Note: During conversations with carriers Stacey, our Carrier Relations Manager, and I often get requests for a specific use case that outlines why we feel consent re-verification is such an important service for carriers to provide. The following use case underlines the benefits of consent re-verification to a carrier's subscribers as well as the confusing and negative consequences for subscribers if a carrier chooses not to provide them with such a service.
Consent Re-verification Use Case Details
Consumer-1 opens an account with a bank and provides the bank with a cell phone number for receiving fraud notifications.
A few months later, Consumer-1 decides to change phone companies without porting. (Old line is disconnected and Consumer-1 receives a new phone number from the new carrier.)
Consumer-1 now has a new phone number but has not changed any of the alerts or notification instructions they had previously provided to the bank.
Eventually Consumer-1’s original phone number is reassigned by their original carrier to Consumer-2.
Consumer-1 now makes a large purchase but the bank suspects it could be fraudulent so they put a temporary hold on the transaction.
Bank sends an SMS to the cell number on file for Consumer-1 with instructions to approve and release the transaction if it is valid.
Because Consumer-1’s notification number has never been updated at the bank, the bank’s SMS actually goes to a new consumer, Consumer 2. This sets off a series of negative events:
Consumer-1 does not receive the SMS instruction to release the transaction so the purchase is declined;
The bank notifies the retailer of a higher risk of fraud or potential identity theft even though the actual consumer was never notified.
Consumer-2 receives an unconsented request to approve a transaction which they did not make.
Consumer-2 believes the transaction approval request they received is an attempt to steal their identity so they report the transaction as fraudulent even though it was actually a valid transaction that was misdirected to the incorrect cell phone.
Had the consumer’s consent been pre-verified, the bank would have been told that the contact information was incorrect and had the opportunity to contact the consumer via another means or to at least fail the transaction more gracefully. Additionally, the new owner of the number, potentially a new subscriber to the carrier, would not have been sent a transaction which they believed to be fraudulent. This consumer, Consumer-2, now believes that their brand new cell phone account and perhaps even their identity may have been compromised.
Modified (Consent Re-verification) Scenario
Bank executes a consent re-verification transaction by passing the phone number, name and address to the carrier's fraud prevention service provider (e.g., IDICIA)
Carrier (agent) returns one of two results:
verification that the consenting consumer (Consumer-1) is still associated to the provided number and therefore the bank still has valid consent to communicate with that number, or
notification that the consumer information provided by the bank is no longer valid for the provided number. In this case, the bank is able to:
- use another or secondary number to communicate with Consumer-1
- stop sending requests to the number on file which would falsely alarm Consumer-2 who is now associated to the number
- notify the retailer that the verification failed because of an invalid means of contact, not because of fraud
If the consumer’s identity is verified, Bank sends an SMS to the correct and consented cell number on file for Consumer-1 with instructions to approve and release the transaction. This notification complies with TCPA for auto-dialed or texted messages since this is only done when a consumer has consented.
By providing verification that a number IS NOT associated to the provided name, the carrier is protecting their current subscriber from identity theft false alarms. By providing verification that a number IS associated to the provided name, the carrier is protecting their current subscriber from having their transactions rejected and their credit cards flagged for fraud. These are both reasonable expectations of a subscriber. Remember, too, that in both these cases, the consumer’s information is only released to an agent (like IDICIA) who works on behalf of a carrier to prevent subscriber fraud, not to any uncontracted, uncontrolled third-party.
Finally, let’s consider privacy and consent from the perspective of the carrier when they are in either the role of the original carrier or the new carrier. From the original carrier’s perspective, Consumer-1 had already granted consent to the bank to access their information and send them messages. (If they had not, the bank would not be trying to send them this particular message.) If the original carrier has now assigned Consumer-1’s original phone number to Consumer-2, they can better serve their new customer, Consumer-2, by providing the bank with enough information to determine that Consumer-1 is no longer associated to the phone number, thus preventing the bank from incorrectly sending a message to Consumer-2 for which the bank, unknowingly, does not have consent. Therefore, although the original carrier may not have consent from Consumer-2 to verify their account information, by not verifying Consumer-2, they are, effectively, allowing Consumer-2 to receive a message which may lead them to think they are the victim of identity theft. It is unreasonable to assume that a consumer would opt in to receive false notifications when the carrier has the power to prevent the false notifications altogether. So even though Consumer-2 has not consented to the Data User (the bank in this case) verifying Consumer-2’s data, the carrier should act in good faith to serve both their former customers (who did grant consent) as well as their new customers who have a reasonable expectation that their carrier will try to prevent both willful fraud against them (true positives) and false alarms (false positives).
In this scenario the carrier is preventing both active fraud attempts as well as false warnings by using a fraud prevention agent and service. No consumer data disclosure (other than to the carrier’s agent) is made, therefore Consumer-2’s data privacy is respected. An additional benefit to the Carrier is that this fraud prevention agency or service is free to the carrier and actually provides a revenue stream paid for by the bank.
From the perspective of the new carrier, their new subscriber, Consumer-1, has provided consent to the bank and the bank, in turn, is only attempting to verify the identity of someone who has granted consent for them to do so. Therefore, when the carrier is in the role of the New Carrier they are acting on behalf of their subscriber who has asked the bank to notify them, via phone, of potential issues, including fraud prevention, that relate to their account operation and safety.