FINRA recently issued regulatory guidance that includes the use of geolocation for authentication to help protect customers’ online brokerage accounts from unauthorized access. This guidance comes at a critical time, when account takeover is on the rise, comprising 54% of all fraud attacks in 2020, up from 34% in 2019.
For decades, IP addresses have been the default standard for verifying a user’s location online. But that’s changing. In an era of VPNs, proxies and other IP-location spoofing tools, regulators are increasingly aware that IP addresses are not enough and that the use of verified, multi-source geolocation data is critical in combating online fraud.
Getting location right is essential, because there’s a strong correlation between stopping location fraud and stopping other types of fraud. In fact, erratic location behavior often indicates fraud, such as account takeover. In the guidance, FINRA noted: “A customer may be required to provide additional information to verify their identity if they attempt to log in to their account from a new device or different location than usual.”
From Cleveland to Salt Lake City in 20 Minutes?
Another fraud prevention strategy using geolocation is an automated threat detection process called “impossible travel.” The guidance defines impossible travel as “a security control that compares the locations of a user’s most recent two sign-in attempts to determine if travel between those locations was impossible in the timeframe given (e.g., logging in from Cleveland, Ohio, and then, twenty minutes later, from Salt Lake City, Utah).”
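The check the guidance describes can be sketched as follows. This is an added example, not code from FINRA or from this page's author. It assumes each sign-in already carries a verified latitude, longitude and UTC timestamp; the speed threshold, the minimum-distance floor and the "step_up" action name are illustrative assumptions.

```python
import math
from datetime import datetime, timedelta, timezone

EARTH_RADIUS_KM = 6371.0088
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly commercial airliner speed
MIN_DISTANCE_KM = 50.0      # assumption: ignore jitter between nearby fixes


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points, in kilometres."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = (math.sin(dphi / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(a))


def check_impossible_travel(prev, curr):
    """Compare a user's two most recent sign-ins and decide on step-up."""
    dist = haversine_km(prev["lat"], prev["lon"], curr["lat"], curr["lon"])
    hours = (curr["time"] - prev["time"]).total_seconds() / 3600.0
    if dist < MIN_DISTANCE_KM:
        speed = 0.0               # same metro area: not travel at all
    elif hours <= 0:
        speed = math.inf          # distant sign-ins at the same instant
    else:
        speed = dist / hours      # speed needed to cover the distance
    impossible = speed > MAX_PLAUSIBLE_KMH
    return {
        "distance_km": round(dist, 1),
        "required_kmh": speed,
        "impossible": impossible,
        # "step_up" = ask for additional identity verification
        "action": "step_up" if impossible else "allow",
    }


# Constructed sample sign-ins (approximate city-centre coordinates).
T0 = datetime(2021, 6, 1, 14, 0, tzinfo=timezone.utc)
CLEVELAND = {"lat": 41.4993, "lon": -81.6944, "time": T0}
SLC_20MIN = {"lat": 40.7608, "lon": -111.8910, "time": T0 + timedelta(minutes=20)}
SLC_6H = {"lat": 40.7608, "lon": -111.8910, "time": T0 + timedelta(hours=6)}

if __name__ == "__main__":
    for nxt in (SLC_20MIN, SLC_6H):
        print(check_impossible_travel(CLEVELAND, nxt))
```

The result is only as trustworthy as the coordinates fed in: if they are derived from an IP address alone, a VPN or proxy can trigger or hide the flag.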
We commend FINRA’s commitment to the use of technological innovation in order to tackle fraud. What used to be enough in the 1990s (IP addresses) is certainly no longer enough to tackle today’s fraud challenges. We encourage all financial institutions to look beyond the limitations of IP addresses and embrace modern location intelligence as vital to strengthening their identity verification, authentication and KYC/AML processes.
Learn more about how to go beyond IP addresses to combat evolving fraud threats in our new white paper: Why Your ‘90s Location Data Fails at Detecting Financial Fraud: How Modern Location Intelligence Unmasks Bad Actors.