Financial institutions are leaders in delivering a wide range of services and products via the Internet and mobile communication channels. Unfortunately, electronic crimes targeting consumers and businesses have become the most pervasive crime problem of this millennium. Financial institutions must realize that fraud undermines customer confidence in the bank’s ability, or willingness, to protect its customers.
Fraud rings have proliferated because being a professional fraud operator is easy, profitable and presents low risk and high reward. Ironically, institutions that pride themselves on fostering collaborative environments are being out-networked by the bad guys, who work in a communal ecosystem devoted exclusively to committing fraud around the clock. They are adept at exploitation of gaping vulnerabilities caused by compartmentalization of fraud detection units and the schism between the lines of business and fraud components, including inefficient management and use of data. Sadly, a recent survey of 230 banks by the Information Security Media Group revealed that only 23% learn of fraud incidents through their own auditing processes.
Consumers, retail merchants and businesses are weak links when it comes to virtual security. They respond to phishing schemes that solicit their most sensitive information, allow already-imperfect antivirus and spyware software to expire or disable the programs, use vulnerable passwords and don’t cover their PIN numbers when using an ATM. They are ill equipped to counter botnets, worms, malware and viruses such as the Zeus strain, which has stolen more bank credentials than any other virus and is linked to more than $100 million in losses worldwide. These exploits spontaneously mutate to stay ahead of the latest detection software.
The latest battleground is business account takeovers. These accounts typically hold higher balances to meet payroll and daily expenses, and often the business customer has weak internal safeguards. Businesses are not afforded the same protections as individuals and thus are often held responsible for losses when their accounts are compromised. Businesses are especially vulnerable because their information security, online banking protocols and technology configuration are seldom as good as they need to be.
One important enabler is that fraud receives scarce attention from top executives unless a significant negative media event occurs. Revenue growth and business expansion are paramount; when it comes to risk programs, credit, market, counterparty and regulatory risks trump all others. As a result of scarce anti-fraud resources and failure to deploy the most effective analytical tools available, fraud rings are able to exploit the bank’s inability to “connect the dots.”
The FBI warns that professional fraud networks, not opportunistic individuals, are inflicting the greatest damage. These networks exploit the “one fraud at a time” detection tools and technologies. Balkanization of fraud detection components based on product lines and delivery channels, technology architecture that resembles a patchwork quilt and overall fragmentation of anti-fraud efforts severely hinder the ability to identify ring activity and deploy effective loss prevention strategies. Finally, industry cooperation must be established.
Identity impersonations account for more than $50 billion in losses and directly affect close to 12 million people annually. Customers expect banks to protect them from this nightmare. Consider the highly publicized Heartland Payment Systems/TJ Maxx hacks in which more than 140 million credit/debit card transactions were compromised, affecting more than 500 banks and countless customers.
From the perspective of bank risk executives, anti-fraud programs are a low priority because they produce no positive revenue and because losses are built into budget projections. They discount the impact and reputational risk presented by a well-publicized negative experience on a mass scale. They should view anti-fraud strategies as a priority, not because of the monetary losses that are “acceptable” from a balance sheet perspective, but rather because current and potential customers feel vulnerable and exposed. Banks that fail to protect customers will lose them to competitors that grasp the problem and the potential opportunity.
Fortunately, the banks themselves hold the most powerful weapon to predict and prevent fraud – data. Banks hold a rich trove of information about customers, transactions, accounts and broader trends/patterns. The effective use and analysis of that data – real time and batched – can identify fraud patterns, anomalies and common data points that reveal associations between fraudulent accounts and group fraud activity. One best practice is to form a small “ring identification team” to proactively identify the malignant social networks. Also, the consolidation of fraud detection and investigative components into a single platform and creation of a shared database of historical alerts, red flags, investigations, watch lists and customer claims can help combat fraud. Components that can’t be consolidated should at least share a case management system.
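To make the "common data points" idea concrete, here is an added example (not from the original article) that merges alerts from separate product lines into one pool and groups accounts that share a device, phone number or payee. The records, field names and the choice of linking fields are all constructed for illustration.

```python
from collections import defaultdict

# Constructed alert records, as if exported from separate product-line
# fraud systems into one shared database. Every value here is made up.
ALERTS = [
    {"account": "CC-1001", "channel": "card",   "device": "dev-a", "phone": "555-0101", "payee": None},
    {"account": "DD-2002", "channel": "online", "device": "dev-a", "phone": "555-0199", "payee": "P-77"},
    {"account": "WR-3003", "channel": "wire",   "device": "dev-c", "phone": "555-0142", "payee": "P-77"},
    {"account": "DD-4004", "channel": "online", "device": "dev-d", "phone": "555-0163", "payee": "P-12"},
    {"account": "CC-5005", "channel": "card",   "device": "dev-e", "phone": "555-0163", "payee": None},
    {"account": "DD-6006", "channel": "online", "device": "dev-f", "phone": "555-0188", "payee": "P-90"},
]
LINK_FIELDS = ("device", "phone", "payee")  # assumed linking attributes


def find(parent, x):
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def find_rings(alerts, link_fields=LINK_FIELDS, min_size=2):
    """Group accounts connected, directly or transitively, by a shared value."""
    parent = {a["account"]: a["account"] for a in alerts}
    first_seen = {}  # (field, value) -> first account that carried it
    for a in alerts:
        for field in link_fields:
            value = a.get(field)
            if value is None:
                continue
            key = (field, value)
            if key in first_seen:  # shared data point: merge the two groups
                parent[find(parent, a["account"])] = find(parent, first_seen[key])
            else:
                first_seen[key] = a["account"]
    groups = defaultdict(lambda: {"accounts": set(), "channels": set()})
    for a in alerts:
        group = groups[find(parent, a["account"])]
        group["accounts"].add(a["account"])
        group["channels"].add(a["channel"])
    rings = [g for g in groups.values() if len(g["accounts"]) >= min_size]
    return sorted(rings, key=lambda g: -len(g["accounts"]))


if __name__ == "__main__":
    for ring in find_rings(ALERTS):
        print(sorted(ring["accounts"]), "across", sorted(ring["channels"]))
```

Run on the pooled sample, the function surfaces two groups that span channels; run on any single channel's alerts alone, it finds none, which is the siloed view the article warns about.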
Once and for all, banks must break down the traditional separation between AML and fraud. As the chief of FinCEN has pointed out, fraud and money laundering are codependent. An effective anti-fraud strategy should focus on expending resources on the greatest problems, not just the next alert or case that shows up in the case management system. The organization must prioritize and direct scarce resources toward events that present the largest losses in the aggregate, such as ring activity, and the greatest potential for recovery and prosecution.
Ironically, the tools and capability to more effectively prevent and mitigate these losses are available. Banks must develop a sense of urgency because their customers will continue to be easy victims without decisive action. The ranks of fraud thieves are increasing every day due to Internet networking opportunities and the low risk of prosecution. Fraud has become viral and will never be solved by law enforcement. It’s an industry solution dependent on the awareness and sponsorship of bank executives at the highest levels. They must deploy the most powerful analytics available, consolidate data and various fraud components, and make use of multilayered detection technology. It’s not about the money; it’s about the customer. The customer must feel important and protected. After all, it’s just good business to protect your most important asset.
Here’s a webinar that you may also find helpful. (Rex Pruitt from PREMIER Bankcard appears in this as well.) Watch this webinar to learn to break down the data silos that are preventing a holistic view of fraud across the organization.