID I have on my device. They have a history of user behavior they can compare my activity against, and they can also trigger a push notification or a text message with a single-use password that I need to provide back to them. These are all very secure ways to perform multi-factor authentication. And in most cases, it’s a more secure way for me, the consumer, to accomplish what I’m trying to do than by calling a contact center.

How do you measure IDV success?
Ido: We measure it by how many fake or stolen identities we’ve allowed into our system. This is called the “false negative rate”—essentially, the fraud we missed—and I’m proud to say it’s near zero. When you think of it, one way to get zero fraud would be to reject a very high number of loan applicants—anyone in the least suspicious—but that wouldn’t be very good for our customers or our business. What we do instead is to rely on very accurate risk analytics. Another way we measure their accuracy is by our “false positive rate”—legitimate applicants we misidentified as potentially fraudulent, which is also very, very low. And, of course, we also track customer satisfaction, including our Net Promoter Score, which is quite high.

What technology trends and innovations do you expect to see in IDV?
Ido: Well, first, more biometrics. I do think facial recognition and other forms of biometrics will become a larger element in the way we verify identities. However, it’s important to recognize that biometric data can be hacked, like everything else, so we’re still going to need other types of checks as well.

Another advance we’re starting to see is the emergence of industry consortia enabling data to be shared in an anonymized,  tokenized form. By sharing data in this way across financial services, for instance, we can make sure the person we’re considering for a loan isn’t also simultaneously applying for funds from a dozen other lenders.

It would also be very helpful if we could include a check-in in real-time with government authorities. I’m hopeful Real ID will start to open up a way of confirming that the person we’re dealing with is actually the person authorities have in their records. There’d be no need for actual data to be revealed to lenders, but it would be very helpful for everyone.
Ultimately, I think the key to security and privacy is probably going to be identity tokenization. If we could apply a token to your identity that is based on your biometrics, on your past behavior, on government records, and so on, we could reach a very high level of confidence, and still, the identity would be anonymized because it’s a token. No one would actually know who the person standing behind the token is unless you decide to reveal that. I think this is where we should all be heading.

As an Identity Innovator, Ido, what’s your “secret sauce” for success?
Ido: It’s funny, I started out by saying that risk mitigation is all about asking and answering questions—and I’d say, on a professional level, that’s my “secret sauce.” In my job, you can never stop asking questions because things are always changing and there’s always more to figure out and learn. I mean, when I started my career, the term “data science” didn’t even exist—now I’m leading the data science department at BlueVine. So you can never afford to feel that you’ve nailed it and just wait to see how things mature. Because you will always get surprised.  If you stop asking questions, they’re going to pop up anyway, and you’ll be too late finding answers.

The other thing I’d say is the importance of working with people. If you’re approachable and talk to people—employees, customers, everyone— every day, and make sure you’re really listening, that is so helpful. It’s helped me remain on top of everything changing in the domain I’m heading up, and it’s helped me personally as well.