How CULedger protects credit unions against fraud with Hyperledger Indy

Written by Hyperledger Foundation | Jul 15, 2023 10:06:00 PM

While businesses have had an increased focus on the rise of cybersecurity threats, financial institutions are being hit by fraudsters in a more traditional channel: the call center.

In a recent survey by TRUSTID, 51% of the financial services companies who participated identified the call center as the main target for account takeover attacks.

Credit unions are no exception.

“Credit unions put the needs and interests of their members first and foremost and are concerned about the privacy of their members’ personal identifiable information,” says Julie Esser, senior vice president of marketing/communications at CULedger, a credit union service organization (CUSO) that began when a group of credit unions came together in 2016 as a direct response to the increasing threat of fraud.

The consortium launched a research-to-action project to find a more secure anti-fraud solution for its members, coincidentally around the same time the hype around blockchain and cryptocurrency was steadily increasing.

While credit unions weren’t necessarily interested in cryptocurrency, “the promise of the underlying technology around blockchain and distributed ledger technology was appealing in terms of providing operational efficiencies and managing fraud,” says Esser.

After reviewing a successful proof of concept that centered on a decentralized identity solution leveraging Hyperledger Indy—a Hyperledger project hosted by the Linux Foundation—and landing a Series A round of financing, the group formed CULedger to bring the product to market.

Hence MemberPass™ was born—a digital identity credential held by credit union members that protects credit unions and their members from identity theft and fraud in all financial interactions, from call center authentication to lending to opening new accounts.

Identifying the Best Solution

How many times have you answered, “What’s your mother’s maiden name?” or named your first pet when setting up a new account? Today, those common knowledge-based authentication questions have become the most vulnerable forms of customer identification.

“Predators will prey on front-line staff in the call center, who thrive to provide exceptional service to their members,” says Esser. “They try to acquire sensitive information from the member service representatives that they can later use to take over accounts or create synthetic IDs and commit fraud.”

CULedger worked with the decentralized identity organization Evernym to build an identification solution that was faster, simpler, and more secure with Hyperledger Indy—a distributed ledger software project that is interoperable with other blockchains or can be used on its own to power the decentralization of identity. By implementing Hyperledger Indy, MemberPass™ (formerly called MyCUID) offers a permanent and portable digital identity that reduces member friction and injects more trust in digital interactions within credit unions.

“Self-sovereign identity will change the very nature of the relationship that companies have with their customers, and I couldn’t think of a more fitting match for this breakthrough than credit unions, who know more about creating strong relationships than just about anybody,” says Steve Havas, CEO of Evernym.

Since the outset, the primary goal for the developers behind MemberPass™ has been to home in on and improve the identity validation or authentication process.

“Every interaction a member has with their credit union starts with identifying who they are—whether that takes place in a call center, in the branch, or in an online environment,” says Esser. “Right now all three of those channels have different authentication methods that members use, and potentially multiple third-party vendors are involved as well.”

That all adds up to a fragmented way for credit unions to verify their members’ personal financial information, and it creates easy targets for fraudsters. “It’s a mess,” says Esser. “It’s no wonder we get frustrated as a consumer. We make it miserable to conduct financial transactions.”

With MemberPass™, credit unions can now streamline the initial member identity authentication process across the call center, drive-up and lobby touch points, empowering their members with one seamless way of interacting or identifying themselves with their credit union.

“It’s very key for an individual to own their own identity. The challenge is some of the areas that are the most sensitive where we create usernames and passwords, we use the same passwords we’ve duplicated elsewhere. If you can have a MemberPass and then give the rights to entities to engage with, it’s really going to work better in our digital society going forward,” says Ron Amstutz, executive vice president of Desert Financial CU.

And it works both ways. “We’ve seen members victimized because of voice phishing or vishing,” says Esser, “a method where a bad actor calls a member and impersonates a credit union in order to obtain sensitive information.”

To protect individuals in those scenarios, MemberPass™ boasts a two-way encrypted communication capability. So not only are the credit unions authenticating members, but members can also rest assured that if the credit union calls, it is a real employee on the other end of the line and not a fraudster.

During a pilot program with three credit unions in 2019, initial results for MemberPass™ were promising. Whereas authentication in the call center could take anywhere from 90 to 120 seconds—or sometimes even up to five minutes depending on the transaction—MemberPass™ reduced that process down to 15 seconds or less.

For members who are reaching out to the call center, “the identity authentication process is a lot shorter,” says Esser, “which means that the credit union can improve their call center metrics and operational costs and, most importantly, remove the friction from the member experience. Credit unions can be confident that they know who they’re interacting with, without a doubt.”

Credit unions recognized the advantages of MemberPass™ from the get-go. “Our members are already embracing this new method of authentication and sharing their excitement with our team. We’ve been told that the enrollment process is simple and quick and that they feel more secure when calling into the call center,” says Gordon Howe, president and CEO of UNIFY Financial CU. “We are ecstatic to eliminate friction historically associated with authentication in a way that keeps both the member experience and data security at the forefront of the interaction.”

As an added MemberPass™ benefit, says Esser, “we’re estimating that we can reduce a credit union’s (with 125,000 members) annual fraud expense by as much as $150,000 a year in just the call center channel alone.”

Other use cases for the technology outside of the call center have also surfaced. One participating credit union is working with CULedger on a strategy for issuing new MemberPass™ accounts inside its branch locations as part of its new member onboarding process. Other credit unions have expressed interest in implementing MemberPass™ in their Internet banking and mobile banking channels. More use cases are being defined as more credit unions begin to understand the power of this privacy-enhancing technology.

Why Hyperledger Indy was “a Natural Fit”

With a rich history of shared trust and satisfaction between credit unions and their members, CULedger aims to reinforce that bond by creating digital trust between the two parties. “It’s no surprise that credit unions have an interest in MemberPass,” says Esser. “While credit unions and members have enjoyed a trusted financial relationship for a long time, creating a new digital trust relationship needs to be earned. Digital trust begins by providing a safe and secure way for credit unions to verify their members and vice versa.”

Building the MemberPass™ solution with Hyperledger Indy was “a natural fit,” says Esser.

Not only does the distributed ledger software of Hyperledger Indy allow an individual to own and control their personal information, but developers can also leverage the tools, libraries, and reusable components in Hyperledger Indy to create identity solutions that are compatible across different agencies and even industries.

“In the future, the true value for the consumer will be the openness and the interoperability that will exist and use one digital identity credential anywhere, even outside their credit union,” says Esser. “And being open source was very much a part of our requirements.”

CULedger worked with the Sovrin Foundation to establish its role as a steward in the Sovrin Network, a decentralized global public network enabling self-sovereign identity on the Internet.

“The credit union movement is based on the idea that trusting interactions between people connected by a common bond are the best interactions,” said Phillip Windley, chairman of the Sovrin Foundation. “The Sovrin Network uses the power of cryptography and distributed ledger technology to facilitate trusting digital interactions. It’s only natural that the credit union movement would be so quick to see and embrace the value of this trust.”

The credit union organization also enlisted the expertise of Evernym, the Utah-based self-sovereign identity firm that developed the original source code for Hyperledger Indy and donated it to the Sovrin Foundation.

“The technology itself worked very well for us,” says Esser. “There weren’t any real surprises.” But there were lessons learned that CULedger will capitalize on.

First, the organization is working with Evernym to improve the user experience with the digital identity wallet that is used to facilitate the MemberPass™ connections. “We initially found that the enrollment and verification processes were confusing and difficult to understand,” says Esser. “We’ve made several modifications and continue to improve these processes to make them more user-friendly and faster.”

There’s also a larger role that MemberPass™ can play in managing compliance regulations for credit unions. With more state legislators working to enforce stricter regulations around privacy, “we’ve had regular interactions with the National Credit Union Administration [the credit union regulator] about how credit unions can benefit from MemberPass,” says Esser. So when consumer privacy rules change, Esser says, “credit unions can be in compliance right away, thanks to MemberPass.”

CULedger is also looking to implement a shared Know Your Customer (KYC) capability to assist credit unions in facilitating and streamlining the customer identification and customer due diligence regulatory requirements.

“We’re still conceptualizing around what that could look like in MemberPass,” says Esser. “But based on early research, we estimate we could streamline two-thirds of the credit union’s new member onboarding KYC process leveraging this technology, which will add up to significant time savings and cost savings for the credit union.”

Becoming a Universal Solution

Currently, there are thousands of MemberPass™ credentials in live production, and the expectation is to grow that number year after year.

“In terms of adoption, we’re very much playing a chicken-and-egg situation,” admits Esser. “In order to build interoperability, we need adoption. But first consumers need to realize the benefits of using this technology to increase adoption. As more credit unions start to implement the use of this technology across all their channels, the easier this will become.”

CULedger also hopes to extend MemberPass’ reach and create interoperability by connecting its Digital Trust Registry™ with other verticals. CULedger’s Digital Trust Registry, which ensures identity trust behind each secure, interoperable transaction, is much like registering a public domain for a website on the Internet. The Digital Trust Registry holds the credit union’s unique public decentralized ID (DID) on the Sovrin Network. The public DID is like the credit union’s public domain and will be how a credit union is recognized in the decentralized identity ecosystem. “Essentially we’re issuing the credit union their own MemberPass,” says Esser.

Bringing Portability & Interoperability to Scale

“Our vision is to not only include a focus around decentralized identity,” says Esser. “CULedger is creating a network around digital exchange, which could be anything—credential exchange, information exchange, value exchange. MemberPass will be the cornerstone to facilitate transactions on our network.”

To do so, the organization is looking to adopt a mixed chain approach as it evolves the network.

“We are creating a network of digital exchange and that network will consist of several backbone providers,” says Esser. “The Sovrin Foundation and Hyperledger are our backbone for decentralized identities. We’ll be using other distributed ledger technology networks from IBM, R3, and Hedera, and will be deploying those based on the application. They all need to be interconnected to allow interoperability.”

Overall, CULedger is looking to accelerate the credit union industry as leaders in adopting and leveraging blockchain and distributed ledger technology-based solutions.

“We are an early adopter of this technology,” says Esser. “We are showing how this industry can collaborate and work towards a common goal of scale and adoption. The opportunities for credit unions and their members are endless.”